-
Notifications
You must be signed in to change notification settings - Fork 7.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refresh oop handler with connection config update #12575
Refresh oop handler with connection config update #12575
Conversation
/assign @kyessenov @mandarjog |
@bianpengyuan: GitHub didn't allow me to assign the following users: kyessenov. Note that only istio members and repo collaborators can be assigned. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/assign @kyessenov |
@bianpengyuan: GitHub didn't allow me to assign the following users: kyessenov. Note that only istio members and repo collaborators can be assigned. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Thanks for taking it on! I added a few comment to improve error messaging, but other than that it looks good. I also discovered #2539 while reviewing this. |
@bianpengyuan: The following tests failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
@kyessenov: changing LGTM is restricted to assignees, and assigning you to the PR failed. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bianpengyuan, kyessenov The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@mandarjog @duderino Can we merge this into 1.1? This is a bug fix for out of process adapter. |
* Testing: support retries in Structpath (#12539) * Testing: support retries in Structpath The current structpath library automatically fails the test as soon as an error occurs. This change splits structpath into 2 types: Instance: methods return errors. InstanceForTest: delegates to Instance and fails the test if an error occurs. Tests that allow retries will use Instance and handle the errors manually. * splitting out the test and non-test instances * Fixing TestMain for sidecar_api_test * fixing bug in ForTest * Switching to single fluent-style api * Move Distributor interface back to runtime. (#12242) Distributor is an interface consumed by the runtime package. * [Kiali][master] things needed for next version of Kiali (#11823) * things needed for next version of kiali * additions needed for https://issues.jboss.org/browse/KIALI-2417 * install kiali v0.15 * add read-only role for people to use if they don't want to grant write access to kiali * mount secret to volume now, not env vars * add rbacconfigs - https://issues.jboss.org/browse/KIALI-2564 * add prometheus scrape annotations to scrape the new metrics endpoint * everything is now up to date for kiali v0.16 * Canonicalize help strings for CLI (#12219) * Fix recently broken racetest on master (#12383) * Fix racetest * Lint * One more race * Added a todo with issue ref * missing comment on exported function ConstructCustomDNSNames (#12492) * missing comment on exported function ConstructCustomDNSNames * Document customization process * Merge collab-test-framework to master (#12574) * Fix deps and broken merge for mixer test * Fix overly restrictive golang version match * Fix integration test framework merge issues * Fix line length lint issue * Interim checkin of Test Framework refactorings. (#11718) Seeding collab-test-framework * Tf 11 scopes (#11772) Cleaning up the new prototype code. * Remove hardwired constants from the deployment file. * Fixup some tests * Use framework2 for pilot tests (#12243) * WIP updating sidecar test to new framework * Re-create Pilot tests based on framework2 * Merge master => collab-test-framework (#12374) * [Galley] Standardize worker thread lifecycles (#12125) * [Galley] Standardize worker thread lifecycles We currently have several worker classes that follow a similar lifecycle pattern, but are inconsistent. This PR makes standardizes the lifecycle management logic into a new Worker class. * addressing comments. * addressing comments. * Update to grafana 6.0.0 (#12191) * Support offline running productpage by packing js and css in image (#12218) * Make code more reusable in other contexts (#11353) * Make code more reusable in other contexts - Export processStream methods, they are useful when using the code outside of Istio - Move verifySentResourcesMultipleTypes to client_test.go * Add licence * Correct TestAdmitPilot Case (#12281) Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * Fix pilot grpc failure in Consul (#12273) * fix wrong link for mixer (#12347) * Update OWNERS (#12361) * Update OWNERS * Update OWNERS * mixer: CEL runtime (#12145) Signed-off-by: Kuat Yessenov <kuat@google.com> * Change IP addresses to show up as strings in label maps in accesslog (#11740) Change IP addresses to show up as strings in http req in accesslog Fix lint errors Fix lint errors Use stringify function Updated based on feedback * Improve resource lifecycle management and debuggability. (#12402) * Improve lifecycle model. - Add defer context.Done() to sidecar_api_test for resource cleanup. - Ensure that Pilot's Close returns after the background go-routine is torn down. - Properly register components/resources for cleanup purposes. - Reverse the resource cleanup loop to make sure resource dependencies are handled properly. - Add friendly ids to test framework components to help with debugging. - Refactor environment names to avoid cyclic dependencies. * Fix lint issues. * Major refactoring of the new framework & ensure the native mode tests work. * Fix runaway refactoring. * Make Istio deployment work. * Fix some Kubernetes based tests. - Accommodate code review feedback. * Fix all K8s tests. * Cleaning up of the core framework API surface. * More cleanup of the surface area. * Fix lint and formatting * Update Makefile & related settings. * Move collateral docs to framework2, remove framework and integration. * Move framework2 -> framework * Fixup echo. * Fix minor bug. * Fix lint issue. * Minor clarification to the output message. * Fix Makefile * Temporarily add debug log output for tf. * Improve in-CI debugging. * Fix lint problem. * Add CI Mode flag. * Convert Always to IfNotPresent * Convert Always to IfNotPresent * Fix Citadel component init. * Write pod state to files. * Fix galley.New() * Minor fix. * Refactor Hub/Tag/PullPolicy usage. * Increase deployment timeouts. * Fix formatting bug. * Make linter happy * More diagnostic output support. * minor cleanup * Fix Yaml deployment code. * link fixes. * Fix comment. * Set minikube ingress to minikube-none. * More minukube fixes. * Final cleanups. * extract namespace to its own component. * Major cleanup of structure/packages. * Post merge fixups. * Fixup sidecar api tests post-merge. * Fix structpath panic. * Increase the deployment timeouts in CI. * Add istio 1.2 CRD file. * Fix linting. * Fix imports. * Disable sidecar_api_test.go test (which is already disabled in master). * Remove debug flag. * Fix lint errors. * Fix testcontext format parameters * Disable the sidecar tests before the merge. * Fix CI Mode timings. * Fix CI Mode timings. * Make linter happy. * Cherry-pick Galley/MCP changes from 1.1 => master (#12604) * Add dynamic discovery and listener initialization for supported k8s resource types (#11871) * wip: dynamically discover supported crd types * fix linter errors * improve logs when resource type not found * increase code coverage * address review comments * add a comment * fix linter error * extract Galley root command to server. (#12073) * Replace root command of Galley with server mode. * Fix linter issue. * Wire-up excluded resource types list to the CRD check and update logging (#12143) * - Wire-up excluded resource types list to the CRD check. - Update logging. * Revert copyright. * Revert copyright. * Do not reject entire batch of updates, if items get past validation. (#12476) * Do not drop the whole batch, if validatin of a single resource fails. * minor comment cleanup. * Adding unit tests. * Make linter happy happy happy. * Remove myself from OWNERS files (#12608) * add a e2e test for oop (#12577) * Add a config package folder. (#12611) * Hide most logging CLI options from istioctl (#12633) * Log descriptions of pods when tests break (#11904) * Log descriptions of pods when tests break * Don't overwhelm the logs for a possibly transient error * Fix kubectl syntax * Back out change in retry behavior to avoid masking root cause * add istio-init.yaml to .gitignore (#12542) * authz: add authorization policy CRD to helm-init (#12541) * Fix bug in locality LB normalization (#12532) (#12579) The priority needs to be normalized (so it is always has no gaps), so priorities [0,2] should be changed to [0,1]. However, we were changing the wrong endpoint's priorities. * Apply locality weighted lb config correctly (#12588) Previously, this value was not set if the load balancer config was nil. However, it should actually set anytime outlier detection is enabled, so that locality lb can behave correctly. * Fix bug causing empty endpoints per locality (#12615) * Fix bug causing empty endpoints per locality Before, we were allocating the array then appending to it, creating empty endpoints at the start of the array. * Predefine slice size * Fix the MCP Client ConfigZ page (#12626) * Fix the MCP Client ConfigZ page. * Fix the tests * Update test name to clear confusion. * Add threshold for rds.go codecov (#12499) Test is flakey, saying it has droppped coverage when it has not due to it being nondeterministic. * Drop log level for missing service account for spiffe uri (#12239) * Don't require service account for spiffe Some kubernetes pods don't have a service account. This causes a log flood that the spiffe url is invalid, but this doesn't actually have any negative impact. We can just make it not an error to have no service account. * Revert "Don't require service account for spiffe" This reverts commit e88ff187963e97949d3b81c3575b997ddd7e7a6f. * Just drop error -> warn * Fix tests * Drop log level * [Authz v2] Add additional fields for bindings and validation. (#11800) (#12460) * Adding additional fields for bindings and validation. (#11800) * Implement namespaces for ServiceRoleBindings * Implement not_namespaces and refactor * Implement not_ips * Implement ips (no unit tests) * Add a unit tests for ips for ServiceRoleBinding * Implement groups and not_groups for ServiceRoleBinding * Implement names and not_names * Check for duplicated definition in constraints/properties and first-class fields * Disallow using * in names or not_names to prevent ambiguity * Disallow using * in names or not_names to prevent ambiguity * Refactor additional fields for bindings * Update validation.go * Update validation.go * enhance verify install command (#12174) * enhance verify install command * fix lint * fix lint * configure prometheus to monitor citadel. (#12175) * Add namespace scoping to the Gateway 'port' names (#11509) (#12500) (#12556) * Add namespace scoping to the Gateway 'port' names (#12500) (#12500) Currently in order to configure ingressgateway to do TLS termination using multiple secure virtual hosts with different certificates Istio requires Gateway 'port' names to be globally unique (i.e. distinct). I.e. two gateways cannot have secure port named 'https' even if they reside in different namespaces. Behavior in such case is undefined. This breaks namespace isolation as a user creating a Gateway in one namespace might not have access to other namespaces hence can't if the port name is already 'taken'. Behavior in such case is undefined and likely to render other virtual hosts unavailable. This change adds namespace scoping to Gateway port names by appending namespace suffix to the HTTPS RDS routes. Port names still have to be unique within the namespace boundaries, but this change makes adding more specific scoping rather trivial. * Increase Gateway 'port' names scoping granularity * Minimal changes to make locality lb not sigsegv (#12649) * Locality label istio-locality in k8s should not contain `/`, use `.` (#12592) * Locality label istio-locality in k8s should not contain `/`, use `.` instead * fix comments * Only use gateways for servers being processed (#12663) Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com> * Propagate Envoy Metrics Service Config (#12569) The plumbing for propagating the envoy metrics service address config is missing a step to copy the given address to the config object that is passed on to the template renderer. * mixer: add directive demo adapter (#12505) * finish demo Signed-off-by: Kuat Yessenov <kuat@google.com> * printf Signed-off-by: Kuat Yessenov <kuat@google.com> * publish keyval Signed-off-by: Kuat Yessenov <kuat@google.com> * Adding sidecars to validating webhook configuration (#12233) (#12643) Addresses issue #12193 * Cleaning up Unit tests for RDS (#12581) Added a new case and cleaned up the existing test cases. * switching deployment to v1 api (#10578) Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * Cleanup Galley OWNERS file. (#12676) * fix uds socket (#12688) * uds fix * readonly * Add unit test to cover multiple different locality case (#12388) This PR only increases test coverage. Does not impact functionality. Signed-off-by: Liam White <liam@tetrate.io> * Build 1.1.1 (#12690) * Fix LB weight setting for split horizon eds (#12560) * lb weight for split-horizon-eds shoulb be set correctly * fix ut * rename * fix ut * fix lint * fix lint * fix typo in default envoy JSON log format (#12473) * Make release-1.1 changes compatible with master * Remove extra ingress template * cherry pick 10578 * reformat * Update rbac.go to use httpfilter when needed * Integration framework ensure apiVersion is top level * Update yaml make target * Disable setup on sidecar_api_test * clarified mesh connect timeout fields based on code impl (#12089) * Testing: configurable ports for Echo (#12681) The echo component currently assumes a hard-coded list of ports. We eventually want to replace the "apps" component with echo, but in order to do that we'll need to be able to tailor the port configuration for each instance. * add image pull secrets for zipkin. (#12327) * Refresh oop handler with connection config update (#12575) * refresh handler with connection update * sanitize test error message * Fixing coping of the data to the bucket during release (#12585) * Fixing coping of the data to the bucket. * Small fix * RM folder in any case * 'istioctl proxy-config clusters' cluster type column rendering (#12458) * Make error message explicit (#12675) * E2E test for health check under mtls using app prober rewrite. (#11531) * injector changes for health check, pilot agent take over app readiness check. (#9266) * WIP injector change to modify istio-proxy. * move out to app_probe.go * Iterating sidecartmpl to find the statusPort. * use the same name for ready path. * Get rewrite work, almost. * Some clean up on test and check one container criteria. * fix the injected test file. * Add inject test for readiness probe itself. * Add missing added test file. * fix helm test. * fix lint. * update header based finding the port. * return to previous injected file status. * fixing TestIntoResource test. * sed fixing all remaining injecting files. * handling named port. * fixing merginge failure. * remove the debug print. * lint fixing. * Apply the suggestions for finding statusPort arg. * Address comments, regex support more port value format. * add app_probe_test.go * add more test. * merge fix the test. * webhook autoinject is ready for review. * Squashed commit of the following: commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 18:13:30 2019 -0800 renaming env var. commit 1a82b2c0de292a34643f59ce802858c8d26a7a46 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 17:59:25 2019 -0800 finish migrating test to yaml file based. commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 13:55:00 2019 -0800 get test working. commit 28225cd409c7790636c11da74ad8f69d0e7cf89b Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 13:49:58 2019 -0800 WIP add some test files. commit 612b8aa3db468850d8e34f47d0dc05c536f57dde Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 13:13:06 2019 -0800 WIP changing to using the environment var. commit 7dabcb1695fa375de1b93add014528ae7509c94c Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 10:52:47 2019 -0800 add todo for the tests. commit 7af6ba524176616d67d35867665225e27f4a96ce Merge: ca22277d7 4b7b13aef Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 10:47:17 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip commit ca22277d76ed8d1c1b7c3b44cb05edfe52ccf861 Merge: 98fd48f59 744b07ad2 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 23:15:34 2019 -0800 Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip commit 98fd48f59f748bafe5e8518bff3d8cbfd64a2135 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 23:15:00 2019 -0800 findsidecar. commit 744b07ad2406d1eb94bcf5492125f91486ad6b10 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 22:29:28 2019 -0800 add FindSidecar. commit 40ed002ff6f5dd4afe22afa984384addc1be1104 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 21:55:51 2019 -0800 refactor some code. commit 0fdbb2e832b7ac01f3e4ed185763b3b20bfbd2ac Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 18:19:32 2019 -0800 Integration test works and fixing a bug. commit 5085dfd0e6cb4f0c9cb5c25e7f24b0b94dec176a Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 16:09:13 2019 -0800 all inject tests pass. commit fe3f156316c917854c2ef4c163e7e1fb070c4fa5 Merge: a2a774498 010d5c266 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 15:22:18 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip commit a2a774498e1021c1ca01c021c071e225fa330407 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 15:16:04 2019 -0800 update the TestWebhookInject. commit 36fd45c074bcc787702a5a9257d23103521f525c Author: Jianfei Hu <jianfeih@google.com> Date: Fri Jan 25 12:13:21 2019 -0800 some document commit 88dc922719e2c4723a334d1d8d959cac361b1ecb Author: Jianfei Hu <jianfeih@google.com> Date: Fri Jan 25 11:43:44 2019 -0800 new version works for kubeinject, webhook unit test. commit 6efa0d64eca835dd860cdfc37d09ebfe110e083a Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 18:17:38 2019 -0800 WIP working on modifying sidecar.Args first, then modify app container patch. commit 65a2194ae7a93581f60b56998aeb9480b4a4fde5 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 15:20:36 2019 -0800 WIP add what's missing to get e2e test working. commit 1595e871c640cdabead372eada2b17d717fa707f Merge: 256d9635f ac78a552a Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 13:26:05 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit 256d9635f4d590936c473bf3be0299064cb9c716 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 12:14:04 2019 -0800 add some debugging log. commit f70096334464fd1d59a0e81997e8f0fd6623a564 Merge: bdce72119 c7eb603ee Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 10:57:43 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit bdce72119ef78dab40b750861768c332811b9ee2 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 18:04:37 2019 -0800 refactor to host something up to caller. commit b51763c21000ba2b7fe9e2bc728783ce530cfe87 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 16:31:32 2019 -0800 get everything works. commit 0815695a2fea828f06a31f14ed7795a3b3716111 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 15:48:27 2019 -0800 kubeinject test is working. commit 14c99b58f0212972d42e298fa4185275642d672c Merge: d626bb85d 5ea79622c Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 15:38:30 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit d626bb85dee628771f8f41fc90335ac608dea923 Merge: 3561ae0a6 66153da4d Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 15:38:23 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit 3561ae0a69350730834e625c0710394968f9fcde Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 16:49:44 2019 -0800 WIP, policy is not taking effect, test passing without rewrite. commit a9bef0f01964a14f6ace0da6217d7a36f364b661 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 16:31:08 2019 -0800 fix the json path in the patch. commit f1aee91189e16beb0dadee6c612464b1aa9bad21 Merge: 3a7eb48e6 abc53e120 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 14:03:49 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit 3a7eb48e6b8e4687ffc38973bf18fca11b06c957 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 13:57:55 2019 -0800 fix it, removing namespace since metadata not matching will fail for kubeapply commit 2b120347ae887b8a4aa5f955a1a8cb0bdd46d3da Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 11:58:39 2019 -0800 WIP, debuggin why mtls policy is not showed up. commit 72e9c4e488f875ffea0c3a279403277010160ee1 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 15 17:24:16 2019 -0800 working on integration2 test framework. commit 90c1cce9ddc55ce339aa65eac06602591d3113c9 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 15 17:04:38 2019 -0800 add small comments. commit 92a0edaa11734d1c6fb1c367fae56dc104c6e676 Merge: 7f5c8cbd8 e45242c0d Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 15 16:43:47 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit 7f5c8cbd8d4aa57eaf8f8d739cae6dbfdab0445d Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 18 09:37:53 2018 -0800 check rewriteAppProbe separately. commit e2707c9b8f1b01bd4b03b2c6adb9fc79f0dcb479 Merge: 20f02c045 1ae6b4fde Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 18 09:01:37 2018 -0800 Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject commit 20f02c04563fab9b81b418c00a5455994fda5148 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 18 08:59:57 2018 -0800 duplicate the rewrite logic. commit 4894cb16804d9c5a0406c2dc1b02e3395be08e64 Merge: 3b3bcbff8 d8c4579fa Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 18 08:53:44 2018 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit 1ae6b4fde00ae641637d44c0f417f635b6d9a6b1 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Dec 17 21:56:51 2018 -0800 address comments. commit 3b3bcbff86f982c8abc705518a0fd4ec37bf4840 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 15:24:33 2018 -0800 massage comments. commit ccd670d31ef2c1817f87fe932d6f0d2ed4f609d7 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 15:15:50 2018 -0800 helm flag is off, so change the expected outoupt. commit 43522c15d06054e4bb173ab2c37333a4de647c2d Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 15:09:46 2018 -0800 make webhook support rewriteAppHTTPProbe flag. commit f60f18f4144482874c1219c7da90e97f19f1172f Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 12:03:04 2018 -0800 fixing the merge typo. commit 05bbadfd851b3a5ad013e733d6eb5eacf5491b15 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 11:56:38 2018 -0800 remove unnecessary changes in test for debugging. commit a81eacb6892509d8938be8d64f1435cf64e22317 Merge: af1a67989 f6b0ddc30 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 11:53:07 2018 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit af1a6798988f9fe70e40add2a6d4971efa9b50ed Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 18:07:19 2018 -0800 fixing all the test. commit 58d0bef3520037a81db8baa34d6e13849d20af10 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 17:51:34 2018 -0800 Get TestInject happy. commit fcd0ae2f7a6ba2f067f460f4baad2194e517b7f1 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 17:49:42 2018 -0800 make TestHelmInject happy. commit 7a3ffc8d8e4b5509e1bbed2facc6e4ba14d70fa0 Merge: fcca1f89a bd1631be3 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 16:53:01 2018 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit fcca1f89af2fddfc0edb3824982aa0b81390fa6d Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 16:18:20 2018 -0800 get webhook_test.TestInject working. commit 06f517cfc4214994be1be848d40b12f09ba8a4b8 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 16:10:55 2018 -0800 restructure app_probe_test working for both. commit 7142e96ed8a3200fc91bc73aee86d471117232fc Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 13:19:41 2018 -0800 starting to work on serious test commit a3dfb97b4ec4de375984c2a17eb4374bc1c5046a Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 11:50:19 2018 -0800 prototyping get familar with the test. commit 51659dacbc569f4532dc6a37b2091f39c7cf115b Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 11:05:51 2018 -0800 wip for adding test. * resolve appprobetest. * update the golden due to another injector change. * remove unnecessary files in this pr. * remove the test framework change. * remove unnecessary testdata file. * wip for adding health check test app. * wip very hack working solution app deployed * finally test starts working * make sure the test works if and only if the helm flag is turned on. * refactoring * small adjustment. * DeepCopy used. * working test only healthcheck test. * remove inline policy * change RegisterHelmValueOverrides. * unnecessary change. * Finish HelmValueMap refactor. * some cleanup. * clean up. * flags helm values takes higher priority. * fix the lint. * address comments. * revert chagnes on HelmValuesMap. * wip getting helm customizable with new configuration api. TODO: testing by rebuild image. * fix the helm value passing overrides. * wip the app is deployed but not ready and still finishes... * wip apps configuration not take effect. * working version of apps configuration. * clean up some debugging log. * test documentation. * WIP changing deploymentFactory to KubeApp. * verify test works. * clarify kubeappsconfig doc. * get the test pass, no apps configuration yet. * get test working. * clean up on apps/kube.go * few clean and update readme doc. * change the overrides by func callback. * fix the typo. * fix the comments. * Hide ServiceAccounts from PushContext log (#12702) * Configure localityLbSetting in values.yaml (#12683) * Configure localityLbSetting in values.yaml * Update docs * Fix concurrent map access (#12706) * Remove when: always from CircleCI configuration for integration tests. (#12679) This causes the integration tests to run, even if the previous steps fail. * Removed unused code from EDS (#12221) * Should not add a worker in GoroutinePool construction func (#12619) * GoroutinePool does not add a worker in construction func * fix ut * remove redundant code (#12656) * remove redundant k8s discovery code * remove redundant * Configure logging level in proxy and control plane (#12639) * configure proxy log level via helm values for sidecar and gateways * configure istio control plane log level via helm * Put back a couple settings for Kiali that were accidentally deleted. (#12472) Some Kiali settings were accidently deleted when the new installation options for release-1.1 was published. This is because these settings were commented out in the values.yaml file for kiali under istio/kubernetes/helm/istio/charts/kiali. Bug:#3660 * remove to be deprecated critical pod annotation. (#12657) * remove to be deprecated critical pod annotation. * fix ci. * Adding timeouts in Galley processor tests (#12701) * Adding timeouts in Galley processor tests This is to help in debugging #12628. * making await method private * add pod antiaffinity. (#12691) * add pod antiaffinity. * fix gateways issue. * add pod antiaffnity to helm test pod. * remove local test file. * apply comments. * Adding galley test for sidecar config validation (#12247) * Adding galley test for sidecar config validation Test cases related to PR #12233 * Using istio-system as namespace for resource * Collect details/artifacts for failed tests in Prow. (#12753) * Add infrastructure to document env var usage. (#12727) - Introduce the pkg/env package containing a few functions to query environment variable values. It keeps track of the variables requested so they can be documented. - Extend pkg/collateral to recognize and output the environment variables used in the process. This is what is needed to make this stuff show up on istio.io. - Update all relevant call sites to use the new infrsstructure. It's still missing descriptions for all the variables, that'll be up to component authors. I'll file issues to get that work done. - Fixed bugs in the node_agent_k8s code that was using env vars as the default for Cobra command-line arguments, resulting in potentially variable default values produced in the generated docs. Default values need to be static. * Enable more linters. (#12751) - Flip on a couple more linters - Fix a bazzilion warnings produced by these linters, along with many warnings produced by other not-yet-enabled linters. - Fix pkg/version so the tests compile on Mac. This broke a while back, preventing the linter from running to completion on the Mac. * Convert galley to reload files via SIGUSR1 or a ctrlz handler (#11617) * Convert galley to reload files via SIGUSR1 or a ctrlz handler * Fix ctrlz shutdown not to block * Disable the mtls_healthcheck test until it can be fixed. (#12775) * Change IP addresses to show up as strings in label maps in accesslog (#11740) (#12502) Change IP addresses to show up as strings in http req in accesslog Fix lint errors Fix lint errors Use stringify function Updated based on feedback * upgrade prometheus version. (#12781) * Wait for endpoints of policy backend, before trying to use it. (#12763) * Wait for endpoints of policy backend, before trying to use it. * Minor fix to the structure. * Add wait logic for waiting Galley to come online. * Fix minor bug. * Rename the method so that it is clear what it is doing. * Add additional constraint check. * Remove redundant write header (#12731) Write already writes 200 status code, so this wasn't needed. This caused unneeded logging every time it was called. * Tell Kubernetes that Istio validation has no side effects (#12670) * Tell Kubernetes that Istio validation has no side effects * Add integration tests for --server-dry-run * Report version of kubectl and server * Version check error * Undo --server-dry-run tests which require K8s 1.12 or higher * fix uds socket (#12688) (#12802) * uds fix * readonly * mixer: switch to simplified config model (#12689) * take 2 compiled instances Signed-off-by: Kuat Yessenov <kuat@google.com> * try with apa Signed-off-by: Kuat Yessenov <kuat@google.com> * quota failure Signed-off-by: Kuat Yessenov <kuat@google.com> * false signal? Signed-off-by: Kuat Yessenov <kuat@google.com> * more crds Signed-off-by: Kuat Yessenov <kuat@google.com> * nil params Signed-off-by: Kuat Yessenov <kuat@google.com> * patching config Signed-off-by: Kuat Yessenov <kuat@google.com> * remove stale command Signed-off-by: Kuat Yessenov <kuat@google.com> * Fix destination host validataion (#12804) * Implement AuthorizationPolicy with workload selector. (#12050) (#12667) * WIP AuthorizationPolicy with selector * WIP AuthorizationPolicy with selector * Check if need to use convertRbacRulesToFilterConfig and ignore permissive mode * Support TCP * Move new functions for RBAC v2 to rbac_v2.go * Change the structure and refactor tests * Put services field check back * Remove services field validation * Remove optimization * Add selector no match test * [Galley] Adding ServiceEntry synthesis (#12409) Added a new custom projection that is subscribed to events for k8s Pods, Nodes, Services and Endpoints. These events are absorbed and do not become part of the snapshot. Instead, synthetic ServiceEntry resources are generated and become part of the snapshot. Partially addresses #10497 and #10589 * Add a linter to prevent use of os.Getenv and os.LookupEnv (#12778) - Add more unit tests to pkg/env to bring coverage to 100% - Move existing linter sources from test/util/checker to tools/checker * Specify istio-init user explicitly (#5453) (#12708) Istio-init is supposed to be run as a superuser so it can configure iptables and this is the current default. However many popular Helm charts typically define a single container pod and specify `securityContext.runAsUser` on a pod level (rather than the container level) and that is what istio-init inherits. As the result many Helm charts aren't working with Istio auto-injection out of the box. A simple fix would be explicitly setting `securityContext.runAsUser` for istio-init on the container-level so it takes precedence. * Removing depencency on the order of returned IP addresses (#12812) * Removing depencency on the order of returned IP addresses Allows returned addresses by the default resolver to be in any order. The first IPv4 address returned by the resolver is used. If there are no IPv4 address is found, an IPv6 address is used. Added more unit tests. * Making logic for local IP the same as the rest * Disabling flaky parts of Galley integ test (#12837) This should deflake the test in #12820. Real fix is coming soon. * Set SAN as critical for workload certs. (#12838) * inject sds related param in pilot/mixer deployment (#12809) * inject sds related param in pilot/mixer deployment * remove args * Disabling Mixer tests using the new TF in K8s. (#12848) * Disabling Mixer tests using the new TF in K8s. * Make linter happy. * accommodate PR review comments. * galley: support optional crds (#12822) * optional galley crds Signed-off-by: Kuat Yessenov <kuat@google.com> * review Signed-off-by: Kuat Yessenov <kuat@google.com> * Removing a "TODO" that is not necessary any more (#12841) Cleaning up the comments. * mixer: add template CRD flag and set it to false (#12851) * template CRD flag Signed-off-by: Kuat Yessenov <kuat@google.com> * missed a flag Signed-off-by: Kuat Yessenov <kuat@google.com> * Zombie cleanup. (#12878) - Delete a bunch of dead code, dead variables, unused parameters, and superfluous type declarations. * Refactor Istio deployment code for clarity and add wait for webhook. (#12888) * Refactor Istio deployment code for clarity and add wait for webhook to come online. * Make linter happy. * Fix stupid bug. * Remove accidental file add (#12895) * Re-enable sidecar_api_test (#12887) * Re-enable sidecar_api_test * Remove kube setup * Fix race condition * Make Mixer readiness timeout configurable. (#12640) - Mixer waits for readiness of the config backend. It is currently hard-wired at 30 seconds. This change makes this configurable and sets the default as 2 minutes. - The pod was being killed because the liveness probe was not starting on time. It is blocked behind other readiness checks. This change enables readiness early on. * Minor improvements to the test framework. (#12858) * Add dump support to policy backend. * Add a suitecontext dir. * test: add dump pod events function (#12821) * Fix flush behavior in Stackdriver adapter. (#12853) * Fix prometheus and citadel connection tests (#12747) * Fix test-prometheus-connection.yaml: test never failed Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com> * Fix test-citadel-connection.yaml: test never failed Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com> * Fix a bunch more linter items. (#12897) * delete stale file (#12898) Signed-off-by: Kuat Yessenov <kuat@google.com> * Run dep ensure * Implement EnvoyXdsServer graceful shutdown (#12826) * update api sha (#12862) * update api sha * api files * Add two sample deployments for user guide of Istio Vault integration (#12917) * Rename types.go to types.gen.go. (#12921) * Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850) * Change Ip Address to readable format in accesslog from stdio adapter * Add a check to validate it's an IP Address before calling ip.string function * Fix formatting error * Fix test * Correct stringify function in instanceUtil.go too for IP address * Fix based on review * Fix based on review * Fix based on review * Update to latest doc gen tool. (#12932) * Fix the regular expression that splits the deployment scripts. (#12931) The script was fixed with a start-line anchor during the merge of 1.1. However the regular expressions in Go is not multi-line. * Add labels to the test framework. (#12819) * Add basic label support to the test framework. * Refactor test framework surface area to use fluent-style. * Apply labels to CircleCI tests & stable integration tests. * Add early exit support to avoid running setup functions when the label set can never match. * Add Citadel tests as presubmit tests. * Remove environments from label usage. * Fixup some of the label usages, and convert some of the test entry points. * Fixup label usage. * Redisable sidecar tests. * Accommodate PR feedback. * Accommodate CR feedback. * Add more CR fixup. * Introduce pkg/annotations (#12909) - pkg/annotations lets us track the annotations used by the calling process. - pkg/collateral now outputs annotations if there are any. This will make annotations show up on istio.io - Adjusted how pkg/collateral handles deprecated environment variabes to match how we handle deprecated fields in protos (by coloring them differently on istio.io) - Added another test to pkg/env to cover a case I missed originally. - Updated the sidecar injector and pilot to use pkg/annotations. - Fixed some invalid HTML generated by pkg/collateral. I'll file an issue to get descriptions added for the annotations. * remove unused pdb in remote values. (#12943) * prevent duplicate inbound listeners (#12937) * [Galley] Fix race in runtime strategy (#12927) This address a race condition that seems to only occur when using a very low timerFrequency (e.g. 1 microsecond) on a slow machine (e.g. prow). Under these conditions, the strategy can encounter a race condition when creating the timer. The code was setting the `timer` variable to the result of time.AfterFunc. However, due to the extremely low frequency used, the AfterFunc was invoking its handler, `onTimer` before returning. This led to accessing an uninitilized `timer` value. This PR swaps out AfterFunc for NewTimer. The use of time.Timer is now abstracted behind the `asyncTimer` object, which provides the semantics needed by the strategy. Now strategy.timer is set before it is started, avoiding the race. Fixes #12628 * Adding unit tests for sidecar scope (#12184) * Adding unit tests for sidecar scope * Removing unused variable * linters: enable errcheck (#12933) * enable errcheck Signed-off-by: Kuat Yessenov <kuat@google.com> * add maligned to exceptions Signed-off-by: Kuat Yessenov <kuat@google.com> * Istio does not use Cluster_LOGICAL_DNS, so remove it (#12905) * Istio does not use Cluster_LOGICAL_DNS, so remove it * clean up LOGICAL_DNS in comments * Clean up Helm README (#12914) The README has outdated information on the values, we should just defer to istio.io which is up to date. Additionally, we should point users to istio.io which has up to date install instructions. * 'istioctl experimental dashboard' command to show add-ons and sidecars (#12627) * 'istioctl experimental dashboard' command to show add-ons and sidecars * Test cases, output of URL, use of Cobra output stream * Refactor code into istioctl/pkg/kubernetes * Refactor to expose PortForward stop channel * Validate new mixer CRDs (#12918) * Validate new mixer CRDs * Add templates and adapters * Test cases for new mixer CRDs * Add environment variables to allow configuring bookinfo hostnames (#12646) * Allow bookinfo hostnames to be configurable - add DETAILS_HOSTNAME, RATINGS_HOSTNAME, REVIEWS_HOSTNAME environment variables to configure hostnames. Defaults to details, ratings, reviews respectively * Bump bookinfo sample to 1.11.0 * Update expected outputs for bookinfo tests - this is not related to our PR, but the tests were failing - the apps were changed, but images were not rebuilt * Add edsClusters should be atomic (#12942) * Add edsClusters should be atomic * fix lint * properly report errors on failure (#12945) The CI Infrastructure times out after 10 minutes of no activity. In one of the test case runners, 10 miniutes is specified causing the CI timeout to flush any debuggable output from the checks. This results in an in-exact error result to be returned. Instead a vague reponse about the test case timing out is reported, resulting in confusion for the PR authors. The typical max I was able to achieve was ~230 seconds, but I trimmed to 3 minutes so the test case fails in all conditions and properly reports the errors. * Hoist exemptLabels to top-level, so that they can apply to prs as well. (#12902) * [mixer-e2e-test] add retry to prometheus query in check cache test (#12680) * check cache test sleep longer * use retry instead of longer waiting * reword error message * Fixing typos in unit tests (#12661) Redoing PR #12035 * respect locality weight set from ServiceEntry (#12714) * respect the lb weight setting from users * add ut * fix golint * add locality lb setting test * fix lint * update test case * update test case * lint * sidecars with workload selector takes precedence over namespace wide one (#12831) * Auto bind to services for Sidecar listeners with specific ports (#12724) * auto bind to TCP services for egress ports in Sidecar Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com> * fix test Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com> * minor patch (#12963) Signed-off-by: Kuat Yessenov <kuat@google.com> * Cleanup gateway vhost config gen (#12847) * check match direction * Cleanup http route generation * undo pickMatching change * golangbot comments * address review comments * fix validation bug * gofmt * check for intersection duplicates * Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916) * Add wildcard route fallthrough Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port. Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there is already an http service. This is misleading, as it can be conflated with a 404 error returned from the actual service. When in REGISTRY_ONLY mode, we instead return a 502 error to indicate the request is blocked. * add unit tests * Remove node-level flag * Fix tests * Support PKCS#8 private keys. (#12972) * Support PKCS#8 private keys. * Small fix. * Fix LB weight setting for split horizon eds (#12560) (#12827) * lb weight for split-horizon-eds shoulb be set correctly * fix ut * rename * fix ut * fix lint * fix lint * Restore dump_kubernetes.sh function on OSX (#12159) * Fixes for Bash 3.x and detecting non-running pods * Address shellcheck warnings * Remove Robert Li from tests OWNERS file (#12946) Robert has had a change in employment and can no longer contribute to Istio. * remove unnecessary namespace for webhook configuration (#12981) * remove deprecated mcpServerAddrs flag (#12954) * remove deprecated mcpServerAddrs * fix ut * support ip:port format configSource * fix ut * fix ut * supprt proxy https app probe (#12872) * supprt proxy https app probe * add ut * fix ut * add webhook inject test * fix test * fix comments by incfly * Allow some time for the configuration propagation (#12865) * Allow some time for the listeners config propogation * change to use watchDiscovery * samples/bookinfo: easier access to logs (#12584) * Use shorter namespace prefixes. (#13001) * Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850) (#12936) * Change Ip Address to readable format in accesslog from stdio adapter * Add a check to validate it's an IP Address before calling ip.string function * Fix formatting error * Fix test * Correct stringify function in instanceUtil.go too for IP address * Fix based on review * Fix based on review * Fix based on review * Update integration test env flag (#12977) The flag should be "kube" not "kubernetes" but it was not updated in some places before. * Support inline role definition in AuthorizationPolicy (#12849) * Don't fill test logs with "no provious log" (#12857) This isn't a real error, but it is misleading in the test output. We have no reason to output all of these errors that there is no previous container to get logs from. * mixer: delete old style CRDs from installation (#12710) * delete old style CRD from installation Signed-off-by: Kuat Yessenov <kuat@google.com> * disable galley from listening to old style CRDs Signed-off-by: Kuat Yessenov <kuat@google.com> * more hardcoded yamls Signed-off-by: Kuat Yessenov <kuat@google.com> * debuggin default install Signed-off-by: Kuat Yessenov <kuat@google.com> * fix fmt Signed-off-by: Kuat Yessenov <kuat@google.com> * keep galley pipeline Signed-off-by: Kuat Yessenov <kuat@google.com> * disable resource ready Signed-off-by: Kuat Yessenov <kuat@google.com> * delete debugging line Signed-off-by: Kuat Yessenov <kuat@google.com> * fixing testdata Signed-off-by: Kuat Yessenov <kuat@google.com> * delete deprecated configs Signed-off-by: Kuat Yessenov <kuat@google.com> * remove declarations Signed-off-by: Kuat Yessenov <kuat@google.com> * delete more yaml Signed-off-by: Kuat Yessenov <kuat@google.com> * merge fix Signed-off-by: Kuat Yessenov <kuat@google.com> * Add tests for the effect of mTLS setting to reachability (#11624) * Reachability test in new ingegration test framework * Add test for port specific policy * Expose KubeApp interface and move EndpointForPort to that instead * Use the retry.UntilSuccess from framework * Change to UntilSuccessOrFail instead of UntilSucces * remove deprecated code (#13005) * remove deprecated code * remove dep * Add examples/documentation for the test framework. (#13000) * Add examples/documentation for the test framework. * Add more prose about test lifecycle. * Fix typo. * Fix typos. * fix retry loop in mixer crd watch (#13003) * first change to apps/v1 for Install (#13015) * first change for install * appsv1 * indention * use only ipv4 for pilot and zipkin (#12997) * do ipv4 lookups for pilot and zipkin Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com> * update goldens Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com> * small fix for imports (#13013) * remove old mcp stack (#12092) * remove old mcp stack * remove legacy mcp server from galley * fix server build * fix linter * remove unused code in journal.go * fix build * s/server/source * fix linter errors * Exclude Prometheus traffic in rule so that Kiali does not show it. (#12251) * [Galley] Fix race in strategy shutdown. (#13004) * [Galley] Fix race in strategy shutdown. The Close() logic was holding onto the state lock, which can race with worker thread. Specifically, the worker thread could be in a call to onTimer awaiting the lock, which would never be acquired since the Close() method is stuck waiting for the stopped channel to close. * cleaning up reset logic to avoid holding on the stateLock * Add instructions and scripts to facilitate running E2E tests locally using KinD (#12641) * Adding check/install go in both macOS and Linux. * Install go if not installed. * Adding support to run e2e test on KinD locally. * Adding the ability to run e2e tests locally on KinD. * Update install_prereqs_debian.sh * Update setup_test.sh * Adding the ability to run e2e test on KinD for presubmit test. * Presubmit e2e test on KinD. * Adding the ability to run e2e_simple presubmit on KinD * Adding README file for testing on KinD locally. * Revert the changes on adding install_go function. * Revert install_go in common_macos.sh * Revert the file changes of deleting newline. * Reverting the changes. * Addressing reviews. * Fixing shellcheck * respect locality weight set from ServiceEntry (#12714) (#13012) * respect the lb weight setting from users * add ut * fix golint * add locality lb setting test * fix lint * update test case * update test case * lint * Add documentation about -p 1 for integration test framework. (#13032) * Reduce logs in security/pkg/nodeagent/sds/ (#13035) * Reduce logs in security/pkg/nodeagent/sds/ https://github.com/istio/istio/issues/13033 * Count the log output times * Revise the PR based on review comments * move pkg/mcp/configz to pkg/mcp/configz/client (#12982) Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * Restore TestMtlsHealthCheck in postsubmit, prow. (#12969) * restore test to debug. * add presubmit label to the test for triggering. * change to only run in postsubmit. * remove postsubmit label just comment. * Enable more linters and fix warnings/errors (#12993) * Cherry pick cert file config from master to release-1.1 (#12707) * Cherry pick from master: Configuration: no longer hardcode mesh certs (#12189) * Configuration: Pilot-Agent: no longer hardcode certs to watch. Pilot-Discovery: no longer hardcode Envoy listener cert paths. * Address demands of golangcibot overlord * Change usages of github.com/stretchr/testify/require to github.com/stretchr/testify/assert * Address code style violation * Revert temporary api changes. Set cert paths in envoy node metadata and use them when setting up listeners * Use envoy node metadata cert paths (if available) when constructing clusters * Rename constants to make golint happy * Fix imports * Ignore ordering in test * Pass around proxy instead of proxy.Metadata (cherry picked from commit 7c342741df9bd4e313420b4d17e279089d8956da) * goimports file * Allow limiting Citadel to marked namespaces only (#12289) * Allow limiting Citadel to marked namespaces only - add command line flag to require explicit opt-in to secrets (defaults to false to retain current behavior of always create) - extend secret controller to consider namespace labels (reuses existing 'istio-injected=enabled') - modify unit tests to retain previous behavior (i.e., always create secrets, explicit opt-in not required) and account for additional namespace access * removed left-over debug print, check enable only when explicit opt-in is required * reverting k8s actions in tests: namespaces no longer checked when explicit opt-in is false * unit tests for checking labels and behavior * Namespace specified in command line is explicitly enabled - save namespace specified in the `--listened-namespace` option on the controller (allow multiple to prepare for r1.1) - check SA namespace against explicit namespaces * use dedicated label name to avoid overloading the injection label * use istio-managed label in tests * clarified explicit-opt-in is relevant for keys and certificates provided via a volume mount * refactor istio managed object test to a function so it can be called from secret deletion handler as well * fix left over istio-injection label in tests * manual merge fix * appsv1 galley (#13047) * Add support for datadog tracing (on release-1.1 branch) (#12687) * Add support for datadog tracing. Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com> * Use $(HOST_IP) instead of special-casing empty address value Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com> * add param to sidecar to ignore iptables changes (#12829) * add param to sidecar to ignore iptables changes * rephrase description * samples/bookinfo: migrate `apiVersion` of deployments to `apps/v1` (#13030) * fix validation logic so that port.name is no longer a valid PortSelector (#13054) * [Test Framework]: Galley support for deleting config (#13037) In order to properly support deleting resources, it was necessary to revisit how ApplyConfig is done as well. Previously, apply would just blindly copy the yaml to a new file in the configDir. The assumption was that the resource was always being "added" (rather than updated). I'm not certain what would happen if two resources appeared with the same name/namespace. This PR generalizes (and fixes) the way resources are handled so that it's not concerned with files, but rather the underlying resources. The code now parses the top-portion of the yaml to properly identify each resource. Once identified, the code now properly updates resources by writing back to the file where the resource was found. Deletes are similar, where the original resource in the file is replaced with "" (empty files are removed). * Support controlz for mcp server (#12980) * Support controlz for mcp server Signed-off-by: clyang82 <clyang@cn.ibm.com> * fix lint error * Address review comments Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * generalize artifact injection into Docker images (#12203) Instead of just adding LICENSES.txt only, also optionally add in the source code as well, gating on the new EXTRA_ARTIFACTS and EXTRA_ARTIFACTS_CNI environment variables. Change-Id: Iab8fadfbcbbaa8906491e12324fae20185d9f33e * Keep going when problem happens checking remote version (#13060) * remove deprecated show-all flag (#13053) * Add x alias to experimental istioctl command (#11801) * Add x alias to experimental istioctl command I'm super lazy and experimental is far too much effort to type Signed-off-by: Liam White <liam@tetrate.io> * Add exp as an additional alias Signed-off-by: Liam White <liam@tetrate.io> * Correct the app label for Gateway (#12693) * update selector for gateway Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * fix build fail Signed-off-by: clyang82 <clyang@cn.ibm.com> * Update tracing_datadog_golden.json (#13082) * Fix small typo (#13089) can useful -> can be useful * Add jitter in CSR request (#12805) * Add jitter in CSR request * Add log * Fix comments * Fix test * Fix test * Fix comment * Allows cleanup.sh to run non-interactively when in terminal (#12635) This change allows cleanup.sh to run non-interactively in standard terminals. For example: NAMESPACE="test123" ./cleanup.sh * 'istioctl proxy-config clusters' cluster type column rendering (#12458) (#12730) * update sds secret mount. (#12733) * Copy data from right place (#12762) * Fix updateClusterInc for overlapping ports (#12766) * Fix updateClusterInc for overlapping ports It is possible that a service will have multiple ports, with the same port number. The typical example here is kube-dns, which uses port 53 for UDP and TCP. When we do an incremental push, we would select the first port to match the port number, which would sometimes causes us to ignore the correct port. This fix searches through all matching ports. * Ensure port number matches as well * Add unit tests * remove dead code * enable default sidecarscope (#12832) * [Galley] Fix for ServiceEntry event ordering (#12890) The integration test was encountering this, exposing a real bug. If nodes/pod events occur after service/endpoints (which should generally be unusual) then it is possible to have a ServiceEntry missing pod/node information (e.g. locality). Fixes #12820 * Adding sha for istio/tools to manifest.txt for future automation of perf tests (#11706) * Copy helm data from the right place (#12808) * Refactor solution based on Costin's feedback (#13027) Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * Enable more linters and fix warnings/errors (#13061) * Making tags requirement same as those in Kubernetes (#12852) * Making tags requirement same as those in Kubernetes Changing validation check to make sure non-empty tags start with an alphanumeric character * Validating label keys are not empty strings Allow empty string for label values Do not allow empty string for label keys * Added certmanager flag into helm chart values.yaml (#12953) * Added certmanager flag into helm chart values.yaml * Moved certmanager configuration * Pilot [networking]: Add upstream idle_timeout to cluster definition (#13066) * adding upstream idle_timeout to cluster definition. * reverting vendor changes before running dep ensure again. * running dep ensure update on api from master. * controlPlaneMtls renamed to controlPlaneSecurityEnabled (#13141) * Patch #12805 to master (#13104) * Patch #12805 to master * Fix lint * Fix HelmDelete command (#12515) * Fix HelmDelete command HelmDelete was called with the namespace it needs to be called with a chartname. Also created a constant to make it more obvious when called by the other Helm related commands. * Fix typo * Goimports fix * ight modification path (#13148) * Allow overriding of registry locality (#13077) Also fixes bug where non-kube envs could override to something that parsed incorrectly Signed-off-by: Liam White <liam@tetrate.io> * mixer: add support for standard CRDs for compiled-in adapters (#12815) * cherry pick subset of https://github.com/istio/istio/pull/12689/ Signed-off-by: Kuat Yessenov <kuat@google.com> * add support for compiled in adapters Signed-off-by: Kuat Yessenov <kuat@google.com> * patch log line Signed-off-by: Kuat Yessenov <kuat@google.com> * parse cert to get expire time (#13145) * parse cert * cleanup * unit test coverage * missing file * address comments * rebase and address comment * Installing istio for perf testing (#13159) * Perf scripts * gsutil * WD * perf running and geting metrics * Perf * perf * perf * Perf * remove * qq * Appsv1 pilot (#13050) * appsv1 for Pilot * appsv1 for Pilot * appsv1 for Pilot * dep update * fix test * fix test * fix test * fix test * fix test * typo * typo * typo * typo * typo * update go-control-plane (#13154) Signed-off-by: Kuat Yessenov <kuat@google.com> * added sidecar.istio.io/rewriteAppProbers annotation (#13112) * pilot: registered sidecar.istio.io/rewriteAppProbers annotation * pilot: checked from sidecar.istio.io/rewriteAppProbers too * pilot: added webhook inject tests TestWebhookInject_http_probe_rewrite_enabled_via_annotation case is a modification of TestWebhookInject_http_probe_rewrite case. The difference is rewriteAppHTTPProbe is false in template, but set to true in annotation. TestWebhookInject_http_probe_rewrite_disabled_via_annotation case is a modification of TestWebhookInject case. The difference is rewriteAppHTTPProbe is true in template, but set to false in annotation. * fixed linter issue in test * added http probe test for kubeinject case * added tests and fixed login upon checking RewriteAppHTTPProbe setting * Add more tests in app_probe_test.go * renamed RewriteAppProbers to RewriteAppHTTPProbers * fixed test case for webhook injection * add description to rewriteAppHTTPProbers annotation * updated tests in app probe to sync with recent master change * change validateBool to alwaysValidFunc as per review * Export inject.injectionData() (#12426) * Registrator should use master version (#13083) * dependencies: update cel-go and remove protoc-gen-docs (#12711) * experiment with COMPAT Signed-off-by: Kuat Yessenov <kuat@google.com> * get errors Signed-off-by: Kuat Yessenov <kuat@google.com> * get errors Signed-off-by: Kuat Yessenov <kuat@google.com> * stop validation Signed-off-by: Kuat Yessenov <kuat@google.com> * remove hack Signed-off-by: Kuat Yessenov <kuat@google.com> * testing Signed-off-by: Kuat Yessenov <kuat@google.com> * only access log Signed-off-by: Kuat Yessenov <kuat@google.com> * debugging Signed-off-by: Kuat Yessenov <kuat@google.com> * debugging Signed-off-by: Kuat Yessenov <kuat@google.com> * debugging Signed-off-by: Kuat Yessenov <kuat@google.com> * debugging Signed-off-by: Kuat Yessenov <kuat@google.com> * debugging Signed-off-by: Kuat Yessenov <kuat@google.com> * add runtimeconfig Signed-off-by: Kuat Yessenov <kuat@google.com> * add a benchmark Signed-off-by: Kuat Yessenov <kuat@google.com> * cel_perf Signed-off-by: Kuat Yessenov <kuat@google.com> * update cel Signed-off-by: Kuat Yessenov <kuat@google.com> * update examples Signed-off-by: Kuat Yessenov <kuat@google.com> * remove unnecessary dependencies Signed-off-by: Kuat Yessenov <kuat@google.com> * Fixing copy for helm, one more time. (#13186) * Run goimports on generated file (#13195) * Enable disabled mixer tests in New Test Framework (#13151) * Enable disabled mixer tests in NF * Change tests config to new style * Change tests config to new style * Change tests config to new style * Fix config for native policybackend * Fix report test * Reduce Pilot resource requests for demo (#12477) * Reduce Pilot resource requests for demo * Add limits as well * Added data source for Galley dashboard (#13041) Fixes: #13040 * fix values for pod anti-affinity. (#12798) * Add sensible defaults to istio-gateways (#12315) * report succeed after validation (#13165) * report succeed after validation * review comments * Change exposed port of istio-pilot in consul (#13170) `15003` and `15005` are never used in pilot under consul env. It would be confusing to expose the two ports. Instead, ``` --grpcAddr string Discovery service grpc address (default ":15010") --secureGrpcAddr string Discovery service grpc address, with https (default ":15012") ``` we know `15010` and `15012` are still using. * Cherrypick: Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916) (#12973) * Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916) * Add wildcard route fallthrough Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port. Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there is already an http service. This is misleading, as it can be conflated with a 404 error returned from the actual service. When in REGISTRY_ONLY mode, we instead return a 502 error to indicate the request is blocked. * add unit tests * Remove node-level flag * Fix tests * Use new env var framework * Fix long line * Run format and linter * CEL checker mutex (#13192) * checker mutex Signed-off-by: Kuat Yessenov <kuat@google.com> * deadlock Signed-off-by: Kuat Yessenov <kuat@google.com> * Integration testing for Locality Load Balancing (#13084) * Initial testing functionality Signed-off-by: Liam White <liam@tetrate.io> * appease the linting gods Signed-off-by: Liam White <liam@tetrate.io> * Fall back to bootstrap locality as a last resort Signed-off-by: Liam White <liam@tetrate.io> * Move service instance check after we set them... Signed-off-by: Liam White <liam@tetr…
* add istio-init.yaml to .gitignore (#12542) * authz: add authorization policy CRD to helm-init (#12541) * Fix bug in locality LB normalization (#12532) (#12579) The priority needs to be normalized (so it is always has no gaps), so priorities [0,2] should be changed to [0,1]. However, we were changing the wrong endpoint's priorities. * Apply locality weighted lb config correctly (#12588) Previously, this value was not set if the load balancer config was nil. However, it should actually set anytime outlier detection is enabled, so that locality lb can behave correctly. * Fix bug causing empty endpoints per locality (#12615) * Fix bug causing empty endpoints per locality Before, we were allocating the array then appending to it, creating empty endpoints at the start of the array. * Predefine slice size * Fix the MCP Client ConfigZ page (#12626) * Fix the MCP Client ConfigZ page. * Fix the tests * Update test name to clear confusion. * Add threshold for rds.go codecov (#12499) Test is flakey, saying it has droppped coverage when it has not due to it being nondeterministic. * Drop log level for missing service account for spiffe uri (#12239) * Don't require service account for spiffe Some kubernetes pods don't have a service account. This causes a log flood that the spiffe url is invalid, but this doesn't actually have any negative impact. We can just make it not an error to have no service account. * Revert "Don't require service account for spiffe" This reverts commit e88ff187963e97949d3b81c3575b997ddd7e7a6f. * Just drop error -> warn * Fix tests * Drop log level * [Authz v2] Add additional fields for bindings and validation. (#11800) (#12460) * Adding additional fields for bindings and validation. (#11800) * Implement namespaces for ServiceRoleBindings * Implement not_namespaces and refactor * Implement not_ips * Implement ips (no unit tests) * Add a unit tests for ips for ServiceRoleBinding * Implement groups and not_groups for ServiceRoleBinding * Implement names and not_names * Check for duplicated definition in constraints/properties and first-class fields * Disallow using * in names or not_names to prevent ambiguity * Disallow using * in names or not_names to prevent ambiguity * Refactor additional fields for bindings * Update validation.go * Update validation.go * enhance verify install command (#12174) * enhance verify install command * fix lint * fix lint * configure prometheus to monitor citadel. (#12175) * Add namespace scoping to the Gateway 'port' names (#11509) (#12500) (#12556) * Add namespace scoping to the Gateway 'port' names (#12500) (#12500) Currently in order to configure ingressgateway to do TLS termination using multiple secure virtual hosts with different certificates Istio requires Gateway 'port' names to be globally unique (i.e. distinct). I.e. two gateways cannot have secure port named 'https' even if they reside in different namespaces. Behavior in such case is undefined. This breaks namespace isolation as a user creating a Gateway in one namespace might not have access to other namespaces hence can't if the port name is already 'taken'. Behavior in such case is undefined and likely to render other virtual hosts unavailable. This change adds namespace scoping to Gateway port names by appending namespace suffix to the HTTPS RDS routes. Port names still have to be unique within the namespace boundaries, but this change makes adding more specific scoping rather trivial. * Increase Gateway 'port' names scoping granularity * Minimal changes to make locality lb not sigsegv (#12649) * Locality label istio-locality in k8s should not contain `/`, use `.` (#12592) * Locality label istio-locality in k8s should not contain `/`, use `.` instead * fix comments * Only use gateways for servers being processed (#12663) Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com> * Propagate Envoy Metrics Service Config (#12569) The plumbing for propagating the envoy metrics service address config is missing a step to copy the given address to the config object that is passed on to the template renderer. * mixer: add directive demo adapter (#12505) * finish demo Signed-off-by: Kuat Yessenov <kuat@google.com> * printf Signed-off-by: Kuat Yessenov <kuat@google.com> * publish keyval Signed-off-by: Kuat Yessenov <kuat@google.com> * Adding sidecars to validating webhook configuration (#12233) (#12643) Addresses issue #12193 * Cleaning up Unit tests for RDS (#12581) Added a new case and cleaned up the existing test cases. * switching deployment to v1 api (#10578) Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * Cleanup Galley OWNERS file. (#12676) * fix uds socket (#12688) * uds fix * readonly * Add unit test to cover multiple different locality case (#12388) This PR only increases test coverage. Does not impact functionality. Signed-off-by: Liam White <liam@tetrate.io> * Build 1.1.1 (#12690) * Fix LB weight setting for split horizon eds (#12560) * lb weight for split-horizon-eds shoulb be set correctly * fix ut * rename * fix ut * fix lint * fix lint * fix typo in default envoy JSON log format (#12473) * Make release-1.1 changes compatible with master * Remove extra ingress template * cherry pick 10578 * reformat * Update rbac.go to use httpfilter when needed * Integration framework ensure apiVersion is top level * Update yaml make target * Disable setup on sidecar_api_test * clarified mesh connect timeout fields based on code impl (#12089) * Testing: configurable ports for Echo (#12681) The echo component currently assumes a hard-coded list of ports. We eventually want to replace the "apps" component with echo, but in order to do that we'll need to be able to tailor the port configuration for each instance. * add image pull secrets for zipkin. (#12327) * Refresh oop handler with connection config update (#12575) * refresh handler with connection update * sanitize test error message * Fixing coping of the data to the bucket during release (#12585) * Fixing coping of the data to the bucket. * Small fix * RM folder in any case * 'istioctl proxy-config clusters' cluster type column rendering (#12458) * Make error message explicit (#12675) * E2E test for health check under mtls using app prober rewrite. (#11531) * injector changes for health check, pilot agent take over app readiness check. (#9266) * WIP injector change to modify istio-proxy. * move out to app_probe.go * Iterating sidecartmpl to find the statusPort. * use the same name for ready path. * Get rewrite work, almost. * Some clean up on test and check one container criteria. * fix the injected test file. * Add inject test for readiness probe itself. * Add missing added test file. * fix helm test. * fix lint. * update header based finding the port. * return to previous injected file status. * fixing TestIntoResource test. * sed fixing all remaining injecting files. * handling named port. * fixing merginge failure. * remove the debug print. * lint fixing. * Apply the suggestions for finding statusPort arg. * Address comments, regex support more port value format. * add app_probe_test.go * add more test. * merge fix the test. * webhook autoinject is ready for review. * Squashed commit of the following: commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 18:13:30 2019 -0800 renaming env var. commit 1a82b2c0de292a34643f59ce802858c8d26a7a46 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 17:59:25 2019 -0800 finish migrating test to yaml file based. commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 13:55:00 2019 -0800 get test working. commit 28225cd409c7790636c11da74ad8f69d0e7cf89b Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 13:49:58 2019 -0800 WIP add some test files. commit 612b8aa3db468850d8e34f47d0dc05c536f57dde Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 13:13:06 2019 -0800 WIP changing to using the environment var. commit 7dabcb1695fa375de1b93add014528ae7509c94c Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 10:52:47 2019 -0800 add todo for the tests. commit 7af6ba524176616d67d35867665225e27f4a96ce Merge: ca22277d7 4b7b13aef Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 10:47:17 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip commit ca22277d76ed8d1c1b7c3b44cb05edfe52ccf861 Merge: 98fd48f59 744b07ad2 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 23:15:34 2019 -0800 Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip commit 98fd48f59f748bafe5e8518bff3d8cbfd64a2135 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 23:15:00 2019 -0800 findsidecar. commit 744b07ad2406d1eb94bcf5492125f91486ad6b10 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 22:29:28 2019 -0800 add FindSidecar. commit 40ed002ff6f5dd4afe22afa984384addc1be1104 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 21:55:51 2019 -0800 refactor some code. commit 0fdbb2e832b7ac01f3e4ed185763b3b20bfbd2ac Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 18:19:32 2019 -0800 Integration test works and fixing a bug. commit 5085dfd0e6cb4f0c9cb5c25e7f24b0b94dec176a Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 16:09:13 2019 -0800 all inject tests pass. commit fe3f156316c917854c2ef4c163e7e1fb070c4fa5 Merge: a2a774498 010d5c266 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 15:22:18 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip commit a2a774498e1021c1ca01c021c071e225fa330407 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 15:16:04 2019 -0800 update the TestWebhookInject. commit 36fd45c074bcc787702a5a9257d23103521f525c Author: Jianfei Hu <jianfeih@google.com> Date: Fri Jan 25 12:13:21 2019 -0800 some document commit 88dc922719e2c4723a334d1d8d959cac361b1ecb Author: Jianfei Hu <jianfeih@google.com> Date: Fri Jan 25 11:43:44 2019 -0800 new version works for kubeinject, webhook unit test. commit 6efa0d64eca835dd860cdfc37d09ebfe110e083a Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 18:17:38 2019 -0800 WIP working on modifying sidecar.Args first, then modify app container patch. commit 65a2194ae7a93581f60b56998aeb9480b4a4fde5 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 15:20:36 2019 -0800 WIP add what's missing to get e2e test working. commit 1595e871c640cdabead372eada2b17d717fa707f Merge: 256d9635f ac78a552a Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 13:26:05 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit 256d9635f4d590936c473bf3be0299064cb9c716 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 12:14:04 2019 -0800 add some debugging log. commit f70096334464fd1d59a0e81997e8f0fd6623a564 Merge: bdce72119 c7eb603ee Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 10:57:43 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit bdce72119ef78dab40b750861768c332811b9ee2 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 18:04:37 2019 -0800 refactor to host something up to caller. commit b51763c21000ba2b7fe9e2bc728783ce530cfe87 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 16:31:32 2019 -0800 get everything works. commit 0815695a2fea828f06a31f14ed7795a3b3716111 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 15:48:27 2019 -0800 kubeinject test is working. commit 14c99b58f0212972d42e298fa4185275642d672c Merge: d626bb85d 5ea79622c Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 15:38:30 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit d626bb85dee628771f8f41fc90335ac608dea923 Merge: 3561ae0a6 66153da4d Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 15:38:23 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit 3561ae0a69350730834e625c0710394968f9fcde Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 16:49:44 2019 -0800 WIP, policy is not taking effect, test passing without rewrite. commit a9bef0f01964a14f6ace0da6217d7a36f364b661 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 16:31:08 2019 -0800 fix the json path in the patch. commit f1aee91189e16beb0dadee6c612464b1aa9bad21 Merge: 3a7eb48e6 abc53e120 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 14:03:49 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit 3a7eb48e6b8e4687ffc38973bf18fca11b06c957 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 13:57:55 2019 -0800 fix it, removing namespace since metadata not matching will fail for kubeapply commit 2b120347ae887b8a4aa5f955a1a8cb0bdd46d3da Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 11:58:39 2019 -0800 WIP, debuggin why mtls policy is not showed up. commit 72e9c4e488f875ffea0c3a279403277010160ee1 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 15 17:24:16 2019 -0800 working on integration2 test framework. commit 90c1cce9ddc55ce339aa65eac06602591d3113c9 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 15 17:04:38 2019 -0800 add small comments. commit 92a0edaa11734d1c6fb1c367fae56dc104c6e676 Merge: 7f5c8cbd8 e45242c0d Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 15 16:43:47 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit 7f5c8cbd8d4aa57eaf8f8d739cae6dbfdab0445d Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 18 09:37:53 2018 -0800 check rewriteAppProbe separately. commit e2707c9b8f1b01bd4b03b2c6adb9fc79f0dcb479 Merge: 20f02c045 1ae6b4fde Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 18 09:01:37 2018 -0800 Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject commit 20f02c04563fab9b81b418c00a5455994fda5148 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 18 08:59:57 2018 -0800 duplicate the rewrite logic. commit 4894cb16804d9c5a0406c2dc1b02e3395be08e64 Merge: 3b3bcbff8 d8c4579fa Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 18 08:53:44 2018 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit 1ae6b4fde00ae641637d44c0f417f635b6d9a6b1 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Dec 17 21:56:51 2018 -0800 address comments. commit 3b3bcbff86f982c8abc705518a0fd4ec37bf4840 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 15:24:33 2018 -0800 massage comments. commit ccd670d31ef2c1817f87fe932d6f0d2ed4f609d7 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 15:15:50 2018 -0800 helm flag is off, so change the expected outoupt. commit 43522c15d06054e4bb173ab2c37333a4de647c2d Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 15:09:46 2018 -0800 make webhook support rewriteAppHTTPProbe flag. commit f60f18f4144482874c1219c7da90e97f19f1172f Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 12:03:04 2018 -0800 fixing the merge typo. commit 05bbadfd851b3a5ad013e733d6eb5eacf5491b15 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 11:56:38 2018 -0800 remove unnecessary changes in test for debugging. commit a81eacb6892509d8938be8d64f1435cf64e22317 Merge: af1a67989 f6b0ddc30 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 11:53:07 2018 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit af1a6798988f9fe70e40add2a6d4971efa9b50ed Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 18:07:19 2018 -0800 fixing all the test. commit 58d0bef3520037a81db8baa34d6e13849d20af10 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 17:51:34 2018 -0800 Get TestInject happy. commit fcd0ae2f7a6ba2f067f460f4baad2194e517b7f1 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 17:49:42 2018 -0800 make TestHelmInject happy. commit 7a3ffc8d8e4b5509e1bbed2facc6e4ba14d70fa0 Merge: fcca1f89a bd1631be3 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 16:53:01 2018 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit fcca1f89af2fddfc0edb3824982aa0b81390fa6d Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 16:18:20 2018 -0800 get webhook_test.TestInject working. commit 06f517cfc4214994be1be848d40b12f09ba8a4b8 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 16:10:55 2018 -0800 restructure app_probe_test working for both. commit 7142e96ed8a3200fc91bc73aee86d471117232fc Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 13:19:41 2018 -0800 starting to work on serious test commit a3dfb97b4ec4de375984c2a17eb4374bc1c5046a Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 11:50:19 2018 -0800 prototyping get familar with the test. commit 51659dacbc569f4532dc6a37b2091f39c7cf115b Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 11:05:51 2018 -0800 wip for adding test. * resolve appprobetest. * update the golden due to another injector change. * remove unnecessary files in this pr. * remove the test framework change. * remove unnecessary testdata file. * wip for adding health check test app. * wip very hack working solution app deployed * finally test starts working * make sure the test works if and only if the helm flag is turned on. * refactoring * small adjustment. * DeepCopy used. * working test only healthcheck test. * remove inline policy * change RegisterHelmValueOverrides. * unnecessary change. * Finish HelmValueMap refactor. * some cleanup. * clean up. * flags helm values takes higher priority. * fix the lint. * address comments. * revert chagnes on HelmValuesMap. * wip getting helm customizable with new configuration api. TODO: testing by rebuild image. * fix the helm value passing overrides. * wip the app is deployed but not ready and still finishes... * wip apps configuration not take effect. * working version of apps configuration. * clean up some debugging log. * test documentation. * WIP changing deploymentFactory to KubeApp. * verify test works. * clarify kubeappsconfig doc. * get the test pass, no apps configuration yet. * get test working. * clean up on apps/kube.go * few clean and update readme doc. * change the overrides by func callback. * fix the typo. * fix the comments. * Hide ServiceAccounts from PushContext log (#12702) * Configure localityLbSetting in values.yaml (#12683) * Configure localityLbSetting in values.yaml * Update docs * Fix concurrent map access (#12706) * Remove when: always from CircleCI configuration for integration tests. (#12679) This causes the integration tests to run, even if the previous steps fail. * Removed unused code from EDS (#12221) * Should not add a worker in GoroutinePool construction func (#12619) * GoroutinePool does not add a worker in construction func * fix ut * remove redundant code (#12656) * remove redundant k8s discovery code * remove redundant * Configure logging level in proxy and control plane (#12639) * configure proxy log level via helm values for sidecar and gateways * configure istio control plane log level via helm * Put back a couple settings for Kiali that were accidentally deleted. (#12472) Some Kiali settings were accidently deleted when the new installation options for release-1.1 was published. This is because these settings were commented out in the values.yaml file for kiali under istio/kubernetes/helm/istio/charts/kiali. Bug:#3660 * remove to be deprecated critical pod annotation. (#12657) * remove to be deprecated critical pod annotation. * fix ci. * Adding timeouts in Galley processor tests (#12701) * Adding timeouts in Galley processor tests This is to help in debugging #12628. * making await method private * add pod antiaffinity. (#12691) * add pod antiaffinity. * fix gateways issue. * add pod antiaffnity to helm test pod. * remove local test file. * apply comments. * Adding galley test for sidecar config validation (#12247) * Adding galley test for sidecar config validation Test cases related to PR #12233 * Using istio-system as namespace for resource * Collect details/artifacts for failed tests in Prow. (#12753) * Add infrastructure to document env var usage. (#12727) - Introduce the pkg/env package containing a few functions to query environment variable values. It keeps track of the variables requested so they can be documented. - Extend pkg/collateral to recognize and output the environment variables used in the process. This is what is needed to make this stuff show up on istio.io. - Update all relevant call sites to use the new infrsstructure. It's still missing descriptions for all the variables, that'll be up to component authors. I'll file issues to get that work done. - Fixed bugs in the node_agent_k8s code that was using env vars as the default for Cobra command-line arguments, resulting in potentially variable default values produced in the generated docs. Default values need to be static. * Enable more linters. (#12751) - Flip on a couple more linters - Fix a bazzilion warnings produced by these linters, along with many warnings produced by other not-yet-enabled linters. - Fix pkg/version so the tests compile on Mac. This broke a while back, preventing the linter from running to completion on the Mac. * Convert galley to reload files via SIGUSR1 or a ctrlz handler (#11617) * Convert galley to reload files via SIGUSR1 or a ctrlz handler * Fix ctrlz shutdown not to block * Disable the mtls_healthcheck test until it can be fixed. (#12775) * Change IP addresses to show up as strings in label maps in accesslog (#11740) (#12502) Change IP addresses to show up as strings in http req in accesslog Fix lint errors Fix lint errors Use stringify function Updated based on feedback * upgrade prometheus version. (#12781) * Wait for endpoints of policy backend, before trying to use it. (#12763) * Wait for endpoints of policy backend, before trying to use it. * Minor fix to the structure. * Add wait logic for waiting Galley to come online. * Fix minor bug. * Rename the method so that it is clear what it is doing. * Add additional constraint check. * Remove redundant write header (#12731) Write already writes 200 status code, so this wasn't needed. This caused unneeded logging every time it was called. * Tell Kubernetes that Istio validation has no side effects (#12670) * Tell Kubernetes that Istio validation has no side effects * Add integration tests for --server-dry-run * Report version of kubectl and server * Version check error * Undo --server-dry-run tests which require K8s 1.12 or higher * fix uds socket (#12688) (#12802) * uds fix * readonly * mixer: switch to simplified config model (#12689) * take 2 compiled instances Signed-off-by: Kuat Yessenov <kuat@google.com> * try with apa Signed-off-by: Kuat Yessenov <kuat@google.com> * quota failure Signed-off-by: Kuat Yessenov <kuat@google.com> * false signal? Signed-off-by: Kuat Yessenov <kuat@google.com> * more crds Signed-off-by: Kuat Yessenov <kuat@google.com> * nil params Signed-off-by: Kuat Yessenov <kuat@google.com> * patching config Signed-off-by: Kuat Yessenov <kuat@google.com> * remove stale command Signed-off-by: Kuat Yessenov <kuat@google.com> * Fix destination host validataion (#12804) * Implement AuthorizationPolicy with workload selector. (#12050) (#12667) * WIP AuthorizationPolicy with selector * WIP AuthorizationPolicy with selector * Check if need to use convertRbacRulesToFilterConfig and ignore permissive mode * Support TCP * Move new functions for RBAC v2 to rbac_v2.go * Change the structure and refactor tests * Put services field check back * Remove services field validation * Remove optimization * Add selector no match test * [Galley] Adding ServiceEntry synthesis (#12409) Added a new custom projection that is subscribed to events for k8s Pods, Nodes, Services and Endpoints. These events are absorbed and do not become part of the snapshot. Instead, synthetic ServiceEntry resources are generated and become part of the snapshot. Partially addresses #10497 and #10589 * Add a linter to prevent use of os.Getenv and os.LookupEnv (#12778) - Add more unit tests to pkg/env to bring coverage to 100% - Move existing linter sources from test/util/checker to tools/checker * Specify istio-init user explicitly (#5453) (#12708) Istio-init is supposed to be run as a superuser so it can configure iptables and this is the current default. However many popular Helm charts typically define a single container pod and specify `securityContext.runAsUser` on a pod level (rather than the container level) and that is what istio-init inherits. As the result many Helm charts aren't working with Istio auto-injection out of the box. A simple fix would be explicitly setting `securityContext.runAsUser` for istio-init on the container-level so it takes precedence. * Removing depencency on the order of returned IP addresses (#12812) * Removing depencency on the order of returned IP addresses Allows returned addresses by the default resolver to be in any order. The first IPv4 address returned by the resolver is used. If there are no IPv4 address is found, an IPv6 address is used. Added more unit tests. * Making logic for local IP the same as the rest * Disabling flaky parts of Galley integ test (#12837) This should deflake the test in #12820. Real fix is coming soon. * Set SAN as critical for workload certs. (#12838) * inject sds related param in pilot/mixer deployment (#12809) * inject sds related param in pilot/mixer deployment * remove args * Disabling Mixer tests using the new TF in K8s. (#12848) * Disabling Mixer tests using the new TF in K8s. * Make linter happy. * accommodate PR review comments. * galley: support optional crds (#12822) * optional galley crds Signed-off-by: Kuat Yessenov <kuat@google.com> * review Signed-off-by: Kuat Yessenov <kuat@google.com> * Removing a "TODO" that is not necessary any more (#12841) Cleaning up the comments. * mixer: add template CRD flag and set it to false (#12851) * template CRD flag Signed-off-by: Kuat Yessenov <kuat@google.com> * missed a flag Signed-off-by: Kuat Yessenov <kuat@google.com> * Zombie cleanup. (#12878) - Delete a bunch of dead code, dead variables, unused parameters, and superfluous type declarations. * Refactor Istio deployment code for clarity and add wait for webhook. (#12888) * Refactor Istio deployment code for clarity and add wait for webhook to come online. * Make linter happy. * Fix stupid bug. * Remove accidental file add (#12895) * Re-enable sidecar_api_test (#12887) * Re-enable sidecar_api_test * Remove kube setup * Fix race condition * Make Mixer readiness timeout configurable. (#12640) - Mixer waits for readiness of the config backend. It is currently hard-wired at 30 seconds. This change makes this configurable and sets the default as 2 minutes. - The pod was being killed because the liveness probe was not starting on time. It is blocked behind other readiness checks. This change enables readiness early on. * Minor improvements to the test framework. (#12858) * Add dump support to policy backend. * Add a suitecontext dir. * test: add dump pod events function (#12821) * Fix flush behavior in Stackdriver adapter. (#12853) * Fix prometheus and citadel connection tests (#12747) * Fix test-prometheus-connection.yaml: test never failed Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com> * Fix test-citadel-connection.yaml: test never failed Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com> * Fix a bunch more linter items. (#12897) * delete stale file (#12898) Signed-off-by: Kuat Yessenov <kuat@google.com> * Run dep ensure * Implement EnvoyXdsServer graceful shutdown (#12826) * update api sha (#12862) * update api sha * api files * Add two sample deployments for user guide of Istio Vault integration (#12917) * Rename types.go to types.gen.go. (#12921) * Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850) * Change Ip Address to readable format in accesslog from stdio adapter * Add a check to validate it's an IP Address before calling ip.string function * Fix formatting error * Fix test * Correct stringify function in instanceUtil.go too for IP address * Fix based on review * Fix based on review * Fix based on review * Update to latest doc gen tool. (#12932) * Fix the regular expression that splits the deployment scripts. (#12931) The script was fixed with a start-line anchor during the merge of 1.1. However the regular expressions in Go is not multi-line. * Add labels to the test framework. (#12819) * Add basic label support to the test framework. * Refactor test framework surface area to use fluent-style. * Apply labels to CircleCI tests & stable integration tests. * Add early exit support to avoid running setup functions when the label set can never match. * Add Citadel tests as presubmit tests. * Remove environments from label usage. * Fixup some of the label usages, and convert some of the test entry points. * Fixup label usage. * Redisable sidecar tests. * Accommodate PR feedback. * Accommodate CR feedback. * Add more CR fixup. * Introduce pkg/annotations (#12909) - pkg/annotations lets us track the annotations used by the calling process. - pkg/collateral now outputs annotations if there are any. This will make annotations show up on istio.io - Adjusted how pkg/collateral handles deprecated environment variabes to match how we handle deprecated fields in protos (by coloring them differently on istio.io) - Added another test to pkg/env to cover a case I missed originally. - Updated the sidecar injector and pilot to use pkg/annotations. - Fixed some invalid HTML generated by pkg/collateral. I'll file an issue to get descriptions added for the annotations. * remove unused pdb in remote values. (#12943) * prevent duplicate inbound listeners (#12937) * [Galley] Fix race in runtime strategy (#12927) This address a race condition that seems to only occur when using a very low timerFrequency (e.g. 1 microsecond) on a slow machine (e.g. prow). Under these conditions, the strategy can encounter a race condition when creating the timer. The code was setting the `timer` variable to the result of time.AfterFunc. However, due to the extremely low frequency used, the AfterFunc was invoking its handler, `onTimer` before returning. This led to accessing an uninitilized `timer` value. This PR swaps out AfterFunc for NewTimer. The use of time.Timer is now abstracted behind the `asyncTimer` object, which provides the semantics needed by the strategy. Now strategy.timer is set before it is started, avoiding the race. Fixes #12628 * Adding unit tests for sidecar scope (#12184) * Adding unit tests for sidecar scope * Removing unused variable * linters: enable errcheck (#12933) * enable errcheck Signed-off-by: Kuat Yessenov <kuat@google.com> * add maligned to exceptions Signed-off-by: Kuat Yessenov <kuat@google.com> * Istio does not use Cluster_LOGICAL_DNS, so remove it (#12905) * Istio does not use Cluster_LOGICAL_DNS, so remove it * clean up LOGICAL_DNS in comments * Clean up Helm README (#12914) The README has outdated information on the values, we should just defer to istio.io which is up to date. Additionally, we should point users to istio.io which has up to date install instructions. * 'istioctl experimental dashboard' command to show add-ons and sidecars (#12627) * 'istioctl experimental dashboard' command to show add-ons and sidecars * Test cases, output of URL, use of Cobra output stream * Refactor code into istioctl/pkg/kubernetes * Refactor to expose PortForward stop channel * Validate new mixer CRDs (#12918) * Validate new mixer CRDs * Add templates and adapters * Test cases for new mixer CRDs * Add environment variables to allow configuring bookinfo hostnames (#12646) * Allow bookinfo hostnames to be configurable - add DETAILS_HOSTNAME, RATINGS_HOSTNAME, REVIEWS_HOSTNAME environment variables to configure hostnames. Defaults to details, ratings, reviews respectively * Bump bookinfo sample to 1.11.0 * Update expected outputs for bookinfo tests - this is not related to our PR, but the tests were failing - the apps were changed, but images were not rebuilt * Add edsClusters should be atomic (#12942) * Add edsClusters should be atomic * fix lint * properly report errors on failure (#12945) The CI Infrastructure times out after 10 minutes of no activity. In one of the test case runners, 10 miniutes is specified causing the CI timeout to flush any debuggable output from the checks. This results in an in-exact error result to be returned. Instead a vague reponse about the test case timing out is reported, resulting in confusion for the PR authors. The typical max I was able to achieve was ~230 seconds, but I trimmed to 3 minutes so the test case fails in all conditions and properly reports the errors. * Hoist exemptLabels to top-level, so that they can apply to prs as well. (#12902) * [mixer-e2e-test] add retry to prometheus query in check cache test (#12680) * check cache test sleep longer * use retry instead of longer waiting * reword error message * Fixing typos in unit tests (#12661) Redoing PR #12035 * respect locality weight set from ServiceEntry (#12714) * respect the lb weight setting from users * add ut * fix golint * add locality lb setting test * fix lint * update test case * update test case * lint * sidecars with workload selector takes precedence over namespace wide one (#12831) * Auto bind to services for Sidecar listeners with specific ports (#12724) * auto bind to TCP services for egress ports in Sidecar Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com> * fix test Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com> * minor patch (#12963) Signed-off-by: Kuat Yessenov <kuat@google.com> * Cleanup gateway vhost config gen (#12847) * check match direction * Cleanup http route generation * undo pickMatching change * golangbot comments * address review comments * fix validation bug * gofmt * check for intersection duplicates * Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916) * Add wildcard route fallthrough Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port. Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there is already an http service. This is misleading, as it can be conflated with a 404 error returned from the actual service. When in REGISTRY_ONLY mode, we instead return a 502 error to indicate the request is blocked. * add unit tests * Remove node-level flag * Fix tests * Support PKCS#8 private keys. (#12972) * Support PKCS#8 private keys. * Small fix. * Fix LB weight setting for split horizon eds (#12560) (#12827) * lb weight for split-horizon-eds shoulb be set correctly * fix ut * rename * fix ut * fix lint * fix lint * Restore dump_kubernetes.sh function on OSX (#12159) * Fixes for Bash 3.x and detecting non-running pods * Address shellcheck warnings * Remove Robert Li from tests OWNERS file (#12946) Robert has had a change in employment and can no longer contribute to Istio. * remove unnecessary namespace for webhook configuration (#12981) * remove deprecated mcpServerAddrs flag (#12954) * remove deprecated mcpServerAddrs * fix ut * support ip:port format configSource * fix ut * fix ut * supprt proxy https app probe (#12872) * supprt proxy https app probe * add ut * fix ut * add webhook inject test * fix test * fix comments by incfly * Allow some time for the configuration propagation (#12865) * Allow some time for the listeners config propogation * change to use watchDiscovery * samples/bookinfo: easier access to logs (#12584) * Use shorter namespace prefixes. (#13001) * Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850) (#12936) * Change Ip Address to readable format in accesslog from stdio adapter * Add a check to validate it's an IP Address before calling ip.string function * Fix formatting error * Fix test * Correct stringify function in instanceUtil.go too for IP address * Fix based on review * Fix based on review * Fix based on review * Update integration test env flag (#12977) The flag should be "kube" not "kubernetes" but it was not updated in some places before. * Support inline role definition in AuthorizationPolicy (#12849) * Don't fill test logs with "no provious log" (#12857) This isn't a real error, but it is misleading in the test output. We have no reason to output all of these errors that there is no previous container to get logs from. * mixer: delete old style CRDs from installation (#12710) * delete old style CRD from installation Signed-off-by: Kuat Yessenov <kuat@google.com> * disable galley from listening to old style CRDs Signed-off-by: Kuat Yessenov <kuat@google.com> * more hardcoded yamls Signed-off-by: Kuat Yessenov <kuat@google.com> * debuggin default install Signed-off-by: Kuat Yessenov <kuat@google.com> * fix fmt Signed-off-by: Kuat Yessenov <kuat@google.com> * keep galley pipeline Signed-off-by: Kuat Yessenov <kuat@google.com> * disable resource ready Signed-off-by: Kuat Yessenov <kuat@google.com> * delete debugging line Signed-off-by: Kuat Yessenov <kuat@google.com> * fixing testdata Signed-off-by: Kuat Yessenov <kuat@google.com> * delete deprecated configs Signed-off-by: Kuat Yessenov <kuat@google.com> * remove declarations Signed-off-by: Kuat Yessenov <kuat@google.com> * delete more yaml Signed-off-by: Kuat Yessenov <kuat@google.com> * merge fix Signed-off-by: Kuat Yessenov <kuat@google.com> * Add tests for the effect of mTLS setting to reachability (#11624) * Reachability test in new ingegration test framework * Add test for port specific policy * Expose KubeApp interface and move EndpointForPort to that instead * Use the retry.UntilSuccess from framework * Change to UntilSuccessOrFail instead of UntilSucces * remove deprecated code (#13005) * remove deprecated code * remove dep * Add examples/documentation for the test framework. (#13000) * Add examples/documentation for the test framework. * Add more prose about test lifecycle. * Fix typo. * Fix typos. * fix retry loop in mixer crd watch (#13003) * first change to apps/v1 for Install (#13015) * first change for install * appsv1 * indention * use only ipv4 for pilot and zipkin (#12997) * do ipv4 lookups for pilot and zipkin Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com> * update goldens Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com> * small fix for imports (#13013) * remove old mcp stack (#12092) * remove old mcp stack * remove legacy mcp server from galley * fix server build * fix linter * remove unused code in journal.go * fix build * s/server/source * fix linter errors * Exclude Prometheus traffic in rule so that Kiali does not show it. (#12251) * [Galley] Fix race in strategy shutdown. (#13004) * [Galley] Fix race in strategy shutdown. The Close() logic was holding onto the state lock, which can race with worker thread. Specifically, the worker thread could be in a call to onTimer awaiting the lock, which would never be acquired since the Close() method is stuck waiting for the stopped channel to close. * cleaning up reset logic to avoid holding on the stateLock * Add instructions and scripts to facilitate running E2E tests locally using KinD (#12641) * Adding check/install go in both macOS and Linux. * Install go if not installed. * Adding support to run e2e test on KinD locally. * Adding the ability to run e2e tests locally on KinD. * Update install_prereqs_debian.sh * Update setup_test.sh * Adding the ability to run e2e test on KinD for presubmit test. * Presubmit e2e test on KinD. * Adding the ability to run e2e_simple presubmit on KinD * Adding README file for testing on KinD locally. * Revert the changes on adding install_go function. * Revert install_go in common_macos.sh * Revert the file changes of deleting newline. * Reverting the changes. * Addressing reviews. * Fixing shellcheck * respect locality weight set from ServiceEntry (#12714) (#13012) * respect the lb weight setting from users * add ut * fix golint * add locality lb setting test * fix lint * update test case * update test case * lint * Add documentation about -p 1 for integration test framework. (#13032) * Reduce logs in security/pkg/nodeagent/sds/ (#13035) * Reduce logs in security/pkg/nodeagent/sds/ https://github.com/istio/istio/issues/13033 * Count the log output times * Revise the PR based on review comments * move pkg/mcp/configz to pkg/mcp/configz/client (#12982) Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * Restore TestMtlsHealthCheck in postsubmit, prow. (#12969) * restore test to debug. * add presubmit label to the test for triggering. * change to only run in postsubmit. * remove postsubmit label just comment. * Enable more linters and fix warnings/errors (#12993) * Cherry pick cert file config from master to release-1.1 (#12707) * Cherry pick from master: Configuration: no longer hardcode mesh certs (#12189) * Configuration: Pilot-Agent: no longer hardcode certs to watch. Pilot-Discovery: no longer hardcode Envoy listener cert paths. * Address demands of golangcibot overlord * Change usages of github.com/stretchr/testify/require to github.com/stretchr/testify/assert * Address code style violation * Revert temporary api changes. Set cert paths in envoy node metadata and use them when setting up listeners * Use envoy node metadata cert paths (if available) when constructing clusters * Rename constants to make golint happy * Fix imports * Ignore ordering in test * Pass around proxy instead of proxy.Metadata (cherry picked from commit 7c342741df9bd4e313420b4d17e279089d8956da) * goimports file * Allow limiting Citadel to marked namespaces only (#12289) * Allow limiting Citadel to marked namespaces only - add command line flag to require explicit opt-in to secrets (defaults to false to retain current behavior of always create) - extend secret controller to consider namespace labels (reuses existing 'istio-injected=enabled') - modify unit tests to retain previous behavior (i.e., always create secrets, explicit opt-in not required) and account for additional namespace access * removed left-over debug print, check enable only when explicit opt-in is required * reverting k8s actions in tests: namespaces no longer checked when explicit opt-in is false * unit tests for checking labels and behavior * Namespace specified in command line is explicitly enabled - save namespace specified in the `--listened-namespace` option on the controller (allow multiple to prepare for r1.1) - check SA namespace against explicit namespaces * use dedicated label name to avoid overloading the injection label * use istio-managed label in tests * clarified explicit-opt-in is relevant for keys and certificates provided via a volume mount * refactor istio managed object test to a function so it can be called from secret deletion handler as well * fix left over istio-injection label in tests * manual merge fix * appsv1 galley (#13047) * Add support for datadog tracing (on release-1.1 branch) (#12687) * Add support for datadog tracing. Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com> * Use $(HOST_IP) instead of special-casing empty address value Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com> * add param to sidecar to ignore iptables changes (#12829) * add param to sidecar to ignore iptables changes * rephrase description * samples/bookinfo: migrate `apiVersion` of deployments to `apps/v1` (#13030) * fix validation logic so that port.name is no longer a valid PortSelector (#13054) * [Test Framework]: Galley support for deleting config (#13037) In order to properly support deleting resources, it was necessary to revisit how ApplyConfig is done as well. Previously, apply would just blindly copy the yaml to a new file in the configDir. The assumption was that the resource was always being "added" (rather than updated). I'm not certain what would happen if two resources appeared with the same name/namespace. This PR generalizes (and fixes) the way resources are handled so that it's not concerned with files, but rather the underlying resources. The code now parses the top-portion of the yaml to properly identify each resource. Once identified, the code now properly updates resources by writing back to the file where the resource was found. Deletes are similar, where the original resource in the file is replaced with "" (empty files are removed). * Support controlz for mcp server (#12980) * Support controlz for mcp server Signed-off-by: clyang82 <clyang@cn.ibm.com> * fix lint error * Address review comments Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * generalize artifact injection into Docker images (#12203) Instead of just adding LICENSES.txt only, also optionally add in the source code as well, gating on the new EXTRA_ARTIFACTS and EXTRA_ARTIFACTS_CNI environment variables. Change-Id: Iab8fadfbcbbaa8906491e12324fae20185d9f33e * Keep going when problem happens checking remote version (#13060) * remove deprecated show-all flag (#13053) * Add x alias to experimental istioctl command (#11801) * Add x alias to experimental istioctl command I'm super lazy and experimental is far too much effort to type Signed-off-by: Liam White <liam@tetrate.io> * Add exp as an additional alias Signed-off-by: Liam White <liam@tetrate.io> * Correct the app label for Gateway (#12693) * update selector for gateway Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * fix build fail Signed-off-by: clyang82 <clyang@cn.ibm.com> * Update tracing_datadog_golden.json (#13082) * Fix small typo (#13089) can useful -> can be useful * Add jitter in CSR request (#12805) * Add jitter in CSR request * Add log * Fix comments * Fix test * Fix test * Fix comment * Allows cleanup.sh to run non-interactively when in terminal (#12635) This change allows cleanup.sh to run non-interactively in standard terminals. For example: NAMESPACE="test123" ./cleanup.sh * 'istioctl proxy-config clusters' cluster type column rendering (#12458) (#12730) * update sds secret mount. (#12733) * Copy data from right place (#12762) * Fix updateClusterInc for overlapping ports (#12766) * Fix updateClusterInc for overlapping ports It is possible that a service will have multiple ports, with the same port number. The typical example here is kube-dns, which uses port 53 for UDP and TCP. When we do an incremental push, we would select the first port to match the port number, which would sometimes causes us to ignore the correct port. This fix searches through all matching ports. * Ensure port number matches as well * Add unit tests * remove dead code * enable default sidecarscope (#12832) * [Galley] Fix for ServiceEntry event ordering (#12890) The integration test was encountering this, exposing a real bug. If nodes/pod events occur after service/endpoints (which should generally be unusual) then it is possible to have a ServiceEntry missing pod/node information (e.g. locality). Fixes #12820 * Adding sha for istio/tools to manifest.txt for future automation of perf tests (#11706) * Copy helm data from the right place (#12808) * Refactor solution based on Costin's feedback (#13027) Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * Enable more linters and fix warnings/errors (#13061) * Making tags requirement same as those in Kubernetes (#12852) * Making tags requirement same as those in Kubernetes Changing validation check to make sure non-empty tags start with an alphanumeric character * Validating label keys are not empty strings Allow empty string for label values Do not allow empty string for label keys * Added certmanager flag into helm chart values.yaml (#12953) * Added certmanager flag into helm chart values.yaml * Moved certmanager configuration * Pilot [networking]: Add upstream idle_timeout to cluster definition (#13066) * adding upstream idle_timeout to cluster definition. * reverting vendor changes before running dep ensure again. * running dep ensure update on api from master. * controlPlaneMtls renamed to controlPlaneSecurityEnabled (#13141) * Patch #12805 to master (#13104) * Patch #12805 to master * Fix lint * Fix HelmDelete command (#12515) * Fix HelmDelete command HelmDelete was called with the namespace it needs to be called with a chartname. Also created a constant to make it more obvious when called by the other Helm related commands. * Fix typo * Goimports fix * ight modification path (#13148) * Allow overriding of registry locality (#13077) Also fixes bug where non-kube envs could override to something that parsed incorrectly Signed-off-by: Liam White <liam@tetrate.io> * mixer: add support for standard CRDs for compiled-in adapters (#12815) * cherry pick subset of https://github.com/istio/istio/pull/12689/ Signed-off-by: Kuat Yessenov <kuat@google.com> * add support for compiled in adapters Signed-off-by: Kuat Yessenov <kuat@google.com> * patch log line Signed-off-by: Kuat Yessenov <kuat@google.com> * parse cert to get expire time (#13145) * parse cert * cleanup * unit test coverage * missing file * address comments * rebase and address comment * Installing istio for perf testing (#13159) * Perf scripts * gsutil * WD * perf running and geting metrics * Perf * perf * perf * Perf * remove * qq * Appsv1 pilot (#13050) * appsv1 for Pilot * appsv1 for Pilot * appsv1 for Pilot * dep update * fix test * fix test * fix test * fix test * fix test * typo * typo * typo * typo * typo * update go-control-plane (#13154) Signed-off-by: Kuat Yessenov <kuat@google.com> * added sidecar.istio.io/rewriteAppProbers annotation (#13112) * pilot: registered sidecar.istio.io/rewriteAppProbers annotation * pilot: checked from sidecar.istio.io/rewriteAppProbers too * pilot: added webhook inject tests TestWebhookInject_http_probe_rewrite_enabled_via_annotation case is a modification of TestWebhookInject_http_probe_rewrite case. The difference is rewriteAppHTTPProbe is false in template, but set to true in annotation. TestWebhookInject_http_probe_rewrite_disabled_via_annotation case is a modification of TestWebhookInject case. The difference is rewriteAppHTTPProbe is true in template, but set to false in annotation. * fixed linter issue in test * added http probe test for kubeinject case * added tests and fixed login upon checking RewriteAppHTTPProbe setting * Add more tests in app_probe_test.go * renamed RewriteAppProbers to RewriteAppHTTPProbers * fixed test case for webhook injection * add description to rewriteAppHTTPProbers annotation * updated tests in app probe to sync with recent master change * change validateBool to alwaysValidFunc as per review * Export inject.injectionData() (#12426) * Registrator should use master version (#13083) * dependencies: update cel-go and remove protoc-gen-docs (#12711) * experiment with COMPAT Signed-off-by: Kuat Yessenov <kuat@google.com> * get errors Signed-off-by: Kuat Yessenov <kuat@google.com> * get errors Signed-off-by: Kuat Yessenov <kuat@google.com> * stop validation Signed-off-by: Kuat Yessenov <kuat@google.com> * remove hack Signed-off-by: Kuat Yessenov <kuat@google.com> * testing Signed-off-by: Kuat Yessenov <kuat@google.com> * only access log Signed-off-by: Kuat Yessenov <kuat@google.com> * debugging Signed-off-by: Kuat Yessenov <kuat@google.com> * debugging Signed-off-by: Kuat Yessenov <kuat@google.com> * debugging Signed-off-by: Kuat Yessenov <kuat@google.com> * debugging Signed-off-by: Kuat Yessenov <kuat@google.com> * debugging Signed-off-by: Kuat Yessenov <kuat@google.com> * add runtimeconfig Signed-off-by: Kuat Yessenov <kuat@google.com> * add a benchmark Signed-off-by: Kuat Yessenov <kuat@google.com> * cel_perf Signed-off-by: Kuat Yessenov <kuat@google.com> * update cel Signed-off-by: Kuat Yessenov <kuat@google.com> * update examples Signed-off-by: Kuat Yessenov <kuat@google.com> * remove unnecessary dependencies Signed-off-by: Kuat Yessenov <kuat@google.com> * Fixing copy for helm, one more time. (#13186) * Run goimports on generated file (#13195) * Enable disabled mixer tests in New Test Framework (#13151) * Enable disabled mixer tests in NF * Change tests config to new style * Change tests config to new style * Change tests config to new style * Fix config for native policybackend * Fix report test * Reduce Pilot resource requests for demo (#12477) * Reduce Pilot resource requests for demo * Add limits as well * Added data source for Galley dashboard (#13041) Fixes: #13040 * fix values for pod anti-affinity. (#12798) * Add sensible defaults to istio-gateways (#12315) * report succeed after validation (#13165) * report succeed after validation * review comments * Change exposed port of istio-pilot in consul (#13170) `15003` and `15005` are never used in pilot under consul env. It would be confusing to expose the two ports. Instead, ``` --grpcAddr string Discovery service grpc address (default ":15010") --secureGrpcAddr string Discovery service grpc address, with https (default ":15012") ``` we know `15010` and `15012` are still using. * Cherrypick: Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916) (#12973) * Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916) * Add wildcard route fallthrough Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port. Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there is already an http service. This is misleading, as it can be conflated with a 404 error returned from the actual service. When in REGISTRY_ONLY mode, we instead return a 502 error to indicate the request is blocked. * add unit tests * Remove node-level flag * Fix tests * Use new env var framework * Fix long line * Run format and linter * CEL checker mutex (#13192) * checker mutex Signed-off-by: Kuat Yessenov <kuat@google.com> * deadlock Signed-off-by: Kuat Yessenov <kuat@google.com> * Integration testing for Locality Load Balancing (#13084) * Initial testing functionality Signed-off-by: Liam White <liam@tetrate.io> * appease the linting gods Signed-off-by: Liam White <liam@tetrate.io> * Fall back to bootstrap locality as a last resort Signed-off-by: Liam White <liam@tetrate.io> * Move service instance check after we set them... Signed-off-by: Liam White <liam@tetrate.io> * Add EDS test Signed-off-by: Liam White <liam@tetrate.io> * Reorganise tests to run in parallel Signed-off-by: Liam White <liam@tetrate.io> * Move to pilot directory Signed-off-by: Liam White <liam@tetrate.io> * minor Infof fixes Signed-off-by: Liam White <liam@tetrate.io> * fix package name Signed-off-by: Liam White <liam@tetrate.io> * Increase propagation sleep and add warning Signed-off-by: Liam White <liam@tetrate.io> * [test-framework] Support helm values containing spaces (#13127) * Support helm values containing spaces in integration test framework For a helm template command, e.g., "helm template --set key1=value1 --set key2=value2", the existing integration test framework assumes the values do not contain spaces and splits the command argument using the space character before executing the helm command. Thus, the existing implementation does not support helm values (e.g., certificates) containing spaces. This PR adds the support of helm values that contain spaces. * Revised to use array based on review comments * Adding servicegraph testing to postsubmit (#13190) * Adding servicegraph testing to postsubmit * m * perf * change * pod * fix * Adding E2E Test for kiali (#11448) * Add Kiali E2E Test * Minor Fixings on Kiali E2E Test * Remove unused mixer.enabled value (#13214) This is not a functional change; this value is never used so it is misleading/confusing. mixer.policy.enabled and mixer.telemetry.enabled are used. * Adding aliases for OWNERS (#13194) * Fixing copy for helm, one more time. * Adding aliases for test group. Setting up labels and no parent_owners * prow * owners * Fixing helm order (#13224) * Fixing copy for helm, one more time. * Fix order of the helm command * fix lint (#12988) * update certificates with expiration time 100 years (#13233) * update certificates with expiration time 100 years * update testdata/local/etc/certs * fix original destination bug (#13011) * fix original destination bug * add ut * align init role label. (#13172) * Remove --platform option (#13187) * Fix #10380: Remove hardcoded sidecar template for istioctl kube-inject (#10830) * Remove the hardcoded sidecar template for * Remove deprecated flags in istioctl kube-inject * update testdata after rebase * add rule for kubeinject.go in codecov.threshold * push client the new root cert when it's changed (#13163) * refresh root * refresh root * unit test * add logs * address comment * more comment * address comment * Implement `role` field in AuthorizationPolicy (#13181) * Add check for role in ServiceRoleBinding * Implement global role * Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow (#13199) * Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow. The mutual TLS connection uses the certificates issued by SDS-Vault CA flow and SDS-Citadel CA flow. * Use the flag EnableCDSPrecomputation() * Address review comments * Ignore missing resources on kubectl delete (#13225) This makes it so tests won't fail on cleanup for resources that are already deleted. * [Testing] Cleanup PortForwarder (#13250) * Add generated LICENSES.txt to gitignore (#13209) * remove myself from owners (#13231) Signed-off-by: Kuat Yessenov <kuat@google.com> * add upstream_transport_failure_reason to access log (#12434) * add upstream_transport_failure_reason to access log Signed-off-by: Lizan Zhou <lizan@tetrate.io> * update proxy to latest Signed-off-by: Lizan Zhou <lizan@tetrate.io> * fix Signed-off-by: Lizan Zhou <lizan@tetrate.io> * fix format Signed-off-by: Lizan Zhou <lizan@tetrate.io> * Fix integration test errors and refactor security integration tests (#13253) * Fix integration test errors and refactor security integration tests - Fix the failure of integration tests when --istio.test.nocleanup=false, which is the default test setting. The failures of integration tests when --istio.test.nocleanup=false are caused by that the errors during cleaning up tests are treated as test failures while the actual tests have succeeded when --istio.test.nocleanup=true. - Organize security integration tests under testss/integration/security. - Refactor the code to share common utility functions and remove duplicate code. - Misc fixes. * Address review comments * Use a const to represent the test policy directory * Address review comments * Fixes the multicluster e2e test (#13246) The secret was being created after the apps where deployed on the remote. This was causes the test to never think the apps successfully deployed since the envoy sidecar was continually restarting. * pre-check: fix a logic error (#13278) `getNameSpace()` always returns an object, even if namespace does not exist. Checking the error status is safer. * Remove kubectl from dockerfile prereqs since it pulls it (#13256) * Fixing EDS unit tests (#12995) The current EDS test is incorrect and passes because the check calls time out rather than sucessfully completing. This PR fixes the problem and add one more test. fixes issue #12994 * rbac: fix a data race in listener generation (#13308) * Include js/css files into static folder (#12983) * Include js/css files Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * Append version to file Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * ignore assets.gen.go in code coverage Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * remove assets.gen.go from codecov test Signed-off-by: clyang82 <clyang@cn.ibm.com> * remove skipped test from .cov file Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * fix check chell issue Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * fix shell check issue Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * Fix galley integration test race (#13303) * [Test Framework] Integrate apps with Galley (#13115) The most recent refactoring broke the apps component when Pilot is being used with Galley. The apps register their services with the ServiceManager directly. When Pilot is configured with Galley, however, it doesn't use the ServiceManager, which means that the app services are never properly registered with Pilot. - Changed the Pilot and Apps component to require Galley to be configured, to avoid confusion. - Removed the ServiceManager altogether - Galley is used for service registration. Fixes #13090 * Fix again helm copy, was reverted during merge from release 1.1 (#13337) * Fixing copy for helm, one more time. * Fixing copy again for master * Update OpenShift dependencies; Drop [deprecated] legacy schema (#13160) * Extend istioctl mocking library to allow mocking of authn etc (#13118) * Fixing iptabes ranges (#13291) * Fixing iptabes ranges Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * fix shellcheck errors Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * fixing ci failures #1 Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * fixing ci failures #2 Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com…
* Drop log level for missing service account for spiffe uri (#12239) * Don't require service account for spiffe Some kubernetes pods don't have a service account. This causes a log flood that the spiffe url is invalid, but this doesn't actually have any negative impact. We can just make it not an error to have no service account. * Revert "Don't require service account for spiffe" This reverts commit e88ff187963e97949d3b81c3575b997ddd7e7a6f. * Just drop error -> warn * Fix tests * Drop log level * [Authz v2] Add additional fields for bindings and validation. (#11800) (#12460) * Adding additional fields for bindings and validation. (#11800) * Implement namespaces for ServiceRoleBindings * Implement not_namespaces and refactor * Implement not_ips * Implement ips (no unit tests) * Add a unit tests for ips for ServiceRoleBinding * Implement groups and not_groups for ServiceRoleBinding * Implement names and not_names * Check for duplicated definition in constraints/properties and first-class fields * Disallow using * in names or not_names to prevent ambiguity * Disallow using * in names or not_names to prevent ambiguity * Refactor additional fields for bindings * Update validation.go * Update validation.go * enhance verify install command (#12174) * enhance verify install command * fix lint * fix lint * configure prometheus to monitor citadel. (#12175) * Add namespace scoping to the Gateway 'port' names (#11509) (#12500) (#12556) * Add namespace scoping to the Gateway 'port' names (#12500) (#12500) Currently in order to configure ingressgateway to do TLS termination using multiple secure virtual hosts with different certificates Istio requires Gateway 'port' names to be globally unique (i.e. distinct). I.e. two gateways cannot have secure port named 'https' even if they reside in different namespaces. Behavior in such case is undefined. This breaks namespace isolation as a user creating a Gateway in one namespace might not have access to other namespaces hence can't if the port name is already 'taken'. Behavior in such case is undefined and likely to render other virtual hosts unavailable. This change adds namespace scoping to Gateway port names by appending namespace suffix to the HTTPS RDS routes. Port names still have to be unique within the namespace boundaries, but this change makes adding more specific scoping rather trivial. * Increase Gateway 'port' names scoping granularity * Minimal changes to make locality lb not sigsegv (#12649) * Locality label istio-locality in k8s should not contain `/`, use `.` (#12592) * Locality label istio-locality in k8s should not contain `/`, use `.` instead * fix comments * Only use gateways for servers being processed (#12663) Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com> * Propagate Envoy Metrics Service Config (#12569) The plumbing for propagating the envoy metrics service address config is missing a step to copy the given address to the config object that is passed on to the template renderer. * mixer: add directive demo adapter (#12505) * finish demo Signed-off-by: Kuat Yessenov <kuat@google.com> * printf Signed-off-by: Kuat Yessenov <kuat@google.com> * publish keyval Signed-off-by: Kuat Yessenov <kuat@google.com> * Adding sidecars to validating webhook configuration (#12233) (#12643) Addresses issue #12193 * Cleaning up Unit tests for RDS (#12581) Added a new case and cleaned up the existing test cases. * switching deployment to v1 api (#10578) Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * Cleanup Galley OWNERS file. (#12676) * fix uds socket (#12688) * uds fix * readonly * Add unit test to cover multiple different locality case (#12388) This PR only increases test coverage. Does not impact functionality. Signed-off-by: Liam White <liam@tetrate.io> * Build 1.1.1 (#12690) * Fix LB weight setting for split horizon eds (#12560) * lb weight for split-horizon-eds shoulb be set correctly * fix ut * rename * fix ut * fix lint * fix lint * fix typo in default envoy JSON log format (#12473) * Make release-1.1 changes compatible with master * Remove extra ingress template * cherry pick 10578 * reformat * Update rbac.go to use httpfilter when needed * Integration framework ensure apiVersion is top level * Update yaml make target * Disable setup on sidecar_api_test * clarified mesh connect timeout fields based on code impl (#12089) * Testing: configurable ports for Echo (#12681) The echo component currently assumes a hard-coded list of ports. We eventually want to replace the "apps" component with echo, but in order to do that we'll need to be able to tailor the port configuration for each instance. * add image pull secrets for zipkin. (#12327) * Refresh oop handler with connection config update (#12575) * refresh handler with connection update * sanitize test error message * Fixing coping of the data to the bucket during release (#12585) * Fixing coping of the data to the bucket. * Small fix * RM folder in any case * 'istioctl proxy-config clusters' cluster type column rendering (#12458) * Make error message explicit (#12675) * E2E test for health check under mtls using app prober rewrite. (#11531) * injector changes for health check, pilot agent take over app readiness check. (#9266) * WIP injector change to modify istio-proxy. * move out to app_probe.go * Iterating sidecartmpl to find the statusPort. * use the same name for ready path. * Get rewrite work, almost. * Some clean up on test and check one container criteria. * fix the injected test file. * Add inject test for readiness probe itself. * Add missing added test file. * fix helm test. * fix lint. * update header based finding the port. * return to previous injected file status. * fixing TestIntoResource test. * sed fixing all remaining injecting files. * handling named port. * fixing merginge failure. * remove the debug print. * lint fixing. * Apply the suggestions for finding statusPort arg. * Address comments, regex support more port value format. * add app_probe_test.go * add more test. * merge fix the test. * webhook autoinject is ready for review. * Squashed commit of the following: commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 18:13:30 2019 -0800 renaming env var. commit 1a82b2c0de292a34643f59ce802858c8d26a7a46 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 17:59:25 2019 -0800 finish migrating test to yaml file based. commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 13:55:00 2019 -0800 get test working. commit 28225cd409c7790636c11da74ad8f69d0e7cf89b Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 13:49:58 2019 -0800 WIP add some test files. commit 612b8aa3db468850d8e34f47d0dc05c536f57dde Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 13:13:06 2019 -0800 WIP changing to using the environment var. commit 7dabcb1695fa375de1b93add014528ae7509c94c Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 10:52:47 2019 -0800 add todo for the tests. commit 7af6ba524176616d67d35867665225e27f4a96ce Merge: ca22277d7 4b7b13aef Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 10:47:17 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip commit ca22277d76ed8d1c1b7c3b44cb05edfe52ccf861 Merge: 98fd48f59 744b07ad2 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 23:15:34 2019 -0800 Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip commit 98fd48f59f748bafe5e8518bff3d8cbfd64a2135 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 23:15:00 2019 -0800 findsidecar. commit 744b07ad2406d1eb94bcf5492125f91486ad6b10 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 22:29:28 2019 -0800 add FindSidecar. commit 40ed002ff6f5dd4afe22afa984384addc1be1104 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 21:55:51 2019 -0800 refactor some code. commit 0fdbb2e832b7ac01f3e4ed185763b3b20bfbd2ac Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 18:19:32 2019 -0800 Integration test works and fixing a bug. commit 5085dfd0e6cb4f0c9cb5c25e7f24b0b94dec176a Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 16:09:13 2019 -0800 all inject tests pass. commit fe3f156316c917854c2ef4c163e7e1fb070c4fa5 Merge: a2a774498 010d5c266 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 15:22:18 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip commit a2a774498e1021c1ca01c021c071e225fa330407 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 15:16:04 2019 -0800 update the TestWebhookInject. commit 36fd45c074bcc787702a5a9257d23103521f525c Author: Jianfei Hu <jianfeih@google.com> Date: Fri Jan 25 12:13:21 2019 -0800 some document commit 88dc922719e2c4723a334d1d8d959cac361b1ecb Author: Jianfei Hu <jianfeih@google.com> Date: Fri Jan 25 11:43:44 2019 -0800 new version works for kubeinject, webhook unit test. commit 6efa0d64eca835dd860cdfc37d09ebfe110e083a Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 18:17:38 2019 -0800 WIP working on modifying sidecar.Args first, then modify app container patch. commit 65a2194ae7a93581f60b56998aeb9480b4a4fde5 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 15:20:36 2019 -0800 WIP add what's missing to get e2e test working. commit 1595e871c640cdabead372eada2b17d717fa707f Merge: 256d9635f ac78a552a Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 13:26:05 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit 256d9635f4d590936c473bf3be0299064cb9c716 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 12:14:04 2019 -0800 add some debugging log. commit f70096334464fd1d59a0e81997e8f0fd6623a564 Merge: bdce72119 c7eb603ee Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 10:57:43 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit bdce72119ef78dab40b750861768c332811b9ee2 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 18:04:37 2019 -0800 refactor to host something up to caller. commit b51763c21000ba2b7fe9e2bc728783ce530cfe87 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 16:31:32 2019 -0800 get everything works. commit 0815695a2fea828f06a31f14ed7795a3b3716111 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 15:48:27 2019 -0800 kubeinject test is working. commit 14c99b58f0212972d42e298fa4185275642d672c Merge: d626bb85d 5ea79622c Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 15:38:30 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit d626bb85dee628771f8f41fc90335ac608dea923 Merge: 3561ae0a6 66153da4d Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 15:38:23 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit 3561ae0a69350730834e625c0710394968f9fcde Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 16:49:44 2019 -0800 WIP, policy is not taking effect, test passing without rewrite. commit a9bef0f01964a14f6ace0da6217d7a36f364b661 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 16:31:08 2019 -0800 fix the json path in the patch. commit f1aee91189e16beb0dadee6c612464b1aa9bad21 Merge: 3a7eb48e6 abc53e120 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 14:03:49 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit 3a7eb48e6b8e4687ffc38973bf18fca11b06c957 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 13:57:55 2019 -0800 fix it, removing namespace since metadata not matching will fail for kubeapply commit 2b120347ae887b8a4aa5f955a1a8cb0bdd46d3da Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 11:58:39 2019 -0800 WIP, debuggin why mtls policy is not showed up. commit 72e9c4e488f875ffea0c3a279403277010160ee1 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 15 17:24:16 2019 -0800 working on integration2 test framework. commit 90c1cce9ddc55ce339aa65eac06602591d3113c9 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 15 17:04:38 2019 -0800 add small comments. commit 92a0edaa11734d1c6fb1c367fae56dc104c6e676 Merge: 7f5c8cbd8 e45242c0d Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 15 16:43:47 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit 7f5c8cbd8d4aa57eaf8f8d739cae6dbfdab0445d Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 18 09:37:53 2018 -0800 check rewriteAppProbe separately. commit e2707c9b8f1b01bd4b03b2c6adb9fc79f0dcb479 Merge: 20f02c045 1ae6b4fde Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 18 09:01:37 2018 -0800 Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject commit 20f02c04563fab9b81b418c00a5455994fda5148 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 18 08:59:57 2018 -0800 duplicate the rewrite logic. commit 4894cb16804d9c5a0406c2dc1b02e3395be08e64 Merge: 3b3bcbff8 d8c4579fa Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 18 08:53:44 2018 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit 1ae6b4fde00ae641637d44c0f417f635b6d9a6b1 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Dec 17 21:56:51 2018 -0800 address comments. commit 3b3bcbff86f982c8abc705518a0fd4ec37bf4840 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 15:24:33 2018 -0800 massage comments. commit ccd670d31ef2c1817f87fe932d6f0d2ed4f609d7 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 15:15:50 2018 -0800 helm flag is off, so change the expected outoupt. commit 43522c15d06054e4bb173ab2c37333a4de647c2d Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 15:09:46 2018 -0800 make webhook support rewriteAppHTTPProbe flag. commit f60f18f4144482874c1219c7da90e97f19f1172f Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 12:03:04 2018 -0800 fixing the merge typo. commit 05bbadfd851b3a5ad013e733d6eb5eacf5491b15 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 11:56:38 2018 -0800 remove unnecessary changes in test for debugging. commit a81eacb6892509d8938be8d64f1435cf64e22317 Merge: af1a67989 f6b0ddc30 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 11:53:07 2018 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit af1a6798988f9fe70e40add2a6d4971efa9b50ed Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 18:07:19 2018 -0800 fixing all the test. commit 58d0bef3520037a81db8baa34d6e13849d20af10 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 17:51:34 2018 -0800 Get TestInject happy. commit fcd0ae2f7a6ba2f067f460f4baad2194e517b7f1 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 17:49:42 2018 -0800 make TestHelmInject happy. commit 7a3ffc8d8e4b5509e1bbed2facc6e4ba14d70fa0 Merge: fcca1f89a bd1631be3 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 16:53:01 2018 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit fcca1f89af2fddfc0edb3824982aa0b81390fa6d Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 16:18:20 2018 -0800 get webhook_test.TestInject working. commit 06f517cfc4214994be1be848d40b12f09ba8a4b8 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 16:10:55 2018 -0800 restructure app_probe_test working for both. commit 7142e96ed8a3200fc91bc73aee86d471117232fc Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 13:19:41 2018 -0800 starting to work on serious test commit a3dfb97b4ec4de375984c2a17eb4374bc1c5046a Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 11:50:19 2018 -0800 prototyping get familar with the test. commit 51659dacbc569f4532dc6a37b2091f39c7cf115b Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 11:05:51 2018 -0800 wip for adding test. * resolve appprobetest. * update the golden due to another injector change. * remove unnecessary files in this pr. * remove the test framework change. * remove unnecessary testdata file. * wip for adding health check test app. * wip very hack working solution app deployed * finally test starts working * make sure the test works if and only if the helm flag is turned on. * refactoring * small adjustment. * DeepCopy used. * working test only healthcheck test. * remove inline policy * change RegisterHelmValueOverrides. * unnecessary change. * Finish HelmValueMap refactor. * some cleanup. * clean up. * flags helm values takes higher priority. * fix the lint. * address comments. * revert chagnes on HelmValuesMap. * wip getting helm customizable with new configuration api. TODO: testing by rebuild image. * fix the helm value passing overrides. * wip the app is deployed but not ready and still finishes... * wip apps configuration not take effect. * working version of apps configuration. * clean up some debugging log. * test documentation. * WIP changing deploymentFactory to KubeApp. * verify test works. * clarify kubeappsconfig doc. * get the test pass, no apps configuration yet. * get test working. * clean up on apps/kube.go * few clean and update readme doc. * change the overrides by func callback. * fix the typo. * fix the comments. * Hide ServiceAccounts from PushContext log (#12702) * Configure localityLbSetting in values.yaml (#12683) * Configure localityLbSetting in values.yaml * Update docs * Fix concurrent map access (#12706) * Remove when: always from CircleCI configuration for integration tests. (#12679) This causes the integration tests to run, even if the previous steps fail. * Removed unused code from EDS (#12221) * Should not add a worker in GoroutinePool construction func (#12619) * GoroutinePool does not add a worker in construction func * fix ut * remove redundant code (#12656) * remove redundant k8s discovery code * remove redundant * Configure logging level in proxy and control plane (#12639) * configure proxy log level via helm values for sidecar and gateways * configure istio control plane log level via helm * Put back a couple settings for Kiali that were accidentally deleted. (#12472) Some Kiali settings were accidently deleted when the new installation options for release-1.1 was published. This is because these settings were commented out in the values.yaml file for kiali under istio/kubernetes/helm/istio/charts/kiali. Bug:#3660 * remove to be deprecated critical pod annotation. (#12657) * remove to be deprecated critical pod annotation. * fix ci. * Adding timeouts in Galley processor tests (#12701) * Adding timeouts in Galley processor tests This is to help in debugging #12628. * making await method private * add pod antiaffinity. (#12691) * add pod antiaffinity. * fix gateways issue. * add pod antiaffnity to helm test pod. * remove local test file. * apply comments. * Adding galley test for sidecar config validation (#12247) * Adding galley test for sidecar config validation Test cases related to PR #12233 * Using istio-system as namespace for resource * Collect details/artifacts for failed tests in Prow. (#12753) * Add infrastructure to document env var usage. (#12727) - Introduce the pkg/env package containing a few functions to query environment variable values. It keeps track of the variables requested so they can be documented. - Extend pkg/collateral to recognize and output the environment variables used in the process. This is what is needed to make this stuff show up on istio.io. - Update all relevant call sites to use the new infrsstructure. It's still missing descriptions for all the variables, that'll be up to component authors. I'll file issues to get that work done. - Fixed bugs in the node_agent_k8s code that was using env vars as the default for Cobra command-line arguments, resulting in potentially variable default values produced in the generated docs. Default values need to be static. * Enable more linters. (#12751) - Flip on a couple more linters - Fix a bazzilion warnings produced by these linters, along with many warnings produced by other not-yet-enabled linters. - Fix pkg/version so the tests compile on Mac. This broke a while back, preventing the linter from running to completion on the Mac. * Convert galley to reload files via SIGUSR1 or a ctrlz handler (#11617) * Convert galley to reload files via SIGUSR1 or a ctrlz handler * Fix ctrlz shutdown not to block * Disable the mtls_healthcheck test until it can be fixed. (#12775) * Change IP addresses to show up as strings in label maps in accesslog (#11740) (#12502) Change IP addresses to show up as strings in http req in accesslog Fix lint errors Fix lint errors Use stringify function Updated based on feedback * upgrade prometheus version. (#12781) * Wait for endpoints of policy backend, before trying to use it. (#12763) * Wait for endpoints of policy backend, before trying to use it. * Minor fix to the structure. * Add wait logic for waiting Galley to come online. * Fix minor bug. * Rename the method so that it is clear what it is doing. * Add additional constraint check. * Remove redundant write header (#12731) Write already writes 200 status code, so this wasn't needed. This caused unneeded logging every time it was called. * Tell Kubernetes that Istio validation has no side effects (#12670) * Tell Kubernetes that Istio validation has no side effects * Add integration tests for --server-dry-run * Report version of kubectl and server * Version check error * Undo --server-dry-run tests which require K8s 1.12 or higher * fix uds socket (#12688) (#12802) * uds fix * readonly * mixer: switch to simplified config model (#12689) * take 2 compiled instances Signed-off-by: Kuat Yessenov <kuat@google.com> * try with apa Signed-off-by: Kuat Yessenov <kuat@google.com> * quota failure Signed-off-by: Kuat Yessenov <kuat@google.com> * false signal? Signed-off-by: Kuat Yessenov <kuat@google.com> * more crds Signed-off-by: Kuat Yessenov <kuat@google.com> * nil params Signed-off-by: Kuat Yessenov <kuat@google.com> * patching config Signed-off-by: Kuat Yessenov <kuat@google.com> * remove stale command Signed-off-by: Kuat Yessenov <kuat@google.com> * Fix destination host validataion (#12804) * Implement AuthorizationPolicy with workload selector. (#12050) (#12667) * WIP AuthorizationPolicy with selector * WIP AuthorizationPolicy with selector * Check if need to use convertRbacRulesToFilterConfig and ignore permissive mode * Support TCP * Move new functions for RBAC v2 to rbac_v2.go * Change the structure and refactor tests * Put services field check back * Remove services field validation * Remove optimization * Add selector no match test * [Galley] Adding ServiceEntry synthesis (#12409) Added a new custom projection that is subscribed to events for k8s Pods, Nodes, Services and Endpoints. These events are absorbed and do not become part of the snapshot. Instead, synthetic ServiceEntry resources are generated and become part of the snapshot. Partially addresses #10497 and #10589 * Add a linter to prevent use of os.Getenv and os.LookupEnv (#12778) - Add more unit tests to pkg/env to bring coverage to 100% - Move existing linter sources from test/util/checker to tools/checker * Specify istio-init user explicitly (#5453) (#12708) Istio-init is supposed to be run as a superuser so it can configure iptables and this is the current default. However many popular Helm charts typically define a single container pod and specify `securityContext.runAsUser` on a pod level (rather than the container level) and that is what istio-init inherits. As the result many Helm charts aren't working with Istio auto-injection out of the box. A simple fix would be explicitly setting `securityContext.runAsUser` for istio-init on the container-level so it takes precedence. * Removing depencency on the order of returned IP addresses (#12812) * Removing depencency on the order of returned IP addresses Allows returned addresses by the default resolver to be in any order. The first IPv4 address returned by the resolver is used. If there are no IPv4 address is found, an IPv6 address is used. Added more unit tests. * Making logic for local IP the same as the rest * Disabling flaky parts of Galley integ test (#12837) This should deflake the test in #12820. Real fix is coming soon. * Set SAN as critical for workload certs. (#12838) * inject sds related param in pilot/mixer deployment (#12809) * inject sds related param in pilot/mixer deployment * remove args * Disabling Mixer tests using the new TF in K8s. (#12848) * Disabling Mixer tests using the new TF in K8s. * Make linter happy. * accommodate PR review comments. * galley: support optional crds (#12822) * optional galley crds Signed-off-by: Kuat Yessenov <kuat@google.com> * review Signed-off-by: Kuat Yessenov <kuat@google.com> * Removing a "TODO" that is not necessary any more (#12841) Cleaning up the comments. * mixer: add template CRD flag and set it to false (#12851) * template CRD flag Signed-off-by: Kuat Yessenov <kuat@google.com> * missed a flag Signed-off-by: Kuat Yessenov <kuat@google.com> * Zombie cleanup. (#12878) - Delete a bunch of dead code, dead variables, unused parameters, and superfluous type declarations. * Refactor Istio deployment code for clarity and add wait for webhook. (#12888) * Refactor Istio deployment code for clarity and add wait for webhook to come online. * Make linter happy. * Fix stupid bug. * Remove accidental file add (#12895) * Re-enable sidecar_api_test (#12887) * Re-enable sidecar_api_test * Remove kube setup * Fix race condition * Make Mixer readiness timeout configurable. (#12640) - Mixer waits for readiness of the config backend. It is currently hard-wired at 30 seconds. This change makes this configurable and sets the default as 2 minutes. - The pod was being killed because the liveness probe was not starting on time. It is blocked behind other readiness checks. This change enables readiness early on. * Minor improvements to the test framework. (#12858) * Add dump support to policy backend. * Add a suitecontext dir. * test: add dump pod events function (#12821) * Fix flush behavior in Stackdriver adapter. (#12853) * Fix prometheus and citadel connection tests (#12747) * Fix test-prometheus-connection.yaml: test never failed Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com> * Fix test-citadel-connection.yaml: test never failed Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com> * Fix a bunch more linter items. (#12897) * delete stale file (#12898) Signed-off-by: Kuat Yessenov <kuat@google.com> * Run dep ensure * Implement EnvoyXdsServer graceful shutdown (#12826) * update api sha (#12862) * update api sha * api files * Add two sample deployments for user guide of Istio Vault integration (#12917) * Rename types.go to types.gen.go. (#12921) * Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850) * Change Ip Address to readable format in accesslog from stdio adapter * Add a check to validate it's an IP Address before calling ip.string function * Fix formatting error * Fix test * Correct stringify function in instanceUtil.go too for IP address * Fix based on review * Fix based on review * Fix based on review * Update to latest doc gen tool. (#12932) * Fix the regular expression that splits the deployment scripts. (#12931) The script was fixed with a start-line anchor during the merge of 1.1. However the regular expressions in Go is not multi-line. * Add labels to the test framework. (#12819) * Add basic label support to the test framework. * Refactor test framework surface area to use fluent-style. * Apply labels to CircleCI tests & stable integration tests. * Add early exit support to avoid running setup functions when the label set can never match. * Add Citadel tests as presubmit tests. * Remove environments from label usage. * Fixup some of the label usages, and convert some of the test entry points. * Fixup label usage. * Redisable sidecar tests. * Accommodate PR feedback. * Accommodate CR feedback. * Add more CR fixup. * Introduce pkg/annotations (#12909) - pkg/annotations lets us track the annotations used by the calling process. - pkg/collateral now outputs annotations if there are any. This will make annotations show up on istio.io - Adjusted how pkg/collateral handles deprecated environment variabes to match how we handle deprecated fields in protos (by coloring them differently on istio.io) - Added another test to pkg/env to cover a case I missed originally. - Updated the sidecar injector and pilot to use pkg/annotations. - Fixed some invalid HTML generated by pkg/collateral. I'll file an issue to get descriptions added for the annotations. * remove unused pdb in remote values. (#12943) * prevent duplicate inbound listeners (#12937) * [Galley] Fix race in runtime strategy (#12927) This address a race condition that seems to only occur when using a very low timerFrequency (e.g. 1 microsecond) on a slow machine (e.g. prow). Under these conditions, the strategy can encounter a race condition when creating the timer. The code was setting the `timer` variable to the result of time.AfterFunc. However, due to the extremely low frequency used, the AfterFunc was invoking its handler, `onTimer` before returning. This led to accessing an uninitilized `timer` value. This PR swaps out AfterFunc for NewTimer. The use of time.Timer is now abstracted behind the `asyncTimer` object, which provides the semantics needed by the strategy. Now strategy.timer is set before it is started, avoiding the race. Fixes #12628 * Adding unit tests for sidecar scope (#12184) * Adding unit tests for sidecar scope * Removing unused variable * linters: enable errcheck (#12933) * enable errcheck Signed-off-by: Kuat Yessenov <kuat@google.com> * add maligned to exceptions Signed-off-by: Kuat Yessenov <kuat@google.com> * Istio does not use Cluster_LOGICAL_DNS, so remove it (#12905) * Istio does not use Cluster_LOGICAL_DNS, so remove it * clean up LOGICAL_DNS in comments * Clean up Helm README (#12914) The README has outdated information on the values, we should just defer to istio.io which is up to date. Additionally, we should point users to istio.io which has up to date install instructions. * 'istioctl experimental dashboard' command to show add-ons and sidecars (#12627) * 'istioctl experimental dashboard' command to show add-ons and sidecars * Test cases, output of URL, use of Cobra output stream * Refactor code into istioctl/pkg/kubernetes * Refactor to expose PortForward stop channel * Validate new mixer CRDs (#12918) * Validate new mixer CRDs * Add templates and adapters * Test cases for new mixer CRDs * Add environment variables to allow configuring bookinfo hostnames (#12646) * Allow bookinfo hostnames to be configurable - add DETAILS_HOSTNAME, RATINGS_HOSTNAME, REVIEWS_HOSTNAME environment variables to configure hostnames. Defaults to details, ratings, reviews respectively * Bump bookinfo sample to 1.11.0 * Update expected outputs for bookinfo tests - this is not related to our PR, but the tests were failing - the apps were changed, but images were not rebuilt * Add edsClusters should be atomic (#12942) * Add edsClusters should be atomic * fix lint * properly report errors on failure (#12945) The CI Infrastructure times out after 10 minutes of no activity. In one of the test case runners, 10 miniutes is specified causing the CI timeout to flush any debuggable output from the checks. This results in an in-exact error result to be returned. Instead a vague reponse about the test case timing out is reported, resulting in confusion for the PR authors. The typical max I was able to achieve was ~230 seconds, but I trimmed to 3 minutes so the test case fails in all conditions and properly reports the errors. * Hoist exemptLabels to top-level, so that they can apply to prs as well. (#12902) * [mixer-e2e-test] add retry to prometheus query in check cache test (#12680) * check cache test sleep longer * use retry instead of longer waiting * reword error message * Fixing typos in unit tests (#12661) Redoing PR #12035 * respect locality weight set from ServiceEntry (#12714) * respect the lb weight setting from users * add ut * fix golint * add locality lb setting test * fix lint * update test case * update test case * lint * sidecars with workload selector takes precedence over namespace wide one (#12831) * Auto bind to services for Sidecar listeners with specific ports (#12724) * auto bind to TCP services for egress ports in Sidecar Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com> * fix test Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com> * minor patch (#12963) Signed-off-by: Kuat Yessenov <kuat@google.com> * Cleanup gateway vhost config gen (#12847) * check match direction * Cleanup http route generation * undo pickMatching change * golangbot comments * address review comments * fix validation bug * gofmt * check for intersection duplicates * Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916) * Add wildcard route fallthrough Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port. Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there is already an http service. This is misleading, as it can be conflated with a 404 error returned from the actual service. When in REGISTRY_ONLY mode, we instead return a 502 error to indicate the request is blocked. * add unit tests * Remove node-level flag * Fix tests * Support PKCS#8 private keys. (#12972) * Support PKCS#8 private keys. * Small fix. * Fix LB weight setting for split horizon eds (#12560) (#12827) * lb weight for split-horizon-eds shoulb be set correctly * fix ut * rename * fix ut * fix lint * fix lint * Restore dump_kubernetes.sh function on OSX (#12159) * Fixes for Bash 3.x and detecting non-running pods * Address shellcheck warnings * Remove Robert Li from tests OWNERS file (#12946) Robert has had a change in employment and can no longer contribute to Istio. * remove unnecessary namespace for webhook configuration (#12981) * remove deprecated mcpServerAddrs flag (#12954) * remove deprecated mcpServerAddrs * fix ut * support ip:port format configSource * fix ut * fix ut * supprt proxy https app probe (#12872) * supprt proxy https app probe * add ut * fix ut * add webhook inject test * fix test * fix comments by incfly * Allow some time for the configuration propagation (#12865) * Allow some time for the listeners config propogation * change to use watchDiscovery * samples/bookinfo: easier access to logs (#12584) * Use shorter namespace prefixes. (#13001) * Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850) (#12936) * Change Ip Address to readable format in accesslog from stdio adapter * Add a check to validate it's an IP Address before calling ip.string function * Fix formatting error * Fix test * Correct stringify function in instanceUtil.go too for IP address * Fix based on review * Fix based on review * Fix based on review * Update integration test env flag (#12977) The flag should be "kube" not "kubernetes" but it was not updated in some places before. * Support inline role definition in AuthorizationPolicy (#12849) * Don't fill test logs with "no provious log" (#12857) This isn't a real error, but it is misleading in the test output. We have no reason to output all of these errors that there is no previous container to get logs from. * mixer: delete old style CRDs from installation (#12710) * delete old style CRD from installation Signed-off-by: Kuat Yessenov <kuat@google.com> * disable galley from listening to old style CRDs Signed-off-by: Kuat Yessenov <kuat@google.com> * more hardcoded yamls Signed-off-by: Kuat Yessenov <kuat@google.com> * debuggin default install Signed-off-by: Kuat Yessenov <kuat@google.com> * fix fmt Signed-off-by: Kuat Yessenov <kuat@google.com> * keep galley pipeline Signed-off-by: Kuat Yessenov <kuat@google.com> * disable resource ready Signed-off-by: Kuat Yessenov <kuat@google.com> * delete debugging line Signed-off-by: Kuat Yessenov <kuat@google.com> * fixing testdata Signed-off-by: Kuat Yessenov <kuat@google.com> * delete deprecated configs Signed-off-by: Kuat Yessenov <kuat@google.com> * remove declarations Signed-off-by: Kuat Yessenov <kuat@google.com> * delete more yaml Signed-off-by: Kuat Yessenov <kuat@google.com> * merge fix Signed-off-by: Kuat Yessenov <kuat@google.com> * Add tests for the effect of mTLS setting to reachability (#11624) * Reachability test in new ingegration test framework * Add test for port specific policy * Expose KubeApp interface and move EndpointForPort to that instead * Use the retry.UntilSuccess from framework * Change to UntilSuccessOrFail instead of UntilSucces * remove deprecated code (#13005) * remove deprecated code * remove dep * Add examples/documentation for the test framework. (#13000) * Add examples/documentation for the test framework. * Add more prose about test lifecycle. * Fix typo. * Fix typos. * fix retry loop in mixer crd watch (#13003) * first change to apps/v1 for Install (#13015) * first change for install * appsv1 * indention * use only ipv4 for pilot and zipkin (#12997) * do ipv4 lookups for pilot and zipkin Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com> * update goldens Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com> * small fix for imports (#13013) * remove old mcp stack (#12092) * remove old mcp stack * remove legacy mcp server from galley * fix server build * fix linter * remove unused code in journal.go * fix build * s/server/source * fix linter errors * Exclude Prometheus traffic in rule so that Kiali does not show it. (#12251) * [Galley] Fix race in strategy shutdown. (#13004) * [Galley] Fix race in strategy shutdown. The Close() logic was holding onto the state lock, which can race with worker thread. Specifically, the worker thread could be in a call to onTimer awaiting the lock, which would never be acquired since the Close() method is stuck waiting for the stopped channel to close. * cleaning up reset logic to avoid holding on the stateLock * Add instructions and scripts to facilitate running E2E tests locally using KinD (#12641) * Adding check/install go in both macOS and Linux. * Install go if not installed. * Adding support to run e2e test on KinD locally. * Adding the ability to run e2e tests locally on KinD. * Update install_prereqs_debian.sh * Update setup_test.sh * Adding the ability to run e2e test on KinD for presubmit test. * Presubmit e2e test on KinD. * Adding the ability to run e2e_simple presubmit on KinD * Adding README file for testing on KinD locally. * Revert the changes on adding install_go function. * Revert install_go in common_macos.sh * Revert the file changes of deleting newline. * Reverting the changes. * Addressing reviews. * Fixing shellcheck * respect locality weight set from ServiceEntry (#12714) (#13012) * respect the lb weight setting from users * add ut * fix golint * add locality lb setting test * fix lint * update test case * update test case * lint * Add documentation about -p 1 for integration test framework. (#13032) * Reduce logs in security/pkg/nodeagent/sds/ (#13035) * Reduce logs in security/pkg/nodeagent/sds/ https://github.com/istio/istio/issues/13033 * Count the log output times * Revise the PR based on review comments * move pkg/mcp/configz to pkg/mcp/configz/client (#12982) Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * Restore TestMtlsHealthCheck in postsubmit, prow. (#12969) * restore test to debug. * add presubmit label to the test for triggering. * change to only run in postsubmit. * remove postsubmit label just comment. * Enable more linters and fix warnings/errors (#12993) * Cherry pick cert file config from master to release-1.1 (#12707) * Cherry pick from master: Configuration: no longer hardcode mesh certs (#12189) * Configuration: Pilot-Agent: no longer hardcode certs to watch. Pilot-Discovery: no longer hardcode Envoy listener cert paths. * Address demands of golangcibot overlord * Change usages of github.com/stretchr/testify/require to github.com/stretchr/testify/assert * Address code style violation * Revert temporary api changes. Set cert paths in envoy node metadata and use them when setting up listeners * Use envoy node metadata cert paths (if available) when constructing clusters * Rename constants to make golint happy * Fix imports * Ignore ordering in test * Pass around proxy instead of proxy.Metadata (cherry picked from commit 7c342741df9bd4e313420b4d17e279089d8956da) * goimports file * Allow limiting Citadel to marked namespaces only (#12289) * Allow limiting Citadel to marked namespaces only - add command line flag to require explicit opt-in to secrets (defaults to false to retain current behavior of always create) - extend secret controller to consider namespace labels (reuses existing 'istio-injected=enabled') - modify unit tests to retain previous behavior (i.e., always create secrets, explicit opt-in not required) and account for additional namespace access * removed left-over debug print, check enable only when explicit opt-in is required * reverting k8s actions in tests: namespaces no longer checked when explicit opt-in is false * unit tests for checking labels and behavior * Namespace specified in command line is explicitly enabled - save namespace specified in the `--listened-namespace` option on the controller (allow multiple to prepare for r1.1) - check SA namespace against explicit namespaces * use dedicated label name to avoid overloading the injection label * use istio-managed label in tests * clarified explicit-opt-in is relevant for keys and certificates provided via a volume mount * refactor istio managed object test to a function so it can be called from secret deletion handler as well * fix left over istio-injection label in tests * manual merge fix * appsv1 galley (#13047) * Add support for datadog tracing (on release-1.1 branch) (#12687) * Add support for datadog tracing. Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com> * Use $(HOST_IP) instead of special-casing empty address value Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com> * add param to sidecar to ignore iptables changes (#12829) * add param to sidecar to ignore iptables changes * rephrase description * samples/bookinfo: migrate `apiVersion` of deployments to `apps/v1` (#13030) * fix validation logic so that port.name is no longer a valid PortSelector (#13054) * [Test Framework]: Galley support for deleting config (#13037) In order to properly support deleting resources, it was necessary to revisit how ApplyConfig is done as well. Previously, apply would just blindly copy the yaml to a new file in the configDir. The assumption was that the resource was always being "added" (rather than updated). I'm not certain what would happen if two resources appeared with the same name/namespace. This PR generalizes (and fixes) the way resources are handled so that it's not concerned with files, but rather the underlying resources. The code now parses the top-portion of the yaml to properly identify each resource. Once identified, the code now properly updates resources by writing back to the file where the resource was found. Deletes are similar, where the original resource in the file is replaced with "" (empty files are removed). * Support controlz for mcp server (#12980) * Support controlz for mcp server Signed-off-by: clyang82 <clyang@cn.ibm.com> * fix lint error * Address review comments Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * generalize artifact injection into Docker images (#12203) Instead of just adding LICENSES.txt only, also optionally add in the source code as well, gating on the new EXTRA_ARTIFACTS and EXTRA_ARTIFACTS_CNI environment variables. Change-Id: Iab8fadfbcbbaa8906491e12324fae20185d9f33e * Keep going when problem happens checking remote version (#13060) * remove deprecated show-all flag (#13053) * Add x alias to experimental istioctl command (#11801) * Add x alias to experimental istioctl command I'm super lazy and experimental is far too much effort to type Signed-off-by: Liam White <liam@tetrate.io> * Add exp as an additional alias Signed-off-by: Liam White <liam@tetrate.io> * Correct the app label for Gateway (#12693) * update selector for gateway Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * fix build fail Signed-off-by: clyang82 <clyang@cn.ibm.com> * Update tracing_datadog_golden.json (#13082) * Fix small typo (#13089) can useful -> can be useful * Add jitter in CSR request (#12805) * Add jitter in CSR request * Add log * Fix comments * Fix test * Fix test * Fix comment * Allows cleanup.sh to run non-interactively when in terminal (#12635) This change allows cleanup.sh to run non-interactively in standard terminals. For example: NAMESPACE="test123" ./cleanup.sh * 'istioctl proxy-config clusters' cluster type column rendering (#12458) (#12730) * update sds secret mount. (#12733) * Copy data from right place (#12762) * Fix updateClusterInc for overlapping ports (#12766) * Fix updateClusterInc for overlapping ports It is possible that a service will have multiple ports, with the same port number. The typical example here is kube-dns, which uses port 53 for UDP and TCP. When we do an incremental push, we would select the first port to match the port number, which would sometimes causes us to ignore the correct port. This fix searches through all matching ports. * Ensure port number matches as well * Add unit tests * remove dead code * enable default sidecarscope (#12832) * [Galley] Fix for ServiceEntry event ordering (#12890) The integration test was encountering this, exposing a real bug. If nodes/pod events occur after service/endpoints (which should generally be unusual) then it is possible to have a ServiceEntry missing pod/node information (e.g. locality). Fixes #12820 * Adding sha for istio/tools to manifest.txt for future automation of perf tests (#11706) * Copy helm data from the right place (#12808) * Refactor solution based on Costin's feedback (#13027) Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * Enable more linters and fix warnings/errors (#13061) * Making tags requirement same as those in Kubernetes (#12852) * Making tags requirement same as those in Kubernetes Changing validation check to make sure non-empty tags start with an alphanumeric character * Validating label keys are not empty strings Allow empty string for label values Do not allow empty string for label keys * Added certmanager flag into helm chart values.yaml (#12953) * Added certmanager flag into helm chart values.yaml * Moved certmanager configuration * Pilot [networking]: Add upstream idle_timeout to cluster definition (#13066) * adding upstream idle_timeout to cluster definition. * reverting vendor changes before running dep ensure again. * running dep ensure update on api from master. * controlPlaneMtls renamed to controlPlaneSecurityEnabled (#13141) * Patch #12805 to master (#13104) * Patch #12805 to master * Fix lint * Fix HelmDelete command (#12515) * Fix HelmDelete command HelmDelete was called with the namespace it needs to be called with a chartname. Also created a constant to make it more obvious when called by the other Helm related commands. * Fix typo * Goimports fix * ight modification path (#13148) * Allow overriding of registry locality (#13077) Also fixes bug where non-kube envs could override to something that parsed incorrectly Signed-off-by: Liam White <liam@tetrate.io> * mixer: add support for standard CRDs for compiled-in adapters (#12815) * cherry pick subset of https://github.com/istio/istio/pull/12689/ Signed-off-by: Kuat Yessenov <kuat@google.com> * add support for compiled in adapters Signed-off-by: Kuat Yessenov <kuat@google.com> * patch log line Signed-off-by: Kuat Yessenov <kuat@google.com> * parse cert to get expire time (#13145) * parse cert * cleanup * unit test coverage * missing file * address comments * rebase and address comment * Installing istio for perf testing (#13159) * Perf scripts * gsutil * WD * perf running and geting metrics * Perf * perf * perf * Perf * remove * qq * Appsv1 pilot (#13050) * appsv1 for Pilot * appsv1 for Pilot * appsv1 for Pilot * dep update * fix test * fix test * fix test * fix test * fix test * typo * typo * typo * typo * typo * update go-control-plane (#13154) Signed-off-by: Kuat Yessenov <kuat@google.com> * added sidecar.istio.io/rewriteAppProbers annotation (#13112) * pilot: registered sidecar.istio.io/rewriteAppProbers annotation * pilot: checked from sidecar.istio.io/rewriteAppProbers too * pilot: added webhook inject tests TestWebhookInject_http_probe_rewrite_enabled_via_annotation case is a modification of TestWebhookInject_http_probe_rewrite case. The difference is rewriteAppHTTPProbe is false in template, but set to true in annotation. TestWebhookInject_http_probe_rewrite_disabled_via_annotation case is a modification of TestWebhookInject case. The difference is rewriteAppHTTPProbe is true in template, but set to false in annotation. * fixed linter issue in test * added http probe test for kubeinject case * added tests and fixed login upon checking RewriteAppHTTPProbe setting * Add more tests in app_probe_test.go * renamed RewriteAppProbers to RewriteAppHTTPProbers * fixed test case for webhook injection * add description to rewriteAppHTTPProbers annotation * updated tests in app probe to sync with recent master change * change validateBool to alwaysValidFunc as per review * Export inject.injectionData() (#12426) * Registrator should use master version (#13083) * dependencies: update cel-go and remove protoc-gen-docs (#12711) * experiment with COMPAT Signed-off-by: Kuat Yessenov <kuat@google.com> * get errors Signed-off-by: Kuat Yessenov <kuat@google.com> * get errors Signed-off-by: Kuat Yessenov <kuat@google.com> * stop validation Signed-off-by: Kuat Yessenov <kuat@google.com> * remove hack Signed-off-by: Kuat Yessenov <kuat@google.com> * testing Signed-off-by: Kuat Yessenov <kuat@google.com> * only access log Signed-off-by: Kuat Yessenov <kuat@google.com> * debugging Signed-off-by: Kuat Yessenov <kuat@google.com> * debugging Signed-off-by: Kuat Yessenov <kuat@google.com> * debugging Signed-off-by: Kuat Yessenov <kuat@google.com> * debugging Signed-off-by: Kuat Yessenov <kuat@google.com> * debugging Signed-off-by: Kuat Yessenov <kuat@google.com> * add runtimeconfig Signed-off-by: Kuat Yessenov <kuat@google.com> * add a benchmark Signed-off-by: Kuat Yessenov <kuat@google.com> * cel_perf Signed-off-by: Kuat Yessenov <kuat@google.com> * update cel Signed-off-by: Kuat Yessenov <kuat@google.com> * update examples Signed-off-by: Kuat Yessenov <kuat@google.com> * remove unnecessary dependencies Signed-off-by: Kuat Yessenov <kuat@google.com> * Fixing copy for helm, one more time. (#13186) * Run goimports on generated file (#13195) * Enable disabled mixer tests in New Test Framework (#13151) * Enable disabled mixer tests in NF * Change tests config to new style * Change tests config to new style * Change tests config to new style * Fix config for native policybackend * Fix report test * Reduce Pilot resource requests for demo (#12477) * Reduce Pilot resource requests for demo * Add limits as well * Added data source for Galley dashboard (#13041) Fixes: #13040 * fix values for pod anti-affinity. (#12798) * Add sensible defaults to istio-gateways (#12315) * report succeed after validation (#13165) * report succeed after validation * review comments * Change exposed port of istio-pilot in consul (#13170) `15003` and `15005` are never used in pilot under consul env. It would be confusing to expose the two ports. Instead, ``` --grpcAddr string Discovery service grpc address (default ":15010") --secureGrpcAddr string Discovery service grpc address, with https (default ":15012") ``` we know `15010` and `15012` are still using. * Cherrypick: Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916) (#12973) * Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916) * Add wildcard route fallthrough Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port. Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there is already an http service. This is misleading, as it can be conflated with a 404 error returned from the actual service. When in REGISTRY_ONLY mode, we instead return a 502 error to indicate the request is blocked. * add unit tests * Remove node-level flag * Fix tests * Use new env var framework * Fix long line * Run format and linter * CEL checker mutex (#13192) * checker mutex Signed-off-by: Kuat Yessenov <kuat@google.com> * deadlock Signed-off-by: Kuat Yessenov <kuat@google.com> * Integration testing for Locality Load Balancing (#13084) * Initial testing functionality Signed-off-by: Liam White <liam@tetrate.io> * appease the linting gods Signed-off-by: Liam White <liam@tetrate.io> * Fall back to bootstrap locality as a last resort Signed-off-by: Liam White <liam@tetrate.io> * Move service instance check after we set them... Signed-off-by: Liam White <liam@tetrate.io> * Add EDS test Signed-off-by: Liam White <liam@tetrate.io> * Reorganise tests to run in parallel Signed-off-by: Liam White <liam@tetrate.io> * Move to pilot directory Signed-off-by: Liam White <liam@tetrate.io> * minor Infof fixes Signed-off-by: Liam White <liam@tetrate.io> * fix package name Signed-off-by: Liam White <liam@tetrate.io> * Increase propagation sleep and add warning Signed-off-by: Liam White <liam@tetrate.io> * [test-framework] Support helm values containing spaces (#13127) * Support helm values containing spaces in integration test framework For a helm template command, e.g., "helm template --set key1=value1 --set key2=value2", the existing integration test framework assumes the values do not contain spaces and splits the command argument using the space character before executing the helm command. Thus, the existing implementation does not support helm values (e.g., certificates) containing spaces. This PR adds the support of helm values that contain spaces. * Revised to use array based on review comments * Adding servicegraph testing to postsubmit (#13190) * Adding servicegraph testing to postsubmit * m * perf * change * pod * fix * Adding E2E Test for kiali (#11448) * Add Kiali E2E Test * Minor Fixings on Kiali E2E Test * Remove unused mixer.enabled value (#13214) This is not a functional change; this value is never used so it is misleading/confusing. mixer.policy.enabled and mixer.telemetry.enabled are used. * Adding aliases for OWNERS (#13194) * Fixing copy for helm, one more time. * Adding aliases for test group. Setting up labels and no parent_owners * prow * owners * Fixing helm order (#13224) * Fixing copy for helm, one more time. * Fix order of the helm command * fix lint (#12988) * update certificates with expiration time 100 years (#13233) * update certificates with expiration time 100 years * update testdata/local/etc/certs * fix original destination bug (#13011) * fix original destination bug * add ut * align init role label. (#13172) * Remove --platform option (#13187) * Fix #10380: Remove hardcoded sidecar template for istioctl kube-inject (#10830) * Remove the hardcoded sidecar template for * Remove deprecated flags in istioctl kube-inject * update testdata after rebase * add rule for kubeinject.go in codecov.threshold * push client the new root cert when it's changed (#13163) * refresh root * refresh root * unit test * add logs * address comment * more comment * address comment * Implement `role` field in AuthorizationPolicy (#13181) * Add check for role in ServiceRoleBinding * Implement global role * Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow (#13199) * Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow. The mutual TLS connection uses the certificates issued by SDS-Vault CA flow and SDS-Citadel CA flow. * Use the flag EnableCDSPrecomputation() * Address review comments * Ignore missing resources on kubectl delete (#13225) This makes it so tests won't fail on cleanup for resources that are already deleted. * [Testing] Cleanup PortForwarder (#13250) * Add generated LICENSES.txt to gitignore (#13209) * remove myself from owners (#13231) Signed-off-by: Kuat Yessenov <kuat@google.com> * add upstream_transport_failure_reason to access log (#12434) * add upstream_transport_failure_reason to access log Signed-off-by: Lizan Zhou <lizan@tetrate.io> * update proxy to latest Signed-off-by: Lizan Zhou <lizan@tetrate.io> * fix Signed-off-by: Lizan Zhou <lizan@tetrate.io> * fix format Signed-off-by: Lizan Zhou <lizan@tetrate.io> * Fix integration test errors and refactor security integration tests (#13253) * Fix integration test errors and refactor security integration tests - Fix the failure of integration tests when --istio.test.nocleanup=false, which is the default test setting. The failures of integration tests when --istio.test.nocleanup=false are caused by that the errors during cleaning up tests are treated as test failures while the actual tests have succeeded when --istio.test.nocleanup=true. - Organize security integration tests under testss/integration/security. - Refactor the code to share common utility functions and remove duplicate code. - Misc fixes. * Address review comments * Use a const to represent the test policy directory * Address review comments * Fixes the multicluster e2e test (#13246) The secret was being created after the apps where deployed on the remote. This was causes the test to never think the apps successfully deployed since the envoy sidecar was continually restarting. * pre-check: fix a logic error (#13278) `getNameSpace()` always returns an object, even if namespace does not exist. Checking the error status is safer. * Remove kubectl from dockerfile prereqs since it pulls it (#13256) * Fixing EDS unit tests (#12995) The current EDS test is incorrect and passes because the check calls time out rather than sucessfully completing. This PR fixes the problem and add one more test. fixes issue #12994 * rbac: fix a data race in listener generation (#13308) * Include js/css files into static folder (#12983) * Include js/css files Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * Append version to file Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * ignore assets.gen.go in code coverage Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * remove assets.gen.go from codecov test Signed-off-by: clyang82 <clyang@cn.ibm.com> * remove skipped test from .cov file Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * fix check chell issue Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * fix shell check issue Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * Fix galley integration test race (#13303) * [Test Framework] Integrate apps with Galley (#13115) The most recent refactoring broke the apps component when Pilot is being used with Galley. The apps register their services with the ServiceManager directly. When Pilot is configured with Galley, however, it doesn't use the ServiceManager, which means that the app services are never properly registered with Pilot. - Changed the Pilot and Apps component to require Galley to be configured, to avoid confusion. - Removed the ServiceManager altogether - Galley is used for service registration. Fixes #13090 * Fix again helm copy, was reverted during merge from release 1.1 (#13337) * Fixing copy for helm, one more time. * Fixing copy again for master * Update OpenShift dependencies; Drop [deprecated] legacy schema (#13160) * Extend istioctl mocking library to allow mocking of authn etc (#13118) * Fixing iptabes ranges (#13291) * Fixing iptabes ranges Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * fix shellcheck errors Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * fixing ci failures #1 Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * fixing ci failures #2 Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * fixing ci failures #3 Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * Addressing comments Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * Don't apply locality label unless provided (#13297) * Single Template injection spec fully at runtime (#13147) * Template injection spec fully at runtime This eliminates the need to have two layers of templates, which adds a lot of complexity to the template. * Get tests working and rebase on removal of hardcoded template * Remove unused vars * Fix istioctl tests * Report circleci status to testgrid k8s dump (#13340) The dump script often fails for the same reason the test fails. The dump script should probably be hardened, but in the mean time we can just make sure we report the failure (high priority) before we dump the state. * Add integration tests for RBAC v2 (#13353) * Implement RBAC v2 intergration test * Add Galley to app for security tests * Disable locality LB tests (#13305) * [Galley] Add NotReadyEndpoints to Synthetic ServiceEntry (#13255) * [Galley] Add NotReadyEndpoints to Synthetic ServiceEntry …
Supersedes #12512, Thanks @zhranklin for the great work!
This fixes #12488