EnvoyFilter: patch/add/remove clusters and virtual hosts #15515
Conversation
} | ||
|
||
func applyClusterConfigPatches(env *model.Environment, proxy *model.Proxy, | ||
push *model.PushContext, clusters []*xdsapi.Cluster) []*xdsapi.Cluster { |
applyClusterConfigPatches - push is unused (from unparam)
continue | ||
} | ||
if matchExactContext(proxy, clusters[i], cp.Match) && clusterMatch(clusters[i], cp.Match) { | ||
proto.Merge(clusters[i], userChanges) |
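Review bot: proto.Merge on the last line of this hunk appends repeated fields rather than replacing them, so a MERGE patch that lists e.g. load_assignment endpoints or circuit_breakers thresholds will accumulate entries next to the ones already in the cluster; either document that MERGE has append semantics for lists in the EnvoyFilter API, or clear the targeted repeated fields before merging if replace semantics are intended.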
File is not goimports-ed (from goimports)
proto.Merge(clusters[i], userChanges) | |
proto.Merge(clusters[i], userChanges) |
if err != nil { | ||
return nil, err | ||
//log.Warnf("Failed to unmarshal provided value into cluster") |
commentedOutCode: may want to remove commented-out code (from gocritic)
|
||
newCluster, err := buildXDSObjectFromValue(cp.ApplyTo, cp.Patch.Value) | ||
if err != nil { | ||
// log.Warnf("Failed to unmarshal provided value into cluster") |
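Review bot: the error from buildXDSObjectFromValue is returned without any context, and the log line that would have identified the failure is commented out; instead of the dead comment, wrap the error (e.g. fmt.Errorf("failed to build %v from patch value: %v", cp.ApplyTo, err)) so the caller can tell which EnvoyFilter patch was rejected.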
commentedOutCode: may want to remove commented-out code (from gocritic)
} | ||
|
||
if proxy.Type == model.Router { | ||
if matchCondition.Context == networking.EnvoyFilter_GATEWAY { |
S1008: should use 'return ' instead of 'if { return }; return ' (from gosimple)
} | ||
|
||
if proxy.Type == model.Router { | ||
if matchCondition.Context == networking.EnvoyFilter_GATEWAY { |
S1008: should use 'return ' instead of 'if { return }; return ' (from gosimple)
Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io>
pilot/pkg/model/gateway.go
Outdated
if len(parts) == 2 { | ||
portNumber, _ = strconv.Atoi(parts[1]) | ||
} | ||
} else if strings.HasPrefix(name,"https.") { |
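Review bot: the strconv.Atoi error is discarded on the second line of this hunk, so a server name whose suffix is not numeric silently yields portNumber 0 and is then treated as a valid port; check the error and reject or log the malformed name rather than falling through with a zero port.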
File is not goimports-ed (from goimports)
} else if strings.HasPrefix(name,"https.") { | |
} else if strings.HasPrefix(name, "https.") { |
return routeConfiguration | ||
} | ||
|
||
func clusterMatch(proxy *model.Proxy, cluster *xdsapi.Cluster, |
Do we expect users to only specify one cluster at a time for patching?
For adds, yes. The user can add only one cluster, and for merges they specify the pieces of a cluster that need to be updated.
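The ADD-one-cluster versus MERGE-a-piece distinction described above, as an added illustration that is not part of this PR; the resource name, the static endpoint and the reviews service host are assumed values:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: cluster-patch-example   # assumed name
  namespace: default
spec:
  configPatches:
  # ADD: exactly one complete cluster per patch; the value is a structured
  # cluster object, not a string, so the patch parser must accept struct kinds.
  - applyTo: CLUSTER
    match:
      context: SIDECAR_OUTBOUND
    patch:
      operation: ADD
      value:
        name: example-static-cluster        # assumed cluster name
        type: STATIC
        connect_timeout: 1s
        lb_policy: ROUND_ROBIN
        load_assignment:
          cluster_name: example-static-cluster
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: 127.0.0.1       # assumed endpoint
                    port_value: 8080
  # MERGE: only the fields to change on an existing, matched cluster.
  # Note that the merge appends to repeated fields such as thresholds
  # rather than replacing them.
  - applyTo: CLUSTER
    match:
      context: SIDECAR_OUTBOUND
      cluster:
        service: reviews.default.svc.cluster.local   # assumed service host
        portNumber: 9080
    patch:
      operation: MERGE
      value:
        connect_timeout: 2s
        circuit_breakers:
          thresholds:
          - max_connections: 100
```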
…lter_cluster Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io>
/test istio-racetest-master
/retest
return nil, fmt.Errorf("unknown object type") | ||
} | ||
|
||
val := value.GetStringValue() |
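Review bot: value.GetStringValue() on the last line of this hunk returns the empty string whenever the Value is not of string kind, so a struct- or list-typed patch value is silently ignored instead of rejected; switch on value.GetKind() and return an error for unsupported kinds (or accept struct values directly), so that a misconfigured EnvoyFilter fails loudly at validation time.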
They can only provide a string? Do we validate this, otherwise it may be confusingly silently ignored
Hmm, that's a good point. The intent is not that they can only provide a string.
Took a first pass and looks good to me. Let me take another look on a bigger screen in a couple hours, hard to review when the lines are all wrapped and stuff
Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io>
Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io>
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: howardjohn, rshriram The full list of commands accepted by this bot can be found here. The pull request process is described here
/test all
@rshriram: The following tests failed, say
* Remove test that was moved to istio/pkg repo (#15025) * Remove test that was moved to istio/pkg repo * Restore checks of command line typos * Mock remote test * Step three in creating local releases. (#15074) * Local build * Local build * Fix shell * Add docker_tag * Fix lint * Removing some dups * License * License * License * Push images to docker hub * Httpbin sample fixes (#15070) * Httpbin sample fixes * fix link * Show example of new parameter, fix Trademark, grammar (#15073) * Add a Mixer integration test for testing K8s integration. (#15039) * Add a Mixer integration test for testing K8s integration. * Add the Mixer test as a presubmit gate. * Add additional check to ensure that pods stay in ready state. * Increase number of checks. * Adding more resiliency to the test. * Make linter happy. * Re-fix the problem that is being tested. On the bright side, the test works. * Do not overwrite Citadel storage namespace with env var (#15037) * Add a pull request template. (#15080) While I was here, update the common files. * [fix] spelling error (#15083) * Update istio.io/api (#15050) * update istio.io/api * tidy * Enable vulnerability scanning for Istio docker images (#14363) Currently we build and push docker images for Istio components and sample apps as part of our build process. In this PR, we have included a way to enable security vulnerability scanning of these images using IBM's image scanning tool - ImageScanner (imagescanner.cloud.ibm.com). The results of the image scans are put under a new folder 'vulnerability_scan_results' which will be available to view later. Fixes Bug: #13262 * copy code coverage to artifacts directory (#15076) * copy code coverage to artifacts directory For the eng dashboard, we want to be able to scrape code coverage from GCS. This change adds the coverage file to the artifacts directory, which in turn should automatically be uploaded to GCS. 
* quote variables to fix shellcheck * Update to latest version of istio.io/pkg (#15103) Also, fixed some errors in our GitHub templates. * update istio api (#15106) * update istio api Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * lint Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * set nodeagent updateStrategy to RollingUpdate (#15079) * Create distroless variant in release scripts . Closes #14696 (#14737) * Also build distroless images by default. Closes #14696 Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com> * Do not build distroless variant by default * Use BUILD_VARIANTS for docker.save Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com> * Add handling of build variants to release scripts Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com> * Also use distroless variant for release process Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com> * Add missing dependency Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com> * Use correct image name in add_extra_artifacts_to_tar_images. Co-authored-by: Julia Plachetka <julia.plachetka@sap.com> * Fix variant check. Co-authored-by: Julia Plachetka <julia.plachetka@sap.com> * Address comments. * Fix check for VARIANT_NAME. Co-authored-by: Julia Plachetka <julia.plachetka@sap.com> * Refactor and fix TAG issue. Co-authored-by: Jakob Schmid <jakob.schmid@sap.com> * Fix set_image_vars for distroless Co-authored-by: Jakob Schmid <jakob.schmid@sap.com> * [Testing] Adding Docker utilities (#14950) These are wrappers around the Docker go client library that simplify the process for the creation of networks, containers, and images. Not including unit tests here due to the fact that not all CI environments support access to the Docker daemon. 
This is split out from #14614 * Change CA client test name (#15104) * Add istio state metrics for some of the networking resources (#14111) * Add istio state metrics for some of the networking resources Ref: https://docs.google.com/document/d/1KMUKRMtbpp-K7hvrG5WKBJgoSABydUh4KCHXxKTg8Bk/edit?ts=5ca534e3 Ref: https://github.com/istio/istio/issues/882 Fix based on feedback Added test for the metrics Fix golang error Updated based on feedback from Oz Updated based on feedback from Oz * Fix native error in scenarios_test.go * fix based on feedback * fix golang errors * fix based on feedback * Fixed based on feedback * Fix based on feedback * Fixed golang error * Fix based on feedback * Fix scenarios_test.go * Remove _total from metric name * Add junit report for racetest and fix test failures (#15120) * Add junit report for racetest * Increase rds wait time Prow is really slow I guess. I was able to reproduce the failure with a CPU constrained docker container and raising to 15s resolved the issue. * Fix secretcontroller test race * use loadint * Cleanup management of Envoy binaries (#15063) * Cleanup management of Envoy binaries The logic flow for linux vs mac is not currently obvious and without setting GOOS beforehand, you'll end up with mac binaries in your dockerfiles. This PR makes more clear where binaries are used. Docker always uses linux, where tests will use the appropriate binary for the os. * addressing comments. * Make Iris Ding an owner (#14948) * Implement /quitquitquit in pilot-agent to support k8s job exit (#15123) * Implement /quitquitquit in pilot-agent to support k8s job exit * lint fix * add e2e * fix lint * Fix release script to handle distroless tags correctly (#15154) Fixes #15150 * Relax keepalive enforcement policy to avoid dropping connections under load (#15141) * Relax keepalive enforcement policy to avoid dropping connections under load. * lint * Add comment. * Move pkg/features/pilot to pilot/pkg/features. 
(#15064) * Move pkg/features/pilot to pilot/pkg/features. This cleans up the /pkg package, in preparation of multi-repo. * Remove naked os.GetEnv usages. * Fix call sites. * Change the default values. * jwt: add sample jwt token for e2e tests (#15051) * jwt: add sample jwt token for e2e tests. * add to Makefile and move to tests/common * Fix Docker build on OSX (#15140) Adding cross-compile targets for linux and always include linux images in Docker. * [Node agent] Add retry for token exchange + improve tests (#15144) * Add retry for token exchange + improve tests * Move member functions back to secretcache.go + fix lint * Update security/pkg/nodeagent/cache/secretcache_test.go Co-Authored-By: Bot from GolangCI <42910462+golangcibot@users.noreply.github.com> * Fix linter issue * Change msg log and refactor getExchangedToken * lint * Resolve merge conflict on #15147 (#15167) * gaurd use_remote_address by feature flag Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * add tests Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * fix comment Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * change the config name Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * Resolve rebase conflict * Fix flaky upgrade test (#14856) * Fix flaky upgrade test * Address comments * Run simple tests with distroless variant (#14944) * Run simple test with distroless images Co-authored-by: Jakob Schmid <jakob.schmid@sap.com> * Add comment to set_image_vars * Use e2e-simpleTest.sh to run distroless test Co-authored-by: Jakob Schmid <jakob.schmid@sap.com> * Use mini-kube for distroless tests Co-authored-by: Jakob Schmid <jakob.schmid@sap.com> * Add distroless test to circle-ci Co-authored-by: Jakob Schmid <jakob.schmid@sap.com> * Make tests for distroless work Co-authored-by: Jakob Schmid <jakob.schmid@sap.com> * Migrate e2e_simple distroless test from circle ci to prow Co-authored-by: Ulrich Kramer <u.kramer@sap.com> * Rename test_tag to app_tag and test_hub to app_hub 
Co-authored-by: Philipp Stehle <philipp.stehle@sap.com> * Fix building docker images for distroless variant Co-authored-by: Ulrich Kramer <u.kramer@sap.com> * Update go-control-plane to include stackdriver tracing (#15135) * Update to go-control-plane v0.8.1 * update rbac from v2alpha --> v2 * warn only if remote cluster is unavailable (#15184) * Correct the nodeport for 80 (#14984) * Correct the nodeport for 80 Signed-off-by: clyang82 <clyang@cn.ibm.com> address comments * drop 0 before var * [Testing] Add Dockerfile that bundles echo with the sidecar (#15136) This is split out from #14614 Also moving the existing Dockerfile.app to a more sane location. * [Testing] Utility for cross-compiling (#14924) This is split out from #14614 and is needed for dynamically building Docker images for the Echo component. * refactor(pilot metrics): convert to OpenCensus from Prometheus (#14854) * refactor(pilot metrics): convert to OpenCensus from Prometheus * fix(lint issues) * fix(e2e_test): remove timeout queries from dashboard e2e test * fix(racetest failure): push_context.go * fix(data race): workaround freeze access to global in listener.go * fix(metrics): context init after tag creation * refactor(monitoring): add monitoring pkg to improve OC ux * cleanup(monitoring package): refactor monitoring API * fix(docs): add copyright to file * fix(data race): copy tags slice before append in WithTags and remove MetricOpts * refactor(monitoring pkg): adds Tag and TagValue types * refactor(monitoring): WithTags -> With * fix(metric): k8sErrors had wrong tag * More detailed errors when kube-inject fails (#15198) * Test Framework: Add target for simple new installer tests, and minor fixes (#15138) * Add test target for new installer and fix issues This PR accomplishes two things: * Gets the same tests running on istio/installer running on istio/istio so changes in istio/istio are less likely to come in that break the installer repo * Makes some minor modifications to get the tests 
passing In the long term, we will have the test framework actually do the installer, but there are still some open questions on how that will be done. In the short term getting this test enabled will help the installer progress. * Run format * Use strict version for zipkin (#15187) Signed-off-by: clyang82 <clyang@cn.ibm.com> * change to apps/v1 (#15210) * change to apps/v1 for samples (#15212) * change to appsv1 (#15213) * Creating helm charts for local release. (#15137) * Local build * Local build * Fix shell * Add docker_tag * Fix lint * Removing some dups * License * License * License * Push images to docker hub * Local 5 * branch * Finish local build with creating helm charts * shellcheck * fixes * Fixes * right code * apps/v1 for tests (#15211) * apps/v1 for tests * fix typo * Refactor server.Args out to its own package. (#15202) * Refactor server.Args out to its own package. - Move all settings into Args struct. - Make handling of defaults in command-line uniform. - Minor code analysis fixes. * Add missing edit. * Fix lint errors * fix server_test.go * suppress lint check * Fix imports. * [Fix] retain CommonLbConfig for HealthyPanicThreshold (#13682) (#15220) * Align service resolution with Pilot's validation (#15067) * Align service resolution with Pilot's validation - This change makes service resolution more aligned with Pilot validation during the converson of an instance to serviceEntry in Galley * Use external service endpoints if K8s endpoints are empty * Fix handler test * Grant k8s namespace read permissions to Citadel (#15113) In order to check labels attached to a namespace, Citadel must have k8s cluster permissions to read namespace resources. In the current chart defaults, Citadel is not granted *any* namespace related permissions, despite making a namespace read in the istioEnabledObject function. 
* Fix for Makefile breakage in #15140 (#15196) Fixes #15192 * [Testing] New utility for downloading Envoy binary (#14922) This is split out from #14614 and is needed for dynamically building docker images for the Echo component. Overview: - Added parsing for istio.deps - Moved test utilities for downloading and extracting tar.gz files to pkg/test/util - Added utility for downloading the current release of the envoy linux binary. * add yamllint (#14904) * add yamllint check into prow * fix encoding issue for grafana/values.yaml * fix encoding issue for values.yaml * Fix metric description typos (#15111) Found those while looking at metrics endpoint. * Replace zipkin test using new integration test framework (#14769) * Replace zipkin test using new integration test framework Fix golang errors Add license headers Fixed based on feedback Change calls to product page to 1 from 10 for client tracing Add ability to query for client trace id Fix golang error * Fix golang error * update kind installation step. (#15251) * read rootcert from configured ns to connect to citadel (#15199) * read rootcert from configured ns to connect to citadel * fix error nodeagent->citadel in configured ns * rename * desc * Fix testMTlsWithAuthNPolicy by not using --export in kubectl (#15278) * make keepalive EnforcementPolicy.MinTime equals keepalive interval (#15254) * Build distroless proxy_init image with go version of istio-iptables (#14985) * Build distroless proxy_init image with go version of istio-iptables Co-authored-by: Philipp Stehle <philipp.stehle@sap.com> * Renamed istio-iptables.sh to istio-iptables for distroless * [Test Framework] Rewrite Native Echo with Docker (#14614) This changes the native Echo component to use Docker to address many limitations of the existing native implementation. The native environment now creates its own Docker network, to which all Echo instance containers are attached. Since they're all on the same Docker network, they have built-in reachability. 
The Echo+sidecar Dockerfile is a blend of the existing Dockerfile and the setup used for raw VMs. Going forward, I expect we'll build on this and create a common Dockerfile to support non-k8s use cases. Limitations: - This PR does not yet enable mTLS. The connection to Pilot has been switched to TLS, however the mesh config is not truly configurable yet in the native environment. We need to re-think how helm settings might be set for the native environment. - The Docker images are currently built every time the tests are run. While this guarantees that we're running with the latest, it adds a bit of time to the duration of the test run (e.g. the sidecar image takes ~30s to build). Need to investigate ways of detecting when the image needs to be built to avoid this overhead, as well as the additional storage required for several duplicate Docker images. - Currently using a copy of Go code for performing the untar of the downloaded Envoy. Should investigate alternatives or write our own version. - Not currently using the node agent. Once we have a native citadel, we can consider enabling it. Fixes #13177 * Fixes #15250. Add support for HTTP1.0 for sidecar inbound listeners (#15262) * Fixes #15250. Add support for HTTP1.0 for sidecar inbound listeners * Adapt to move of pilot.HTTP10 to features.HTTP10 * Turn off more CircleCI tests covered by prow (#15068) * Turn everything but cloudfoundry circle test * Turn on nightly builds for some tests * Turn off noauth * change order (#15263) * jwt: add metric for network fetch (#15013) * jwt: add metric for network fetch * fix metrix name * fix lint * update to use monitoring pkg * Update pilot/pkg/model/jwks_resolver_test.go Co-Authored-By: Bot from GolangCI <42910462+golangcibot@users.noreply.github.com> * jwt: update to use unified jwt token in e2e tests (#15224) * jwt: update to use unified jwt token in e2e tests * fix test * Include sds stats back into ingress gateway proxy and sidecar proxy. 
(#15266) * update * check sds stats * check sds stats * update * update * format * format * revise * revise * fix the handling of empty secret * update test * format * revise * revise * add sds stats inclustion into bootstrap config * revise * update test * Fix policybackend indentation (#15298) * adding date (#15303) * Make Galley yaml to proto conversion nonstrict (#15307) * make toProto nonstrict when converting values * Looks like we also test this in converter, updating there too * add integ case for virtualservice with and without extra unsupported params * Add a process package to galley/pkg/server for tracking sub-components (#15203) * Add a process package to pkg/server for tracking sub-component. - process.Host is a basic container of multiple sub-components. - process.Component is an interface to be implemented by sub-components. * Fix lint errors. * Accommodate CR feedback. * Fixing macos docker build (#15294) This was broken by #14985 * Componentize code by moving it into server/components. (#15227) * Grafana additional env for config changes (#14796) * Added section for configuring additional environment variable configs for grafana to override certain grafana.ini settings like adding SMTP settings. * Removed redundance templating code. Moved grafana env to demo config file. * Removed demo grafana config file. Moved the env and envSecrets values to grafana chart values file with comments on how to use. * Fix getServiceLoadBalancer (#15344) A recent change (#14944) modified this logic which was causing it to no longer actually poll for the ingress ip -- it would return "" and use that rather than erroring properly. With this change we will continue to retry if we don't get a valid IP. * format code (#15259) * Fix TestRBACV1Group and TestRBACV2Group (#15314) * fix JWT token * use groups instead of group * one more file * fix format * Accommodate CR feedback. 
(#15340) * Turn off HPA on demo profile (#15346) Currently each component has 10m cpu requests and an HPA that scales at 80% CPU usage meaning they will immediately scale up. This turns off the HPA for the demo. * Optimize yamllint to run in one process (#15335) Previously we ran a new process for every yaml file. yamllint can just take in a list of files to run, and handles this much more efficiently. On my machine, this broguht runtime from 75s to 15s. * minor galley component test cleanup (#15348) * Update KinD e2e test suite (#15308) * Update KinD e2e test suite * Set imagePullPolciy=Never per KinD docs * Fix image loading -- before it was only loading the last image not all of them * Set ARTIFACTS_DIR so the script can be run locally * Fix shellcheck * Fix accesslog integration tests (#15387) * Fix accesslog integration tests The log command was only getting the last 10 results, so it was missing the logs it was looking for. Additionally, cleaned up the error message to expose what log was actually missing rather than "one of these 3 logs was missing" * Get all logs * Deflake Redisquota Fixed Window (#14958) In the flakes, test fails as if the ratelimit rule has not been applied. Adding a retry, so as to give change for the rules to sync in properly Format the files Send some initial traffic to boot up the system. This had helped ratelimit tests to be more stable in old framework Dont change defaultlessthanoverride test as it is not flaky in postsubmits * Add cert expir time into pushed certs (#15336) * add cert expir time * add debug log * add debug log * remove debug log * revise * revise * format * revise * lint and format * revise * fix tests * lint * remove waring from yamllint (#15353) * Use docker.push instead of push in prow tests (#15139) The push command also does some installgen stuff which wastes 5+ minutes. 
* Standardize and increase E2E timeout (#15295) * fix a typo (#15368) * add myself to owner file (#15391) * add myself to owner file * update * Fully qualifies images names for all Istio sample charts. (#15195) Fixes: #14237. Signed-off-by: Jason Clark <jason.clark@ibm.com> * Cleanup unused prow scripts (#15389) These scripts are no longer needed; the prow just just directly call the targets. * update istio api and tidy (#15393) * Fixes #12873. Add support for Sidecar.OutboundTrafficPolicy to configure outbound traffic policy individually per cluster instead of on a cluster global scope (#15257) * code clean (#15282) * code clean * fix ut * decouple webhook configuration reconciliation (#12571) * decouple webhook configuration reconciliation Signed-off-by: clyang82 <clyang@cn.ibm.com> * remove unused param Signed-off-by: clyang82 <clyang@cn.ibm.com> * Address review comments * try to fix TestJobComplete flake (#15398) * try to fix TestJobComplete flake * makes curl in a loop * fix sh loop * Add cloudfoundry target for prow (#15404) * Set tail to high number for access log test (#15395) A prior commit was settting this to -1, which apparently doesn't work on all versions of kubectl and wasn't caught because the test is not required. Setting this to a high number will work on all versions. * Reenable mixer test (Fix #12750) (#14821) * Fix #12750 Make TestIngessToPrometheus_ServiceMetric less flaky by sending more than 1 productpage request. Ref: https://github.com/istio/istio/issues/14819 Make TestTCPMetric more resilient by sending more than 1 request. 
Fix fmt * Make util.SendTraffic use new method signature * Allow /quitquitquit on localhost only (#15406) * Allow /quitquitquit on localhost only * Add tests * Fix linter * Remove debugging code * Update bookinfo sample to propagate Datadog headers (#14442) * Propagate datadog tracing headers in bookinfo apps * Changes requested in review comments * update proxy sha to cb503fe (#15342) * update proxy sha cb503fe Update Envoy-WASM SHA to latest. (#2295) e2e9c43 Fix header parsing in JWT filter (#2291) 716f81b Update Envoy WASM sha to the latest (#2286) 6f1a58c Limit resource usage on Prow. (#2289) bfc559d Fix checks on master. (#2287) 2a21f69 Set Istio authn filter to prefer using Envoy jwt filter if found (#2281) e954534 Update common files. (#2280) 5c150dd Fix lint (#2279) b00c974 add insufficient include (#2275) af8f3c8 Report StopIteration if connection is closed (#2270) 362fdf1 Update Envoy SHA to latest with option to select WASM runtimes. (#2273) 59ad44d Add a simple setup for testing communication between 2 envoys (#2262) c77759c Use envoy-wasm as upstream (#2252) ac78dc0 Import common files into this repo. (#2251) 5747f69 Replace qiwzhang who has left the project with crazyxy. (#2241) (#2243) 83f6566 Replace qiwzhang who has left the project with crazyxy. (#2241) * fix listeners * update go-control-plane * Align httpstatus fault validation with envoy (#15382) * Align httpstatus fault validation with envoy * Update test case * Add support for running integration tests in kind (#15415) * jwt: switch to use Envoy JWT filter (#14938) * jwt: add support for Envoy JWT filter * fix format * fix * support RCToken * update vendor * Fix native racetests (#15388) * Fix docker.newInstance race * Fix conformance MCP race failure * Fix reachabiltiy test race condition * Protect with mutex and revert docker changes * Remove dead test code (#15403) This test code is not used anywhere and keeping it around just causes confusion. 
These tests have migrated to istio/tools which has expanded far beyond this and kept up to date. * Stackdriver tracer: part I, generate bootstrap given meshconfig (#15345) * Add Stackdriver tracer thru OC * update go.mod for tests * Add basic default Grafana dashboard for Citadel [Issue 15228] (#15297) * Add basic Citadel dashboard with performance metrics, secret-controller metrics, general Citadel metrics, and error metrics * Add axis labels, remove duplicated CPU metric query * Fix dashboard row sizing stretch fit * Add back test target to circleci nightly (#15384) We previously added back some targets to run on circleci nightly so we can compare to prow, but the test target was deleted so the tests are failing. This just adds the same test target back. * Fix misleading error message in pilot-agent (#15409) Previously this would log `error: <nil>` every time an exit was triggered which was confusing. This makes it so it is only logged when an error actually occurs. * Use envoy with symbol and add gdb, strace, pstack to docker image (#14483) * Fix junit on integration kind tests (#15436) * Revert "Use envoy with symbol and add gdb, strace, pstack to docker image (#14483)" (#15441) This reverts commit 5f0726987db5c383ccea77543ae0832ca4e8d6e7. * Remove GCP Deployment Manager support in installer (#15438) * Makes the release grab the actual latest version (#15449) * Remove Ansible as it is unmaintained (#15443) In the future if individuals wish to maintain Ansible installation, that would be fine. The environments WG sees the role of Ansible to handle mesh expansion automation. * Make invalid test configs valid k8s configs (#15447) Right now these configs were rejected by kubernetes before even reaching Galley validation on Kubernetes 1.15+. This change makes them valid from a kubernetes perspective, but still invalid from Galley perspective. 
* Update pilot service registry aggregate controller to use rlock (#14953) * Add myself to pilot e2e (#15289) * Adapt e2e-suite.sh to allow execution with existing cluster (#15402) Add dummy comment to retrigger test. Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com> Co-authored-by: Jakob Schmid <jakob.schmid@sap.com> * Fix RPM building (#15446) - Use newer git - Use newer go - Use clang instead of gcc Closes #15423. * Fix invalid kubernetes yaml in tests (#15463) * fix(dash): specify job in cadvisor queries (#15481) * Remove unused circleci tests (#15466) The cloudfoundry test has been migrated to circleci e2e-simple test does not exist, throwing errors. We agreed to have build+test+one e2e test so I think its ok to remove. * Optimize kind tests suite setup (#15464) * Load kind images in parallel * Add time command so we can measure if this is better or not * Remove build step -- it is not needed * Allow auth strategy configuration in Kiali Helm chart (#15016) * Add OpenCensus metrics for citadel agent for outgoing requests + add monitoring package from istio/pkg (#15413) * Add OpenCensus metrics for citadel agent for outgoing requests * Switch to use the monitoring common package * allow users to add listeners using envoyfilter patch (#14398) EnvoyFilter: remove Filters validation The Filters field is now deprecated. Users should be using the ConfigPatches field instead. In the case where a user includes Filters as part of the EnvoyFilter configuration, the deprecation warning is logged. 
use frozen istio config store in cluster test allow users to add listeners using envoy filter patch allow users to add clusters using envoy filter patch * remove verification of nondeterministic stats (#15495) * envoy filter: merging struct into any util (#15491) * envoy filter: merging struct into any util Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * lint Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * Only delete each staled connection key once (#15506) * Only delete each staled connection key once * Avoid race condition * Add nodeagent debug endpoints (#15418) * Remove warn log message of ignored Consul service tag (#15452) Fix issue: Too many warn of ignored Consul service tag #15426 Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * feat(proxy metadata): introduce istio.io/metadata in proxy node metadata (#15143) * feat(proxy metadata): introduce istio.io/metadata in proxy node metadata * feat(canonical service): add initial support for canonical service label * fix(labels): restore direct inclusion of labels in metadata * fix(test cases): add env vars to golden file test case * fix(test): address stackdriver golden test failure * fix(tests): move locality into pod labels * cleanup code * Fix checkDeploymentsReady. (#15462) Co-authored-by: Jakob Schmid <jakob.schmid@sap.com> * Add pkg/bootstrap owners (#15483) * Add comments to exported sdsservice functions (#15474) * fix a typo (#15486) * Fix concurrency docs on values.yaml (#15383) * Fixes #14842. Make BookInfo reviews service handle timeouts of rating service (#15489) * Update base image version for bookinfo-reviews sample app (#15480) Update the base image version from websphere-liberty version 19.0.0.4-javaee8 to 19.0.0.5-javaee8. 
Fixes: #15477 * Skip/reject k8s jwt authentication if SDS is disabled (#15445) * Skip/reject k8s jwt authentication if SDS is disabled * Update security/pkg/server/ca/server.go Co-Authored-By: Bot from GolangCI <42910462+golangcibot@users.noreply.github.com> * Fix linter issues * Only add k8s jwt to authenticator list if sds is enabled * Allow setting EnableNamespacesByDefault from command line (#15284) * Allow setting EnableNamespacesByDefault from command line Signed-off-by: clyang82 <clyang@cn.ibm.com> correct the condition * Address comment to use useCustomSidecarInjector Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * use customSidecarInjectorNamespace instead * Use imagePullSecrets in istio-init serviceaccount (#15472) * Use imagePullSecrets in istio-init serviceaccount * Remove unnecessary $ from serviceaccount.yaml * Extend ListenerBuilder to include Gateway listeners (#15502) * use builder for both code paths * extend builder to include gateway listeners * Fix istioctl integration test (#15532) * Add log on connection close done by Citadel Agent (#15539) * add log on connection close * update * Reject null header matches (#15549) * Split the server/client secret fetching into two k8s secrets (#15496) * support watching CA cert from separate k8s secret * update * lint * check total active listeners stats * lint * lint * revise * revise * goimports * revise * lint * Send output to files instead of stdout (#15339) * Clean up legacy pilot flags (#15548) * Clean up legacy pilot flags These features flags were intended to introduce risky code in the 1.1 release. As there have been no cases of needing this in 1.1 or 1.2, it should be safe to clean these up for the 1.3 release. Fixes https://github.com/istio/istio/issues/15442 * format * remote clusters mesh networks reload (#15553) * remote clusters mesh networks reload * fix lint * Fix typo in 'expected' (#15557) * Publishes istioctl binaries for GCS for separate (#15422) download. Addresses #11527. 
Signed-off-by: Jason Clark <jason.clark@ibm.com> * feat(node metadata): add GCP env metadata to node metadata (#15555) * feat(node metadata): add GCP env metadata to node metadata * goimports + strip platform-specific metadata * attempt at a better regex for removal * forget stripping the data, use wrapper method for testing * goimports on boostrap_config_test.go * Replace ServicePortByHostname by ServiceByHostname (#15566) The Service already has the port, so maintaining a separate data struce to hold the port just adds complications. * EnvoyFilter: patch/add/remove clusters and virtual hosts (#15515) * first cut Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * simplify Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * refactor Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * lint Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * adding vhost support Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * tests Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * lint Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * update api Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * update api Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * remove unneeded service instance guard for gateway (#15473) - This guard breaks Cloud Foundry, because CF does not need a service instance attached to the gateway. - This guard should not be needed by Galley; Galley should only be sending config when it is updated. - Tests have been doctored to address removal of guard. - The mock copilot has been removed, since it is unused. * Add msyelf to OWNERS file in tools dir (#15455) * Add containSubstring to structpath/instance (#15560) * fix(test flake): send more requests for trace tests to ensure cross flush boundaries in envoy (#15564) * Helm tests fail on distroless. (#15424) * Helm tests fail on distroless. Relates #15414. * Use ubuntu instead of proxy_init for enable_core_dump. 
Co-authored-by: Jakob Schmid <jakob.schmid@sap.com> * Make coreDumpImage configurable. Co-authored-by: Jakob Schmid <jakob.schmid@sap.com> * Fix injection-test. Co-authored-by: Jakob Schmid <jakob.schmid@sap.com> * Add unit test for increase test coverage (#15599) * Changes from running `go mod tidy` and `go mod vendor` (#15589) * Make --sinkMeta take effect for incoming connections too (#15501) * Override fixed nodePort values for testing (#15596) * update log scope (#15592) * Add SDS connection information into CSR logs (#15602) * update CSR log and refactor method interface * revise * revise * lint * revise * Ignore unknown types when parsing Envoy configuration (#15601) * Consolidate all Istio annotations into a common place (#15520) * EnvoyFilter: Validation & Pre-processing (#15561) * first cut Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * simplify Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * refactor Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * lint Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * adding vhost support Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * tests Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * lint Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * EnvoyFilter: validation logic for new api fields Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * update api Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * update api Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * api update and fixes Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * lint Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * fix tests Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * nit Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * nit Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * major update Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * Revert "major update" This reverts commit 
3dd6d37d3762e21ab2b22c001ded94b706cc8bcb. * Revert "Revert "major update"" This reverts commit 25625272a98655cb2d8ab2596dbead56916cb01f. * lint Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * nuke dead code Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * lint Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * Make all proxies, even gateways, have SidecarScope (#15569) By giving gateways a `ergess: */*` we can simplify the code and use the assumption that sidecarscope is never nil. This is a stepping stone to removing the old EDS legacy code entirely * Fix FQDN for docker using test framework (#15590) * Fix FQDN for docker using test framework In an attempt to get the trafficshifting test running natively, I found there was an issue with the FQDN construction. The kube component has the domain set to "svc.cluster.local", which is not really true, the domain is just "cluster.local" but it works fine because pilot-agent is actually using "cluster.local" for the domain. For docker this works differently, and we are creating configs for "foo.ns.cluster.local" which is not the correct service. This change makes the domain "cluster.local" everywhere, and adds the .svc. part everywhere it is needed. Additionally, it enables the trafficshifting test using docker, which works with this change. * Fix unit tests, disable native trafficshift * Don't produce duplicate wildcard host matches (#15628) Currently, if there are two https services, both will attempt to create this wildcard listener. Later, one of them will be rejected and logged as an outbound conflict. With this change we check to make sure that not only does the filter chain we are building not already have a wildcard, but the existing listener also does not have a wildcard. 
* cluster: fix original dst cluster type (#15613) * fix original dst cluster type Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * minor doc * gaurd with enable redis flag Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * rbac: refactor with better modular and unit tests (#15508) * refactor authz plugin to security package * address comments * move v1/v2 code to separate directory * fix lint * Don't report send error for expected errors (#15636) Right now a metric is incremeneted for every send error. The vast majority of the time this error is just due to standard operations with the connection closing while sending. This masks real errors. Once https://github.com/istio/istio/pull/15476 is merged and we have these errors displayed more prominently, we will not want to display these false positives. * fix stackdriver adapter getting shutdown (#15612) * Update license checker to use modules instead of packages (#15595) * Update license checker to use modules instead of packages * Add those modules with no license file to missing license output * Update to license path based on mod cache from URL and add knownUnknownLicenses * Additional logging to help determine failure point * Update to latest istio/api version (#15657) Annotations have been updated to clearly indicate alpha-level annotations. Also added annotations for synthetic service entries. * Add log dumping to kind to help debug integration test failures (#15637) * Retry and increase log level on kind creation We are seeing lots of flakes due to kind failing to create the cluster. This adds retries to cluster creation, and increase the log level so we can help root cause the issue. 
* Fix retry and shellcheck * Remove retries, dump logs * retain cluster * Build only images needed for tests (#15642) * Add sample traffic conformance tests (#15172) * Add minimal traffic conformance tests * Fix vendor * move 3rd party images to values (#14815) * refactor the rbac integ tests to reduce test time (#15643) * refactor the rbac integ tests to reduce test time 1) Puts all tests in the same package (main_test.go) to reuse the same Istio cluster and avoid creating/deleting the Istio cluster multiple times. Each test case will deploy the RBAC policy in their own namespace. 2) Do not wait for 60 seconds in each test case. The RunRBACTest() function will just retry for 10 times. So if there is any delay in policy propagation, it should be covered by the retry already, so it doesn't make too much sense to wait for another 60 seconds. * tweak the retry delay from 1.0 to 0.5 seconds and timeout from 10 seconds to 15 seconds * Reduce Galley unit test flakes (#15667) These tests fail sometimes due to trying to use a port that is already in use (9876). * enable multiple Set-Cookie headers (#15581) * enable multiple Set-Cookie headers - split DirectHttpResponse handling to its own function (ease testing) - split Set-Cookie header to multiple APPEND directives * add test for duplicate set-cookie header in directive * Add version suffix for crd jobs (#15677) * add version suffix for crds creation jobs. * update crds job names. 
* Refactor pilot dashboard to improve key metric visibility (#15665) * fix(pilot dash): refactor pilot dash to improve ux * Additional improvements * Table for the no known endpoints * More envoy stats, like connection failures and XDS size * exclude values from dashboard test * Fix quotes * fix wrong italic format (#15655) * fix wrong italic format * fix wrong italic format * fix wrong italic format * fix wrong italic format * fix wrong italic format * fix wrong italic format * Update config URL (#15153) Old link 404s * Add support for specify redirectCode in HTTPRoute (#15650) * Mark redis policy tests as flaky (#15687) * Fix kiali upgrade issue (#15690) Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * Update versions field in crds definition. (#15615) * multi-cluster panic fix (#15700) * Refactor pilot pushing logic (#15405) * connection queue * Add tests * Improve comments, fix tests * Use sync.cond to fix race condition * Fix race * Clean up lint * Fix race, add license * Add proxy queue time metric * Fix test * Set push start time explicitly * Cleanup hacky virtual inbound listener code (#15585) * Cleanup the hacky virtual inbound listener code Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * fmt Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * split * test fix Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * test fix Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * Add node image, skip options to kind tests (#15684) Specifying the node image will be needed to test against multiple versions of Kubernetes. Skipping setup or image building is useful for running locally. * Add a Dockerfile linter to our tests (#15484) * Hadolint first pass Decided to ignore a lot of message by default. We should fix those in several passes. 
* Apply suggestions from code review Remove useless comment * Address shellcheck issue Also fix a ignore * Address @howardjohn 's comment * Address @howardjohn 's comment on vendor directory * Address @johnma14 's comments * Address @ericvn 's comments * Move check_dockerfiles to common files * Verification of shell substitution Aparently was not caught by shellcheck and doesn't pass tests as intended. If CI/lint pass on this, we need to submit the check_dockerfile.sh to istio/common_files * Use bash * Fix shellcheck * Fix commonfile linter * Address @rlenglet 's comments * Forgot to remove ignore in previous commit * Refactor pilot test organization (#15608) * Refactor pilot test organization Prior to this change we had a package per test, making an unneccesary number of istio install/teardowns. Any test without a special set up can just be in the top level pilot package. This required some changes to the existing test in the top level (for some reason it was blocking the Close() method when it wasn't using the "new style" of tests) and some improved error reporting for trafficshifting. * Add license * Optimize contextgraph batch send algorithm (#15689) * Optimize contextgraph batch send algorithm This function attempts to split the request size to be the largest possible request that is smaller than the request size limit. It did this by linearly checking size(list[:n]), size(list[:n-1])... This ends up being extremely slow, because proto.size is not a very cheap operation for such large objects. In the case of racetests, this test was taking over 5 minutes sometimes. This modifies the algorithm to do a binary search for the optimal request; behavior should be the same. 
With this change: BenchmarkSendBatch/Size2-8 500000 3042 ns/op BenchmarkSendBatch/Size200-8 10000 135250 ns/op BenchmarkSendBatch/Size20000-8 30 52180768 ns/op Without this change BenchmarkSendBatch/Size2-8 500000 3082 ns/op BenchmarkSendBatch/Size200-8 10000 140837 ns/op BenchmarkSendBatch/Size20000-8 1 7999998085 ns/op This represents a 150x improvement on large request sizes and a negligible change for small requests Alternatively, if we don't care about the performance of this function, we can disable it in the racetests and leave this code as is. * Linear search by looking at individual size New benchmark: BenchmarkSendBatch/Size2-8 500000 3199 ns/op BenchmarkSendBatch/Size200-8 10000 138123 ns/op BenchmarkSendBatch/Size20000-8 100 24098886 ns/op This represents a 2x improvement over the previous commit and 300x improvement over the original * Look at size of message only once * Don't undershoot by one * Enable XDS marshalling to Any by default (#15632) This feature improves pilot performance substantially, but was disabled by default due to some proxy CPU regressions we were seeing. Since some Envoy changes we have been unable to reproduce since then. This will still be able to be turn off if issues do arise, but for now it seems safe to enable this by default. * Fix race condition in adsc client (#15771) CloseSend and Send cannot be called concurrently, which is possible and does happen in our tests, failing racetests. CloseSend is NOT required and also doesn't actually close the stream (but we do that in the next line anyways). See https://github.com/grpc/grpc-go/issues/2927 for details. 
* Fix: Consul high CPU usage (#15509) (#15510) * Fix: Consul high CPU usage (#15509) Add cache to avoid repeated remote calls to Consul catalog REST APIs Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix race test Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * move private methods down Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * Generates sha256 for each istioctl archive published to GCS. (#15629) Signed-off-by: Jason Clark <jason.clark@ibm.com> * iptables: for listener using filter chain (#15710) * iptables: for listener using filter chain * fix test * iptables inbound capture port: cli flag and always enable (#15681) * add cli switch for specifing iptables inbound capture port Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * always use separate capture port for inbound traffic Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * update goldens Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * separate variable * update goldens Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * shell check Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * Disable Envoy's panic mode as default (#15609) * [Fix] retain CommonLbConfig for HealthyPanicThreshold (#13682) * retain the HealthyPanicThreshold field even if it's set to 0 for disabling Envoy's panic mode (#13682) * fix a comment and add a test for disabling panic threshold as default * run go fmt * run gofmt -s * reword a comment * remove link * Add mandarjog and nmittler to tools OWNERS (#15780) * Move Citadel workloadsecret.go metrics from prometheus to opencensus (#15223) * pilot agent change to support sds at bootstrap time (#15420) * pa * lint * test coverage * test cover * format * simplify code * cleanup * address comment * cleanup * cleanup * wait sdsudsfile only in controlplane when authn enabled * test cover * test cover * rebase * test * unit test * rebase * lint * address comment * token meta * Disable frozen config store (#15671) The frozen config 
store was meant to detect when we were modifying the configs returned from the config store. However, this caused issues, because we actually do want to modify - in particular, we sort the configs. Freezing + sorting can lead to obscure segmentation faults due to the freeze library using unsafe pointers, which was causing test failures. * Fix TestWorkloadAgentRefreshSecret racetest failure (#15794) * Split out common config items from Pilot (#15634) * Added TCP telemetry for BlackHole/Passthrough cluster (#15512) * Added telemetry for BlackHole/Passthrough cluster Fixes: #14664 Implements partial fix for #7669 * Updated pluging interface with OnVirtualListener method * Updated HTTP routes plugins for default clusters * Fix and update integration test * Change function name to onVirtualOutboundListener * Add destination service name for BlackHole/Passthrough * Created const for Passthrough/BlackHole route names * Change pkg/model to pkg/config * Fix TestServerSource race condition (#15799) If we set the desired error after we start the stream, the stream could have a real error before we get to setting the error. * Disable Test_KubeSecretController in racetest (#15769) * Make PushQueue test less flaky (#15786) The previous test depended on ordering of goroutines which is not reliable. It would consistently fail when running repeatedly. This change refactors the test to provide more coverage while not relying on any undefined ordering. 
* Fix metrics proxy port (#15807) * Cleanup makefile and prow scripts (#15685) * Remove junit for lint, set pipefail once * Remove ARTIFACTS_DIR and special junit outputs * Fix racetest junit * refactor listener.go (#15828) * enable locality weighted lb by default (#15014) * enable locality weighted lb by default * fix lint * fix ut * update mesh config helm template * revert * fixes for markdown style and typos (#15816) * Fix consul monitoring test flakes (#15821) Previously, the tests would wait for some period of time and check if it got any updates. This timing sensitive test fails often when CPU is throttled or slow, especially in -race or coverage mode. Additionally, one of the tests depended on the order of a map which is undefined. This change sorts the map output to be deterministic and changes the test to poll for success rather than wait and check. * rbac: remove the deprecated RBAC mixer adapter (#15675) * fixed typo: you-project => your-project (#15812) * Fix port collision on the Ctrlz component tests. (#15836) * Revert "multi-cluster panic fix (#15700)" (#15830) This reverts commit 0c93b9d75536b3134888b89edbcf04d35ec82054. * Fix testing flags showing up in release binaries (#15797) * Move test helper to test package * add test * Skip tests in codecov * Revert "Move test helper to test package" This reverts commit 1ed6cec3fe888e7851f5e050bc480e86035bdddb. * Replace testing with interface * Cleanup and properly document pilot env vars (#15801) * Cleanup and properly document pilot env vars Currently most of our environment variables are undocumented, and some also use the wrong types. This makes it very confusing because you can set FOO=false and it actually turns on FOO. This change cleans up these cases, and adds documentation to most of the variables used in pilot. 
* Fix errors * Upgrade kiali (#15372) * upgrade kiali Signed-off-by: clyang82 <clyang@cn.ibm.com> * upgrade kiali to 1.1 * Avoid inject panic with corner case (#15840) Signed-off-by: clyang82 <clyang@cn.ibm.com> * Make ServiceEntry follow Sidecar isolation (#13631) * Change hostname resolution to follow Sidecar See the design doc for more details https://docs.google.com/document/d/15-PU9O22Pb0qTzCfwK2hjwNTcb-CqFuw8JnIgwK3EIM/ This PR changes the behavior of Pilot when the same hostname is found in multiple namespaces (due to ServiceEntries). Previously, the behavior was undefined -- in some cases we selected an arbitrary service while in others we selected all services. The new behavior will always select a single namespace for a given hostname. If a hostname exists in multiple namespaces, one will be determined by the Sidecar scope. If the sidecar imports multiple namespaces with the same hostname, an arbitrary one will be chosen, favoring the proxies namespace if possible. * Get rid of dummy sidecar * Make InstancesByPort take a Service instead of host This is primarily meant to enable https://github.com/istio/istio/pull/13631, which will require the full Service * Make instances by port use proper namespace selection * Clean up dead code * Fix rebase errors * Various improvements to pilot tests to make them more hermetic (#15847) * Make listener_test use open port * Make appprobe test poll until ready * Make pilot-agent role tests not depend on global state * Enable skipped test with resolved issue * Integration tests for webhook in galley scaling scenarios (#15841) * Integ test for webhook behavior when scaling galley * integ test to verify webhook config deletion when galley uninstalled * PR review fixups * Move galley webhook tests into their own suite * Use subtests * Increase delay to wait for webhook reconciliation to act * Try fetch secret directly in case a secret is requested but cache doe… (#15672) * Try fetch secret directly in case a secret is 
requested but cache doesn't have it somehow * Don't put secret directly fetched from API call to cache * Mixer: add tests for direct HTTP response (#15781) * add test for direct HTTP response - status code - body setting - header manipulation * gofmt changes * Initial infinite request loop fix (#15833) * Add POD_IP match to prevent infinite traffic loops * fix lint * Disable for cloudfoundry test * Precompute filter * Add integration test * Also report number of virtual services known to pilot. (#14946) * Also report number of virtual services known to pilot. Only count virtual services for ISTIO_MESH_GATEWAY. Fixes #14932 * Move gauge for total virtual service count to initVirtualServices * add comment (#15015) * simplify the Envoy JWT filter config (#15854) * Fix duplicate close PortForwarder (#15813) * add configurable rolling update strategy. (#15586) * EnvoyFilter: match filter chains, http/network filters (#15639) * Match http/network filters Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * insert before or after Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * split into smaller files Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * tests and lint Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * test Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * lint Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * lots of tests Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * lint1 * test fixes * lint * disable until resolution * lint * update gogo Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * unskip tests Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * lint Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * integration test Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * config fixes Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * bug fix Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * lint Signed-off-by: Shriram Rajagopalan 
<rshriram@tetrate.io> * Detect ARM arch with variant when building (#15668) * detect arm architecture * remove hardcoded value * only normalize arm with variant * Support kube-uninject for istioctl command (#15573) * Support kube-uninject for istioctl command Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * Address review comments * avoid duplicated method Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * add more cases: handle enable-core-dump container/dnsConfig/annotations * add sidecar.istio.io/inject:false always * avoid panics Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * correct the comment for exported method * Update the chart version (#15893) Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * Fix goroutine leak on send timeout (#15897) Previously the done channel was unbuffered. This means that if a timeout occured, there would be nothing trying to read from `done`, which would cause it to block indefinitely. Because of this, every timeout resulted in a goroutine to be leaked. Now it is buffered so the send can occur even after the timer completes.
Supports editing, removing or adding new clusters/virtualhosts, as well as editing route configurations.
There is a set of optimizations to be done [pre-processing envoy filters]. These will come in a separate PR.
Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io>
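As an added illustration (not part of this PR or its description), an EnvoyFilter using the configPatches API this PR extends: a MERGE into an outbound cluster, a REMOVE of a gateway virtual host, and an ADD of a new cluster. The namespace, service host, virtual host name, cluster name and endpoint address are constructed, and the field names follow the released EnvoyFilter API rather than this PR's intermediate "update api" revisions.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: cluster-and-vhost-patches   # constructed name
  namespace: bookinfo               # constructed namespace
spec:
  # No workloadSelector: the patches apply to every proxy in this namespace,
  # so the GATEWAY patch below only reaches gateways deployed here.
  configPatches:
  # 1. MERGE: the value is proto.Merge'd into every cluster that matches, so only
  #    the fields given here change and the rest of the generated cluster stays.
  #    Scalars are overwritten; repeated fields (e.g. circuit_breakers.thresholds)
  #    would be appended to, which is why this patch only touches scalars.
  - applyTo: CLUSTER
    match:
      context: SIDECAR_OUTBOUND
      cluster:
        service: reviews.bookinfo.svc.cluster.local   # constructed service host
        portNumber: 9080
    patch:
      operation: MERGE
      value:
        connect_timeout: 2s
        per_connection_buffer_limit_bytes: 32768
  # 2. REMOVE: drop an entire virtual host from the gateway's route configuration.
  #    Istio names virtual hosts "host:port".
  - applyTo: VIRTUAL_HOST
    match:
      context: GATEWAY
      routeConfiguration:
        vhost:
          name: legacy.example.com:80   # constructed virtual host name
    patch:
      operation: REMOVE
  # 3. ADD: append a new cluster. The value is unmarshalled as a complete Envoy
  #    cluster, so every required field must be present.
  - applyTo: CLUSTER
    match:
      context: SIDECAR_OUTBOUND
    patch:
      operation: ADD
      value:
        name: audit-sink                # constructed cluster name
        type: STRICT_DNS
        connect_timeout: 1s
        lb_policy: ROUND_ROBIN
        load_assignment:
          cluster_name: audit-sink
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: audit.example.internal   # constructed endpoint
                    port_value: 9000
```

After applying it, `istioctl proxy-config cluster <pod>` on a matching sidecar should show the merged timeout on the reviews cluster and the new audit-sink cluster, and the gateway's routes should no longer list the removed virtual host.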