-
Notifications
You must be signed in to change notification settings - Fork 7.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merge master branch 2619197 to collab authn #13539
Merge master branch 2619197 to collab authn #13539
Conversation
* Don't require service account for spiffe Some kubernetes pods don't have a service account. This causes a log flood that the spiffe url is invalid, but this doesn't actually have any negative impact. We can just make it not an error to have no service account. * Revert "Don't require service account for spiffe" This reverts commit e88ff18. * Just drop error -> warn * Fix tests * Drop log level
…11800) (istio#12460) * Adding additional fields for bindings and validation. (istio#11800) * Implement namespaces for ServiceRoleBindings * Implement not_namespaces and refactor * Implement not_ips * Implement ips (no unit tests) * Add a unit tests for ips for ServiceRoleBinding * Implement groups and not_groups for ServiceRoleBinding * Implement names and not_names * Check for duplicated definition in constraints/properties and first-class fields * Disallow using * in names or not_names to prevent ambiguity * Disallow using * in names or not_names to prevent ambiguity * Refactor additional fields for bindings * Update validation.go * Update validation.go
* enhance verify install command * fix lint * fix lint
…o#12500) (istio#12556) * Add namespace scoping to the Gateway 'port' names (istio#12500) (istio#12500) Currently in order to configure ingressgateway to do TLS termination using multiple secure virtual hosts with different certificates Istio requires Gateway 'port' names to be globally unique (i.e. distinct). I.e. two gateways cannot have secure port named 'https' even if they reside in different namespaces. Behavior in such case is undefined. This breaks namespace isolation as a user creating a Gateway in one namespace might not have access to other namespaces hence can't if the port name is already 'taken'. Behavior in such case is undefined and likely to render other virtual hosts unavailable. This change adds namespace scoping to Gateway port names by appending namespace suffix to the HTTPS RDS routes. Port names still have to be unique within the namespace boundaries, but this change makes adding more specific scoping rather trivial. * Increase Gateway 'port' names scoping granularity
…stio#12592) * Locality label istio-locality in k8s should not contain `/`, use `.` instead * fix comments
Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>
The plumbing for propagating the envoy metrics service address config is missing a step to copy the given address to the config object that is passed on to the template renderer.
* finish demo Signed-off-by: Kuat Yessenov <kuat@google.com> * printf Signed-off-by: Kuat Yessenov <kuat@google.com> * publish keyval Signed-off-by: Kuat Yessenov <kuat@google.com>
Added a new case and cleaned up the existing test cases.
Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
* uds fix * readonly
This PR only increases test coverage. Does not impact functionality. Signed-off-by: Liam White <liam@tetrate.io>
* lb weight for split-horizon-eds shoulb be set correctly * fix ut * rename * fix ut * fix lint * fix lint
* Remove extra ingress template * cherry pick 10578 * reformat * Update rbac.go to use httpfilter when needed * Integration framework ensure apiVersion is top level * Update yaml make target * Disable setup on sidecar_api_test
Merge branch 'release-1.1' into master
The echo component currently assumes a hard-coded list of ports. We eventually want to replace the "apps" component with echo, but in order to do that we'll need to be able to tailor the port configuration for each instance.
* refresh handler with connection update * sanitize test error message
* Fixing coping of the data to the bucket. * Small fix * RM folder in any case
…#11531) * injector changes for health check, pilot agent take over app readiness check. (istio#9266) * WIP injector change to modify istio-proxy. * move out to app_probe.go * Iterating sidecartmpl to find the statusPort. * use the same name for ready path. * Get rewrite work, almost. * Some clean up on test and check one container criteria. * fix the injected test file. * Add inject test for readiness probe itself. * Add missing added test file. * fix helm test. * fix lint. * update header based finding the port. * return to previous injected file status. * fixing TestIntoResource test. * sed fixing all remaining injecting files. * handling named port. * fixing merginge failure. * remove the debug print. * lint fixing. * Apply the suggestions for finding statusPort arg. * Address comments, regex support more port value format. * add app_probe_test.go * add more test. * merge fix the test. * webhook autoinject is ready for review. * Squashed commit of the following: commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 18:13:30 2019 -0800 renaming env var. commit 1a82b2c0de292a34643f59ce802858c8d26a7a46 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 17:59:25 2019 -0800 finish migrating test to yaml file based. commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 13:55:00 2019 -0800 get test working. commit 28225cd409c7790636c11da74ad8f69d0e7cf89b Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 13:49:58 2019 -0800 WIP add some test files. commit 612b8aa3db468850d8e34f47d0dc05c536f57dde Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 13:13:06 2019 -0800 WIP changing to using the environment var. commit 7dabcb1695fa375de1b93add014528ae7509c94c Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 10:52:47 2019 -0800 add todo for the tests. commit 7af6ba524176616d67d35867665225e27f4a96ce Merge: ca22277 4b7b13a Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 29 10:47:17 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip commit ca22277 Merge: 98fd48f 744b07a Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 23:15:34 2019 -0800 Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip commit 98fd48f Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 23:15:00 2019 -0800 findsidecar. commit 744b07a Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 22:29:28 2019 -0800 add FindSidecar. commit 40ed002 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 21:55:51 2019 -0800 refactor some code. commit 0fdbb2e Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 18:19:32 2019 -0800 Integration test works and fixing a bug. commit 5085dfd Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 16:09:13 2019 -0800 all inject tests pass. commit fe3f156 Merge: a2a7744 010d5c2 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 15:22:18 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip commit a2a7744 Author: Jianfei Hu <jianfeih@google.com> Date: Mon Jan 28 15:16:04 2019 -0800 update the TestWebhookInject. commit 36fd45c Author: Jianfei Hu <jianfeih@google.com> Date: Fri Jan 25 12:13:21 2019 -0800 some document commit 88dc922 Author: Jianfei Hu <jianfeih@google.com> Date: Fri Jan 25 11:43:44 2019 -0800 new version works for kubeinject, webhook unit test. commit 6efa0d6 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 18:17:38 2019 -0800 WIP working on modifying sidecar.Args first, then modify app container patch. commit 65a2194 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 15:20:36 2019 -0800 WIP add what's missing to get e2e test working. commit 1595e87 Merge: 256d963 ac78a55 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 13:26:05 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit 256d963 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 12:14:04 2019 -0800 add some debugging log. commit f700963 Merge: bdce721 c7eb603 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Jan 24 10:57:43 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit bdce721 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 18:04:37 2019 -0800 refactor to host something up to caller. commit b51763c Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 16:31:32 2019 -0800 get everything works. commit 0815695 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 15:48:27 2019 -0800 kubeinject test is working. commit 14c99b5 Merge: d626bb8 5ea7962 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 15:38:30 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit d626bb8 Merge: 3561ae0 66153da Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 23 15:38:23 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit 3561ae0 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 16:49:44 2019 -0800 WIP, policy is not taking effect, test passing without rewrite. commit a9bef0f Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 16:31:08 2019 -0800 fix the json path in the patch. commit f1aee91 Merge: 3a7eb48 abc53e1 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 14:03:49 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit 3a7eb48 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 13:57:55 2019 -0800 fix it, removing namespace since metadata not matching will fail for kubeapply commit 2b12034 Author: Jianfei Hu <jianfeih@google.com> Date: Wed Jan 16 11:58:39 2019 -0800 WIP, debuggin why mtls policy is not showed up. commit 72e9c4e Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 15 17:24:16 2019 -0800 working on integration2 test framework. commit 90c1cce Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 15 17:04:38 2019 -0800 add small comments. commit 92a0eda Merge: 7f5c8cb e45242c Author: Jianfei Hu <jianfeih@google.com> Date: Tue Jan 15 16:43:47 2019 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit 7f5c8cb Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 18 09:37:53 2018 -0800 check rewriteAppProbe separately. commit e2707c9 Merge: 20f02c0 1ae6b4f Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 18 09:01:37 2018 -0800 Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject commit 20f02c0 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 18 08:59:57 2018 -0800 duplicate the rewrite logic. commit 4894cb1 Merge: 3b3bcbf d8c4579 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 18 08:53:44 2018 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit 1ae6b4f Author: Jianfei Hu <jianfeih@google.com> Date: Mon Dec 17 21:56:51 2018 -0800 address comments. commit 3b3bcbf Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 15:24:33 2018 -0800 massage comments. commit ccd670d Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 15:15:50 2018 -0800 helm flag is off, so change the expected outoupt. commit 43522c1 Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 15:09:46 2018 -0800 make webhook support rewriteAppHTTPProbe flag. commit f60f18f Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 12:03:04 2018 -0800 fixing the merge typo. commit 05bbadf Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 11:56:38 2018 -0800 remove unnecessary changes in test for debugging. commit a81eacb Merge: af1a679 f6b0ddc Author: Jianfei Hu <jianfeih@google.com> Date: Thu Dec 13 11:53:07 2018 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit af1a679 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 18:07:19 2018 -0800 fixing all the test. commit 58d0bef Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 17:51:34 2018 -0800 Get TestInject happy. commit fcd0ae2 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 17:49:42 2018 -0800 make TestHelmInject happy. commit 7a3ffc8 Merge: fcca1f8 bd1631b Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 16:53:01 2018 -0800 Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject commit fcca1f8 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 16:18:20 2018 -0800 get webhook_test.TestInject working. commit 06f517c Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 16:10:55 2018 -0800 restructure app_probe_test working for both. commit 7142e96 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 13:19:41 2018 -0800 starting to work on serious test commit a3dfb97 Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 11:50:19 2018 -0800 prototyping get familar with the test. commit 51659da Author: Jianfei Hu <jianfeih@google.com> Date: Tue Dec 11 11:05:51 2018 -0800 wip for adding test. * resolve appprobetest. * update the golden due to another injector change. * remove unnecessary files in this pr. * remove the test framework change. * remove unnecessary testdata file. * wip for adding health check test app. * wip very hack working solution app deployed * finally test starts working * make sure the test works if and only if the helm flag is turned on. * refactoring * small adjustment. * DeepCopy used. * working test only healthcheck test. * remove inline policy * change RegisterHelmValueOverrides. * unnecessary change. * Finish HelmValueMap refactor. * some cleanup. * clean up. * flags helm values takes higher priority. * fix the lint. * address comments. * revert chagnes on HelmValuesMap. * wip getting helm customizable with new configuration api. TODO: testing by rebuild image. * fix the helm value passing overrides. * wip the app is deployed but not ready and still finishes... * wip apps configuration not take effect. * working version of apps configuration. * clean up some debugging log. * test documentation. * WIP changing deploymentFactory to KubeApp. * verify test works. * clarify kubeappsconfig doc. * get the test pass, no apps configuration yet. * get test working. * clean up on apps/kube.go * few clean and update readme doc. * change the overrides by func callback. * fix the typo. * fix the comments.
The secret was being created after the apps where deployed on the remote. This was causes the test to never think the apps successfully deployed since the envoy sidecar was continually restarting.
`getNameSpace()` always returns an object, even if namespace does not exist. Checking the error status is safer.
The current EDS test is incorrect and passes because the check calls time out rather than sucessfully completing. This PR fixes the problem and add one more test. fixes issue istio#12994
* Include js/css files Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * Append version to file Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * ignore assets.gen.go in code coverage Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * remove assets.gen.go from codecov test Signed-off-by: clyang82 <clyang@cn.ibm.com> * remove skipped test from .cov file Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * fix check chell issue Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * fix shell check issue Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
The most recent refactoring broke the apps component when Pilot is being used with Galley. The apps register their services with the ServiceManager directly. When Pilot is configured with Galley, however, it doesn't use the ServiceManager, which means that the app services are never properly registered with Pilot. - Changed the Pilot and Apps component to require Galley to be configured, to avoid confusion. - Removed the ServiceManager altogether - Galley is used for service registration. Fixes istio#13090
…o#13337) * Fixing copy for helm, one more time. * Fixing copy again for master
* Fixing iptabes ranges Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * fix shellcheck errors Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * fixing ci failures istio#1 Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * fixing ci failures istio#2 Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * fixing ci failures istio#3 Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * Addressing comments Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
* Template injection spec fully at runtime This eliminates the need to have two layers of templates, which adds a lot of complexity to the template. * Get tests working and rebase on removal of hardcoded template * Remove unused vars * Fix istioctl tests
The dump script often fails for the same reason the test fails. The dump script should probably be hardened, but in the mean time we can just make sure we report the failure (high priority) before we dump the state.
* Implement RBAC v2 intergration test * Add Galley to app for security tests
* [Galley] Add NotReadyEndpoints to Synthetic ServiceEntry The k8s Endpoints NotReadyAddresses are used by Pilot to create inbound ports. Without these ports, the endpoints will never become "ready". Supports istio#10589 * addressing comments
This adds the make targets `rpm/istio` and `rpm/proxy` for creating rpm's for Istio components. Artifacts will be created in `$ISTIO_OUT/rpm`. It also creates a target `rpm/builder-image`, which creates a docker builder image necessary to build istio and proxy rpm's. All RPM's will have as the version number whatever is defined at `VERSION` variable. So, a typical usage will be `make VERSION=1.1.0 rpm/istio`.
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: lei-tang If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
So there's good news and bad news. 👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there. 😕 The bad news is that it appears that one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request. Note to project maintainer: This is a terminal state, meaning the ℹ️ Googlers: Go here for more info. |
Merge master 2619197 to collab-authn branch.