Environment Variable controlled Graceful Termination with low defaults. #11630
Better than not having a flag, but if we have time:
- make it an int, so we can customize the duration - I don't think it needs to be the same as the one used for graceful restarts, there are valid use cases to have a very long value on cert rotation - which would not be right for restarts. (example long running connections)
- I think we can keep the default on - maybe with a 5 second value - testing so far looks good, and as long as it can be turned off in case of problems I think it is safe.
- I would use an environment variable instead, since this is how we fine tune pilot and other components and already have ways to hook them in the installer. Otherwise - you will need documentation in values.yaml

In 1.2 we can probably upgrade this to an API - most 'fine tune' env variables are intended to be short-term, to get user feedback and for temporary feature/bug fix control - but eventually need to be removed or upgraded to proper API.
@costinm sounds good, will address on Monday.
Turn graceful shutdown off by default for 1.1 with a feature flag that allows users to opt-in. Signed-off-by: Liam White <liam@tetrate.io>
pilot/cmd/pilot-agent/main.go
Outdated
// TODO: move this to API in 1.2 | ||
func handleTDDEnvVar() time.Duration { | ||
tddEnvVar, found := os.LookupEnv("TERMINATION_DRAIN_DURATION_SECONDS") | ||
if !found || tddEnvVar == "" { |
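Review bot: handleTDDEnvVar has only the TODO above it, so nothing documents that the variable is read as whole seconds or what the function returns when the variable is unset or empty. A doc comment that starts with the function name and states the unit and the fallback would make the `!found || tddEnvVar == ""` branch self-explanatory.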
nit: I think you can just ignore the value of `found`?
pilot/cmd/pilot-agent/main.go
Outdated
@@ -341,6 +341,20 @@ func waitForCompletion(ctx context.Context, fn func(context.Context)) { | |||
wg.Done() | |||
} | |||
|
|||
// TODO: move this to API in 1.2 | |||
func handleTDDEnvVar() time.Duration { | |||
tddEnvVar, found := os.LookupEnv("TERMINATION_DRAIN_DURATION_SECONDS") |
could we move the constant to a more common place? Would be good to get all the variables in one place eventually.
We actually do have a place - pkg/features/pilot :-)
pilot/cmd/pilot-agent/main.go
Outdated
tdd, err := strconv.Atoi(tddEnvVar) | ||
if err != nil { | ||
log.Warnf("unable to parse env var TERMINATION_DRAIN_DURATION_SECONDS, using default of 5 seconds.") | ||
return time.Second * 5 |
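Review bot: The parse-failure branch at the log.Warnf call discards both the rejected value and err, and calls Warnf with no format arguments, so the log does not show what was misconfigured. Pass the value and the error, for example `log.Warnf("unable to parse %s=%q: %v", name, tddEnvVar, err)`, where name stands for the variable name. strconv.Atoi also accepts negative numbers and no range check is visible in these lines; consider rejecting values below zero before building the time.Duration.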
nit: use a constant for the default value to avoid the code duplication.
pilot/cmd/pilot-agent/main.go
Outdated
@@ -341,6 +341,20 @@ func waitForCompletion(ctx context.Context, fn func(context.Context)) { | |||
wg.Done() | |||
} | |||
|
|||
// TODO: move this to API in 1.2 | |||
func handleTDDEnvVar() time.Duration { |
nit: this is a slightly odd name for the function ... maybe just `getTerminationDrainDuration`?
I would settle for some comments :-), but the better name is nice too.
/lgtm
Aside from the issues Nate mentioned, which we can fix in separate PRs (since this is pretty critical).
There is one test failing - likely a flake, but you'll need to re-trigger (click on workflow and 'rerun from failed')
I'd rather just fix these now ... otherwise they'll be forgotten. They're pretty trivial cleanups.
Signed-off-by: Liam White <liam@tetrate.io>
Yeah, moving the env var to the separate pkg has broken the new tests. It seems that it looks up the Env var value on the initial function call then uses that value for subsequent calls. This is fine for actual use but not for tests. Does anyone know of a workaround I can use for the tests?
pkg/features/pilot/pilot.go
Outdated
// On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, | ||
// preventing any new connections and allowing existing connections to complete. It then | ||
// sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes. | ||
TerminationDrainDuration = os.Getenv("TERMINATION_DRAIN_DURATION_SECONDS") |
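Review bot: TerminationDrainDuration is assigned the raw string from os.Getenv, while the comment above it says pilot-agent "sleeps for the TerminationDrainDuration", so the name and comment promise a duration but the value is unparsed and its unit is not stated. Either parse it into a time.Duration here or expose a function that does, and say in the comment that the variable is in seconds. If this assignment sits in a package-level var block it is evaluated once at initialisation, which fits the test breakage reported in the thread.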
Maybe we could move your get function to this file and call the function where needed?
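The pattern discussed in this thread, as an added example that is not code from the pull request or from Istio: the drain duration is read from `TERMINATION_DRAIN_DURATION_SECONDS` on every call instead of once at package initialisation, so a test can change the variable between calls, and unparsable or out-of-range values fall back to the 5 second default. The constant and function names, the `drainDurationAtInit` variable and the 3600 second upper bound are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"time"
)

const (
	// Variable name and 5 second default as discussed in the thread.
	terminationDrainDurationVar     = "TERMINATION_DRAIN_DURATION_SECONDS"
	defaultTerminationDrainDuration = 5 * time.Second
	// Assumed upper bound (not from the PR): reject values above one hour.
	maxTerminationDrainSeconds = 3600
)

// drainDurationAtInit shows the pattern that broke the tests: the
// environment is read once, when the package is initialised, and later
// changes to the variable are never seen.
var drainDurationAtInit = parseDrainSeconds(os.Getenv(terminationDrainDurationVar))

// parseDrainSeconds converts the raw variable value (whole seconds) into a
// time.Duration. Empty, unparsable, negative or too-large values yield the
// default, and the rejected value is reported so the operator can see it.
func parseDrainSeconds(raw string) time.Duration {
	if raw == "" {
		return defaultTerminationDrainDuration
	}
	secs, err := strconv.Atoi(raw)
	if err != nil {
		fmt.Fprintf(os.Stderr, "unable to parse %s=%q: %v; using default %s\n",
			terminationDrainDurationVar, raw, err, defaultTerminationDrainDuration)
		return defaultTerminationDrainDuration
	}
	// Compare in seconds before multiplying so a huge input cannot overflow.
	if secs < 0 || secs > maxTerminationDrainSeconds {
		fmt.Fprintf(os.Stderr, "%s=%d is outside 0..%d; using default %s\n",
			terminationDrainDurationVar, secs, maxTerminationDrainSeconds,
			defaultTerminationDrainDuration)
		return defaultTerminationDrainDuration
	}
	// Zero is accepted: it disables the drain wait.
	return time.Duration(secs) * time.Second
}

// getTerminationDrainDuration reads the environment at call time, so tests
// (or an operator restarting the agent) always get the current value.
func getTerminationDrainDuration() time.Duration {
	return parseDrainSeconds(os.Getenv(terminationDrainDurationVar))
}

func main() {
	os.Setenv(terminationDrainDurationVar, "30")
	fmt.Println("read at init:     ", drainDurationAtInit)
	fmt.Println("read at call time:", getTerminationDrainDuration())
}
```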
Signed-off-by: Liam White <liam@tetrate.io>
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: costinm, liamawhite, nmittler
* Fix routing when DNS is resolved (#11522) The DNSDomain variable needs to be enhanced to include more then one DNS entry. Change DNSDomain to DNSDomains as a meta and add the dnsConfig in the meta. As now DNSDomain is a slice of strings instead of a string, the variable needs consolidation. * adjust galley dashboard time range (#11627) * Add update permissions to deployments/finalizers for galley clusterrole (#11586) (#11631) (cherry picked from commit f9b6866) * [release-1.1] Update fluentd adapter to be more robust (#11623) * Update fluentd adapter to be more robust * Minor touchup of bad merge * Lint fixes * Fix kubernetesenv workload attributes for multicluster with one control plane (#11581) * remove myself from pilot OWNERS (#11632) * remove me (#11636) Signed-off-by: Kuat Yessenov <kuat@google.com> * add debug logs for citadel authenticate fail (#11633) * move apply plugin below buildscript (#11625) The Cloud Foundry open source licensing scanner has a plugin that identifies dependencies from gradle scripts, but it requires the buildscript and plugins block be before anything else in the file. This change does not affect the build, but makes our lives a smidge easier. Co-authored-by: Teal Stannard <tstannard@pivotal.io> * check key.pem (#11599) * Sample ServiceEntries for apt-get, pip, and git tools showing how to grant access to mesh. (#11508) * Samples for accessing apt-get repo, Github, and pip repo * A Readme explaining the samples * Link to future doc on default external comm capability * Incorporate documentation feedback from venilnoronha * Add support for metadata constraints in RBAC (#11459) * Add support for metadata constraints in RBAC This adds support for mapping RBAC constraints with keys in the a[b] format to Envoy's filter metadata matcher. 
Signed-off-by: Venil Noronha <veniln@vmware.com> * Use SplitN instead of Split for completeness This updates the metadata matcher definition to use strings.SplitN instead of strings.Split in order to capture the whole binary key in two parts. Signed-off-by: Venil Noronha <veniln@vmware.com> * Accomodate [list] and plain value type constraints This adds logic to accomodate filter metadata matching over both [list] and value type constraints. Signed-off-by: Venil Noronha <veniln@vmware.com> * Add extra experimental. prefix test for matching This adds an extra experimental. prefix test while creating metadata matchers based on Envoy filters. Signed-off-by: Venil Noronha <veniln@vmware.com> * Update comments This updates code comments. Signed-off-by: Venil Noronha <veniln@vmware.com> * add POST to ratings service to demonstrate security policies on HTTP Methods (#10778) * add POST to ratings service * put a space between if and opening parenthesis * add comments * remove extra line-break * Enable remote clusters to check/report to local Mixer (#11585) * Print error message if istio-sidecar-injector invalid, allow toJson as synonym for toJSON (#11570) * Fix racetest in fluentd test (#11647) * Bump the number of connection that can be re-use in Citadel (#11641) * Bump the number of connection that can be re-use in Citadel * A small fix * First cut of xDS APi structural testing using the new integration tests (#11406) * Fixes for k8s ingress (#11343) * Fix ingress in pilot, writeback and multiple namespaces * Fix tests, format * Fix test - the generated service should be left in the namespace of ingress * Additional test fixes, match the new 1.1 semantics * Again make fmt and lint not matching * Break up the helloworld sample into versions (#11650) * Break up the helloworld sample into versions * Moved to default namespace * Seperated gateway file and added labels * Update the doc * Cleanup section updated too * Fix build break due to #11406. 
(#11677) https://k8s-gubernator.appspot.com/build/istio-prow/pr-logs/pull/istio_istio/11645/istio-integ-local-tests/5215 * make stackdriver e2e test cluster wide (#11674) * Add handling for independent encoding in Report batches to Mixer (#11640) * Add handling for independent encoding in Report batches to Mixer * fix lll * Address review * protect protobag done * exit circleci test early if setup fails (#11572) * wip: exit circleci test early if setup fails Many of the circleci tests will attempt to run the e2e/integration tests even after the test setup fails. This leads to misleading test failures that suggest the problem is with the feature test and not the test setup itself. Example test runs where the setup failed and the test was run but immediately errored out because a dependency was missing: https://circleci.com/gh/istio/istio/316588 https://circleci.com/gh/istio/istio/317262 https://circleci.com/gh/istio/istio/318281 https://circleci.com/gh/istio/istio/316031 https://circleci.com/gh/istio/istio/315952 https://circleci.com/gh/istio/istio/315871 https://circleci.com/gh/istio/istio/315813 ref: https://circleci.com/docs/2.0/configuration-reference/#the-when-attribute ``` By default, CircleCI will execute job steps one at a time, in the order that they are defined in config.yml, until a step fails (returns a non-zero exit code). After a command fails, no further job steps will be executed. Adding the when attribute to a job step allows you to override this default behaviour, and selectively run or skip steps depending on the status of the job. The default value of on_success means that the step will run only if all of the previous steps have been successful (returned exit code 0). A value of always means that the step will run regardless of the exit status of previous steps. This is useful if you have a task that you want to run regardless of whether the previous steps are successful or not. 
For example, you might have a job step that needs to upload logs or code-coverage data somewhere. ``` * re-add `when: always` to codecov job * Implementation of isolation for EDS (#11672) * Implementation of isolation for EDS * Provide nil proxy for older calls * Always call loadAssignmentsForClusterIsolated * Revert "Always call loadAssignmentsForClusterIsolated" This reverts commit db2c997. * Env variable to disable * Lint * Environment Variable controlled Graceful Termination with low defaults. (#11630) * Feature flag graceful shutdown Turn graceful shutdown off by default for 1.1 with a feature flag that allows users to opt-in. Signed-off-by: Liam White <liam@tetrate.io> * Address pr comments Signed-off-by: Liam White <liam@tetrate.io> * Clean up missed feature flag var Signed-off-by: Liam White <liam@tetrate.io> * Add turn off test case, todo comments and fix agent tests Signed-off-by: Liam White <liam@tetrate.io> * fix lint Signed-off-by: Liam White <liam@tetrate.io> * PR review comments Signed-off-by: Liam White <liam@tetrate.io> * Move TerminationDuration function and tests to Pilot features Signed-off-by: Liam White <liam@tetrate.io> * Update Proxy SHA to latest (release-1.1). (#11687) Signed-off-by: Piotr Sikora <piotrsikora@google.com> * Add empty check for proxy's locality (#11681) Make sure empty proxy locality will fall back to using proxy service's instance locality. * Increase sleep value to account for Galley default aggregation of 1 sec with MCP (#11685) * cache ServiceAccounts and remove it drom Environment (#11442) * cache ServiceAccounts and remove it drom Environment * use allServices var * fix ut * Adding Envoy bootstrap template for a custom Pilot implementation. (#11395) * Adding Envoy bootstrap template for a custom Pilot implementation. New template connects to Pilot using Google gRPC Envoy client, which allows to perform authz by passing additional credentials. Placed into install/gcp due to being GCP installation specific. 
To enable this template, introducing {{ .discovery_address }} variable, which passes --discoveryAddress flag value "as is", without splitting it into address/port_value parts as currently done for the {{ .pilot_grpc_address }} variable. * Removing static interception listener from gcp_envoy_bootstrap.json as it is generated by the Pilot.
* Incremental EDS only need updated service names (#11117) * Configure envoy_bootstrap_v2.json to use the configured admin port (#11214) * Configure envoy_bootstrap_v2.json to use the configured admin port * Also set the prometheus_stats cluster's port * Fix bootstrap tests that override admin port * Allow ipv6 local traffic. (#10738) * Allow specifying multiple egress host entries with same namespace (#11258) * allow multiple hosts in same namespace in sidecar egress host Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * merge Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * undo Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * nit Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * lint Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * Galley: Include full Pod resource (#11323) The ServiceEntry transformation requires the Pod status, which is not included in the PodSpec. We need to pass through the entire Pod proto, so that it's available for the conversion. * Delete the obsolete service control adapter. (#11275) * [DO NOT MERGE] Rollout Status timeout during e2e tests (#10996) Addresses issue #9685 * Disable shared span context by default (#11281) * Add logic to kubeenv adapter Close() to clean-up resources (#10839) * Add logic to kubeenv adapter Close() to clean-up resources * Add extra logging and robustness to daemon shutdown checking in runtime * WIP * Revert "WIP" This reverts commit 74f22ec. * Increase unit test coverage * Address review comments * Ensure xenial base image present before building proxy_init (#11277) * Update codecov to use skip file as threshold as well (#11294) * Fix e2e-simple test flake (#11271) * Fix e2e-simple test flake istio-init.yaml was not being applied. Atleast on bare metal, this caused e2e-simple to fail nearly 100% of the time in a race between the kubeapi server applying CRD's and the applicaton of custom resources in the manifest. 
This problem is less pervasive on slower (vm) environments. * Fix a spelling error complaint from linter * integrate new MCP stack into galley, pilot, and mixer (#11292) This PR integrates the new MCP source/sink stack into Galley, Pilot, and Mixer. The old stack is temporarily retained while we complete extended scale/perf testing. * Revert "Fix e2e-simple test flake (#11271)" (#11331) This reverts commit f993e46. * Update README.md (#9501) * Add response_flags to metrics and logs (#9945) * Use sdsName from Gateway config as the resource name in sds config (#11239) * Use sdsName from Gateway config as the resource name in sds config * Add test * goimports * Fix lint * Fix test * mixer: pod policy override (#10886) * implement injection and override Signed-off-by: Kuat Yessenov <kuat@google.com> * lint Signed-off-by: Kuat Yessenov <kuat@google.com> * review Signed-off-by: Kuat Yessenov <kuat@google.com> * mend * annotation from node metadata Signed-off-by: Kuat Yessenov <kuat@google.com> * fix a bug Signed-off-by: Kuat Yessenov <kuat@google.com> * Adding --controlPlaneBootstrap pilot-agent flag (#11212) * Adding --controlPlaneBootstrap pilot-agent flag to explicitly enable generation of Envoy bootstrap for Istio control plane components. Only effective when --templateFile is provided as well. If --templateFile is provided, but --controlPlaneBootstrap=false, then template file will be passed through regular bootstrap config processing, replacing default bootstrap config template. Default flag value is "true" to be backward-compatible with existing behavior, so that no other changes are required by other components that rely on pilot-agent for control plane bootstrap config generation. * Adding TODO to clean up Mixer and Pilot to use standard template Mixer and Pilot use custom Envoy bootstrap templates, that have special processing in pilot-agent. They should migrate to the standard bootstrap template and special processing should be removed from pilot-agent. 
* Fixing formatting errors on pilot/cmd/pilot-agent/main.go * [Galley] Restructure runtime package to support multiple states. (#11325) * [Galley] Restructure runtime package to support multiple states. This is a follow-on to #11162 that moves the runtime state as well as its previously package-private dependencies into their own packages. This allows new "states" to exist in separate packages under runtime. * addressing comments * addressing comments * extend istio-multi rbac rule (#11339) * Galley file-source was occluding resources with the same name with different types in the same file (#11257) * Only add localhost IP if no other IP address were found (#11367) * not make PDB configurable (#11330) * not allow users to configure pdb * remove maxUnavailable * incorporate google CA's merge APIs change in nodeagent (#11341) * merge api * remove extra line * Revert "Location based Load Balancing (#10720)" (#11371) This reverts commit 3f05706. * Support multiple Citadels running in one cluster. (#11312) * Support multiple Citadels running. * Small fix. * Small fix. * Small fix. 
* consistent autoscaling config among control plane components (#11376) * consistent autoscaling config among control plane components * address Yossi comment * add missing end * use spec here * support namespace/host in gateway (#11290) * assorted cleanups Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * undo Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * Loosen secret type for ingress gateway (#11385) * set conccurency according to cpu resource limit/request if it is not set (#11311) * set conccurency according to cpu resource request if it is not set * address comments * fix ut * fix ut * fix ut * run dep ensure * cache proxy service instances to improve performance (#11368) * cache proxy service instances to improve performance * address comments & fix ut * Support gateway agent to read TLS secret set by cert-manager (#11399) * read tls secret format * Update test * fix lint * fix lint * fix lint * update test * format * fix lint * fix lint * mixer: option for alternative language runtime (#11391) * split the original PR Signed-off-by: Kuat Yessenov <kuat@google.com> * add annotation support Signed-off-by: Kuat Yessenov <kuat@google.com> * Fix simpletest flake in citadel testing (#11360) * Fix simpletest flake in citadel testing A PR was merged ~4 weeks ago which introduced built-in testing of the Helm charts. The readiness testing in these Helm chart tests were defective. This problem was masked by a silently failing gate. 
(cherry picked from commit bf9bc7b) * Fix a flaky e2e_simpleTests (#11408) * Add retries and delay trying to test connection to prometheus * Also retry on connection refused errors * Workaround due to old version of curl in proxy (cherry picked from commit 0e937c7) * Increase integ test deployment timeout (#11423) * Increase integ test deployment timeout * Skip flaky/failing TestTcpMetric * Remove post-install job and (kubectl) apply security policy CRs to k8s directly (#11248) (#11418) * Remove post-install job and (kubectl) apply security policy CRs to k8s directly * Fix condition logic * Exit on fatal logs (#11335) * Exit on fatal logs * Do not call Fatalf in the middle of Galley code * envoy: use any instead of struct (#11419) * fix tests Signed-off-by: Kuat Yessenov <kuat@google.com> * fix framework assuming json Signed-off-by: Kuat Yessenov <kuat@google.com> * add gates Signed-off-by: Kuat Yessenov <kuat@google.com> * Loops ends after first iteration (#11378) (#11383) * Adding istio-init chart to release (#11443) (#11445) * fix superfluous condition in pdb. (#11413) * Set seconds as the value of MaxAge instead of Duration.String (#11447) * Allow identity domain to be configured in istio: Ensure e2e tests are working with different identity domain (#9226) * Refactor identity domain handling and adapt unit tests Co-authored-by: Ulrich Kramer <u.kramer@sap.com> * Fix goimports error * set role.TrustDomain in pilot main Co-authored-by: Holger Oehm <holger.oehm@sap.com> * Add end to end test e2e_bookinfo_trustdomain Co-authored-by: Holger Oehm <holger.oehm@sap.com> * Use .Values.global.trustDomain as trustDomain for citadel Co-authored-by: Holger Oehm <holger.oehm@sap.com> * Removed commented out code Co-authored-by: Jakob Schmid <jakob.schmid@sap.com> * Remove fallback to domain for trust domain This became necessary due to #11050, which always set the domain command line flag for executables. 
But we didn't expect this flag to have two different meanings (dns-domain and domain-suffix). Co-authored-by: Ulrich Kramer <u.kramer@sap.com> * Tls fix (#11455) * revert deleted TLS validation logic * lint fixes * Make TestDuplicateResourceNamesDifferentTypes have consistent ordering. (#11456) * Adding support for named components to the test framework (#11440) Each component can be created with a name and optionally a configuration. This allows multiple echo instances, policy backends, envoy proxies, etcetera to be managed independently. Also adding a standard way to configure components but support for that is in a followup. * Galley support for MCP Source Client dial out (#11291) * Auth plugin to be used for Galley callout. * Lint * Add unit tests. * Mock Google credentials * Galley callout code. * Review comments, fix client_source test. * Lint * Switch callout.go to use patch table for test vars. * Rename callout cli args. * Increase coverage * newcallout args, syncWG change. * Fatal->Error * Review comments * Review comments. * Update metadata model. (#11477) This is split out from #11293 Supporting work for #10497 and #10589 * [pilot] Export virtual service and destination rule metadata (#11384) * [pilot] Export virtual service and destination rule metadata * fixup bad rebase * restore lost test * Small fixes * use URL for rule uid and config as key * goimports * update unit tests to match code changes in previous commit * goimports, redux * Randomize Galley ports for integration testing (#11285) * Randomize Galley port for code-coverage runs. * Remove runaway empty test. * Update istio-proxy for source.uid fix (#11428) * Update gateway_test.go to check for overrides * update to include new proxy * linter fix * update client tests for whitelisted attributes * use source fixed build * disable TestSecretCreationKubernetes (#11479) * Fix e2e-simple test flake (#11356) (#11481) istio-init.yaml was not being applied. 
Atleast on bare metal, this caused e2e-simple to fail nearly 100% of the time in a race between the kubeapi server applying CRD's and the applicaton of custom resources in the manifest. This problem is less pervasive on slower (vm) environments. (cherry picked from commit 1caa6ce) * Enhance MCP index function to support multiple groups (#11478) This is split out from #11293 In #11293 we modify the index function to return a different group when choosing the synthetic ServiceEntry collection. Support for #10497 and #10589 * Zipkin adapter supporting the tracespan template (#11282) (#11483) * Zipkin adapter supporting the tracespan template (#11282) * Zipkin adapter supporting the tracespan template * Refactored generic OpenCensus trace support into a helper package * Use this to implement Zipkin support using OpenCensus Zipkin exporter * regenerate template. * lint. move crd. * dep ensure. * new line. * add zipkin to galley. * dep ensure * Default exports, and config root namespace (#11387) * default exportTo flags Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * format Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * nit Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * compile fix Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * helm stuff Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * istio-config namespace and default sidecar scope Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * spell fix Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * nits Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * reorder initialization steps Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * test compile fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * helm tweaks Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * missing helm file * allow ~ in sidecar imports Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * bad copy paste Signed-off-by: Shriram Rajagopalan 
<shriramr@vmware.com> * test fix Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * undo framework change Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * Revert "bad copy paste" This reverts commit 934b54a. * Revert "missing helm file" This reverts commit 992685d. * Revert "helm tweaks" This reverts commit 5b78b92. * redos Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * lists Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * quotes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * tests Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * undos Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * Fixing race condition in Galley Server.Close() (#11484) The issue was introduced by #11285 It causes a race with the startup of the gRPC server, which leads to a segfault. From prow logs: ``` === RUN TestServer_Basic 2019-02-01T20:33:05.867746Z info ControlZ available at 10.44.58.28:9876 2019-02-01T20:33:05.867968Z info ControlZ terminated 2019-02-01T20:33:05.867987Z info runtime Stopping processor... 2019-02-01T20:33:05.868000Z warn runtime Processor has already stopped 2019-02-01T20:33:05.867798Z info runtime Starting processor... 
panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x9e4bc8] goroutine 148 [running]: istio.io/istio/vendor/google.golang.org/grpc.(*Server).Serve(0xc42046d080, 0x0, 0x0, 0x0, 0x0) /home/prow/go/src/istio.io/istio/vendor/google.golang.org/grpc/server.go:522 +0x748 istio.io/istio/galley/pkg/server.(*Server).Run.func1(0xc4202d9490) /home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:242 +0xfb created by istio.io/istio/galley/pkg/server.(*Server).Run /home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:233 +0x5c FAIL istio.io/istio/galley/pkg/server 0.383s ``` * add labels to services and deployments (#11503) * Quote accessLogFormat in configmap template in helm chart (#11449) (#11490) * Make custom gateway works (#11320) Signed-off-by: clyang82 <clyang@cn.ibm.com> * Add missing values global object and template (#11500) * Envoy Graceful Shutdown (#11485) * Add Draining bootstrap to Proxies Signed-off-by: Liam White <liam@tetrate.io> * Drain open connections Signed-off-by: Liam White <liam@tetrate.io> * typo and makefile fix for drain config Signed-off-by: Liam White <liam@tetrate.io> * Add proxy agent tests for draining Signed-off-by: Liam White <liam@tetrate.io> * appease our golangcibot overlord Signed-off-by: Liam White <liam@tetrate.io> * Windows Go doesn't have syscall.Kill Signed-off-by: Liam White <liam@tetrate.io> * Skip spybackend test when in racetest (#11497) (#11506) * Workaround to make racetest skip this test due to low memory * Lint * Add mixer status to access log (#11471) * Add mixer status to access log Signed-off-by: Lizan Zhou <lizan@tetrate.io> * review Signed-off-by: Lizan Zhou <lizan@tetrate.io> * fixing default exports (#11507) Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * Fix 10971 p1 injector (#11512) * Fix global DNS resolution in sidecar injector The dnsConfig key was not honored by the sidecar injector. 
This PR ensures the dnsConfig key is honored by the sidecar injector. This enables the injected application can resolve DNS, but does not solve routing via RDS. Routing via RDS needs a followup PR. * Fix syntax error in sidecar injector template * HTTP probe rewrite for webhook part. (#10470) * injector changes for health check, pilot agent take over app readiness check. (#9266) * WIP injector change to modify istio-proxy. * move out to app_probe.go * Iterating sidecartmpl to find the statusPort. * use the same name for ready path. * Get rewrite work, almost. * Some clean up on test and check one container criteria. * fix the injected test file. * Add inject test for readiness probe itself. * Add missing added test file. * fix helm test. * fix lint. * update header based finding the port. * return to previous injected file status. * fixing TestIntoResource test. * sed fixing all remaining injecting files. * handling named port. * fixing merginge failure. * remove the debug print. * lint fixing. * Apply the suggestions for finding statusPort arg. * Address comments, regex support more port value format. * add app_probe_test.go * add more test. * merge fix the test. * webhook autoinject is ready for review. * Squashed commit of the following: commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 18:13:30 2019 -0800 renaming env var. commit 1a82b2c0de292a34643f59ce802858c8d26a7a46 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 17:59:25 2019 -0800 finish migrating test to yaml file based. commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 13:55:00 2019 -0800 get test working. commit 28225cd409c7790636c11da74ad8f69d0e7cf89b Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 13:49:58 2019 -0800 WIP add some test files. 
  commit 612b8aa3db468850d8e34f47d0dc05c536f57dde Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 13:13:06 2019 -0800 WIP changing to using the environment var.
  commit 7dabcb1695fa375de1b93add014528ae7509c94c Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 10:52:47 2019 -0800 add todo for the tests.
  commit 7af6ba524176616d67d35867665225e27f4a96ce Merge: ca22277 4b7b13a Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 10:47:17 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip
  commit ca22277 Merge: 98fd48f 744b07a Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 23:15:34 2019 -0800 Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip
  commit 98fd48f Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 23:15:00 2019 -0800 findsidecar.
  commit 744b07a Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 22:29:28 2019 -0800 add FindSidecar.
  commit 40ed002 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 21:55:51 2019 -0800 refactor some code.
  commit 0fdbb2e Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 18:19:32 2019 -0800 Integration test works and fixing a bug.
  commit 5085dfd Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 16:09:13 2019 -0800 all inject tests pass.
  commit fe3f156 Merge: a2a7744 010d5c2 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 15:22:18 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip
  commit a2a7744 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 15:16:04 2019 -0800 update the TestWebhookInject.
  commit 36fd45c Author: Jianfei Hu <jianfeih@google.com> Date: Fri Jan 25 12:13:21 2019 -0800 some document
  commit 88dc922 Author: Jianfei Hu <jianfeih@google.com> Date: Fri Jan 25 11:43:44 2019 -0800 new version works for kubeinject, webhook unit test.
  commit 6efa0d6 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 18:17:38 2019 -0800 WIP working on modifying sidecar.Args first, then modify app container patch.
  commit 65a2194 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 15:20:36 2019 -0800 WIP add what's missing to get e2e test working.
  commit 1595e87 Merge: 256d963 ac78a55 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 13:26:05 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject
  commit 256d963 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 12:14:04 2019 -0800 add some debugging log.
  commit f700963 Merge: bdce721 c7eb603 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 10:57:43 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject
  commit bdce721 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 18:04:37 2019 -0800 refactor to host something up to caller.
  commit b51763c Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 16:31:32 2019 -0800 get everything works.
  commit 0815695 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 15:48:27 2019 -0800 kubeinject test is working.
  commit 14c99b5 Merge: d626bb8 5ea7962 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 15:38:30 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject
  commit d626bb8 Merge: 3561ae0 66153da Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 15:38:23 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject
  commit 3561ae0 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 16:49:44 2019 -0800 WIP, policy is not taking effect, test passing without rewrite.
  commit a9bef0f Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 16:31:08 2019 -0800 fix the json path in the patch.
  commit f1aee91 Merge: 3a7eb48 abc53e1 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 14:03:49 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject
  commit 3a7eb48 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 13:57:55 2019 -0800 fix it, removing namespace since metadata not matching will fail for kubeapply
  commit 2b12034 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 11:58:39 2019 -0800 WIP, debugging why mtls policy is not showed up.
  commit 72e9c4e Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 15 17:24:16 2019 -0800 working on integration2 test framework.
  commit 90c1cce Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 15 17:04:38 2019 -0800 add small comments.
  commit 92a0eda Merge: 7f5c8cb e45242c Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 15 16:43:47 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject
  commit 7f5c8cb Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 18 09:37:53 2018 -0800 check rewriteAppProbe separately.
  commit e2707c9 Merge: 20f02c0 1ae6b4f Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 18 09:01:37 2018 -0800 Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject
  commit 20f02c0 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 18 08:59:57 2018 -0800 duplicate the rewrite logic.
  commit 4894cb1 Merge: 3b3bcbf d8c4579 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 18 08:53:44 2018 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject
  commit 1ae6b4f Author: Jianfei Hu <jianfeih@google.com> Date: Mon Dec 17 21:56:51 2018 -0800 address comments.
  commit 3b3bcbf Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 15:24:33 2018 -0800 massage comments.
  commit ccd670d Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 15:15:50 2018 -0800 helm flag is off, so change the expected output.
  commit 43522c1 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 15:09:46 2018 -0800 make webhook support rewriteAppHTTPProbe flag.
  commit f60f18f Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 12:03:04 2018 -0800 fixing the merge typo.
  commit 05bbadf Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 11:56:38 2018 -0800 remove unnecessary changes in test for debugging.
  commit a81eacb Merge: af1a679 f6b0ddc Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 11:53:07 2018 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject
  commit af1a679 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 18:07:19 2018 -0800 fixing all the test.
  commit 58d0bef Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 17:51:34 2018 -0800 Get TestInject happy.
  commit fcd0ae2 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 17:49:42 2018 -0800 make TestHelmInject happy.
  commit 7a3ffc8 Merge: fcca1f8 bd1631b Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 16:53:01 2018 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject
  commit fcca1f8 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 16:18:20 2018 -0800 get webhook_test.TestInject working.
  commit 06f517c Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 16:10:55 2018 -0800 restructure app_probe_test working for both.
  commit 7142e96 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 13:19:41 2018 -0800 starting to work on serious test
  commit a3dfb97 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 11:50:19 2018 -0800 prototyping get familiar with the test.
  commit 51659da Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 11:05:51 2018 -0800 wip for adding test.
* resolve appprobetest.
* update the golden due to another injector change.
* remove unnecessary files in this pr.
* remove the test framework change.
* remove unnecessary testdata file.
* DeepCopy used.
* fix lint.
* Add longer timeouts for Galley tests. (#11517)
  Addresses #11464
* Locality based load balancing for strict dns clusters (#11381)
* rework locality based load balancing
  Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* simplify
  Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* lint
  Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* bad merge
  Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* lint
  Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* lint again
  Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* Update pilot/pkg/networking/core/v1alpha3/cluster.go
  Co-Authored-By: rshriram <rshriram@users.noreply.github.com>
* move load balancer setting to a separate pkg
* should also apply applyLocalityLBSetting for non-cached outbound clusters
* set cluster locality_weighted_lb_config
* fix ci
* enable LocalityWeightedLbConfig only when cluster has outlier detection
* address comments
* Correct Citadel server log. (#11361)
* Correct Citadel server log.
* Small fix.
* Remove sidecar injection in istio-init jobs (#11317)
  This PR aims to solve a problem where the injector is running but a new job is added in an upgrade scenario. In this condition the job is injected, which can result in errors contacting the injector.
* Only require go.opencensus.io on Linux (#11327)
* Only require go.opencensus.io on Linux
* Ran fmt.sh and goimports against the stats_linux.go file.
  Signed-off-by: Jason Clark <jason.clark.oss@gmail.com>
* Remove the istio-remote chart and make it an istio chart values (#11307)
* Remove the istio-remote chart and make it an istio chart values
* By default tracing should be disabled in remote as it's unsupported
* Fixing the path to values file in e2e MC test
* Fixing istio-pilot-multicluster-e2e.sh
* Correction for previous commit
* Better way to remove MeshPolicy on remote yaml
* Newline
* Newline
* Remove redundant and
* Fix for flakes in TestSource_MangledNames (#11538)
  The source of the panic appeared to be access to the labels, which were not being explicitly set on the Unstructured object. This PR sets them directly, so that should no longer be an issue.
  Fixes #11532
* Use istio namespace for global destination rule to avoid overwriting mixer policy (#11546)
* Change default monitoring port (#11421)
* Change default monitoring port
  Update the default monitoring port from 9093 to 15014.
* Fix test cases
* Hardcode the monitoringPort in istio-remote
* Use credentialName to specify credential resource name and support mTLS for external cert management at ingress gateway. (#11496)
* use CredentialName for SIMPLE
* cvc
* rootca
* update test.
* update test
* fix format
* update gateway config
* fix test
* fix lint
* fix test
* add comments.
* add nolint
* update cvc
* update
* update
* update
* update
* update
* update
* format
* dep ensure --update istio.io/api
* Revise per comments
* Revise
* lint
* Add MCP stress test suite (#11465)
* add -labels option to mcpc for testing and debug
* fix typo in source CollectionOptions name
* increase queue test coverage to 100%
* add more tests for incremental mcp option (still off by default)
* add mcp stress test suite
* fix unit tests
* review comments and add README.md
* run goimports
* fix some wording
* fix bad merge
* formatting
* rebase stress test on latest snapshot group changes
* math.Rand is not safe for concurrent use
* address review comments
* add missing file
* plumb through serverIncSupported
* rename test file
* changing the default limits for init proxy (#11540)
* Add readiness check for Ingress Gateway (#3063) (#11001) (#11548)
  Enabling the same readiness probe for Ingress Gateway that is being used for sidecars.
* istioctl proxy-status should only exec into running pilot pods (#11539)
  istioctl proxy-status uses kubectl exec on pilot pods to extract debug and diagnostic information. Use `--field-selector=status.phase=Running` to only exec into pods that are actually running.
  fixes #11488
* increase control plane component replicas during upgrade test (#11389)
* add multiple control plane component
* remove space
* Allow specify the path for SDS k8s token (#11460)
* Allow specify SDS token path
* Change the default value to empty string
* Rephrase the comment for sds token path
* Address review comments
* Change to use node metadata to pass SDS token path
* Address review comments (e.g., remove static variable)
* Use SDS token path if it is set
* remove chart.version label in pod template. (#11302)
* remove deprecated 'refreshInterval' option in chart. (#11412)
* remove deprecated option in chart.
* fix CI issue.
* Disable agent TestFull test. (#11562)
* remove istio cni subchart tar from source. (#11230)
* Moved subcharts into the istio chart (#11558)
* Moved subcharts into istio charts
* Removed helm dep update calls
* Removed also programmatic helmDepUpdate calls
* Removing helm package call not necessary anymore
* Fix non-Linux builds. (#11580)
* add debug logs to print cert chain (#11575)
* revert #11558 Moved subcharts into the istio chart (#11597)
* add multiple control plane component
* remove space
* Revert "Moved subcharts into the istio chart (#11558)"
  This reverts commit a5f9e9b.
* add missing attribute declarations (#11595)
  Signed-off-by: Kuat Yessenov <kuat@google.com>
* Fix a few doc issues. (#11596)
* Update istio/api to #3094619 release 1.1 subject_alt_names in Service… (#11541)
* Update istio/api to #3094619 release 1.1 subject_alt_names in ServiceEntry
* Comment out sdsName
* Linter fix
* more linter fixes
* Comment out SDS test
* run bin/fmt.sh
* Skip gateway sds test completely
* Use issue # in t.Skip()
* revert sds changes
* Fix racetest in SDS service (#11615)
* Set the serviceCluster namespace based on env var, to also support specifying namespace on cli after kubeinject (#11587)
* Make image pull policy configurable in Makefile (#10269)
* Adds missing 1.1 attribute data to testdata for integration tests (#11313)
  The request.url_path and request.query_params attributes have been added as of istio 1.1 These are required in the testdata attributes manifest in order for them to be useable in the integration test framework.
* Doc fixes. (#11619)
* [mixer:stackdriver] Initial changes to support dst svc edges in graph (#11426)
* Initial changes to support dst svc edges
* Add istio service to k8s service member relation
* Refactor of edge logic and add test
* Add <workload, service> relations
* Fix routing when DNS is resolved (#11522)
  The DNSDomain variable needs to be enhanced to include more than one DNS entry. Change DNSDomain to DNSDomains as a meta and add the dnsConfig in the meta.
  As now DNSDomain is a slice of strings instead of a string, the variable needs consolidation.
* adjust galley dashboard time range (#11627)
* Add update permissions to deployments/finalizers for galley clusterrole (#11586) (#11631)
  (cherry picked from commit f9b6866)
* [release-1.1] Update fluentd adapter to be more robust (#11623)
* Update fluentd adapter to be more robust
* Minor touchup of bad merge
* Lint fixes
* Fix kubernetesenv workload attributes for multicluster with one control plane (#11581)
* remove myself from pilot OWNERS (#11632)
* remove me (#11636)
  Signed-off-by: Kuat Yessenov <kuat@google.com>
* add debug logs for citadel authenticate fail (#11633)
* move apply plugin below buildscript (#11625)
  The Cloud Foundry open source licensing scanner has a plugin that identifies dependencies from gradle scripts, but it requires the buildscript and plugins block be before anything else in the file. This change does not affect the build, but makes our lives a smidge easier.
  Co-authored-by: Teal Stannard <tstannard@pivotal.io>
* check key.pem (#11599)
* Sample ServiceEntries for apt-get, pip, and git tools showing how to grant access to mesh. (#11508)
* Samples for accessing apt-get repo, Github, and pip repo
* A Readme explaining the samples
* Link to future doc on default external comm capability
* Incorporate documentation feedback from venilnoronha
* Add support for metadata constraints in RBAC (#11459)
* Add support for metadata constraints in RBAC
  This adds support for mapping RBAC constraints with keys in the a[b] format to Envoy's filter metadata matcher.
  Signed-off-by: Venil Noronha <veniln@vmware.com>
* Use SplitN instead of Split for completeness
  This updates the metadata matcher definition to use strings.SplitN instead of strings.Split in order to capture the whole binary key in two parts.
  Signed-off-by: Venil Noronha <veniln@vmware.com>
* Accommodate [list] and plain value type constraints
  This adds logic to accommodate filter metadata matching over both [list] and value type constraints.
  Signed-off-by: Venil Noronha <veniln@vmware.com>
* Add extra experimental. prefix test for matching
  This adds an extra experimental. prefix test while creating metadata matchers based on Envoy filters.
  Signed-off-by: Venil Noronha <veniln@vmware.com>
* Update comments
  This updates code comments.
  Signed-off-by: Venil Noronha <veniln@vmware.com>
* add POST to ratings service to demonstrate security policies on HTTP Methods (#10778)
* add POST to ratings service
* put a space between if and opening parenthesis
* add comments
* remove extra line-break
* Enable remote clusters to check/report to local Mixer (#11585)
* Print error message if istio-sidecar-injector invalid, allow toJson as synonym for toJSON (#11570)
* Fix racetest in fluentd test (#11647)
* Bump the number of connection that can be re-use in Citadel (#11641)
* Bump the number of connection that can be re-use in Citadel
* A small fix
* First cut of xDS API structural testing using the new integration tests (#11406)
* Fixes for k8s ingress (#11343)
* Fix ingress in pilot, writeback and multiple namespaces
* Fix tests, format
* Fix test - the generated service should be left in the namespace of ingress
* Additional test fixes, match the new 1.1 semantics
* Again make fmt and lint not matching
* Break up the helloworld sample into versions (#11650)
* Break up the helloworld sample into versions
* Moved to default namespace
* Separated gateway file and added labels
* Update the doc
* Cleanup section updated too
* Fix build break due to #11406. (#11677)
  https://k8s-gubernator.appspot.com/build/istio-prow/pr-logs/pull/istio_istio/11645/istio-integ-local-tests/5215
* make stackdriver e2e test cluster wide (#11674)
* Add handling for independent encoding in Report batches to Mixer (#11640)
* Add handling for independent encoding in Report batches to Mixer
* fix lll
* Address review
* protect protobag done
* exit circleci test early if setup fails (#11572)
* wip: exit circleci test early if setup fails
  Many of the circleci tests will attempt to run the e2e/integration tests even after the test setup fails. This leads to misleading test failures that suggest the problem is with the feature test and not the test setup itself.
  Example test runs where the setup failed and the test was run but immediately errored out because a dependency was missing:
  https://circleci.com/gh/istio/istio/316588
  https://circleci.com/gh/istio/istio/317262
  https://circleci.com/gh/istio/istio/318281
  https://circleci.com/gh/istio/istio/316031
  https://circleci.com/gh/istio/istio/315952
  https://circleci.com/gh/istio/istio/315871
  https://circleci.com/gh/istio/istio/315813
  ref: https://circleci.com/docs/2.0/configuration-reference/#the-when-attribute
  ```
  By default, CircleCI will execute job steps one at a time, in the order that they are defined in config.yml, until a step fails (returns a non-zero exit code). After a command fails, no further job steps will be executed. Adding the when attribute to a job step allows you to override this default behaviour, and selectively run or skip steps depending on the status of the job. The default value of on_success means that the step will run only if all of the previous steps have been successful (returned exit code 0). A value of always means that the step will run regardless of the exit status of previous steps. This is useful if you have a task that you want to run regardless of whether the previous steps are successful or not. For example, you might have a job step that needs to upload logs or code-coverage data somewhere.
  ```
* re-add `when: always` to codecov job
* Implementation of isolation for EDS (#11672)
* Implementation of isolation for EDS
* Provide nil proxy for older calls
* Always call loadAssignmentsForClusterIsolated
* Revert "Always call loadAssignmentsForClusterIsolated"
  This reverts commit db2c997.
* Env variable to disable
* Lint
* Environment Variable controlled Graceful Termination with low defaults. (#11630)
* Feature flag graceful shutdown
  Turn graceful shutdown off by default for 1.1 with a feature flag that allows users to opt-in.
  Signed-off-by: Liam White <liam@tetrate.io>
* Address pr comments
  Signed-off-by: Liam White <liam@tetrate.io>
* Clean up missed feature flag var
  Signed-off-by: Liam White <liam@tetrate.io>
* Add turn off test case, todo comments and fix agent tests
  Signed-off-by: Liam White <liam@tetrate.io>
* fix lint
  Signed-off-by: Liam White <liam@tetrate.io>
* PR review comments
  Signed-off-by: Liam White <liam@tetrate.io>
* Move TerminationDuration function and tests to Pilot features
  Signed-off-by: Liam White <liam@tetrate.io>
* Update Proxy SHA to latest (release-1.1). (#11687)
  Signed-off-by: Piotr Sikora <piotrsikora@google.com>
* Add empty check for proxy's locality (#11681)
  Make sure empty proxy locality will fall back to using proxy service's instance locality.
* Increase sleep value to account for Galley default aggregation of 1 sec with MCP (#11685)
* cache ServiceAccounts and remove it from Environment (#11442)
* cache ServiceAccounts and remove it from Environment
* use allServices var
* fix ut
* Adding Envoy bootstrap template for a custom Pilot implementation. (#11395)
* Adding Envoy bootstrap template for a custom Pilot implementation.
  New template connects to Pilot using Google gRPC Envoy client, which allows to perform authz by passing additional credentials. Placed into install/gcp due to being GCP installation specific.
  To enable this template, introducing {{ .discovery_address }} variable, which passes --discoveryAddress flag value "as is", without splitting it into address/port_value parts as currently done for the {{ .pilot_grpc_address }} variable.
* Removing static interception listener from gcp_envoy_bootstrap.json as it is generated by the Pilot.
* Update bookinfo images, fix the script to bump bookinfo versions (#11701)
* add wildcard to digits in the sed regex, for setting version
* bump a minor version
* Add cli option to Galley to allow metadata on outgoing sink connections. (#11602)
* Add cli option to Galley to allow metadata on outgoing sink connections.
  For use with sinkAddress, outgoing connections to MCP sink servers will have gRPC stream metadata attached as defined by sinkMeta.
* Update sinkMeta to use key=value.
* Review comments.
* Error message if istioctl version doesn't match data plane version (#11592)
* Additional error text if istioctl version doesn't match data plane version
* Fix typo
* Revise wording of error msg
* Allow Envoy listener stats to be turned off/on with a pod annotation (#11398)
* If sidecar.istio.io/statsPatterns supplied, customize Envoy stats collection
* Versionize annotation tag
* Change annotation to sidecar.istio.io/v1alpha1/statsInclusionPrefixes per Doug Reid
* pin goimports in make fmt (#11645)
* fix fmt
  Signed-off-by: Kuat Yessenov <kuat@google.com>
* trying to run docker in circle
  Signed-off-by: Kuat Yessenov <kuat@google.com>
* trying to run docker in circle
  Signed-off-by: Kuat Yessenov <kuat@google.com>
* circling
  Signed-off-by: Kuat Yessenov <kuat@google.com>
* circling
  Signed-off-by: Kuat Yessenov <kuat@google.com>
* just dont use circle
  Signed-off-by: Kuat Yessenov <kuat@google.com>
* add comment
  Signed-off-by: Kuat Yessenov <kuat@google.com>
* Adding namespace declaration in Grafana PersistentVolumeClaim (#11314)
  When using the Helm chart with a user specific namespace and Grafana persistency enabled, the generated PersistentVolumeClaim for Grafana was missing a namespace, leading in the Grafana pod to be stuck in the Pending state.
* Fix the periodic builds, add a non-mcp to presubmit (#11703)
* Update api sha (#11709)
* issue #11244 - demo should install a default secret for kiali so out-of-box experience is nicer for users kicking the tires (#11272) (#11715)
  (cherry picked from commit 1ad4e29)
* [WIP] Fix sync issue with policy enablement and check enablement (#11707)
* Fix sync issue with policy enablement and check enablement
* Remove outdated comment
* Fix deps and broken merge for mixer test
* Fix overly restrictive golang version match
* Fix integration test framework merge issues
* Fix line length lint issue
…s. (istio#11630) * Feature flag graceful shutdown Turn graceful shutdown off by default for 1.1 with a feature flag that allows users to opt-in. Signed-off-by: Liam White <liam@tetrate.io> * Address pr comments Signed-off-by: Liam White <liam@tetrate.io> * Clean up missed feature flag var Signed-off-by: Liam White <liam@tetrate.io> * Add turn off test case, todo comments and fix agent tests Signed-off-by: Liam White <liam@tetrate.io> * fix lint Signed-off-by: Liam White <liam@tetrate.io> * PR review comments Signed-off-by: Liam White <liam@tetrate.io> * Move TerminationDuration function and tests to Pilot features Signed-off-by: Liam White <liam@tetrate.io>
Have you tested that this works? I have been unable to figure out how to configure it. I thought I needed to set Let me know if I am missing something.
It can be set using the auto-injector. Here - https://github.com/istio/istio/blob/release-1.1/install/kubernetes/helm/istio/templates/sidecar-injector-configmap.yaml#L146.
Ah, thanks for the help. The one concern I have for this is how users are going to configure this. This isn't just a flag that is turned off for now, and will be turned on once it's tested, right? Users will want to set this how they want it based on their services (some need long shutdown periods, some don't, etc). Right now they would have to manually edit the config map you linked, which makes updates either complicated or overwrite this change. Most of our other flags can be set by helm, which makes this much simpler. I think another possibility is wanting to configure this per-pod - you could have just one service with long running connections, for example. Here is an example using pod annotations to configure the sidecar-injector: istio/install/kubernetes/helm/istio/templates/sidecar-injector-configmap.yaml Lines 192 to 195 in a970ec6
And an example that has both global setting and per pod annotation: https://github.com/istio/istio/pull/11511/files Maybe we don't need the per-pod setting, but I think we should look into at least making it settable via Helm.
I agree, right now without this the timeout is effectively zero. Everything gets severed as soon as SIGTERM is received. I think the plan is for this to be moved into the API in 1.2 so users can configure on a per service basis.
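The configuration precedence discussed in the comments above (a per-pod annotation overriding a global environment setting, with a low built-in default) and the effect of a zero window at SIGTERM, written in Go as an added example; it is not code from this PR or from Istio. The environment variable name, the annotation key and the one-day cap are assumptions made for the example; the 5 second default is the value suggested in review.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"time"
)

// All names and the cap below are assumptions for this example; the thread
// does not spell them out.
const (
	drainEnvVar     = "TERMINATION_DRAIN_DURATION_SECONDS"
	drainAnnotation = "sidecar.example.invalid/terminationDrainSeconds" // hypothetical per-pod key
	defaultDrain    = 5 * time.Second
	maxDrainSeconds = 24 * 60 * 60 // assumed upper bound so a typo cannot pin a pod in Terminating
)

// parseSeconds accepts a whole number of seconds in [0, maxDrainSeconds].
// Zero is valid and means "do not drain" (the opt-out case).
func parseSeconds(raw string) (time.Duration, bool) {
	n, err := strconv.Atoi(raw)
	if err != nil || n < 0 || n > maxDrainSeconds {
		return 0, false
	}
	return time.Duration(n) * time.Second, true
}

// ResolveDrain picks the drain window and reports where it came from.
// Precedence: per-pod annotation, then environment variable, then default.
// An invalid value at one level is ignored rather than treated as zero, so a
// malformed setting never silently disables draining.
func ResolveDrain(annotations map[string]string, getenv func(string) string) (time.Duration, string) {
	if raw, ok := annotations[drainAnnotation]; ok {
		if d, valid := parseSeconds(raw); valid {
			return d, "annotation"
		}
	}
	if raw := getenv(drainEnvVar); raw != "" {
		if d, valid := parseSeconds(raw); valid {
			return d, "env"
		}
	}
	return defaultDrain, "default"
}

// WaitForDrain models what happens after SIGTERM: it blocks until in-flight
// work signals completion or the window expires. It returns true when the
// work finished in time and false when connections would be severed.
func WaitForDrain(inflightDone <-chan struct{}, window time.Duration) bool {
	if window <= 0 {
		// No window: only work that has already finished counts as drained.
		select {
		case <-inflightDone:
			return true
		default:
			return false
		}
	}
	timer := time.NewTimer(window)
	defer timer.Stop()
	select {
	case <-inflightDone:
		return true
	case <-timer.C:
		return false
	}
}

func main() {
	// Constructed input: one pod asks for a longer window than the global default.
	pod := map[string]string{drainAnnotation: "30"}
	d, src := ResolveDrain(pod, os.Getenv)
	fmt.Printf("drain window %s (from %s)\n", d, src)
}
```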
* Fix routing when DNS is resolved (#11522) The DNSDomain variable needs to be enhanced to include more then one DNS entry. Change DNSDomain to DNSDomains as a meta and add the dnsConfig in the meta. As now DNSDomain is a slice of strings instead of a string, the variable needs consolidation. * adjust galley dashboard time range (#11627) * Add update permissions to deployments/finalizers for galley clusterrole (#11586) (#11631) (cherry picked from commit f9b6866) * [release-1.1] Update fluentd adapter to be more robust (#11623) * Update fluentd adapter to be more robust * Minor touchup of bad merge * Lint fixes * Fix kubernetesenv workload attributes for multicluster with one control plane (#11581) * remove myself from pilot OWNERS (#11632) * remove me (#11636) Signed-off-by: Kuat Yessenov <kuat@google.com> * add debug logs for citadel authenticate fail (#11633) * move apply plugin below buildscript (#11625) The Cloud Foundry open source licensing scanner has a plugin that identifies dependencies from gradle scripts, but it requires the buildscript and plugins block be before anything else in the file. This change does not affect the build, but makes our lives a smidge easier. Co-authored-by: Teal Stannard <tstannard@pivotal.io> * check key.pem (#11599) * Sample ServiceEntries for apt-get, pip, and git tools showing how to grant access to mesh. (#11508) * Samples for accessing apt-get repo, Github, and pip repo * A Readme explaining the samples * Link to future doc on default external comm capability * Incorporate documentation feedback from venilnoronha * Add support for metadata constraints in RBAC (#11459) * Add support for metadata constraints in RBAC This adds support for mapping RBAC constraints with keys in the a[b] format to Envoy's filter metadata matcher. 
Signed-off-by: Venil Noronha <veniln@vmware.com> * Use SplitN instead of Split for completeness This updates the metadata matcher definition to use strings.SplitN instead of strings.Split in order to capture the whole binary key in two parts. Signed-off-by: Venil Noronha <veniln@vmware.com> * Accomodate [list] and plain value type constraints This adds logic to accomodate filter metadata matching over both [list] and value type constraints. Signed-off-by: Venil Noronha <veniln@vmware.com> * Add extra experimental. prefix test for matching This adds an extra experimental. prefix test while creating metadata matchers based on Envoy filters. Signed-off-by: Venil Noronha <veniln@vmware.com> * Update comments This updates code comments. Signed-off-by: Venil Noronha <veniln@vmware.com> * add POST to ratings service to demonstrate security policies on HTTP Methods (#10778) * add POST to ratings service * put a space between if and opening parenthesis * add comments * remove extra line-break * Enable remote clusters to check/report to local Mixer (#11585) * Print error message if istio-sidecar-injector invalid, allow toJson as synonym for toJSON (#11570) * Fix racetest in fluentd test (#11647) * Bump the number of connection that can be re-use in Citadel (#11641) * Bump the number of connection that can be re-use in Citadel * A small fix * First cut of xDS APi structural testing using the new integration tests (#11406) * Fixes for k8s ingress (#11343) * Fix ingress in pilot, writeback and multiple namespaces * Fix tests, format * Fix test - the generated service should be left in the namespace of ingress * Additional test fixes, match the new 1.1 semantics * Again make fmt and lint not matching * Break up the helloworld sample into versions (#11650) * Break up the helloworld sample into versions * Moved to default namespace * Seperated gateway file and added labels * Update the doc * Cleanup section updated too * Fix build break due to #11406. 
(#11677) https://k8s-gubernator.appspot.com/build/istio-prow/pr-logs/pull/istio_istio/11645/istio-integ-local-tests/5215 * make stackdriver e2e test cluster wide (#11674) * Add handling for independent encoding in Report batches to Mixer (#11640) * Add handling for independent encoding in Report batches to Mixer * fix lll * Address review * protect protobag done * exit circleci test early if setup fails (#11572) * wip: exit circleci test early if setup fails Many of the circleci tests will attempt to run the e2e/integration tests even after the test setup fails. This leads to misleading test failures that suggest the problem is with the feature test and not the test setup itself. Example test runs where the setup failed and the test was run but immediately errored out because a dependency was missing: https://circleci.com/gh/istio/istio/316588 https://circleci.com/gh/istio/istio/317262 https://circleci.com/gh/istio/istio/318281 https://circleci.com/gh/istio/istio/316031 https://circleci.com/gh/istio/istio/315952 https://circleci.com/gh/istio/istio/315871 https://circleci.com/gh/istio/istio/315813 ref: https://circleci.com/docs/2.0/configuration-reference/#the-when-attribute ``` By default, CircleCI will execute job steps one at a time, in the order that they are defined in config.yml, until a step fails (returns a non-zero exit code). After a command fails, no further job steps will be executed. Adding the when attribute to a job step allows you to override this default behaviour, and selectively run or skip steps depending on the status of the job. The default value of on_success means that the step will run only if all of the previous steps have been successful (returned exit code 0). A value of always means that the step will run regardless of the exit status of previous steps. This is useful if you have a task that you want to run regardless of whether the previous steps are successful or not. 
For example, you might have a job step that needs to upload logs or code-coverage data somewhere. ``` * re-add `when: always` to codecov job * Implementation of isolation for EDS (#11672) * Implementation of isolation for EDS * Provide nil proxy for older calls * Always call loadAssignmentsForClusterIsolated * Revert "Always call loadAssignmentsForClusterIsolated" This reverts commit db2c997. * Env variable to disable * Lint * Environment Variable controlled Graceful Termination with low defaults. (#11630) * Feature flag graceful shutdown Turn graceful shutdown off by default for 1.1 with a feature flag that allows users to opt-in. Signed-off-by: Liam White <liam@tetrate.io> * Address pr comments Signed-off-by: Liam White <liam@tetrate.io> * Clean up missed feature flag var Signed-off-by: Liam White <liam@tetrate.io> * Add turn off test case, todo comments and fix agent tests Signed-off-by: Liam White <liam@tetrate.io> * fix lint Signed-off-by: Liam White <liam@tetrate.io> * PR review comments Signed-off-by: Liam White <liam@tetrate.io> * Move TerminationDuration function and tests to Pilot features Signed-off-by: Liam White <liam@tetrate.io> * Update Proxy SHA to latest (release-1.1). (#11687) Signed-off-by: Piotr Sikora <piotrsikora@google.com> * Add empty check for proxy's locality (#11681) Make sure empty proxy locality will fall back to using proxy service's instance locality. * Increase sleep value to account for Galley default aggregation of 1 sec with MCP (#11685) * cache ServiceAccounts and remove it drom Environment (#11442) * cache ServiceAccounts and remove it drom Environment * use allServices var * fix ut * Adding Envoy bootstrap template for a custom Pilot implementation. (#11395) * Adding Envoy bootstrap template for a custom Pilot implementation. New template connects to Pilot using Google gRPC Envoy client, which allows to perform authz by passing additional credentials. Placed into install/gcp due to being GCP installation specific. 
To enable this template, introducing {{ .discovery_address }} variable, which passes --discoveryAddress flag value "as is", without splitting it into address/port_value parts as currently done for the {{ .pilot_grpc_address }} variable. * Removing static interception listener from gcp_envoy_bootstrap.json as it is generated by the Pilot. * Update bookinfo images, fix the script to bump bookinfo versions (#11701) * add wildcard to digits in the sed regex, for setting version * bump a minor version * Add cli option to Galley to allow metadata on outgoing sink connections. (#11602) * Add cli option to Galley to allow metadata on outgoing sink connections. For use with sinkAddress, outgoing connections to MCP sink servers will have gRPC stream metadata attached as defined by sinkMeta. * Update sinkMeta to use key=value. * Review comments. * Error message if istioctl version doesn't match data plane version (#11592) * Additional error text if istioctl version doesn't match data plane version * Fix typo * Revise wording of error msg * Allow Envoy listener stats to be turned off/on with a pod annotation (#11398) * If sidecar.istio.io/statsPatterns supplied, customize Envoy stats collection * Versionize annotation tag * Change annotation to sidecar.istio.io/v1alpha1/statsInclusionPrefixes per Doug Reid * pin goimports in make fmt (#11645) * fix fmt Signed-off-by: Kuat Yessenov <kuat@google.com> * trying to run docker in circle Signed-off-by: Kuat Yessenov <kuat@google.com> * trying to run docker in circle Signed-off-by: Kuat Yessenov <kuat@google.com> * circling Signed-off-by: Kuat Yessenov <kuat@google.com> * circling Signed-off-by: Kuat Yessenov <kuat@google.com> * just dont use circle Signed-off-by: Kuat Yessenov <kuat@google.com> * add comment Signed-off-by: Kuat Yessenov <kuat@google.com> * Adding namespace declaration in Grafana PersistentVolumeClaim (#11314) When using the Helm chart with a user specific namespace and Grafana persistency enabled, the generated 
PersistentVolumeClaim for Grafana was missing a namespace, leading in the Grafana pod to be stuck in the Pending state. * Fix the periodic builds, add a non-mcp to presubmit (#11703) * Update api sha (#11709) * issue #11244 - demo should install a default secret for kiali so out-of-box experience is nicer for users kicking the tires (#11272) (#11715) (cherry picked from commit 1ad4e29) * [WIP] Fix sync issue with policy enablement and check enablement (#11707) * Fix sync issue with policy enablement and check enablement * Remove outdated comment * Support customization of Envoy bootstrap config (#11559) (#11702) * Support customization of Envoy bootstrap config This change allows override the default Envoy bootstrap configuration for a resource. A sample is included to show how it can be used. * Format code * Fix tests * Pull in new istio/proxy. (#11717) * Add experimental support for 'allowhttp10' (#11511) * Add AcceptHttp10 option to outbound listeners based on global or per sidecar setting * Clarify this is only for 'sidecar enabled' mode * Format and lint * Move http10 option, it was overriden * Add http10 to test, remove verbose * Format * Format * Use release-1.1 images for release-1.1 branch (#11725) * guard with gateway enabled (#11732) * guard with gateway enabled * remove and * Clean up Helm RBAC rules (#11234) * Add apps apiGroup to istio-security-post-install ClusterRole * Delete empty job file * Clean up ClusterRole apiGroups * Separate Kiali's ClusterRole rules into correct API groups * Fix list indentation * Remove OpenShift-specific "projects" resource from core apiGroup * Consolidate more RBAC rules * Update all RBAC resource apiVersions to v1 * Use service hostname as SNI match for TLS ports if virtual service is missing (#11735) * Use service hostname as SNI match for TLS ports Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * tests Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * bad port name Signed-off-by: Shriram 
Rajagopalan <shriramr@vmware.com> * unique port names Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * fix stateful set Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * handle multiple streams in nodeagent (#11738) * service change * unit test * debug log * lint * remove annoying log * Add duration time to stale EDS (#11568) * Tests for drain duration function (#11691) * Tests for drain duration function Signed-off-by: Liam White <liam@tetrate.io> * Licenses... Signed-off-by: Liam White <liam@tetrate.io> * typo Signed-off-by: Liam White <liam@tetrate.io> * Ability to override SAN from destination rule for ISTIO_MUTUAL (#11747) * Add ability to override SAN from destination rule for ISTIO_MUTUAL Fixes issue #11737 * Reformat code. * Fix the Citadel-apiserver connection proliferation issue. (#11743) * Fix the Citadel-apiserver connection prolification issue. * Small fix on logging. * Add comment. * Small fix on log. * Performance oriented helm defaults for release 1.1 (#11476) * Disable stdio adapter * Disable envoy access log * Add telemetry load shedding defaults based on existing data * Add telemetry limits and update hpa * when proxy locality is empty, apply it with service instance locality (#11727) * Get rid of subcharts (#11767) * Get rid of subcharts Now we can use `helm package istio` in the infrastructure to produce a downloadable Istio chart. Note any `helm package -u istio` usage will fail always, so any usage of that needs to be removed throughout the documentation or infrastructure. Finally the CNI helm chart or manifest must be installed if CNI is enabled. If enabling CNI and the CNI manifest is not installed, the Istio sidecar will fail. * Add dashboard checking to helm charts. * wrong path for dashboards * Fix dashboard test cases. * Change helm package -u to helm package * Another attempt at fixing the dashboards. * Fix rebase error. 
* update jaeger client (#11765) Signed-off-by: Kuat Yessenov <kuat@google.com> * Fix hostname match function returns wrong result sometimes (#11793) * Fix hostname matching function * wrong method call * fix lint errors * Remove `helm package -u` in favor of `helm package` (#11769) This work removes the ability to include packages from external helm repositories. This is to remove the `helm dep update` step. The hidden implication here is that CNI must be installed indepently but still enabled in the chart for it to be used. Not installing the CNI chart or manifest while enabling CNI will result in sidecar injector failures. * stackdriver adapter memory usage optimization (#11792) * sd adapter memory usage optimization * clean up test. * Remove calls to helm repo add (#11805) * Remove calls to helm repo add * One more place * Create internal interface argument for istio-iptables script. (#11321) * remove 'istiotesting' parent section for 'onenamespace' values. (#11588) * remove istiotesting in onenamespace values. * add comments. * fix typo. * add more tests for external service (#11752) * add more tests * add an error msg * more tests * fix char * rename test yaml file * mark as unreachable for TLS protocol with VS * add another test * remove wikipedia in many tests * remove dash * .* not allowed at hosts ending * looks like no VS for TLS protocol too * rename per shriram comment * address comment * delete not needed file * typos * when host has * must provide endpoints * remove redundant data * [Kiali] changes for the next version (#11513) (#11804) * changes for new kiali version * add create perms * secret is now optional though really required. this, however, let's kiali provide a more user-friendly error message when the secret is missing, rather than failing to start the pod. 
See https://issues.jboss.org/browse/KIALI-2308 and its parent https://issues.jboss.org/browse/KIALI-2303 (cherry picked from commit 322452a) * use YAML map nil value ({}) for meshNetworks (#11849) since meshNetworks is a map, the correct nil value is {} setting the nil value correctly will allow setting networks by helm command line, using --set : --set global.meshNetworks.network2.endpoints[0].fromRegistry=remote_kubeconfig --set global.meshNetworks.network2.gateways[0].address=0.0.0.0 --set global.meshNetworks.network2.gateways[0].port=15443 * Add configurable Mixer transport error retry (#11795) * Add configurable Mixer transport error retry Adds annotations for the number of retries, base wait time, and max wait time to configure Mixer transport error retry policy. If values are not provided, they will be left unset; defaults will be provided in istio/proxy. * Add more comments * new proxy sha for release-1.1 (#11857) * new proxy sha for release-1.1 * Run deps ensure to api * right sha * Adapt mixer client tests to new mixer filter counters (#11591) * Added new counters from #8224 to Mixer client tests. * Reformat * Add a map to manage FileBasedMetadataConfig (#11753) * use CredentialName for SIMPLE * cvc * rootca * update test. * update test * fix format * update gateway config * fix test * fix lint * fix test * add comments. 
* add nolint * update cvc * update * update * update * update * update * update * format * dep ensure --update istio.io/api * Revise per comments * Revise * lint * Marshal SDS call credential config using deterministic order * update * update * revise * add comment * update * move MCP settings to meshConfig (#11875) * move MCP settings to meshConfig Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * fix cert bug * enable allow any for outbound traffic demo profile (#11820) * remove helm repo add (#11896) * merge timeseries before sending (#11876) * Fix listener parsing with ipv6 addresses (#11861) * Fix listener parsing with ipv6 addresses Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * Fixing typo Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * add sample file to expose bookinfo productpage service as nodeport type (#11858) * add sample file to expose bookinfo productpage service as nodeport type * address comment * build network filters in inbound path, like outbound (#11907) * build network filters in inbound path Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * assorted fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * fix network filter stack Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* Fix routing when DNS is resolved (#11522) The DNSDomain variable needs to be enhanced to include more than one DNS entry. Change DNSDomain to DNSDomains as a meta and add the dnsConfig in the meta. As now DNSDomain is a slice of strings instead of a string, the variable needs consolidation.
* adjust galley dashboard time range (#11627)
* Add update permissions to deployments/finalizers for galley clusterrole (#11586) (#11631) (cherry picked from commit f9b6866)
* [release-1.1] Update fluentd adapter to be more robust (#11623)
* Update fluentd adapter to be more robust
* Minor touchup of bad merge
* Lint fixes
* Fix kubernetesenv workload attributes for multicluster with one control plane (#11581)
* remove myself from pilot OWNERS (#11632)
* remove me (#11636) Signed-off-by: Kuat Yessenov <kuat@google.com>
* add debug logs for citadel authenticate fail (#11633)
* move apply plugin below buildscript (#11625) The Cloud Foundry open source licensing scanner has a plugin that identifies dependencies from gradle scripts, but it requires the buildscript and plugins block be before anything else in the file. This change does not affect the build, but makes our lives a smidge easier. Co-authored-by: Teal Stannard <tstannard@pivotal.io>
* check key.pem (#11599)
* Sample ServiceEntries for apt-get, pip, and git tools showing how to grant access to mesh. (#11508)
* Samples for accessing apt-get repo, Github, and pip repo
* A Readme explaining the samples
* Link to future doc on default external comm capability
* Incorporate documentation feedback from venilnoronha
* Add support for metadata constraints in RBAC (#11459)
* Add support for metadata constraints in RBAC This adds support for mapping RBAC constraints with keys in the a[b] format to Envoy's filter metadata matcher.
Signed-off-by: Venil Noronha <veniln@vmware.com>
* Use SplitN instead of Split for completeness This updates the metadata matcher definition to use strings.SplitN instead of strings.Split in order to capture the whole binary key in two parts. Signed-off-by: Venil Noronha <veniln@vmware.com>
* Accommodate [list] and plain value type constraints This adds logic to accommodate filter metadata matching over both [list] and value type constraints. Signed-off-by: Venil Noronha <veniln@vmware.com>
* Add extra experimental. prefix test for matching This adds an extra experimental. prefix test while creating metadata matchers based on Envoy filters. Signed-off-by: Venil Noronha <veniln@vmware.com>
* Update comments This updates code comments. Signed-off-by: Venil Noronha <veniln@vmware.com>
* add POST to ratings service to demonstrate security policies on HTTP Methods (#10778)
* add POST to ratings service
* put a space between if and opening parenthesis
* add comments
* remove extra line-break
* Enable remote clusters to check/report to local Mixer (#11585)
* Print error message if istio-sidecar-injector invalid, allow toJson as synonym for toJSON (#11570)
* Fix racetest in fluentd test (#11647)
* Bump the number of connections that can be reused in Citadel (#11641)
* Bump the number of connections that can be reused in Citadel
* A small fix
* First cut of xDS API structural testing using the new integration tests (#11406)
* Fixes for k8s ingress (#11343)
* Fix ingress in pilot, writeback and multiple namespaces
* Fix tests, format
* Fix test - the generated service should be left in the namespace of ingress
* Additional test fixes, match the new 1.1 semantics
* Again make fmt and lint not matching
* Break up the helloworld sample into versions (#11650)
* Break up the helloworld sample into versions
* Moved to default namespace
* Separated gateway file and added labels
* Update the doc
* Cleanup section updated too
* Fix build break due to #11406.
(#11677) https://k8s-gubernator.appspot.com/build/istio-prow/pr-logs/pull/istio_istio/11645/istio-integ-local-tests/5215
* make stackdriver e2e test cluster wide (#11674)
* Add handling for independent encoding in Report batches to Mixer (#11640)
* Add handling for independent encoding in Report batches to Mixer
* fix lll
* Address review
* protect protobag done
* exit circleci test early if setup fails (#11572)
* wip: exit circleci test early if setup fails Many of the circleci tests will attempt to run the e2e/integration tests even after the test setup fails. This leads to misleading test failures that suggest the problem is with the feature test and not the test setup itself. Example test runs where the setup failed and the test was run but immediately errored out because a dependency was missing: https://circleci.com/gh/istio/istio/316588 https://circleci.com/gh/istio/istio/317262 https://circleci.com/gh/istio/istio/318281 https://circleci.com/gh/istio/istio/316031 https://circleci.com/gh/istio/istio/315952 https://circleci.com/gh/istio/istio/315871 https://circleci.com/gh/istio/istio/315813 ref: https://circleci.com/docs/2.0/configuration-reference/#the-when-attribute ``` By default, CircleCI will execute job steps one at a time, in the order that they are defined in config.yml, until a step fails (returns a non-zero exit code). After a command fails, no further job steps will be executed. Adding the when attribute to a job step allows you to override this default behaviour, and selectively run or skip steps depending on the status of the job. The default value of on_success means that the step will run only if all of the previous steps have been successful (returned exit code 0). A value of always means that the step will run regardless of the exit status of previous steps. This is useful if you have a task that you want to run regardless of whether the previous steps are successful or not.
For example, you might have a job step that needs to upload logs or code-coverage data somewhere. ```
* re-add `when: always` to codecov job
* Implementation of isolation for EDS (#11672)
* Implementation of isolation for EDS
* Provide nil proxy for older calls
* Always call loadAssignmentsForClusterIsolated
* Revert "Always call loadAssignmentsForClusterIsolated" This reverts commit db2c997.
* Env variable to disable
* Lint
* Environment Variable controlled Graceful Termination with low defaults. (#11630)
* Feature flag graceful shutdown Turn graceful shutdown off by default for 1.1 with a feature flag that allows users to opt-in. Signed-off-by: Liam White <liam@tetrate.io>
* Address pr comments Signed-off-by: Liam White <liam@tetrate.io>
* Clean up missed feature flag var Signed-off-by: Liam White <liam@tetrate.io>
* Add turn off test case, todo comments and fix agent tests Signed-off-by: Liam White <liam@tetrate.io>
* fix lint Signed-off-by: Liam White <liam@tetrate.io>
* PR review comments Signed-off-by: Liam White <liam@tetrate.io>
* Move TerminationDuration function and tests to Pilot features Signed-off-by: Liam White <liam@tetrate.io>
* Update Proxy SHA to latest (release-1.1). (#11687) Signed-off-by: Piotr Sikora <piotrsikora@google.com>
* Add empty check for proxy's locality (#11681) Make sure empty proxy locality will fall back to using proxy service's instance locality.
* Increase sleep value to account for Galley default aggregation of 1 sec with MCP (#11685)
* cache ServiceAccounts and remove it from Environment (#11442)
* cache ServiceAccounts and remove it from Environment
* use allServices var
* fix ut
* Adding Envoy bootstrap template for a custom Pilot implementation. (#11395)
* Adding Envoy bootstrap template for a custom Pilot implementation. New template connects to Pilot using Google gRPC Envoy client, which allows to perform authz by passing additional credentials. Placed into install/gcp due to being GCP installation specific.
To enable this template, introducing {{ .discovery_address }} variable, which passes --discoveryAddress flag value "as is", without splitting it into address/port_value parts as currently done for the {{ .pilot_grpc_address }} variable.
* Removing static interception listener from gcp_envoy_bootstrap.json as it is generated by the Pilot.
* Update bookinfo images, fix the script to bump bookinfo versions (#11701)
* add wildcard to digits in the sed regex, for setting version
* bump a minor version
* Add cli option to Galley to allow metadata on outgoing sink connections. (#11602)
* Add cli option to Galley to allow metadata on outgoing sink connections. For use with sinkAddress, outgoing connections to MCP sink servers will have gRPC stream metadata attached as defined by sinkMeta.
* Update sinkMeta to use key=value.
* Review comments.
* Error message if istioctl version doesn't match data plane version (#11592)
* Additional error text if istioctl version doesn't match data plane version
* Fix typo
* Revise wording of error msg
* Allow Envoy listener stats to be turned off/on with a pod annotation (#11398)
* If sidecar.istio.io/statsPatterns supplied, customize Envoy stats collection
* Versionize annotation tag
* Change annotation to sidecar.istio.io/v1alpha1/statsInclusionPrefixes per Doug Reid
* pin goimports in make fmt (#11645)
* fix fmt Signed-off-by: Kuat Yessenov <kuat@google.com>
* trying to run docker in circle Signed-off-by: Kuat Yessenov <kuat@google.com>
* trying to run docker in circle Signed-off-by: Kuat Yessenov <kuat@google.com>
* circling Signed-off-by: Kuat Yessenov <kuat@google.com>
* circling Signed-off-by: Kuat Yessenov <kuat@google.com>
* just don't use circle Signed-off-by: Kuat Yessenov <kuat@google.com>
* add comment Signed-off-by: Kuat Yessenov <kuat@google.com>
* Adding namespace declaration in Grafana PersistentVolumeClaim (#11314) When using the Helm chart with a user specific namespace and Grafana persistency enabled, the generated
PersistentVolumeClaim for Grafana was missing a namespace, leading to the Grafana pod being stuck in the Pending state.
* Fix the periodic builds, add a non-mcp to presubmit (#11703)
* Update api sha (#11709)
* issue #11244 - demo should install a default secret for kiali so out-of-box experience is nicer for users kicking the tires (#11272) (#11715) (cherry picked from commit 1ad4e29)
* [WIP] Fix sync issue with policy enablement and check enablement (#11707)
* Fix sync issue with policy enablement and check enablement
* Remove outdated comment
* Support customization of Envoy bootstrap config (#11559) (#11702)
* Support customization of Envoy bootstrap config This change allows overriding the default Envoy bootstrap configuration for a resource. A sample is included to show how it can be used.
* Format code
* Fix tests
* Pull in new istio/proxy. (#11717)
* Add experimental support for 'allowhttp10' (#11511)
* Add AcceptHttp10 option to outbound listeners based on global or per sidecar setting
* Clarify this is only for 'sidecar enabled' mode
* Format and lint
* Move http10 option, it was overridden
* Add http10 to test, remove verbose
* Format
* Format
* Use release-1.1 images for release-1.1 branch (#11725)
* guard with gateway enabled (#11732)
* guard with gateway enabled
* remove and
* Clean up Helm RBAC rules (#11234)
* Add apps apiGroup to istio-security-post-install ClusterRole
* Delete empty job file
* Clean up ClusterRole apiGroups
* Separate Kiali's ClusterRole rules into correct API groups
* Fix list indentation
* Remove OpenShift-specific "projects" resource from core apiGroup
* Consolidate more RBAC rules
* Update all RBAC resource apiVersions to v1
* Use service hostname as SNI match for TLS ports if virtual service is missing (#11735)
* Use service hostname as SNI match for TLS ports Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* tests Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* bad port name Signed-off-by: Shriram
Rajagopalan <shriramr@vmware.com>
* unique port names Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* fix stateful set Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* handle multiple streams in nodeagent (#11738)
* service change
* unit test
* debug log
* lint
* remove annoying log
* Add duration time to stale EDS (#11568)
* Tests for drain duration function (#11691)
* Tests for drain duration function Signed-off-by: Liam White <liam@tetrate.io>
* Licenses... Signed-off-by: Liam White <liam@tetrate.io>
* typo Signed-off-by: Liam White <liam@tetrate.io>
* Ability to override SAN from destination rule for ISTIO_MUTUAL (#11747)
* Add ability to override SAN from destination rule for ISTIO_MUTUAL Fixes issue #11737
* Reformat code.
* Fix the Citadel-apiserver connection proliferation issue. (#11743)
* Fix the Citadel-apiserver connection proliferation issue.
* Small fix on logging.
* Add comment.
* Small fix on log.
* Performance oriented helm defaults for release 1.1 (#11476)
* Disable stdio adapter
* Disable envoy access log
* Add telemetry load shedding defaults based on existing data
* Add telemetry limits and update hpa
* when proxy locality is empty, apply it with service instance locality (#11727)
* Get rid of subcharts (#11767)
* Get rid of subcharts Now we can use `helm package istio` in the infrastructure to produce a downloadable Istio chart. Note any `helm package -u istio` usage will fail always, so any usage of that needs to be removed throughout the documentation or infrastructure. Finally the CNI helm chart or manifest must be installed if CNI is enabled. If enabling CNI and the CNI manifest is not installed, the Istio sidecar will fail.
* Add dashboard checking to helm charts.
* wrong path for dashboards
* Fix dashboard test cases.
* Change helm package -u to helm package
* Another attempt at fixing the dashboards.
* Fix rebase error.
* update jaeger client (#11765) Signed-off-by: Kuat Yessenov <kuat@google.com>
* Fix hostname match function returns wrong result sometimes (#11793)
* Fix hostname matching function
* wrong method call
* fix lint errors
* Remove `helm package -u` in favor of `helm package` (#11769) This work removes the ability to include packages from external helm repositories. This is to remove the `helm dep update` step. The hidden implication here is that CNI must be installed independently but still enabled in the chart for it to be used. Not installing the CNI chart or manifest while enabling CNI will result in sidecar injector failures.
* stackdriver adapter memory usage optimization (#11792)
* sd adapter memory usage optimization
* clean up test.
* Remove calls to helm repo add (#11805)
* Remove calls to helm repo add
* One more place
* Create internal interface argument for istio-iptables script. (#11321)
* remove 'istiotesting' parent section for 'onenamespace' values. (#11588)
* remove istiotesting in onenamespace values.
* add comments.
* fix typo.
* add more tests for external service (#11752)
* add more tests
* add an error msg
* more tests
* fix char
* rename test yaml file
* mark as unreachable for TLS protocol with VS
* add another test
* remove wikipedia in many tests
* remove dash
* .* not allowed at hosts ending
* looks like no VS for TLS protocol too
* rename per shriram comment
* address comment
* delete not needed file
* typos
* when host has * must provide endpoints
* remove redundant data
* [Kiali] changes for the next version (#11513) (#11804)
* changes for new kiali version
* add create perms
* secret is now optional though really required. this, however, lets kiali provide a more user-friendly error message when the secret is missing, rather than failing to start the pod.
See https://issues.jboss.org/browse/KIALI-2308 and its parent https://issues.jboss.org/browse/KIALI-2303 (cherry picked from commit 322452a)
* use YAML map nil value ({}) for meshNetworks (#11849) since meshNetworks is a map, the correct nil value is {} setting the nil value correctly will allow setting networks by helm command line, using --set : --set global.meshNetworks.network2.endpoints[0].fromRegistry=remote_kubeconfig --set global.meshNetworks.network2.gateways[0].address=0.0.0.0 --set global.meshNetworks.network2.gateways[0].port=15443
* Add configurable Mixer transport error retry (#11795)
* Add configurable Mixer transport error retry Adds annotations for the number of retries, base wait time, and max wait time to configure Mixer transport error retry policy. If values are not provided, they will be left unset; defaults will be provided in istio/proxy.
* Add more comments
* new proxy sha for release-1.1 (#11857)
* new proxy sha for release-1.1
* Run deps ensure to api
* right sha
* Adapt mixer client tests to new mixer filter counters (#11591)
* Added new counters from #8224 to Mixer client tests.
* Reformat
* Add a map to manage FileBasedMetadataConfig (#11753)
* use CredentialName for SIMPLE
* cvc
* rootca
* update test.
* update test
* fix format
* update gateway config
* fix test
* fix lint
* fix test
* add comments.
* add nolint
* update cvc
* update
* update
* update
* update
* update
* update
* format
* dep ensure --update istio.io/api
* Revise per comments
* Revise
* lint
* Marshal SDS call credential config using deterministic order
* update
* update
* revise
* add comment
* update
* move MCP settings to meshConfig (#11875)
* move MCP settings to meshConfig Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* fix cert bug
* enable allow any for outbound traffic demo profile (#11820)
* remove helm repo add (#11896)
* merge timeseries before sending (#11876)
* Fix listener parsing with ipv6 addresses (#11861)
* Fix listener parsing with ipv6 addresses Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
* Fixing typo Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
* add sample file to expose bookinfo productpage service as nodeport type (#11858)
* add sample file to expose bookinfo productpage service as nodeport type
* address comment
* build network filters in inbound path, like outbound (#11907)
* build network filters in inbound path Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* assorted fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* fix network filter stack Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* set allow any as the default for outgoing traffic (#11906)
* set allow_any for default
* enable egress for demo profile
* enable egress gateway for e2e testing
* update comment per costin's comment
* adding more docs
* delete accidentally checked in file
* minor typo
* hope to get tests passing
* remove spaces
* [Kiali][release-1.1] Tell kiali about the new Pilot /version endpoint used to obtain Istio version string (#11833)
* rebase (#11879)
* citadel uses OpenCensus for self-monitoring (#10048)
* citadel and pilot use OpenCensus for self-monitoring Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
* modify based on 10270 Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
* Use DefaultRegisterer instead of create a
new register Signed-off-by: clyang82 <clyang@cn.ibm.com>
* do not accept XDS connection if gateway has no service instances (#11905)
* kill XDS if proxy has no service instances Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* undo Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* lint Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* fix cloud foundry test case failure
* fix mcp test
* fix crash
* Update istioctl authn tls-check to take into account caller proxy (#11603) (#11924)
* Lower resource requirements in demo profile (#11942)
* Remove implicit usage of 'busybox:latest' (#11812)
* add long description for verify-install (#11928)
* add long description for verify-install
* review
* singular
* update pilot mesh config default (#11950)
* set allow_any for default
* enable egress for demo profile
* enable egress gateway for e2e testing
* update comment per costin's comment
* adding more docs
* delete accidentally checked in file
* minor typo
* hope to get tests passing
* remove spaces
* sync default with the mesh file
* update test given we changed mesh default
* update test
* update test
* update test
* update test
* update test
* update test
* add adapter secret mount into telemetry deployment (#11921)
* add gcp credential secret mount into telemetry deployment
* update
* rename
* add optional
* remove helm values
* update path
* do the same thing for policy
* mixer: minor doc fixes (#11958)
* minor doc fixes Signed-off-by: Kuat Yessenov <kuat@google.com>
* review Signed-off-by: Kuat Yessenov <kuat@google.com>
* Rename sidecar.istio.io/statsInclusionPrefixes annotation (#11993)
* Flexible DNS names (#11986)
* WIP Flexible DNS names
* More fix
* Style fix
* Fix error
* Fix lint
* Fix lint
* fix lint
* Fix pilot-agent application port 0 (#12001)
* fix bug
* fix comments
* Remove duplicated keys (#10928) Remove duplicated keys in values-istio-test.yaml
* Add shortnames
for common crds (#11969)
* Unit tests for sidecar config to sidecar scope conversion (#11901)
* Unit tests for sidecar config to sidecar scope conversion
* Unit tests for sidecar config to sidecar scope conversion
* fix citadel health check issue. (#11965)
* add imagepullsecrets for hook jobs. (#11666)
* Add Auth to OOP handler (#10622)
* add oop auth
* simplify get auth option logic
* clear comment
* address comment
* custom mtls auth check
* lint
* add server name into tls config
* figure out mixer SAN from mixer own cert
* remove unnecessary comment
* update customVerify
* update customVerify
* add test to cover untrusted certs in mtls
* remove mtls option
* lint
* clear diff
* test
* Don't admit CRDs with unknown top-level keys (#11791)
* Don't admit CRDs with unknown top-level keys Use term 'field' for error messages Check when admitting both Pilot and Mixer configurations
* The admission control rejected a test yaml as invalid
* Improve message wording and resolve TODOs by using 'mock' Kind
* Add dynamic discovery and listener initialization for supported k8s resource types (#11871)
* wip: dynamically discover supported crd types
* fix linter errors
* improve logs when resource type not found
* increase code coverage
* address review comments
* add a comment
* fix linter error
* fix issue for generating custom gateway from chart. (#11970)
* Let `kubectl get` show additional columns for popular Istio CRDs (#11734)
* Annotate CRDs with the columns we would like printed by
* Verbiage change suggested by Frank B
* Explicitly include AGE column because some versions of K8s will not create it if additionalPrinterColumns are declared
* Update ingress gateway TLS validation for credentialName (#11991)
* use CredentialName for SIMPLE
* cvc
* rootca
* update test.
* update test
* fix format
* update gateway config
* fix test
* fix lint
* fix test
* add comments.
* add nolint
* update cvc
* update
* update
* update
* update
* update
* update
* format
* dep ensure --update istio.io/api
* Revise per comments
* Revise
* lint
* Marshal SDS call credential config using deterministic order
* update
* update
* revise
* add comment
* update
* Update validation
* Use e2e values for e2e tests (#11952)
* Use e2e values for e2e tests New settings were added to give e2e tests reasonable resource requests. However, some this target did not have these values applied, causing too many requests
* hardcode e2e for just the failing test instead of all
* generate_e2e_test_yaml not called, moving to own target
* expose healthcheck port in gateway (#12041)
* GetProxyServiceInstances should not depend on endpoint if there is associated services and pod (#11999)
* fix incremental EDS bug: proxy may not get listeners config when endpoint arrive later than the first full xDS push
* get endpoint by key instead of loop for all
* fix memory leak in pilot (#11183)
* fix memory leak in pilot
* protect Shards and EndpointShardsByService
* Make demo-auth use same resource requests as demo (#11956)
* rename to TestDestinationRuleExportTo (#12009) Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
* Fix the logic testing for errors (#12053)
* Fix jaeger metrics path template (#11963)
* Fix virtual machine parameter from "r" to "k" (#12062)
* Istio Perf Dashboard fixes (#12049)
* fix mcp source unit test (#12069)
* Fix upgrade/downgrade issue, add guard for visibility and make it off by default (#12084)
* Add MTLS into mixer connection to oop adapter (#12052)
* add oop mtls
* address comment
* add a comment about how key/certs are generated
* New proxy and api sha for istio (#12045)
* new proxy sha in istio
* New proxy sha for istio
* Fixing test
* Right intend
* More fixes
* Endpoint locality prioritization (#11981)
* Endpoint locality prioritization Defaults to off and has to be enabled via an env var in Pilot as it is an experimental feature and we are close
to a release Signed-off-by: Liam White <liam@tetrate.io>
* Fix correct spelling of prioritise Signed-off-by: Liam White <liam@tetrate.io>
* Don't ignore kube-system in EDS (#12028) This was originally ignored due to a high rate of updates from kube-system. EDSInformer now checks that there were actual meaningful changes made, otherwise they are ignored, so this is no longer an issue.
* Istio auth sds e2e (#12100)
* use CredentialName for SIMPLE
* cvc
* rootca
* update test.
* update test
* fix format
* update gateway config
* fix test
* fix lint
* fix test
* add comments.
* add nolint
* update cvc
* update
* update
* update
* update
* update
* update
* format
* dep ensure --update istio.io/api
* Revise per comments
* Revise
* lint
* Marshal SDS call credential config using deterministic order
* update
* update
* revise
* add comment
* update
* Update validation
* fix istio_auth_sds_e2e
* fix TestRouteSNIViaEgressGateway/*
* istioctl validation improvements (#11768) Use term 'field' for error messages Look for same top-level fields as admission controller
* Hide GODEBUG output from istioctl requests (#12091)
* Hide GODEBUG output from istioctl requests
* Fix in single function as well
* support listen multi-namespaces (#11667)
* support listen multi-namespaces Signed-off-by: clyang82 <clyang@cn.ibm.com>
* fix kube errors Signed-off-by: clyang82 <clyang@cn.ibm.com>
* fix lint error Signed-off-by: clyang82 <clyang@cn.ibm.com>
* fix ut error Signed-off-by: clyang82 <clyang@cn.ibm.com>
* Add new dep Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
* replace CA with Citadel Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
* fix merge issue Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
* properly handle passthrough and non passthrough on same gateway port (#12071)
* properly handle passthrough and non passthrough on same gateway port Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* flimsy tests
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* snafu Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* bring back e2e tests Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* lint Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* Revert "bring back e2e tests" This reverts commit a3fbb48.
* fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* Improving error message for sidecar readiness (#12123) Currently, the readiness error message doesn't make it clear that the issue is likely Pilot: ``` 2019-02-25T07:22:20.019287Z info Envoy proxy is NOT ready: cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected ``` This PR should help users better diagnose these issues in the future. This is a port of PR #12098 into the release-1.1 branch.
* Remove mem registry (#11543) (#12026)
* Remove mem registry (#11543)
* Fix lint
* extract Galley root command to server. (#12073)
* Replace root command of Galley with server mode.
* Fix linter issue.
* Remove accidentally added envoy.test (#12136)
* Fix the health check probe (#12135)
* Fix the health check probe.
* Small fix.
* Small fix.
* Small fix.
* Small fix
* Fix identity in certs provisioned for VMs. (#12109)
* Avoid unnecessary service change events(#11971) (#12148) Unnecessary service/instances change events are fired by consul registry, causing TCP connections destroyed by Envoy Fixes #11971 Change-Id: Iaf60a89175c9113cd8cde1556c9bf11d1a367e8f Signed-off-by: zhaohuabing <zhaohuabing@gmail.com>
* Removing a leftover to disable ingress (#12120) Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
* Fix EDS race condition when using localities (#12151)
* Fix EDS race condition when using localities Signed-off-by: Liam White <liam@tetrate.io>
* Wordz Signed-off-by: Liam White <liam@tetrate.io>
* Wire-up excluded resource types list to the CRD check and update logging (#12143)
* - Wire-up excluded resource types list to the CRD check. - Update logging.
* Revert copyright.
* Revert copyright.
* Remove VirtualService examples that no longer have an effect (#11892)
* Remove no-longer-needed VirtualServices ServiceEntry for github.com not needed to clone https URLs
* Modifications after testing using release-1.1-20190214-09-16
* Correct comment explanation
* Include pythonhosted.org for 'pypi' and sort/format/dedup the github addresses
* Doc fixes. (#12107)
* Update jaeger-client-go deps to catch 128bit traceid transport fix (#12166)
* Update jaeger-client-go dep
* Ensure mixer generates 128bit traceids
* Fix DestinationRule issue when there is no Sidecar (#12047)
* Fix DestinationRule issue when there is no Sidecar
* Default to legacy (current codepath)
* Refactor e2e yaml value files (#12076)
* Refactor e2e yaml value files This change involves:
* renaming uses of old make target
* adding all generated files to gitignore
* create new target to build all e2e yaml files and another for the demo files that are included in release
* move all testing value files, and example value files, to folders
* create value files for tests that were using --set
* Fix reference to values-e2e.yaml
* Fix typo
* Add readme and fix test failures
* Fix integration tests file
* Enable core dump for auth sds test
* Actually use coredump
* Move istio minimal - needed for docs
* resolve conflict
* Do not setup SNI match if service has a VIP (#12161)
* Do not setup SNI match if service has a VIP Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* missing check Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* Upgrade cert-manager to v0.6.2 (#12149) Currently Istio ships with cert-manager v0.5.0 as an optional dependency. This version is outdated and has known issues/limitations with regards to certificates renewal, excessive calls to the ACME APIs, etc. This commit contains minimal changes necessary to upgrade the bundled cert-manager to the most recent stable version.
Changes are based on the official Helm Charts distribution of cert-manager.
* Doc fixes. (#12180)
* fix mixer and pilot upgrade issues. (#12177)
* add namespace parameter support (#12104)
* add namespace parameter support
* add namespace parameter support
* add namespace parameter support
* fix lint
* add test case for proxystatus
* Move mixer check annotation to model with defaults (#11859)
* Move mixer check annotation to model with defaults
* Initialize proto once
* Update tests
* Add an e2e test to validate fault injection telemetry. (#11773)
* Add an e2e test to validate fault injection telemetry. This attempts to provide validation of telemetry for FI to guard against recurrence of issues such as: #11151. It adds a new test in the mixer suite that installs custom virtual service and destination rules that inject faults at 100% (using error code 555). The test validates that the destination workload information is "unknown" and that we receive telemetry with the `FI` response flag.
* Add forgotten file to PR
* Updates tests to match CNI install procedure (#11877)
* Updates tests to match CNI install procedure The CNI install procedure was changed to eliminate dependent helm templates. Changes are required in the test routines to match.
* Move daemon start after cluster setup The daemon start was before the cluster start.
* Changes required after testing
* debug
* Final fix ups
* Address review comments.
* Turn policy off by default (#12114)
* Simplify files and cleanup base values.yaml
* golden files update
* switch back to old defaults for rewriteAppHTTPProbe
* update golden
* override cpu requests for e2e tests
* move policy and telemetry to top level for visibility
* Update deps for 1.1rc2 (#12213)
* Proxy sha and Api sha for istio
* Update istio/proxy to pickup istio/proxy#2135
* pilot should wait for kubernetes cache sync before serving (#12214)
* Remove test mgmt ports (#12206)
* Remove test mgmt ports
* Remove todo and fix test
* Fix local test
* guard mysql proxy with version check (#12225) Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* Various fixes for the Multicluster e2e test [release-1.1] (#11940)
* Choose the correct Istio yaml file for MC
* Increase the timeout for the MC test (typically it's 40+ mins)
* Set selfSigned flag to false for remote (shared root CA)
* Wait for remote addition/deletion to propagate
* Enable access log for primary and remote clusters
* Fix pilot grpc failure in Consul (#12228)
* Merge release-1.1 to master (#11722) * Incremental EDS only need updated service names (#11117) * Configure envoy_bootstrap_v2.json to use the configured admin port (#11214) * Configure envoy_bootstrap_v2.json to use the configured admin port * Also set the prometheus_stats cluster's port * Fix bootstrap tests that override admin port * Allow ipv6 local traffic. (#10738) * Allow specifying multiple egress host entries with same namespace (#11258) * allow multiple hosts in same namespace in sidecar egress host Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * merge Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * undo Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * nit Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * lint Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * Galley: Include full Pod resource (#11323) The ServiceEntry transformation requires the Pod status, which is not included in the PodSpec. We need to pass through the entire Pod proto, so that it's available for the conversion. * Delete the obsolete service control adapter. (#11275) * [DO NOT MERGE] Rollout Status timeout during e2e tests (#10996) Addresses issue #9685 * Disable shared span context by default (#11281) * Add logic to kubeenv adapter Close() to clean-up resources (#10839) * Add logic to kubeenv adapter Close() to clean-up resources * Add extra logging and robustness to daemon shutdown checking in runtime * WIP * Revert "WIP" This reverts commit 74f22eced391bfbfb54834e7ffdc2505931b60b1. * Increase unit test coverage * Address review comments * Ensure xenial base image present before building proxy_init (#11277) * Update codecov to use skip file as threshold as well (#11294) * Fix e2e-simple test flake (#11271) * Fix e2e-simple test flake istio-init.yaml was not being applied. 
At least on bare metal, this caused e2e-simple to fail nearly 100% of the time in a race between the kubeapi server applying CRDs and the application of custom resources in the manifest. This problem is less pervasive on slower (vm) environments. * Fix a spelling error complaint from linter * integrate new MCP stack into galley, pilot, and mixer (#11292) This PR integrates the new MCP source/sink stack into Galley, Pilot, and Mixer. The old stack is temporarily retained while we complete extended scale/perf testing. * Revert "Fix e2e-simple test flake (#11271)" (#11331) This reverts commit f993e46d69c2ae4f990eabdfa377034f23c3b807. * Update README.md (#9501) * Add response_flags to metrics and logs (#9945) * Use sdsName from Gateway config as the resource name in sds config (#11239) * Use sdsName from Gateway config as the resource name in sds config * Add test * goimports * Fix lint * Fix test * mixer: pod policy override (#10886) * implement injection and override Signed-off-by: Kuat Yessenov <kuat@google.com> * lint Signed-off-by: Kuat Yessenov <kuat@google.com> * review Signed-off-by: Kuat Yessenov <kuat@google.com> * mend * annotation from node metadata Signed-off-by: Kuat Yessenov <kuat@google.com> * fix a bug Signed-off-by: Kuat Yessenov <kuat@google.com> * Adding --controlPlaneBootstrap pilot-agent flag (#11212) * Adding --controlPlaneBootstrap pilot-agent flag to explicitly enable generation of Envoy bootstrap for Istio control plane components. Only effective when --templateFile is provided as well. If --templateFile is provided, but --controlPlaneBootstrap=false, then template file will be passed through regular bootstrap config processing, replacing default bootstrap config template. Default flag value is "true" to be backward-compatible with existing behavior, so that no other changes are required by other components that rely on pilot-agent for control plane bootstrap config generation.
* Adding TODO to clean up Mixer and Pilot to use standard template Mixer and Pilot use custom Envoy bootstrap templates, that have special processing in pilot-agent. They should migrate to the standard bootstrap template and special processing should be removed from pilot-agent. * Fixing formatting errors on pilot/cmd/pilot-agent/main.go * [Galley] Restructure runtime package to support multiple states. (#11325) * [Galley] Restructure runtime package to support multiple states. This is a follow-on to #11162 that moves the runtime state as well as its previously package-private dependencies into their own packages. This allows new "states" to exist in separate packages under runtime. * addressing comments * addressing comments * extend istio-multi rbac rule (#11339) * Galley file-source was occluding resources with the same name with different types in the same file (#11257) * Only add localhost IP if no other IP address were found (#11367) * not make PDB configurable (#11330) * not allow users to configure pdb * remove maxUnavailable * incorporate google CA's merge APIs change in nodeagent (#11341) * merge api * remove extra line * Revert "Location based Load Balancing (#10720)" (#11371) This reverts commit 3f0570653f37ecaa5ccb75df0cb9619f84419624. * Support multiple Citadels running in one cluster. (#11312) * Support multiple Citadels running. * Small fix. * Small fix. * Small fix. 
* consistent autoscaling config among control plane components (#11376) * consistent autoscaling config among control plane components * address Yossi comment * add missing end * use spec here * support namespace/host in gateway (#11290) * assorted cleanups Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * undo Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * Loosen secret type for ingress gateway (#11385) * set concurrency according to cpu resource limit/request if it is not set (#11311) * set concurrency according to cpu resource request if it is not set * address comments * fix ut * fix ut * fix ut * run dep ensure * cache proxy service instances to improve performance (#11368) * cache proxy service instances to improve performance * address comments & fix ut * Support gateway agent to read TLS secret set by cert-manager (#11399) * read tls secret format * Update test * fix lint * fix lint * fix lint * update test * format * fix lint * fix lint * mixer: option for alternative language runtime (#11391) * split the original PR Signed-off-by: Kuat Yessenov <kuat@google.com> * add annotation support Signed-off-by: Kuat Yessenov <kuat@google.com> * Fix simpletest flake in citadel testing (#11360) * Fix simpletest flake in citadel testing A PR was merged ~4 weeks ago which introduced built-in testing of the Helm charts. The readiness testing in these Helm chart tests were defective. This problem was masked by a silently failing gate.
(cherry picked from commit bf9bc7bada15288cd1e4d0c8fa4b04c39e4379b5) * Fix a flaky e2e_simpleTests (#11408) * Add retries and delay trying to test connection to prometheus * Also retry on connection refused errors * Workaround due to old version of curl in proxy (cherry picked from commit 0e937c77b2d037a9216698a7c93037ccb5062dcc) * Increase integ test deployment timeout (#11423) * Increase integ test deployment timeout * Skip flaky/failing TestTcpMetric * Remove post-install job and (kubectl) apply security policy CRs to k8s directly (#11248) (#11418) * Remove post-install job and (kubectl) apply security policy CRs to k8s directly * Fix condition logic * Exit on fatal logs (#11335) * Exit on fatal logs * Do not call Fatalf in the middle of Galley code * envoy: use any instead of struct (#11419) * fix tests Signed-off-by: Kuat Yessenov <kuat@google.com> * fix framework assuming json Signed-off-by: Kuat Yessenov <kuat@google.com> * add gates Signed-off-by: Kuat Yessenov <kuat@google.com> * Loops ends after first iteration (#11378) (#11383) * Adding istio-init chart to release (#11443) (#11445) * fix superfluous condition in pdb. (#11413) * Set seconds as the value of MaxAge instead of Duration.String (#11447) * Allow identity domain to be configured in istio: Ensure e2e tests are working with different identity domain (#9226) * Refactor identity domain handling and adapt unit tests Co-authored-by: Ulrich Kramer <u.kramer@sap.com> * Fix goimports error * set role.TrustDomain in pilot main Co-authored-by: Holger Oehm <holger.oehm@sap.com> * Add end to end test e2e_bookinfo_trustdomain Co-authored-by: Holger Oehm <holger.oehm@sap.com> * Use .Values.global.trustDomain as trustDomain for citadel Co-authored-by: Holger Oehm <holger.oehm@sap.com> * Removed commented out code Co-authored-by: Jakob Schmid <jakob.schmid@sap.com> * Remove fallback to domain for trust domain This became necessary due to #11050, which always set the domain command line flag for executables. 
But we didn't expect this flag to have two different meanings (dns-domain and domain-suffix). Co-authored-by: Ulrich Kramer <u.kramer@sap.com> * Tls fix (#11455) * revert deleted TLS validation logic * lint fixes * Make TestDuplicateResourceNamesDifferentTypes have consistent ordering. (#11456) * Adding support for named components to the test framework (#11440) Each component can be created with a name and optionally a configuration. This allows multiple echo instances, policy backends, envoy proxies, etcetera to be managed independently. Also adding a standard way to configure components but support for that is in a followup. * Galley support for MCP Source Client dial out (#11291) * Auth plugin to be used for Galley callout. * Lint * Add unit tests. * Mock Google credentials * Galley callout code. * Review comments, fix client_source test. * Lint * Switch callout.go to use patch table for test vars. * Rename callout cli args. * Increase coverage * newcallout args, syncWG change. * Fatal->Error * Review comments * Review comments. * Update metadata model. (#11477) This is split out from #11293 Supporting work for #10497 and #10589 * [pilot] Export virtual service and destination rule metadata (#11384) * [pilot] Export virtual service and destination rule metadata * fixup bad rebase * restore lost test * Small fixes * use URL for rule uid and config as key * goimports * update unit tests to match code changes in previous commit * goimports, redux * Randomize Galley ports for integration testing (#11285) * Randomize Galley port for code-coverage runs. * Remove runaway empty test. * Update istio-proxy for source.uid fix (#11428) * Update gateway_test.go to check for overrides * update to include new proxy * linter fix * update client tests for whitelisted attributes * use source fixed build * disable TestSecretCreationKubernetes (#11479) * Fix e2e-simple test flake (#11356) (#11481) istio-init.yaml was not being applied. 
At least on bare metal, this caused e2e-simple to fail nearly 100% of the time in a race between the kubeapi server applying CRDs and the application of custom resources in the manifest. This problem is less pervasive on slower (vm) environments. (cherry picked from commit 1caa6cedcc7b0526f94bf3f9d3941df65ae4956f) * Enhance MCP index function to support multiple groups (#11478) This is split out from #11293 In #11293 we modify the index function to return a different group when choosing the synthetic ServiceEntry collection. Support for #10497 and #10589 * Zipkin adapter supporting the tracespan template (#11282) (#11483) * Zipkin adapter supporting the tracespan template (#11282) * Zipkin adapter supporting the tracespan template * Refactored generic OpenCensus trace support into a helper package * Use this to implement Zipkin support using OpenCensus Zipkin exporter * regenerate template. * lint. move crd. * dep ensure. * new line. * add zipkin to galley. * dep ensure * Default exports, and config root namespace (#11387) * default exportTo flags Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * format Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * nit Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * compile fix Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * helm stuff Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * istio-config namespace and default sidecar scope Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * spell fix Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * nits Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * reorder initialization steps Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * test compile fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * helm tweaks Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * missing helm file * allow ~ in sidecar imports Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * bad copy paste
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * test fix Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * undo framework change Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * Revert "bad copy paste" This reverts commit 934b54a922dd0a6102016901b77badba7774090f. * Revert "missing helm file" This reverts commit 992685db5e1fe3f68a484f01dac21f44c66acc8e. * Revert "helm tweaks" This reverts commit 5b78b920d18379253ea7c8ae37fd0c0611180c75. * redos Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * lists Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * quotes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * tests Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * undos Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * Fixing race condition in Galley Server.Close() (#11484) The issue was introduced by #11285 It causes a race with the startup of the gRPC server, which leads to a segfault. From prow logs:
```
=== RUN TestServer_Basic
2019-02-01T20:33:05.867746Z info ControlZ available at 10.44.58.28:9876
2019-02-01T20:33:05.867968Z info ControlZ terminated
2019-02-01T20:33:05.867987Z info runtime Stopping processor...
2019-02-01T20:33:05.868000Z warn runtime Processor has already stopped
2019-02-01T20:33:05.867798Z info runtime Starting processor...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x9e4bc8]

goroutine 148 [running]:
istio.io/istio/vendor/google.golang.org/grpc.(*Server).Serve(0xc42046d080, 0x0, 0x0, 0x0, 0x0)
 /home/prow/go/src/istio.io/istio/vendor/google.golang.org/grpc/server.go:522 +0x748
istio.io/istio/galley/pkg/server.(*Server).Run.func1(0xc4202d9490)
 /home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:242 +0xfb
created by istio.io/istio/galley/pkg/server.(*Server).Run
 /home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:233 +0x5c
FAIL istio.io/istio/galley/pkg/server 0.383s
```
* add labels to services and deployments (#11503) * Quote accessLogFormat in configmap template in helm chart (#11449) (#11490) * Make custom gateway works (#11320) Signed-off-by: clyang82 <clyang@cn.ibm.com> * Add missing values global object and template (#11500) * Envoy Graceful Shutdown (#11485) * Add Draining bootstrap to Proxies Signed-off-by: Liam White <liam@tetrate.io> * Drain open connections Signed-off-by: Liam White <liam@tetrate.io> * typo and makefile fix for drain config Signed-off-by: Liam White <liam@tetrate.io> * Add proxy agent tests for draining Signed-off-by: Liam White <liam@tetrate.io> * appease our golangcibot overlord Signed-off-by: Liam White <liam@tetrate.io> * Windows Go doesn't have syscall.Kill Signed-off-by: Liam White <liam@tetrate.io> * Skip spybackend test when in racetest (#11497) (#11506) * Workaround to make racetest skip this test due to low memory * Lint * Add mixer status to access log (#11471) * Add mixer status to access log Signed-off-by: Lizan Zhou <lizan@tetrate.io> * review Signed-off-by: Lizan Zhou <lizan@tetrate.io> * fixing default exports (#11507) Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * Fix 10971 p1 injector (#11512) * Fix global DNS resolution in sidecar injector The dnsConfig key was not honored by the sidecar injector.
This PR ensures the dnsConfig key is honored by the sidecar injector. This enables the injected application can resolve DNS, but does not solve routing via RDS. Routing via RDS needs a followup PR. * Fix syntax error in sidecar injector template * HTTP probe rewrite for webhook part. (#10470) * injector changes for health check, pilot agent take over app readiness check. (#9266) * WIP injector change to modify istio-proxy. * move out to app_probe.go * Iterating sidecartmpl to find the statusPort. * use the same name for ready path. * Get rewrite work, almost. * Some clean up on test and check one container criteria. * fix the injected test file. * Add inject test for readiness probe itself. * Add missing added test file. * fix helm test. * fix lint. * update header based finding the port. * return to previous injected file status. * fixing TestIntoResource test. * sed fixing all remaining injecting files. * handling named port. * fixing merginge failure. * remove the debug print. * lint fixing. * Apply the suggestions for finding statusPort arg. * Address comments, regex support more port value format. * add app_probe_test.go * add more test. * merge fix the test. * webhook autoinject is ready for review. * Squashed commit of the following: * resolve appprobetest. * update the golden due to another injector change. * remove unnecessary files in this pr. * remove the test framework change. * remove unnecessary testdata file. * DeepCopy used. * fix lint. * Add longer timeouts for Galley tests.
(#11517) Addresses #11464 * Locality based load balancing for strict dns clusters (#11381) * rework locality based load balancing Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * simplify Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * lint Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * bad merge Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * lint Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * lint again Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * Update pilot/pkg/networking/core/v1alpha3/cluster.go Co-Authored-By: rshriram <rshriram@users.noreply.github.com> * move load balancer setting to a separate pkg * should also apply applyLocalityLBSetting for non-cached outbound clusters * set cluster locality_weighted_lb_config * fix ci * enable LocalityWeightedLbConfig only when cluster has outlier detection * address comments * Correct Citadel server log. (#11361) * Correct Citadel server log. * Small fix. * Remove sidecar injection in istio-init jobs (#11317) This PR aims to solve a problem where the injector is running but a new job is added in an upgrade scenario. In this condition the job is injected, which can result in errors contacting the injector. * Only require go.opencensus.io on Linux (#11327) * Only require go.opencensus.io on Linux * Ran fmt.sh and goimports against the stats_linux.go file. 
Signed-off-by: Jason Clark <jason.clark.oss@gmail.com> * Remove the istio-remote chart and make it an istio chart values (#11307) * Remove the istio-remote chart and make it an istio chart values * By default tracing should be disabled in remote as it's unsupported * Fixing the path to values file in e2e MC test * Fixing istio-pilot-multicluster-e2e.sh * Correction for previous commit * Better way to remove MeshPolicy on remote yaml * Newline * Newline * Remove redundant and * Fix for flakes in TestSource_MangledNames (#11538) The source of the panic appeared to be access to the labels, which were not being explicitly set on the Unstructured object. This PR sets them directly, so that should no longer be an issue. Fixes #11532 * Use istio namespace for global destination rule to avoid overwriting mixer policy (#11546) * Change default monitoring port (#11421) * Change default monitoring port Update the default monitoring port from 9093 to 15014. * Fix test cases * Hardcode the monitoringPort in istio-remote * Use credentialName to specify credential resource name and support mTLS for external cert management at ingress gateway. (#11496) * use CredentialName for SIMPLE * cvc * rootca * update test. * update test * fix format * update gateway config * fix test * fix lint * fix test * add comments.
* add nolint * update cvc * update * update * update * update * update * update * format * dep ensure --update istio.io/api * Revise per comments * Revise * lint * Add MCP stress test suite (#11465) * add -labels option to mcpc for testing and debug * fix typo in source CollectionOptions name * increase queue test coverage to 100% * add more tests for incremental mcp option (still off by default) * add mcp stress test suite * fix unit tests * review comments and add README.md * run goimports * fix some wording * fix bad merge * formatting * rebase stress test on latest snapshot group changes * math.Rand is not safe for concurrent use * address review comments * add missing file * plumb through serverIncSupported * rename test file * changing the default limits for init proxy (#11540) * Add readiness check for Ingress Gateway (#3063) (#11001) (#11548) Enabling the same readiness probe for Ingress Gateway that is being used for sidecars. * istioctl proxy-status should only exec into running pilot pods (#11539) istioctl proxy-status uses kubectl exec on pilot pods to extract debug and diagnostic information. Use `--field-selector=status.phase=Running` to only exec into pods that are actually running. fixes https://github.com/istio/istio/issues/11488 * increase control plane component replicas during upgrade test (#11389) * add multiple control plane component * remove space * Allow specify the path for SDS k8s token (#11460) * Allow specify SDS token path * Change the default value to empty string * Rephrase the comment for sds token path * Address review comments * Change to use node metadata to pass SDS token path * Address review comments (e.g., remove static variable) * Use SDS token path if it is set * remove chart.version label in pod template. (#11302) * remove deprecated 'refreshInterval' option in chart. (#11412) * remove deprecated option in chart. * fix CI issue. * Disable agent TestFull test. (#11562) * remove istio cni subchart tar from source. 
(#11230) * Moved subcharts into the istio chart (#11558) * Moved subcharts into istio charts * Removed helm dep update calls * Removed also programmatic helmDepUpdate calls * Removing helm package call not necessary anymore * Fix non-Linux builds. (#11580) * add debug logs to print cert chain (#11575) * revert #11558 Moved subcharts into the istio chart (#11597) * add multiple control plane component * remove space * Revert "Moved subcharts into the istio chart (#11558)" This reverts commit a5f9e9bb30eb4240ee0b00893796126b5b434c5d. * add missing attribute declarations (#11595) Signed-off-by: Kuat Yessenov <kuat@google.com> * Fix a few doc issues. (#11596) * Update istio/api to #3094619 release 1.1 subject_alt_names in Service… (#11541) * Update istio/api to #3094619 release 1.1 subject_alt_names in ServiceEntry * Comment out sdsName * Linter fix * more linter fixes * Comment out SDS test * run bin/fmt.sh * Skip gateway sds test completely * Use issue # in t.Skip() * revert sds changes * Fix racetest in SDS service (#11615) * Set the serviceCluster namespace based on env var, to also support specifying namespace on cli after kubeinject (#11587) * Make image pull policy configurable in Makefile (#10269) * Adds missing 1.1 attribute data to testdata for integration tests (#11313) The request.url_path and request.query_params attributes have been added as of istio 1.1 These are required in the testdata attributes manifest in order for them to be useable in the integration test framework. * Doc fixes. (#11619) * [mixer:stackdriver] Initial changes to support dst svc edges in graph (#11426) * Initial changes to support dst svc edges * Add istio service to k8s service member relation * Refactor of edge logic and add test * Add <workload, service> relations * Fix routing when DNS is resolved (#11522) The DNSDomain variable needs to be enhanced to include more than one DNS entry. Change DNSDomain to DNSDomains as a meta and add the dnsConfig in the meta.
As now DNSDomain is a slice of strings instead of a string, the variable needs consolidation. * adjust galley dashboard time range (#11627) * Add update permissions to deployments/finalizers for galley clusterrole (#11586) (#11631) (cherry picked from commit f9b6866731aabe056c699b608a8e93eb850d13c0) * [release-1.1] Update fluentd adapter to be more robust (#11623) * Update fluentd adapter to be more robust * Minor touchup of bad merge * Lint fixes * Fix kubernetesenv workload attributes for multicluster with one control plane (#11581) * remove myself from pilot OWNERS (#11632) * remove me (#11636) Signed-off-by: Kuat Yessenov <kuat@google.com> * add debug logs for citadel authenticate fail (#11633) * move apply plugin below buildscript (#11625) The Cloud Foundry open source licensing scanner has a plugin that identifies dependencies from gradle scripts, but it requires the buildscript and plugins block be before anything else in the file. This change does not affect the build, but makes our lives a smidge easier. Co-authored-by: Teal Stannard <tstannard@pivotal.io> * check key.pem (#11599) * Sample ServiceEntries for apt-get, pip, and git tools showing how to grant access to mesh. (#11508) * Samples for accessing apt-get repo, Github, and pip repo * A Readme explaining the samples * Link to future doc on default external comm capability * Incorporate documentation feedback from venilnoronha * Add support for metadata constraints in RBAC (#11459) * Add support for metadata constraints in RBAC This adds support for mapping RBAC constraints with keys in the a[b] format to Envoy's filter metadata matcher. Signed-off-by: Venil Noronha <veniln@vmware.com> * Use SplitN instead of Split for completeness This updates the metadata matcher definition to use strings.SplitN instead of strings.Split in order to capture the whole binary key in two parts. 
Signed-off-by: Venil Noronha <veniln@vmware.com> * Accomodate [list] and plain value type constraints This adds logic to accomodate filter metadata matching over both [list] and value type constraints. Signed-off-by: Venil Noronha <veniln@vmware.com> * Add extra experimental. prefix test for matching This adds an extra experimental. prefix test while creating metadata matchers based on Envoy filters. Signed-off-by: Venil Noronha <veniln@vmware.com> * Update comments This updates code comments. Signed-off-by: Venil Noronha <veniln@vmware.com> * add POST to ratings service to demonstrate security policies on HTTP Methods (#10778) * add POST to ratings service * put a space between if and opening parenthesis * add comments * remove extra line-break * Enable remote clusters to check/report to local Mixer (#11585) * Print error message if istio-sidecar-injector invalid, allow toJson as synonym for toJSON (#11570) * Fix racetest in fluentd test (#11647) * Bump the number of connection that can be re-use in Citadel (#11641) * Bump the number of connection that can be re-use in Citadel * A small fix * First cut of xDS APi structural testing using the new integration tests (#11406) * Fixes for k8s ingress (#11343) * Fix ingress in pilot, writeback and multiple namespaces * Fix tests, format * Fix test - the generated service should be left in the namespace of ingress * Additional test fixes, match the new 1.1 semantics * Again make fmt and lint not matching * Break up the helloworld sample into versions (#11650) * Break up the helloworld sample into versions * Moved to default namespace * Seperated gateway file and added labels * Update the doc * Cleanup section updated too * Fix build break due to https://github.com/istio/istio/pull/11406. 
(#11677) https://k8s-gubernator.appspot.com/build/istio-prow/pr-logs/pull/istio_istio/11645/istio-integ-local-tests/5215 * make stackdriver e2e test cluster wide (#11674) * Add handling for independent encoding in Report batches to Mixer (#11640) * Add handling for independent encoding in Report batches to Mixer * fix lll * Address review * protect protobag done * exit circleci test early if setup fails (#11572) * wip: exit circleci test early if setup fails Many of the circleci tests will attempt to run the e2e/integration tests even after the test setup fails. This leads to misleading test failures that suggest the problem is with the feature test and not the test setup itself. Example test runs where the setup failed and the test was run but immediately errored out because a dependency was missing: https://circleci.com/gh/istio/istio/316588 https://circleci.com/gh/istio/istio/317262 https://circleci.com/gh/istio/istio/318281 https://circleci.com/gh/istio/istio/316031 https://circleci.com/gh/istio/istio/315952 https://circleci.com/gh/istio/istio/315871 https://circleci.com/gh/istio/istio/315813 ref: https://circleci.com/docs/2.0/configuration-reference/#the-when-attribute ``` By default, CircleCI will execute job steps one at a time, in the order that they are defined in config.yml, until a step fails (returns a non-zero exit code). After a command fails, no further job steps will be executed. Adding the when attribute to a job step allows you to override this default behaviour, and selectively run or skip steps depending on the status of the job. The default value of on_success means that the step will run only if all of the previous steps have been successful (returned exit code 0). A value of always means that the step will run regardless of the exit status of previous steps. This is useful if you have a task that you want to run regardless of whether the previous steps are successful or not. 
For example, you might have a job step that needs to upload logs or code-coverage data somewhere. ``` * re-add `when: always` to codecov job * Implementation of isolation for EDS (#11672) * Implementation of isolation for EDS * Provide nil proxy for older calls * Always call loadAssignmentsForClusterIsolated * Revert "Always call loadAssignmentsForClusterIsolated" This reverts commit db2c99778edb69a9522320a2271ec8b965bad450. * Env variable to disable * Lint * Environment Variable controlled Graceful Termination with low defaults. (#11630) * Feature flag graceful shutdown Turn graceful shutdown off by default for 1.1 with a feature flag that allows users to opt-in. Signed-off-by: Liam White <liam@tetrate.io> * Address pr comments Signed-off-by: Liam White <liam@tetrate.io> * Clean up missed feature flag var Signed-off-by: Liam White <liam@tetrate.io> * Add turn off test case, todo comments and fix agent tests Signed-off-by: Liam White <liam@tetrate.io> * fix lint Signed-off-by: Liam White <liam@tetrate.io> * PR review comments Signed-off-by: Liam White <liam@tetrate.io> * Move TerminationDuration function and tests to Pilot features Signed-off-by: Liam White <liam@tetrate.io> * Update Proxy SHA to latest (release-1.1). (#11687) Signed-off-by: Piotr Sikora <piotrsikora@google.com> * Add empty check for proxy's locality (#11681) Make sure empty proxy locality will fall back to using proxy service's instance locality. * Increase sleep value to account for Galley default aggregation of 1 sec with MCP (#11685) * cache ServiceAccounts and remove it drom Environment (#11442) * cache ServiceAccounts and remove it drom Environment * use allServices var * fix ut * Adding Envoy bootstrap template for a custom Pilot implementation. (#11395) * Adding Envoy bootstrap template for a custom Pilot implementation. New template connects to Pilot using Google gRPC Envoy client, which allows to perform authz by passing additional credentials. 
Placed into install/gcp due to being GCP installation specific. To enable this template, introducing {{ .discovery_address }} variable, which passes --discoveryAddress flag value "as is", without splitting it into address/port_value parts as currently done for the {{ .pilot_grpc_address }} variable. * Removing static interception listener from gcp_envoy_bootstrap.json as it is generated by the Pilot. * Update bookinfo images, fix the script to bump bookinfo versions (#11701) * add wildcard to digits in the sed regex, for setting version * bump a minor version * Add cli option to Galley to allow metadata on outgoing sink connections. (#11602) * Add cli option to Galley to allow metadata on outgoing sink connections. For use with sinkAddress, outgoing connections to MCP sink servers will have gRPC stream metadata attached as defined by sinkMeta. * Update sinkMeta to use key=value. * Review comments. * Error message if istioctl version doesn't match data plane version (#11592) * Additional error text if istioctl version doesn't match data plane version * Fix typo * Revise wording of error msg * Allow Envoy listener stats to be turned off/on with a pod annotation (#11398) * If sidecar.istio.io/statsPatterns supplied, customize Envoy stats collection * Versionize annotation tag * Change annotation to sidecar.istio.io/v1alpha1/statsInclusionPrefixes per Doug Reid * pin goimports in make fmt (#11645) * fix fmt Signed-off-by: Kuat Yessenov <kuat@google.com> * trying to run docker in circle Signed-off-by: Kuat Yessenov <kuat@google.com> * trying to run docker in circle Signed-off-by: Kuat Yessenov <kuat@google.com> * circling Signed-off-by: Kuat Yessenov <kuat@google.com> * circling Signed-off-by: Kuat Yessenov <kuat@google.com> * just dont use circle Signed-off-by: Kuat Yessenov <kuat@google.com> * add comment Signed-off-by: Kuat Yessenov <kuat@google.com> * Adding namespace declaration in Grafana PersistentVolumeClaim (#11314) When using the Helm chart with a user 
specific namespace and Grafana persistency enabled, the generated PersistentVolumeClaim for Grafana was missing a namespace, leading in the Grafana pod to be stuck in the Pending state. * Fix the periodic builds, add a non-mcp to presubmit (#11703) * Update api sha (#11709) * issue #11244 - demo should install a default secret for kiali so out-of-box experience is nicer for users kicking the tires (#11272) (#11715) (cherry picked from commit 1ad4e29576da6c722dcf19fc5df703beede92a4d) * [WIP] Fix sync issue with policy enablement and check enablement (#11707) * Fix sync issue with policy enablement and check enablement * Remove outdated comment * Fix deps and broken merge for mixer test * Fix overly restrictive golang version match * Fix integration test framework merge issues * Fix line length lint issue * handle multiple streams in nodeagent (#11738) * service change * unit test * debug log * lint * remove annoying log * Add duration time to stale EDS (#11568) * Revert "Merge release-1.1 to master (#11722)" (#11761) This reverts commit 727e719b56362060924cd75bef6ed731cc41b272. * Rename node agent in README.md (#11751) * Tests for drain duration function (#11691) * Tests for drain duration function Signed-off-by: Liam White <liam@tetrate.io> * Licenses... Signed-off-by: Liam White <liam@tetrate.io> * typo Signed-off-by: Liam White <liam@tetrate.io> * Ability to override SAN from destination rule for ISTIO_MUTUAL (#11747) * Add ability to override SAN from destination rule for ISTIO_MUTUAL Fixes issue https://github.com/istio/istio/issues/11737 * Reformat code. * Incremental EDS only need updated service names (#11117) * Configure envoy_bootstrap_v2.json to use the configured admin port (#11214) * Configure envoy_bootstrap_v2.json to use the configured admin port * Also set the prometheus_stats cluster's port * Fix bootstrap tests that override admin port * Allow ipv6 local traffic. 
(#10738) * Allow specifying multiple egress host entries with same namespace (#11258) * allow multiple hosts in same namespace in sidecar egress host Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * merge Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * undo Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * nit Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * lint Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * Galley: Include full Pod resource (#11323) The ServiceEntry transformation requires the Pod status, which is not included in the PodSpec. We need to pass through the entire Pod proto, so that it's available for the conversion. * Delete the obsolete service control adapter. (#11275) * [DO NOT MERGE] Rollout Status timeout during e2e tests (#10996) Addresses issue #9685 * Disable shared span context by default (#11281) * Add logic to kubeenv adapter Close() to clean-up resources (#10839) * Add logic to kubeenv adapter Close() to clean-up resources * Add extra logging and robustness to daemon shutdown checking in runtime * WIP * Revert "WIP" This reverts commit 74f22eced391bfbfb54834e7ffdc2505931b60b1. * Increase unit test coverage * Address review comments * Ensure xenial base image present before building proxy_init (#11277) * Update codecov to use skip file as threshold as well (#11294) * Fix e2e-simple test flake (#11271) * Fix e2e-simple test flake istio-init.yaml was not being applied. Atleast on bare metal, this caused e2e-simple to fail nearly 100% of the time in a race between the kubeapi server applying CRD's and the applicaton of custom resources in the manifest. This problem is less pervasive on slower (vm) environments. * Fix a spelling error complaint from linter * integrate new MCP stack into galley, pilot, and mixer (#11292) This PR integrates the new MCP source/sink stack into Galley, Pilot, and Mixer. The old stack is temporarily retained while we complete extended scale/perf testing. 
* Revert "Fix e2e-simple test flake (#11271)" (#11331) This reverts commit f993e46d69c2ae4f990eabdfa377034f23c3b807. * Update README.md (#9501) * Add response_flags to metrics and logs (#9945) * Use sdsName from Gateway config as the resource name in sds config (#11239) * Use sdsName from Gateway config as the resource name in sds config * Add test * goimports * Fix lint * Fix test * mixer: pod policy override (#10886) * implement injection and override Signed-off-by: Kuat Yessenov <kuat@google.com> * lint Signed-off-by: Kuat Yessenov <kuat@google.com> * review Signed-off-by: Kuat Yessenov <kuat@google.com> * mend * annotation from node metadata Signed-off-by: Kuat Yessenov <kuat@google.com> * fix a bug Signed-off-by: Kuat Yessenov <kuat@google.com> * Adding --controlPlaneBootstrap pilot-agent flag (#11212) * Adding --controlPlaneBootstrap pilot-agent flag to explicitly enable generation of Envoy bootstrap for Istio control plane components. Only effective when --templateFile is provided as well. If --templateFile is provided, but --controlPlaneBootstrap=false, then template file will be passed through regular bootstrap config processing, replacing default bootstrap config template. Default flag value is "true" to be backward-compatible with existing behavior, so that no other changes are required by other components that rely on pilot-agent for control plane bootstrap config generation. * Adding TODO to clean up Mixer and Pilot to use standard template Mixer and Pilot use custom Envoy bootstrap templates, that have special processing in pilot-agent. They should migrate to the standard bootstrap template and special processing should be removed from pilot-agent. * Fixing formatting errors on pilot/cmd/pilot-agent/main.go * [Galley] Restructure runtime package to support multiple states. (#11325) * [Galley] Restructure runtime package to support multiple states. 
This is a follow-on to #11162 that moves the runtime state as well as its previously package-private dependencies into their own packages. This allows new "states" to exist in separate packages under runtime. * addressing comments * addressing comments * extend istio-multi rbac rule (#11339) * Galley file-source was occluding resources with the same name with different types in the same file (#11257) * not make PDB configurable (#11330) * not allow users to configure pdb * remove maxUnavailable * incorporate google CA's merge APIs change in nodeagent (#11341) * merge api * remove extra line * Revert "Location based Load Balancing (#10720)" (#11371) This reverts commit 3f0570653f37ecaa5ccb75df0cb9619f84419624. * Support multiple Citadels running in one cluster. (#11312) * Support multiple Citadels running. * Small fix. * Small fix. * Small fix. * consistent autoscaling config among control plane components (#11376) * consistent autoscaling config among control plane components * address Yossi comment * add missing end * use spec here * support namespace/host in gateway (#11290) * assorted cleanups Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * undo Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * Loosen secret type for ingress gateway (#11385) * set conccurency according to cpu resource limit/request if it is not set (#11311) * set conccurency according to cpu resource request if it is not set * address comments * fix ut * fix ut * fix ut * run dep ensure * cache proxy service instances to improve performance (#11368) * cache proxy service instances to improve performance * address comments & fix ut * Support gateway agent to read TLS secret set by cert-manager (#11399) * read tls secret format * Update test * fix lint * fix lint * fix lint * update test * format * fix lint * fix lint * mixer: option for alternative language runtime (#11391) * split the original PR Signed-off-by: Kuat Yessenov <kuat@google.com> * add annotation support 
Signed-off-by: Kuat Yessenov <kuat@google.com> * Exit on fatal logs (#11335) * Exit on fatal logs * Do not call Fatalf in the middle of Galley code * envoy: use any instead of struct (#11419) * fix tests Signed-off-by: Kuat Yessenov <kuat@google.com> * fix framework assuming json Signed-off-by: Kuat Yessenov <kuat@google.com> * add gates Signed-off-by: Kuat Yessenov <kuat@google.com> * fix superfluous condition in pdb. (#11413) * Allow identity domain to be configured in istio: Ensure e2e tests are working with different identity domain (#9226) * Refactor identity domain handling and adapt unit tests Co-authored-by: Ulrich Kramer <u.kramer@sap.com> * Fix goimports error * set role.TrustDomain in pilot main Co-authored-by: Holger Oehm <holger.oehm@sap.com> * Add end to end test e2e_bookinfo_trustdomain Co-authored-by: Holger Oehm <holger.oehm@sap.com> * Use .Values.global.trustDomain as trustDomain for citadel Co-authored-by: Holger Oehm <holger.oehm@sap.com> * Removed commented out code Co-authored-by: Jakob Schmid <jakob.schmid@sap.com> * Remove fallback to domain for trust domain This became necessary due to #11050, which always set the domain command line flag for executables. But we didn't expect this flag to have two different meanings (dns-domain and domain-suffix). Co-authored-by: Ulrich Kramer <u.kramer@sap.com> * Make TestDuplicateResourceNamesDifferentTypes have consistent ordering. (#11456) * Adding support for named components to the test framework (#11440) Each component can be created with a name and optionally a configuration. This allows multiple echo instances, policy backends, envoy proxies, etcetera to be managed independently. Also adding a standard way to configure components but support for that is in a followup. * Galley support for MCP Source Client dial out (#11291) * Auth plugin to be used for Galley callout. * Lint * Add unit tests. * Mock Google credentials * Galley callout code. * Review comments, fix client_source test. 
* Lint * Switch callout.go to use patch table for test vars. * Rename callout cli args. * Increase coverage * newcallout args, syncWG change. * Fatal->Error * Review comments * Review comments. * Update metadata model. (#11477) This is split out from #11293 Supporting work for #10497 and #10589 * [pilot] Export virtual service and destination rule metadata (#11384) * [pilot] Export virtual service and destination rule metadata * fixup bad rebase * restore lost test * Small fixes * use URL for rule uid and config as key * goimports * update unit tests to match code changes in previous commit * goimports, redux * Randomize Galley ports for integration testing (#11285) * Randomize Galley port for code-coverage runs. * Remove runaway empty test. * Update istio-proxy for source.uid fix (#11428) * Update gateway_test.go to check for overrides * update to include new proxy * linter fix * update client tests for whitelisted attributes * use source fixed build * disable TestSecretCreationKubernetes (#11479) * Fix e2e-simple test flake (#11356) (#11481) istio-init.yaml was not being applied. Atleast on bare metal, this caused e2e-simple to fail nearly 100% of the time in a race between the kubeapi server applying CRD's and the applicaton of custom resources in the manifest. This problem is less pervasive on slower (vm) environments. (cherry picked from commit 1caa6cedcc7b0526f94bf3f9d3941df65ae4956f) * Enhance MCP index function to support multiple groups (#11478) This is split out from #11293 In #11293 we modify the index function to return a different group when choosing the synthetic ServiceEntry collection. 
Support for #10497 and #10589 * Zipkin adapter supporting the tracespan template (#11282) (#11483) * Zipkin adapter supporting the tracespan template (#11282) * Zipkin adapter supporting the tracespan template * Refactored generic OpenCensus trace support into a helper package * Use this to implement Zipkin support using OpenCensus Zipkin exporter * regenerate template. * lint. move crd. * dep ensure. * new line. * add zipkin to galley. * dep ensure * Default exports, and config root namespace (#11387) * default exportTo flags Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * format Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * nit Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * compile fix Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * helm stuff Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * istio-config namespace and default sidecar scope Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * spell fix Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * nits Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * reorder initialization steps Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * test compile fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * helm tweaks Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * missing helm file * allow ~ in sidecar imports Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * bad copy paste Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * test fix Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * undo framework change Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * Revert "bad copy paste" This reverts commit 934b54a922dd0a6102016901b77badba7774090f. * Revert "missing helm file" This reverts commit 992685db5e1fe3f68a484f01dac21f44c66acc8e. * Revert "helm tweaks" This reverts commit 5b78b920d18379253ea7c8ae37fd0c0611180c75. 
* redos Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * lists Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * quotes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * tests Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * undos Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * Fixing race condition in Galley Server.Close() (#11484) The issue was introduced by #11285 It causes a race with the startup of the gRPC server, which leads to a segfault. From prow logs: ``` === RUN TestServer_Basic 2019-02-01T20:33:05.867746Z info ControlZ available at 10.44.58.28:9876 2019-02-01T20:33:05.867968Z info ControlZ terminated 2019-02-01T20:33:05.867987Z info runtime Stopping processor... 2019-02-01T20:33:05.868000Z warn runtime Processor has already stopped 2019-02-01T20:33:05.867798Z info runtime Starting processor... panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x9e4bc8] goroutine 148 [running]: istio.io/istio/vendor/google.golang.org/grpc.(*Server).Serve(0xc42046d080, 0x0, 0x0, 0x0, 0x0) /home/prow/go/src/istio.io/istio/vendor/google.golang.org/grpc/server.go:522 +0x748 istio.io/istio/galley/pkg/server.(*Server).Run.func1(0xc4202d9490) /home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:242 +0xfb created by istio.io/istio/galley/pkg/server.(*Server).Run /home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:233 +0x5c FAIL istio.io/istio/galley/pkg/server 0.383s ``` * add labels to services and deployments (#11503) * Make custom gateway works (#11320) Signed-off-by: clyang82 <clyang@cn.ibm.com> * Add missing values global object and template (#11500) * Envoy Graceful Shutdown (#11485) * Add Draining bootstrap to Proxies Signed-off-by: Liam White <liam@tetrate.io> * Drain open connections Signed-off-by: Liam White <liam@tetrate.io> * typo and makefile fix for drain config Signed-off-by: Liam White <liam@tetrate.io> * Add proxy 
agent tests for draining Signed-off-by: Liam White <liam@tetrate.io> * appease our golangcibot overlord Signed-off-by: Liam White <liam@tetrate.io> * Windows Go doesn't have syscall.Kill Signed-off-by: Liam White <liam@tetrate.io> * Add mixer status to access log (#11471) * Add mixer status to access log Signed-off-by: Lizan Zhou <lizan@tetrate.io> * review Signed-off-by: Lizan Zhou <lizan@tetrate.io> * fixing default exports (#11507) Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * HTTP probe rewrite for webhook part. (#10470) * injector changes for health check, pilot agent take over app readiness check. (#9266) * WIP injector change to modify istio-proxy. * move out to app_probe.go * Iterating sidecartmpl to find the statusPort. * use the same name for ready path. * Get rewrite work, almost. * Some clean up on test and check one container criteria. * fix the injected test file. * Add inject test for readiness probe itself. * Add missing added test file. * fix helm test. * fix lint. * update header based finding the port. * return to previous injected file status. * fixing TestIntoResource test. * sed fixing all remaining injecting files. * handling named port. * fixing merginge failure. * remove the debug print. * lint fixing. * Apply the suggestions for finding statusPort arg. * Address comments, regex support more port value format. * add app_probe_test.go * add more test. * merge fix the test. * webhook autoinject is ready for review. * Squashed commit of the following: commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 18:13:30 2019 -0800 renaming env var. commit 1a82b2c0de292a34643f59ce802858c8d26a7a46 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 17:59:25 2019 -0800 finish migrating test to yaml file based. commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 13:55:00 2019 -0800 get test working. 
commit 28225cd409c7790636c11da74ad8f69d0e7cf89b Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 13:49:58 2019 -0800 WIP add some test files. commit 612b8aa3db468850d8e34f47d0dc05c536f57dde Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 13:13:06 2019 -0800 WIP changing to using the environment var. commit 7dabcb1695fa375de1b93add014528ae7509c94c Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 10:52:47 2019 -0800 add todo for the tests. commit 7af6ba524176616d67d35867665225e27f4a96ce Merge: ca22277d7 4b7b13aef Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 10:47:17 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip commit ca22277d76ed8d1c1b7c3b44cb05edfe52ccf861 Merge: 98fd48f59 744b07ad2 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 23:15:34 2019 -0800 Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip commit 98fd48f59f748bafe5e8518bff3d8cbfd64a2135 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 23:15:00 2019 -0800 findsidecar. commit 744b07ad2406d1eb94bcf5492125f91486ad6b10 Author: Jianfei Hu <jianfeih@goo…
Uses an env var in istio-proxy that defaults to 5 seconds if not set. Can be used to turn off graceful termination completely by setting to 0.
Signed-off-by: Liam White <liam@tetrate.io>
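The behaviour the description above states (a 5-second default when the variable is not set, and 0 turning graceful termination off), as an added Go example that is not code from this PR or from Istio. The variable name `EXAMPLE_TERMINATION_DRAIN_SECONDS`, the function names, and the choice to fall back to the default on invalid values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math"
	"os"
	"strconv"
	"time"
)

// Hypothetical variable name for this example; the page does not show the
// name the proxy agent actually reads.
const drainEnvVar = "EXAMPLE_TERMINATION_DRAIN_SECONDS"

// Default stated in the PR description: 5 seconds when the variable is not set.
const defaultDrain = 5 * time.Second

// drainDuration resolves the drain period from an os.LookupEnv-style lookup.
//   - unset or empty  -> default
//   - "0"             -> 0, graceful termination is off
//   - anything that is not a non-negative whole number of seconds, or that
//     would overflow time.Duration -> default plus an error, so a typo in a
//     pod spec neither disables draining silently nor yields a negative wait.
func drainDuration(lookup func(string) (string, bool)) (time.Duration, error) {
	raw, ok := lookup(drainEnvVar)
	if !ok || raw == "" {
		return defaultDrain, nil
	}
	secs, err := strconv.ParseInt(raw, 10, 64)
	if err != nil {
		return defaultDrain, fmt.Errorf("%s=%q is not a whole number of seconds: %w", drainEnvVar, raw, err)
	}
	if secs < 0 {
		return defaultDrain, fmt.Errorf("%s=%d is negative", drainEnvVar, secs)
	}
	if secs > math.MaxInt64/int64(time.Second) {
		return defaultDrain, fmt.Errorf("%s=%d overflows time.Duration", drainEnvVar, secs)
	}
	return time.Duration(secs) * time.Second, nil
}

// terminate runs the shutdown sequence. With a positive drain period the
// proxy is asked to drain, the agent waits, and only then is the proxy
// stopped. With drain == 0 the proxy is stopped immediately.
func terminate(drain time.Duration, beginDrain func(), wait func(time.Duration), kill func()) {
	if drain > 0 {
		beginDrain()
		wait(drain)
	}
	kill()
}

func main() {
	drain, err := drainDuration(os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "warning:", err)
	}
	terminate(drain,
		func() { fmt.Println("draining listeners") },
		func(d time.Duration) { fmt.Println("waiting", d) }, // time.Sleep in real use
		func() { fmt.Println("stopping proxy") },
	)
}
```
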