Fix Gateway API tests to consider istio test cli flags by german1608 · Pull Request #56704 · istio/istio

german1608 · 2025-06-19T21:10:04Z

Please provide a description of this PR:

Some of the gateway API tests didn't consider some of the istio.test flags to locate the istio deploy (e.g. --istio.test.revision, --istio.test.kube.systemNamespace, --istio.test.kube.ingressGatewayServiceName, --istio.test.kube.ingressGatewayServiceNamespace).

This PR:

Sets istio.io/rev=rev when revision is supplied in tests that installed Gateway resources (otherwise they are not considered by istiod)
Installs the Gateway object in the ingress service namespace (which might be different than the istio namespace) for the UnmanagedGatewayTest
Updates the istioctl.Config to include the istioNamespace when running istioctl commands in the TaggedGatewayTest (which is something that might be useful in other modules)

To help us figure out who should review this PR, please put an X in all the areas that this PR affects.

Please check any characteristics that apply to this pull request.

Does not have any user-facing changes. This may include CLI changes, API changes, behavior changes, performance improvements, etc.

istio-testing · 2025-06-19T21:10:16Z

Hi @german1608. Thanks for your PR.

I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

keithmattix · 2025-06-19T21:12:47Z

/ok-to-test

keithmattix · 2025-06-19T21:13:56Z

tests/integration/pilot/gateway_test.go

 kind: Gateway
 metadata:
  name: gateway
+  {{- if .revision }}


If the revision is the default revision, we shouldn't need to label the gateway right? It would get created by whatever revision is the default revision

Yes. Should we add logic to not set this label if so? Also: How can I get the default revision?

nvm, I figured it out! .Revisions.Default()

But why do we need to set the label to begin with? Are we trying to test a story where a gateway is owned by a different revision?

If the tests are ran using an specific istio revision, which is not the default, the gateway will not be programmed unless we explicitly set this label

But the environment should be setting default revision probably right?

What do you mean here with the "environment"?

The pre-installed istio installation should be setting the default revision. My concern with this change is that it's different from the typical/correct user experience. If the defaultRevision is correctly set, no user should need to set revision explicitly on the gateway

I understand your concern.

I ran the tests again without setting the revision label in all the tests (TestManagedGateway, TestUnmanagedGateway) and:

In TestManagedGateway is not necessary as we install the gateway in the test namespace, which already has the istio.io/rev label

In TestUnmanagedGateway, the Gateway is installed in istio-system (by default, which is where the ingress gateway is installed by default), and that namespace does not have istio.io/rev label. Thus, we still need the tag in here to make sure the test passes if a different namespace is provided

Thus, we still need the tag in here to make sure the test passes if a different namespace is provided

This is exactly my point; it shouldn't matter if the namespace is provided, labeled or not. If there is a default revision set in the mesh installation, the gateway should be injected and come up no matter what. I'm being a bit insistent on this because I've seen bugs around this in the past and I want to make sure they're caught in tests

keithmattix · 2025-06-19T21:14:02Z

tests/integration/pilot/gateway_test.go

 func ManagedGatewayTest(t framework.TestContext) {
-	t.ConfigIstio().YAML(apps.Namespace.Name(), `apiVersion: gateway.networking.k8s.io/v1beta1
+	templateArgs := map[string]string{
+		"revision": t.Settings().Revision,


What if revision is ""? We probably shouldn't set anything

It's being handled by the template already.

german1608 · 2025-06-20T16:55:55Z

/ok-to-test

german1608 · 2025-06-21T00:35:18Z

/test integ-pilot

german1608 · 2025-06-21T01:52:05Z

/test integ-pilot

german1608 · 2025-06-21T04:41:33Z

/test integ-pilot

german1608 · 2025-06-21T04:58:21Z

I think I'll need the help of an admin/owner to bypass the release-notes_istio as this PR does not require it really.

dhawton · 2025-06-21T18:25:18Z

/test release-notes

…t for remaining test

german1608 · 2025-06-24T22:32:31Z

/test integ-ipv6

german1608 · 2025-06-24T22:34:26Z

Can I have a set of eyes from @istio/wg-test-and-release-maintainers ?

* set revision when running istioctl * Add revision to gateway in ManagedGatewayTest * Do not hardcode istio-system in UnamagedGatewayTest * include istioNamespace in istioctl commands for TaggedGatewayTest * Use Revisions instead of Revision (later is deprecated) * only set --istioNamespace is c.istioNamespace * If ingress gateway ns not set, use istio-system * set also ingress gateway svc name * remove revision from ManagedGatewayTest (not needed), add TODO comment for remaining test

* Initial changes to reach label selector from mesh config to update endpoints Signed-off-by: Jackie Elliott <jaellio@microsoft.com> Pass MeshConfig to GlobalMergedWorkloadServicesCollection Signed-off-by: Jackie Elliott <jaellio@microsoft.com> Add cluster and listener service filtering for waypoints and e/w gateways Signed-off-by: Jackie Elliott <jaellio@microsoft.com> Respond to PR feedback Signed-off-by: Jackie Elliott <jaellio@microsoft.com> Add more tests Signed-off-by: Jackie Elliott <jaellio@microsoft.com> Fix incorrect waypoint logic. In ambient mode, e/w gateways and waypoints are both node.Type Waypoints Signed-off-by: Jackie Elliott <jaellio@microsoft.com> Remove unused ServicesForGateway Signed-off-by: Jackie Elliott <jaellio@microsoft.com> Updated failing lint and add a release note Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Filter services in ServiceServiceBuilder and check feature flag for ambient multi network. Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Move feature flag set to avoid race Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix race Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Remove ScopeByService on workload Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix fmt Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Add scope to serviceInfo equality check Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Also add Service SANS * [REMOVE ME] enable multinetwork ambient by default * Move number theory functions to math module * Even capacity distribution with multiple gateways * Automatically include waypoint svc of global svcs * Some refactoring too * Messy checkpoint * Random * Jackie rebase * Jackie rebase * Tests passing (?) * Lint * Enable domain suffixes * fix tests again * Make gen * Add e/w gateway support for ambient multi network tests Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix integration tests Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix lint/gen and test failures Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Tests passing (?) * Lint * Automator: update proxy@master in istio/istio@master (#56771) * Fix Gateway API tests to consider istio test cli flags (#56704) * set revision when running istioctl * Add revision to gateway in ManagedGatewayTest * Do not hardcode istio-system in UnamagedGatewayTest * include istioNamespace in istioctl commands for TaggedGatewayTest * Use Revisions instead of Revision (later is deprecated) * only set --istioNamespace is c.istioNamespace * If ingress gateway ns not set, use istio-system * set also ingress gateway svc name * remove revision from ManagedGatewayTest (not needed), add TODO comment for remaining test * feat: represent revision tags using services (#56141) * first iteration of using services and mutatingwebhooks as tags * include namespaces * log warnings on conflict * rename revision-tags to revision-tags-mwc.yaml * Create service tags on helm istiod chart * initial iteration for istioctl tag set * include IstioNamespace in GenerateOptions * Update signature of Generate to return a list of objects to generate * consider service if running ambient * go back to strings when returning * go back to string completely, delete TagResources * rename service object * move break to correct line * implement istioctl tag remove * add uniqTagsFromServices and uniqTagsFromWebhooks * istioctl tag list consider services * add operatorManageWebhooks guard to revision-tags-mwc.yaml * rename revision-tags.yaml to revision-tags-svc.yaml * refactor delete test case * test istioctl tag list * remove ambient check, create and manage both resources at the same time * wip test cases * remove controlplane mode * fix test * my own code review * fix compilation error * fix lint * wip integ-helm_istio * add app=istiod label filter * merge override labels in generate.go * add release note * set owner labels to revision service tag * rollback changes on e2e for helm * fix helm e2e * use servicesAfters instead of webhooksAfter in tag_test.go assertion log * Remove unnecessary deprecation message * refactor tag_test.go to reduce diff size * Update client go (#56780) * Automator: update istio/client-go@master dependency in istio/istio@master * fix test * fix more * fix TestTelemetryMetricsExhaustiveness --------- Co-authored-by: istio-testing <istio-testing-bot@google.com> * Automator: update istio/client-go@master dependency in istio/istio@master (#56781) * Impl RetryBudget in DestinationRule (#56782) * impl RetryBudget * release notes * add test case * add release notes for ClusterTrustBundle (#56748) * Add domain resolve to Ambient TestServiceEntryInlinedWorkloadEntry test (#56784) When executing TestServiceEntryInlinedWorkloadEntry Ambient test in a public cloud based cluster, the created ingress is a domain based name and the test fails with the following error: configuration is invalid: endpoint address "a6eec2a91721a42b0aa8e140fc6611fc-1873540778.us-east-1.elb.amazonaws.com" is not a valid IP address Add a domain name resolution to ip based address. Signed-off-by: Maxim Babushkin <mbabushk@redhat.com> * Automator: update common-files@master in istio/istio@master (#56788) * Automator: update proxy@master in istio/istio@master (#56789) * Do not transitively import net/trace (#56637) * Do not transitively import net/trace This drops 300kb off the binary. Note a big deal but #56636 is a 5mb potentional and this is a step to it * drop license * Automator: update istio/client-go@master dependency in istio/istio@master (#56790) * do not use discovery filter for system namespace network (#56687) * do not use discovery filter for system namespace network * relnote * revert label selector * Automator: update proxy@master in istio/istio@master (#56794) * status: fix busyloop (#56798) This has been observed to cause extremely high CPU usage as we busyloop. Basically if we have at least 1 pending item, and we re-enqueue and actively worked on item, it will busy loop until the actively worked on item is handled. We should instead kill this worker. The other worker will handle the task when it completes * Gateway: provide stable HTTPRoute status ordering (#56504) * Add test cases * gateway: emit HTTPRoute status in a stable ordering * Update tests * fix test * Automator: update ztunnel@master in istio/istio@master (#56803) * manifests: refactor conditions for tproxy and capNetBindService (#56809) * manifests: refactor conditions for TPROXY Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> * Encapsulate checking capNetBindService Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> --------- Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> * tests: assign privileged SCC to tproxy SA on OpenShift (#56799) * tests: assign privileged SCC to tproxy SA on OpenShift Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> * Rename bool variable `openshift` to `isOpenShift` Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> * Fix a typo in CRB name Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> --------- Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> * fix dns althost name generation (#56806) * fix dns althost name generation Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * remove unnecessary test change Signed-off-by: Rama Chavali <rama.rao@salesforce.com> --------- Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * add gateway implementation for retry budget (#56808) * add gateway implementation for retry budget Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * comments Signed-off-by: Rama Chavali <rama.rao@salesforce.com> --------- Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * tcp/tls route: fix multiple parent binds (#56818) Fixes #56769 The problem was we had non-unique names for each generated object. Add unit tests and fix to use the same counting appraoch HTTP/GRPC uses * Automator: update proxy@master in istio/istio@master (#56813) * Add annotation support to deployment object in istio discovery chart (#56787) * Add deployment object annotation support to istio discovery chart * Add release note for deployment object annotation support to istiod chart * Automator: update go-control-plane in istio/istio@master (#56821) * Automator: update proxy@master in istio/istio@master (#56822) * Automator: update proxy@master in istio/istio@master (#56823) * Automator: update proxy@master in istio/istio@master (#56829) * Create Istio owned CNI config (#56156) * Create Istio owned CNI config Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Set CNIConfName to primary CNI config file name Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Make Istio owned cni config opt in and the config name configurable Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Add warning for invalid istio own cni config filename priority Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Add release note Signed-off-by: Jackie Elliott <jaellio@microsoft.com> --------- Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Revert "feat: represent revision tags using services (#56141)" (#56833) This reverts commit 0550a31. * Automator: update istio/client-go@master dependency in istio/istio@master (#56835) * Automator: update ztunnel@master in istio/istio@master (#56840) * improve istioctl dashboard example (#56842) Signed-off-by: xin.li <xin.li@daocloud.io> * Automator: update common-files@master in istio/istio@master (#56834) * Automator: update proxy@master in istio/istio@master (#56846) * Enable domain suffixes * fix tests again * Make gen * Respond to Keith's PR feedback Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix get and comparison * review part 1 * Fix gen Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Add support waypoint visibility at network gateways when the waypoint has globally scoped services Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Get rid of splithorizon specific stuff * lint * lint * - deploy e/w gateway with blackhole listener/cluster if ambient multinetwork is enable to allow for existence even if no globally scoped services exist - utilize existing apps for integration tests Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * wait on eastwest gateway by checking programmed status Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Minimize diff * Update default servicescopeconfig and duplicate DeployGatewayAPI for simplicity Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix indentation and remove unrelated file Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Compare networks rather than cluster id to determine locality Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * review part 2 * correct east west gw svc name * Use correct address for e/w gateway and compare networks rather than clusterids Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Add todo and remove duplicate config Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix flakes * Add comment to fix e/w gateway service lookup perf in beta Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Include network gateways * use other network gateway * Use name when generating ewgateway workloads * Keith review * Don't use gateway suffixes * releasenotes * Fix service merging and nwgateway naming * Issue about multiple network gateways * Lint, fix test, and remove release note * Jackie review * More docs --------- Signed-off-by: Jackie Elliott <jaellio@microsoft.com> Signed-off-by: Maxim Babushkin <mbabushk@redhat.com> Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> Signed-off-by: Rama Chavali <rama.rao@salesforce.com> Signed-off-by: xin.li <xin.li@daocloud.io> Co-authored-by: Jackie Elliott <jaellio@microsoft.com> Co-authored-by: Istio Automation <istio-testing-bot@google.com> Co-authored-by: German Robayo <germanrobayo33@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com> Co-authored-by: Maxim Babushkin <mbabushk@redhat.com> Co-authored-by: John Howard <howardjohn@google.com> Co-authored-by: Steven Landow <steven@landow.dev> Co-authored-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> Co-authored-by: Rama Chavali <rama.rao@salesforce.com> Co-authored-by: Ramal Abeysekera <ramal.abeysekera@hotmail.com> Co-authored-by: Jackie Maertens (Elliott) <64559656+jaellio@users.noreply.github.com> Co-authored-by: Keith Mattix II <keithmattix2@gmail.com> Co-authored-by: my-git9 <xin.li@daocloud.io>

* Initial changes to reach label selector from mesh config to update endpoints Signed-off-by: Jackie Elliott <jaellio@microsoft.com> Pass MeshConfig to GlobalMergedWorkloadServicesCollection Signed-off-by: Jackie Elliott <jaellio@microsoft.com> Add cluster and listener service filtering for waypoints and e/w gateways Signed-off-by: Jackie Elliott <jaellio@microsoft.com> Respond to PR feedback Signed-off-by: Jackie Elliott <jaellio@microsoft.com> Add more tests Signed-off-by: Jackie Elliott <jaellio@microsoft.com> Fix incorrect waypoint logic. In ambient mode, e/w gateways and waypoints are both node.Type Waypoints Signed-off-by: Jackie Elliott <jaellio@microsoft.com> Remove unused ServicesForGateway Signed-off-by: Jackie Elliott <jaellio@microsoft.com> Updated failing lint and add a release note Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Filter services in ServiceServiceBuilder and check feature flag for ambient multi network. Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Move feature flag set to avoid race Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix race Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Remove ScopeByService on workload Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix fmt Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Add scope to serviceInfo equality check Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Also add Service SANS * [REMOVE ME] enable multinetwork ambient by default * Move number theory functions to math module * Even capacity distribution with multiple gateways * Automatically include waypoint svc of global svcs * Some refactoring too * Messy checkpoint * Random * Jackie rebase * Jackie rebase * Tests passing (?) * Lint * Enable domain suffixes * fix tests again * Make gen * Add e/w gateway support for ambient multi network tests Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix integration tests Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix lint/gen and test failures Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Tests passing (?) * Lint * Automator: update proxy@master in istio/istio@master (istio#56771) * Fix Gateway API tests to consider istio test cli flags (istio#56704) * set revision when running istioctl * Add revision to gateway in ManagedGatewayTest * Do not hardcode istio-system in UnamagedGatewayTest * include istioNamespace in istioctl commands for TaggedGatewayTest * Use Revisions instead of Revision (later is deprecated) * only set --istioNamespace is c.istioNamespace * If ingress gateway ns not set, use istio-system * set also ingress gateway svc name * remove revision from ManagedGatewayTest (not needed), add TODO comment for remaining test * feat: represent revision tags using services (istio#56141) * first iteration of using services and mutatingwebhooks as tags * include namespaces * log warnings on conflict * rename revision-tags to revision-tags-mwc.yaml * Create service tags on helm istiod chart * initial iteration for istioctl tag set * include IstioNamespace in GenerateOptions * Update signature of Generate to return a list of objects to generate * consider service if running ambient * go back to strings when returning * go back to string completely, delete TagResources * rename service object * move break to correct line * implement istioctl tag remove * add uniqTagsFromServices and uniqTagsFromWebhooks * istioctl tag list consider services * add operatorManageWebhooks guard to revision-tags-mwc.yaml * rename revision-tags.yaml to revision-tags-svc.yaml * refactor delete test case * test istioctl tag list * remove ambient check, create and manage both resources at the same time * wip test cases * remove controlplane mode * fix test * my own code review * fix compilation error * fix lint * wip integ-helm_istio * add app=istiod label filter * merge override labels in generate.go * add release note * set owner labels to revision service tag * rollback changes on e2e for helm * fix helm e2e * use servicesAfters instead of webhooksAfter in tag_test.go assertion log * Remove unnecessary deprecation message * refactor tag_test.go to reduce diff size * Update client go (istio#56780) * Automator: update istio/client-go@master dependency in istio/istio@master * fix test * fix more * fix TestTelemetryMetricsExhaustiveness --------- Co-authored-by: istio-testing <istio-testing-bot@google.com> * Automator: update istio/client-go@master dependency in istio/istio@master (istio#56781) * Impl RetryBudget in DestinationRule (istio#56782) * impl RetryBudget * release notes * add test case * add release notes for ClusterTrustBundle (istio#56748) * Add domain resolve to Ambient TestServiceEntryInlinedWorkloadEntry test (istio#56784) When executing TestServiceEntryInlinedWorkloadEntry Ambient test in a public cloud based cluster, the created ingress is a domain based name and the test fails with the following error: configuration is invalid: endpoint address "a6eec2a91721a42b0aa8e140fc6611fc-1873540778.us-east-1.elb.amazonaws.com" is not a valid IP address Add a domain name resolution to ip based address. Signed-off-by: Maxim Babushkin <mbabushk@redhat.com> * Automator: update common-files@master in istio/istio@master (istio#56788) * Automator: update proxy@master in istio/istio@master (istio#56789) * Do not transitively import net/trace (istio#56637) * Do not transitively import net/trace This drops 300kb off the binary. Note a big deal but istio#56636 is a 5mb potentional and this is a step to it * drop license * Automator: update istio/client-go@master dependency in istio/istio@master (istio#56790) * do not use discovery filter for system namespace network (istio#56687) * do not use discovery filter for system namespace network * relnote * revert label selector * Automator: update proxy@master in istio/istio@master (istio#56794) * status: fix busyloop (istio#56798) This has been observed to cause extremely high CPU usage as we busyloop. Basically if we have at least 1 pending item, and we re-enqueue and actively worked on item, it will busy loop until the actively worked on item is handled. We should instead kill this worker. The other worker will handle the task when it completes * Gateway: provide stable HTTPRoute status ordering (istio#56504) * Add test cases * gateway: emit HTTPRoute status in a stable ordering * Update tests * fix test * Automator: update ztunnel@master in istio/istio@master (istio#56803) * manifests: refactor conditions for tproxy and capNetBindService (istio#56809) * manifests: refactor conditions for TPROXY Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> * Encapsulate checking capNetBindService Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> --------- Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> * tests: assign privileged SCC to tproxy SA on OpenShift (istio#56799) * tests: assign privileged SCC to tproxy SA on OpenShift Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> * Rename bool variable `openshift` to `isOpenShift` Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> * Fix a typo in CRB name Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> --------- Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> * fix dns althost name generation (istio#56806) * fix dns althost name generation Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * remove unnecessary test change Signed-off-by: Rama Chavali <rama.rao@salesforce.com> --------- Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * add gateway implementation for retry budget (istio#56808) * add gateway implementation for retry budget Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * comments Signed-off-by: Rama Chavali <rama.rao@salesforce.com> --------- Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * tcp/tls route: fix multiple parent binds (istio#56818) Fixes istio#56769 The problem was we had non-unique names for each generated object. Add unit tests and fix to use the same counting appraoch HTTP/GRPC uses * Automator: update proxy@master in istio/istio@master (istio#56813) * Add annotation support to deployment object in istio discovery chart (istio#56787) * Add deployment object annotation support to istio discovery chart * Add release note for deployment object annotation support to istiod chart * Automator: update go-control-plane in istio/istio@master (istio#56821) * Automator: update proxy@master in istio/istio@master (istio#56822) * Automator: update proxy@master in istio/istio@master (istio#56823) * Automator: update proxy@master in istio/istio@master (istio#56829) * Create Istio owned CNI config (istio#56156) * Create Istio owned CNI config Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Set CNIConfName to primary CNI config file name Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Make Istio owned cni config opt in and the config name configurable Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Add warning for invalid istio own cni config filename priority Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Add release note Signed-off-by: Jackie Elliott <jaellio@microsoft.com> --------- Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Revert "feat: represent revision tags using services (istio#56141)" (istio#56833) This reverts commit 0550a31. * Automator: update istio/client-go@master dependency in istio/istio@master (istio#56835) * Automator: update ztunnel@master in istio/istio@master (istio#56840) * improve istioctl dashboard example (istio#56842) Signed-off-by: xin.li <xin.li@daocloud.io> * Automator: update common-files@master in istio/istio@master (istio#56834) * Automator: update proxy@master in istio/istio@master (istio#56846) * Enable domain suffixes * fix tests again * Make gen * Respond to Keith's PR feedback Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix get and comparison * review part 1 * Fix gen Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Add support waypoint visibility at network gateways when the waypoint has globally scoped services Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Get rid of splithorizon specific stuff * lint * lint * - deploy e/w gateway with blackhole listener/cluster if ambient multinetwork is enable to allow for existence even if no globally scoped services exist - utilize existing apps for integration tests Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * wait on eastwest gateway by checking programmed status Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Minimize diff * Update default servicescopeconfig and duplicate DeployGatewayAPI for simplicity Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix indentation and remove unrelated file Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Compare networks rather than cluster id to determine locality Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * review part 2 * correct east west gw svc name * Use correct address for e/w gateway and compare networks rather than clusterids Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Add todo and remove duplicate config Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix flakes * Add comment to fix e/w gateway service lookup perf in beta Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Include network gateways * use other network gateway * Use name when generating ewgateway workloads * Keith review * Don't use gateway suffixes * releasenotes * Fix service merging and nwgateway naming * Issue about multiple network gateways * Lint, fix test, and remove release note * Jackie review * More docs --------- Signed-off-by: Jackie Elliott <jaellio@microsoft.com> Signed-off-by: Maxim Babushkin <mbabushk@redhat.com> Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> Signed-off-by: Rama Chavali <rama.rao@salesforce.com> Signed-off-by: xin.li <xin.li@daocloud.io> Co-authored-by: Jackie Elliott <jaellio@microsoft.com> Co-authored-by: Istio Automation <istio-testing-bot@google.com> Co-authored-by: German Robayo <germanrobayo33@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com> Co-authored-by: Maxim Babushkin <mbabushk@redhat.com> Co-authored-by: John Howard <howardjohn@google.com> Co-authored-by: Steven Landow <steven@landow.dev> Co-authored-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> Co-authored-by: Rama Chavali <rama.rao@salesforce.com> Co-authored-by: Ramal Abeysekera <ramal.abeysekera@hotmail.com> Co-authored-by: Jackie Maertens (Elliott) <64559656+jaellio@users.noreply.github.com> Co-authored-by: Keith Mattix II <keithmattix2@gmail.com> Co-authored-by: my-git9 <xin.li@daocloud.io>

* Initial changes to reach label selector from mesh config to update endpoints Pass MeshConfig to GlobalMergedWorkloadServicesCollection Add cluster and listener service filtering for waypoints and e/w gateways Respond to PR feedback Add more tests Fix incorrect waypoint logic. In ambient mode, e/w gateways and waypoints are both node.Type Waypoints Remove unused ServicesForGateway Updated failing lint and add a release note * Filter services in ServiceServiceBuilder and check feature flag for ambient multi network. * Move feature flag set to avoid race * Fix race * Remove ScopeByService on workload * Fix fmt * Add scope to serviceInfo equality check * Also add Service SANS * [REMOVE ME] enable multinetwork ambient by default * Move number theory functions to math module * Even capacity distribution with multiple gateways * Automatically include waypoint svc of global svcs * Some refactoring too * Messy checkpoint * Random * Jackie rebase * Jackie rebase * Tests passing (?) * Lint * Enable domain suffixes * fix tests again * Make gen * Add e/w gateway support for ambient multi network tests * Fix integration tests * Fix lint/gen and test failures * Tests passing (?) * Lint * Automator: update proxy@master in istio/istio@master (#56771) * Fix Gateway API tests to consider istio test cli flags (#56704) * set revision when running istioctl * Add revision to gateway in ManagedGatewayTest * Do not hardcode istio-system in UnamagedGatewayTest * include istioNamespace in istioctl commands for TaggedGatewayTest * Use Revisions instead of Revision (later is deprecated) * only set --istioNamespace is c.istioNamespace * If ingress gateway ns not set, use istio-system * set also ingress gateway svc name * remove revision from ManagedGatewayTest (not needed), add TODO comment for remaining test * feat: represent revision tags using services (#56141) * first iteration of using services and mutatingwebhooks as tags * include namespaces * log warnings on conflict * rename revision-tags to revision-tags-mwc.yaml * Create service tags on helm istiod chart * initial iteration for istioctl tag set * include IstioNamespace in GenerateOptions * Update signature of Generate to return a list of objects to generate * consider service if running ambient * go back to strings when returning * go back to string completely, delete TagResources * rename service object * move break to correct line * implement istioctl tag remove * add uniqTagsFromServices and uniqTagsFromWebhooks * istioctl tag list consider services * add operatorManageWebhooks guard to revision-tags-mwc.yaml * rename revision-tags.yaml to revision-tags-svc.yaml * refactor delete test case * test istioctl tag list * remove ambient check, create and manage both resources at the same time * wip test cases * remove controlplane mode * fix test * my own code review * fix compilation error * fix lint * wip integ-helm_istio * add app=istiod label filter * merge override labels in generate.go * add release note * set owner labels to revision service tag * rollback changes on e2e for helm * fix helm e2e * use servicesAfters instead of webhooksAfter in tag_test.go assertion log * Remove unnecessary deprecation message * refactor tag_test.go to reduce diff size * Update client go (#56780) * Automator: update istio/client-go@master dependency in istio/istio@master * fix test * fix more * fix TestTelemetryMetricsExhaustiveness --------- * Automator: update istio/client-go@master dependency in istio/istio@master (#56781) * Impl RetryBudget in DestinationRule (#56782) * impl RetryBudget * release notes * add test case * add release notes for ClusterTrustBundle (#56748) * Add domain resolve to Ambient TestServiceEntryInlinedWorkloadEntry test (#56784) When executing TestServiceEntryInlinedWorkloadEntry Ambient test in a public cloud based cluster, the created ingress is a domain based name and the test fails with the following error: configuration is invalid: endpoint address "a6eec2a91721a42b0aa8e140fc6611fc-1873540778.us-east-1.elb.amazonaws.com" is not a valid IP address Add a domain name resolution to ip based address. * Automator: update common-files@master in istio/istio@master (#56788) * Automator: update proxy@master in istio/istio@master (#56789) * Do not transitively import net/trace (#56637) * Do not transitively import net/trace This drops 300kb off the binary. Note a big deal but #56636 is a 5mb potentional and this is a step to it * drop license * Automator: update istio/client-go@master dependency in istio/istio@master (#56790) * do not use discovery filter for system namespace network (#56687) * do not use discovery filter for system namespace network * relnote * revert label selector * Automator: update proxy@master in istio/istio@master (#56794) * status: fix busyloop (#56798) This has been observed to cause extremely high CPU usage as we busyloop. Basically if we have at least 1 pending item, and we re-enqueue and actively worked on item, it will busy loop until the actively worked on item is handled. We should instead kill this worker. The other worker will handle the task when it completes * Gateway: provide stable HTTPRoute status ordering (#56504) * Add test cases * gateway: emit HTTPRoute status in a stable ordering * Update tests * fix test * Automator: update ztunnel@master in istio/istio@master (#56803) * manifests: refactor conditions for tproxy and capNetBindService (#56809) * manifests: refactor conditions for TPROXY * Encapsulate checking capNetBindService --------- * tests: assign privileged SCC to tproxy SA on OpenShift (#56799) * tests: assign privileged SCC to tproxy SA on OpenShift * Rename bool variable `openshift` to `isOpenShift` * Fix a typo in CRB name --------- * fix dns althost name generation (#56806) * fix dns althost name generation * remove unnecessary test change --------- * add gateway implementation for retry budget (#56808) * add gateway implementation for retry budget * comments --------- * tcp/tls route: fix multiple parent binds (#56818) Fixes #56769 The problem was we had non-unique names for each generated object. Add unit tests and fix to use the same counting appraoch HTTP/GRPC uses * Automator: update proxy@master in istio/istio@master (#56813) * Add annotation support to deployment object in istio discovery chart (#56787) * Add deployment object annotation support to istio discovery chart * Add release note for deployment object annotation support to istiod chart * Automator: update go-control-plane in istio/istio@master (#56821) * Automator: update proxy@master in istio/istio@master (#56822) * Automator: update proxy@master in istio/istio@master (#56823) * Automator: update proxy@master in istio/istio@master (#56829) * Create Istio owned CNI config (#56156) * Create Istio owned CNI config * Set CNIConfName to primary CNI config file name * Make Istio owned cni config opt in and the config name configurable * Add warning for invalid istio own cni config filename priority * Add release note --------- * Revert "feat: represent revision tags using services (#56141)" (#56833) This reverts commit 0550a31. * Automator: update istio/client-go@master dependency in istio/istio@master (#56835) * Automator: update ztunnel@master in istio/istio@master (#56840) * improve istioctl dashboard example (#56842) * Automator: update common-files@master in istio/istio@master (#56834) * Automator: update proxy@master in istio/istio@master (#56846) * Enable domain suffixes * fix tests again * Make gen * Respond to Keith's PR feedback * Fix get and comparison * review part 1 * Fix gen * Add support waypoint visibility at network gateways when the waypoint has globally scoped services * Get rid of splithorizon specific stuff * lint * lint * - deploy e/w gateway with blackhole listener/cluster if ambient multinetwork is enable to allow for existence even if no globally scoped services exist - utilize existing apps for integration tests * wait on eastwest gateway by checking programmed status * Minimize diff * Update default servicescopeconfig and duplicate DeployGatewayAPI for simplicity * Fix indentation and remove unrelated file * Compare networks rather than cluster id to determine locality * review part 2 * correct east west gw svc name * Use correct address for e/w gateway and compare networks rather than clusterids * Add todo and remove duplicate config * Fix flakes * Add comment to fix e/w gateway service lookup perf in beta * Include network gateways * use other network gateway * Use name when generating ewgateway workloads * Keith review * Don't use gateway suffixes * releasenotes * Fix service merging and nwgateway naming * Issue about multiple network gateways * Lint, fix test, and remove release note * Jackie review * More docs --------- Signed-off-by: Jackie Elliott <jaellio@microsoft.com> Signed-off-by: Maxim Babushkin <mbabushk@redhat.com> Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> Signed-off-by: Rama Chavali <rama.rao@salesforce.com> Signed-off-by: xin.li <xin.li@daocloud.io> Co-authored-by: Jackie Elliott <jaellio@microsoft.com> Co-authored-by: Istio Automation <istio-testing-bot@google.com> Co-authored-by: German Robayo <germanrobayo33@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com> Co-authored-by: Maxim Babushkin <mbabushk@redhat.com> Co-authored-by: John Howard <howardjohn@google.com> Co-authored-by: Steven Landow <steven@landow.dev> Co-authored-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> Co-authored-by: Rama Chavali <rama.rao@salesforce.com> Co-authored-by: Ramal Abeysekera <ramal.abeysekera@hotmail.com> Co-authored-by: Jackie Maertens (Elliott) <64559656+jaellio@users.noreply.github.com> Co-authored-by: Keith Mattix II <keithmattix2@gmail.com> Co-authored-by: my-git9 <xin.li@daocloud.io>

* upstream/master: Update client go (istio#56780) feat: represent revision tags using services (istio#56141) Fix Gateway API tests to consider istio test cli flags (istio#56704) Automator: update proxy@master in istio/istio@master (istio#56771)

german1608 added 4 commits June 17, 2025 20:27

set revision when running istioctl

a363441

Add revision to gateway in ManagedGatewayTest

388039a

Do not hardcode istio-system in UnamagedGatewayTest

0b64a8c

include istioNamespace in istioctl commands for TaggedGatewayTest

a8bfe4c

german1608 requested review from a team as code owners June 19, 2025 21:10

istio-policy-bot added the area/test and release label Jun 19, 2025

istio-testing added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. needs-ok-to-test labels Jun 19, 2025

german1608 changed the title ~~Fix/gateway api e2es~~ Fix Gateway API tests to consider istio test cli flags Jun 19, 2025

istio-testing added ok-to-test Set this label allow normal testing to take place for a PR not submitted by an Istio org member. and removed needs-ok-to-test labels Jun 19, 2025

keithmattix reviewed Jun 19, 2025

View reviewed changes

Use Revisions instead of Revision (later is deprecated)

e58112d

only set --istioNamespace is c.istioNamespace

9e07a0d

If ingress gateway ns not set, use istio-system

b429e39

set also ingress gateway svc name

e61d66b

dhawton added the release-notes-none Indicates a PR that does not require release notes. label Jun 21, 2025

keithmattix self-assigned this Jun 23, 2025

remove revision from ManagedGatewayTest (not needed), add TODO commen…

b539887

…t for remaining test

keithmattix approved these changes Jun 24, 2025

View reviewed changes

jacob-delgado approved these changes Jun 25, 2025

View reviewed changes

istio-testing merged commit e868de0 into istio:master Jun 25, 2025
30 checks passed

german1608 mentioned this pull request Jul 1, 2025

Update members.yaml istio/community#1633

Merged

6 tasks

Conversation

german1608 commented Jun 19, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

istio-testing commented Jun 19, 2025

Uh oh!

keithmattix commented Jun 19, 2025

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

german1608 commented Jun 20, 2025

Uh oh!

german1608 commented Jun 21, 2025

Uh oh!

german1608 commented Jun 21, 2025

Uh oh!

german1608 commented Jun 21, 2025

Uh oh!

german1608 commented Jun 21, 2025

Uh oh!

dhawton commented Jun 21, 2025

Uh oh!

german1608 commented Jun 24, 2025

Uh oh!

german1608 commented Jun 24, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

german1608 commented Jun 19, 2025 •

edited

Loading