Wire-up excluded resource types list to the CRD check and update logging #12143
duderino merged 3 commits into istio:release-1.1 from ozevren:gal-release11-resource-ready-check-logs
- Update logging.

Unrelated failure in e2e-pilot-noauth-v1alpha3-v2

| @@ -1,4 +1,4 @@ | |||
| // Copyright 2018 Istio Authors | |||
| // Copyright 2019 Istio Authors | |||
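Review bot: the copyright header on line 1 changes from 2018 to 2019, which has nothing to do with the CRD check or logging change this PR is titled for; drop the header edit so the file keeps `// Copyright 2018 Istio Authors` and the diff carries only the functional change.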
I believe copyright date corresponds to when the file was created and not the latest update. cc @geeknoid

This is the new GoLand version updating the copyright notice during commits. Given that they've added this as part of the commit model and enabled it by default, I assumed this was acceptable. Happy to revert if this is not the right thing to do. Things LG otherwise?

The changes LGTM sans the updated copyright date.

Updated Copyright dates.

@ozevren: The following tests failed, say

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ayj, ozevren

@duderino This wires-up the excludedResourceKinds to the CRD check. It ensures that Galley can start when CRDs are missing (and when explicitly set on the command-line).

* Fix routing when DNS is resolved (#11522) The DNSDomain variable needs to be enhanced to include more then one DNS entry. Change DNSDomain to DNSDomains as a meta and add the dnsConfig in the meta. As now DNSDomain is a slice of strings instead of a string, the variable needs consolidation. * adjust galley dashboard time range (#11627) * Add update permissions to deployments/finalizers for galley clusterrole (#11586) (#11631) (cherry picked from commit f9b6866) * [release-1.1] Update fluentd adapter to be more robust (#11623) * Update fluentd adapter to be more robust * Minor touchup of bad merge * Lint fixes * Fix kubernetesenv workload attributes for multicluster with one control plane (#11581) * remove myself from pilot OWNERS (#11632) * remove me (#11636) Signed-off-by: Kuat Yessenov <kuat@google.com> * add debug logs for citadel authenticate fail (#11633) * move apply plugin below buildscript (#11625) The Cloud Foundry open source licensing scanner has a plugin that identifies dependencies from gradle scripts, but it requires the buildscript and plugins block be before anything else in the file. This change does not affect the build, but makes our lives a smidge easier. Co-authored-by: Teal Stannard <tstannard@pivotal.io> * check key.pem (#11599) * Sample ServiceEntries for apt-get, pip, and git tools showing how to grant access to mesh. (#11508) * Samples for accessing apt-get repo, Github, and pip repo * A Readme explaining the samples * Link to future doc on default external comm capability * Incorporate documentation feedback from venilnoronha * Add support for metadata constraints in RBAC (#11459) * Add support for metadata constraints in RBAC This adds support for mapping RBAC constraints with keys in the a[b] format to Envoy's filter metadata matcher. 
Signed-off-by: Venil Noronha <veniln@vmware.com> * Use SplitN instead of Split for completeness This updates the metadata matcher definition to use strings.SplitN instead of strings.Split in order to capture the whole binary key in two parts. Signed-off-by: Venil Noronha <veniln@vmware.com> * Accomodate [list] and plain value type constraints This adds logic to accomodate filter metadata matching over both [list] and value type constraints. Signed-off-by: Venil Noronha <veniln@vmware.com> * Add extra experimental. prefix test for matching This adds an extra experimental. prefix test while creating metadata matchers based on Envoy filters. Signed-off-by: Venil Noronha <veniln@vmware.com> * Update comments This updates code comments. Signed-off-by: Venil Noronha <veniln@vmware.com> * add POST to ratings service to demonstrate security policies on HTTP Methods (#10778) * add POST to ratings service * put a space between if and opening parenthesis * add comments * remove extra line-break * Enable remote clusters to check/report to local Mixer (#11585) * Print error message if istio-sidecar-injector invalid, allow toJson as synonym for toJSON (#11570) * Fix racetest in fluentd test (#11647) * Bump the number of connection that can be re-use in Citadel (#11641) * Bump the number of connection that can be re-use in Citadel * A small fix * First cut of xDS APi structural testing using the new integration tests (#11406) * Fixes for k8s ingress (#11343) * Fix ingress in pilot, writeback and multiple namespaces * Fix tests, format * Fix test - the generated service should be left in the namespace of ingress * Additional test fixes, match the new 1.1 semantics * Again make fmt and lint not matching * Break up the helloworld sample into versions (#11650) * Break up the helloworld sample into versions * Moved to default namespace * Seperated gateway file and added labels * Update the doc * Cleanup section updated too * Fix build break due to #11406. 
(#11677) https://k8s-gubernator.appspot.com/build/istio-prow/pr-logs/pull/istio_istio/11645/istio-integ-local-tests/5215 * make stackdriver e2e test cluster wide (#11674) * Add handling for independent encoding in Report batches to Mixer (#11640) * Add handling for independent encoding in Report batches to Mixer * fix lll * Address review * protect protobag done * exit circleci test early if setup fails (#11572) * wip: exit circleci test early if setup fails Many of the circleci tests will attempt to run the e2e/integration tests even after the test setup fails. This leads to misleading test failures that suggest the problem is with the feature test and not the test setup itself. Example test runs where the setup failed and the test was run but immediately errored out because a dependency was missing: https://circleci.com/gh/istio/istio/316588 https://circleci.com/gh/istio/istio/317262 https://circleci.com/gh/istio/istio/318281 https://circleci.com/gh/istio/istio/316031 https://circleci.com/gh/istio/istio/315952 https://circleci.com/gh/istio/istio/315871 https://circleci.com/gh/istio/istio/315813 ref: https://circleci.com/docs/2.0/configuration-reference/#the-when-attribute ``` By default, CircleCI will execute job steps one at a time, in the order that they are defined in config.yml, until a step fails (returns a non-zero exit code). After a command fails, no further job steps will be executed. Adding the when attribute to a job step allows you to override this default behaviour, and selectively run or skip steps depending on the status of the job. The default value of on_success means that the step will run only if all of the previous steps have been successful (returned exit code 0). A value of always means that the step will run regardless of the exit status of previous steps. This is useful if you have a task that you want to run regardless of whether the previous steps are successful or not. 
For example, you might have a job step that needs to upload logs or code-coverage data somewhere. ``` * re-add `when: always` to codecov job * Implementation of isolation for EDS (#11672) * Implementation of isolation for EDS * Provide nil proxy for older calls * Always call loadAssignmentsForClusterIsolated * Revert "Always call loadAssignmentsForClusterIsolated" This reverts commit db2c997. * Env variable to disable * Lint * Environment Variable controlled Graceful Termination with low defaults. (#11630) * Feature flag graceful shutdown Turn graceful shutdown off by default for 1.1 with a feature flag that allows users to opt-in. Signed-off-by: Liam White <liam@tetrate.io> * Address pr comments Signed-off-by: Liam White <liam@tetrate.io> * Clean up missed feature flag var Signed-off-by: Liam White <liam@tetrate.io> * Add turn off test case, todo comments and fix agent tests Signed-off-by: Liam White <liam@tetrate.io> * fix lint Signed-off-by: Liam White <liam@tetrate.io> * PR review comments Signed-off-by: Liam White <liam@tetrate.io> * Move TerminationDuration function and tests to Pilot features Signed-off-by: Liam White <liam@tetrate.io> * Update Proxy SHA to latest (release-1.1). (#11687) Signed-off-by: Piotr Sikora <piotrsikora@google.com> * Add empty check for proxy's locality (#11681) Make sure empty proxy locality will fall back to using proxy service's instance locality. * Increase sleep value to account for Galley default aggregation of 1 sec with MCP (#11685) * cache ServiceAccounts and remove it drom Environment (#11442) * cache ServiceAccounts and remove it drom Environment * use allServices var * fix ut * Adding Envoy bootstrap template for a custom Pilot implementation. (#11395) * Adding Envoy bootstrap template for a custom Pilot implementation. New template connects to Pilot using Google gRPC Envoy client, which allows to perform authz by passing additional credentials. Placed into install/gcp due to being GCP installation specific. 
To enable this template, introducing {{ .discovery_address }} variable, which passes --discoveryAddress flag value "as is", without splitting it into address/port_value parts as currently done for the {{ .pilot_grpc_address }} variable. * Removing static interception listener from gcp_envoy_bootstrap.json as it is generated by the Pilot. * Update bookinfo images, fix the script to bump bookinfo versions (#11701) * add wildcard to digits in the sed regex, for setting version * bump a minor version * Add cli option to Galley to allow metadata on outgoing sink connections. (#11602) * Add cli option to Galley to allow metadata on outgoing sink connections. For use with sinkAddress, outgoing connections to MCP sink servers will have gRPC stream metadata attached as defined by sinkMeta. * Update sinkMeta to use key=value. * Review comments. * Error message if istioctl version doesn't match data plane version (#11592) * Additional error text if istioctl version doesn't match data plane version * Fix typo * Revise wording of error msg * Allow Envoy listener stats to be turned off/on with a pod annotation (#11398) * If sidecar.istio.io/statsPatterns supplied, customize Envoy stats collection * Versionize annotation tag * Change annotation to sidecar.istio.io/v1alpha1/statsInclusionPrefixes per Doug Reid * pin goimports in make fmt (#11645) * fix fmt Signed-off-by: Kuat Yessenov <kuat@google.com> * trying to run docker in circle Signed-off-by: Kuat Yessenov <kuat@google.com> * trying to run docker in circle Signed-off-by: Kuat Yessenov <kuat@google.com> * circling Signed-off-by: Kuat Yessenov <kuat@google.com> * circling Signed-off-by: Kuat Yessenov <kuat@google.com> * just dont use circle Signed-off-by: Kuat Yessenov <kuat@google.com> * add comment Signed-off-by: Kuat Yessenov <kuat@google.com> * Adding namespace declaration in Grafana PersistentVolumeClaim (#11314) When using the Helm chart with a user specific namespace and Grafana persistency enabled, the generated 
PersistentVolumeClaim for Grafana was missing a namespace, leading in the Grafana pod to be stuck in the Pending state. * Fix the periodic builds, add a non-mcp to presubmit (#11703) * Update api sha (#11709) * issue #11244 - demo should install a default secret for kiali so out-of-box experience is nicer for users kicking the tires (#11272) (#11715) (cherry picked from commit 1ad4e29) * [WIP] Fix sync issue with policy enablement and check enablement (#11707) * Fix sync issue with policy enablement and check enablement * Remove outdated comment * Support customization of Envoy bootstrap config (#11559) (#11702) * Support customization of Envoy bootstrap config This change allows override the default Envoy bootstrap configuration for a resource. A sample is included to show how it can be used. * Format code * Fix tests * Pull in new istio/proxy. (#11717) * Add experimental support for 'allowhttp10' (#11511) * Add AcceptHttp10 option to outbound listeners based on global or per sidecar setting * Clarify this is only for 'sidecar enabled' mode * Format and lint * Move http10 option, it was overriden * Add http10 to test, remove verbose * Format * Format * Use release-1.1 images for release-1.1 branch (#11725) * guard with gateway enabled (#11732) * guard with gateway enabled * remove and * Clean up Helm RBAC rules (#11234) * Add apps apiGroup to istio-security-post-install ClusterRole * Delete empty job file * Clean up ClusterRole apiGroups * Separate Kiali's ClusterRole rules into correct API groups * Fix list indentation * Remove OpenShift-specific "projects" resource from core apiGroup * Consolidate more RBAC rules * Update all RBAC resource apiVersions to v1 * Use service hostname as SNI match for TLS ports if virtual service is missing (#11735) * Use service hostname as SNI match for TLS ports Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * tests Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * bad port name Signed-off-by: Shriram 
Rajagopalan <shriramr@vmware.com> * unique port names Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * fix stateful set Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * handle multiple streams in nodeagent (#11738) * service change * unit test * debug log * lint * remove annoying log * Add duration time to stale EDS (#11568) * Tests for drain duration function (#11691) * Tests for drain duration function Signed-off-by: Liam White <liam@tetrate.io> * Licenses... Signed-off-by: Liam White <liam@tetrate.io> * typo Signed-off-by: Liam White <liam@tetrate.io> * Ability to override SAN from destination rule for ISTIO_MUTUAL (#11747) * Add ability to override SAN from destination rule for ISTIO_MUTUAL Fixes issue #11737 * Reformat code. * Fix the Citadel-apiserver connection proliferation issue. (#11743) * Fix the Citadel-apiserver connection prolification issue. * Small fix on logging. * Add comment. * Small fix on log. * Performance oriented helm defaults for release 1.1 (#11476) * Disable stdio adapter * Disable envoy access log * Add telemetry load shedding defaults based on existing data * Add telemetry limits and update hpa * when proxy locality is empty, apply it with service instance locality (#11727) * Get rid of subcharts (#11767) * Get rid of subcharts Now we can use `helm package istio` in the infrastructure to produce a downloadable Istio chart. Note any `helm package -u istio` usage will fail always, so any usage of that needs to be removed throughout the documentation or infrastructure. Finally the CNI helm chart or manifest must be installed if CNI is enabled. If enabling CNI and the CNI manifest is not installed, the Istio sidecar will fail. * Add dashboard checking to helm charts. * wrong path for dashboards * Fix dashboard test cases. * Change helm package -u to helm package * Another attempt at fixing the dashboards. * Fix rebase error. 
* update jaeger client (#11765) Signed-off-by: Kuat Yessenov <kuat@google.com> * Fix hostname match function returns wrong result sometimes (#11793) * Fix hostname matching function * wrong method call * fix lint errors * Remove `helm package -u` in favor of `helm package` (#11769) This work removes the ability to include packages from external helm repositories. This is to remove the `helm dep update` step. The hidden implication here is that CNI must be installed indepently but still enabled in the chart for it to be used. Not installing the CNI chart or manifest while enabling CNI will result in sidecar injector failures. * stackdriver adapter memory usage optimization (#11792) * sd adapter memory usage optimization * clean up test. * Remove calls to helm repo add (#11805) * Remove calls to helm repo add * One more place * Create internal interface argument for istio-iptables script. (#11321) * remove 'istiotesting' parent section for 'onenamespace' values. (#11588) * remove istiotesting in onenamespace values. * add comments. * fix typo. * add more tests for external service (#11752) * add more tests * add an error msg * more tests * fix char * rename test yaml file * mark as unreachable for TLS protocol with VS * add another test * remove wikipedia in many tests * remove dash * .* not allowed at hosts ending * looks like no VS for TLS protocol too * rename per shriram comment * address comment * delete not needed file * typos * when host has * must provide endpoints * remove redundant data * [Kiali] changes for the next version (#11513) (#11804) * changes for new kiali version * add create perms * secret is now optional though really required. this, however, let's kiali provide a more user-friendly error message when the secret is missing, rather than failing to start the pod. 
See https://issues.jboss.org/browse/KIALI-2308 and its parent https://issues.jboss.org/browse/KIALI-2303 (cherry picked from commit 322452a) * use YAML map nil value ({}) for meshNetworks (#11849) since meshNetworks is a map, the correct nil value is {} setting the nil value correctly will allow setting networks by helm command line, using --set : --set global.meshNetworks.network2.endpoints[0].fromRegistry=remote_kubeconfig --set global.meshNetworks.network2.gateways[0].address=0.0.0.0 --set global.meshNetworks.network2.gateways[0].port=15443 * Add configurable Mixer transport error retry (#11795) * Add configurable Mixer transport error retry Adds annotations for the number of retries, base wait time, and max wait time to configure Mixer transport error retry policy. If values are not provided, they will be left unset; defaults will be provided in istio/proxy. * Add more comments * new proxy sha for release-1.1 (#11857) * new proxy sha for release-1.1 * Run deps ensure to api * right sha * Adapt mixer client tests to new mixer filter counters (#11591) * Added new counters from #8224 to Mixer client tests. * Reformat * Add a map to manage FileBasedMetadataConfig (#11753) * use CredentialName for SIMPLE * cvc * rootca * update test. * update test * fix format * update gateway config * fix test * fix lint * fix test * add comments. 
* add nolint * update cvc * update * update * update * update * update * update * format * dep ensure --update istio.io/api * Revise per comments * Revise * lint * Marshal SDS call credential config using deterministic order * update * update * revise * add comment * update * move MCP settings to meshConfig (#11875) * move MCP settings to meshConfig Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * fix cert bug * enable allow any for outbound traffic demo profile (#11820) * remove helm repo add (#11896) * merge timeseries before sending (#11876) * Fix listener parsing with ipv6 addresses (#11861) * Fix listener parsing with ipv6 addresses Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * Fixing typo Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * add sample file to expose bookinfo productpage service as nodeport type (#11858) * add sample file to expose bookinfo productpage service as nodeport type * address comment * build network filters in inbound path, like outbound (#11907) * build network filters in inbound path Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * assorted fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * fix network filter stack Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * set allow any as the default for outgoing traffic (#11906) * set allow_any for default * enable egress for demo profile * enabel egress gateway for e2e testing * update comment per costin's comment * adding more docs * delete accidentally checked in file * minor typo * hope to get tests passing * remove spaces * [Kiali][release-1.1] Tell kiali about the new Pilot /version endpoint used to obtain Istio version string (#11833) * rebase (#11879) * citadel uses OpenCensus for self-monitoring (#10048) * citadel and pilot use OpenCensus for self-monitoring Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * modify based on 10270 Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * Use DefaultRegisterer instead of create a 
new register Signed-off-by: clyang82 <clyang@cn.ibm.com> * do not accept XDS connection if gateway has no service instances (#11905) * kill XDS if proxy has no service instances Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * undo Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * lint Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * fix cloud foundry test case failure * fix mcp test * fix crash * Update istioctl authn tls-check to take into account caller proxy (#11603) (#11924) * Lower resource requirements in demo profile (#11942) * Remove implicit usage of 'busybox:latest' (#11812) * add long description for verify-install (#11928) * add long description for verify-install * review * singular * update pilot mesh config default (#11950) * set allow_any for default * enable egress for demo profile * enabel egress gateway for e2e testing * update comment per costin's comment * adding more docs * delete accidentally checked in file * minor typo * hope to get tests passing * remove spaces * sync default with the mesh file * update test given we changed mesh default * update test * update test * update test * update test * update test * update test * add adapter secret mount into telemetry deployment (#11921) * add gcp credential secret mount into telemetry deployment * update * rename * add optional * remove helm values * update path * do the same thing for policy * mixer: minor doc fixes (#11958) * minor doc fixes Signed-off-by: Kuat Yessenov <kuat@google.com> * review Signed-off-by: Kuat Yessenov <kuat@google.com> * Rename sidecar.istio.io/statsInclusionPrefixes annotation (#11993) * Flexible DNS names (#11986) * WIP Flexible DNS names * More fix * Style filx * Fix error * Fix lint * Fix lint * fix lint * Fix pilot-agent application port 0 (#12001) * fix bug * fix comments * Remove duplicated keys (#10928) Remove duplicated keys in values-istio-test.yaml * Add shortnames 
for common crds (#11969) * Unit tests for sidecar config to sidcar scope conversion (#11901) * Unit tests for sidecar config to sidcar scope conversion * Unit tests for sidecar config to sidcar scope conversion * fix citadel health check issue. (#11965) * add imagepullsecrets for hook jobs. (#11666) * Add Auth to OOP handler (#10622) * add oop auth * simpliy get auth option logic * clear comment * address comment * custom mtls auth check * lint * add server name into tls config * figure out mixer SAN from mixer own cert * remove unnecessary comment * update customVerify * update customVerify * add test to cover untrusted certs in mtls * remove mtls option * lint * clear diff * test * Don't admit CRDs with unknown top-level keys (#11791) * Don't admit CRDs with unknown top-level keys Use term 'field' for error messages Check when admitting both Pilot and Mixer configurations * The admission control rejected a test yaml as invalid * Improve message wording and resolve TODOs by using 'mock' Kind * Add dynamic discovery and listener initialization for supported k8s resource types (#11871) * wip: dynamically discover supported crd types * fix linter errors * improve logs when resource type not found * increase code coverage * address review comments * add a comment * fix linter error * fix issue for generating custom gateway from chart. (#11970) * Let `kubectl get` show additional columns for popular Istio CRDs (#11734) * Annotate CRDs with the columns we would like printed by * Verbiage change suggested by Frank B * Explicitly include AGE column because some versions of K8s will not create it if additionalPrinterColumns are declared * Update ingress gateway TLS validation for credentialName (#11991) * use CredentialName for SIMPLE * cvc * rootca * update test. * update test * fix format * update gateway config * fix test * fix lint * fix test * add comments. 
* add nolint * update cvc * update * update * update * update * update * update * format * dep ensure --update istio.io/api * Revise per comments * Revise * lint * Marshal SDS call credential config using deterministic order * update * update * revise * add comment * update * Update validation * Use e2e values for e2e tests (#11952) * Use e2e values for e2e tests New settings were added to give e2e tests reasonable resource requests. However, some this target did not have these values applied, causing too many requests * hardcode e2e for just the failing test instead of all * generate_e2e_test_yaml not called, moving to own target * expose healthcheck port in gateway (#12041) * GetProxyServiceInstances should not depend on endpoint if there is associated services and pod (#11999) * fix incremental EDS bug: proxy may not get listeners config when endpoint arrive later than the first full xDS push * get endpoint by key instead of loop for all * fix memory leak in pilot (#11183) * fix memory leak in pilot * protect Shards and EndpointShardsByService * Make demo-auth use same resource requests as demo (#11956) * rename to TestDestinationRuleExportTo (#12009) Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * Fix the logic testing for errors (#12053) * Fix jaeger metrics path template (#11963) * Fix virtual machine parameter from "r" to "k" (#12062) * Istio Perf Dashboard fixes (#12049) * fix mcp source unit test (#12069) * Fix upgrade/downgrade issue, add guard for visibility and make it off by default (#12084) * Add MTLS into mixer connection to oop adapter (#12052) * add oop mtls * address comment * add a comment about how key/certs are generated * New proxy and api sha for istio (#12045) * new proxy sha in istio * New proxy sha for istio * Fixing test * Right intend * MOre fixes * Endpoint locality prioritization (#11981) * Endpoint locality prioritization Defaults to off and has to be enabled via a env var in Pilot as it is an experimental feature and we are close 
to a release Signed-off-by: Liam White <liam@tetrate.io> * Fix correct spelling of prioritise Signed-off-by: Liam White <liam@tetrate.io> * Don't ignore kube-system in EDS (#12028) This was originally ignored due to a high rate of updates from kube-system. EDSInformer now checks that there were actual meaningful changes made, otherwise they are ignored, so this is no longer and issue. * Istio auth sds e2e (#12100) * use CredentialName for SIMPLE * cvc * rootca * update test. * update test * fix format * update gateway config * fix test * fix lint * fix test * add comments. * add nolint * update cvc * update * update * update * update * update * update * format * dep ensure --update istio.io/api * Revise per comments * Revise * lint * Marshal SDS call credential config using deterministic order * update * update * revise * add comment * update * Update validation * fix istio_auth_sds_e2e * fix TestRouteSNIViaEgressGateway/* * istioctl validation improvements (#11768) Use term 'field' for error messages Look for same top-level fields as admission controller * Hide GODEBUG output from istioctl requests (#12091) * Hide GODEBUG output from istioctl requests * Fix in single function as well * support listen multi-namespaces (#11667) * support listen multi-namespaces Signed-off-by: clyang82 <clyang@cn.ibm.com> * fix kube errors Signed-off-by: clyang82 <clyang@cn.ibm.com> * fix lint error Signed-off-by: clyang82 <clyang@cn.ibm.com> * fix ut error Signed-off-by: clyang82 <clyang@cn.ibm.com> * Add new dep Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * replace CA with Citadel Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * fix merge issue Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com> * properly handle passthrough and non passthrough on same gateway port (#12071) * properly handle passthrough and non passthrough on same gateway port Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * flimsy tests 
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * snafu Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * bring back e2e tests Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * lint Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * Revert "bring back e2e tests" This reverts commit a3fbb48. * fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * Improving error message for sidecar readiness (#12123) Currently, the readiness error message doesn't make it clear that the issue is likely Pilot: ``` 2019-02-25T07:22:20.019287Z info Envoy proxy is NOT ready: cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected ``` This PR should help users better diagnose these issues in the future. This is a port of PR #12098 into the release-1.1 branch. * Remove mem registry (#11543) (#12026) * Remove mem registry (#11543) * Fix lint * extract Galley root command to server. (#12073) * Replace root command of Galley with server mode. * Fix linter issue. * Remove accidentally added envoy.test (#12136) * Fix the health check probe (#12135) * Fix the health check prob. * Small fix. * Small fix. * Small fix. * Small fix * Fix identity in certs provisioned for VMs. (#12109) * Avoid unnecessary service change events(#11971) (#12148) Unecessary service/instances change events are fired by consul registry, causing TCP connections destroyed by Envoy Fixes #11971 Change-Id: Iaf60a89175c9113cd8cde1556c9bf11d1a367e8f Signed-off-by: zhaohuabing <zhaohuabing@gmail.com> * Removing a leftover to disable ingress (#12120) Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com> * Fix EDS race condition when using localities (#12151) * Fix EDS race condition when using localities Signed-off-by: Liam White <liam@tetrate.io> * Wordz Signed-off-by: Liam White <liam@tetrate.io> * Wire-up excluded resource types list to the CRD check and update logging (#12143) * - Wire-up excluded resource types list to the CRD check. - Update logging. 
* Revert copyright. * Revert copyright. * Remove VirtualService examples that no longer have an effect (#11892) * Remove no-longer-needed VirtualServices ServiceEntry for github.com not needed to clone https URLs * Modifications after testing using release-1.1-20190214-09-16 * Correct comment explanation * Include pythonhosted.org for 'pypi' and sort/format/dedup the github addresses * Doc fixes. (#12107) * Update jaeger-client-go deps to catch 128bit traceid transport fix (#12166) * Update jaeger-client-go dep * Ensure mixer generates 128bit traceids * Fix DestinationRule issue when there is no Sidecar (#12047) * Fix DestinationRule issue when there is no Sidecar * Default to legacy (current codepath) * Refactor e2e yaml value files (#12076) * Refactor e2e yaml value files This change involes: * renaming uses of old make target * adding all generated files to gitignore * create new target to build all e2e yaml files and another for the demo files that are included in release * move all testing value files, and example value files, to folders * create value files for tests that were using --set * Fix reference to values-e2e.yaml * Fix typo * Add readme and fix test failures * Fix integration tests file * Enable core dump for auth sds test * Actually use coredump * Move istio minimal - needed for docs * resolve conflict * Do not setup SNI match if service has a VIP (#12161) * Do not setup SNI match if service has a VIP Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * missing check Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * Upgrade cert-manager to v0.6.2 (#12149) Currently Istio ships with cert-manager v0.5.0 as an optional dependency. This version is outdated and has known issues/limitations with regards to certificates renewal, excessive calls to the ACME APIs, etc. This commit contains minimal changes necessary to upgrade the bundled cert-manager to the most recent stable version. 
Changes are based on the official Helm Charts distribution of cert-manager.
* Doc fixes. (#12180)
* fix mixer and pilot upgrade issues. (#12177)
* add namespace parameter support (#12104)
* add namespace parameter support
* add namespace parameter support
* add namespace parameter support
* fix lint
* add test case for proxystatus
* Move mixer check annotation to model with defaults (#11859)
* Move mixer check annotation to model with defaults
* Initialize proto once
* Update tests
* Add an e2e test to validate fault injection telemetry. (#11773)
* Add an e2e test to validate fault injection telemetry.
This attempts to provide validation of telemetry for FI to guard against recurrence of issues such as: #11151.
It adds a new test in the mixer suite that installs custom virtual service and destination rules that inject faults at 100% (using error code 555). The test validates that the destination workload information is "unknown" and that we receive telemetry with the `FI` response flag.
* Add forgotten file to PR
* Updates tests to match CNI install procedure (#11877)
* Updates tests to match CNI install procedure
The CNI install procedure was changed to eliminate dependent helm templates. Changes are required in the test routines to match.
* Move daemon start after cluster setup
The daemon start was before the cluster start.
* Changes required after testing
* debug
* Final fix ups
* Address review comments.
* Turn policy off by default (#12114)
* Simplify files and cleanup base values.yaml
* golden files update
* switch back to old defaults for rewriteAppHTTPProbe
* update golden
* override cpu requests for e2e tests
* move policy and telemetry to top level for visibility
* Update deps for 1.1rc2 (#12213)
* Proxy sha and Api sha for istio
* Update istio/proxy to pickup istio/proxy#2135
* pilot should wait for kubernetes cache sync before serving (#12214)
* Remove test mgmt ports (#12206)
* Remove test mgmt ports
* Remove todo and fix test
* Fix local test
* guard mysql proxy with version check (#12225)
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
* Various fixes for the Multicluster e2e test [release-1.1] (#11940)
* Choose the correct Istio yaml file for MC
* Increase the timeout for the MC test (typically it's 40+ mins)
* Set selfSigned flag to false for remote (shared root CA)
* Wait for remote addition/deletion to propagate
* Enable access log for primary and remote clusters
* Fix pilot grpc failure in Consul (#12228)
* Add dynamic discovery and listener initialization for supported k8s resource types (#11871)
* wip: dynamically discover supported crd types
* fix linter errors
* improve logs when resource type not found
* increase code coverage
* address review comments
* add a comment
* fix linter error
* extract Galley root command to server. (#12073)
* Replace root command of Galley with server mode.
* Fix linter issue.
* Wire-up excluded resource types list to the CRD check and update logging (#12143)
* - Wire-up excluded resource types list to the CRD check.
- Update logging.
* Revert copyright.
* Revert copyright.
* Do not reject entire batch of updates, if items get past validation. (#12476)
* Do not drop the whole batch, if validation of a single resource fails.
* minor comment cleanup.
* Adding unit tests.
* Make linter happy happy happy.
* Testing: support retries in Structpath (#12539)
* Testing: support retries in Structpath
The current structpath library automatically fails the test as soon as an error occurs.
This change splits structpath into 2 types:
Instance: methods return errors.
InstanceForTest: delegates to Instance and fails the test if an error occurs.
Tests that allow retries will use Instance and handle the errors manually.
* splitting out the test and non-test instances
* Fixing TestMain for sidecar_api_test
* fixing bug in ForTest
* Switching to single fluent-style api
* Move Distributor interface back to runtime. (#12242)
Distributor is an interface consumed by the runtime package.
* [Kiali][master] things needed for next version of Kiali (#11823)
* things needed for next version of kiali
* additions needed for https://issues.jboss.org/browse/KIALI-2417
* install kiali v0.15
* add read-only role for people to use if they don't want to grant write access to kiali
* mount secret to volume now, not env vars
* add rbacconfigs - https://issues.jboss.org/browse/KIALI-2564
* add prometheus scrape annotations to scrape the new metrics endpoint
* everything is now up to date for kiali v0.16
* Canonicalize help strings for CLI (#12219)
* Fix recently broken racetest on master (#12383)
* Fix racetest
* Lint
* One more race
* Added a todo with issue ref
* missing comment on exported function ConstructCustomDNSNames (#12492)
* missing comment on exported function ConstructCustomDNSNames
* Document customization process
* Merge collab-test-framework to master (#12574)
* Fix deps and broken merge for mixer test
* Fix overly restrictive golang version match
* Fix integration test framework merge issues
* Fix line length lint issue
* Interim checkin of Test Framework refactorings. (#11718)
Seeding collab-test-framework
* Tf 11 scopes (#11772)
Cleaning up the new prototype code.
* Remove hardwired constants from the deployment file.
* Fixup some tests
* Use framework2 for pilot tests (#12243)
* WIP updating sidecar test to new framework
* Re-create Pilot tests based on framework2
* Merge master => collab-test-framework (#12374)
* [Galley] Standardize worker thread lifecycles (#12125)
* [Galley] Standardize worker thread lifecycles
We currently have several worker classes that follow a similar lifecycle pattern, but are inconsistent. This PR standardizes the lifecycle management logic into a new Worker class.
* addressing comments.
* addressing comments.
* Update to grafana 6.0.0 (#12191)
* Support offline running productpage by packing js and css in image (#12218)
* Make code more reusable in other contexts (#11353)
* Make code more reusable in other contexts
- Export processStream methods, they are useful when using the code
outside of Istio
- Move verifySentResourcesMultipleTypes to client_test.go
* Add licence
* Correct TestAdmitPilot Case (#12281)
Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
* Fix pilot grpc failure in Consul (#12273)
* fix wrong link for mixer (#12347)
* Update OWNERS (#12361)
* Update OWNERS
* Update OWNERS
* mixer: CEL runtime (#12145)
Signed-off-by: Kuat Yessenov <kuat@google.com>
* Change IP addresses to show up as strings in label maps in accesslog (#11740)
Change IP addresses to show up as strings in http req in accesslog
Fix lint errors
Fix lint errors
Use stringify function
Updated based on feedback
* Improve resource lifecycle management and debuggability. (#12402)
* Improve lifecycle model.
- Add defer context.Done() to sidecar_api_test for resource cleanup.
- Ensure that Pilot's Close returns after the background go-routine is torn down.
- Properly register components/resources for cleanup purposes.
- Reverse the resource cleanup loop to make sure resource dependencies are
handled properly.
- Add friendly ids to test framework components to help with debugging.
- Refactor environment names to avoid cyclic dependencies.
* Fix lint issues.
* Major refactoring of the new framework & ensure the native mode tests work.
* Fix runaway refactoring.
* Make Istio deployment work.
* Fix some Kubernetes based tests.
- Accommodate code review feedback.
* Fix all K8s tests.
* Cleaning up of the core framework API surface.
* More cleanup of the surface area.
* Fix lint and formatting
* Update Makefile & related settings.
* Move collateral docs to framework2, remove framework and integration.
* Move framework2 -> framework
* Fixup echo.
* Fix minor bug.
* Fix lint issue.
* Minor clarification to the output message.
* Fix Makefile
* Temporarily add debug log output for tf.
* Improve in-CI debugging.
* Fix lint problem.
* Add CI Mode flag.
* Convert Always to IfNotPresent
* Convert Always to IfNotPresent
* Fix Citadel component init.
* Write pod state to files.
* Fix galley.New()
* Minor fix.
* Refactor Hub/Tag/PullPolicy usage.
* Increase deployment timeouts.
* Fix formatting bug.
* Make linter happy
* More diagnostic output support.
* minor cleanup
* Fix Yaml deployment code.
* link fixes.
* Fix comment.
* Set minikube ingress to minikube-none.
* More minikube fixes.
* Final cleanups.
* extract namespace to its own component.
* Major cleanup of structure/packages.
* Post merge fixups.
* Fixup sidecar api tests post-merge.
* Fix structpath panic.
* Increase the deployment timeouts in CI.
* Add istio 1.2 CRD file.
* Fix linting.
* Fix imports.
* Disable sidecar_api_test.go test (which is already disabled in master).
* Remove debug flag.
* Fix lint errors.
* Fix testcontext format parameters
* Disable the sidecar tests before the merge.
* Fix CI Mode timings.
* Fix CI Mode timings.
* Make linter happy.
* Cherry-pick Galley/MCP changes from 1.1 => master (#12604)
* Add dynamic discovery and listener initialization for supported k8s resource types (#11871)
* wip: dynamically discover supported crd types
* fix linter errors
* improve logs when resource type not found
* increase code coverage
* address review comments
* add a comment
* fix linter error
* extract Galley root command to server. (#12073)
* Replace root command of Galley with server mode.
* Fix linter issue.
* Wire-up excluded resource types list to the CRD check and update logging (#12143)
* - Wire-up excluded resource types list to the CRD check.
- Update logging.
* Revert copyright.
* Revert copyright.
* Do not reject entire batch of updates, if items get past validation. (#12476)
* Do not drop the whole batch, if validation of a single resource fails.
* minor comment cleanup.
* Adding unit tests.
* Make linter happy happy happy.
* Remove myself from OWNERS files (#12608)
* add a e2e test for oop (#12577)
* Add a config package folder. (#12611)
* Hide most logging CLI options from istioctl (#12633)
* Log descriptions of pods when tests break (#11904)
* Log descriptions of pods when tests break
* Don't overwhelm the logs for a possibly transient error
* Fix kubectl syntax
* Back out change in retry behavior to avoid masking root cause
* add istio-init.yaml to .gitignore (#12542)
* authz: add authorization policy CRD to helm-init (#12541)
* Fix bug in locality LB normalization (#12532) (#12579)
The priority needs to be normalized (so it always has no gaps), so
priorities [0,2] should be changed to [0,1]. However, we were changing
the wrong endpoint's priorities.
* Apply locality weighted lb config correctly (#12588)
Previously, this value was not set if the load balancer config was nil.
However, it should actually be set anytime outlier detection is enabled, so
that locality lb can behave correctly.
* Fix bug causing empty endpoints per locality (#12615)
* Fix bug causing empty endpoints per locality
Before, we were allocating the array then appending to it, creating
empty endpoints at the start of the array.
* Predefine slice size
* Fix the MCP Client ConfigZ page (#12626)
* Fix the MCP Client ConfigZ page.
* Fix the tests
* Update test name to clear confusion.
* Add threshold for rds.go codecov (#12499)
Test is flaky, saying it has dropped coverage when it has not due to
it being nondeterministic.
* Drop log level for missing service account for spiffe uri (#12239)
* Don't require service account for spiffe
Some kubernetes pods don't have a service account. This causes a log
flood that the spiffe url is invalid, but this doesn't actually have any
negative impact. We can just make it not an error to have no service
account.
* Revert "Don't require service account for spiffe"
This reverts commit e88ff187963e97949d3b81c3575b997ddd7e7a6f.
* Just drop error -> warn
* Fix tests
* Drop log level
* [Authz v2] Add additional fields for bindings and validation. (#11800) (#12460)
* Adding additional fields for bindings and validation. (#11800)
* Implement namespaces for ServiceRoleBindings
* Implement not_namespaces and refactor
* Implement not_ips
* Implement ips (no unit tests)
* Add a unit tests for ips for ServiceRoleBinding
* Implement groups and not_groups for ServiceRoleBinding
* Implement names and not_names
* Check for duplicated definition in constraints/properties and first-class fields
* Disallow using * in names or not_names to prevent ambiguity
* Disallow using * in names or not_names to prevent ambiguity
* Refactor additional fields for bindings
* Update validation.go
* Update validation.go
* enhance verify install command (#12174)
* enhance verify install command
* fix lint
* fix lint
* configure prometheus to monitor citadel. (#12175)
* Add namespace scoping to the Gateway 'port' names (#11509) (#12500) (#12556)
* Add namespace scoping to the Gateway 'port' names (#12500) (#12500)
Currently in order to configure ingressgateway to do TLS termination
using multiple secure virtual hosts with different certificates Istio
requires Gateway 'port' names to be globally unique (i.e. distinct).
I.e. two gateways cannot have secure port named 'https' even if they
reside in different namespaces. Behavior in such case is undefined.
This breaks namespace isolation as a user creating a Gateway in one
namespace might not have access to other namespaces hence can't
if the port name is already 'taken'. Behavior in such case is undefined
and likely to render other virtual hosts unavailable.
This change adds namespace scoping to Gateway port names by appending
namespace suffix to the HTTPS RDS routes. Port names still have to be
unique within the namespace boundaries, but this change makes adding
more specific scoping rather trivial.
* Increase Gateway 'port' names scoping granularity
* Minimal changes to make locality lb not sigsegv (#12649)
* Locality label istio-locality in k8s should not contain `/`, use `.` (#12592)
* Locality label istio-locality in k8s should not contain `/`, use `.` instead
* fix comments
* Only use gateways for servers being processed (#12663)
Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>
* Propagate Envoy Metrics Service Config (#12569)
The plumbing for propagating the envoy metrics service address config is missing a step to copy the given address to the config object that is passed on to the template renderer.
* mixer: add directive demo adapter (#12505)
* finish demo
Signed-off-by: Kuat Yessenov <kuat@google.com>
* printf
Signed-off-by: Kuat Yessenov <kuat@google.com>
* publish keyval
Signed-off-by: Kuat Yessenov <kuat@google.com>
* Adding sidecars to validating webhook configuration (#12233) (#12643)
Addresses issue #12193
* Cleaning up Unit tests for RDS (#12581)
Added a new case and cleaned up the existing test cases.
* switching deployment to v1 api (#10578)
Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
* Cleanup Galley OWNERS file. (#12676)
* fix uds socket (#12688)
* uds fix
* readonly
* Add unit test to cover multiple different locality case (#12388)
This PR only increases test coverage. Does not impact functionality.
Signed-off-by: Liam White <liam@tetrate.io>
* Build 1.1.1 (#12690)
* Fix LB weight setting for split horizon eds (#12560)
* lb weight for split-horizon-eds should be set correctly
* fix ut
* rename
* fix ut
* fix lint
* fix lint
* fix typo in default envoy JSON log format (#12473)
* Make release-1.1 changes compatible with master
* Remove extra ingress template
* cherry pick 10578
* reformat
* Update rbac.go to use httpfilter when needed
* Integration framework ensure apiVersion is top level
* Update yaml make target
* Disable setup on sidecar_api_test
* clarified mesh connect timeout fields based on code impl (#12089)
* Testing: configurable ports for Echo (#12681)
The echo component currently assumes a hard-coded list of ports. We eventually want to replace the "apps" component with echo, but in order to do that we'll need to be able to tailor the port configuration for each instance.
* add image pull secrets for zipkin. (#12327)
* Refresh oop handler with connection config update (#12575)
* refresh handler with connection update
* sanitize test error message
* Fixing copying of the data to the bucket during release (#12585)
* Fixing copying of the data to the bucket.
* Small fix
* RM folder in any case
* 'istioctl proxy-config clusters' cluster type column rendering (#12458)
* Make error message explicit (#12675)
* E2E test for health check under mtls using app prober rewrite. (#11531)
* injector changes for health check, pilot agent take over app readiness check. (#9266)
* WIP injector change to modify istio-proxy.
* move out to app_probe.go
* Iterating sidecartmpl to find the statusPort.
* use the same name for ready path.
* Get rewrite work, almost.
* Some clean up on test and check one container criteria.
* fix the injected test file.
* Add inject test for readiness probe itself.
* Add missing added test file.
* fix helm test.
* fix lint.
* update header based finding the port.
* return to previous injected file status.
* fixing TestIntoResource test.
* sed fixing all remaining injecting files.
* handling named port.
* fixing merging failure.
* remove the debug print.
* lint fixing.
* Apply the suggestions for finding statusPort arg.
* Address comments, regex support more port value format.
* add app_probe_test.go
* add more test.
* merge fix the test.
* webhook autoinject is ready for review.
* Squashed commit of the following:
commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Jan 29 18:13:30 2019 -0800
renaming env var.
commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Jan 29 17:59:25 2019 -0800
finish migrating test to yaml file based.
commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Jan 29 13:55:00 2019 -0800
get test working.
commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Jan 29 13:49:58 2019 -0800
WIP add some test files.
commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Jan 29 13:13:06 2019 -0800
WIP changing to using the environment var.
commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Jan 29 10:52:47 2019 -0800
add todo for the tests.
commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277d7 4b7b13aef
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Jan 29 10:47:17 2019 -0800
Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip
commit ca22277d76ed8d1c1b7c3b44cb05edfe52ccf861
Merge: 98fd48f59 744b07ad2
Author: Jianfei Hu <jianfeih@google.com>
Date: Mon Jan 28 23:15:34 2019 -0800
Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip
commit 98fd48f59f748bafe5e8518bff3d8cbfd64a2135
Author: Jianfei Hu <jianfeih@google.com>
Date: Mon Jan 28 23:15:00 2019 -0800
findsidecar.
commit 744b07ad2406d1eb94bcf5492125f91486ad6b10
Author: Jianfei Hu <jianfeih@google.com>
Date: Mon Jan 28 22:29:28 2019 -0800
add FindSidecar.
commit 40ed002ff6f5dd4afe22afa984384addc1be1104
Author: Jianfei Hu <jianfeih@google.com>
Date: Mon Jan 28 21:55:51 2019 -0800
refactor some code.
commit 0fdbb2e832b7ac01f3e4ed185763b3b20bfbd2ac
Author: Jianfei Hu <jianfeih@google.com>
Date: Mon Jan 28 18:19:32 2019 -0800
Integration test works and fixing a bug.
commit 5085dfd0e6cb4f0c9cb5c25e7f24b0b94dec176a
Author: Jianfei Hu <jianfeih@google.com>
Date: Mon Jan 28 16:09:13 2019 -0800
all inject tests pass.
commit fe3f156316c917854c2ef4c163e7e1fb070c4fa5
Merge: a2a774498 010d5c266
Author: Jianfei Hu <jianfeih@google.com>
Date: Mon Jan 28 15:22:18 2019 -0800
Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip
commit a2a774498e1021c1ca01c021c071e225fa330407
Author: Jianfei Hu <jianfeih@google.com>
Date: Mon Jan 28 15:16:04 2019 -0800
update the TestWebhookInject.
commit 36fd45c074bcc787702a5a9257d23103521f525c
Author: Jianfei Hu <jianfeih@google.com>
Date: Fri Jan 25 12:13:21 2019 -0800
some document
commit 88dc922719e2c4723a334d1d8d959cac361b1ecb
Author: Jianfei Hu <jianfeih@google.com>
Date: Fri Jan 25 11:43:44 2019 -0800
new version works for kubeinject, webhook unit test.
commit 6efa0d64eca835dd860cdfc37d09ebfe110e083a
Author: Jianfei Hu <jianfeih@google.com>
Date: Thu Jan 24 18:17:38 2019 -0800
WIP working on modifying sidecar.Args first, then modify app container patch.
commit 65a2194ae7a93581f60b56998aeb9480b4a4fde5
Author: Jianfei Hu <jianfeih@google.com>
Date: Thu Jan 24 15:20:36 2019 -0800
WIP add what's missing to get e2e test working.
commit 1595e871c640cdabead372eada2b17d717fa707f
Merge: 256d9635f ac78a552a
Author: Jianfei Hu <jianfeih@google.com>
Date: Thu Jan 24 13:26:05 2019 -0800
Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject
commit 256d9635f4d590936c473bf3be0299064cb9c716
Author: Jianfei Hu <jianfeih@google.com>
Date: Thu Jan 24 12:14:04 2019 -0800
add some debugging log.
commit f70096334464fd1d59a0e81997e8f0fd6623a564
Merge: bdce72119 c7eb603ee
Author: Jianfei Hu <jianfeih@google.com>
Date: Thu Jan 24 10:57:43 2019 -0800
Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject
commit bdce72119ef78dab40b750861768c332811b9ee2
Author: Jianfei Hu <jianfeih@google.com>
Date: Wed Jan 23 18:04:37 2019 -0800
refactor to host something up to caller.
commit b51763c21000ba2b7fe9e2bc728783ce530cfe87
Author: Jianfei Hu <jianfeih@google.com>
Date: Wed Jan 23 16:31:32 2019 -0800
get everything works.
commit 0815695a2fea828f06a31f14ed7795a3b3716111
Author: Jianfei Hu <jianfeih@google.com>
Date: Wed Jan 23 15:48:27 2019 -0800
kubeinject test is working.
commit 14c99b58f0212972d42e298fa4185275642d672c
Merge: d626bb85d 5ea79622c
Author: Jianfei Hu <jianfeih@google.com>
Date: Wed Jan 23 15:38:30 2019 -0800
Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject
commit d626bb85dee628771f8f41fc90335ac608dea923
Merge: 3561ae0a6 66153da4d
Author: Jianfei Hu <jianfeih@google.com>
Date: Wed Jan 23 15:38:23 2019 -0800
Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject
commit 3561ae0a69350730834e625c0710394968f9fcde
Author: Jianfei Hu <jianfeih@google.com>
Date: Wed Jan 16 16:49:44 2019 -0800
WIP, policy is not taking effect, test passing without rewrite.
commit a9bef0f01964a14f6ace0da6217d7a36f364b661
Author: Jianfei Hu <jianfeih@google.com>
Date: Wed Jan 16 16:31:08 2019 -0800
fix the json path in the patch.
commit f1aee91189e16beb0dadee6c612464b1aa9bad21
Merge: 3a7eb48e6 abc53e120
Author: Jianfei Hu <jianfeih@google.com>
Date: Wed Jan 16 14:03:49 2019 -0800
Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject
commit 3a7eb48e6b8e4687ffc38973bf18fca11b06c957
Author: Jianfei Hu <jianfeih@google.com>
Date: Wed Jan 16 13:57:55 2019 -0800
fix it, removing namespace since metadata not matching will fail for kubeapply
commit 2b120347ae887b8a4aa5f955a1a8cb0bdd46d3da
Author: Jianfei Hu <jianfeih@google.com>
Date: Wed Jan 16 11:58:39 2019 -0800
WIP, debugging why mtls policy is not showed up.
commit 72e9c4e488f875ffea0c3a279403277010160ee1
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Jan 15 17:24:16 2019 -0800
working on integration2 test framework.
commit 90c1cce9ddc55ce339aa65eac06602591d3113c9
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Jan 15 17:04:38 2019 -0800
add small comments.
commit 92a0edaa11734d1c6fb1c367fae56dc104c6e676
Merge: 7f5c8cbd8 e45242c0d
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Jan 15 16:43:47 2019 -0800
Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject
commit 7f5c8cbd8d4aa57eaf8f8d739cae6dbfdab0445d
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Dec 18 09:37:53 2018 -0800
check rewriteAppProbe separately.
commit e2707c9b8f1b01bd4b03b2c6adb9fc79f0dcb479
Merge: 20f02c045 1ae6b4fde
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Dec 18 09:01:37 2018 -0800
Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject
commit 20f02c04563fab9b81b418c00a5455994fda5148
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Dec 18 08:59:57 2018 -0800
duplicate the rewrite logic.
commit 4894cb16804d9c5a0406c2dc1b02e3395be08e64
Merge: 3b3bcbff8 d8c4579fa
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Dec 18 08:53:44 2018 -0800
Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject
commit 1ae6b4fde00ae641637d44c0f417f635b6d9a6b1
Author: Jianfei Hu <jianfeih@google.com>
Date: Mon Dec 17 21:56:51 2018 -0800
address comments.
commit 3b3bcbff86f982c8abc705518a0fd4ec37bf4840
Author: Jianfei Hu <jianfeih@google.com>
Date: Thu Dec 13 15:24:33 2018 -0800
massage comments.
commit ccd670d31ef2c1817f87fe932d6f0d2ed4f609d7
Author: Jianfei Hu <jianfeih@google.com>
Date: Thu Dec 13 15:15:50 2018 -0800
helm flag is off, so change the expected output.
commit 43522c15d06054e4bb173ab2c37333a4de647c2d
Author: Jianfei Hu <jianfeih@google.com>
Date: Thu Dec 13 15:09:46 2018 -0800
make webhook support rewriteAppHTTPProbe flag.
commit f60f18f4144482874c1219c7da90e97f19f1172f
Author: Jianfei Hu <jianfeih@google.com>
Date: Thu Dec 13 12:03:04 2018 -0800
fixing the merge typo.
commit 05bbadfd851b3a5ad013e733d6eb5eacf5491b15
Author: Jianfei Hu <jianfeih@google.com>
Date: Thu Dec 13 11:56:38 2018 -0800
remove unnecessary changes in test for debugging.
commit a81eacb6892509d8938be8d64f1435cf64e22317
Merge: af1a67989 f6b0ddc30
Author: Jianfei Hu <jianfeih@google.com>
Date: Thu Dec 13 11:53:07 2018 -0800
Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject
commit af1a6798988f9fe70e40add2a6d4971efa9b50ed
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Dec 11 18:07:19 2018 -0800
fixing all the test.
commit 58d0bef3520037a81db8baa34d6e13849d20af10
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Dec 11 17:51:34 2018 -0800
Get TestInject happy.
commit fcd0ae2f7a6ba2f067f460f4baad2194e517b7f1
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Dec 11 17:49:42 2018 -0800
make TestHelmInject happy.
commit 7a3ffc8d8e4b5509e1bbed2facc6e4ba14d70fa0
Merge: fcca1f89a bd1631be3
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Dec 11 16:53:01 2018 -0800
Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject
commit fcca1f89af2fddfc0edb3824982aa0b81390fa6d
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Dec 11 16:18:20 2018 -0800
get webhook_test.TestInject working.
commit 06f517cfc4214994be1be848d40b12f09ba8a4b8
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Dec 11 16:10:55 2018 -0800
restructure app_probe_test working for both.
commit 7142e96ed8a3200fc91bc73aee86d471117232fc
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Dec 11 13:19:41 2018 -0800
starting to work on serious test
commit a3dfb97b4ec4de375984c2a17eb4374bc1c5046a
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Dec 11 11:50:19 2018 -0800
prototyping get familiar with the test.
commit 51659dacbc569f4532dc6a37b2091f39c7cf115b
Author: Jianfei Hu <jianfeih@google.com>
Date: Tue Dec 11 11:05:51 2018 -0800
wip for adding test.
* resolve appprobetest.
* update the golden due to another injector change.
* remove unnecessary files in this pr.
* remove the test framework change.
* remove unnecessary testdata file.
* wip for adding health check test app.
* wip very hack working solution app deployed
* finally test starts working
* make sure the test works if and only if the helm flag is turned on.
* refactoring
* small adjustment.
* DeepCopy used.
* working test only healthcheck test.
* remove inline policy
* change RegisterHelmValueOverrides.
* unnecessary change.
* Finish HelmValueMap refactor.
* some cleanup.
* clean up.
* flags helm values takes higher priority.
* fix the lint.
* address comments.
* revert changes on HelmValuesMap.
* wip getting helm customizable with new configuration api.
TODO: testing by rebuild image.
* fix the helm value passing overrides.
* wip the app is deployed but not ready and still finishes...
* wip apps configuration not take effect.
* working version of apps configuration.
* clean up some debugging log.
* test documentation.
* WIP changing deploymentFactory to KubeApp.
* verify test works.
* clarify kubeappsconfig doc.
* get the test pass, no apps configuration yet.
* get test working.
* clean up on apps/kube.go
* few clean and update readme doc.
* change the overrides by func callback.
* fix the typo.
* fix the comments.
* Hide ServiceAccounts from PushContext log (#12702)
* Configure localityLbSetting in values.yaml (#12683)
* Configure localityLbSetting in values.yaml
* Update docs
* Fix concurrent map access (#12706)
* Remove when: always from CircleCI configuration for integration tests. (#12679)
This causes the integration tests to run, even if the previous steps fail.
* Removed unused code from EDS (#12221)
* Should not add a worker in GoroutinePool construction func (#12619)
* GoroutinePool does not add a worker in construction func
* fix ut
* remove redundant code (#12656)
* remove redundant k8s discovery code
* remove redundant
* Configure logging level in proxy and control plane (#12639)
* configure proxy log level via helm values for sidecar and gateways
* configure istio control plane log level via helm
* Put back a couple settings for Kiali that were accidentally deleted. (#12472)
Some Kiali settings were accidentally deleted when the new installation options for
release-1.1 was published. This is because these settings were commented out in
the values.yaml file for kiali under istio/kubernetes/helm/istio/charts/kiali.
Bug:#3660
* remove to be deprecated critical pod annotation. (#12657)
* remove to be deprecated critical pod annotation.
* fix ci.
* Adding timeouts in Galley processor tests (#12701)
* Adding timeouts in Galley processor tests
This is to help in debugging #12628.
* making await method private
* add pod antiaffinity. (#12691)
* add pod antiaffinity.
* fix gateways issue.
* add pod antiaffinity to helm test pod.
* remove local test file.
* apply comments.
* Adding galley test for sidecar config validation (#12247)
* Adding galley test for sidecar config validation
Test cases related to PR #12233
* Using istio-system as namespace for resource
* Collect details/artifacts for failed tests in Prow. (#12753)
* Add infrastructure to document env var usage. (#12727)
- Introduce the pkg/env package containing a few functions to query environment
variable values. It keeps track of the variables requested so they can be documented.
- Extend pkg/collateral to recognize and output the environment variables used in the
process. This is what is needed to make this stuff show up on istio.io.
- Update all relevant call sites to use the new infrastructure. It's still missing
descriptions for all the variables, that'll be up to component authors. I'll file
issues to get that work done.
- Fixed bugs in the node_agent_k8s code that was using env vars as the default for
Cobra command-line arguments, resulting in potentially variable default values
produced in the generated docs. Default values need to be static.
* Enable more linters. (#12751)
- Flip on a couple more linters
- Fix a bazillion warnings produced by these linters,
along with many warnings produced by other not-yet-enabled
linters.
- Fix pkg/version so the tests compile on Mac. This broke a while
back, preventing the linter from running to completion on the Mac.
* Convert galley to reload files via SIGUSR1 or a ctrlz handler (#11617)
* Convert galley to reload files via SIGUSR1 or a ctrlz handler
* Fix ctrlz shutdown not to block
* Disable the mtls_healthcheck test until it can be fixed. (#12775)
* Change IP addresses to show up as strings in label maps in accesslog (#11740) (#12502)
Change IP addresses to show up as strings in http req in accesslog
Fix lint errors
Fix lint errors
Use stringify function
Updated based on feedback
* upgrade prometheus version. (#12781)
* Wait for endpoints of policy backend, before trying to use it. (#12763)
* Wait for endpoints of policy backend, before trying to use it.
* Minor fix to the structure.
* Add wait logic for waiting Galley to come online.
* Fix minor bug.
* Rename the method so that it is clear what it is doing.
* Add additional constraint check.
* Remove redundant write header (#12731)
Write already writes 200 status code, so this wasn't needed. This caused
unneeded logging every time it was called.
* Tell Kubernetes that Istio validation has no side effects (#12670)
* Tell Kubernetes that Istio validation has no side effects
* Add integration tests for --server-dry-run
* Report version of kubectl and server
* Version check error
* Undo --server-dry-run tests which require K8s 1.12 or higher
* fix uds socket (#12688) (#12802)
* uds fix
* readonly
* mixer: switch to simplified config model (#12689)
* take 2 compiled instances
Signed-off-by: Kuat Yessenov <kuat@google.com>
* try with apa
Signed-off-by: Kuat Yessenov <kuat@google.com>
* quota failure
Signed-off-by: Kuat Yessenov <kuat@google.com>
* false signal?
Signed-off-by: Kuat Yessenov <kuat@google.com>
* more crds
Signed-off-by: Kuat Yessenov <kuat@google.com>
* nil params
Signed-off-by: Kuat Yessenov <kuat@google.com>
* patching config
Signed-off-by: Kuat Yessenov <kuat@google.com>
* remove stale command
Signed-off-by: Kuat Yessenov <kuat@google.com>
* Fix destination host validation (#12804)
* Implement AuthorizationPolicy with workload selector. (#12050) (#12667)
* WIP AuthorizationPolicy with selector
* WIP AuthorizationPolicy with selector
* Check if need to use convertRbacRulesToFilterConfig and ignore permissive mode
* Support TCP
* Move new functions for RBAC v2 to rbac_v2.go
* Change the structure and refactor tests
* Put services field check back
* Remove services field validation
* Remove optimization
* Add selector no match test
* [Galley] Adding ServiceEntry synthesis (#12409)
Added a new custom projection that is subscribed to events for k8s Pods, Nodes, Services and Endpoints. These events are absorbed and do not become part of the snapshot. Instead, synthetic ServiceEntry resources are generated and become part of the snapshot.
Partially addresses #10497 and #10589
* Add a linter to prevent use of os.Getenv and os.LookupEnv (#12778)
- Add more unit tests to pkg/env to bring coverage to 100%
- Move existing linter sources from test/util/checker to tools/checker
* Specify istio-init user explicitly (#5453) (#12708)
Istio-init is supposed to be run as a superuser so it can configure
iptables and this is the current default. However many popular Helm
charts typically define a single container pod and specify
`securityContext.runAsUser` on a pod level (rather than the container
level) and that is what istio-init inherits. As the result many Helm
charts aren't working with Istio auto-injection out of the box.
A simple fix would be explicitly setting `securityContext.runAsUser`
for istio-init on the container-level so it takes precedence.
* Removing dependency on the order of returned IP addresses (#12812)
* Removing dependency on the order of returned IP addresses
Allows returned addresses by the default resolver to be in any
order. The first IPv4 address returned by the resolver is used. If
no IPv4 address is found, an IPv6 address is used.
Added more unit tests.
* Making logic for local IP the same as the rest
* Disabling flaky parts of Galley integ test (#12837)
This should deflake the test in #12820. Real fix is coming soon.
* Set SAN as critical for workload certs. (#12838)
* inject sds related param in pilot/mixer deployment (#12809)
* inject sds related param in pilot/mixer deployment
* remove args
* Disabling Mixer tests using the new TF in K8s. (#12848)
* Disabling Mixer tests using the new TF in K8s.
* Make linter happy.
* accommodate PR review comments.
* galley: support optional crds (#12822)
* optional galley crds
Signed-off-by: Kuat Yessenov <kuat@google.com>
* review
Signed-off-by: Kuat Yessenov <kuat@google.com>
* Removing a "TODO" that is not necessary any more (#12841)
Cleaning up the comments.
* mixer: add template CRD flag and set it to false (#12851)
* template CRD flag
Signed-off-by: Kuat Yessenov <kuat@google.com>
* missed a flag
Signed-off-by: Kuat Yessenov <kuat@google.com>
* Zombie cleanup. (#12878)
- Delete a bunch of dead code, dead variables, unused parameters, and
superfluous type declarations.
* Refactor Istio deployment code for clarity and add wait for webhook. (#12888)
* Refactor Istio deployment code for clarity and add wait for webhook
to come online.
* Make linter happy.
* Fix stupid bug.
* Remove accidental file add (#12895)
* Re-enable sidecar_api_test (#12887)
* Re-enable sidecar_api_test
* Remove kube setup
* Fix race condition
* Make Mixer readiness timeout configurable. (#12640)
- Mixer waits for readiness of the config backend. It is currently hard-wired at 30 seconds. This change makes this configurable and sets the default as 2 minutes.
- The pod was being killed because the liveness probe was not starting on time. It is blocked behind other readiness checks. This change enables readiness early on.
* Minor improvements to the test framework. (#12858)
* Add dump support to policy backend.
* Add a suitecontext dir.
* test: add dump pod events function (#12821)
* Fix flush behavior in Stackdriver adapter. (#12853)
* Fix prometheus and citadel connection tests (#12747)
* Fix test-prometheus-connection.yaml: test never failed
Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>
* Fix test-citadel-connection.yaml: test never failed
Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>
* Fix a bunch more linter items. (#12897)
* delete stale file (#12898)
Signed-off-by: Kuat Yessenov <kuat@google.com>
* Run dep ensure
* Implement EnvoyXdsServer graceful shutdown (#12826)
* update api sha (#12862)
* update api sha
* api files
* Add two sample deployments for user guide of Istio Vault integration (#12917)
* Rename types.go to types.gen.go. (#12921)
* Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850)
* Change Ip Address to readable format in accesslog from stdio adapter
* Add a check to validate it's an IP Address before calling ip.string function
* Fix formatting error
* Fix test
* Correct stringify function in instanceUtil.go too for IP address
* Fix based on review
* Fix based on review
* Fix based on review
* Update to latest doc gen tool. (#12932)
* Fix the regular expression that splits the deployment scripts. (#12931)
The script was fixed with a start-line anchor during the merge of 1.1.
However, regular expressions in Go are not multi-line.
* Add labels to the test framework. (#12819)
* Add basic label support to the test framework.
* Refactor test framework surface area to use fluent-style.
* Apply labels to CircleCI tests & stable integration tests.
* Add early exit support to avoid running setup functions when the label
set can never match.
* Add Citadel tests as presubmit tests.
* Remove environments from label usage.
* Fixup some of the label usages, and convert some of the test entry points.
* Fixup label usage.
* Redisable sidecar tests.
* Accommodate PR feedback.
* Accommodate CR feedback.
* Add more CR fixup.
* Introduce pkg/annotations (#12909)
- pkg/annotations lets us track the annotations used by the calling process.
- pkg/collateral now outputs annotations if there are any. This will make annotations
show up on istio.io
- Adjusted how pkg/collateral handles deprecated environment variables to match how we
handle deprecated fields in protos (by coloring them differently on istio.io)
- Added another test to pkg/env to cover a case I missed originally.
- Updated the sidecar injector and pilot to use pkg/annotations.
- Fixed some invalid HTML generated by pkg/collateral.
I'll file an issue to get descriptions added for the annotations.
* remove unused pdb in remote values. (#12943)
* prevent duplicate inbound listeners (#12937)
* [Galley] Fix race in runtime strategy (#12927)
This addresses a race condition that seems to only occur when using a very low timerFrequency (e.g. 1 microsecond) on a slow machine (e.g. prow). Under these conditions, the strategy can encounter a race condition when creating the timer. The code was setting the `timer` variable to the result of time.AfterFunc. However, due to the extremely low frequency used, the AfterFunc was invoking its handler, `onTimer`, before returning. This led to accessing an uninitialized `timer` value.
This PR swaps out AfterFunc for NewTimer. The use of time.Timer is now abstracted behind the `asyncTimer` object, which provides the semantics needed by the strategy. Now strategy.timer is set before it is started, avoiding the race.
Fixes #12628
* Adding unit tests for sidecar scope (#12184)
* Adding unit tests for sidecar scope
* Removing unused variable
* linters: enable errcheck (#12933)
* enable errcheck
Signed-off-by: Kuat Yessenov <kuat@google.com>
* add maligned to exceptions
Signed-off-by: Kuat Yessenov <kuat@google.com>
* Istio does not use Cluster_LOGICAL_DNS, so remove it (#12905)
* Istio does not use Cluster_LOGICAL_DNS, so remove it
* clean up LOGICAL_DNS in comments
* Clean up Helm README (#12914)
The README has outdated information on the values, we should just defer
to istio.io which is up to date. Additionally, we should point users to
istio.io which has up to date install instructions.
* 'istioctl experimental dashboard' command to show add-ons and sidecars (#12627)
* 'istioctl experimental dashboard' command to show add-ons and sidecars
* Test cases, output of URL, use of Cobra output stream
* Refactor code into istioctl/pkg/kubernetes
* Refactor to expose PortForward stop channel
* Validate new mixer CRDs (#12918)
* Validate new mixer CRDs
* Add templates and adapters
* Test cases for new mixer CRDs
* Add environment variables to allow configuring bookinfo hostnames (#12646)
* Allow bookinfo hostnames to be configurable
- add DETAILS_HOSTNAME, RATINGS_HOSTNAME, REVIEWS_HOSTNAME environment
variables to configure hostnames. Defaults to details, ratings, reviews
respectively
* Bump bookinfo sample to 1.11.0
* Update expected outputs for bookinfo tests
- this is not related to our PR, but the tests were failing
- the apps were changed, but images were not rebuilt
* Add edsClusters should be atomic (#12942)
* Add edsClusters should be atomic
* fix lint
* properly report errors on failure (#12945)
The CI Infrastructure times out after 10 minutes of no activity. In
one of the test case runners, 10 minutes is specified causing the CI
timeout to flush any debuggable output from the checks. This results
in an inexact error result to be returned.
Instead a vague response about the test case timing out is reported,
resulting in confusion for the PR authors.
The typical max I was able to achieve was ~230 seconds, but I trimmed
to 3 minutes so the test case fails in all conditions and properly
reports the errors.
* Hoist exemptLabels to top-level, so that they can apply to prs as well. (#12902)
* [mixer-e2e-test] add retry to prometheus query in check cache test (#12680)
* check cache test sleep longer
* use retry instead of longer waiting
* reword error message
* Fixing typos in unit tests (#12661)
Redoing PR #12035
* respect locality weight set from ServiceEntry (#12714)
* respect the lb weight setting from users
* add ut
* fix golint
* add locality lb setting test
* fix lint
* update test case
* update test case
* lint
* sidecars with workload selector takes precedence over namespace wide one (#12831)
* Auto bind to services for Sidecar listeners with specific ports (#12724)
* auto bind to TCP services for egress ports in Sidecar
Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>
* fix test
Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>
* minor patch (#12963)
Signed-off-by: Kuat Yessenov <kuat@google.com>
* Cleanup gateway vhost config gen (#12847)
* check match direction
* Cleanup http route generation
* undo pickMatching change
* golangbot comments
* address review comments
* fix validation bug
* gofmt
* check for intersection duplicates
* Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916)
* Add wildcard route fallthrough
Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port.
Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there
is already an http service. This is misleading, as it can be conflated
with a 404 error returned from the actual service. When in REGISTRY_ONLY
mode, we instead return a 502 error to indicate the request is blocked.
* add unit tests
* Remove node-level flag
* Fix tests
* Support PKCS#8 private keys. (#12972)
* Support PKCS#8 private keys.
* Small fix.
* Fix LB weight setting for split horizon eds (#12560) (#12827)
* lb weight for split-horizon-eds should be set correctly
* fix ut
* rename
* fix ut
* fix lint
* fix lint
* Restore dump_kubernetes.sh function on OSX (#12159)
* Fixes for Bash 3.x and detecting non-running pods
* Address shellcheck warnings
* Remove Robert Li from tests OWNERS file (#12946)
Robert has had a change in employment and can no longer contribute to
Istio.
* remove unnecessary namespace for webhook configuration (#12981)
* remove deprecated mcpServerAddrs flag (#12954)
* remove deprecated mcpServerAddrs
* fix ut
* support ip:port format configSource
* fix ut
* fix ut
* support proxy https app probe (#12872)
* support proxy https app probe
* add ut
* fix ut
* add webhook inject test
* fix test
* fix comments by incfly
* Allow some time for the configuration propagation (#12865)
* Allow some time for the listeners config propagation
* change to use watchDiscovery
* samples/bookinfo: easier access to logs (#12584)
* Use shorter namespace prefixes. (#13001)
* Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850) (#12936)
* Change Ip Address to readable format in accesslog from stdio adapter
* Add a check to validate it's an IP Address before calling ip.string function
* Fix formatting error
* Fix test
* Correct stringify function in instanceUtil.go too for IP address
* Fix based on review
* Fix based on review
* Fix based on review
* Update integration test env flag (#12977)
The flag should be "kube" not "kubernetes" but it was not updated in
some places before.
* Support inline role definition in AuthorizationPolicy (#12849)
* Don't fill test logs with "no previous log" (#12857)
This isn't a real error, but it is misleading in the test output. We
have no reason to output all of these errors that there is no previous
container to get logs from.
* mixer: delete old style CRDs from installation (#12710)
* delete old style CRD from installation
Signed-off-by: Kuat Yessenov <kuat@google.com>
* disable galley from listening to old style CRDs
Signed-off-by: Kuat Yessenov <kuat@google.com>
* more hardcoded yamls
Signed-off-by: Kuat Yessenov <kuat@google.com>
* debugging default install
Signed-off-by: Kuat Yessenov <kuat@google.com>
* fix fmt
Signed-off-by: Kuat Yessenov <kuat@google.com>
* keep galley pipeline
Signed-off-by: Kuat Yessenov <kuat@google.com>
* disable resource ready
Signed-off-by: Kuat Yessenov <kuat@google.com>
* delete debugging line
Signed-off-by: Kuat Yessenov <kuat@google.com>
* fixing testdata
Signed-off-by: Kuat Yessenov <kuat@google.com>
* delete deprecated configs
Signed-off-by: Kuat Yessenov <kuat@google.com>
* remove declarations
Signed-off-by: Kuat Yessenov <kuat@google.com>
* delete more yaml
Signed-off-by: Kuat Yessenov <kuat@google.com>
* merge fix
Signed-off-by: Kuat Yessenov <kuat@google.com>
* Add tests for the effect of mTLS setting to reachability (#11624)
* Reachability test in new integration test framework
* Add test for port specific policy
* Expose KubeApp interface and move EndpointForPort to that instead
* Use the retry.UntilSuccess from framework
* Change to UntilSuccessOrFail instead of UntilSuccess
* remove deprecated code (#13005)
* remove deprecated code
* remove dep
* Add examples/documentation for the test framework. (#13000)
* Add examples/documentation for the test framework.
* Add more prose about test lifecycle.
* Fix typo.
* Fix typos.
* fix retry loop in mixer crd watch (#13003)
* first change to apps/v1 for Install (#13015)
* first change for install
* appsv1
* indention
* use only ipv4 for pilot and zipkin (#12997)
* do ipv4 lookups for pilot and zipkin
Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>
* update goldens
Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>
* small fix for imports (#13013)
* remove old mcp stack (#12092)
* remove old mcp stack
* remove legacy mcp server from galley
* fix server build
* fix linter
* remove unused code in journal.go
* fix build
* s/server/source
* fix linter errors
* Exclude Prometheus traffic in rule so that Kiali does not show it. (#12251)
* [Galley] Fix race in strategy shutdown. (#13004)
* [Galley] Fix race in strategy shutdown.
The Close() logic was holding onto the state lock, which can race with worker thread. Specifically, the worker thread could be in a call to onTimer awaiting the lock, which would never be acquired since the Close() method is stuck waiting for the stopped channel to close.
* cleaning up reset logic to avoid holding on the stateLock
* Add instructions and scripts to facilitate running E2E tests locally using KinD (#12641)
* Adding check/install go in both macOS and Linux.
* Install go if not installed.
* Adding support to run e2e test on KinD locally.
* Adding the ability to run e2e tests locally on KinD.
* Update install_prereqs_debian.sh
* Update setup_test.sh
* Adding the ability to run e2e test on KinD
for presubmit test.
* Presubmit e2e test on KinD.
* Adding the ability to run e2e_simple presubmit on KinD
* Adding README file for testing on KinD locally.
* Revert the changes on adding install_go function.
* Revert install_go in common_macos.sh
* Revert the file changes of deleting newline.
* Reverting the changes.
* Addressing reviews.
* Fixing shellcheck
* respect locality weight set from ServiceEntry (#12714) (#13012)
* respect the lb weight setting from users
* add ut
* fix golint
* add locality lb setting test
* fix lint
* update test case
* update test case
* lint
* Add documentation about -p 1 for integration test framework. (#13032)
* Reduce logs in security/pkg/nodeagent/sds/ (#13035)
* Reduce logs in security/pkg/nodeagent/sds/
https://github.com/istio/istio/issues/13033
* Count the log output times
* Revise the PR based on review comments
* move pkg/mcp/configz to pkg/mcp/configz/client (#12982)
Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
* Restore TestMtlsHealthCheck in postsubmit, prow. (#12969)
* restore test to debug.
* add presubmit label to the test for triggering.
* change to only run in postsubmit.
* remove postsubmit label just comment.
* Enable more linters and fix warnings/errors (#12993)
* Cherry pick cert file config from master to release-1.1 (#12707)
* Cherry pick from master: Configuration: no longer hardcode mesh certs (#12189)
* Configuration: Pilot-Agent: no longer hardcode certs to watch. Pilot-Discovery: no longer hardcode Envoy listener cert paths.
* Address demands of golangcibot overlord
* Change usages of github.com/stretchr/testify/require to github.com/stretchr/testify/assert
* Address code style violation
* Revert temporary api changes. Set cert paths in envoy node metadata and use them when setting up listeners
* Use envoy node metadata cert paths (if available) when constructing clusters
* Rename constants to make golint happy
* Fix imports
* Ignore ordering in test
* Pass around proxy instead of proxy.Metadata
(cherry picked from commit 7c342741df9bd4e313420b4d17e279089d8956da)
* goimports file
* Allow limiting Citadel to marked namespaces only (#12289)
* Allow limiting Citadel to marked namespaces only
- add command line flag to require explicit opt-in to secrets (defaults to false to retain current behavior of always create)
- extend secret controller to consider namespace labels (reuses existing 'istio-injected=enabled')
- modify unit tests to retain previous behavior (i.e., always create secrets, explicit opt-in not required) and account for additional namespace access
* removed left-over debug print, check enable only when explicit opt-in is required
* reverting k8s actions in tests: namespaces no longer checked when explicit opt-in is false
* unit tests for checking labels and behavior
* Namespace specified in command line is explicitly enabled
- save namespace specified in the `--listened-namespace` option on the controller (allow multiple to prepare for r1.1)
- check SA namespace against explicit namespaces
* use dedicated label name to avoid overloading the injection label
* use istio-managed label in tests
* clarified explicit-opt-in is relevant for keys and certificates provided via a volume mount
* refactor istio managed object test to a function so it can be called from secret deletion handler as well
* fix left over istio-injection label in tests
* manual merge fix
* appsv1 galley (#13047)
* Add support for datadog tracing (on release-1.1 branch) (#12687)
* Add support for datadog tracing.
Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com>
* Use $(HOST_IP) instead of special-casing empty address value
Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com>
* add param to sidecar to ignore iptables changes (#12829)
* add param to sidecar to ignore iptables changes
* rephrase description
* samples/bookinfo: migrate `apiVersion` of deployments to `apps/v1` (#13030)
* fix validation logic so that port.name is no longer a valid PortSelector (#13054)
* [Test Framework]: Galley support for deleting config (#13037)
In order to properly support deleting resources, it was necessary to revisit how ApplyConfig is done as well. Previously, apply would just blindly copy the yaml to a new file in the configDir. The assumption was that the resource was always being "added" (rather than updated). I'm not certain what would happen if two resources appeared with the same name/namespace.
This PR generalizes (and fixes) the way resources are handled so that it's not concerned with files, but rather the underlying resources. The code now parses the top-portion of the yaml to properly identify each resource. Once identified, the code now properly updates resources by writing back to the file where the resource was found. Deletes are similar, where the original resource in the file is replaced with "" (empty files are removed).
* Support controlz for mcp server (#12980)
* Support controlz for mcp server
Signed-off-by: clyang82 <clyang@cn.ibm.com>
* fix lint error
* Address review comments
Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
* generalize artifact injection into Docker images (#12203)
Instead of just adding LICENSES.txt only, also optionally add in the
source code as well, gating on the new EXTRA_ARTIFACTS and
EXTRA_ARTIFACTS_CNI environment variables.
Change-Id: Iab8fadfbcbbaa8906491e12324fae20185d9f33e
* Keep going when problem happens checking remote version (#13060)
* remove deprecated show-all flag (#13053)
* Add x alias to experimental istioctl command (#11801)
* Add x alias to experimental istioctl command
I'm super lazy and experimental is far too much effort to type
Signed-off-by: Liam White <liam@tetrate.io>
* Add exp as an additional alias
Signed-off-by: Liam White <liam@tetrate.io>
* Correct the app label for Gateway (#12693)
* update selector for gateway
Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
* fix build fail
Signed-off-by: clyang82 <clyang@cn.ibm.com>
* Update tracing_datadog_golden.json (#13082)
* Fix small typo (#13089)
can useful -> can be useful
* Add jitter in CSR request (#12805)
* Add jitter in CSR request
* Add log
* Fix comments
* Fix test
* Fix test
* Fix comment
* Allows cleanup.sh to run non-interactively when in terminal (#12635)
This change allows cleanup.sh to run non-interactively in standard terminals.
For example: NAMESPACE="test123" ./cleanup.sh
* 'istioctl proxy-config clusters' cluster type column rendering (#12458) (#12730)
* update sds secret mount. (#12733)
* Copy data from right place (#12762)
* Fix updateClusterInc for overlapping ports (#12766)
* Fix updateClusterInc for overlapping ports
It is possible that a service will have multiple ports, with the same
port number. The typical example here is kube-dns, which uses port 53
for UDP and TCP. When we do an incremental push, we would select the
first port to match the port number, which would sometimes cause us to
ignore the correct port. This fix searches through all matching ports.
* Ensure port number matches as well
* Add unit tests
* remove dead code
* enable default sidecarscope (#12832)
* [Galley] Fix for ServiceEntry event ordering (#12890)
The integration test was encountering this, exposing a real bug. If nodes/pod events occur after service/endpoints (which should generally be unusual) then it is possible to have a ServiceEntry missing pod/node information (e.g. locality).
Fixes #12820
* Adding sha for istio/tools to manifest.txt for future automation of perf tests (#11706)
* Copy helm data from the right place (#12808)
* Refactor solution based on Costin's feedback (#13027)
Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
* Enable more linters and fix warnings/errors (#13061)
* Making tags requirement same as those in Kubernetes (#12852)
* Making tags requirement same as those in Kubernetes
Changing validation check to make sure non-empty tags start with an
alphanumeric character
* Validating label keys are not empty strings
Allow empty string for label values
Do not allow empty string for label keys
* Added certmanager flag into helm chart values.yaml (#12953)
* Added certmanager flag into helm chart values.yaml
* Moved certmanager configuration
* Pilot [networking]: Add upstream idle_timeout to cluster definition (#13066)
* adding upstream idle_timeout to cluster definition.
* reverting vendor changes before running dep ensure again.
* running dep ensure update on api from master.
* controlPlaneMtls renamed to controlPlaneSecurityEnabled (#13141)
* Patch #12805 to master (#13104)
* Patch #12805 to master
* Fix lint
* Fix HelmDelete command (#12515)
* Fix HelmDelete command
HelmDelete was called with the namespace; it needs to be called
with a chartname. Also created a constant to make it more
obvious when called by the other Helm related commands.
* Fix typo
* Goimports fix
* ight modification path (#13148)
* Allow overriding of registry locality (#13077)
Also fixes bug where non-kube envs could override to something that parsed incorrectly
Signed-off-by: Liam White <liam@tetrate.io>
* mixer: add support for standard CRDs for compiled-in adapters (#12815)
* cherry pick subset of https://github.com/istio/istio/pull/12689/
Signed-off-by: Kuat Yessenov <kuat@google.com>
* add support for compiled in adapters
Signed-off-by: Kuat Yessenov <kuat@google.com>
* patch log line
Signed-off-by: Kuat Yessenov <kuat@google.com>
* parse cert to get expire time (#13145)
* parse cert
* cleanup
* unit test coverage
* missing file
* address comments
* rebase and address comment
* Installing istio for perf testing (#13159)
* Perf scripts
* gsutil
* WD
* perf running and getting metrics
* Perf
* perf
* perf
* Perf
* remove
* qq
* Appsv1 pilot (#13050)
* appsv1 for Pilot
* appsv1 for Pilot
* appsv1 for Pilot
* dep update
* fix test
* fix test
* fix test
* fix test
* fix test
* typo
* typo
* typo
* typo
* typo
* update go-control-plane (#13154)
Signed-off-by: Kuat Yessenov <kuat@google.com>
* added sidecar.istio.io/rewriteAppProbers annotation (#13112)
* pilot: registered sidecar.istio.io/rewriteAppProbers annotation
* pilot: checked from sidecar.istio.io/rewriteAppProbers too
* pilot: added webhook inject tests
TestWebhookInject_http_probe_rewrite_enabled_via_annotation case is a modification of TestWebhookInject_http_probe_rewrite case.
The difference is rewriteAppHTTPProbe is false in template, but set to true in annotation.
TestWebhookInject_http_probe_rewrite_disabled_via_annotation case is a modification of TestWebhookInject case.
The difference is rewriteAppHTTPProbe is true in template, but set to false in annotation.
* fixed linter issue in test
* added http probe test for kubeinject case
* added tests and fixed login upon checking RewriteAppHTTPProbe setting
* Add more tests in app_probe_test.go
* renamed RewriteAppProbers to RewriteAppHTTPProbers
* fixed test case for webhook injection
* add description to rewriteAppHTTPProbers annotation
* updated tests in app probe to sync with recent master change
* change validateBool to alwaysValidFunc as per review
* Export inject.injectionData() (#12426)
* Registrator should use master version (#13083)
* dependencies: update cel-go and remove protoc-gen-docs (#12711)
* experiment with COMPAT
Signed-off-by: Kuat Yessenov <kuat@google.com>
* get errors
Signed-off-by: Kuat Yessenov <kuat@google.com>
* get errors
Signed-off-by: Kuat Yessenov <kuat@google.com>
* stop validation
Signed-off-by: Kuat Yessenov <kuat@google.com>
* remove hack
Signed-off-by: Kuat Yessenov <kuat@google.com>
* testing
Signed-off-by: Kuat Yessenov <kuat@google.com>
* only access log
Signed-off-by: Kuat Yessenov <kuat@google.com>
* debugging
Signed-off-by: Kuat Yessenov <kuat@google.com>
* debugging
Signed-off-by: Kuat Yessenov <kuat@google.com>
* debugging
Signed-off-by: Kuat Yessenov <kuat@google.com>
* debugging
Signed-off-by: Kuat Yessenov <kuat@google.com>
* debugging
Signed-off-by: Kuat Yessenov <kuat@google.com>
* add runtimeconfig
Signed-off-by: Kuat Yessenov <kuat@google.com>
* add a benchmark
Signed-off-by: Kuat Yessenov <kuat@google.com>
* cel_perf
Signed-off-by: Kuat Yessenov <kuat@google.com>
* update cel
Signed-off-by: Kuat Yessenov <kuat@google.com>
* update examples
Signed-off-by: Kuat Yessenov <kuat@google.com>
* remove unnecessary dependencies
Signed-off-by: Kuat Yessenov <kuat@google.com>
* Fixing copy for helm, one more time. (#13186)
* Run goimports on generated file (#13195)
* Enable disabled mixer tests in New Test Framework (#13151)
* Enable disabled mixer tests in NF
* Change tests config to new style
* Change tests config to new style
* Change tests config to new style
* Fix config for native policybackend
* Fix report test
* Reduce Pilot resource requests for demo (#12477)
* Reduce Pilot resource requests for demo
* Add limits as well
* Added data source for Galley dashboard (#13041)
Fixes: #13040
* fix values for pod anti-affinity. (#12798)
* Add sensible defaults to istio-gateways (#12315)
* report succeed after validation (#13165)
* report succeed after validation
* review comments
* Change exposed port of istio-pilot in consul (#13170)
`15003` and `15005` are never used in pilot under consul env. It would be confusing to expose the two ports. Instead,
```
--grpcAddr string Discovery service grpc address (default ":15010")
--secureGrpcAddr string Discovery service grpc address, with https (default ":15012")
```
we know `15010` and `15012` are still in use.
* Cherrypick: Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916) (#12973)
* Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916)
* Add wildcard route fallthrough
Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port.
Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there
is already an http service. This is misleading, as it can be conflated
with a 404 error returned from the actual service. When in REGISTRY_ONLY
mode, we instead return a 502 error to indicate the request is blocked.
* add unit tests
* Remove node-level flag
* Fix tests
* Use new env var framework
* Fix long line
* Run format and linter
* CEL checker mutex (#13192)
* checker mutex
Signed-off-by: Kuat Yessenov <kuat@google.com>
* deadlock
Signed-off-by: Kuat Yessenov <kuat@google.com>
* Integration testing for Locality Load Balancing (#13084)
* Initial testing functionality
Signed-off-by: Liam White <liam@tetrate.io>
* appease the linting gods
Signed-off-by: Liam White <liam@tetrate.io>
* Fall back to bootstrap locality as a last resort
Signed-off-by: Liam White <liam@tetrate.io>
* Move service instance check after we set them...
Signed-off-by: Liam White <liam@tetr…
No description provided.