Merge remote-tracking branch 'upstream/master' into profiling

cmd/cue-gen/doc.cue

@@ -53,7 +53,7 @@ all?: {
 
 // directories is a map of directories, relative to the root, for which to
 // process proto files.
-directories <Dir>: [...{
+directories: [string]: [...{
 	// mode indicates which proto files to include in generated output.
 	//   all      include all proto files
 	//   perFile  generate a separate OpenAPI file for each proto file

common/.commonfiles.sha

@@ -1 +1 @@
-943115bd3d7cf4bb44ce0a01d4d618984d497d4d
+d1c990b8e308d92fe3a76db64f2c9ad11714b0ba

common/scripts/setup_env.sh

@@ -59,7 +59,7 @@ fi
 
 # Build image to use
 if [[ "${IMAGE_VERSION:-}" == "" ]]; then
-  export IMAGE_VERSION=master-2020-05-08T20-48-51
+  export IMAGE_VERSION=master-2020-05-20T22-13-03
 fi
 if [[ "${IMAGE_NAME:-}" == "" ]]; then
   export IMAGE_NAME=build-tools

docker/build-tools/Dockerfile

@@ -313,6 +313,7 @@ ENV YAMLLINT_VERSION=1.17.0
 ENV REQUESTS_VERSION=2.22.0
 ENV RUAMELYAML_VERSION=0.16.5
 ENV PYTHON_PROTOBUF_VERSION=3.11.2
+ENV PYYAML_VERSION=5.3.1
 
 # hadolint ignore=DL3008
 RUN apt-get update && apt-get install -y --no-install-recommends \
@@ -334,6 +335,7 @@ RUN pip3 install yamllint==${YAMLLINT_VERSION}
 RUN pip3 install requests==${REQUESTS_VERSION}
 RUN pip3 install ruamel.yaml==${RUAMELYAML_VERSION}
 RUN pip3 install protobuf==${PYTHON_PROTOBUF_VERSION}
+RUN pip3 install PyYAML==${PYYAML_VERSION}
 # hadolint ignore=DL3013
 RUN pip3 install /tmp/mako-0.1-cp37-cp37m-linux_x86_64.whl
 
@@ -383,6 +385,9 @@ RUN add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubunt
 RUN apt-get update
 RUN apt-get -y install --no-install-recommends docker-ce="${DOCKER_VERSION}" docker-ce-cli="${DOCKER_VERSION}" containerd.io="${CONTAINERD_VERSION}"
 
+# Update python3 to point to python3.7
+RUN ln -sf /usr/bin/python3.7 /usr/bin/python3
+
 # Clean up stuff we don't need in the final image
 RUN rm -rf /var/lib/apt/lists/*
 RUN rm -fr /usr/share/python

docker/build-tools/build-and-push.sh

@@ -41,8 +41,7 @@ ${CONTAINER_CLI} ${CONTAINER_BUILDER}  --target build_tools --build-arg "ISTIO_T
 # shellcheck disable=SC2086
 ${CONTAINER_CLI} ${CONTAINER_BUILDER}  --build-arg "ISTIO_TOOLS_SHA=${SHA}" --build-arg "VERSION=${VERSION}" -t "${HUB}/build-tools-proxy:${VERSION}" -t "${HUB}/build-tools-proxy:${BRANCH}-latest" .
 # shellcheck disable=SC2086
-# ${CONTAINER_CLI} ${CONTAINER_BUILDER}  --build-arg "ISTIO_TOOLS_SHA=${SHA}" --build-arg "VERSION=${VERSION}" -t "${HUB}/build-tools-centos:${VERSION}" -t "${HUB}/build-tools-centos:${BRANCH}-latest" -f Dockerfile.centos .
-# CentOS is temporarily disabled to workaround LLVM download issues
+${CONTAINER_CLI} ${CONTAINER_BUILDER}  --build-arg "ISTIO_TOOLS_SHA=${SHA}" --build-arg "VERSION=${VERSION}" -t "${HUB}/build-tools-centos:${VERSION}" -t "${HUB}/build-tools-centos:${BRANCH}-latest" -f Dockerfile.centos .
 
 if [[ -z "${DRY_RUN:-}" ]]; then
   ${CONTAINER_CLI} push "${HUB}/build-tools:${VERSION}"

docker/build-tools/docker-entrypoint.sh

@@ -21,7 +21,7 @@ gid=$(id -g)
 shopt -s dotglob
 
 # Make a copy of the hosts's config secrets
-su-exec 0:0 cp -aR /config/* /config-copy/
+su-exec 0:0 cp -R /config/* /config-copy/
 
 # Set the ownershp of the host's config secrets to that of the container
 su-exec 0:0 chown -R "${uid}":"${gid}" /config-copy
@@ -52,6 +52,6 @@ su-exec 0:0 chown "${uid}":"${gid}" /home
 
 # Copy the config secrets without changing permissions nor ownership for
 # consumption by tooolchains
-cp -aR /config-copy/* /home/
+cp -R /config-copy/* /home/
 
 exec "$@"

perf/benchmark/README.md

@@ -313,7 +313,7 @@ Currently we are running benchmark test towards different configs as [prow job](
 
 To add a new config to this pipeline, we need to add a new directory under [configs folder](https://github.com/istio/tools/tree/master/perf/benchmark/configs/istio), where we can define config parameters structured as below:
 
-- installation.yaml: install Istio with this IstioOperator overlay file on top of istioctl built-in default profile and [perf testing default overlay](https://github.com/istio/tools/tree/master/perf/istio-install/istioctl_profiles/default.yaml)
+- installation.yaml: install Istio with this IstioOperator overlay file on top of istioctl built-in default profile and [perf testing default overlay](https://github.com/istio/tools/tree/master/perf/istio-install/istioctl_profiles/default-overlay.yaml)
 - cpu_mem.yaml: if provided, run cpu, memory test with this config
 - latency.yaml: if provided, run latency test with this config
 - prerun.sh: prerun hook we want to run before test

perf/benchmark/configs/README.md

@@ -4,7 +4,7 @@ Currently we are running benchmark test towards different configs as [prow job](
 
 To add a new config to this pipeline, we need to add a new directory under [configs folder](https://github.com/istio/tools/tree/master/perf/benchmark/configs/istio), where we can define config parameters structured as below:
 
-- installation.yaml: install Istio with this IstioOperator overlay file on top of istioctl built-in default profile and [perf testing default overlay](https://github.com/istio/tools/tree/master/perf/istio-install/istioctl_profiles/default.yaml)
+- installation.yaml: install Istio with this IstioOperator overlay file on top of istioctl built-in default profile and [perf testing default overlay](https://github.com/istio/tools/tree/master/perf/istio-install/istioctl_profiles/default-overlay.yaml)
 - cpu_mem.yaml: if provided, run cpu, memory test with this config
 - latency.yaml: if provided, run latency test with this config
 - prerun.sh: prerun hook we want to run before test

perf/benchmark/configs/run_perf_test.conf

@@ -1,6 +1,6 @@
 mixer=false
 none=true
-plaintext=true
+plaintext=false
 telemetryv2_sd_full=true
 telemetryv2_sd_nologging=true
 telemetryv2_stats=true

perf/benchmark/run_benchmark_job.sh

@@ -73,7 +73,7 @@ INSTALL_VERSION=$(curl "https://storage.googleapis.com/istio-build/dev/${BRANCH}
 echo "Setup istio release: ${INSTALL_VERSION}"
 
 pushd "${ROOT}/istio-install"
-   DEV_VERSION=${INSTALL_VERSION} ./setup_istio.sh -f istioctl_profiles/default.yaml
+   DEV_VERSION=${INSTALL_VERSION} ./setup_istio.sh -f istioctl_profiles/default-overlay.yaml
 popd
 
 # Step 3: setup Istio performance test
@@ -95,8 +95,8 @@ pipenv install
 
 # Step 5: setup perf data local output directory
 dt=$(date +'%Y%m%d')
-# Current output dir should be like: 20191025_1.5-alpha.f19fb40b777e357b605e85c04fb871578592ad1e
-export OUTPUT_DIR="${dt}_${INSTALL_VERSION}"
+# Current output dir should be like: 20200523_nighthawk_master_1.7-alpha.f19fb40b777e357b605e85c04fb871578592ad1e
+export OUTPUT_DIR="${dt}_${LOAD_GEN_TYPE}_${GIT_BRANCH}_${INSTALL_VERSION}"
 LOCAL_OUTPUT_DIR="/tmp/${OUTPUT_DIR}"
 mkdir -p "${LOCAL_OUTPUT_DIR}"
 
@@ -192,7 +192,7 @@ function collect_envoy_info() {
   POD_NAME=${2}
   FILE_SUFFIX=${3}
 
-  ENVOY_DUMP_NAME="${POD_NAME}_${CONFIG_NAME}_${FILE_SUFFIX}.yaml"
+  ENVOY_DUMP_NAME="${LOAD_GEN_TYPE}_${POD_NAME}_${CONFIG_NAME}_${FILE_SUFFIX}.yaml"
   kubectl exec -n "${NAMESPACE}" "${POD_NAME}" -c istio-proxy -- curl http://localhost:15000/"${FILE_SUFFIX}" > "${ENVOY_DUMP_NAME}"
   gsutil -q cp -r "${ENVOY_DUMP_NAME}" "gs://${GCS_BUCKET}/${OUTPUT_DIR}/${FILE_SUFFIX}/${ENVOY_DUMP_NAME}"
 }
@@ -207,6 +207,13 @@ function collect_clusters_info() {
   collect_envoy_info "${1}" "${FORTIO_SERVER_POD}" "clusters"
 }
 
+function collect_pod_spec() {
+  POD_NAME=${1}
+  POD_SPEC_NAME="${LOAD_GEN_TYPE}_${POD_NAME}.yaml"
+  kubectl get pods "${POD_NAME}" -n "${NAMESPACE}" -o yaml > "${POD_SPEC_NAME}"
+  gsutil -q cp -r "${POD_SPEC_NAME}" "gs://${GCS_BUCKET}/${OUTPUT_DIR}/pod_spec/${POD_SPEC_NAME}"
+}
+
 # Start run perf test
 echo "Start to run perf benchmark test, all collected data will be dumped to GCS bucket: ${GCS_BUCKET}/${OUTPUT_DIR}"
 
@@ -230,7 +237,7 @@ for dir in "${CONFIG_DIR}"/*; do
        extra_overlay="-f ${dir}/installation.yaml"
     fi
     pushd "${ROOT}/istio-install"
-      DEV_VERSION=${INSTALL_VERSION} ./setup_istio.sh -f istioctl_profiles/default.yaml "${extra_overlay}"
+      DEV_VERSION=${INSTALL_VERSION} ./setup_istio.sh -f istioctl_profiles/default-overlay.yaml "${extra_overlay}"
     popd
 
     # Custom pre-run
@@ -248,6 +255,10 @@ for dir in "${CONFIG_DIR}"/*; do
     # Collect config_dump after prerun.sh and before test run, in order to verify test setup is correct
     collect_config_dump "${config_name}"
 
+    # Collect pod spec
+    collect_pod_spec "${FORTIO_CLIENT_POD}"
+    collect_pod_spec "${FORTIO_SERVER_POD}"
+
     # Run test and collect data
     if [[ -e "./cpu_mem.yaml" ]]; then
        run_benchmark_test "${dir}/cpu_mem.yaml"

perf/benchmark/runner/fortio.py

@@ -61,10 +61,10 @@ def convert_data(data):
 
     success = 0
     if '200' in data["RetCodes"]:
-        success = data["RetCodes"]["200"]
+        success = int(data["RetCodes"]["200"])
 
     obj["errorPercent"] = 100 * \
-        (data["Sizes"]["Count"] - success) / data["Sizes"]["Count"]
+        (int(data["Sizes"]["Count"]) - success) / int(data["Sizes"]["Count"])
     obj["Payload"] = int(data['Sizes']['Avg'])
     return obj
 

perf/benchmark/runner/runner.py

@@ -381,6 +381,7 @@ def maybe_start_profiling_threads(self, labels, perf_label):
         return threads
 
     def generate_nighthawk_cmd(self, cpus, conn, qps, duration, labels):
+        labels = "nighthawk_" + labels
         nighthawk_args = [
             "nighthawk_client",
             "--concurrency {cpus}",
@@ -389,7 +390,6 @@ def generate_nighthawk_cmd(self, cpus, conn, qps, duration, labels):
             "--open-loop",
             "--experimental-h1-connection-reuse-strategy lru",
             "--experimental-h2-use-multiple-connections",
-            "--label Nighthawk",
             "--connections {conn}",
             "--burst-size {conn}",
             "--rps {qps}",

perf/istio-install/README.md

@@ -50,5 +50,5 @@ In addition to setting up the core Istio, the prometheus operator and gateways f
 Arguments to the script will be passed to `istioctl during install`. For example, to install the latest version with the default config file:
 
 ```shell
-TAG=latest ./setup_istio.sh -f istioctl_profiles/default.yaml
+TAG=latest ./setup_istio.sh -f istioctl_profiles/default-overlay.yaml
 ```

perf/istio-install/istioctl_profiles/default.yaml → perf/istio-install/istioctl_profiles/default-overlay.yaml

@@ -1,9 +1,7 @@
-apiVersion: operator.istio.io/v1alpha1
+apiVersion: install.istio.io/v1alpha1
 kind: IstioOperator
 spec:
   components:
-    galley:
-      enabled: false
     ingressGateways:
     - name: istio-ingressgateway
       enabled: true
@@ -31,21 +29,17 @@ spec:
           value: external
     policy:
       enabled: false
-    citadel:
-      enabled: true
-    nodeAgent:
-      enabled: false
     telemetry:
       enabled: false
       k8s:
         hpaSpec:
           maxReplicas: 15
+          minReplicas: 1
           metrics:
             - resource:
                 name: cpu
                 targetAverageUtilization: 80
               type: Resource
-          minReplicas: 1
           scaleTargetRef:
             apiVersion: apps/v1
             kind: Deployment
@@ -87,8 +81,6 @@ spec:
       meshExpansion:
         enabled: true
         useILB: true
-      mtls:
-        enabled: true
       multiCluster:
         enabled: true
       podDNSSearchNamespaces:
@@ -122,4 +114,4 @@ spec:
             url: http://istio-prometheus.istio-prometheus:9090
       enabled: true
     tracing:
-      enabled: true
+      enabled: true

perf/istio-install/setup_istio.sh

@@ -79,7 +79,7 @@ function download_release() {
 function install_istioctl() {
   release=${1:?release folder}
   shift
-  "${release}/bin/istioctl" manifest apply --skip-confirmation --wait -d "${release}/manifests" "${@}"
+  "${release}/bin/istioctl" manifest apply --skip-confirmation -d "${release}/manifests" "${@}"
 }
 
 function install_extras() {

perf/security/sds-tests/ingress-sds/README.md

@@ -0,0 +1,57 @@
+# Test description
+
+This is a TLS ingress gateway SDS test.
+The test sets up a number of TLS ingress gateways for a group of httpbin services.
+The test creates a group of sleep pods, where each sleep sends HTTPS requests to a httpbin
+service periodically. For example, sleep-1 sends HTTPS requests to httpbin-1.example.com,
+and sleep-2 sends HTTPS requests to httpbin-2.example.com. The sleep and httpbin are deployed
+in a test namespace with prefix "httpbin".
+
+## To run the SDS test that goes to Citadel
+
+- Create a GKE cluster and set it as the current cluster.
+Here this test is run on the cluster *istio-testing*
+on GCP project *istio-security-testing*.
+You may use `kubectl config current-context` to confirm that your newly created cluster
+is set as the current cluster.
+
+- Deploy Istio:
+Let the root directory of this repo be *ROOT-OF-REPO*.
+Run the following commands:
+
+    ```bash
+    cd ROOT-OF-REPO/perf/istio-install
+    DNS_DOMAIN=your-example-domain EXTRA_VALUES=values-istio-sds-auth.yaml ./setup_istio.sh release-1.5.1
+    ```
+
+    You may replace the Istio release
+    in the command to the Istio release to test.
+    After running the above script to deploy Istio, wait a moment for Istio to be ready.
+
+- Deploy workloads that request for certificates through SDS.
+*NUM* variable specifies the number of TLS gateway and client workloads. For example, `NUM=100` will
+create 100 TLS ingress gateway and 100 ingress secrets, and 100 sleep workloads as clients.
+*CLUSTER* variable specifies the cluster for running the test
+(the list of clusters can be viewed through "kubectl config get-contexts").
+The following example command will deploy a test namespace, with 10 TLS ingress gateway and 10 sleep workloads in
+the namespace.
+Note: the number of workloads can be ran depends on the size of your cluster.
+
+    ```bash
+    NUM=100 CLUSTER=gke_istio-security-testing_us-central1-a_istio-testing ./setup_test.sh
+    ```
+
+The log in sleep container shows number of requests sent to httpbin and number of successful responses.
+
+To download a specific version of istioctl and deploy the test worloads using that istioctl binary.
+
+    ```bash
+    NUM=100 CLUSTER=gke_istio-security-testing_us-central1-a_istio-testing ./setup_test.sh 1.5.1 pre-release
+    ```
+
+To delete the ingress secrets, use util script cleanup_ingress_secrets.sh. The example below deletes
+100 ingress secrets.
+
+    ```bash
+    NUM=100 CLUSTER=gke_istio-security-testing_us-central1-a_istio-testing ./cleanup_ingress_secrets.sh
+    ```

perf/security/sds-tests/ingress-sds/cleanup_ingress_secrets.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+NUM=${NUM:?"specify the number of gateway"}
+CLUSTER=${CLUSTER:?"specify the cluster for running the test"}
+
+kubectl -n istio-system delete secret ingress-root
+# shellcheck disable=SC2022
+for s in $(kubectl -n istio-system get secrets -oname | grep "httpbin-credential*")
+do
+  kubectl -n istio-system delete "${s}"
+done