
Add duration proxy status #11568

Merged
merged 1 commit into from Feb 14, 2019

@MorrisLaw
Contributor

commented Feb 6, 2019

This was the original PR for my changes to add duration to the proxy status. I closed it out and opened a new PR against release-1.1

This addresses issue #6518

@istio-testing

Collaborator

commented Feb 6, 2019

Hi @MorrisLaw. Thanks for your PR.

I'm waiting for an istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@MorrisLaw

Contributor Author

commented Feb 6, 2019

Not sure what happened, I'll fix the commit history.

@googlebot

Collaborator

commented Feb 6, 2019

So there's good news and bad news.

👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there.

😕 The bad news is that it appears that one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request.

Note to project maintainer: This is a terminal state, meaning the cla/google commit status will not change from this state. It's up to you to confirm consent of all the commit author(s), set the cla label to yes (if enabled on your project), and then merge this pull request when appropriate.

@googlebot googlebot added the cla: no label Feb 6, 2019

@MorrisLaw MorrisLaw force-pushed the MorrisLaw:add-duration-proxy-status branch from 692dd9f to 2329291 Feb 6, 2019

@googlebot

Collaborator

commented Feb 6, 2019

CLAs look good, thanks!

@googlebot googlebot added cla: yes and removed cla: no labels Feb 6, 2019

@liamawhite

Member

commented Feb 7, 2019

/lgtm

@liamawhite

Member

commented Feb 7, 2019

fix the conflicts and I'll get this merged 🙂

@MorrisLaw MorrisLaw force-pushed the MorrisLaw:add-duration-proxy-status branch from 2329291 to d4e58f6 Feb 8, 2019

@istio-testing istio-testing removed the lgtm label Feb 8, 2019

@codecov


commented Feb 8, 2019

Codecov Report

Merging #11568 into release-1.1 will decrease coverage by 2%.
The diff coverage is 100%.

```
@@               Coverage Diff               @@
##           release-1.1   #11568      +/-   ##
===============================================
- Coverage           71%      70%      -1%     
===============================================
  Files              602      429     -173     
  Lines            52993    40263   -12730     
===============================================
- Hits             37622    28074    -9548     
+ Misses           13249    10841    -2408     
+ Partials          2122     1348     -774
```

| Impacted Files | Coverage Δ |
|---|---|
| istioctl/pkg/writer/pilot/status.go | 93% <100%> (+2%) ⬆️ |
| mixer/adapter/inventory.gen.go | 0% <0%> (-100%) ⬇️ |
| mixer/adapter/cloudwatch/client.go | 0% <0%> (-100%) ⬇️ |
| pilot/cmd/pilot-agent/status/util/stats.go | 0% <0%> (-95%) ⬇️ |
| pilot/pkg/networking/plugin/mixer/mixer.go | 1% <0%> (-79%) ⬇️ |
| mixer/adapter/rbac/rbac.go | 0% <0%> (-60%) ⬇️ |
| pilot/cmd/pilot-agent/status/util/util.go | 0% <0%> (-53%) ⬇️ |
| pilot/cmd/pilot-agent/status/ready/probe.go | 0% <0%> (-52%) ⬇️ |
| mixer/pkg/runtime/config/queries.go | 64% <0%> (-36%) ⬇️ |
| mixer/pkg/runtime/config/snapshot.go | 58% <0%> (-36%) ⬇️ |

... and 429 more

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 428179f...30f7ab6.

@MorrisLaw MorrisLaw force-pushed the MorrisLaw:add-duration-proxy-status branch from d4e58f6 to 680a626 Feb 8, 2019

@liamawhite

Member

commented Feb 8, 2019

/lgtm

@istio-testing istio-testing added the lgtm label Feb 8, 2019

@liamawhite

Member

commented Feb 8, 2019

@MorrisLaw did you rebase? that test failure is fixed in the 1.1 branch.

@MorrisLaw MorrisLaw force-pushed the MorrisLaw:add-duration-proxy-status branch from 188f1db to b10afc5 Feb 9, 2019

@istio-testing istio-testing removed the lgtm label Feb 9, 2019

@MorrisLaw

Contributor Author

commented Feb 9, 2019

@liamawhite it should be good now. The latest release-1.1 branch with just my changes on top.

@MorrisLaw

Contributor Author

commented Feb 9, 2019

Not sure why those tests would be failing @liamawhite 🤔

@MorrisLaw

Contributor Author

commented Feb 10, 2019

/retest

@istio-testing

Collaborator

commented Feb 10, 2019

@MorrisLaw: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@liamawhite

Member

commented Feb 10, 2019

/ok-to-test

@liamawhite liamawhite force-pushed the MorrisLaw:add-duration-proxy-status branch from b10afc5 to 30f7ab6 Feb 11, 2019

@istio-testing

Collaborator

commented Feb 11, 2019

@MorrisLaw: The following tests failed, say /retest to rerun them all:

| Test name | Commit | Details | Rerun command |
|---|---|---|---|
| prow/istio-integ-k8s-tests.sh | 30f7ab6 | link | /test istio-integ-k8s-tests |
| prow/istio-pilot-multicluster-e2e.sh | 30f7ab6 | link | /test istio-pilot-multicluster-e2e |

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@GregHanson

Member

commented Feb 13, 2019

/approve
/lgtm

@istio-testing

Collaborator

commented Feb 13, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: GregHanson, liamawhite, MorrisLaw

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@wenchenglu wenchenglu merged commit 6113e15 into istio:release-1.1 Feb 14, 2019

29 of 33 checks passed

ci/circleci: racetest Your tests failed on CircleCI
prow/istio-integ-k8s-tests.sh Job failed.
prow/istio-pilot-multicluster-e2e.sh Job failed.
tide Not mergeable. Job merges-blocked-needs-admin has not succeeded.
GolangCI No issues found!
ci/circleci: build Your tests passed on CircleCI!
ci/circleci: codecov Your tests passed on CircleCI!
ci/circleci: e2e-dashboard Your tests passed on CircleCI!
ci/circleci: e2e-galley Your tests passed on CircleCI!
ci/circleci: e2e-mixer-noauth-v1alpha3-v2 Your tests passed on CircleCI!
ci/circleci: e2e-pilot-auth-v1alpha3-v2 Your tests passed on CircleCI!
ci/circleci: e2e-pilot-cloudfoundry-v1alpha3-v2 Your tests passed on CircleCI!
ci/circleci: e2e-pilot-noauth-v1alpha3-v2 Your tests passed on CircleCI!
ci/circleci: e2e-simple Your tests passed on CircleCI!
ci/circleci: lint Your tests passed on CircleCI!
ci/circleci: shellcheck Your tests passed on CircleCI!
ci/circleci: test Your tests passed on CircleCI!
ci/circleci: test-integration-local Your tests passed on CircleCI!
cla/google All necessary CLAs are signed
prow/e2e-bookInfoTests-v1alpha3.sh Job succeeded.
prow/e2e-bookInfoTests.sh Skipped
prow/e2e-dashboard.sh Job succeeded.
prow/e2e-mixer-no_auth.sh Job succeeded.
prow/e2e-simpleTests-cni.sh Skipped
prow/e2e-simpleTests-minProfile.sh Job succeeded.
prow/e2e-simpleTests.sh Job succeeded.
prow/e2e_pilotv2_auth_sds.sh Job succeeded.
prow/istio-integ-local-tests.sh Job succeeded.
prow/istio-pilot-e2e-envoyv2-v1alpha3.sh Job succeeded.
prow/istio-pilot-e2e.sh Skipped
prow/istio-presubmit.sh Job succeeded.
prow/istio-unit-tests.sh Job succeeded.
prow/release-test.sh Job succeeded.

istio-testing added a commit that referenced this pull request Feb 14, 2019

Sync with release 1.1 (#11766)
* Fix routing when DNS is resolved (#11522)

The DNSDomain variable needs to be enhanced to include more
than one DNS entry.  Change DNSDomain to DNSDomains as a meta
and add the dnsConfig in the meta.  As now DNSDomain is a slice
of strings instead of a string, the variable needs consolidation.

* adjust galley dashboard time range (#11627)

* Add update permissions to deployments/finalizers for galley clusterrole (#11586) (#11631)

(cherry picked from commit f9b6866)

* [release-1.1] Update fluentd adapter to be more robust (#11623)

* Update fluentd adapter to be more robust

* Minor touchup of bad merge

* Lint fixes

* Fix kubernetesenv workload attributes for multicluster with one control plane (#11581)

* remove myself from pilot OWNERS (#11632)

* remove me (#11636)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add debug logs for citadel authenticate fail (#11633)

* move apply plugin below buildscript (#11625)

The Cloud Foundry open source licensing scanner has a plugin that
identifies dependencies from gradle scripts, but it requires the
buildscript and plugins block be before anything else in the file.
This change does not affect the build, but makes our lives a smidge
easier.

Co-authored-by: Teal Stannard <tstannard@pivotal.io>

* check key.pem (#11599)

* Sample ServiceEntries for apt-get, pip, and git tools showing how to grant access to mesh. (#11508)

* Samples for accessing apt-get repo, Github, and pip repo

* A Readme explaining the samples

* Link to future doc on default external comm capability

* Incorporate documentation feedback from venilnoronha

* Add support for metadata constraints in RBAC (#11459)

* Add support for metadata constraints in RBAC

This adds support for mapping RBAC constraints with keys in the a[b]
format to Envoy's filter metadata matcher.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Use SplitN instead of Split for completeness

This updates the metadata matcher definition to use strings.SplitN
instead of strings.Split in order to capture the whole binary key in two
parts.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Accommodate [list] and plain value type constraints

This adds logic to accommodate filter metadata matching over both [list]
and value type constraints.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Add extra experimental. prefix test for matching

This adds an extra experimental. prefix test while creating metadata
matchers based on Envoy filters.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Update comments

This updates code comments.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* add POST to ratings service to demonstrate security policies on HTTP Methods (#10778)

* add POST to ratings service

* put a space between if and opening parenthesis

* add comments

* remove extra line-break

* Enable remote clusters to check/report to local Mixer (#11585)

* Print error message if istio-sidecar-injector invalid, allow toJson as synonym for toJSON (#11570)

* Fix racetest in fluentd test (#11647)

* Bump the number of connection that can be re-use in Citadel (#11641)

* Bump the number of connection that can be re-use in Citadel

* A small fix

* First cut of xDS API structural testing using the new integration tests (#11406)

* Fixes for k8s ingress (#11343)

* Fix ingress in pilot, writeback and multiple namespaces

* Fix tests, format

* Fix test - the generated service should be left in the namespace of ingress

* Additional test fixes, match the new 1.1 semantics

* Again make fmt and lint not matching

* Break up the helloworld sample into versions (#11650)

* Break up the helloworld sample into versions

* Moved to default namespace

* Separated gateway file and added labels

* Update the doc

* Cleanup section updated too

* Fix build break due to #11406. (#11677)

https://k8s-gubernator.appspot.com/build/istio-prow/pr-logs/pull/istio_istio/11645/istio-integ-local-tests/5215

* make stackdriver e2e test cluster wide (#11674)

* Add handling for independent encoding in Report batches to Mixer (#11640)

* Add handling for independent encoding in Report batches to Mixer

* fix lll

* Address review

* protect protobag done

* exit circleci test early if setup fails (#11572)

* wip: exit circleci test early if setup fails

Many of the circleci tests will attempt to run the e2e/integration
tests even after the test setup fails. This leads to misleading test
failures that suggest the problem is with the feature test and not the
test setup itself.

Example test runs where the setup failed and the test was run but
immediately errored out because a dependency was missing:

https://circleci.com/gh/istio/istio/316588
https://circleci.com/gh/istio/istio/317262
https://circleci.com/gh/istio/istio/318281
https://circleci.com/gh/istio/istio/316031
https://circleci.com/gh/istio/istio/315952
https://circleci.com/gh/istio/istio/315871
https://circleci.com/gh/istio/istio/315813

ref: https://circleci.com/docs/2.0/configuration-reference/#the-when-attribute
```
By default, CircleCI will execute job steps one at a time, in the
order that they are defined in config.yml, until a step fails (returns
a non-zero exit code). After a command fails, no further job steps
will be executed.

Adding the when attribute to a job step allows you to override this
default behaviour, and selectively run or skip steps depending on the
status of the job.

The default value of on_success means that the step will run only if
all of the previous steps have been successful (returned exit code 0).

A value of always means that the step will run regardless of the exit
status of previous steps. This is useful if you have a task that you
want to run regardless of whether the previous steps are successful or
not. For example, you might have a job step that needs to upload logs
or code-coverage data somewhere.
```

* re-add `when: always` to codecov job

* Implementation of isolation for EDS (#11672)

* Implementation of isolation for EDS

* Provide nil proxy for older calls

* Always call loadAssignmentsForClusterIsolated

* Revert "Always call loadAssignmentsForClusterIsolated"

This reverts commit db2c997.

* Env variable to disable

* Lint

* Environment Variable controlled Graceful Termination with low defaults. (#11630)

* Feature flag graceful shutdown

Turn graceful shutdown off by default for 1.1 with a feature flag that allows users to opt-in.

Signed-off-by: Liam White <liam@tetrate.io>

* Address pr comments

Signed-off-by: Liam White <liam@tetrate.io>

* Clean up missed feature flag var

Signed-off-by: Liam White <liam@tetrate.io>

* Add turn off test case, todo comments and fix agent tests

Signed-off-by: Liam White <liam@tetrate.io>

* fix lint

Signed-off-by: Liam White <liam@tetrate.io>

* PR review comments

Signed-off-by: Liam White <liam@tetrate.io>

* Move TerminationDuration function and tests to Pilot features

Signed-off-by: Liam White <liam@tetrate.io>

* Update Proxy SHA to latest (release-1.1). (#11687)

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

* Add empty check for proxy's locality (#11681)

Make sure empty proxy locality will fall back to using proxy service's instance locality.

* Increase sleep value to account for Galley default aggregation of 1 sec with MCP (#11685)

* cache ServiceAccounts and remove it from Environment (#11442)

* cache ServiceAccounts and remove it from Environment

* use allServices var

* fix ut

* Adding Envoy bootstrap template for a custom Pilot implementation. (#11395)

* Adding Envoy bootstrap template for a custom Pilot implementation.

New template connects to Pilot using Google gRPC Envoy client, which
allows to perform authz by passing additional credentials. Placed into
install/gcp due to being GCP installation specific.

To enable this template, introducing {{ .discovery_address }} variable,
which passes --discoveryAddress flag value "as is", without splitting it into
address/port_value parts as currently done for the {{ .pilot_grpc_address }} variable.

* Removing static interception listener from gcp_envoy_bootstrap.json
as it is generated by the Pilot.

* Update bookinfo images, fix the script to bump bookinfo versions (#11701)

* add wildcard to digits in the sed regex, for setting version

* bump a minor version

* Add cli option to Galley to allow metadata on outgoing sink connections. (#11602)

* Add cli option to Galley to allow metadata on outgoing sink connections.

For use with sinkAddress, outgoing connections to MCP sink servers
will have gRPC stream metadata attached as defined by sinkMeta.

* Update sinkMeta to use key=value.

* Review comments.

* Error message if istioctl version doesn't match data plane version (#11592)

* Additional error text if istioctl version doesn't match data plane version

* Fix typo

* Revise wording of error msg

* Allow Envoy listener stats to be turned off/on with a pod annotation (#11398)

* If sidecar.istio.io/statsPatterns supplied, customize Envoy stats collection

* Versionize annotation tag

* Change annotation to sidecar.istio.io/v1alpha1/statsInclusionPrefixes per Doug Reid

* pin goimports in make fmt (#11645)

* fix fmt

Signed-off-by: Kuat Yessenov <kuat@google.com>

* trying to run docker in circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* trying to run docker in circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* circling

Signed-off-by: Kuat Yessenov <kuat@google.com>

* circling

Signed-off-by: Kuat Yessenov <kuat@google.com>

* just dont use circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add comment

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding namespace declaration in Grafana PersistentVolumeClaim (#11314)

When using the Helm chart with a user specific namespace and Grafana persistency
enabled, the generated PersistentVolumeClaim for Grafana was missing a namespace,
leading in the Grafana pod to be stuck in the Pending state.

* Fix the periodic builds, add a non-mcp to presubmit (#11703)

* Update api sha (#11709)

* issue #11244 - demo should install a default secret for kiali so out-of-box experience is nicer for users kicking the tires (#11272) (#11715)

(cherry picked from commit 1ad4e29)

* [WIP] Fix sync issue with policy enablement and check enablement (#11707)

* Fix sync issue with policy enablement and check enablement

* Remove outdated comment

* Support customization of Envoy bootstrap config (#11559) (#11702)

* Support customization of Envoy bootstrap config

This change allows override the default Envoy bootstrap configuration
for a resource. A sample is included to show how it can be used.

* Format code

* Fix tests

* Pull in new istio/proxy. (#11717)

* Add experimental support for 'allowhttp10' (#11511)

* Add AcceptHttp10 option to outbound listeners based on global or per sidecar setting

* Clarify this is only for 'sidecar enabled' mode

* Format and lint

* Move http10 option, it was overridden

* Add http10 to test, remove verbose

* Format

* Format

* Use release-1.1 images for release-1.1 branch (#11725)

* guard with gateway enabled (#11732)

* guard with gateway enabled

* remove and

* Clean up Helm RBAC rules (#11234)

* Add apps apiGroup to istio-security-post-install ClusterRole

* Delete empty job file

* Clean up ClusterRole apiGroups

* Separate Kiali's ClusterRole rules into correct API groups

* Fix list indentation

* Remove OpenShift-specific "projects" resource from core apiGroup

* Consolidate more RBAC rules

* Update all RBAC resource apiVersions to v1

* Use service hostname as SNI match for TLS ports if virtual service is missing (#11735)

* Use service hostname as SNI match for TLS ports

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* tests

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* bad port name

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* unique port names

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix stateful set

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* handle multiple streams in nodeagent  (#11738)

* service change

* unit test

* debug log

* lint

* remove annoying log

* Add duration time to stale EDS (#11568)

istio-testing added a commit that referenced this pull request Feb 21, 2019

Merge branch 'release-1.1' into authz-v2 (#11930)
* Fix routing when DNS is resolved (#11522)

The DNSDomain variable needs to be enhanced to include more
than one DNS entry.  Change DNSDomain to DNSDomains as a meta
and add the dnsConfig in the meta.  As now DNSDomain is a slice
of strings instead of a string, the variable needs consolidation.

* adjust galley dashboard time range (#11627)

* Add update permissions to deployments/finalizers for galley clusterrole (#11586) (#11631)

(cherry picked from commit f9b6866)

* [release-1.1] Update fluentd adapter to be more robust (#11623)

* Update fluentd adapter to be more robust

* Minor touchup of bad merge

* Lint fixes

* Fix kubernetesenv workload attributes for multicluster with one control plane (#11581)

* remove myself from pilot OWNERS (#11632)

* remove me (#11636)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add debug logs for citadel authenticate fail (#11633)

* move apply plugin below buildscript (#11625)

The Cloud Foundry open source licensing scanner has a plugin that
identifies dependencies from gradle scripts, but it requires the
buildscript and plugins block be before anything else in the file.
This change does not affect the build, but makes our lives a smidge
easier.

Co-authored-by: Teal Stannard <tstannard@pivotal.io>

* check key.pem (#11599)

* Sample ServiceEntries for apt-get, pip, and git tools showing how to grant access to mesh. (#11508)

* Samples for accessing apt-get repo, Github, and pip repo

* A Readme explaining the samples

* Link to future doc on default external comm capability

* Incorporate documentation feedback from venilnoronha

* Add support for metadata constraints in RBAC (#11459)

* Add support for metadata constraints in RBAC

This adds support for mapping RBAC constraints with keys in the a[b]
format to Envoy's filter metadata matcher.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Use SplitN instead of Split for completeness

This updates the metadata matcher definition to use strings.SplitN
instead of strings.Split in order to capture the whole binary key in two
parts.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Accommodate [list] and plain value type constraints

This adds logic to accommodate filter metadata matching over both [list]
and value type constraints.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Add extra experimental. prefix test for matching

This adds an extra experimental. prefix test while creating metadata
matchers based on Envoy filters.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Update comments

This updates code comments.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* add POST to ratings service to demonstrate security policies on HTTP Methods (#10778)

* add POST to ratings service

* put a space between if and opening parenthesis

* add comments

* remove extra line-break

* Enable remote clusters to check/report to local Mixer (#11585)

* Print error message if istio-sidecar-injector invalid, allow toJson as synonym for toJSON (#11570)

* Fix racetest in fluentd test (#11647)

* Bump the number of connection that can be re-use in Citadel (#11641)

* Bump the number of connection that can be re-use in Citadel

* A small fix

* First cut of xDS API structural testing using the new integration tests (#11406)

* Fixes for k8s ingress (#11343)

* Fix ingress in pilot, writeback and multiple namespaces

* Fix tests, format

* Fix test - the generated service should be left in the namespace of ingress

* Additional test fixes, match the new 1.1 semantics

* Again make fmt and lint not matching

* Break up the helloworld sample into versions (#11650)

* Break up the helloworld sample into versions

* Moved to default namespace

* Separated gateway file and added labels

* Update the doc

* Cleanup section updated too

* Fix build break due to #11406. (#11677)

https://k8s-gubernator.appspot.com/build/istio-prow/pr-logs/pull/istio_istio/11645/istio-integ-local-tests/5215

* make stackdriver e2e test cluster wide (#11674)

* Add handling for independent encoding in Report batches to Mixer (#11640)

* Add handling for independent encoding in Report batches to Mixer

* fix lll

* Address review

* protect protobag done

* exit circleci test early if setup fails (#11572)

* wip: exit circleci test early if setup fails

Many of the circleci tests will attempt to run the e2e/integration
tests even after the test setup fails. This leads to misleading test
failures that suggest the problem is with the feature test and not the
test setup itself.

Example test runs where the setup failed and the test was run but
immediately errored out because a dependency was missing:

https://circleci.com/gh/istio/istio/316588
https://circleci.com/gh/istio/istio/317262
https://circleci.com/gh/istio/istio/318281
https://circleci.com/gh/istio/istio/316031
https://circleci.com/gh/istio/istio/315952
https://circleci.com/gh/istio/istio/315871
https://circleci.com/gh/istio/istio/315813

ref: https://circleci.com/docs/2.0/configuration-reference/#the-when-attribute
```
By default, CircleCI will execute job steps one at a time, in the
order that they are defined in config.yml, until a step fails (returns
a non-zero exit code). After a command fails, no further job steps
will be executed.

Adding the when attribute to a job step allows you to override this
default behaviour, and selectively run or skip steps depending on the
status of the job.

The default value of on_success means that the step will run only if
all of the previous steps have been successful (returned exit code 0).

A value of always means that the step will run regardless of the exit
status of previous steps. This is useful if you have a task that you
want to run regardless of whether the previous steps are successful or
not. For example, you might have a job step that needs to upload logs
or code-coverage data somewhere.
```

* re-add `when: always` to codecov job

* Implementation of isolation for EDS (#11672)

* Implementation of isolation for EDS

* Provide nil proxy for older calls

* Always call loadAssignmentsForClusterIsolated

* Revert "Always call loadAssignmentsForClusterIsolated"

This reverts commit db2c997.

* Env variable to disable

* Lint

* Environment Variable controlled Graceful Termination with low defaults. (#11630)

* Feature flag graceful shutdown

Turn graceful shutdown off by default for 1.1 with a feature flag that allows users to opt-in.

Signed-off-by: Liam White <liam@tetrate.io>

* Address pr comments

Signed-off-by: Liam White <liam@tetrate.io>

* Clean up missed feature flag var

Signed-off-by: Liam White <liam@tetrate.io>

* Add turn off test case, todo comments and fix agent tests

Signed-off-by: Liam White <liam@tetrate.io>

* fix lint

Signed-off-by: Liam White <liam@tetrate.io>

* PR review comments

Signed-off-by: Liam White <liam@tetrate.io>

* Move TerminationDuration function and tests to Pilot features

Signed-off-by: Liam White <liam@tetrate.io>

* Update Proxy SHA to latest (release-1.1). (#11687)

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

* Add empty check for proxy's locality (#11681)

Make sure empty proxy locality will fall back to using proxy service's instance locality.

* Increase sleep value to account for Galley default aggregation of 1 sec with MCP (#11685)

* cache ServiceAccounts and remove it from Environment (#11442)

* cache ServiceAccounts and remove it from Environment

* use allServices var

* fix ut

* Adding Envoy bootstrap template for a custom Pilot implementation. (#11395)

* Adding Envoy bootstrap template for a custom Pilot implementation.

New template connects to Pilot using Google gRPC Envoy client, which
allows to perform authz by passing additional credentials. Placed into
install/gcp due to being GCP installation specific.

To enable this template, introducing {{ .discovery_address }} variable,
which passes --discoveryAddress flag value "as is", without splitting it into
address/port_value parts as currently done for the {{ .pilot_grpc_address }} variable.

* Removing static interception listener from gcp_envoy_bootstrap.json
as it is generated by the Pilot.

* Update bookinfo images, fix the script to bump bookinfo versions (#11701)

* add wildcard to digits in the sed regex, for setting version

* bump a minor version

* Add cli option to Galley to allow metadata on outgoing sink connections. (#11602)

* Add cli option to Galley to allow metadata on outgoing sink connections.

For use with sinkAddress, outgoing connections to MCP sink servers
will have gRPC stream metadata attached as defined by sinkMeta.

* Update sinkMeta to use key=value.

* Review comments.

* Error message if istioctl version doesn't match data plane version (#11592)

* Additional error text if istioctl version doesn't match data plane version

* Fix typo

* Revise wording of error msg

* Allow Envoy listener stats to be turned off/on with a pod annotation (#11398)

* If sidecar.istio.io/statsPatterns supplied, customize Envoy stats collection

* Versionize annotation tag

* Change annotation to sidecar.istio.io/v1alpha1/statsInclusionPrefixes per Doug Reid

* pin goimports in make fmt (#11645)

* fix fmt

Signed-off-by: Kuat Yessenov <kuat@google.com>

* trying to run docker in circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* trying to run docker in circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* circling

Signed-off-by: Kuat Yessenov <kuat@google.com>

* circling

Signed-off-by: Kuat Yessenov <kuat@google.com>

* just dont use circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add comment

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding namespace declaration in Grafana PersistentVolumeClaim (#11314)

When using the Helm chart with a user specific namespace and Grafana persistency
enabled, the generated PersistentVolumeClaim for Grafana was missing a namespace,
leading to the Grafana pod being stuck in the Pending state.

* Fix the periodic builds, add a non-mcp to presubmit (#11703)

* Update api sha (#11709)

* issue #11244 - demo should install a default secret for kiali so out-of-box experience is nicer for users kicking the tires (#11272) (#11715)

(cherry picked from commit 1ad4e29)

* [WIP] Fix sync issue with policy enablement and check enablement (#11707)

* Fix sync issue with policy enablement and check enablement

* Remove outdated comment

* Support customization of Envoy bootstrap config (#11559) (#11702)

* Support customization of Envoy bootstrap config

This change allows overriding the default Envoy bootstrap configuration
for a resource. A sample is included to show how it can be used.

* Format code

* Fix tests

* Pull in new istio/proxy. (#11717)

* Add experimental support for 'allowhttp10' (#11511)

* Add AcceptHttp10 option to outbound listeners based on global or per sidecar setting

* Clarify this is only for 'sidecar enabled' mode

* Format and lint

* Move http10 option, it was overridden

* Add http10 to test, remove verbose

* Format

* Format

* Use release-1.1 images for release-1.1 branch (#11725)

* guard with gateway enabled (#11732)

* guard with gateway enabled

* remove and

* Clean up Helm RBAC rules (#11234)

* Add apps apiGroup to istio-security-post-install ClusterRole

* Delete empty job file

* Clean up ClusterRole apiGroups

* Separate Kiali's ClusterRole rules into correct API groups

* Fix list indentation

* Remove OpenShift-specific "projects" resource from core apiGroup

* Consolidate more RBAC rules

* Update all RBAC resource apiVersions to v1

* Use service hostname as SNI match for TLS ports if virtual service is missing (#11735)

* Use service hostname as SNI match for TLS ports

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* tests

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* bad port name

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* unique port names

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix stateful set

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* handle multiple streams in nodeagent  (#11738)

* service change

* unit test

* debug log

* lint

* remove annoying log

* Add duration time to stale EDS (#11568)

* Tests for drain duration function (#11691)

* Tests for drain duration function

Signed-off-by: Liam White <liam@tetrate.io>

* Licenses...

Signed-off-by: Liam White <liam@tetrate.io>

* typo

Signed-off-by: Liam White <liam@tetrate.io>

* Ability to override SAN from destination rule for ISTIO_MUTUAL (#11747)

* Add ability to override SAN from destination rule for ISTIO_MUTUAL

Fixes issue #11737

* Reformat code.

* Fix the Citadel-apiserver connection proliferation issue. (#11743)

* Fix the Citadel-apiserver connection proliferation issue.

* Small fix on logging.

* Add comment.

* Small fix on log.

* Performance oriented helm defaults for release 1.1 (#11476)

* Disable stdio adapter
* Disable envoy access log
* Add telemetry load shedding defaults based on existing data
* Add telemetry limits and update hpa

* when proxy locality is empty, apply it with service instance locality (#11727)

* Get rid of subcharts (#11767)

* Get rid of subcharts

Now we can use `helm package istio` in the infrastructure to produce
a downloadable Istio chart.

Note any `helm package -u istio` usage will fail always, so any usage
of that needs to be removed throughout the documentation or infrastructure.

Finally the CNI helm chart or manifest must be installed if CNI is enabled.
If enabling CNI and the CNI manifest is not installed, the Istio sidecar
will fail.

* Add dashboard checking to helm charts.

* wrong path for dashboards

* Fix dashboard test cases.

* Change helm package -u to helm package

* Another attempt at fixing the dashboards.

* Fix rebase error.

* update jaeger client (#11765)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix hostname match function returns wrong result sometimes (#11793)

* Fix hostname matching function

* wrong method call

* fix lint errors

* Remove `helm package -u` in favor of `helm package` (#11769)

This work removes the ability to include packages from
external helm repositories.  This is to remove the
`helm dep update` step.

The hidden implication here is that CNI must be installed
independently but still enabled in the chart for it to be used.

Not installing the CNI chart or manifest while enabling CNI
will result in sidecar injector failures.

* stackdriver adapter memory usage optimization (#11792)

* sd adapter memory usage optimization

* clean up test.

* Remove calls to helm repo add (#11805)

* Remove calls to helm repo add

* One more place

* Create internal interface argument for istio-iptables script. (#11321)

* remove 'istiotesting' parent section for 'onenamespace' values. (#11588)

* remove istiotesting in onenamespace values.

* add comments.

* fix typo.

* add more tests for external service (#11752)

* add more tests

* add an error msg

* more tests

* fix char

* rename test yaml file

* mark as unreachable for TLS protocol with VS

* add another test

* remove wikipedia in many tests

* remove dash

* .* not allowed at hosts ending

* looks like no VS for TLS protocol too

* rename per shriram comment

* address comment

* delete not needed file

* typos

* when host has * must provide endpoints

* remove redundant data

* [Kiali] changes for the next version (#11513) (#11804)

* changes for new kiali version

* add create perms

* secret is now optional though really required. this, however, lets kiali provide a more user-friendly error message when the secret is missing, rather than failing to start the pod.
See https://issues.jboss.org/browse/KIALI-2308 and its parent https://issues.jboss.org/browse/KIALI-2303

(cherry picked from commit 322452a)

* use YAML map nil value ({}) for meshNetworks (#11849)

since meshNetworks is a map, the correct nil value is {}
setting the nil value correctly will allow setting networks by
helm command line, using --set :

    --set global.meshNetworks.network2.endpoints[0].fromRegistry=remote_kubeconfig --set global.meshNetworks.network2.gateways[0].address=0.0.0.0 --set global.meshNetworks.network2.gateways[0].port=15443

* Add configurable Mixer transport error retry (#11795)

* Add configurable Mixer transport error retry

Adds annotations for the number of retries, base wait time, and max wait
time to configure Mixer transport error retry policy. If values are not
provided, they will be left unset; defaults will be provided in
istio/proxy.

* Add more comments

* new proxy sha for release-1.1 (#11857)

* new proxy sha for release-1.1

* Run deps ensure to api

* right sha

* Adapt mixer client tests to new mixer filter counters (#11591)

* Added new counters from #8224 to Mixer client tests.

* Reformat

* Add a map to manage FileBasedMetadataConfig (#11753)

* use CredentialName for SIMPLE

* cvc

* rootca

* update test.

* update test

* fix format

* update gateway config

* fix test

* fix lint

* fix test

* add comments.

* add nolint

* update cvc

* update

* update

* update

* update

* update

* update

* format

* dep ensure --update istio.io/api

* Revise per comments

* Revise

* lint

* Marshal SDS call credential config using deterministic order

* update

* update

* revise

* add comment

* update

* move MCP settings to meshConfig (#11875)

* move MCP settings to meshConfig

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix cert bug

* enable allow any for outbound traffic demo profile (#11820)

* remove helm repo add (#11896)

* merge timeseries before sending (#11876)

* Fix listener parsing with ipv6 addresses (#11861)

* Fix listener parsing with ipv6 addresses

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Fixing typo

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* add sample file to expose bookinfo productpage service as nodeport type (#11858)

* add sample file to expose bookinfo productpage service as nodeport type

* address comment

* build network filters in inbound path, like outbound (#11907)

* build network filters in inbound path

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* assorted fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix network filter stack

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

istio-testing added a commit that referenced this pull request Mar 4, 2019

Sync with 1.1 (#12201)
* Fix routing when DNS is resolved (#11522)

The DNSDomain variable needs to be enhanced to include more
than one DNS entry.  Change DNSDomain to DNSDomains as a meta
and add the dnsConfig in the meta.  As now DNSDomain is a slice
of strings instead of a string, the variable needs consolidation.

* adjust galley dashboard time range (#11627)

* Add update permissions to deployments/finalizers for galley clusterrole (#11586) (#11631)

(cherry picked from commit f9b6866)

* [release-1.1] Update fluentd adapter to be more robust (#11623)

* Update fluentd adapter to be more robust

* Minor touchup of bad merge

* Lint fixes

* Fix kubernetesenv workload attributes for multicluster with one control plane (#11581)

* remove myself from pilot OWNERS (#11632)

* remove me (#11636)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add debug logs for citadel authenticate fail (#11633)

* move apply plugin below buildscript (#11625)

The Cloud Foundry open source licensing scanner has a plugin that
identifies dependencies from gradle scripts, but it requires the
buildscript and plugins block be before anything else in the file.
This change does not affect the build, but makes our lives a smidge
easier.

Co-authored-by: Teal Stannard <tstannard@pivotal.io>

* check key.pem (#11599)

* Sample ServiceEntries for apt-get, pip, and git tools showing how to grant access to mesh. (#11508)

* Samples for accessing apt-get repo, Github, and pip repo

* A Readme explaining the samples

* Link to future doc on default external comm capability

* Incorporate documentation feedback from venilnoronha

* Add support for metadata constraints in RBAC (#11459)

* Add support for metadata constraints in RBAC

This adds support for mapping RBAC constraints with keys in the a[b]
format to Envoy's filter metadata matcher.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Use SplitN instead of Split for completeness

This updates the metadata matcher definition to use strings.SplitN
instead of strings.Split in order to capture the whole binary key in two
parts.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Accommodate [list] and plain value type constraints

This adds logic to accommodate filter metadata matching over both [list]
and value type constraints.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Add extra experimental. prefix test for matching

This adds an extra experimental. prefix test while creating metadata
matchers based on Envoy filters.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Update comments

This updates code comments.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* add POST to ratings service to demonstrate security policies on HTTP Methods (#10778)

* add POST to ratings service

* put a space between if and opening parenthesis

* add comments

* remove extra line-break

* Enable remote clusters to check/report to local Mixer (#11585)

* Print error message if istio-sidecar-injector invalid, allow toJson as synonym for toJSON (#11570)

* Fix racetest in fluentd test (#11647)

* Bump the number of connections that can be reused in Citadel (#11641)

* Bump the number of connections that can be reused in Citadel

* A small fix

* First cut of xDS API structural testing using the new integration tests (#11406)

* Fixes for k8s ingress (#11343)

* Fix ingress in pilot, writeback and multiple namespaces

* Fix tests, format

* Fix test - the generated service should be left in the namespace of ingress

* Additional test fixes, match the new 1.1 semantics

* Again make fmt and lint not matching

* Break up the helloworld sample into versions (#11650)

* Break up the helloworld sample into versions

* Moved to default namespace

* Separated gateway file and added labels

* Update the doc

* Cleanup section updated too

* Fix build break due to #11406. (#11677)

https://k8s-gubernator.appspot.com/build/istio-prow/pr-logs/pull/istio_istio/11645/istio-integ-local-tests/5215

* make stackdriver e2e test cluster wide (#11674)

* Add handling for independent encoding in Report batches to Mixer (#11640)

* Add handling for independent encoding in Report batches to Mixer

* fix lll

* Address review

* protect protobag done

* exit circleci test early if setup fails (#11572)

* wip: exit circleci test early if setup fails

Many of the circleci tests will attempt to run the e2e/integration
tests even after the test setup fails. This leads to misleading test
failures that suggest the problem is with the feature test and not the
test setup itself.

Example test runs where the setup failed and the test was run but
immediately errored out because a dependency was missing:

https://circleci.com/gh/istio/istio/316588
https://circleci.com/gh/istio/istio/317262
https://circleci.com/gh/istio/istio/318281
https://circleci.com/gh/istio/istio/316031
https://circleci.com/gh/istio/istio/315952
https://circleci.com/gh/istio/istio/315871
https://circleci.com/gh/istio/istio/315813

ref: https://circleci.com/docs/2.0/configuration-reference/#the-when-attribute
```
By default, CircleCI will execute job steps one at a time, in the
order that they are defined in config.yml, until a step fails (returns
a non-zero exit code). After a command fails, no further job steps
will be executed.

Adding the when attribute to a job step allows you to override this
default behaviour, and selectively run or skip steps depending on the
status of the job.

The default value of on_success means that the step will run only if
all of the previous steps have been successful (returned exit code 0).

A value of always means that the step will run regardless of the exit
status of previous steps. This is useful if you have a task that you
want to run regardless of whether the previous steps are successful or
not. For example, you might have a job step that needs to upload logs
or code-coverage data somewhere.
```

* re-add `when: always` to codecov job

* Implementation of isolation for EDS (#11672)

* Implementation of isolation for EDS

* Provide nil proxy for older calls

* Always call loadAssignmentsForClusterIsolated

* Revert "Always call loadAssignmentsForClusterIsolated"

This reverts commit db2c997.

* Env variable to disable

* Lint

* Environment Variable controlled Graceful Termination with low defaults. (#11630)

* Feature flag graceful shutdown

Turn graceful shutdown off by default for 1.1 with a feature flag that allows users to opt-in.

Signed-off-by: Liam White <liam@tetrate.io>

* Address pr comments

Signed-off-by: Liam White <liam@tetrate.io>

* Clean up missed feature flag var

Signed-off-by: Liam White <liam@tetrate.io>

* Add turn off test case, todo comments and fix agent tests

Signed-off-by: Liam White <liam@tetrate.io>

* fix lint

Signed-off-by: Liam White <liam@tetrate.io>

* PR review comments

Signed-off-by: Liam White <liam@tetrate.io>

* Move TerminationDuration function and tests to Pilot features

Signed-off-by: Liam White <liam@tetrate.io>

* Update Proxy SHA to latest (release-1.1). (#11687)

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

* Add empty check for proxy's locality (#11681)

Make sure empty proxy locality will fall back to using proxy service's instance locality.

* Increase sleep value to account for Galley default aggregation of 1 sec with MCP (#11685)

* cache ServiceAccounts and remove it from Environment (#11442)

* cache ServiceAccounts and remove it from Environment

* use allServices var

* fix ut

* Adding Envoy bootstrap template for a custom Pilot implementation. (#11395)

* Adding Envoy bootstrap template for a custom Pilot implementation.

New template connects to Pilot using Google gRPC Envoy client, which
allows to perform authz by passing additional credentials. Placed into
install/gcp due to being GCP installation specific.

To enable this template, introducing {{ .discovery_address }} variable,
which passes --discoveryAddress flag value "as is", without splitting it into
address/port_value parts as currently done for the {{ .pilot_grpc_address }} variable.

* Removing static interception listener from gcp_envoy_bootstrap.json
as it is generated by the Pilot.

* Update bookinfo images, fix the script to bump bookinfo versions (#11701)

* add wildcard to digits in the sed regex, for setting version

* bump a minor version

* Add cli option to Galley to allow metadata on outgoing sink connections. (#11602)

* Add cli option to Galley to allow metadata on outgoing sink connections.

For use with sinkAddress, outgoing connections to MCP sink servers
will have gRPC stream metadata attached as defined by sinkMeta.

* Update sinkMeta to use key=value.

* Review comments.

* Error message if istioctl version doesn't match data plane version (#11592)

* Additional error text if istioctl version doesn't match data plane version

* Fix typo

* Revise wording of error msg

* Allow Envoy listener stats to be turned off/on with a pod annotation (#11398)

* If sidecar.istio.io/statsPatterns supplied, customize Envoy stats collection

* Versionize annotation tag

* Change annotation to sidecar.istio.io/v1alpha1/statsInclusionPrefixes per Doug Reid

* pin goimports in make fmt (#11645)

* fix fmt

Signed-off-by: Kuat Yessenov <kuat@google.com>

* trying to run docker in circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* trying to run docker in circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* circling

Signed-off-by: Kuat Yessenov <kuat@google.com>

* circling

Signed-off-by: Kuat Yessenov <kuat@google.com>

* just dont use circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add comment

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding namespace declaration in Grafana PersistentVolumeClaim (#11314)

When using the Helm chart with a user specific namespace and Grafana persistency
enabled, the generated PersistentVolumeClaim for Grafana was missing a namespace,
leading to the Grafana pod being stuck in the Pending state.

* Fix the periodic builds, add a non-mcp to presubmit (#11703)

* Update api sha (#11709)

* issue #11244 - demo should install a default secret for kiali so out-of-box experience is nicer for users kicking the tires (#11272) (#11715)

(cherry picked from commit 1ad4e29)

* [WIP] Fix sync issue with policy enablement and check enablement (#11707)

* Fix sync issue with policy enablement and check enablement

* Remove outdated comment

* Support customization of Envoy bootstrap config (#11559) (#11702)

* Support customization of Envoy bootstrap config

This change allows overriding the default Envoy bootstrap configuration
for a resource. A sample is included to show how it can be used.

* Format code

* Fix tests

* Pull in new istio/proxy. (#11717)

* Add experimental support for 'allowhttp10' (#11511)

* Add AcceptHttp10 option to outbound listeners based on global or per sidecar setting

* Clarify this is only for 'sidecar enabled' mode

* Format and lint

* Move http10 option, it was overridden

* Add http10 to test, remove verbose

* Format

* Format

* Use release-1.1 images for release-1.1 branch (#11725)

* guard with gateway enabled (#11732)

* guard with gateway enabled

* remove and

* Clean up Helm RBAC rules (#11234)

* Add apps apiGroup to istio-security-post-install ClusterRole

* Delete empty job file

* Clean up ClusterRole apiGroups

* Separate Kiali's ClusterRole rules into correct API groups

* Fix list indentation

* Remove OpenShift-specific "projects" resource from core apiGroup

* Consolidate more RBAC rules

* Update all RBAC resource apiVersions to v1

* Use service hostname as SNI match for TLS ports if virtual service is missing (#11735)

* Use service hostname as SNI match for TLS ports

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* tests

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* bad port name

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* unique port names

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix stateful set

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* handle multiple streams in nodeagent  (#11738)

* service change

* unit test

* debug log

* lint

* remove annoying log

* Add duration time to stale EDS (#11568)

* Tests for drain duration function (#11691)

* Tests for drain duration function

Signed-off-by: Liam White <liam@tetrate.io>

* Licenses...

Signed-off-by: Liam White <liam@tetrate.io>

* typo

Signed-off-by: Liam White <liam@tetrate.io>

* Ability to override SAN from destination rule for ISTIO_MUTUAL (#11747)

* Add ability to override SAN from destination rule for ISTIO_MUTUAL

Fixes issue #11737

* Reformat code.

* Fix the Citadel-apiserver connection proliferation issue. (#11743)

* Fix the Citadel-apiserver connection proliferation issue.

* Small fix on logging.

* Add comment.

* Small fix on log.

* Performance oriented helm defaults for release 1.1 (#11476)

* Disable stdio adapter
* Disable envoy access log
* Add telemetry load shedding defaults based on existing data
* Add telemetry limits and update hpa

* when proxy locality is empty, apply it with service instance locality (#11727)

* Get rid of subcharts (#11767)

* Get rid of subcharts

Now we can use `helm package istio` in the infrastructure to produce
a downloadable Istio chart.

Note any `helm package -u istio` usage will fail always, so any usage
of that needs to be removed throughout the documentation or infrastructure.

Finally the CNI helm chart or manifest must be installed if CNI is enabled.
If enabling CNI and the CNI manifest is not installed, the Istio sidecar
will fail.

* Add dashboard checking to helm charts.

* wrong path for dashboards

* Fix dashboard test cases.

* Change helm package -u to helm package

* Another attempt at fixing the dashboards.

* Fix rebase error.

* update jaeger client (#11765)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix hostname match function returns wrong result sometimes (#11793)

* Fix hostname matching function

* wrong method call

* fix lint errors

* Remove `helm package -u` in favor of `helm package` (#11769)

This work removes the ability to include packages from
external helm repositories.  This is to remove the
`helm dep update` step.

The hidden implication here is that CNI must be installed
independently but still enabled in the chart for it to be used.

Not installing the CNI chart or manifest while enabling CNI
will result in sidecar injector failures.

* stackdriver adapter memory usage optimization (#11792)

* sd adapter memory usage optimization

* clean up test.

* Remove calls to helm repo add (#11805)

* Remove calls to helm repo add

* One more place

* Create internal interface argument for istio-iptables script. (#11321)

* remove 'istiotesting' parent section for 'onenamespace' values. (#11588)

* remove istiotesting in onenamespace values.

* add comments.

* fix typo.

* add more tests for external service (#11752)

* add more tests

* add an error msg

* more tests

* fix char

* rename test yaml file

* mark as unreachable for TLS protocol with VS

* add another test

* remove wikipedia in many tests

* remove dash

* .* not allowed at hosts ending

* looks like no VS for TLS protocol too

* rename per shriram comment

* address comment

* delete not needed file

* typos

* when host has * must provide endpoints

* remove redundant data

* [Kiali] changes for the next version (#11513) (#11804)

* changes for new kiali version

* add create perms

* secret is now optional though really required. this, however, lets kiali provide a more user-friendly error message when the secret is missing, rather than failing to start the pod.
See https://issues.jboss.org/browse/KIALI-2308 and its parent https://issues.jboss.org/browse/KIALI-2303

(cherry picked from commit 322452a)

* use YAML map nil value ({}) for meshNetworks (#11849)

since meshNetworks is a map, the correct nil value is {}
setting the nil value correctly will allow setting networks by
helm command line, using --set :

    --set global.meshNetworks.network2.endpoints[0].fromRegistry=remote_kubeconfig --set global.meshNetworks.network2.gateways[0].address=0.0.0.0 --set global.meshNetworks.network2.gateways[0].port=15443

* Add configurable Mixer transport error retry (#11795)

* Add configurable Mixer transport error retry

Adds annotations for the number of retries, base wait time, and max wait
time to configure Mixer transport error retry policy. If values are not
provided, they will be left unset; defaults will be provided in
istio/proxy.

* Add more comments

* new proxy sha for release-1.1 (#11857)

* new proxy sha for release-1.1

* Run deps ensure to api

* right sha

* Adapt mixer client tests to new mixer filter counters (#11591)

* Added new counters from #8224 to Mixer client tests.

* Reformat

* Add a map to manage FileBasedMetadataConfig (#11753)

* use CredentialName for SIMPLE

* cvc

* rootca

* update test.

* update test

* fix format

* update gateway config

* fix test

* fix lint

* fix test

* add comments.

* add nolint

* update cvc

* update

* update

* update

* update

* update

* update

* format

* dep ensure --update istio.io/api

* Revise per comments

* Revise

* lint

* Marshal SDS call credential config using deterministic order

* update

* update

* revise

* add comment

* update

* move MCP settings to meshConfig (#11875)

* move MCP settings to meshConfig

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix cert bug

* enable allow any for outbound traffic demo profile (#11820)

* remove helm repo add (#11896)

* merge timeseries before sending (#11876)

* Fix listener parsing with ipv6 addresses (#11861)

* Fix listener parsing with ipv6 addresses

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Fixing typo

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* add sample file to expose bookinfo productpage service as nodeport type (#11858)

* add sample file to expose bookinfo productpage service as nodeport type

* address comment

* build network filters in inbound path, like outbound (#11907)

* build network filters in inbound path

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* assorted fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix network filter stack

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* set allow any as the default for outgoing traffic (#11906)

* set allow_any for default

* enable egress for demo profile

* enable egress gateway for e2e testing

* update comment per costin's comment

* adding more docs

* delete accidentally checked in file

* minor typo

* hope to get tests passing

* remove spaces

* [Kiali][release-1.1] Tell kiali about the new Pilot /version endpoint used to obtain Istio version string (#11833)

* rebase (#11879)

* citadel uses OpenCensus for self-monitoring (#10048)

* citadel and pilot use OpenCensus for self-monitoring

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* modify based on 10270

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Use DefaultRegisterer instead of create a new register

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* do not accept XDS connection if gateway has no service instances (#11905)

* kill XDS if proxy has no service instances

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix cloud foundry test case failure

* fix mcp test

* fix crash

* Update istioctl authn tls-check to take into account caller proxy (#11603) (#11924)

* Lower resource requirements in demo profile (#11942)

* Remove implicit usage of 'busybox:latest' (#11812)

* add long description for verify-install (#11928)

* add long description for verify-install

* review

* singular

* update pilot mesh config default (#11950)

* set allow_any for default

* enable egress for demo profile

* enable egress gateway for e2e testing

* update comment per costin's comment

* adding more docs

* delete accidentally checked in file

* minor typo

* hope to get tests passing

* remove spaces

* sync default with the mesh file

* update test given we changed mesh default

* update test

* update test

* update test

* update test

* update test

* update test

* add adapter secret mount into telemetry deployment (#11921)

* add gcp credential secret mount into telemetry deployment

* update

* rename

* add optional

* remove helm values

* update path

* do the same thing for policy

* mixer: minor doc fixes (#11958)

* minor doc fixes

Signed-off-by: Kuat Yessenov <kuat@google.com>

* review

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Rename sidecar.istio.io/statsInclusionPrefixes annotation (#11993)

* Flexible DNS names (#11986)

* WIP Flexible DNS names

* More fix

* Style fix

* Fix error

* Fix lint

* Fix lint

* fix lint

* Fix pilot-agent application port 0 (#12001)

* fix bug

* fix comments

* Remove duplicated keys (#10928)

Remove duplicated keys in values-istio-test.yaml

* Add shortnames for common crds (#11969)

* Unit tests for sidecar config to sidecar scope conversion (#11901)

* Unit tests for sidecar config to sidecar scope conversion

* Unit tests for sidecar config to sidecar scope conversion

* fix citadel health check issue. (#11965)

* add imagepullsecrets for hook jobs. (#11666)

* Add Auth to OOP handler (#10622)

* add oop auth

* simplify get auth option logic

* clear comment

* address comment

* custom mtls auth check

* lint

* add server name into tls config

* figure out mixer SAN from mixer own cert

* remove unnecessary comment

* update customVerify

* update customVerify

* add test to cover untrusted certs in mtls

* remove mtls option

* lint

* clear diff

* test

* Don't admit CRDs with unknown top-level keys (#11791)

* Don't admit CRDs with unknown top-level keys

Use term 'field' for error messages

Check when admitting both Pilot and Mixer configurations

* The admission control rejected a test yaml as invalid

* Improve message wording and resolve TODOs by using 'mock' Kind

* Add dynamic discovery and listener initialization for supported k8s resource types (#11871)

* wip: dynamically discover supported crd types

* fix linter errors

* improve logs when resource type not found

* increase code coverage

* address review comments

* add a comment

* fix linter error

* fix issue for generating custom gateway from chart. (#11970)

* Let `kubectl get` show additional columns for popular Istio CRDs (#11734)

* Annotate CRDs with the columns we would like printed by

* Verbiage change suggested by Frank B

* Explicitly include AGE column because some versions of K8s will not create it if additionalPrinterColumns are declared

* Update ingress gateway TLS validation for credentialName (#11991)

* use CredentialName for SIMPLE

* cvc

* rootca

* update test.

* update test

* fix format

* update gateway config

* fix test

* fix lint

* fix test

* add comments.

* add nolint

* update cvc

* update

* update

* update

* update

* update

* update

* format

* dep ensure --update istio.io/api

* Revise per comments

* Revise

* lint

* Marshal SDS call credential config using deterministic order

* update

* update

* revise

* add comment

* update

* Update validation

* Use e2e values for e2e tests (#11952)

* Use e2e values for e2e tests

New settings were added to give e2e tests reasonable resource requests.
However, some this target did not have these values applied, causing too
many requests

* hardcode e2e for just the failing test instead of all

* generate_e2e_test_yaml not called, moving to own target

* expose healthcheck port in gateway (#12041)

* GetProxyServiceInstances should not depend on endpoint if there is associated services and pod (#11999)

* fix incremental EDS bug: proxy may not get listeners config when endpoint arrive later than the first full xDS push

* get endpoint by key instead of loop for all

* fix memory leak in pilot (#11183)

* fix memory leak in pilot

* protect Shards and EndpointShardsByService

* Make demo-auth use same resource requests as demo (#11956)

* rename to TestDestinationRuleExportTo (#12009)

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Fix the logic testing for errors (#12053)

* Fix jaeger metrics path template (#11963)

* Fix virtual machine parameter from "r" to "k" (#12062)

* Istio Perf Dashboard fixes (#12049)

* fix mcp source unit test (#12069)

* Fix upgrade/downgrade issue, add guard for visibility and make it off by default (#12084)

* Add MTLS into mixer connection to oop adapter (#12052)

* add oop mtls

* address comment

* add a comment about how key/certs are generated

* New proxy and api sha for istio (#12045)

* new proxy sha in istio

* New proxy sha for istio

* Fixing test

* Right intend

* More fixes

* Endpoint locality prioritization (#11981)

* Endpoint locality prioritization

Defaults to off and has to be enabled via a env var in Pilot as it is an experimental feature and we are close to a release

Signed-off-by: Liam White <liam@tetrate.io>

* Fix correct spelling of prioritise

Signed-off-by: Liam White <liam@tetrate.io>

* Don't ignore kube-system in EDS (#12028)

This was originally ignored due to a high rate of updates from
kube-system. EDSInformer now checks that there were actual meaningful
changes made, otherwise they are ignored, so this is no longer an
issue.

* Istio auth sds e2e (#12100)

* use CredentialName for SIMPLE

* cvc

* rootca

* update test.

* update test

* fix format

* update gateway config

* fix test

* fix lint

* fix test

* add comments.

* add nolint

* update cvc

* update

* update

* update

* update

* update

* update

* format

* dep ensure --update istio.io/api

* Revise per comments

* Revise

* lint

* Marshal SDS call credential config using deterministic order

* update

* update

* revise

* add comment

* update

* Update validation

* fix istio_auth_sds_e2e

* fix TestRouteSNIViaEgressGateway/*

* istioctl validation improvements (#11768)

Use term 'field' for error messages

Look for same top-level fields as admission controller

* Hide GODEBUG output from istioctl requests (#12091)

* Hide GODEBUG output from istioctl requests

* Fix in single function as well

* support listen multi-namespaces (#11667)

* support listen multi-namespaces

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* fix kube errors

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* fix lint error

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* fix ut error

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* Add new dep

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* replace CA with Citadel

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix merge issue

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* properly handle passthrough and non passthrough on same gateway port (#12071)

* properly handle passthrough and non passthrough on same gateway port

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* flimsy tests

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* snafu

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* bring back e2e tests

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Revert "bring back e2e tests"

This reverts commit a3fbb48.

* fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Improving error message for sidecar readiness (#12123)

Currently, the readiness error message doesn't make it clear that
the issue is likely Pilot:

```
2019-02-25T07:22:20.019287Z	info	Envoy proxy is NOT ready: cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
```

This PR should help users better diagnose these issues in the future.

This is a port of PR #12098 into the release-1.1 branch.

* Remove mem registry (#11543) (#12026)

* Remove mem registry (#11543)

* Fix lint

* extract Galley root command to server. (#12073)

* Replace root command of Galley with server mode.

* Fix linter issue.

* Remove accidentally added envoy.test (#12136)

* Fix the health check probe (#12135)

* Fix the health check probe.

* Small fix.

* Small fix.

* Small fix.

* Small fix

* Fix identity in certs provisioned for VMs. (#12109)

* Avoid unnecessary service change events(#11971) (#12148)

Unnecessary service/instances change events are fired by consul registry,
causing TCP connections to be destroyed by Envoy
Fixes #11971

Change-Id: Iaf60a89175c9113cd8cde1556c9bf11d1a367e8f
Signed-off-by: zhaohuabing <zhaohuabing@gmail.com>

* Removing a leftover to disable ingress (#12120)

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Fix EDS race condition when using localities (#12151)

* Fix EDS race condition when using localities

Signed-off-by: Liam White <liam@tetrate.io>

* Wordz

Signed-off-by: Liam White <liam@tetrate.io>

* Wire-up excluded resource types list to the CRD check and update logging (#12143)

* - Wire-up excluded resource types list to the CRD check.
- Update logging.

* Revert copyright.

* Revert copyright.

* Remove VirtualService examples that no longer have an effect (#11892)

* Remove no-longer-needed VirtualServices

ServiceEntry for github.com not needed to clone https URLs

* Modifications after testing using release-1.1-20190214-09-16

* Correct comment explanation

* Include pythonhosted.org for 'pypi' and sort/format/dedup the github addresses

* Doc fixes. (#12107)

* Update jaeger-client-go deps to catch 128bit traceid transport fix (#12166)

* Update jaeger-client-go dep

* Ensure mixer generates 128bit traceids

* Fix DestinationRule issue when there is no Sidecar (#12047)

* Fix DestinationRule issue when there is no Sidecar

* Default to legacy (current codepath)

* Refactor e2e yaml value files (#12076)

* Refactor e2e yaml value files

This change involves:
* renaming uses of old make target
* adding all generated files to gitignore
* create new target to build all e2e yaml files and another for the demo
files that are included in release
* move all testing value files, and example value files, to folders
* create value files for tests that were using --set

* Fix reference to values-e2e.yaml

* Fix typo

* Add readme and fix test failures

* Fix integration tests file

* Enable core dump for auth sds test

* Actually use coredump

* Move istio minimal - needed for docs

* resolve conflict

* Do not setup SNI match if service has a VIP (#12161)

* Do not setup SNI match if service has a VIP

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* missing check

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Upgrade cert-manager to v0.6.2 (#12149)

Currently Istio ships with cert-manager v0.5.0 as an optional
dependency. This version is outdated and has known issues/limitations
with regards to certificates renewal, excessive calls to the ACME APIs,
etc.

This commit contains minimal changes necessary to upgrade the bundled
cert-manager to the most recent stable version. Changes are based on
the official Helm Charts distribution of cert-manager.

* Doc fixes. (#12180)

* fix mixer and pilot upgrade issues. (#12177)

* add namespace parameter support (#12104)

* add namespace parameter support

* add namespace parameter support

* add namespace parameter support

* fix lint

* add test case for proxystatus

* Move mixer check annotation to model with defaults (#11859)

* Move mixer check annotation to model with defaults

* Initialize proto once

* Update tests

* Add an e2e test to validate fault injection telemetry. (#11773)

* Add an e2e test to validate fault injection telemetry.

This attempts to provide validation of telemetry for FI to guard against
recurrence of issues such as: #11151.

It adds a new test in the mixer suite that installs custom virtual
service and destination rules that inject faults at 100% (using error code 555).

The test validates that the destination workload information is
"unknown" and that we receive telemetry with the `FI` response flag.

* Add forgotten file to PR

* Updates tests to match CNI install procedure (#11877)

* Updates tests to match CNI install procedure

The CNI install procedure was changed to eliminate dependent helm
templates. Changes are required in the test routines to match.

* Move daemon start after cluster setup

The daemon start was before the cluster start.

* Changes required after testing

* debug

* Final fix ups

* Address review comments.

* Turn policy off by default (#12114)

* Simplify files and cleanup base values.yaml

* golden files update

* switch back to old defaults for rewriteAppHTTPProbe

* update golden

* override cpu requests for e2e tests

* move policy and telemetry to top level for visibility

* Update deps for 1.1rc2 (#12213)

* Proxy sha and Api sha for istio

* Update istio/proxy to pickup istio/proxy#2135

* pilot should wait for kubernetes cache sync before serving (#12214)

* Remove test mgmt ports (#12206)

* Remove test mgmt ports

* Remove todo and fix test

* Fix local test

* guard mysql proxy with version check (#12225)

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Various fixes for the Multicluster e2e test [release-1.1] (#11940)

* Choose the correct Istio yaml file for MC

* Increase the timeout for the MC test (typically it's 40+ mins)

* Set selfSigned flag to false for remote (shared root CA)

* Wait for remote addition/deletion to propagate

* Enable access log for primary and remote clusters

* Fix pilot grpc failure in Consul (#12228)

istio-testing added a commit that referenced this pull request Mar 20, 2019

Merge master into collab-galley (#12630)
* Merge release-1.1 to master (#11722)

* Incremental EDS only need updated service names (#11117)

* Configure envoy_bootstrap_v2.json to use the configured admin port (#11214)

* Configure envoy_bootstrap_v2.json to use the configured admin port

* Also set the prometheus_stats cluster's port

* Fix bootstrap tests that override admin port

* Allow ipv6 local traffic. (#10738)

* Allow specifying multiple egress host entries with same namespace (#11258)

* allow multiple hosts in same namespace in sidecar egress host

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* merge

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nit

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Galley: Include full Pod resource (#11323)

The ServiceEntry transformation requires the Pod status, which is
not included in the PodSpec. We need to pass through the entire
Pod proto, so that it's available for the conversion.

* Delete the obsolete service control adapter. (#11275)

* [DO NOT MERGE] Rollout Status timeout during e2e tests (#10996)

Addresses issue #9685

* Disable shared span context by default (#11281)

* Add logic to kubeenv adapter Close() to clean-up resources (#10839)

* Add logic to kubeenv adapter Close() to clean-up resources

* Add extra logging and robustness to daemon shutdown checking in runtime

* WIP

* Revert "WIP"

This reverts commit 74f22eced391bfbfb54834e7ffdc2505931b60b1.

* Increase unit test coverage

* Address review comments

* Ensure xenial base image present before building proxy_init (#11277)

* Update codecov to use skip file as threshold as well (#11294)

* Fix e2e-simple test flake (#11271)

* Fix e2e-simple test flake

istio-init.yaml was not being applied. At least on bare metal,
this caused e2e-simple to fail nearly 100% of the time in a race
between the kubeapi server applying CRDs and the application of
custom resources in the manifest.

This problem is less pervasive on slower (vm) environments.

* Fix a spelling error complaint from linter

* integrate new MCP stack into galley, pilot, and mixer (#11292)

This PR integrates the new MCP source/sink stack into Galley, Pilot,
and Mixer. The old stack is temporarily retained while we complete
extended scale/perf testing.

* Revert "Fix e2e-simple test flake (#11271)" (#11331)

This reverts commit f993e46d69c2ae4f990eabdfa377034f23c3b807.

* Update README.md (#9501)

* Add response_flags to metrics and logs (#9945)

* Use sdsName from Gateway config as the resource name in sds config (#11239)

* Use sdsName from Gateway config as the resource name in sds config

* Add test

* goimports

* Fix lint

* Fix test

* mixer: pod policy override (#10886)

* implement injection and override

Signed-off-by: Kuat Yessenov <kuat@google.com>

* lint

Signed-off-by: Kuat Yessenov <kuat@google.com>

* review

Signed-off-by: Kuat Yessenov <kuat@google.com>

* mend

* annotation from node metadata

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix a bug

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding --controlPlaneBootstrap pilot-agent flag (#11212)

* Adding --controlPlaneBootstrap pilot-agent flag to explicitly enable
generation of Envoy bootstrap for Istio control plane components. Only
effective when --templateFile is provided as well.

If --templateFile is provided, but --controlPlaneBootstrap=false, then
template file will be passed through regular bootstrap config
processing, replacing default bootstrap config template.

Default flag value is "true" to be backward-compatible with existing
behavior, so that no other changes are required by other components that
rely on pilot-agent for control plane bootstrap config generation.

* Adding TODO to clean up Mixer and Pilot to use standard template

Mixer and Pilot use custom Envoy bootstrap templates, that have special processing in pilot-agent. They should migrate to the standard bootstrap template and special processing should be removed from pilot-agent.

* Fixing formatting errors on pilot/cmd/pilot-agent/main.go

* [Galley] Restructure runtime package to support multiple states. (#11325)

* [Galley] Restructure runtime package to support multiple states.

This is a follow-on to #11162 that moves the runtime state as well as
 its previously package-private dependencies into their
 own packages. This allows new "states" to exist in separate packages
 under runtime.

* addressing comments

* addressing comments

* extend istio-multi rbac rule (#11339)

* Galley file-source was occluding resources with the same name with different types in the same file (#11257)

* Only add localhost IP if no other IP address were found (#11367)

* not make PDB configurable (#11330)

* not allow users to configure pdb

* remove maxUnavailable

* incorporate google CA's merge APIs change in nodeagent  (#11341)

* merge api

* remove extra line

* Revert "Location based Load Balancing (#10720)" (#11371)

This reverts commit 3f0570653f37ecaa5ccb75df0cb9619f84419624.

* Support multiple Citadels running in one cluster. (#11312)

* Support multiple Citadels running.

* Small fix.

* Small fix.

* Small fix.

* consistent autoscaling config among control plane components (#11376)

* consistent autoscaling config among control plane components

* address Yossi comment

* add missing end

* use spec here

* support namespace/host in gateway (#11290)

* assorted cleanups

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Loosen secret type for ingress gateway (#11385)

* set concurrency according to cpu resource limit/request if it is not set (#11311)

* set concurrency according to cpu resource request if it is not set

* address comments

* fix ut

* fix ut

* fix ut

* run dep ensure

* cache proxy service instances to improve performance (#11368)

* cache proxy service instances to improve performance

* address comments & fix ut

* Support gateway agent to read TLS secret set by cert-manager (#11399)

* read tls secret format

* Update test

* fix lint

* fix lint

* fix lint

* update test

* format

* fix lint

* fix lint

* mixer: option for alternative language runtime (#11391)

* split the original PR

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add annotation support

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix simpletest flake in citadel testing (#11360)

* Fix simpletest flake in citadel testing

A PR was merged ~4 weeks ago which introduced built-in
testing of the Helm charts.  The readiness testing in these
Helm chart tests were defective.  This problem was masked by
a silently failing gate.

(cherry picked from commit bf9bc7bada15288cd1e4d0c8fa4b04c39e4379b5)

* Fix a flaky e2e_simpleTests (#11408)

* Add retries and delay trying to test connection to prometheus

* Also retry on connection refused errors

* Workaround due to old version of curl in proxy

(cherry picked from commit 0e937c77b2d037a9216698a7c93037ccb5062dcc)

* Increase integ test deployment timeout (#11423)

* Increase integ test deployment timeout

* Skip flaky/failing TestTcpMetric

* Remove post-install job and (kubectl) apply security policy CRs to k8s directly (#11248) (#11418)

* Remove post-install job and (kubectl) apply security policy CRs to k8s directly

* Fix condition logic

* Exit on fatal logs (#11335)

* Exit on fatal logs

* Do not call Fatalf in the middle of Galley code

* envoy: use any instead of struct (#11419)

* fix tests

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix framework assuming json

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add gates

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Loops ends after first iteration (#11378) (#11383)

* Adding istio-init chart to release (#11443) (#11445)

* fix superfluous condition in pdb. (#11413)

* Set seconds as the value of MaxAge instead of Duration.String (#11447)

* Allow identity domain to be configured in istio: Ensure e2e tests are working with different identity domain (#9226)

* Refactor identity domain handling and adapt unit tests

Co-authored-by: Ulrich Kramer <u.kramer@sap.com>

* Fix goimports error

*  set role.TrustDomain in pilot main

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Add end to end test e2e_bookinfo_trustdomain

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Use .Values.global.trustDomain as trustDomain for citadel

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Removed commented out code

Co-authored-by: Jakob Schmid <jakob.schmid@sap.com>

* Remove fallback to domain for trust domain

This became necessary due to #11050, which always set the domain
command line flag for executables. But we didn't expect this flag to
have two different meanings (dns-domain and domain-suffix).

Co-authored-by: Ulrich Kramer <u.kramer@sap.com>

* Tls fix (#11455)

* revert deleted TLS validation logic

* lint fixes

* Make TestDuplicateResourceNamesDifferentTypes have consistent ordering. (#11456)

* Adding support for named components to the test framework (#11440)

Each component can be created with a name and optionally a configuration. This allows multiple echo instances, policy backends, envoy proxies, etcetera to be managed independently. Also adding a standard way to configure components but support for that is in a followup.

* Galley support for MCP Source Client dial out (#11291)

* Auth plugin to be used for Galley callout.

* Lint

* Add unit tests.

* Mock Google credentials

* Galley callout code.

* Review comments, fix client_source test.

* Lint

* Switch callout.go to use patch table for test vars.

* Rename callout cli args.

* Increase coverage

* newcallout args, syncWG change.

* Fatal->Error

* Review comments

* Review comments.

* Update metadata model. (#11477)

This is split out from #11293

Supporting work for #10497 and #10589

* [pilot] Export virtual service and destination rule metadata (#11384)

* [pilot] Export virtual service and destination rule metadata

* fixup bad rebase

* restore lost test

* Small fixes

* use URL for rule uid and config as key

* goimports

* update unit tests to match code changes in previous commit

* goimports, redux

* Randomize Galley ports for integration testing (#11285)

* Randomize Galley port for code-coverage runs.

* Remove runaway empty test.

* Update istio-proxy for source.uid fix (#11428)

* Update gateway_test.go to check for overrides

* update to include new proxy

* linter fix

* update client tests for whitelisted attributes

* use source fixed build

* disable TestSecretCreationKubernetes (#11479)

* Fix e2e-simple test flake (#11356) (#11481)

istio-init.yaml was not being applied. At least on bare metal,
this caused e2e-simple to fail nearly 100% of the time in a race
between the kubeapi server applying CRDs and the application of
custom resources in the manifest.

This problem is less pervasive on slower (vm) environments.
(cherry picked from commit 1caa6cedcc7b0526f94bf3f9d3941df65ae4956f)

* Enhance MCP index function to support multiple groups (#11478)

This is split out from #11293

In #11293 we modify the index function to return a different group when choosing the synthetic ServiceEntry collection.

Support for #10497 and #10589

* Zipkin adapter supporting the tracespan template (#11282) (#11483)

* Zipkin adapter supporting the tracespan template (#11282)

* Zipkin adapter supporting the tracespan template

* Refactored generic OpenCensus trace support into a helper package
* Use this to implement Zipkin support using OpenCensus Zipkin exporter

* regenerate template.

* lint. move crd.

* dep ensure.

* new line.

* add zipkin to galley.

* dep ensure

* Default exports, and config root namespace (#11387)

* default exportTo flags

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* format

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nit

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* compile fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* helm stuff

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* istio-config namespace and default sidecar scope

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* spell fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* reorder initialization steps

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* test compile fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* helm tweaks

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* missing helm file

* allow ~ in sidecar imports

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* bad copy paste

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* test fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo framework change

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Revert "bad copy paste"

This reverts commit 934b54a922dd0a6102016901b77badba7774090f.

* Revert "missing helm file"

This reverts commit 992685db5e1fe3f68a484f01dac21f44c66acc8e.

* Revert "helm tweaks"

This reverts commit 5b78b920d18379253ea7c8ae37fd0c0611180c75.

* redos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lists

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* quotes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* tests

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Fixing race condition in Galley Server.Close() (#11484)

The issue was introduced by #11285

It causes a race with the startup of the gRPC server, which leads to a segfault.  From prow logs:

```
=== RUN TestServer_Basic
2019-02-01T20:33:05.867746Z	info	ControlZ available at 10.44.58.28:9876
2019-02-01T20:33:05.867968Z	info ControlZ terminated
2019-02-01T20:33:05.867987Z	info	runtime Stopping processor...
2019-02-01T20:33:05.868000Z	warn	runtime Processor has already stopped
2019-02-01T20:33:05.867798Z	info runtime	Starting processor...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x9e4bc8]

goroutine 148 [running]:
istio.io/istio/vendor/google.golang.org/grpc.(*Server).Serve(0xc42046d080, 0x0, 0x0, 0x0, 0x0)
	/home/prow/go/src/istio.io/istio/vendor/google.golang.org/grpc/server.go:522 +0x748
istio.io/istio/galley/pkg/server.(*Server).Run.func1(0xc4202d9490)
	/home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:242 +0xfb
created by istio.io/istio/galley/pkg/server.(*Server).Run
	/home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:233 +0x5c
FAIL	istio.io/istio/galley/pkg/server 0.383s
```

* add labels to services and deployments (#11503)

* Quote accessLogFormat in configmap template in helm chart (#11449) (#11490)

* Make custom gateway works (#11320)

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* Add missing values global object and template (#11500)

* Envoy Graceful Shutdown (#11485)

* Add Draining bootstrap to Proxies

Signed-off-by: Liam White <liam@tetrate.io>

* Drain open connections

Signed-off-by: Liam White <liam@tetrate.io>

* typo and makefile fix for drain config

Signed-off-by: Liam White <liam@tetrate.io>

* Add proxy agent tests for draining

Signed-off-by: Liam White <liam@tetrate.io>

* appease our golangcibot overlord

Signed-off-by: Liam White <liam@tetrate.io>

* Windows Go doesn't have syscall.Kill

Signed-off-by: Liam White <liam@tetrate.io>

* Skip spybackend test when in racetest (#11497) (#11506)

* Workaround to make racetest skip this test due to low memory

* Lint

* Add mixer status to access log (#11471)

* Add mixer status to access log

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* review

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fixing default exports (#11507)

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Fix 10971 p1 injector (#11512)

* Fix global DNS resolution in sidecar injector

The dnsConfig key was not honored by the sidecar injector. This PR
ensures the dnsConfig key is honored by the sidecar injector. This
enables the injected application to resolve DNS, but does not solve
routing via RDS. Routing via RDS needs a followup PR.

* Fix syntax error in sidecar injector template

* HTTP probe rewrite for webhook part. (#10470)

* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merging failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 18:13:30 2019 -0800

    renaming env var.

commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 17:59:25 2019 -0800

    finish migrating test to yaml file based.

commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:55:00 2019 -0800

    get test working.

commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:49:58 2019 -0800

    WIP add some test files.

commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:13:06 2019 -0800

    WIP changing to using the environment var.

commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:52:47 2019 -0800

    add todo for the tests.

commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277d7 4b7b13aef
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:47:17 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit ca22277d76ed8d1c1b7c3b44cb05edfe52ccf861
Merge: 98fd48f59 744b07ad2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:34 2019 -0800

    Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip

commit 98fd48f59f748bafe5e8518bff3d8cbfd64a2135
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:00 2019 -0800

    findsidecar.

commit 744b07ad2406d1eb94bcf5492125f91486ad6b10
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 22:29:28 2019 -0800

    add FindSidecar.

commit 40ed002ff6f5dd4afe22afa984384addc1be1104
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 21:55:51 2019 -0800

    refactor some code.

commit 0fdbb2e832b7ac01f3e4ed185763b3b20bfbd2ac
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 18:19:32 2019 -0800

    Integration test works and fixing a bug.

commit 5085dfd0e6cb4f0c9cb5c25e7f24b0b94dec176a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 16:09:13 2019 -0800

    all inject tests pass.

commit fe3f156316c917854c2ef4c163e7e1fb070c4fa5
Merge: a2a774498 010d5c266
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:22:18 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit a2a774498e1021c1ca01c021c071e225fa330407
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:16:04 2019 -0800

    update the TestWebhookInject.

commit 36fd45c074bcc787702a5a9257d23103521f525c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 12:13:21 2019 -0800

    some document

commit 88dc922719e2c4723a334d1d8d959cac361b1ecb
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 11:43:44 2019 -0800

    new version works for kubeinject, webhook unit test.

commit 6efa0d64eca835dd860cdfc37d09ebfe110e083a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 18:17:38 2019 -0800

    WIP working on modifying sidecar.Args first, then modify app container patch.

commit 65a2194ae7a93581f60b56998aeb9480b4a4fde5
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 15:20:36 2019 -0800

    WIP add what's missing to get e2e test working.

commit 1595e871c640cdabead372eada2b17d717fa707f
Merge: 256d9635f ac78a552a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 13:26:05 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 256d9635f4d590936c473bf3be0299064cb9c716
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 12:14:04 2019 -0800

    add some debugging log.

commit f70096334464fd1d59a0e81997e8f0fd6623a564
Merge: bdce72119 c7eb603ee
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 10:57:43 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit bdce72119ef78dab40b750861768c332811b9ee2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 18:04:37 2019 -0800

    refactor to host something up to caller.

commit b51763c21000ba2b7fe9e2bc728783ce530cfe87
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 16:31:32 2019 -0800

    get everything works.

commit 0815695a2fea828f06a31f14ed7795a3b3716111
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:48:27 2019 -0800

    kubeinject test is working.

commit 14c99b58f0212972d42e298fa4185275642d672c
Merge: d626bb85d 5ea79622c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:30 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit d626bb85dee628771f8f41fc90335ac608dea923
Merge: 3561ae0a6 66153da4d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:23 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3561ae0a69350730834e625c0710394968f9fcde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:49:44 2019 -0800

    WIP, policy is not taking effect, test passing without rewrite.

commit a9bef0f01964a14f6ace0da6217d7a36f364b661
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:31:08 2019 -0800

    fix the json path in the patch.

commit f1aee91189e16beb0dadee6c612464b1aa9bad21
Merge: 3a7eb48e6 abc53e120
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 14:03:49 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3a7eb48e6b8e4687ffc38973bf18fca11b06c957
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 13:57:55 2019 -0800

    fix it, removing namespace since metadata not matching will fail for kubeapply

commit 2b120347ae887b8a4aa5f955a1a8cb0bdd46d3da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 11:58:39 2019 -0800

    WIP, debugging why mtls policy is not showing up.

commit 72e9c4e488f875ffea0c3a279403277010160ee1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:24:16 2019 -0800

    working on integration2 test framework.

commit 90c1cce9ddc55ce339aa65eac06602591d3113c9
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:04:38 2019 -0800

    add small comments.

commit 92a0edaa11734d1c6fb1c367fae56dc104c6e676
Merge: 7f5c8cbd8 e45242c0d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 16:43:47 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 7f5c8cbd8d4aa57eaf8f8d739cae6dbfdab0445d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:37:53 2018 -0800

    check rewriteAppProbe separately.

commit e2707c9b8f1b01bd4b03b2c6adb9fc79f0dcb479
Merge: 20f02c045 1ae6b4fde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:01:37 2018 -0800

    Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject

commit 20f02c04563fab9b81b418c00a5455994fda5148
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:59:57 2018 -0800

    duplicate the rewrite logic.

commit 4894cb16804d9c5a0406c2dc1b02e3395be08e64
Merge: 3b3bcbff8 d8c4579fa
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:53:44 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 1ae6b4fde00ae641637d44c0f417f635b6d9a6b1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Dec 17 21:56:51 2018 -0800

    address comments.

commit 3b3bcbff86f982c8abc705518a0fd4ec37bf4840
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:24:33 2018 -0800

    massage comments.

commit ccd670d31ef2c1817f87fe932d6f0d2ed4f609d7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:15:50 2018 -0800

    helm flag is off, so change the expected output.

commit 43522c15d06054e4bb173ab2c37333a4de647c2d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:09:46 2018 -0800

    make webhook support rewriteAppHTTPProbe flag.

commit f60f18f4144482874c1219c7da90e97f19f1172f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 12:03:04 2018 -0800

    fixing the merge typo.

commit 05bbadfd851b3a5ad013e733d6eb5eacf5491b15
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:56:38 2018 -0800

    remove unnecessary changes in test for debugging.

commit a81eacb6892509d8938be8d64f1435cf64e22317
Merge: af1a67989 f6b0ddc30
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:53:07 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit af1a6798988f9fe70e40add2a6d4971efa9b50ed
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 18:07:19 2018 -0800

    fixing all the test.

commit 58d0bef3520037a81db8baa34d6e13849d20af10
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:51:34 2018 -0800

    Get TestInject happy.

commit fcd0ae2f7a6ba2f067f460f4baad2194e517b7f1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:49:42 2018 -0800

    make TestHelmInject happy.

commit 7a3ffc8d8e4b5509e1bbed2facc6e4ba14d70fa0
Merge: fcca1f89a bd1631be3
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:53:01 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit fcca1f89af2fddfc0edb3824982aa0b81390fa6d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:18:20 2018 -0800

    get webhook_test.TestInject working.

commit 06f517cfc4214994be1be848d40b12f09ba8a4b8
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:10:55 2018 -0800

    restructure app_probe_test working for both.

commit 7142e96ed8a3200fc91bc73aee86d471117232fc
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 13:19:41 2018 -0800

    starting to work on serious test

commit a3dfb97b4ec4de375984c2a17eb4374bc1c5046a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:50:19 2018 -0800

    prototyping get familiar with the test.

commit 51659dacbc569f4532dc6a37b2091f39c7cf115b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:05:51 2018 -0800

    wip for adding test.

* resolve appprobetest.

* update the golden due to another injector change.

* remove unnecessary files in this pr.

* remove the test framework change.

* remove unnecessary testdata file.

* DeepCopy used.

* fix lint.

* Add longer timeouts for Galley tests. (#11517)

Addresses #11464

* Locality based load balancing for strict dns clusters (#11381)

* rework locality based load balancing

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* simplify

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* bad merge

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint again

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Update pilot/pkg/networking/core/v1alpha3/cluster.go

Co-Authored-By: rshriram <rshriram@users.noreply.github.com>

* move load balancer setting to a separate pkg

* should also apply applyLocalityLBSetting for non-cached outbound clusters

* set cluster locality_weighted_lb_config

* fix ci

* enable LocalityWeightedLbConfig only when cluster has outlier detection

* address comments

* Correct Citadel server log. (#11361)

* Correct Citadel server log.

* Small fix.

* Remove sidecar injection in istio-init jobs (#11317)

This PR aims to solve a problem where the injector is running
but a new job is added in an upgrade scenario.  In this condition
the job is injected, which can result in errors contacting the
injector.

* Only require go.opencensus.io on Linux (#11327)

* Only require go.opencensus.io on Linux

* Ran fmt.sh and goimports against
the stats_linux.go file.

Signed-off-by: Jason Clark <jason.clark.oss@gmail.com>

* Remove the istio-remote chart and make it an istio chart values (#11307)

* Remove the istio-remote chart and make it an istio chart values

* By default tracing should be disabled in remote as it's unsupported

* Fixing the path to values file in e2e MC test

* Fixing istio-pilot-multicluster-e2e.sh

* Correction for previous commit

* Better way to remove MeshPolicy on remote yaml

* Newline

* Newline

* Remove redundant and

* Fix for flakes in TestSource_MangledNames (#11538)

The source of the panic appeared to be access to the labels, which were not being explicitly set on the Unstructured object. This PR sets them directly, so that should no longer be an issue.

Fixes #11532

* Use istio namespace for global destination rule to avoid overwriting mixer policy (#11546)

* Change default monitoring port (#11421)

* Change default monitoring port

Update the default monitoring port from 9093 to 15014.

* Fix test cases

* Hardcode the monitoringPort in istio-remote

* Use credentialName to specify credential resource name and support mTLS for external cert management at ingress gateway. (#11496)

* use CredentialName for SIMPLE

* cvc

* rootca

* update test.

* update test

* fix format

* update gateway config

* fix test

* fix lint

* fix test

* add comments.

* add nolint

* update cvc

* update

* update

* update

* update

* update

* update

* format

* dep ensure --update istio.io/api

* Revise per comments

* Revise

* lint

* Add MCP stress test suite (#11465)

* add -labels option to mcpc for testing and debug

* fix typo in source CollectionOptions name

* increase queue test coverage to 100%

* add more tests for incremental mcp option (still off by default)

* add mcp stress test suite

* fix unit tests

* review comments and add README.md

* run goimports

* fix some wording

* fix bad merge

* formatting

* rebase stress test on latest snapshot group changes

* math.Rand is not safe for concurrent use

* address review comments

* add missing file

* plumb through serverIncSupported

* rename test file

* changing the default limits for init proxy (#11540)

* Add readiness check for Ingress Gateway (#3063) (#11001) (#11548)

Enabling the same readiness probe for Ingress Gateway that is being
used for sidecars.

* istioctl proxy-status should only exec into running pilot pods (#11539)

istioctl proxy-status uses kubectl exec on pilot pods to extract debug
and diagnostic information. Use
`--field-selector=status.phase=Running` to only exec into pods that
are actually running.

fixes https://github.com/istio/istio/issues/11488

* increase control plane component replicas during upgrade test (#11389)

* add multiple control plane component

* remove space

* Allow specify the path for SDS k8s token (#11460)

* Allow specify SDS token path

* Change the default value to empty string

* Rephrase the comment for sds token path

* Address review comments

* Change to use node metadata to pass SDS token path

* Address review comments (e.g., remove static variable)

* Use SDS token path if it is set

* remove chart.version label in pod template. (#11302)

* remove deprecated 'refreshInterval' option in chart. (#11412)

* remove deprecated option in chart.

* fix CI issue.

* Disable agent TestFull test. (#11562)

* remove istio cni subchart tar from source. (#11230)

* Moved subcharts into the istio chart (#11558)

* Moved subcharts into istio charts

* Removed helm dep update calls

* Removed also programmatic helmDepUpdate calls

* Removing helm package call not necessary anymore

* Fix non-Linux builds. (#11580)

* add debug logs to print cert chain (#11575)

* revert #11558 Moved subcharts into the istio chart (#11597)

* add multiple control plane component

* remove space

* Revert "Moved subcharts into the istio chart (#11558)"

This reverts commit a5f9e9bb30eb4240ee0b00893796126b5b434c5d.

* add missing attribute declarations (#11595)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix a few doc issues. (#11596)

* Update istio/api to #3094619 release 1.1 subject_alt_names in Service… (#11541)

* Update istio/api to #3094619 release 1.1 subject_alt_names in ServiceEntry

* Comment out sdsName

* Linter fix

* more linter fixes

* Comment out SDS test

* run bin/fmt.sh

* Skip gateway sds test completely

* Use issue # in t.Skip()

* revert sds changes

* Fix racetest in SDS service (#11615)

* Set the serviceCluster namespace based on env var, to also support specifying namespace on cli after kubeinject (#11587)

* Make image pull policy configurable in Makefile (#10269)

* Adds missing 1.1 attribute data to testdata for integration tests (#11313)

The request.url_path and request.query_params attributes have been added as of istio 1.1
These are required in the testdata attributes manifest in order for them to be useable in the integration test framework.

* Doc fixes. (#11619)

* [mixer:stackdriver] Initial changes to support dst svc edges in graph (#11426)

* Initial changes to support dst svc edges

* Add istio service to k8s service member relation

* Refactor of edge logic and add test

* Add <workload, service> relations

* Fix routing when DNS is resolved (#11522)

The DNSDomain variable needs to be enhanced to include more
than one DNS entry.  Change DNSDomain to DNSDomains as a meta
and add the dnsConfig in the meta.  As now DNSDomain is a slice
of strings instead of a string, the variable needs consolidation.

* adjust galley dashboard time range (#11627)

* Add update permissions to deployments/finalizers for galley clusterrole (#11586) (#11631)

(cherry picked from commit f9b6866731aabe056c699b608a8e93eb850d13c0)

* [release-1.1] Update fluentd adapter to be more robust (#11623)

* Update fluentd adapter to be more robust

* Minor touchup of bad merge

* Lint fixes

* Fix kubernetesenv workload attributes for multicluster with one control plane (#11581)

* remove myself from pilot OWNERS (#11632)

* remove me (#11636)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add debug logs for citadel authenticate fail (#11633)

* move apply plugin below buildscript (#11625)

The Cloud Foundry open source licensing scanner has a plugin that
identifies dependencies from gradle scripts, but it requires the
buildscript and plugins block be before anything else in the file.
This change does not affect the build, but makes our lives a smidge
easier.

Co-authored-by: Teal Stannard <tstannard@pivotal.io>

* check key.pem (#11599)

* Sample ServiceEntries for apt-get, pip, and git tools showing how to grant access to mesh. (#11508)

* Samples for accessing apt-get repo, Github, and pip repo

* A Readme explaining the samples

* Link to future doc on default external comm capability

* Incorporate documentation feedback from venilnoronha

* Add support for metadata constraints in RBAC (#11459)

* Add support for metadata constraints in RBAC

This adds support for mapping RBAC constraints with keys in the a[b]
format to Envoy's filter metadata matcher.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Use SplitN instead of Split for completeness

This updates the metadata matcher definition to use strings.SplitN
instead of strings.Split in order to capture the whole binary key in two
parts.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Accommodate [list] and plain value type constraints

This adds logic to accommodate filter metadata matching over both [list]
and value type constraints.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Add extra experimental. prefix test for matching

This adds an extra experimental. prefix test while creating metadata
matchers based on Envoy filters.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Update comments

This updates code comments.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* add POST to ratings service to demonstrate security policies on HTTP Methods (#10778)

* add POST to ratings service

* put a space between if and opening parenthesis

* add comments

* remove extra line-break

* Enable remote clusters to check/report to local Mixer (#11585)

* Print error message if istio-sidecar-injector invalid, allow toJson as synonym for toJSON (#11570)

* Fix racetest in fluentd test (#11647)

* Bump the number of connections that can be reused in Citadel (#11641)

* Bump the number of connections that can be reused in Citadel

* A small fix

* First cut of xDS API structural testing using the new integration tests (#11406)

* Fixes for k8s ingress (#11343)

* Fix ingress in pilot, writeback and multiple namespaces

* Fix tests, format

* Fix test - the generated service should be left in the namespace of ingress

* Additional test fixes, match the new 1.1 semantics

* Again make fmt and lint not matching

* Break up the helloworld sample into versions (#11650)

* Break up the helloworld sample into versions

* Moved to default namespace

* Separated gateway file and added labels

* Update the doc

* Cleanup section updated too

* Fix build break due to https://github.com/istio/istio/pull/11406. (#11677)

https://k8s-gubernator.appspot.com/build/istio-prow/pr-logs/pull/istio_istio/11645/istio-integ-local-tests/5215

* make stackdriver e2e test cluster wide (#11674)

* Add handling for independent encoding in Report batches to Mixer (#11640)

* Add handling for independent encoding in Report batches to Mixer

* fix lll

* Address review

* protect protobag done

* exit circleci test early if setup fails (#11572)

* wip: exit circleci test early if setup fails

Many of the circleci tests will attempt to run the e2e/integration
tests even after the test setup fails. This leads to misleading test
failures that suggest the problem is with the feature test and not the
test setup itself.

Example test runs where the setup failed and the test was run but
immediately errored out because a dependency was missing:

https://circleci.com/gh/istio/istio/316588
https://circleci.com/gh/istio/istio/317262
https://circleci.com/gh/istio/istio/318281
https://circleci.com/gh/istio/istio/316031
https://circleci.com/gh/istio/istio/315952
https://circleci.com/gh/istio/istio/315871
https://circleci.com/gh/istio/istio/315813

ref: https://circleci.com/docs/2.0/configuration-reference/#the-when-attribute
```
By default, CircleCI will execute job steps one at a time, in the
order that they are defined in config.yml, until a step fails (returns
a non-zero exit code). After a command fails, no further job steps
will be executed.

Adding the when attribute to a job step allows you to override this
default behaviour, and selectively run or skip steps depending on the
status of the job.

The default value of on_success means that the step will run only if
all of the previous steps have been successful (returned exit code 0).

A value of always means that the step will run regardless of the exit
status of previous steps. This is useful if you have a task that you
want to run regardless of whether the previous steps are successful or
not. For example, you might have a job step that needs to upload logs
or code-coverage data somewhere.
```

* re-add `when: always` to codecov job

* Implementation of isolation for EDS (#11672)

* Implementation of isolation for EDS

* Provide nil proxy for older calls

* Always call loadAssignmentsForClusterIsolated

* Revert "Always call loadAssignmentsForClusterIsolated"

This reverts commit db2c99778edb69a9522320a2271ec8b965bad450.

* Env variable to disable

* Lint

* Environment Variable controlled Graceful Termination with low defaults. (#11630)

* Feature flag graceful shutdown

Turn graceful shutdown off by default for 1.1 with a feature flag that allows users to opt-in.

Signed-off-by: Liam White <liam@tetrate.io>

* Address pr comments

Signed-off-by: Liam White <liam@tetrate.io>

* Clean up missed feature flag var

Signed-off-by: Liam White <liam@tetrate.io>

* Add turn off test case, todo comments and fix agent tests

Signed-off-by: Liam White <liam@tetrate.io>

* fix lint

Signed-off-by: Liam White <liam@tetrate.io>

* PR review comments

Signed-off-by: Liam White <liam@tetrate.io>

* Move TerminationDuration function and tests to Pilot features

Signed-off-by: Liam White <liam@tetrate.io>

* Update Proxy SHA to latest (release-1.1). (#11687)

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

* Add empty check for proxy's locality (#11681)

Make sure empty proxy locality will fall back to using proxy service's instance locality.

* Increase sleep value to account for Galley default aggregation of 1 sec with MCP (#11685)

* cache ServiceAccounts and remove it from Environment (#11442)

* cache ServiceAccounts and remove it from Environment

* use allServices var

* fix ut

* Adding Envoy bootstrap template for a custom Pilot implementation. (#11395)

* Adding Envoy bootstrap template for a custom Pilot implementation.

New template connects to Pilot using Google gRPC Envoy client, which
allows to perform authz by passing additional credentials. Placed into
install/gcp due to being GCP installation specific.

To enable this template, introducing {{ .discovery_address }} variable,
which passes --discoveryAddress flag value "as is", without splitting it into
address/port_value parts as currently done for the {{ .pilot_grpc_address }} variable.

* Removing static interception listener from gcp_envoy_bootstrap.json
as it is generated by the Pilot.

* Update bookinfo images, fix the script to bump bookinfo versions (#11701)

* add wildcard to digits in the sed regex, for setting version

* bump a minor version

* Add cli option to Galley to allow metadata on outgoing sink connections. (#11602)

* Add cli option to Galley to allow metadata on outgoing sink connections.

For use with sinkAddress, outgoing connections to MCP sink servers
will have gRPC stream metadata attached as defined by sinkMeta.

* Update sinkMeta to use key=value.

* Review comments.

* Error message if istioctl version doesn't match data plane version (#11592)

* Additional error text if istioctl version doesn't match data plane version

* Fix typo

* Revise wording of error msg

* Allow Envoy listener stats to be turned off/on with a pod annotation (#11398)

* If sidecar.istio.io/statsPatterns supplied, customize Envoy stats collection

* Versionize annotation tag

* Change annotation to sidecar.istio.io/v1alpha1/statsInclusionPrefixes per Doug Reid

* pin goimports in make fmt (#11645)

* fix fmt

Signed-off-by: Kuat Yessenov <kuat@google.com>

* trying to run docker in circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* trying to run docker in circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* circling

Signed-off-by: Kuat Yessenov <kuat@google.com>

* circling

Signed-off-by: Kuat Yessenov <kuat@google.com>

* just dont use circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add comment

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding namespace declaration in Grafana PersistentVolumeClaim (#11314)

When using the Helm chart with a user specific namespace and Grafana persistency
enabled, the generated PersistentVolumeClaim for Grafana was missing a namespace,
leading to the Grafana pod being stuck in the Pending state.

* Fix the periodic builds, add a non-mcp to presubmit (#11703)

* Update api sha (#11709)

* issue #11244 - demo should install a default secret for kiali so out-of-box experience is nicer for users kicking the tires (#11272) (#11715)

(cherry picked from commit 1ad4e29576da6c722dcf19fc5df703beede92a4d)

* [WIP] Fix sync issue with policy enablement and check enablement (#11707)

* Fix sync issue with policy enablement and check enablement

* Remove outdated comment

* Fix deps and broken merge for mixer test

* Fix overly restrictive golang version match

* Fix integration test framework merge issues

* Fix line length lint issue

* handle multiple streams in nodeagent  (#11738)

* service change

* unit test

* debug log

* lint

* remove annoying log

* Add duration time to stale EDS (#11568)

* Revert "Merge release-1.1 to master (#11722)" (#11761)

This reverts commit 727e719b56362060924cd75bef6ed731cc41b272.

* Rename node agent in README.md (#11751)

* Tests for drain duration function (#11691)

* Tests for drain duration function

Signed-off-by: Liam White <liam@tetrate.io>

* Licenses...

Signed-off-by: Liam White <liam@tetrate.io>

* typo

Signed-off-by: Liam White <liam@tetrate.io>

* Ability to override SAN from destination rule for ISTIO_MUTUAL (#11747)

* Add ability to override SAN from destination rule for ISTIO_MUTUAL

Fixes issue https://github.com/istio/istio/issues/11737

* Reformat code.

* Incremental EDS only need updated service names (#11117)

* Configure envoy_bootstrap_v2.json to use the configured admin port (#11214)

* Configure envoy_bootstrap_v2.json to use the configured admin port

* Also set the prometheus_stats cluster's port

* Fix bootstrap tests that override admin port

* Allow ipv6 local traffic. (#10738)

* Allow specifying multiple egress host entries with same namespace (#11258)

* allow multiple hosts in same namespace in sidecar egress host

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* merge

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nit

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Galley: Include full Pod resource (#11323)

The ServiceEntry transformation requires the Pod status, which is
not included in the PodSpec. We need to pass through the entire
Pod proto, so that it's available for the conversion.

* Delete the obsolete service control adapter. (#11275)

* [DO NOT MERGE] Rollout Status timeout during e2e tests (#10996)

Addresses issue #9685

* Disable shared span context by default (#11281)

* Add logic to kubeenv adapter Close() to clean-up resources (#10839)

* Add logic to kubeenv adapter Close() to clean-up resources

* Add extra logging and robustness to daemon shutdown checking in runtime

* WIP

* Revert "WIP"

This reverts commit 74f22eced391bfbfb54834e7ffdc2505931b60b1.

* Increase unit test coverage

* Address review comments

* Ensure xenial base image present before building proxy_init (#11277)

* Update codecov to use skip file as threshold as well (#11294)

* Fix e2e-simple test flake (#11271)

* Fix e2e-simple test flake

istio-init.yaml was not being applied. At least on bare metal,
this caused e2e-simple to fail nearly 100% of the time in a race
between the kubeapi server applying CRDs and the application of
custom resources in the manifest.

This problem is less pervasive on slower (vm) environments.

* Fix a spelling error complaint from linter

* integrate new MCP stack into galley, pilot, and mixer (#11292)

This PR integrates the new MCP source/sink stack into Galley, Pilot,
and Mixer. The old stack is temporarily retained while we complete
extended scale/perf testing.

* Revert "Fix e2e-simple test flake (#11271)" (#11331)

This reverts commit f993e46d69c2ae4f990eabdfa377034f23c3b807.

* Update README.md (#9501)

* Add response_flags to metrics and logs (#9945)

* Use sdsName from Gateway config as the resource name in sds config (#11239)

* Use sdsName from Gateway config as the resource name in sds config

* Add test

* goimports

* Fix lint

* Fix test

* mixer: pod policy override (#10886)

* implement injection and override

Signed-off-by: Kuat Yessenov <kuat@google.com>

* lint

Signed-off-by: Kuat Yessenov <kuat@google.com>

* review

Signed-off-by: Kuat Yessenov <kuat@google.com>

* mend

* annotation from node metadata

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix a bug

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding --controlPlaneBootstrap pilot-agent flag (#11212)

* Adding --controlPlaneBootstrap pilot-agent flag to explicitly enable
generation of Envoy bootstrap for Istio control plane components. Only
effective when --templateFile is provided as well.

If --templateFile is provided, but --controlPlaneBootstrap=false, then
template file will be passed through regular bootstrap config
processing, replacing default bootstrap config template.

Default flag value is "true" to be backward-compatible with existing
behavior, so that no other changes are required by other components that
rely on pilot-agent for control plane bootstrap config generation.

* Adding TODO to clean up Mixer and Pilot to use standard template

Mixer and Pilot use custom Envoy bootstrap templates, that have special processing in pilot-agent. They should migrate to the standard bootstrap template and special processing should be removed from pilot-agent.

* Fixing formatting errors on pilot/cmd/pilot-agent/main.go

* [Galley] Restructure runtime package to support multiple states. (#11325)

* [Galley] Restructure runtime package to support multiple states.

This is a follow-on to #11162 that moves the runtime state as well as
its previously package-private dependencies into their
own packages. This allows new "states" to exist in separate packages
under runtime.

* addressing comments

* addressing comments

* extend istio-multi rbac rule (#11339)

* Galley file-source was occluding resources with the same name with different types in the same file (#11257)

* not make PDB configurable (#11330)

* not allow users to configure pdb

* remove maxUnavailable

* incorporate google CA's merge APIs change in nodeagent  (#11341)

* merge api

* remove extra line

* Revert "Location based Load Balancing (#10720)" (#11371)

This reverts commit 3f0570653f37ecaa5ccb75df0cb9619f84419624.

* Support multiple Citadels running in one cluster. (#11312)

* Support multiple Citadels running.

* Small fix.

* Small fix.

* Small fix.

* consistent autoscaling config among control plane components (#11376)

* consistent autoscaling config among control plane components

* address Yossi comment

* add missing end

* use spec here

* support namespace/host in gateway (#11290)

* assorted cleanups

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Loosen secret type for ingress gateway (#11385)

* set concurrency according to cpu resource limit/request if it is not set (#11311)

* set concurrency according to cpu resource request if it is not set

* address comments

* fix ut

* fix ut

* fix ut

* run dep ensure

* cache proxy service instances to improve performance (#11368)

* cache proxy service instances to improve performance

* address comments & fix ut

* Support gateway agent to read TLS secret set by cert-manager (#11399)

* read tls secret format

* Update test

* fix lint

* fix lint

* fix lint

* update test

* format

* fix lint

* fix lint

* mixer: option for alternative language runtime (#11391)

* split the original PR

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add annotation support

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Exit on fatal logs (#11335)

* Exit on fatal logs

* Do not call Fatalf in the middle of Galley code

* envoy: use any instead of struct (#11419)

* fix tests

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix framework assuming json

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add gates

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix superfluous condition in pdb. (#11413)

* Allow identity domain to be configured in istio: Ensure e2e tests are working with different identity domain (#9226)

* Refactor identity domain handling and adapt unit tests

Co-authored-by: Ulrich Kramer <u.kramer@sap.com>

* Fix goimports error

*  set role.TrustDomain in pilot main

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Add end to end test e2e_bookinfo_trustdomain

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Use .Values.global.trustDomain as trustDomain for citadel

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Removed commented out code

Co-authored-by: Jakob Schmid <jakob.schmid@sap.com>

* Remove fallback to domain for trust domain

This became necessary due to #11050, which always set the domain
command line flag for executables. But we didn't expect this flag to
have two different meanings (dns-domain and domain-suffix).

Co-authored-by: Ulrich Kramer <u.kramer@sap.com>

* Make TestDuplicateResourceNamesDifferentTypes have consistent ordering. (#11456)

* Adding support for named components to the test framework (#11440)

Each component can be created with a name and optionally a configuration. This allows multiple echo instances, policy backends, envoy proxies, etcetera to be managed independently. Also adding a standard way to configure components but support for that is in a followup.

* Galley support for MCP Source Client dial out (#11291)

* Auth plugin to be used for Galley callout.

* Lint

* Add unit tests.

* Mock Google credentials

* Galley callout code.

* Review comments, fix client_source test.

* Lint

* Switch callout.go to use patch table for test vars.

* Rename callout cli args.

* Increase coverage

* newcallout args, syncWG change.

* Fatal->Error

* Review comments

* Review comments.

* Update metadata model. (#11477)

This is split out from #11293

Supporting work for #10497 and #10589

* [pilot] Export virtual service and destination rule metadata (#11384)

* [pilot] Export virtual service and destination rule metadata

* fixup bad rebase

* restore lost test

* Small fixes

* use URL for rule uid and config as key

* goimports

* update unit tests to match code changes in previous commit

* goimports, redux

* Randomize Galley ports for integration testing (#11285)

* Randomize Galley port for code-coverage runs.

* Remove runaway empty test.

* Update istio-proxy for source.uid fix (#11428)

* Update gateway_test.go to check for overrides

* update to include new proxy

* linter fix

* update client tests for whitelisted attributes

* use source fixed build

* disable TestSecretCreationKubernetes (#11479)

* Fix e2e-simple test flake (#11356) (#11481)

istio-init.yaml was not being applied. At least on bare metal,
this caused e2e-simple to fail nearly 100% of the time in a race
between the kubeapi server applying CRDs and the application of
custom resources in the manifest.

This problem is less pervasive on slower (vm) environments.
(cherry picked from commit 1caa6cedcc7b0526f94bf3f9d3941df65ae4956f)

* Enhance MCP index function to support multiple groups (#11478)

This is split out from #11293

In #11293 we modify the index function to return a different group when choosing the synthetic ServiceEntry collection.

Support for #10497 and #10589

* Zipkin adapter supporting the tracespan template (#11282) (#11483)

* Zipkin adapter supporting the tracespan template (#11282)

* Zipkin adapter supporting the tracespan template

* Refactored generic OpenCensus trace support into a helper package
* Use this to implement Zipkin support using OpenCensus Zipkin exporter

* regenerate template.

* lint. move crd.

* dep ensure.

* new line.

* add zipkin to galley.

* dep ensure

* Default exports, and config root namespace (#11387)

* default exportTo flags

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* format

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nit

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* compile fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* helm stuff

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* istio-config namespace and default sidecar scope

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* spell fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* reorder initialization steps

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* test compile fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* helm tweaks

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* missing helm file

* allow ~ in sidecar imports

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* bad copy paste

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* test fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo framework change

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Revert "bad copy paste"

This reverts commit 934b54a922dd0a6102016901b77badba7774090f.

* Revert "missing helm file"

This reverts commit 992685db5e1fe3f68a484f01dac21f44c66acc8e.

* Revert "helm tweaks"

This reverts commit 5b78b920d18379253ea7c8ae37fd0c0611180c75.

* redos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lists

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* quotes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* tests

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Fixing race condition in Galley Server.Close() (#11484)

The issue was introduced by #11285

It causes a race with the startup of the gRPC server, which leads to a segfault.  From prow logs:

```
=== RUN TestServer_Basic
2019-02-01T20:33:05.867746Z	info	ControlZ available at 10.44.58.28:9876
2019-02-01T20:33:05.867968Z	info ControlZ terminated
2019-02-01T20:33:05.867987Z	info	runtime Stopping processor...
2019-02-01T20:33:05.868000Z	warn	runtime Processor has already stopped
2019-02-01T20:33:05.867798Z	info runtime	Starting processor...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x9e4bc8]

goroutine 148 [running]:
istio.io/istio/vendor/google.golang.org/grpc.(*Server).Serve(0xc42046d080, 0x0, 0x0, 0x0, 0x0)
	/home/prow/go/src/istio.io/istio/vendor/google.golang.org/grpc/server.go:522 +0x748
istio.io/istio/galley/pkg/server.(*Server).Run.func1(0xc4202d9490)
	/home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:242 +0xfb
created by istio.io/istio/galley/pkg/server.(*Server).Run
	/home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:233 +0x5c
FAIL	istio.io/istio/galley/pkg/server 0.383s
```

* add labels to services and deployments (#11503)

* Make custom gateway works (#11320)

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* Add missing values global object and template (#11500)

* Envoy Graceful Shutdown (#11485)

* Add Draining bootstrap to Proxies

Signed-off-by: Liam White <liam@tetrate.io>

* Drain open connections

Signed-off-by: Liam White <liam@tetrate.io>

* typo and makefile fix for drain config

Signed-off-by: Liam White <liam@tetrate.io>

* Add proxy agent tests for draining

Signed-off-by: Liam White <liam@tetrate.io>

* appease our golangcibot overlord

Signed-off-by: Liam White <liam@tetrate.io>

* Windows Go doesn't have syscall.Kill

Signed-off-by: Liam White <liam@tetrate.io>

* Add mixer status to access log (#11471)

* Add mixer status to access log

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* review

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fixing default exports (#11507)

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* HTTP probe rewrite for webhook part. (#10470)

* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merging failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 18:13:30 2019 -0800

    renaming env var.

commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 17:59:25 2019 -0800

    finish migrating test to yaml file based.

commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:55:00 2019 -0800

    get test working.

commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:49:58 2019 -0800

    WIP add some test files.

commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:13:06 2019 -0800

    WIP changing to using the environment var.

commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:52:47 2019 -0800

    add todo for the tests.

commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277d7 4b7b13aef
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:47:17 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit ca22277d76ed8d1c1b7c3b44cb05edfe52ccf861
Merge: 98fd48f59 744b07ad2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:34 2019 -0800

    Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip

commit 98fd48f59f748bafe5e8518bff3d8cbfd64a2135
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:00 2019 -0800

    findsidecar.

commit 744b07ad2406d1eb94bcf5492125f91486ad6b10
Author: Jianfei Hu <jianfeih@goo…