ingress election failure fix due to empty ingress class #12120
/assign @ymesika
pilot/pkg/model/context.go
@@ -408,6 +408,7 @@ func DefaultMeshConfig() meshconfig.MeshConfig { | |||
ConnectTimeout: types.DurationProto(1 * time.Second), | |||
IngressControllerMode: meshconfig.MeshConfig_STRICT, | |||
IngressService: "istio-ingressgateway", | |||
IngressClass: "istio", |
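Review bot: the hard-coded `IngressClass: "istio"` added to DefaultMeshConfig() carries no comment explaining why a non-empty class is required, while `IngressControllerMode: meshconfig.MeshConfig_STRICT` two lines above still leaves the ingress controller mode on by default. Either document that the value exists so the default config never has an empty ingress class, or drop the STRICT mode from the defaults so nothing depends on the class when ingress is not in use. A unit test asserting that DefaultMeshConfig() returns a non-empty IngressClass whenever the mode is not off would catch the default being removed again.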
@linsun You removed this in https://github.com/istio/istio/pull/11950/files#r259056328
Although not in the Helm chart, it seems like we should still have it to avoid the errors.
If you have no objection, let's push that into release-1.1 to fix the annoying errors.
I think the problem here is because the ingress controller is enabled by default. What Lin did was to disable it. But she forgot to change the IngressControllerMode variable to off. Right now, it says it's "strict", i.e. istio will still try to do leader election for ingress. If you set it to off, the errors would go away I assume?
yes I removed it because the default mesh file we mounted to the pilot pod doesn't have this config.
+1 we should disable leader election for ingress when ingress is off.
@sbezverk you can just remove this line:
IngressControllerMode: meshconfig.MeshConfig_STRICT,
BTW, this is the default file we should be using, and I forgot to remove the above line.
#11950 (comment)
Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
/lgtm @wenchenglu this is an important fix for 1.1
/lgtm
/approve
@linsun: changing LGTM is restricted to assignees, and assigning you to the PR failed. In response to this:
@wenchenglu my vote to get this in, can you help pls?
@sbezverk I don't think we will support old istio ingress in 1.1... it is not working from what I learned.
@linsun got it, then it should be safe. btw galley has IngressClass set in its Default mesh config func.
/lgtm @costinm do you have different opinion?
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: linsun, sbezverk, wenchenglu, ymesika
@sbezverk: The following tests failed, say
* Fix routing when DNS is resolved (#11522) The DNSDomain variable needs to be enhanced to include more then one DNS entry. Change DNSDomain to DNSDomains as a meta and add the dnsConfig in the meta. As now DNSDomain is a slice of strings instead of a string, the variable needs consolidation. * adjust galley dashboard time range (#11627) * Add update permissions to deployments/finalizers for galley clusterrole (#11586) (#11631) (cherry picked from commit f9b6866) * [release-1.1] Update fluentd adapter to be more robust (#11623) * Update fluentd adapter to be more robust * Minor touchup of bad merge * Lint fixes * Fix kubernetesenv workload attributes for multicluster with one control plane (#11581) * remove myself from pilot OWNERS (#11632) * remove me (#11636) Signed-off-by: Kuat Yessenov <kuat@google.com> * add debug logs for citadel authenticate fail (#11633) * move apply plugin below buildscript (#11625) The Cloud Foundry open source licensing scanner has a plugin that identifies dependencies from gradle scripts, but it requires the buildscript and plugins block be before anything else in the file. This change does not affect the build, but makes our lives a smidge easier. Co-authored-by: Teal Stannard <tstannard@pivotal.io> * check key.pem (#11599) * Sample ServiceEntries for apt-get, pip, and git tools showing how to grant access to mesh. (#11508) * Samples for accessing apt-get repo, Github, and pip repo * A Readme explaining the samples * Link to future doc on default external comm capability * Incorporate documentation feedback from venilnoronha * Add support for metadata constraints in RBAC (#11459) * Add support for metadata constraints in RBAC This adds support for mapping RBAC constraints with keys in the a[b] format to Envoy's filter metadata matcher. 
Signed-off-by: Venil Noronha <veniln@vmware.com> * Use SplitN instead of Split for completeness This updates the metadata matcher definition to use strings.SplitN instead of strings.Split in order to capture the whole binary key in two parts. Signed-off-by: Venil Noronha <veniln@vmware.com> * Accomodate [list] and plain value type constraints This adds logic to accomodate filter metadata matching over both [list] and value type constraints. Signed-off-by: Venil Noronha <veniln@vmware.com> * Add extra experimental. prefix test for matching This adds an extra experimental. prefix test while creating metadata matchers based on Envoy filters. Signed-off-by: Venil Noronha <veniln@vmware.com> * Update comments This updates code comments. Signed-off-by: Venil Noronha <veniln@vmware.com> * add POST to ratings service to demonstrate security policies on HTTP Methods (#10778) * add POST to ratings service * put a space between if and opening parenthesis * add comments * remove extra line-break * Enable remote clusters to check/report to local Mixer (#11585) * Print error message if istio-sidecar-injector invalid, allow toJson as synonym for toJSON (#11570) * Fix racetest in fluentd test (#11647) * Bump the number of connection that can be re-use in Citadel (#11641) * Bump the number of connection that can be re-use in Citadel * A small fix * First cut of xDS APi structural testing using the new integration tests (#11406) * Fixes for k8s ingress (#11343) * Fix ingress in pilot, writeback and multiple namespaces * Fix tests, format * Fix test - the generated service should be left in the namespace of ingress * Additional test fixes, match the new 1.1 semantics * Again make fmt and lint not matching * Break up the helloworld sample into versions (#11650) * Break up the helloworld sample into versions * Moved to default namespace * Seperated gateway file and added labels * Update the doc * Cleanup section updated too * Fix build break due to #11406. 
(#11677) https://k8s-gubernator.appspot.com/build/istio-prow/pr-logs/pull/istio_istio/11645/istio-integ-local-tests/5215 * make stackdriver e2e test cluster wide (#11674) * Add handling for independent encoding in Report batches to Mixer (#11640) * Add handling for independent encoding in Report batches to Mixer * fix lll * Address review * protect protobag done * exit circleci test early if setup fails (#11572) * wip: exit circleci test early if setup fails Many of the circleci tests will attempt to run the e2e/integration tests even after the test setup fails. This leads to misleading test failures that suggest the problem is with the feature test and not the test setup itself. Example test runs where the setup failed and the test was run but immediately errored out because a dependency was missing: https://circleci.com/gh/istio/istio/316588 https://circleci.com/gh/istio/istio/317262 https://circleci.com/gh/istio/istio/318281 https://circleci.com/gh/istio/istio/316031 https://circleci.com/gh/istio/istio/315952 https://circleci.com/gh/istio/istio/315871 https://circleci.com/gh/istio/istio/315813 ref: https://circleci.com/docs/2.0/configuration-reference/#the-when-attribute ``` By default, CircleCI will execute job steps one at a time, in the order that they are defined in config.yml, until a step fails (returns a non-zero exit code). After a command fails, no further job steps will be executed. Adding the when attribute to a job step allows you to override this default behaviour, and selectively run or skip steps depending on the status of the job. The default value of on_success means that the step will run only if all of the previous steps have been successful (returned exit code 0). A value of always means that the step will run regardless of the exit status of previous steps. This is useful if you have a task that you want to run regardless of whether the previous steps are successful or not. 
For example, you might have a job step that needs to upload logs or code-coverage data somewhere. ``` * re-add `when: always` to codecov job * Implementation of isolation for EDS (#11672) * Implementation of isolation for EDS * Provide nil proxy for older calls * Always call loadAssignmentsForClusterIsolated * Revert "Always call loadAssignmentsForClusterIsolated" This reverts commit db2c997. * Env variable to disable * Lint * Environment Variable controlled Graceful Termination with low defaults. (#11630) * Feature flag graceful shutdown Turn graceful shutdown off by default for 1.1 with a feature flag that allows users to opt-in. Signed-off-by: Liam White <liam@tetrate.io> * Address pr comments Signed-off-by: Liam White <liam@tetrate.io> * Clean up missed feature flag var Signed-off-by: Liam White <liam@tetrate.io> * Add turn off test case, todo comments and fix agent tests Signed-off-by: Liam White <liam@tetrate.io> * fix lint Signed-off-by: Liam White <liam@tetrate.io> * PR review comments Signed-off-by: Liam White <liam@tetrate.io> * Move TerminationDuration function and tests to Pilot features Signed-off-by: Liam White <liam@tetrate.io> * Update Proxy SHA to latest (release-1.1). (#11687) Signed-off-by: Piotr Sikora <piotrsikora@google.com> * Add empty check for proxy's locality (#11681) Make sure empty proxy locality will fall back to using proxy service's instance locality. * Increase sleep value to account for Galley default aggregation of 1 sec with MCP (#11685) * cache ServiceAccounts and remove it drom Environment (#11442) * cache ServiceAccounts and remove it drom Environment * use allServices var * fix ut * Adding Envoy bootstrap template for a custom Pilot implementation. (#11395) * Adding Envoy bootstrap template for a custom Pilot implementation. New template connects to Pilot using Google gRPC Envoy client, which allows to perform authz by passing additional credentials. Placed into install/gcp due to being GCP installation specific. 
To enable this template, introducing {{ .discovery_address }} variable, which passes --discoveryAddress flag value "as is", without splitting it into address/port_value parts as currently done for the {{ .pilot_grpc_address }} variable. * Removing static interception listener from gcp_envoy_bootstrap.json as it is generated by the Pilot. * Update bookinfo images, fix the script to bump bookinfo versions (#11701) * add wildcard to digits in the sed regex, for setting version * bump a minor version * Add cli option to Galley to allow metadata on outgoing sink connections. (#11602) * Add cli option to Galley to allow metadata on outgoing sink connections. For use with sinkAddress, outgoing connections to MCP sink servers will have gRPC stream metadata attached as defined by sinkMeta. * Update sinkMeta to use key=value. * Review comments. * Error message if istioctl version doesn't match data plane version (#11592) * Additional error text if istioctl version doesn't match data plane version * Fix typo * Revise wording of error msg * Allow Envoy listener stats to be turned off/on with a pod annotation (#11398) * If sidecar.istio.io/statsPatterns supplied, customize Envoy stats collection * Versionize annotation tag * Change annotation to sidecar.istio.io/v1alpha1/statsInclusionPrefixes per Doug Reid * pin goimports in make fmt (#11645) * fix fmt Signed-off-by: Kuat Yessenov <kuat@google.com> * trying to run docker in circle Signed-off-by: Kuat Yessenov <kuat@google.com> * trying to run docker in circle Signed-off-by: Kuat Yessenov <kuat@google.com> * circling Signed-off-by: Kuat Yessenov <kuat@google.com> * circling Signed-off-by: Kuat Yessenov <kuat@google.com> * just dont use circle Signed-off-by: Kuat Yessenov <kuat@google.com> * add comment Signed-off-by: Kuat Yessenov <kuat@google.com> * Adding namespace declaration in Grafana PersistentVolumeClaim (#11314) When using the Helm chart with a user specific namespace and Grafana persistency enabled, the generated 
PersistentVolumeClaim for Grafana was missing a namespace, leading in the Grafana pod to be stuck in the Pending state. * Fix the periodic builds, add a non-mcp to presubmit (#11703) * Update api sha (#11709) * issue #11244 - demo should install a default secret for kiali so out-of-box experience is nicer for users kicking the tires (#11272) (#11715) (cherry picked from commit 1ad4e29) * [WIP] Fix sync issue with policy enablement and check enablement (#11707) * Fix sync issue with policy enablement and check enablement * Remove outdated comment * Support customization of Envoy bootstrap config (#11559) (#11702) * Support customization of Envoy bootstrap config This change allows override the default Envoy bootstrap configuration for a resource. A sample is included to show how it can be used. * Format code * Fix tests * Pull in new istio/proxy. (#11717) * Add experimental support for 'allowhttp10' (#11511) * Add AcceptHttp10 option to outbound listeners based on global or per sidecar setting * Clarify this is only for 'sidecar enabled' mode * Format and lint * Move http10 option, it was overriden * Add http10 to test, remove verbose * Format * Format * Use release-1.1 images for release-1.1 branch (#11725) * guard with gateway enabled (#11732) * guard with gateway enabled * remove and * Clean up Helm RBAC rules (#11234) * Add apps apiGroup to istio-security-post-install ClusterRole * Delete empty job file * Clean up ClusterRole apiGroups * Separate Kiali's ClusterRole rules into correct API groups * Fix list indentation * Remove OpenShift-specific "projects" resource from core apiGroup * Consolidate more RBAC rules * Update all RBAC resource apiVersions to v1 * Use service hostname as SNI match for TLS ports if virtual service is missing (#11735) * Use service hostname as SNI match for TLS ports Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * tests Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * bad port name Signed-off-by: Shriram 
Rajagopalan <shriramr@vmware.com> * unique port names Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * fix stateful set Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * handle multiple streams in nodeagent (#11738) * service change * unit test * debug log * lint * remove annoying log * Add duration time to stale EDS (#11568) * Tests for drain duration function (#11691) * Tests for drain duration function Signed-off-by: Liam White <liam@tetrate.io> * Licenses... Signed-off-by: Liam White <liam@tetrate.io> * typo Signed-off-by: Liam White <liam@tetrate.io> * Ability to override SAN from destination rule for ISTIO_MUTUAL (#11747) * Add ability to override SAN from destination rule for ISTIO_MUTUAL Fixes issue #11737 * Reformat code. * Fix the Citadel-apiserver connection proliferation issue. (#11743) * Fix the Citadel-apiserver connection prolification issue. * Small fix on logging. * Add comment. * Small fix on log. * Performance oriented helm defaults for release 1.1 (#11476) * Disable stdio adapter * Disable envoy access log * Add telemetry load shedding defaults based on existing data * Add telemetry limits and update hpa * when proxy locality is empty, apply it with service instance locality (#11727) * Get rid of subcharts (#11767) * Get rid of subcharts Now we can use `helm package istio` in the infrastructure to produce a downloadable Istio chart. Note any `helm package -u istio` usage will fail always, so any usage of that needs to be removed throughout the documentation or infrastructure. Finally the CNI helm chart or manifest must be installed if CNI is enabled. If enabling CNI and the CNI manifest is not installed, the Istio sidecar will fail. * Add dashboard checking to helm charts. * wrong path for dashboards * Fix dashboard test cases. * Change helm package -u to helm package * Another attempt at fixing the dashboards. * Fix rebase error. 
* update jaeger client (#11765) Signed-off-by: Kuat Yessenov <kuat@google.com> * Fix hostname match function returns wrong result sometimes (#11793) * Fix hostname matching function * wrong method call * fix lint errors * Remove `helm package -u` in favor of `helm package` (#11769) This work removes the ability to include packages from external helm repositories. This is to remove the `helm dep update` step. The hidden implication here is that CNI must be installed indepently but still enabled in the chart for it to be used. Not installing the CNI chart or manifest while enabling CNI will result in sidecar injector failures. * stackdriver adapter memory usage optimization (#11792) * sd adapter memory usage optimization * clean up test. * Remove calls to helm repo add (#11805) * Remove calls to helm repo add * One more place * Create internal interface argument for istio-iptables script. (#11321) * remove 'istiotesting' parent section for 'onenamespace' values. (#11588) * remove istiotesting in onenamespace values. * add comments. * fix typo. * add more tests for external service (#11752) * add more tests * add an error msg * more tests * fix char * rename test yaml file * mark as unreachable for TLS protocol with VS * add another test * remove wikipedia in many tests * remove dash * .* not allowed at hosts ending * looks like no VS for TLS protocol too * rename per shriram comment * address comment * delete not needed file * typos * when host has * must provide endpoints * remove redundant data * [Kiali] changes for the next version (#11513) (#11804) * changes for new kiali version * add create perms * secret is now optional though really required. this, however, let's kiali provide a more user-friendly error message when the secret is missing, rather than failing to start the pod. 
See https://issues.jboss.org/browse/KIALI-2308 and its parent https://issues.jboss.org/browse/KIALI-2303 (cherry picked from commit 322452a) * use YAML map nil value ({}) for meshNetworks (#11849) since meshNetworks is a map, the correct nil value is {} setting the nil value correctly will allow setting networks by helm command line, using --set : --set global.meshNetworks.network2.endpoints[0].fromRegistry=remote_kubeconfig --set global.meshNetworks.network2.gateways[0].address=0.0.0.0 --set global.meshNetworks.network2.gateways[0].port=15443 * Add configurable Mixer transport error retry (#11795) * Add configurable Mixer transport error retry Adds annotations for the number of retries, base wait time, and max wait time to configure Mixer transport error retry policy. If values are not provided, they will be left unset; defaults will be provided in istio/proxy. * Add more comments * new proxy sha for release-1.1 (#11857) * new proxy sha for release-1.1 * Run deps ensure to api * right sha * Adapt mixer client tests to new mixer filter counters (#11591) * Added new counters from #8224 to Mixer client tests. * Reformat * Add a map to manage FileBasedMetadataConfig (#11753) * use CredentialName for SIMPLE * cvc * rootca * update test. * update test * fix format * update gateway config * fix test * fix lint * fix test * add comments. 
* add nolint * update cvc * update * update * update * update * update * update * format * dep ensure --update istio.io/api * Revise per comments * Revise * lint * Marshal SDS call credential config using deterministic order * update * update * revise * add comment * update * move MCP settings to meshConfig (#11875) * move MCP settings to meshConfig Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * fix cert bug * enable allow any for outbound traffic demo profile (#11820) * remove helm repo add (#11896) * merge timeseries before sending (#11876) * Fix listener parsing with ipv6 addresses (#11861) * Fix listener parsing with ipv6 addresses Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * Fixing typo Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * add sample file to expose bookinfo productpage service as nodeport type (#11858) * add sample file to expose bookinfo productpage service as nodeport type * address comment * build network filters in inbound path, like outbound (#11907) * build network filters in inbound path Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * assorted fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * fix network filter stack Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * set allow any as the default for outgoing traffic (#11906) * set allow_any for default * enable egress for demo profile * enabel egress gateway for e2e testing * update comment per costin's comment * adding more docs * delete accidentally checked in file * minor typo * hope to get tests passing * remove spaces * [Kiali][release-1.1] Tell kiali about the new Pilot /version endpoint used to obtain Istio version string (#11833) * rebase (#11879) * citadel uses OpenCensus for self-monitoring (#10048) * citadel and pilot use OpenCensus for self-monitoring Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * modify based on 10270 Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * Use DefaultRegisterer instead of create a 
new register Signed-off-by: clyang82 <clyang@cn.ibm.com> * do not accept XDS connection if gateway has no service instances (#11905) * kill XDS if proxy has no service instances Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * undo Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * lint Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * fix cloud foundry test case failure * fix mcp test * fix crash * Update istioctl authn tls-check to take into account caller proxy (#11603) (#11924) * Lower resource requirements in demo profile (#11942) * Remove implicit usage of 'busybox:latest' (#11812) * add long description for verify-install (#11928) * add long description for verify-install * review * singular * update pilot mesh config default (#11950) * set allow_any for default * enable egress for demo profile * enabel egress gateway for e2e testing * update comment per costin's comment * adding more docs * delete accidentally checked in file * minor typo * hope to get tests passing * remove spaces * sync default with the mesh file * update test given we changed mesh default * update test * update test * update test * update test * update test * update test * add adapter secret mount into telemetry deployment (#11921) * add gcp credential secret mount into telemetry deployment * update * rename * add optional * remove helm values * update path * do the same thing for policy * mixer: minor doc fixes (#11958) * minor doc fixes Signed-off-by: Kuat Yessenov <kuat@google.com> * review Signed-off-by: Kuat Yessenov <kuat@google.com> * Rename sidecar.istio.io/statsInclusionPrefixes annotation (#11993) * Flexible DNS names (#11986) * WIP Flexible DNS names * More fix * Style filx * Fix error * Fix lint * Fix lint * fix lint * Fix pilot-agent application port 0 (#12001) * fix bug * fix comments * Remove duplicated keys (#10928) Remove duplicated keys in values-istio-test.yaml * Add shortnames 
for common crds (#11969) * Unit tests for sidecar config to sidcar scope conversion (#11901) * Unit tests for sidecar config to sidcar scope conversion * Unit tests for sidecar config to sidcar scope conversion * fix citadel health check issue. (#11965) * add imagepullsecrets for hook jobs. (#11666) * Add Auth to OOP handler (#10622) * add oop auth * simpliy get auth option logic * clear comment * address comment * custom mtls auth check * lint * add server name into tls config * figure out mixer SAN from mixer own cert * remove unnecessary comment * update customVerify * update customVerify * add test to cover untrusted certs in mtls * remove mtls option * lint * clear diff * test * Don't admit CRDs with unknown top-level keys (#11791) * Don't admit CRDs with unknown top-level keys Use term 'field' for error messages Check when admitting both Pilot and Mixer configurations * The admission control rejected a test yaml as invalid * Improve message wording and resolve TODOs by using 'mock' Kind * Add dynamic discovery and listener initialization for supported k8s resource types (#11871) * wip: dynamically discover supported crd types * fix linter errors * improve logs when resource type not found * increase code coverage * address review comments * add a comment * fix linter error * fix issue for generating custom gateway from chart. (#11970) * Let `kubectl get` show additional columns for popular Istio CRDs (#11734) * Annotate CRDs with the columns we would like printed by * Verbiage change suggested by Frank B * Explicitly include AGE column because some versions of K8s will not create it if additionalPrinterColumns are declared * Update ingress gateway TLS validation for credentialName (#11991) * use CredentialName for SIMPLE * cvc * rootca * update test. * update test * fix format * update gateway config * fix test * fix lint * fix test * add comments. 
* add nolint * update cvc * update * update * update * update * update * update * format * dep ensure --update istio.io/api * Revise per comments * Revise * lint * Marshal SDS call credential config using deterministic order * update * update * revise * add comment * update * Update validation * Use e2e values for e2e tests (#11952) * Use e2e values for e2e tests New settings were added to give e2e tests reasonable resource requests. However, some this target did not have these values applied, causing too many requests * hardcode e2e for just the failing test instead of all * generate_e2e_test_yaml not called, moving to own target * expose healthcheck port in gateway (#12041) * GetProxyServiceInstances should not depend on endpoint if there is associated services and pod (#11999) * fix incremental EDS bug: proxy may not get listeners config when endpoint arrive later than the first full xDS push * get endpoint by key instead of loop for all * fix memory leak in pilot (#11183) * fix memory leak in pilot * protect Shards and EndpointShardsByService * Make demo-auth use same resource requests as demo (#11956) * rename to TestDestinationRuleExportTo (#12009) Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * Fix the logic testing for errors (#12053) * Fix jaeger metrics path template (#11963) * Fix virtual machine parameter from "r" to "k" (#12062) * Istio Perf Dashboard fixes (#12049) * fix mcp source unit test (#12069) * Fix upgrade/downgrade issue, add guard for visibility and make it off by default (#12084) * Add MTLS into mixer connection to oop adapter (#12052) * add oop mtls * address comment * add a comment about how key/certs are generated * New proxy and api sha for istio (#12045) * new proxy sha in istio * New proxy sha for istio * Fixing test * Right intend * MOre fixes * Endpoint locality prioritization (#11981) * Endpoint locality prioritization Defaults to off and has to be enabled via a env var in Pilot as it is an experimental feature and we are close 
to a release
Signed-off-by: Liam White <liam@tetrate.io>
* Fix correct spelling of prioritise
Signed-off-by: Liam White <liam@tetrate.io>
* Don't ignore kube-system in EDS (#12028)
This was originally ignored due to a high rate of updates from kube-system. EDSInformer now checks that there were actual meaningful changes made, otherwise they are ignored, so this is no longer an issue.
* Istio auth sds e2e (#12100)
* use CredentialName for SIMPLE
* cvc
* rootca
* update test.
* update test
* fix format
* update gateway config
* fix test
* fix lint
* fix test
* add comments.
* add nolint
* update cvc
* update
* update
* update
* update
* update
* update
* format
* dep ensure --update istio.io/api
* Revise per comments
* Revise
* lint
* Marshal SDS call credential config using deterministic order
* update
* update
* revise
* add comment
* update
* Update validation
* fix istio_auth_sds_e2e
* fix TestRouteSNIViaEgressGateway/*
* istioctl validation improvements (#11768)
Use term 'field' for error messages
Look for same top-level fields as admission controller
* Hide GODEBUG output from istioctl requests (#12091)
* Hide GODEBUG output from istioctl requests
* Fix in single function as well
* support listen multi-namespaces (#11667)
* support listen multi-namespaces
Signed-off-by: clyang82 <clyang@cn.ibm.com>
* fix kube errors
Signed-off-by: clyang82 <clyang@cn.ibm.com>
* fix lint error
Signed-off-by: clyang82 <clyang@cn.ibm.com>
* fix ut error
Signed-off-by: clyang82 <clyang@cn.ibm.com>
* Add new dep
Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
* replace CA with Citadel
Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
* fix merge issue
Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
* properly handle passthrough and non passthrough on same gateway port (#12071)
* properly handle passthrough and non passthrough on same gateway port
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* fixes
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* flimsy tests
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* snafu
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* bring back e2e tests
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* lint
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* Revert "bring back e2e tests"
This reverts commit a3fbb48.
* fixes
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* Improving error message for sidecar readiness (#12123)
Currently, the readiness error message doesn't make it clear that the issue is likely Pilot:
```
2019-02-25T07:22:20.019287Z info Envoy proxy is NOT ready: cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
```
This PR should help users better diagnose these issues in the future. This is a port of PR #12098 into the release-1.1 branch.
* Remove mem registry (#11543) (#12026)
* Remove mem registry (#11543)
* Fix lint
* extract Galley root command to server. (#12073)
* Replace root command of Galley with server mode.
* Fix linter issue.
* Remove accidentally added envoy.test (#12136)
* Fix the health check probe (#12135)
* Fix the health check probe.
* Small fix.
* Small fix.
* Small fix.
* Small fix
* Fix identity in certs provisioned for VMs. (#12109)
* Avoid unnecessary service change events(#11971) (#12148)
Unnecessary service/instances change events are fired by consul registry, causing TCP connections destroyed by Envoy
Fixes #11971
Change-Id: Iaf60a89175c9113cd8cde1556c9bf11d1a367e8f
Signed-off-by: zhaohuabing <zhaohuabing@gmail.com>
* Removing a leftover to disable ingress (#12120)
Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
* Fix EDS race condition when using localities (#12151)
* Fix EDS race condition when using localities
Signed-off-by: Liam White <liam@tetrate.io>
* Wordz
Signed-off-by: Liam White <liam@tetrate.io>
* Wire-up excluded resource types list to the CRD check and update logging (#12143)
* - Wire-up excluded resource types list to the CRD check.
  - Update logging.
* Revert copyright.
* Revert copyright.
* Remove VirtualService examples that no longer have an effect (#11892)
* Remove no-longer-needed VirtualServices
ServiceEntry for github.com not needed to clone https URLs
* Modifications after testing using release-1.1-20190214-09-16
* Correct comment explanation
* Include pythonhosted.org for 'pypi' and sort/format/dedup the github addresses
* Doc fixes. (#12107)
* Update jaeger-client-go deps to catch 128bit traceid transport fix (#12166)
* Update jaeger-client-go dep
* Ensure mixer generates 128bit traceids
* Fix DestinationRule issue when there is no Sidecar (#12047)
* Fix DestinationRule issue when there is no Sidecar
* Default to legacy (current codepath)
* Refactor e2e yaml value files (#12076)
* Refactor e2e yaml value files
This change involves:
* renaming uses of old make target
* adding all generated files to gitignore
* create new target to build all e2e yaml files and another for the demo files that are included in release
* move all testing value files, and example value files, to folders
* create value files for tests that were using --set
* Fix reference to values-e2e.yaml
* Fix typo
* Add readme and fix test failures
* Fix integration tests file
* Enable core dump for auth sds test
* Actually use coredump
* Move istio minimal - needed for docs
* resolve conflict
* Do not setup SNI match if service has a VIP (#12161)
* Do not setup SNI match if service has a VIP
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* missing check
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* Upgrade cert-manager to v0.6.2 (#12149)
Currently Istio ships with cert-manager v0.5.0 as an optional dependency. This version is outdated and has known issues/limitations with regards to certificates renewal, excessive calls to the ACME APIs, etc.
This commit contains minimal changes necessary to upgrade the bundled cert-manager to the most recent stable version.
Changes are based on the official Helm Charts distribution of cert-manager.
* Doc fixes. (#12180)
* fix mixer and pilot upgrade issues. (#12177)
* add namespace parameter support (#12104)
* add namespace parameter support
* add namespace parameter support
* add namespace parameter support
* fix lint
* add test case for proxystatus
* Move mixer check annotation to model with defaults (#11859)
* Move mixer check annotation to model with defaults
* Initialize proto once
* Update tests
* Add an e2e test to validate fault injection telemetry. (#11773)
* Add an e2e test to validate fault injection telemetry.
This attempts to provide validation of telemetry for FI to guard against recurrence of issues such as: #11151.
It adds a new test in the mixer suite that installs custom virtual service and destination rules that inject faults at 100% (using error code 555). The test validates that the destination workload information is "unknown" and that we receive telemetry with the `FI` response flag.
* Add forgotten file to PR
* Updates tests to match CNI install procedure (#11877)
* Updates tests to match CNI install procedure
The CNI install procedure was changed to eliminate dependent helm templates. Changes are required in the test routines to match.
* Move daemon start after cluster setup
The daemon start was before the cluster start.
* Changes required after testing
* debug
* Final fix ups
* Address review comments.
* Turn policy off by default (#12114)
* Simplify files and cleanup base values.yaml
* golden files update
* switch back to old defaults for rewriteAppHTTPProbe
* update golden
* override cpu requests for e2e tests
* move policy and telemetry to top level for visibility
* Update deps for 1.1rc2 (#12213)
* Proxy sha and Api sha for istio
* Update istio/proxy to pickup istio/proxy#2135
* pilot should wait for kubernetes cache sync before serving (#12214)
* Remove test mgmt ports (#12206)
* Remove test mgmt ports
* Remove todo and fix test
* Fix local test
* guard mysql proxy with version check (#12225)
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* Various fixes for the Multicluster e2e test [release-1.1] (#11940)
* Choose the correct Istio yaml file for MC
* Increase the timeout for the MC test (typically it's 40+ mins)
* Set selfSigned flag to false for remote (shared root CA)
* Wait for remote addition/deletion to propagate
* Enable access log for primary and remote clusters
* Fix pilot grpc failure in Consul (#12228)
Signed-off-by: Serguei Bezverkhi sbezverk@cisco.com
Closes: #12119