injector changes for health check, pilot agent take over app readiness check. #9266

Merged
istio-testing merged 34 commits into istio:master from incfly:health-injector
Nov 28, 2018
Conversation

@incfly incfly commented Oct 11, 2018

Injector part for #9150

  • Figure out the application probing path and port and fill that in the sidecar tmpl.
  • Rewrite the app liveness and readiness probe.

The part to figure out the statusPort is ugly, but considering the sidecartmpl can come from configmap, I don't think there's a better way. Feel free to comment.

Won't merge until #9204 is merged. Will add an E2E test before merging as well.
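The two steps in the description above, sketched as an added example that is not the PR's code: find the status port in the rendered sidecar args, then point the app's HTTP readiness probe at it and hand back the original target for the agent to probe locally. The types, `readyPath`, the accepted flag spellings, the refusal when several containers carry probes, and the sample pod are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// Minimal stand-ins for the Kubernetes pod types so the example needs only the
// standard library. Every name here is hypothetical, not Istio's.
type ContainerPort struct{ Name string; Port int }
type HTTPProbe struct{ Path, Port string } // Port is numeric ("8080") or a named port ("http")

type Container struct {
	Name      string
	Args      []string
	Ports     []ContainerPort
	Readiness *HTTPProbe
}

// readyPath is an assumed agent endpoint, not a value taken from the PR.
const readyPath = "/app-ready"

// Accepts "--statusPort=15020", "--statusPort 15020" and the single-dash forms.
var statusPortFlag = regexp.MustCompile(`^--?statusPort(?:=(\d+))?$`)

// FindStatusPort scans the rendered sidecar args for the status port.
func FindStatusPort(args []string) (int, error) {
	for i, a := range args {
		m := statusPortFlag.FindStringSubmatch(a)
		if m == nil {
			continue
		}
		val := m[1]
		if val == "" && i+1 < len(args) {
			val = args[i+1] // value passed as the next argument
		}
		p, err := strconv.Atoi(val)
		if err != nil || p < 1 || p > 65535 {
			return 0, fmt.Errorf("invalid statusPort value %q", val)
		}
		return p, nil
	}
	return 0, errors.New("statusPort not found in sidecar args")
}

// RewriteAppReadiness rewrites the app probe in place and returns its original port and path.
func RewriteAppReadiness(pod []Container, sidecarName string) (int, string, error) {
	var sidecar, app *Container
	for i := range pod {
		c := &pod[i]
		switch {
		case c.Name == sidecarName:
			sidecar = c
		case c.Readiness != nil:
			if app != nil {
				// Only one app target is forwarded; refuse rather than drop a probe silently.
				return 0, "", errors.New("more than one container has a readiness probe")
			}
			app = c
		}
	}
	if sidecar == nil || app == nil {
		return 0, "", errors.New("need a sidecar and one probed app container")
	}
	statusPort, err := FindStatusPort(sidecar.Args)
	if err != nil {
		return 0, "", err
	}
	appPort, err := strconv.Atoi(app.Readiness.Port)
	if err != nil { // not numeric: look the name up in the container's ports
		for _, cp := range app.Ports {
			if cp.Name == app.Readiness.Port {
				appPort, err = cp.Port, nil
			}
		}
	}
	if err != nil {
		return 0, "", fmt.Errorf("container %s has no port %q", app.Name, app.Readiness.Port)
	}
	appPath := app.Readiness.Path
	app.Readiness = &HTTPProbe{Path: readyPath, Port: strconv.Itoa(statusPort)}
	return appPort, appPath, nil
}

// SamplePod returns a constructed pod: one app container plus the sidecar.
func SamplePod() []Container {
	return []Container{
		{Name: "app", Ports: []ContainerPort{{Name: "http", Port: 8080}},
			Readiness: &HTTPProbe{Path: "/healthz", Port: "http"}},
		{Name: "istio-proxy", Args: []string{"proxy", "sidecar", "--statusPort", "15020"}},
	}
}

func main() {
	pod := SamplePod()
	fmt.Println(RewriteAppReadiness(pod, "istio-proxy"))
}
```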

@incfly incfly requested review from ayj and mandarjog October 11, 2018 00:07
@incfly incfly requested a review from costinm October 11, 2018 00:07
@incfly
Author

incfly commented Oct 11, 2018

/hold

Add hold just to address e2e test.

@istio-testing istio-testing added the do-not-merge/hold Block automatic merging of a PR. label Oct 11, 2018
@codecov

codecov bot commented Oct 19, 2018

Codecov Report

Merging #9266 into master will increase coverage by 1%.
The diff coverage is 100%.

@@           Coverage Diff           @@
##           master   #9266    +/-   ##
=======================================
+ Coverage      71%     71%    +1%     
=======================================
  Files         436     436            
  Lines       40702   40577   -125     
=======================================
- Hits        28529   28497    -32     
+ Misses      10791   10714    -77     
+ Partials     1382    1366    -16
Impacted Files Coverage Δ
istioctl/cmd/istioctl/kubeinject.go 46% <100%> (ø) ⬆️
pilot/pkg/kube/inject/inject.go 82% <100%> (+2%) ⬆️
mixer/adapter/solarwinds/metrics_handler.go 70% <0%> (-13%) ⬇️
mixer/adapter/fluentd/fluentd.go 76% <0%> (-9%) ⬇️
galley/pkg/kube/source/listener.go 98% <0%> (-2%) ⬇️
pkg/mcp/client/monitoring.go 68% <0%> (-2%) ⬇️
galley/pkg/kube/converter/proto.go 86% <0%> (-2%) ⬇️
mixer/adapter/prometheus/server.go 94% <0%> (-2%) ⬇️
pkg/filewatcher/filewatcher.go 86% <0%> (-1%) ⬇️
mixer/pkg/config/crd/store.go 86% <0%> (ø) ⬇️
... and 21 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8e8f5e4...0b59a4a. Read the comment docs.

@istio-testing istio-testing added the needs-rebase Indicates a PR needs to be rebased before being merged label Oct 21, 2018
@wattli
Contributor

wattli commented Oct 23, 2018

Any update?

@incfly
Author

incfly commented Oct 24, 2018

@wattli I got the basic example working; the readiness health check works with mTLS enabled for a pod. But it still needs some polishing for corner-case handling.

@istio-testing istio-testing removed the needs-rebase Indicates a PR needs to be rebased before being merged label Oct 25, 2018
@incfly
Author

incfly commented Oct 25, 2018

/hold cancel

While the tests need to be fixed, I think this PR is ready for review. PTAL @mandarjog @ayj thanks!

@istio-testing istio-testing removed the do-not-merge/hold Block automatic merging of a PR. label Oct 25, 2018
@hzxuzhonghu
Member

@incfly I have a doubt: when there are multiple containers, and each has a readiness probe, it seems appReadyUrl only supports one URL redirect.

@istio-testing
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hzxuzhonghu, incfly, nmittler


@istio-testing
Collaborator

@incfly: The following tests failed, say /retest to rerun them all:

Test name Commit Details Rerun command
prow/build-tests.sh 0444147 link /test build-tests
prow/istio-pilot-multicluster-e2e.sh 0b59a4a link /test istio-pilot-multicluster-e2e

@istio-testing istio-testing merged commit c0f8cb0 into istio:master Nov 28, 2018
@hzxuzhonghu
Member

@incfly Should this go to release-1.1, since the original part for pilot-agent is already in?

@incfly
Author

incfly commented Nov 28, 2018

@hzxuzhonghu I'll check the 1.1 branch and if it works, I'll CP this PR to 1.1 branch.

@incfly incfly deleted the health-injector branch November 28, 2018 20:41
incfly pushed a commit to incfly/istio that referenced this pull request Nov 28, 2018
…s check. (istio#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merginge failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.
istio-testing pushed a commit that referenced this pull request Dec 7, 2018
…s check. (#9266) (#10175)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merginge failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.
istio-testing pushed a commit that referenced this pull request Dec 13, 2018
* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merginge failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* add flags for controling istioctl kube-inject on whether rewrite app
probe.

* fix typo.

* fix the typo.

* fix the app_probe_test.

* passing flags from kubeinject.
istio-testing pushed a commit that referenced this pull request Jan 14, 2019
* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merginge failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* WIP adding test not working.

* change k8s env applycontents.

* pilot_test.go working adding the policy.

* adding authn in the setup.

* progress, app is in istio-system.

* simplify the pilot_test.go

* get config dump for app a.

* config is dumped and testhttp pass.

* WIP need to figure out why config dump is different than lds output.

* finally hacked to get lds output.

* almost ready to verify the listener config

* get test working, remove some debugging print.

* move to permissive_test.go

* clean up on test file.

* add back auth_permissive_test.go

* add some doc and remove infolog.

* refine comments.

* goimports fix.

* bin/fmt.sh

* apply comments.

* add one more test case.

* rename the ConstructDiscoveryRequest.

* comment out unimplemented test.

* change back logging level.
hklai added a commit that referenced this pull request Jan 19, 2019
* fix the test (#10837)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Allow prometheus scraper to fetch port outside of sidecar umbrella (#10492)

See issue #10487

- kubernetes-pods job is now keeping all targets without sidecar or with expicit prometheus.io/scheme=http annotation
- kubernetes-pods-istio-secure is now discarding targets with expicit prometheus.io/scheme=http annotation

* Relax test for kubeenv metric to only error on 'unknowns' (#10787)

* Relax test for kubeenv metric to only error on 'unknowns'

* Add check to ensure that at least one metric is found

* Address lint issues

* Fix Citadel Kube JWT authentication result (#10836)

* Fix Citadel Kube JWT authentication.

* Small fix.

* Fix unittest.

* Add unit test for coverage.

* Adding Sidecar CRD and renaming Sidecar role (#10852)

* Sidecar config implementation

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* build fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* adding CRD template

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* format

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* model.Sidecar to model.SidecarProxy

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nits

* gen files in galley

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nit

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* test fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* e2e tests

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* comments

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* compile fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* final snafu

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix yaml path

* typo

* bad file name

* future work

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix bad namespace

* assorted fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fixing CDS

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* formatting

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* vendor update

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* build fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* test fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* validation

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* format

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* comments

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* format

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* new crd yaml

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nix listener port

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* kubernetes hack for parsing namespace

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* some code cleanups and more TODOs

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* more undos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* spell check

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* more nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* leftovers

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo tests

* more undos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* more undos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* del

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* sidecarproxy

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* format

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* compile fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* run log Configure before running server and validation (#10643)

* run log Configure before running server and validation

* remove p.logConfigure func from patchTable

* fix lint

* fix rebase error

* fix rebase error

* fix lint

* add domain parameter to proxy of istio-policy. (#10857)

* Use strings.EqualFold to compare strings (#10859)

* Call check licenses only once (#10866)

* add sample httpbin service in nodeport type (#10833)

* Skip prow e2e test cleanup (#10878)

* Use 128bit traceids in envoy (#10811)

* Use 128bit traceids in envoy

* Update unit test golden files for bootstrap config

* Update to latest istio/api changes with MCP enhancements (#10628)

* sync with latest istio.io/api

This PR syncs to the latest changes from istio.io/api. Notably, this
PR includes the enhanced MCP service definitions and protos
(ResourceSink and ResourceSource) along with several API
cleanups. Minimal changes have been made to fix the build and tests so
that subsequent istio.io/api changes can be merged into
istio/istio. An additional PR will be introduced to implement the
enhanced MCP service layer.

* address review comments

* remove bad find/replace

* Add a newline at the end of each certificate returned by Vault (#10879)

* Add a newline at the end of a certificate

* Fix the mock test

* Fix a lint error

* Filter flaky query from galley dashboard test (#10176)

* IPv4 forwarding off for some CircleCI builds (#10777)

* Log additional information about build machine

* Attempt to enable IPv4 forwarding

* tabs to spaces

* stop mcpclient when mixer stops (#10772)

* stop mcpclient when mixer stops

* fix test

* pushLds should not verify versions (#10861)

* add integration test that mTLS through identity provisioned by SDS flow (#10887)

* add integration test that mTLS through identity provisioned by SDS flow

* format

* remove unused files (#10890)

* fix pilot goroutine leak (#10892)

* fix pilot goroutine leak

* remove done channel

* Add missing copyright header (#10841)

* Do not fail envoy health probe if a config was rejected (#9786) (#10154)

* Do not fail envoy health probe if a config was rejected (#9786)

* Adjust so that rejection is also an allowed state of health probe for envoy.

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Add unit tests for envoy health probe

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Fixed linting

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Fix another linting problem

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Add new stats to String() method

* Use better wording in log message

* Fix linting

Co-authored-by: Ulrich Kramer <u.kramer@sap.com>

* Move everything related to spiffe URIs to package spiffe (#9090)

* Move everything related to spiffe URIs to package spiffe

Co-authored-by: Ulrich Kramer <u.kramer@sap.com>

* Fix end-to-end tests after merge

Co-authored-by: Julia Plachetka <julia.plachetka@sap.com>

* Adapt and fix unit tests.

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Adapt and fix unit tests.

* Fix lint errors and unit tests

* Fix lint errors

* Fix lint errors

* Fix lint errors. Exit integration test in case of nonexisting secret

* Remove duplicate trustDomain

* Fixed compile errors

* Fixed lint errors

* Fixed lint errors

* Do not panic and small fixes

* Do not panic when spiffe uri is missing some configuration values
* Remove environment variable ISTIO_SA_DOMAIN_CANONICAL
* Fix SNA typo
* Comment why testing for a kube registry

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* goimports-ed

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Adapt test to getSpiffeId no longer panicing

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Fix formatting

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Fix lint errors and unit tests

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Fix double declared imports

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Fix more import related linting

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Add retry to metrics check in TestTcpMetrics (#10816)

* Add retry to metrics check in TestTcpMetrics

* Small cleanup

* Fix typo

* set trust domain (#10905)

* Fix New Test Framework tests running in kubernetes environment (#10889)

* Fix New Test Framework tests running in kubernetes environment

After the change #10562 Istio Deployment in new test framework started failing.
This PR tries to fix that

* Minor fix

* Add Pod and Node sources to Galley. (#10846)

* Add Pod and Node sources to Galley.

Also plumbing annotations and labels through from the source.

* adding access for pods/nodes to deployment.

* plumbing labels/annotations through Pilot

* implement empty header value expression (#10885)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* provide some context on bootstrap errors (#10696)

- rebased on release-1.1

* fix(#10911): add namespace for crd installation jobs (#10912)

* restore MCP registry (#10921)

* fix a typo to get familiar with the PR process (#10853)

Signed-off-by: YaoZengzeng <yaozengzeng@zju.edu.cn>

* Mixer route cache (#10539)

* rebase

* add test

* fix lint

* Revert "Mixer route cache (#10539)" (#10936)

This reverts commit 024adb0.

* Clean up the Helm readiness checking in test cases (#10929)

* Clean up the Helm readiness checking in test cases

The e2e test cases are often flakey because of the logic
of Helm readiness checking in the test cases.  Instead of
checking of the Pod is in the "RUNNING" state, check that
Tiller is able to provide service via the `helm version`
operation.  If the server is not ready, this will return 1,
otherwise 0 will be returned.

* Fix CLI call error

We have an older version of helm which lacks the proper flag.

Instead we rely on the retry with a 10 second context timer.

* Test for  PERMISSIVE mode, checks Pilot LDS output. (#10614)

* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merginge failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* WIP adding test not working.

* change k8s env applycontents.

* pilot_test.go working adding the policy.

* adding authn in the setup.

* progress, app is in istio-system.

* simplify the pilot_test.go

* get config dump for app a.

* config is dumped and testhttp pass.

* WIP need to figure out why config dump is different than lds output.

* finally hacked to get lds output.

* almost ready to verify the listener config

* get test working, remove some debugging print.

* move to permissive_test.go

* clean up on test file.

* add back auth_permissive_test.go

* add some doc and remove infolog.

* refine comments.

* goimports fix.

* bin/fmt.sh

* apply comments.

* add one more test case.

* rename the ConstructDiscoveryRequest.

* comment out unimplemented test.

* change back logging level.

* Sidecar config implementation (#10717)

* Sidecar config implementation

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* build fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* adding CRD template

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* format

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* model.Sidecar to model.SidecarProxy

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nits

* gen files in galley

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nit

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* test fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* e2e tests

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* comments

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* compile fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* final snafu

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix yaml path

* typo

* bad file name

* future work

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix bad namespace

* assorted fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fixing CDS

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* formatting

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* vendor update

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* build fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* test fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* validation

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* format

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* comments

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* format

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* new crd yaml

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nix listener port

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* kubernetes hack for parsing namespace

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* some code cleanups and more TODOs

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* more undos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* spell check

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* more nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* leftovers

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* compile fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo lint fix

* temp undo

* ingress and egress listeners on ports

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* if-else

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* missing inbound port fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* remove constants

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* final fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lints

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix http host header

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* more if-elses

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* more lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* more lint and code cov

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* format

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* simplifications

* remove GetSidecarScope

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* coverage

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* missing configs

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* 80

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* remove invalid test case

* fixing rds bug

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* remove comment

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* RDS unit tests

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* format

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint again

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Filter Nodes/Pods in Galley temporarily until custom sources land. (#10938)

This is due to the fact that Pod yaml cannot currently be parsed into
unstructured types.  See: #10891.

* fix concurrent map read/write (#10895)

* fix concurrent map read/write

* simplify EndpointShardsByService

* Update integration test job (#10888)

* Fix integration test scripts

* Making TestMain exit with the proper return code

* Update local env references to native

* Fix linter errors

* Skipping integration tests in codecov since they fail

* grant execute permission to e2e_pilotv2_auth_sds.sh (#10908)

* grant execute permission to e2e_pilotv2_auth_sds.sh

* fix typo

* fix typo

* typo

* coredump

* remove deprecated plugin from nodeagent (#10952)

* Fix flaky test by reducing poll interval. (#10962)

* Add interceptor to create noop spans when sampling is false (#10826)

* Add interceptor to create noop spans when sampling is false

* Add tests using mocktracer to determine whether span is created

* Update dependencies to include OpenTracing mocktracer

* Minor change

* Updated dependencies again

* Add support for ErrSpanContextNotFound error

* Fix test and add one for x-b3-sampled=true

* Fix lint error

* set cluster.LoadAssignment only when service discovery type equals Cluster_STATIC Cluster_STRICT_DNS or Cluster_LOGICAL_DNS (#10926)

* Remove Envoy's deprecated --v2-config-only (release-1.1). (#10960)

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

* update check proxy version (#10769)

* Add AWS CloudwatchLogs Adapter (code from #10400) (#10882)

* Add AWS CloudwatchLogs Adapter (code from #10400)

* Improve codecov

* Even moar coverage

* remove duplicate LoadAssignment set (#10977)

* Enable server side control over maximum connection age (#10870)

* add server side maximum connection age control to keepalive options

* add server maximum connection age to the gRPC server keepalive options

* missing space between concatenated strings

* added tests for default values and setting via command line

* fix golangci unconvert comment

* add helm value file to google ca param  (#10563)

* add helm value file to preconfig param for googleca

* cleanup

* Allow pulling images from private repository (#10763)

* Only compute diff for ServiceEntry (#10446)

* Only compute diff for ServiceEntry

This change prevents coredatamodel controller to compute the diff
for all the types and it narrows it down to only ServiceEntry.

* Add a dummy event for other config types

- this dummy event allows DiscoveryServer to purge it's cache

* Trigger a single clear cache event

* add exponential backoff for retryable CSR error in nodeagent (#10969)

* backoff

* add unit test

* clean up

* lint

* lint

* address comment

* typo

* Fix flakiness in redisquota tests (#10906)

* Fix flakiness in redisquota tests by adding retry for getting requests reported by prometheus

One of the things I observed in flaky tests is that total number of requests reported by prometheus was not equal to traffic sent by Fortio.
Thus adding a retry to make sure prometheus is queries till we get all requests reported.

* Add a buffer for 5 requests to be allowed to be not reported.
This buffer is within the error we allow for 200s and 429s reporting.

* Fix based on reviews

* Fix lint errors

* Adding make sync to integ test script (#10984)

* Removing Galley pod and node datasets from tests (#10953)

* Use common image for node agent (#10949)

* Use comment image for node agent

* Revert node-agent-k8s

* Sort the package

* fix MCP server goroutine leak (#10893)

* fix MCP server goroutine leak

* fix race condition

* fix race condition between reqChannel blocking and stream context done (#10998)

* add default namespce for istio-init namespace. (#11012)

* Handle outbound traffic policy (#10869)

* add passthru listener only for mesh config outbound traffic policy ALLOW_ANY

* add outbound traffic policy to configmap template and values

* add the listener and blackhole cluster in case of outbound policy REGISTRY_ONLY

* update DefaultMeshConfig with OutboundTrafficPolicy

* use ALLOW_ANY outbound policy by default in tests

* add OutboundTrafficPolicy to the default meshconfig of galley

* Revert "use ALLOW_ANY outbound policy by default in tests"

This reverts commit 9045789.

* use REGISTRY_ONLY OutboundTrafficPolicy for galley tests

* adopt notion of collections throughout galley/mcp (#10963)

* adopt notion of collections throughout galley/mcp

* add missing 's/TypeURLs()/Collections()'

* fix linter errors and missing dep

* linter fixes

* another linter fix

* address review comments

* use correct collection name in copilot test

* fix TestConversion/config.istio.io_v1alpha2_circonus

* update copilot e2e tests

* fix pilot/pkg/config/coredatamodel/controller_test.go unit test

* re-add TypeURL and remove typeurl from collections

* add Bearer prefix in oauth token that passed to GoogleCA (#11018)

* Add bionic and deb_slim base images, optimize size for xenial (#10992)

* Remove redundant pieces of code (#11014)

* Increase timeout (#11019)

* mixer: gateway regression (#10966)

* gateway test

Signed-off-by: Kuat Yessenov <kuat@google.com>

* prepare a test

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Merge the new tests for isolation=none, some fixes (#10958)

* Merge the new tests for isolation=none, some fixes

* Add a local directory with certs, can be used with the basedir for local tests

* If a BaseDir meta is specified, use it as prefix for the certs - so tests don't need / access

* Add the pilot constant and doc

* Fix mangled sidecarByNamespace, scope issue

* Fix binding inbound listeners to 0.0.0.0, test

* Format

* Lint

* Add back the validation

* Reduce flakiness, golden diff reported as warning

* Manual format, make fmt doesn't seem to help

* Fix authn test

* Fix authn test

* Reduce parallel to avoid flakiness, fix copilot test

* format

* remove 'crds' option in relevant manifests (#11013)

* remove crds option in istio chart.

* delete crds option in values*.yaml

* add istio-init as prerequisite of istio chart.

* Delete this superfluous script. (#11028)

* Refactor in preparation for reverse and incremental MCP (#11005)

This PR refactors the MCP client, server, and monitoring packages in
preparation for introducing reverse MCP. This includes the following
changes:

* Structs/Interfaces common to MCP sinks are moved into the sink package.

* Structs/Interfaces common to MCP sources are moved into source packages.

* The client and server metrics reporting logic is merged into a
  single reporter interface and implementation, since the majority of
  code is duplicated. This makes it easier to use a single reporter
  interface across all source/sink and client/server combinations.

* Plumb through source/sink options

* Port Mixer's TestTcpMetricTest in new Test framework (#10844)

* Port Mixer's TestTcpMetricTest in new Test framework

* Look at values file too to determine if mtls is enabled for the test or not.

* Add unix domain socket client and server to pilot test apps (#10874)

* Add unix domain socket client and server to pilot test apps

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* snafu

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* appends

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* compile fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* template fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* more gotpl

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undos

* undo

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Fixing new framework integration test (#11038)

Fixes are as follows:
1) PolicyBackend close is failing when closing the listener in native environment. Thus ignoring its error and making policy backend a system component, so that it is just reset between the tests and not really closed.
2) Skipping conversion test in local environment as it requires kubernetes environment.
3) Increasing timeout of tests in kubernetes environment
4) Adding test namespace in mixer check test.

* Use proxyLabels that were collected earlier (#11016)

* Fix comment on defaultNodeSelector comment (#10980)

* tracing: Provide default configuration when no host specified for k8s ingress (#10914)

* tracing: Provide default configuration when no host specified for k8s ingress

* Remove jaeger ingress in favour of one ingress with context based on provider

* Updated to remove $ from .Values

* Add ymesika to pilot owners (#11053)

* Restart Galley in native test fw. component to avoid race. (#11048)

There is a race between Galley reading the updated mesh config file
and processing of input config files. This change restarts Galley every
time mesh config is updated, to avoid race.

* Update Istio API to include selector changes in AuthN/AuthZ. (#11046)

The following changes are included from istio.io/api:
aec9db9 Add option to select worload using lables for authn policy. (#755)
2dadb9e add optional incremental flag to ResponseSink and ResourceSource services (#762)
d341fc8 assorted doc updates (#757)
48ad354 Update RBAC for Authorization v2 API. (#748)
f818794 add optional header operations (#753)

Signed-off-by: Yangmin Zhu <ymzhu@google.com>

* update proxy SHA (#11036)

* update proxy SHA

* Update Proxy SHA to d2d0c62a045d12924180082e8e4b6fbe0a20de1d

* Add an example helm values yaml for Vault integration user guide (#11024)

* Add an example helm values yaml for Vault integration user guide

* Add a comment

* Add retry logic to the SDS grpc server of Node Agent (#11063)

* Quick fix for #10779 (#11061)

* Basic fix to Ingress conversion.

* Makes changes based on Ingress changes.

* Linter fix.

* Remove labels as well.

* session affinity (#10730)

* handle special char in trustdomain (to construct sa for secure naming)  (#11066)

* replace special char

* update comment

* enabled customized cluster domain for chart. (#11050)

* enabled customized cluster domain for chart.

* update webhook unit test data.

* Restructure Galley sources (#11062)

* Restructure Galley sources

This is a series of simple moves in preparation for #10995

* addressing comments

* assign back to s.mesh when reload the mesh config file (#11000)

Signed-off-by: YaoZengzeng <yaozengzeng@zju.edu.cn>

* Moving Galley source to dynamic package. (#11081)

This is in preparation for #10995. Trying to do this move in order
to preserve history.

* Add reasonable default retry policy. (#10566)

Partially addresses #7665.

* Reduce flakiness in metrics test in new test framework (#11070)

* Reduce flakiness in metrics test in new test framework

* Fix based on review

* Fix merge
hklai pushed a commit that referenced this pull request Jan 23, 2019
…g. (#11156)

* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merging failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* changing new server to unmarshal prober info.

* add valid json for test case.

* more checks on json format.

* finish the status server and the test.

* WIP on the istioctl kubeinject.

* WIP on the istioctl kubeinject.

* small code refactoring app_probe.go

* fixing some test cases.

* make sure status server also work with empty path.

* some cleanup on status/server.go

* fix the lint.

* rename to be consistent.

* fix the comments, matching the pattern string.

* fix the lint.
hklai pushed a commit to hklai/istio that referenced this pull request Jan 27, 2019
…g. (istio#11156)

* injector changes for health check, pilot agent take over app readiness check. (istio#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merging failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* changing new server to unmarshal prober info.

* add valid json for test case.

* more checks on json format.

* finish the status server and the test.

* WIP on the istioctl kubeinject.

* WIP on the istioctl kubeinject.

* small code refactoring app_probe.go

* fixing some test cases.

* make sure status server also work with empty path.

* some cleanup on status/server.go

* fix the lint.

* rename to be consistent.

* fix the comments, matching the pattern string.

* fix the lint.
wenchenglu pushed a commit that referenced this pull request Feb 5, 2019
* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merging failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 18:13:30 2019 -0800

    renaming env var.

commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 17:59:25 2019 -0800

    finish migrating test to yaml file based.

commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:55:00 2019 -0800

    get test working.

commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:49:58 2019 -0800

    WIP add some test files.

commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:13:06 2019 -0800

    WIP changing to using the environment var.

commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:52:47 2019 -0800

    add todo for the tests.

commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277 4b7b13a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:47:17 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit ca22277
Merge: 98fd48f 744b07a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:34 2019 -0800

    Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip

commit 98fd48f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:00 2019 -0800

    findsidecar.

commit 744b07a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 22:29:28 2019 -0800

    add FindSidecar.

commit 40ed002
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 21:55:51 2019 -0800

    refactor some code.

commit 0fdbb2e
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 18:19:32 2019 -0800

    Integration test works and fixing a bug.

commit 5085dfd
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 16:09:13 2019 -0800

    all inject tests pass.

commit fe3f156
Merge: a2a7744 010d5c2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:22:18 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit a2a7744
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:16:04 2019 -0800

    update the TestWebhookInject.

commit 36fd45c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 12:13:21 2019 -0800

    some document

commit 88dc922
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 11:43:44 2019 -0800

    new version works for kubeinject, webhook unit test.

commit 6efa0d6
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 18:17:38 2019 -0800

    WIP working on modifying sidecar.Args first, then modify app container patch.

commit 65a2194
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 15:20:36 2019 -0800

    WIP add what's missing to get e2e test working.

commit 1595e87
Merge: 256d963 ac78a55
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 13:26:05 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 256d963
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 12:14:04 2019 -0800

    add some debugging log.

commit f700963
Merge: bdce721 c7eb603
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 10:57:43 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit bdce721
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 18:04:37 2019 -0800

    refactor to host something up to caller.

commit b51763c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 16:31:32 2019 -0800

    get everything works.

commit 0815695
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:48:27 2019 -0800

    kubeinject test is working.

commit 14c99b5
Merge: d626bb8 5ea7962
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:30 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit d626bb8
Merge: 3561ae0 66153da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:23 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3561ae0
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:49:44 2019 -0800

    WIP, policy is not taking effect, test passing without rewrite.

commit a9bef0f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:31:08 2019 -0800

    fix the json path in the patch.

commit f1aee91
Merge: 3a7eb48 abc53e1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 14:03:49 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3a7eb48
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 13:57:55 2019 -0800

    fix it, removing namespace since metadata not matching will fail for kubeapply

commit 2b12034
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 11:58:39 2019 -0800

    WIP, debugging why mtls policy is not showed up.

commit 72e9c4e
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:24:16 2019 -0800

    working on integration2 test framework.

commit 90c1cce
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:04:38 2019 -0800

    add small comments.

commit 92a0eda
Merge: 7f5c8cb e45242c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 16:43:47 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 7f5c8cb
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:37:53 2018 -0800

    check rewriteAppProbe separately.

commit e2707c9
Merge: 20f02c0 1ae6b4f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:01:37 2018 -0800

    Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject

commit 20f02c0
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:59:57 2018 -0800

    duplicate the rewrite logic.

commit 4894cb1
Merge: 3b3bcbf d8c4579
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:53:44 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 1ae6b4f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Dec 17 21:56:51 2018 -0800

    address comments.

commit 3b3bcbf
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:24:33 2018 -0800

    massage comments.

commit ccd670d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:15:50 2018 -0800

    helm flag is off, so change the expected output.

commit 43522c1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:09:46 2018 -0800

    make webhook support rewriteAppHTTPProbe flag.

commit f60f18f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 12:03:04 2018 -0800

    fixing the merge typo.

commit 05bbadf
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:56:38 2018 -0800

    remove unnecessary changes in test for debugging.

commit a81eacb
Merge: af1a679 f6b0ddc
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:53:07 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit af1a679
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 18:07:19 2018 -0800

    fixing all the test.

commit 58d0bef
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:51:34 2018 -0800

    Get TestInject happy.

commit fcd0ae2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:49:42 2018 -0800

    make TestHelmInject happy.

commit 7a3ffc8
Merge: fcca1f8 bd1631b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:53:01 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit fcca1f8
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:18:20 2018 -0800

    get webhook_test.TestInject working.

commit 06f517c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:10:55 2018 -0800

    restructure app_probe_test working for both.

commit 7142e96
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 13:19:41 2018 -0800

    starting to work on serious test

commit a3dfb97
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:50:19 2018 -0800

    prototyping get familiar with the test.

commit 51659da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:05:51 2018 -0800

    wip for adding test.

* resolve appprobetest.

* update the golden due to another injector change.

* remove unnecessary files in this pr.

* remove the test framework change.

* remove unnecessary testdata file.

* DeepCopy used.

* fix lint.
louiscryan pushed a commit to louiscryan/istio that referenced this pull request Feb 8, 2019
* injector changes for health check, pilot agent take over app readiness check. (istio#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merging failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 18:13:30 2019 -0800

    renaming env var.

commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 17:59:25 2019 -0800

    finish migrating test to yaml file based.

commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:55:00 2019 -0800

    get test working.

commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:49:58 2019 -0800

    WIP add some test files.

commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:13:06 2019 -0800

    WIP changing to using the environment var.

commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:52:47 2019 -0800

    add todo for the tests.

commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277 4b7b13a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:47:17 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit ca22277
Merge: 98fd48f 744b07a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:34 2019 -0800

    Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip

commit 98fd48f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:00 2019 -0800

    findsidecar.

commit 744b07a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 22:29:28 2019 -0800

    add FindSidecar.

commit 40ed002
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 21:55:51 2019 -0800

    refactor some code.

commit 0fdbb2e
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 18:19:32 2019 -0800

    Integration test works and fixing a bug.

commit 5085dfd
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 16:09:13 2019 -0800

    all inject tests pass.

commit fe3f156
Merge: a2a7744 010d5c2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:22:18 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit a2a7744
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:16:04 2019 -0800

    update the TestWebhookInject.

commit 36fd45c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 12:13:21 2019 -0800

    some document

commit 88dc922
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 11:43:44 2019 -0800

    new version works for kubeinject, webhook unit test.

commit 6efa0d6
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 18:17:38 2019 -0800

    WIP working on modifying sidecar.Args first, then modify app container patch.

commit 65a2194
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 15:20:36 2019 -0800

    WIP add what's missing to get e2e test working.

commit 1595e87
Merge: 256d963 ac78a55
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 13:26:05 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 256d963
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 12:14:04 2019 -0800

    add some debugging log.

commit f700963
Merge: bdce721 c7eb603
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 10:57:43 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit bdce721
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 18:04:37 2019 -0800

    refactor to host something up to caller.

commit b51763c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 16:31:32 2019 -0800

    get everything works.

commit 0815695
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:48:27 2019 -0800

    kubeinject test is working.

commit 14c99b5
Merge: d626bb8 5ea7962
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:30 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit d626bb8
Merge: 3561ae0 66153da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:23 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3561ae0
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:49:44 2019 -0800

    WIP, policy is not taking effect, test passing without rewrite.

commit a9bef0f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:31:08 2019 -0800

    fix the json path in the patch.

commit f1aee91
Merge: 3a7eb48 abc53e1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 14:03:49 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3a7eb48
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 13:57:55 2019 -0800

    fix it, removing namespace since metadata not matching will fail for kubeapply

commit 2b12034
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 11:58:39 2019 -0800

    WIP, debugging why mtls policy is not showed up.

commit 72e9c4e
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:24:16 2019 -0800

    working on integration2 test framework.

commit 90c1cce
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:04:38 2019 -0800

    add small comments.

commit 92a0eda
Merge: 7f5c8cb e45242c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 16:43:47 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 7f5c8cb
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:37:53 2018 -0800

    check rewriteAppProbe separately.

commit e2707c9
Merge: 20f02c0 1ae6b4f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:01:37 2018 -0800

    Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject

commit 20f02c0
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:59:57 2018 -0800

    duplicate the rewrite logic.

commit 4894cb1
Merge: 3b3bcbf d8c4579
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:53:44 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 1ae6b4f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Dec 17 21:56:51 2018 -0800

    address comments.

commit 3b3bcbf
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:24:33 2018 -0800

    massage comments.

commit ccd670d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:15:50 2018 -0800

    helm flag is off, so change the expected output.

commit 43522c1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:09:46 2018 -0800

    make webhook support rewriteAppHTTPProbe flag.

commit f60f18f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 12:03:04 2018 -0800

    fixing the merge typo.

commit 05bbadf
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:56:38 2018 -0800

    remove unnecessary changes in test for debugging.

commit a81eacb
Merge: af1a679 f6b0ddc
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:53:07 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit af1a679
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 18:07:19 2018 -0800

    fixing all the test.

commit 58d0bef
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:51:34 2018 -0800

    Get TestInject happy.

commit fcd0ae2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:49:42 2018 -0800

    make TestHelmInject happy.

commit 7a3ffc8
Merge: fcca1f8 bd1631b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:53:01 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit fcca1f8
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:18:20 2018 -0800

    get webhook_test.TestInject working.

commit 06f517c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:10:55 2018 -0800

    restructure app_probe_test working for both.

commit 7142e96
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 13:19:41 2018 -0800

    starting to work on serious test

commit a3dfb97
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:50:19 2018 -0800

    prototyping get familiar with the test.

commit 51659da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:05:51 2018 -0800

    wip for adding test.

* resolve appprobetest.

* update the golden due to another injector change.

* remove unnecessary files in this pr.

* remove the test framework change.

* remove unnecessary testdata file.

* DeepCopy used.

* fix lint.
smawson pushed a commit to smawson/istio that referenced this pull request Feb 12, 2019
* injector changes for health check, pilot agent take over app readiness check. (istio#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merging failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 18:13:30 2019 -0800

    renaming env var.

commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 17:59:25 2019 -0800

    finish migrating test to yaml file based.

commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:55:00 2019 -0800

    get test working.

commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:49:58 2019 -0800

    WIP add some test files.

commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:13:06 2019 -0800

    WIP changing to using the environment var.

commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:52:47 2019 -0800

    add todo for the tests.

commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277 4b7b13a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:47:17 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit ca22277
Merge: 98fd48f 744b07a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:34 2019 -0800

    Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip

commit 98fd48f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:00 2019 -0800

    findsidecar.

commit 744b07a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 22:29:28 2019 -0800

    add FindSidecar.

commit 40ed002
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 21:55:51 2019 -0800

    refactor some code.

commit 0fdbb2e
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 18:19:32 2019 -0800

    Integration test works and fixing a bug.

commit 5085dfd
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 16:09:13 2019 -0800

    all inject tests pass.

commit fe3f156
Merge: a2a7744 010d5c2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:22:18 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit a2a7744
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:16:04 2019 -0800

    update the TestWebhookInject.

commit 36fd45c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 12:13:21 2019 -0800

    some document

commit 88dc922
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 11:43:44 2019 -0800

    new version works for kubeinject, webhook unit test.

commit 6efa0d6
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 18:17:38 2019 -0800

    WIP working on modifying sidecar.Args first, then modify app container patch.

commit 65a2194
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 15:20:36 2019 -0800

    WIP add what's missing to get e2e test working.

commit 1595e87
Merge: 256d963 ac78a55
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 13:26:05 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 256d963
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 12:14:04 2019 -0800

    add some debugging log.

commit f700963
Merge: bdce721 c7eb603
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 10:57:43 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit bdce721
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 18:04:37 2019 -0800

    refactor to host something up to caller.

commit b51763c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 16:31:32 2019 -0800

    get everything works.

commit 0815695
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:48:27 2019 -0800

    kubeinject test is working.

commit 14c99b5
Merge: d626bb8 5ea7962
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:30 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit d626bb8
Merge: 3561ae0 66153da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:23 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3561ae0
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:49:44 2019 -0800

    WIP, policy is not taking effect, test passing without rewrite.

commit a9bef0f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:31:08 2019 -0800

    fix the json path in the patch.

commit f1aee91
Merge: 3a7eb48 abc53e1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 14:03:49 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3a7eb48
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 13:57:55 2019 -0800

    fix it, removing namespace since metadata not matching will fail for kubeapply

commit 2b12034
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 11:58:39 2019 -0800

    WIP, debugging why mtls policy is not showed up.

commit 72e9c4e
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:24:16 2019 -0800

    working on integration2 test framework.

commit 90c1cce
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:04:38 2019 -0800

    add small comments.

commit 92a0eda
Merge: 7f5c8cb e45242c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 16:43:47 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 7f5c8cb
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:37:53 2018 -0800

    check rewriteAppProbe separately.

commit e2707c9
Merge: 20f02c0 1ae6b4f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:01:37 2018 -0800

    Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject

commit 20f02c0
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:59:57 2018 -0800

    duplicate the rewrite logic.

commit 4894cb1
Merge: 3b3bcbf d8c4579
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:53:44 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 1ae6b4f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Dec 17 21:56:51 2018 -0800

    address comments.

commit 3b3bcbf
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:24:33 2018 -0800

    massage comments.

commit ccd670d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:15:50 2018 -0800

    helm flag is off, so change the expected output.

commit 43522c1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:09:46 2018 -0800

    make webhook support rewriteAppHTTPProbe flag.

commit f60f18f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 12:03:04 2018 -0800

    fixing the merge typo.

commit 05bbadf
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:56:38 2018 -0800

    remove unnecessary changes in test for debugging.

commit a81eacb
Merge: af1a679 f6b0ddc
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:53:07 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit af1a679
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 18:07:19 2018 -0800

    fixing all the test.

commit 58d0bef
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:51:34 2018 -0800

    Get TestInject happy.

commit fcd0ae2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:49:42 2018 -0800

    make TestHelmInject happy.

commit 7a3ffc8
Merge: fcca1f8 bd1631b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:53:01 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit fcca1f8
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:18:20 2018 -0800

    get webhook_test.TestInject working.

commit 06f517c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:10:55 2018 -0800

    restructure app_probe_test working for both.

commit 7142e96
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 13:19:41 2018 -0800

    starting to work on serious test

commit a3dfb97
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:50:19 2018 -0800

    prototyping get familiar with the test.

commit 51659da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:05:51 2018 -0800

    wip for adding test.

* resolve appprobetest.

* update the golden due to another injector change.

* remove unnecessary files in this pr.

* remove the test framework change.

* remove unnecessary testdata file.

* DeepCopy used.

* fix lint.
duderino pushed a commit that referenced this pull request Feb 13, 2019
* Incremental EDS only need updated service names (#11117)

* Configure envoy_bootstrap_v2.json to use the configured admin port (#11214)

* Configure envoy_bootstrap_v2.json to use the configured admin port

* Also set the prometheus_stats cluster's port

* Fix bootstrap tests that override admin port

* Allow ipv6 local traffic. (#10738)

* Allow specifying multiple egress host entries with same namespace (#11258)

* allow multiple hosts in same namespace in sidecar egress host

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* merge

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nit

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Galley: Include full Pod resource (#11323)

The ServiceEntry transformation requires the Pod status, which is
not included in the PodSpec. We need to pass through the entire
Pod proto, so that it's available for the conversion.

* Delete the obsolete service control adapter. (#11275)

* [DO NOT MERGE] Rollout Status timeout during e2e tests (#10996)

Addresses issue #9685

* Disable shared span context by default (#11281)

* Add logic to kubeenv adapter Close() to clean-up resources (#10839)

* Add logic to kubeenv adapter Close() to clean-up resources

* Add extra logging and robustness to daemon shutdown checking in runtime

* WIP

* Revert "WIP"

This reverts commit 74f22ec.

* Increase unit test coverage

* Address review comments

* Ensure xenial base image present before building proxy_init (#11277)

* Update codecov to use skip file as threshold as well (#11294)

* Fix e2e-simple test flake (#11271)

* Fix e2e-simple test flake

istio-init.yaml was not being applied. At least on bare metal,
this caused e2e-simple to fail nearly 100% of the time in a race
between the kubeapi server applying CRD's and the application of
custom resources in the manifest.

This problem is less pervasive on slower (vm) environments.

* Fix a spelling error complaint from linter

* integrate new MCP stack into galley, pilot, and mixer (#11292)

This PR integrates the new MCP source/sink stack into Galley, Pilot,
and Mixer. The old stack is temporarily retained while we complete
extended scale/perf testing.

* Revert "Fix e2e-simple test flake (#11271)" (#11331)

This reverts commit f993e46.

* Update README.md (#9501)

* Add response_flags to metrics and logs (#9945)

* Use sdsName from Gateway config as the resource name in sds config (#11239)

* Use sdsName from Gateway config as the resource name in sds config

* Add test

* goimports

* Fix lint

* Fix test

* mixer: pod policy override (#10886)

* implement injection and override

Signed-off-by: Kuat Yessenov <kuat@google.com>

* lint

Signed-off-by: Kuat Yessenov <kuat@google.com>

* review

Signed-off-by: Kuat Yessenov <kuat@google.com>

* mend

* annotation from node metadata

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix a bug

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding --controlPlaneBootstrap pilot-agent flag (#11212)

* Adding --controlPlaneBootstrap pilot-agent flag to explicitly enable
generation of Envoy bootstrap for Istio control plane components. Only
effective when --templateFile is provided as well.

If --templateFile is provided, but --controlPlaneBootstrap=false, then
template file will be passed through regular bootstrap config
processing, replacing default bootstrap config template.

Default flag value is "true" to be backward-compatible with existing
behavior, so that no other changes are required by other components that
rely on pilot-agent for control plane bootstrap config generation.

* Adding TODO to clean up Mixer and Pilot to use standard template

Mixer and Pilot use custom Envoy bootstrap templates, that have special processing in pilot-agent. They should migrate to the standard bootstrap template and special processing should be removed from pilot-agent.

* Fixing formatting errors on pilot/cmd/pilot-agent/main.go

* [Galley] Restructure runtime package to support multiple states. (#11325)

* [Galley] Restructure runtime package to support multiple states.

This is a follow-on to #11162 that moves the runtime state as well as
 its previously package-private dependencies into their
 own packages. This allows new "states" to exist in separate packages
 under runtime.

* addressing comments

* addressing comments

* extend istio-multi rbac rule (#11339)

* Galley file-source was occluding resources with the same name with different types in the same file (#11257)

* Only add localhost IP if no other IP address were found (#11367)

* not make PDB configurable (#11330)

* not allow users to configure pdb

* remove maxUnavailable

* incorporate google CA's merge APIs change in nodeagent  (#11341)

* merge api

* remove extra line

* Revert "Location based Load Balancing (#10720)" (#11371)

This reverts commit 3f05706.

* Support multiple Citadels running in one cluster. (#11312)

* Support multiple Citadels running.

* Small fix.

* Small fix.

* Small fix.

* consistent autoscaling config among control plane components (#11376)

* consistent autoscaling config among control plane components

* address Yossi comment

* add missing end

* use spec here

* support namespace/host in gateway (#11290)

* assorted cleanups

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Loosen secret type for ingress gateway (#11385)

* set concurrency according to cpu resource limit/request if it is not set (#11311)

* set concurrency according to cpu resource request if it is not set

* address comments

* fix ut

* fix ut

* fix ut

* run dep ensure

* cache proxy service instances to improve performance (#11368)

* cache proxy service instances to improve performance

* address comments & fix ut

* Support gateway agent to read TLS secret set by cert-manager (#11399)

* read tls secret format

* Update test

* fix lint

* fix lint

* fix lint

* update test

* format

* fix lint

* fix lint

* mixer: option for alternative language runtime (#11391)

* split the original PR

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add annotation support

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix simpletest flake in citadel testing (#11360)

* Fix simpletest flake in citadel testing

A PR was merged ~4 weeks ago which introduced built-in
testing of the Helm charts.  The readiness testing in these
Helm chart tests were defective.  This problem was masked by
a silently failing gate.

(cherry picked from commit bf9bc7b)

* Fix a flaky e2e_simpleTests (#11408)

* Add retries and delay trying to test connection to prometheus

* Also retry on connection refused errors

* Workaround due to old version of curl in proxy

(cherry picked from commit 0e937c7)

* Increase integ test deployment timeout (#11423)

* Increase integ test deployment timeout

* Skip flaky/failing TestTcpMetric

* Remove post-install job and (kubectl) apply security policy CRs to k8s directly (#11248) (#11418)

* Remove post-install job and (kubectl) apply security policy CRs to k8s directly

* Fix condition logic

* Exit on fatal logs (#11335)

* Exit on fatal logs

* Do not call Fatalf in the middle of Galley code

* envoy: use any instead of struct (#11419)

* fix tests

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix framework assuming json

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add gates

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Loops ends after first iteration (#11378) (#11383)

* Adding istio-init chart to release (#11443) (#11445)

* fix superfluous condition in pdb. (#11413)

* Set seconds as the value of MaxAge instead of Duration.String (#11447)

* Allow identity domain to be configured in istio: Ensure e2e tests are working with different identity domain (#9226)

* Refactor identity domain handling and adapt unit tests

Co-authored-by: Ulrich Kramer <u.kramer@sap.com>

* Fix goimports error

*  set role.TrustDomain in pilot main

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Add end to end test e2e_bookinfo_trustdomain

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Use .Values.global.trustDomain as trustDomain for citadel

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Removed commented out code

Co-authored-by: Jakob Schmid <jakob.schmid@sap.com>

* Remove fallback to domain for trust domain

This became necessary due to #11050, which always set the domain
command line flag for executables. But we didn't expect this flag to
have two different meanings (dns-domain and domain-suffix).

Co-authored-by: Ulrich Kramer <u.kramer@sap.com>

* Tls fix (#11455)

* revert deleted TLS validation logic

* lint fixes

* Make TestDuplicateResourceNamesDifferentTypes have consistent ordering. (#11456)

* Adding support for named components to the test framework (#11440)

Each component can be created with a name and optionally a configuration. This allows multiple echo instances, policy backends, envoy proxies, etcetera to be managed independently. Also adding a standard way to configure components but support for that is in a followup.

* Galley support for MCP Source Client dial out (#11291)

* Auth plugin to be used for Galley callout.

* Lint

* Add unit tests.

* Mock Google credentials

* Galley callout code.

* Review comments, fix client_source test.

* Lint

* Switch callout.go to use patch table for test vars.

* Rename callout cli args.

* Increase coverage

* newcallout args, syncWG change.

* Fatal->Error

* Review comments

* Review comments.

* Update metadata model. (#11477)

This is split out from #11293

Supporting work for #10497 and #10589

* [pilot] Export virtual service and destination rule metadata (#11384)

* [pilot] Export virtual service and destination rule metadata

* fixup bad rebase

* restore lost test

* Small fixes

* use URL for rule uid and config as key

* goimports

* update unit tests to match code changes in previous commit

* goimports, redux

* Randomize Galley ports for integration testing (#11285)

* Randomize Galley port for code-coverage runs.

* Remove runaway empty test.

* Update istio-proxy for source.uid fix (#11428)

* Update gateway_test.go to check for overrides

* update to include new proxy

* linter fix

* update client tests for whitelisted attributes

* use source fixed build

* disable TestSecretCreationKubernetes (#11479)

* Fix e2e-simple test flake (#11356) (#11481)

istio-init.yaml was not being applied. At least on bare metal,
this caused e2e-simple to fail nearly 100% of the time in a race
between the kubeapi server applying CRD's and the application of
custom resources in the manifest.

This problem is less pervasive on slower (vm) environments.
(cherry picked from commit 1caa6ce)

* Enhance MCP index function to support multiple groups (#11478)

This is split out from #11293

In #11293 we modify the index function to return a different group when choosing the synthetic ServiceEntry collection.

Support for #10497 and #10589

* Zipkin adapter supporting the tracespan template (#11282) (#11483)

* Zipkin adapter supporting the tracespan template (#11282)

* Zipkin adapter supporting the tracespan template

* Refactored generic OpenCensus trace support into a helper package
* Use this to implement Zipkin support using OpenCensus Zipkin exporter

* regenerate template.

* lint. move crd.

* dep ensure.

* new line.

* add zipkin to galley.

* dep ensure

* Default exports, and config root namespace (#11387)

* default exportTo flags

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* format

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nit

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* compile fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* helm stuff

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* istio-config namespace and default sidecar scope

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* spell fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* reorder initialization steps

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* test compile fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* helm tweaks

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* missing helm file

* allow ~ in sidecar imports

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* bad copy paste

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* test fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo framework change

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Revert "bad copy paste"

This reverts commit 934b54a.

* Revert "missing helm file"

This reverts commit 992685d.

* Revert "helm tweaks"

This reverts commit 5b78b92.

* redos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lists

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* quotes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* tests

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Fixing race condition in Galley Server.Close() (#11484)

The issue was introduced by #11285

It causes a race with the startup of the gRPC server, which leads to a segfault.  From prow logs:

```
=== RUN TestServer_Basic
2019-02-01T20:33:05.867746Z	info	ControlZ available at 10.44.58.28:9876
2019-02-01T20:33:05.867968Z	info ControlZ terminated
2019-02-01T20:33:05.867987Z	info	runtime Stopping processor...
2019-02-01T20:33:05.868000Z	warn	runtime Processor has already stopped
2019-02-01T20:33:05.867798Z	info runtime	Starting processor...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x9e4bc8]

goroutine 148 [running]:
istio.io/istio/vendor/google.golang.org/grpc.(*Server).Serve(0xc42046d080, 0x0, 0x0, 0x0, 0x0)
	/home/prow/go/src/istio.io/istio/vendor/google.golang.org/grpc/server.go:522 +0x748
istio.io/istio/galley/pkg/server.(*Server).Run.func1(0xc4202d9490)
	/home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:242 +0xfb
created by istio.io/istio/galley/pkg/server.(*Server).Run
	/home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:233 +0x5c
FAIL	istio.io/istio/galley/pkg/server 0.383s
```

* add labels to services and deployments (#11503)

* Quote accessLogFormat in configmap template in helm chart (#11449) (#11490)

* Make custom gateway works (#11320)

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* Add missing values global object and template (#11500)

* Envoy Graceful Shutdown (#11485)

* Add Draining bootstrap to Proxies

Signed-off-by: Liam White <liam@tetrate.io>

* Drain open connections

Signed-off-by: Liam White <liam@tetrate.io>

* typo and makefile fix for drain config

Signed-off-by: Liam White <liam@tetrate.io>

* Add proxy agent tests for draining

Signed-off-by: Liam White <liam@tetrate.io>

* appease our golangcibot overlord

Signed-off-by: Liam White <liam@tetrate.io>

* Windows Go doesn't have syscall.Kill

Signed-off-by: Liam White <liam@tetrate.io>

* Skip spybackend test when in racetest (#11497) (#11506)

* Workaround to make racetest skip this test due to low memory

* Lint

* Add mixer status to access log (#11471)

* Add mixer status to access log

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* review

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fixing default exports (#11507)

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Fix 10971 p1 injector (#11512)

* Fix global DNS resolution in sidecar injector

The dnsConfig key was not honored by the sidecar injector.  This PR
ensures the dnsConfig key is honored by the sidecar injector.  This
enables the injected application can resolve DNS, but does not solve
routing via RDS.  Routing via RDS needs a followup PR.

* Fix syntax error in sidecar injector template

* HTTP probe rewrite for webhook part. (#10470)

* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merging failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 18:13:30 2019 -0800

    renaming env var.

commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 17:59:25 2019 -0800

    finish migrating test to yaml file based.

commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:55:00 2019 -0800

    get test working.

commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:49:58 2019 -0800

    WIP add some test files.

commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:13:06 2019 -0800

    WIP changing to using the environment var.

commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:52:47 2019 -0800

    add todo for the tests.

commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277 4b7b13a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:47:17 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit ca22277
Merge: 98fd48f 744b07a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:34 2019 -0800

    Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip

commit 98fd48f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:00 2019 -0800

    findsidecar.

commit 744b07a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 22:29:28 2019 -0800

    add FindSidecar.

commit 40ed002
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 21:55:51 2019 -0800

    refactor some code.

commit 0fdbb2e
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 18:19:32 2019 -0800

    Integration test works and fixing a bug.

commit 5085dfd
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 16:09:13 2019 -0800

    all inject tests pass.

commit fe3f156
Merge: a2a7744 010d5c2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:22:18 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit a2a7744
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:16:04 2019 -0800

    update the TestWebhookInject.

commit 36fd45c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 12:13:21 2019 -0800

    some document

commit 88dc922
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 11:43:44 2019 -0800

    new version works for kubeinject, webhook unit test.

commit 6efa0d6
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 18:17:38 2019 -0800

    WIP working on modifying sidecar.Args first, then modify app container patch.

commit 65a2194
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 15:20:36 2019 -0800

    WIP add what's missing to get e2e test working.

commit 1595e87
Merge: 256d963 ac78a55
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 13:26:05 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 256d963
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 12:14:04 2019 -0800

    add some debugging log.

commit f700963
Merge: bdce721 c7eb603
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 10:57:43 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit bdce721
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 18:04:37 2019 -0800

    refactor to host something up to caller.

commit b51763c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 16:31:32 2019 -0800

    get everything works.

commit 0815695
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:48:27 2019 -0800

    kubeinject test is working.

commit 14c99b5
Merge: d626bb8 5ea7962
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:30 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit d626bb8
Merge: 3561ae0 66153da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:23 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3561ae0
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:49:44 2019 -0800

    WIP, policy is not taking effect, test passing without rewrite.

commit a9bef0f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:31:08 2019 -0800

    fix the json path in the patch.

commit f1aee91
Merge: 3a7eb48 abc53e1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 14:03:49 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3a7eb48
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 13:57:55 2019 -0800

    fix it, removing namespace since metadata not matching will fail for kubeapply

commit 2b12034
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 11:58:39 2019 -0800

    WIP, debugging why mtls policy is not showed up.

commit 72e9c4e
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:24:16 2019 -0800

    working on integration2 test framework.

commit 90c1cce
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:04:38 2019 -0800

    add small comments.

commit 92a0eda
Merge: 7f5c8cb e45242c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 16:43:47 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 7f5c8cb
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:37:53 2018 -0800

    check rewriteAppProbe separately.

commit e2707c9
Merge: 20f02c0 1ae6b4f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:01:37 2018 -0800

    Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject

commit 20f02c0
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:59:57 2018 -0800

    duplicate the rewrite logic.

commit 4894cb1
Merge: 3b3bcbf d8c4579
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:53:44 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 1ae6b4f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Dec 17 21:56:51 2018 -0800

    address comments.

commit 3b3bcbf
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:24:33 2018 -0800

    massage comments.

commit ccd670d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:15:50 2018 -0800

    helm flag is off, so change the expected output.

commit 43522c1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:09:46 2018 -0800

    make webhook support rewriteAppHTTPProbe flag.

commit f60f18f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 12:03:04 2018 -0800

    fixing the merge typo.

commit 05bbadf
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:56:38 2018 -0800

    remove unnecessary changes in test for debugging.

commit a81eacb
Merge: af1a679 f6b0ddc
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:53:07 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit af1a679
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 18:07:19 2018 -0800

    fixing all the test.

commit 58d0bef
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:51:34 2018 -0800

    Get TestInject happy.

commit fcd0ae2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:49:42 2018 -0800

    make TestHelmInject happy.

commit 7a3ffc8
Merge: fcca1f8 bd1631b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:53:01 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit fcca1f8
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:18:20 2018 -0800

    get webhook_test.TestInject working.

commit 06f517c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:10:55 2018 -0800

    restructure app_probe_test working for both.

commit 7142e96
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 13:19:41 2018 -0800

    starting to work on serious test

commit a3dfb97
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:50:19 2018 -0800

    prototyping get familiar with the test.

commit 51659da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:05:51 2018 -0800

    wip for adding test.

* resolve appprobetest.

* update the golden due to another injector change.

* remove unnecessary files in this pr.

* remove the test framework change.

* remove unnecessary testdata file.

* DeepCopy used.

* fix lint.

* Add longer timeouts for Galley tests. (#11517)

Addresses #11464

* Locality based load balancing for strict dns clusters (#11381)

* rework locality based load balancing

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* simplify

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* bad merge

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint again

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Update pilot/pkg/networking/core/v1alpha3/cluster.go

Co-Authored-By: rshriram <rshriram@users.noreply.github.com>

* move load balancer setting to a separate pkg

* should also apply applyLocalityLBSetting for non-cached outbound clusters

* set cluster locality_weighted_lb_config

* fix ci

* enable LocalityWeightedLbConfig only when cluster has outlier detection

* address comments

* Correct Citadel server log. (#11361)

* Correct Citadel server log.

* Small fix.

* Remove sidecar injection in istio-init jobs (#11317)

This PR aims to solve a problem where the injector is running
but a new job is added in an upgrade scenario.  In this condition
the job is injected, which can result in errors contacting the
injector.

* Only require go.opencensus.io on Linux (#11327)

* Only require go.opencensus.io on Linux

* Ran fmt.sh and goimports against
the stats_linux.go file.

Signed-off-by: Jason Clark <jason.clark.oss@gmail.com>

* Remove the istio-remote chart and make it an istio chart values (#11307)

* Remove the istio-remote chart and make it an istio chart values

* By default tracing should be disabled in remote as it's unsupported

* Fixing the path to values file in e2e MC test

* Fixing istio-pilot-multicluster-e2e.sh

* Correction for previous commit

* Better way to remove MeshPolicy on remote yaml

* Newline

* Newline

* Remove redundant and

* Fix for flakes in TestSource_MangledNames (#11538)

The source of the panic appeared to be access to the labels, which were not being explicitly set on the Unstructured object. This PR sets them directly, so that should no longer be an issue.

Fixes #11532

* Use istio namespace for global destination rule to avoid overwriting mixer policy (#11546)

* Change default monitoring port (#11421)

* Change default monitoring port

Update the default monitoring port from 9093 to 15014.

* Fix test cases

* Hardcode the monitoringPort in istio-remote

* Use credentialName to specify credential resource name and support mTLS for external cert management at ingress gateway. (#11496)

* use CredentialName for SIMPLE

* cvc

* rootca

* update test.

* update test

* fix format

* update gateway config

* fix test

* fix lint

* fix test

* add comments.

* add nolint

* update cvc

* update

* update

* update

* update

* update

* update

* format

* dep ensure --update istio.io/api

* Revise per comments

* Revise

* lint

* Add MCP stress test suite (#11465)

* add -labels option to mcpc for testing and debug

* fix typo in source CollectionOptions name

* increase queue test coverage to 100%

* add more tests for incremental mcp option (still off by default)

* add mcp stress test suite

* fix unit tests

* review comments and add README.md

* run goimports

* fix some wording

* fix bad merge

* formatting

* rebase stress test on latest snapshot group changes

* math.Rand is not safe for concurrent use

* address review comments

* add missing file

* plumb through serverIncSupported

* rename test file

* changing the default limits for init proxy (#11540)

* Add readiness check for Ingress Gateway (#3063) (#11001) (#11548)

Enabling the same readiness probe for Ingress Gateway that is being
used for sidecars.

* istioctl proxy-status should only exec into running pilot pods (#11539)

istioctl proxy-status uses kubectl exec on pilot pods to extract debug
and diagnostic information. Use
`--field-selector=status.phase=Running` to only exec into pods that
are actually running.

fixes #11488

* increase control plane component replicas during upgrade test (#11389)

* add multiple control plane component

* remove space

* Allow specify the path for SDS k8s token (#11460)

* Allow specify SDS token path

* Change the default value to empty string

* Rephrase the comment for sds token path

* Address review comments

* Change to use node metadata to pass SDS token path

* Address review comments (e.g., remove static variable)

* Use SDS token path if it is set

* remove chart.version label in pod template. (#11302)

* remove deprecated 'refreshInterval' option in chart. (#11412)

* remove deprecated option in chart.

* fix CI issue.

* Disable agent TestFull test. (#11562)

* remove istio cni subchart tar from source. (#11230)

* Moved subcharts into the istio chart (#11558)

* Moved subcharts into istio charts

* Removed helm dep update calls

* Removed also programmatic helmDepUpdate calls

* Removing helm package call not necessary anymore

* Fix non-Linux builds. (#11580)

* add debug logs to print cert chain (#11575)

* revert #11558 Moved subcharts into the istio chart (#11597)

* add multiple control plane component

* remove space

* Revert "Moved subcharts into the istio chart (#11558)"

This reverts commit a5f9e9b.

* add missing attribute declarations (#11595)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix a few doc issues. (#11596)

* Update istio/api to #3094619 release 1.1 subject_alt_names in Service… (#11541)

* Update istio/api to #3094619 release 1.1 subject_alt_names in ServiceEntry

* Comment out sdsName

* Linter fix

* more linter fixes

* Comment out SDS test

* run bin/fmt.sh

* Skip gateway sds test completely

* Use issue # in t.Skip()

* revert sds changes

* Fix racetest in SDS service (#11615)

* Set the serviceCluster namespace based on env var, to also support specifying namespace on cli after kubeinject (#11587)

* Make image pull policy configurable in Makefile (#10269)

* Adds missing 1.1 attribute data to testdata for integration tests (#11313)

The request.url_path and request.query_params attributes have been added as of istio 1.1
These are required in the testdata attributes manifest in order for them to be useable in the integration test framework.

* Doc fixes. (#11619)

* [mixer:stackdriver] Initial changes to support dst svc edges in graph (#11426)

* Initial changes to support dst svc edges

* Add istio service to k8s service member relation

* Refactor of edge logic and add test

* Add <workload, service> relations

* Fix routing when DNS is resolved (#11522)

The DNSDomain variable needs to be enhanced to include more
than one DNS entry.  Change DNSDomain to DNSDomains as a meta
and add the dnsConfig in the meta.  As now DNSDomain is a slice
of strings instead of a string, the variable needs consolidation.

* adjust galley dashboard time range (#11627)

* Add update permissions to deployments/finalizers for galley clusterrole (#11586) (#11631)

(cherry picked from commit f9b6866)

* [release-1.1] Update fluentd adapter to be more robust (#11623)

* Update fluentd adapter to be more robust

* Minor touchup of bad merge

* Lint fixes

* Fix kubernetesenv workload attributes for multicluster with one control plane (#11581)

* remove myself from pilot OWNERS (#11632)

* remove me (#11636)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add debug logs for citadel authenticate fail (#11633)

* move apply plugin below buildscript (#11625)

The Cloud Foundry open source licensing scanner has a plugin that
identifies dependencies from gradle scripts, but it requires the
buildscript and plugins block be before anything else in the file.
This change does not affect the build, but makes our lives a smidge
easier.

Co-authored-by: Teal Stannard <tstannard@pivotal.io>

* check key.pem (#11599)

* Sample ServiceEntries for apt-get, pip, and git tools showing how to grant access to mesh. (#11508)

* Samples for accessing apt-get repo, Github, and pip repo

* A Readme explaining the samples

* Link to future doc on default external comm capability

* Incorporate documentation feedback from venilnoronha

* Add support for metadata constraints in RBAC (#11459)

* Add support for metadata constraints in RBAC

This adds support for mapping RBAC constraints with keys in the a[b]
format to Envoy's filter metadata matcher.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Use SplitN instead of Split for completeness

This updates the metadata matcher definition to use strings.SplitN
instead of strings.Split in order to capture the whole binary key in two
parts.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Accommodate [list] and plain value type constraints

This adds logic to accommodate filter metadata matching over both [list]
and value type constraints.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Add extra experimental. prefix test for matching

This adds an extra experimental. prefix test while creating metadata
matchers based on Envoy filters.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Update comments

This updates code comments.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* add POST to ratings service to demonstrate security policies on HTTP Methods (#10778)

* add POST to ratings service

* put a space between if and opening parenthesis

* add comments

* remove extra line-break

* Enable remote clusters to check/report to local Mixer (#11585)

* Print error message if istio-sidecar-injector invalid, allow toJson as synonym for toJSON (#11570)

* Fix racetest in fluentd test (#11647)

* Bump the number of connections that can be reused in Citadel (#11641)

* Bump the number of connections that can be reused in Citadel

* A small fix

* First cut of xDS API structural testing using the new integration tests (#11406)

* Fixes for k8s ingress (#11343)

* Fix ingress in pilot, writeback and multiple namespaces

* Fix tests, format

* Fix test - the generated service should be left in the namespace of ingress

* Additional test fixes, match the new 1.1 semantics

* Again make fmt and lint not matching

* Break up the helloworld sample into versions (#11650)

* Break up the helloworld sample into versions

* Moved to default namespace

* Separated gateway file and added labels

* Update the doc

* Cleanup section updated too

* Fix build break due to #11406. (#11677)

https://k8s-gubernator.appspot.com/build/istio-prow/pr-logs/pull/istio_istio/11645/istio-integ-local-tests/5215

* make stackdriver e2e test cluster wide (#11674)

* Add handling for independent encoding in Report batches to Mixer (#11640)

* Add handling for independent encoding in Report batches to Mixer

* fix lll

* Address review

* protect protobag done

* exit circleci test early if setup fails (#11572)

* wip: exit circleci test early if setup fails

Many of the circleci tests will attempt to run the e2e/integration
tests even after the test setup fails. This leads to misleading test
failures that suggest the problem is with the feature test and not the
test setup itself.

Example test runs where the setup failed and the test was run but
immediately errored out because a dependency was missing:

https://circleci.com/gh/istio/istio/316588
https://circleci.com/gh/istio/istio/317262
https://circleci.com/gh/istio/istio/318281
https://circleci.com/gh/istio/istio/316031
https://circleci.com/gh/istio/istio/315952
https://circleci.com/gh/istio/istio/315871
https://circleci.com/gh/istio/istio/315813

ref: https://circleci.com/docs/2.0/configuration-reference/#the-when-attribute
```
By default, CircleCI will execute job steps one at a time, in the
order that they are defined in config.yml, until a step fails (returns
a non-zero exit code). After a command fails, no further job steps
will be executed.

Adding the when attribute to a job step allows you to override this
default behaviour, and selectively run or skip steps depending on the
status of the job.

The default value of on_success means that the step will run only if
all of the previous steps have been successful (returned exit code 0).

A value of always means that the step will run regardless of the exit
status of previous steps. This is useful if you have a task that you
want to run regardless of whether the previous steps are successful or
not. For example, you might have a job step that needs to upload logs
or code-coverage data somewhere.
```

* re-add `when: always` to codecov job

* Implementation of isolation for EDS (#11672)

* Implementation of isolation for EDS

* Provide nil proxy for older calls

* Always call loadAssignmentsForClusterIsolated

* Revert "Always call loadAssignmentsForClusterIsolated"

This reverts commit db2c997.

* Env variable to disable

* Lint

* Environment Variable controlled Graceful Termination with low defaults. (#11630)

* Feature flag graceful shutdown

Turn graceful shutdown off by default for 1.1 with a feature flag that allows users to opt-in.

Signed-off-by: Liam White <liam@tetrate.io>

* Address pr comments

Signed-off-by: Liam White <liam@tetrate.io>

* Clean up missed feature flag var

Signed-off-by: Liam White <liam@tetrate.io>

* Add turn off test case, todo comments and fix agent tests

Signed-off-by: Liam White <liam@tetrate.io>

* fix lint

Signed-off-by: Liam White <liam@tetrate.io>

* PR review comments

Signed-off-by: Liam White <liam@tetrate.io>

* Move TerminationDuration function and tests to Pilot features

Signed-off-by: Liam White <liam@tetrate.io>

* Update Proxy SHA to latest (release-1.1). (#11687)

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

* Add empty check for proxy's locality (#11681)

Make sure empty proxy locality will fall back to using proxy service's instance locality.

* Increase sleep value to account for Galley default aggregation of 1 sec with MCP (#11685)

* cache ServiceAccounts and remove it from Environment (#11442)

* cache ServiceAccounts and remove it from Environment

* use allServices var

* fix ut

* Adding Envoy bootstrap template for a custom Pilot implementation. (#11395)

* Adding Envoy bootstrap template for a custom Pilot implementation.

New template connects to Pilot using Google gRPC Envoy client, which
allows to perform authz by passing additional credentials. Placed into
install/gcp due to being GCP installation specific.

To enable this template, introducing {{ .discovery_address }} variable,
which passes --discoveryAddress flag value "as is", without splitting it into
address/port_value parts as currently done for the {{ .pilot_grpc_address }} variable.

* Removing static interception listener from gcp_envoy_bootstrap.json
as it is generated by the Pilot.

* Update bookinfo images, fix the script to bump bookinfo versions (#11701)

* add wildcard to digits in the sed regex, for setting version

* bump a minor version

* Add cli option to Galley to allow metadata on outgoing sink connections. (#11602)

* Add cli option to Galley to allow metadata on outgoing sink connections.

For use with sinkAddress, outgoing connections to MCP sink servers
will have gRPC stream metadata attached as defined by sinkMeta.

* Update sinkMeta to use key=value.

* Review comments.

* Error message if istioctl version doesn't match data plane version (#11592)

* Additional error text if istioctl version doesn't match data plane version

* Fix typo

* Revise wording of error msg

* Allow Envoy listener stats to be turned off/on with a pod annotation (#11398)

* If sidecar.istio.io/statsPatterns supplied, customize Envoy stats collection

* Versionize annotation tag

* Change annotation to sidecar.istio.io/v1alpha1/statsInclusionPrefixes per Doug Reid

* pin goimports in make fmt (#11645)

* fix fmt

Signed-off-by: Kuat Yessenov <kuat@google.com>

* trying to run docker in circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* trying to run docker in circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* circling

Signed-off-by: Kuat Yessenov <kuat@google.com>

* circling

Signed-off-by: Kuat Yessenov <kuat@google.com>

* just dont use circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add comment

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding namespace declaration in Grafana PersistentVolumeClaim (#11314)

When using the Helm chart with a user specific namespace and Grafana persistency
enabled, the generated PersistentVolumeClaim for Grafana was missing a namespace,
leading to the Grafana pod being stuck in the Pending state.

* Fix the periodic builds, add a non-mcp to presubmit (#11703)

* Update api sha (#11709)

* issue #11244 - demo should install a default secret for kiali so out-of-box experience is nicer for users kicking the tires (#11272) (#11715)

(cherry picked from commit 1ad4e29)

* [WIP] Fix sync issue with policy enablement and check enablement (#11707)

* Fix sync issue with policy enablement and check enablement

* Remove outdated comment

* Fix deps and broken merge for mixer test

* Fix overly restrictive golang version match

* Fix integration test framework merge issues

* Fix line length lint issue

louiscryan pushed a commit to louiscryan/istio that referenced this pull request Feb 14, 2019

* injector changes for health check, pilot agent take over app readiness check. (istio#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merging failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 18:13:30 2019 -0800

    renaming env var.

commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 17:59:25 2019 -0800

    finish migrating test to yaml file based.

commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:55:00 2019 -0800

    get test working.

commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:49:58 2019 -0800

    WIP add some test files.

commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:13:06 2019 -0800

    WIP changing to using the environment var.

commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:52:47 2019 -0800

    add todo for the tests.

commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277 4b7b13a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:47:17 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit ca22277
Merge: 98fd48f 744b07a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:34 2019 -0800

    Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip

commit 98fd48f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:00 2019 -0800

    findsidecar.

commit 744b07a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 22:29:28 2019 -0800

    add FindSidecar.

commit 40ed002
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 21:55:51 2019 -0800

    refactor some code.

commit 0fdbb2e
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 18:19:32 2019 -0800

    Integration test works and fixing a bug.

commit 5085dfd
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 16:09:13 2019 -0800

    all inject tests pass.

commit fe3f156
Merge: a2a7744 010d5c2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:22:18 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit a2a7744
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:16:04 2019 -0800

    update the TestWebhookInject.

commit 36fd45c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 12:13:21 2019 -0800

    some document

commit 88dc922
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 11:43:44 2019 -0800

    new version works for kubeinject, webhook unit test.

commit 6efa0d6
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 18:17:38 2019 -0800

    WIP working on modifying sidecar.Args first, then modify app container patch.

commit 65a2194
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 15:20:36 2019 -0800

    WIP add what's missing to get e2e test working.

commit 1595e87
Merge: 256d963 ac78a55
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 13:26:05 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 256d963
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 12:14:04 2019 -0800

    add some debugging log.

commit f700963
Merge: bdce721 c7eb603
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 10:57:43 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit bdce721
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 18:04:37 2019 -0800

    refactor to host something up to caller.

commit b51763c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 16:31:32 2019 -0800

    get everything works.

commit 0815695
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:48:27 2019 -0800

    kubeinject test is working.

commit 14c99b5
Merge: d626bb8 5ea7962
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:30 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit d626bb8
Merge: 3561ae0 66153da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:23 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3561ae0
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:49:44 2019 -0800

    WIP, policy is not taking effect, test passing without rewrite.

commit a9bef0f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:31:08 2019 -0800

    fix the json path in the patch.

commit f1aee91
Merge: 3a7eb48 abc53e1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 14:03:49 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3a7eb48
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 13:57:55 2019 -0800

    fix it, removing namespace since metadata not matching will fail for kubeapply

commit 2b12034
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 11:58:39 2019 -0800

    WIP, debugging why mtls policy is not showing up.

commit 72e9c4e
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:24:16 2019 -0800

    working on integration2 test framework.

commit 90c1cce
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:04:38 2019 -0800

    add small comments.

commit 92a0eda
Merge: 7f5c8cb e45242c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 16:43:47 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 7f5c8cb
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:37:53 2018 -0800

    check rewriteAppProbe separately.

commit e2707c9
Merge: 20f02c0 1ae6b4f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:01:37 2018 -0800

    Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject

commit 20f02c0
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:59:57 2018 -0800

    duplicate the rewrite logic.

commit 4894cb1
Merge: 3b3bcbf d8c4579
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:53:44 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 1ae6b4f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Dec 17 21:56:51 2018 -0800

    address comments.

commit 3b3bcbf
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:24:33 2018 -0800

    massage comments.

commit ccd670d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:15:50 2018 -0800

    helm flag is off, so change the expected output.

commit 43522c1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:09:46 2018 -0800

    make webhook support rewriteAppHTTPProbe flag.

commit f60f18f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 12:03:04 2018 -0800

    fixing the merge typo.

commit 05bbadf
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:56:38 2018 -0800

    remove unnecessary changes in test for debugging.

commit a81eacb
Merge: af1a679 f6b0ddc
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:53:07 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit af1a679
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 18:07:19 2018 -0800

    fixing all the test.

commit 58d0bef
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:51:34 2018 -0800

    Get TestInject happy.

commit fcd0ae2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:49:42 2018 -0800

    make TestHelmInject happy.

commit 7a3ffc8
Merge: fcca1f8 bd1631b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:53:01 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit fcca1f8
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:18:20 2018 -0800

    get webhook_test.TestInject working.

commit 06f517c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:10:55 2018 -0800

    restructure app_probe_test working for both.

commit 7142e96
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 13:19:41 2018 -0800

    starting to work on serious test

commit a3dfb97
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:50:19 2018 -0800

    prototyping get familiar with the test.

commit 51659da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:05:51 2018 -0800

    wip for adding test.

* resolve appprobetest.

* update the golden due to another injector change.

* remove unnecessary files in this pr.

* remove the test framework change.

* remove unnecessary testdata file.

* DeepCopy used.

* fix lint.

istio-testing pushed a commit that referenced this pull request Mar 20, 2019

* Merge release-1.1 to master (#11722)

* Incremental EDS only need updated service names (#11117)

* Configure envoy_bootstrap_v2.json to use the configured admin port (#11214)

* Configure envoy_bootstrap_v2.json to use the configured admin port

* Also set the prometheus_stats cluster's port

* Fix bootstrap tests that override admin port

* Allow ipv6 local traffic. (#10738)

* Allow specifying multiple egress host entries with same namespace (#11258)

* allow multiple hosts in same namespace in sidecar egress host

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* merge

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nit

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Galley: Include full Pod resource (#11323)

The ServiceEntry transformation requires the Pod status, which is
not included in the PodSpec. We need to pass through the entire
Pod proto, so that it's available for the conversion.

* Delete the obsolete service control adapter. (#11275)

* [DO NOT MERGE] Rollout Status timeout during e2e tests (#10996)

Addresses issue #9685

* Disable shared span context by default (#11281)

* Add logic to kubeenv adapter Close() to clean-up resources (#10839)

* Add logic to kubeenv adapter Close() to clean-up resources

* Add extra logging and robustness to daemon shutdown checking in runtime

* WIP

* Revert "WIP"

This reverts commit 74f22eced391bfbfb54834e7ffdc2505931b60b1.

* Increase unit test coverage

* Address review comments

* Ensure xenial base image present before building proxy_init (#11277)

* Update codecov to use skip file as threshold as well (#11294)

* Fix e2e-simple test flake (#11271)

* Fix e2e-simple test flake

istio-init.yaml was not being applied. At least on bare metal,
this caused e2e-simple to fail nearly 100% of the time in a race
between the kubeapi server applying CRDs and the application of
custom resources in the manifest.

This problem is less pervasive on slower (vm) environments.

* Fix a spelling error complaint from linter

* integrate new MCP stack into galley, pilot, and mixer (#11292)

This PR integrates the new MCP source/sink stack into Galley, Pilot,
and Mixer. The old stack is temporarily retained while we complete
extended scale/perf testing.

* Revert "Fix e2e-simple test flake (#11271)" (#11331)

This reverts commit f993e46d69c2ae4f990eabdfa377034f23c3b807.

* Update README.md (#9501)

* Add response_flags to metrics and logs (#9945)

* Use sdsName from Gateway config as the resource name in sds config (#11239)

* Use sdsName from Gateway config as the resource name in sds config

* Add test

* goimports

* Fix lint

* Fix test

* mixer: pod policy override (#10886)

* implement injection and override

Signed-off-by: Kuat Yessenov <kuat@google.com>

* lint

Signed-off-by: Kuat Yessenov <kuat@google.com>

* review

Signed-off-by: Kuat Yessenov <kuat@google.com>

* mend

* annotation from node metadata

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix a bug

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding --controlPlaneBootstrap pilot-agent flag (#11212)

* Adding --controlPlaneBootstrap pilot-agent flag to explicitly enable
generation of Envoy bootstrap for Istio control plane components. Only
effective when --templateFile is provided as well.

If --templateFile is provided, but --controlPlaneBootstrap=false, then
template file will be passed through regular bootstrap config
processing, replacing default bootstrap config template.

Default flag value is "true" to be backward-compatible with existing
behavior, so that no other changes are required by other components that
rely on pilot-agent for control plane bootstrap config generation.

* Adding TODO to clean up Mixer and Pilot to use standard template

Mixer and Pilot use custom Envoy bootstrap templates, that have special processing in pilot-agent. They should migrate to the standard bootstrap template and special processing should be removed from pilot-agent.

* Fixing formatting errors on pilot/cmd/pilot-agent/main.go

* [Galley] Restructure runtime package to support multiple states. (#11325)

* [Galley] Restructure runtime package to support multiple states.

This is a follow-on to #11162 that moves the runtime state as well as
 its previously package-private dependencies into their
 own packages. This allows new "states" to exist in separate packages
 under runtime.

* addressing comments

* addressing comments

* extend istio-multi rbac rule (#11339)

* Galley file-source was occluding resources with the same name with different types in the same file (#11257)

* Only add localhost IP if no other IP address were found (#11367)

* not make PDB configurable (#11330)

* not allow users to configure pdb

* remove maxUnavailable

* incorporate google CA's merge APIs change in nodeagent  (#11341)

* merge api

* remove extra line

* Revert "Location based Load Balancing (#10720)" (#11371)

This reverts commit 3f0570653f37ecaa5ccb75df0cb9619f84419624.

* Support multiple Citadels running in one cluster. (#11312)

* Support multiple Citadels running.

* Small fix.

* Small fix.

* Small fix.

* consistent autoscaling config among control plane components (#11376)

* consistent autoscaling config among control plane components

* address Yossi comment

* add missing end

* use spec here

* support namespace/host in gateway (#11290)

* assorted cleanups

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Loosen secret type for ingress gateway (#11385)

* set concurrency according to cpu resource limit/request if it is not set (#11311)

* set concurrency according to cpu resource request if it is not set

* address comments

* fix ut

* fix ut

* fix ut

* run dep ensure

* cache proxy service instances to improve performance (#11368)

* cache proxy service instances to improve performance

* address comments & fix ut

* Support gateway agent to read TLS secret set by cert-manager (#11399)

* read tls secret format

* Update test

* fix lint

* fix lint

* fix lint

* update test

* format

* fix lint

* fix lint

* mixer: option for alternative language runtime (#11391)

* split the original PR

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add annotation support

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix simpletest flake in citadel testing (#11360)

* Fix simpletest flake in citadel testing

A PR was merged ~4 weeks ago which introduced built-in
testing of the Helm charts.  The readiness testing in these
Helm chart tests was defective.  This problem was masked by
a silently failing gate.

(cherry picked from commit bf9bc7bada15288cd1e4d0c8fa4b04c39e4379b5)

* Fix a flaky e2e_simpleTests (#11408)

* Add retries and delay trying to test connection to prometheus

* Also retry on connection refused errors

* Workaround due to old version of curl in proxy

(cherry picked from commit 0e937c77b2d037a9216698a7c93037ccb5062dcc)

* Increase integ test deployment timeout (#11423)

* Increase integ test deployment timeout

* Skip flaky/failing TestTcpMetric

* Remove post-install job and (kubectl) apply security policy CRs to k8s directly (#11248) (#11418)

* Remove post-install job and (kubectl) apply security policy CRs to k8s directly

* Fix condition logic

* Exit on fatal logs (#11335)

* Exit on fatal logs

* Do not call Fatalf in the middle of Galley code

* envoy: use any instead of struct (#11419)

* fix tests

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix framework assuming json

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add gates

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Loops ends after first iteration (#11378) (#11383)

* Adding istio-init chart to release (#11443) (#11445)

* fix superfluous condition in pdb. (#11413)

* Set seconds as the value of MaxAge instead of Duration.String (#11447)

* Allow identity domain to be configured in istio: Ensure e2e tests are working with different identity domain (#9226)

* Refactor identity domain handling and adapt unit tests

Co-authored-by: Ulrich Kramer <u.kramer@sap.com>

* Fix goimports error

* set role.TrustDomain in pilot main

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Add end to end test e2e_bookinfo_trustdomain

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Use .Values.global.trustDomain as trustDomain for citadel

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Removed commented out code

Co-authored-by: Jakob Schmid <jakob.schmid@sap.com>

* Remove fallback to domain for trust domain

This became necessary due to #11050, which always set the domain
command line flag for executables. But we didn't expect this flag to
have two different meanings (dns-domain and domain-suffix).

Co-authored-by: Ulrich Kramer <u.kramer@sap.com>

* Tls fix (#11455)

* revert deleted TLS validation logic

* lint fixes

* Make TestDuplicateResourceNamesDifferentTypes have consistent ordering. (#11456)

* Adding support for named components to the test framework (#11440)

Each component can be created with a name and optionally a configuration. This allows multiple echo instances, policy backends, envoy proxies, etcetera to be managed independently. Also adding a standard way to configure components but support for that is in a followup.

* Galley support for MCP Source Client dial out (#11291)

* Auth plugin to be used for Galley callout.

* Lint

* Add unit tests.

* Mock Google credentials

* Galley callout code.

* Review comments, fix client_source test.

* Lint

* Switch callout.go to use patch table for test vars.

* Rename callout cli args.

* Increase coverage

* newcallout args, syncWG change.

* Fatal->Error

* Review comments

* Review comments.

* Update metadata model. (#11477)

This is split out from #11293

Supporting work for #10497 and #10589

* [pilot] Export virtual service and destination rule metadata (#11384)

* [pilot] Export virtual service and destination rule metadata

* fixup bad rebase

* restore lost test

* Small fixes

* use URL for rule uid and config as key

* goimports

* update unit tests to match code changes in previous commit

* goimports, redux

* Randomize Galley ports for integration testing (#11285)

* Randomize Galley port for code-coverage runs.

* Remove runaway empty test.

* Update istio-proxy for source.uid fix (#11428)

* Update gateway_test.go to check for overrides

* update to include new proxy

* linter fix

* update client tests for whitelisted attributes

* use source fixed build

* disable TestSecretCreationKubernetes (#11479)

* Fix e2e-simple test flake (#11356) (#11481)

istio-init.yaml was not being applied. At least on bare metal,
this caused e2e-simple to fail nearly 100% of the time in a race
between the kubeapi server applying CRDs and the application of
custom resources in the manifest.

This problem is less pervasive on slower (vm) environments.
(cherry picked from commit 1caa6cedcc7b0526f94bf3f9d3941df65ae4956f)

* Enhance MCP index function to support multiple groups (#11478)

This is split out from #11293

In #11293 we modify the index function to return a different group when choosing the synthetic ServiceEntry collection.

Support for #10497 and #10589

* Zipkin adapter supporting the tracespan template (#11282) (#11483)

* Zipkin adapter supporting the tracespan template (#11282)

* Zipkin adapter supporting the tracespan template

* Refactored generic OpenCensus trace support into a helper package
* Use this to implement Zipkin support using OpenCensus Zipkin exporter

* regenerate template.

* lint. move crd.

* dep ensure.

* new line.

* add zipkin to galley.

* dep ensure

* Default exports, and config root namespace (#11387)

* default exportTo flags

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* format

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nit

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* compile fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* helm stuff

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* istio-config namespace and default sidecar scope

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* spell fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* reorder initialization steps

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* test compile fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* helm tweaks

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* missing helm file

* allow ~ in sidecar imports

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* bad copy paste

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* test fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo framework change

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Revert "bad copy paste"

This reverts commit 934b54a922dd0a6102016901b77badba7774090f.

* Revert "missing helm file"

This reverts commit 992685db5e1fe3f68a484f01dac21f44c66acc8e.

* Revert "helm tweaks"

This reverts commit 5b78b920d18379253ea7c8ae37fd0c0611180c75.

* redos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lists

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* quotes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* tests

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Fixing race condition in Galley Server.Close() (#11484)

The issue was introduced by #11285

It causes a race with the startup of the gRPC server, which leads to a segfault.  From prow logs:

```
=== RUN TestServer_Basic
2019-02-01T20:33:05.867746Z	info	ControlZ available at 10.44.58.28:9876
2019-02-01T20:33:05.867968Z	info ControlZ terminated
2019-02-01T20:33:05.867987Z	info	runtime Stopping processor...
2019-02-01T20:33:05.868000Z	warn	runtime Processor has already stopped
2019-02-01T20:33:05.867798Z	info runtime	Starting processor...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x9e4bc8]
goroutine 148 [running]:
istio.io/istio/vendor/google.golang.org/grpc.(*Server).Serve(0xc42046d080, 0x0, 0x0, 0x0, 0x0)
	/home/prow/go/src/istio.io/istio/vendor/google.golang.org/grpc/server.go:522 +0x748
istio.io/istio/galley/pkg/server.(*Server).Run.func1(0xc4202d9490)
	/home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:242 +0xfb
created by istio.io/istio/galley/pkg/server.(*Server).Run
	/home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:233 +0x5c
FAIL	istio.io/istio/galley/pkg/server 0.383s
```

* add labels to services and deployments (#11503)

* Quote accessLogFormat in configmap template in helm chart (#11449) (#11490)

* Make custom gateway work (#11320)

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* Add missing values global object and template (#11500)

* Envoy Graceful Shutdown (#11485)

* Add Draining bootstrap to Proxies

Signed-off-by: Liam White <liam@tetrate.io>

* Drain open connections

Signed-off-by: Liam White <liam@tetrate.io>

* typo and makefile fix for drain config

Signed-off-by: Liam White <liam@tetrate.io>

* Add proxy agent tests for draining

Signed-off-by: Liam White <liam@tetrate.io>

* appease our golangcibot overlord

Signed-off-by: Liam White <liam@tetrate.io>

* Windows Go doesn't have syscall.Kill

Signed-off-by: Liam White <liam@tetrate.io>

* Skip spybackend test when in racetest (#11497) (#11506)

* Workaround to make racetest skip this test due to low memory

* Lint

* Add mixer status to access log (#11471)

* Add mixer status to access log

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* review

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fixing default exports (#11507)

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Fix 10971 p1 injector (#11512)

* Fix global DNS resolution in sidecar injector

The dnsConfig key was not honored by the sidecar injector.  This PR
ensures the dnsConfig key is honored by the sidecar injector.  This
enables the injected application to resolve DNS, but does not solve
routing via RDS.  Routing via RDS needs a followup PR.

* Fix syntax error in sidecar injector template

* HTTP probe rewrite for webhook part. (#10470)

* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merging failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 18:13:30 2019 -0800

    renaming env var.

commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 17:59:25 2019 -0800

    finish migrating test to yaml file based.

commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:55:00 2019 -0800

    get test working.

commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:49:58 2019 -0800

    WIP add some test files.

commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:13:06 2019 -0800

    WIP changing to using the environment var.

commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:52:47 2019 -0800

    add todo for the tests.

commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277d7 4b7b13aef
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:47:17 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit ca22277d76ed8d1c1b7c3b44cb05edfe52ccf861
Merge: 98fd48f59 744b07ad2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:34 2019 -0800

    Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip

commit 98fd48f59f748bafe5e8518bff3d8cbfd64a2135
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:00 2019 -0800

    findsidecar.

commit 744b07ad2406d1eb94bcf5492125f91486ad6b10
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 22:29:28 2019 -0800

    add FindSidecar.

commit 40ed002ff6f5dd4afe22afa984384addc1be1104
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 21:55:51 2019 -0800

    refactor some code.

commit 0fdbb2e832b7ac01f3e4ed185763b3b20bfbd2ac
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 18:19:32 2019 -0800

    Integration test works and fixing a bug.

commit 5085dfd0e6cb4f0c9cb5c25e7f24b0b94dec176a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 16:09:13 2019 -0800

    all inject tests pass.

commit fe3f156316c917854c2ef4c163e7e1fb070c4fa5
Merge: a2a774498 010d5c266
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:22:18 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit a2a774498e1021c1ca01c021c071e225fa330407
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:16:04 2019 -0800

    update the TestWebhookInject.

commit 36fd45c074bcc787702a5a9257d23103521f525c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 12:13:21 2019 -0800

    some document

commit 88dc922719e2c4723a334d1d8d959cac361b1ecb
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 11:43:44 2019 -0800

    new version works for kubeinject, webhook unit test.

commit 6efa0d64eca835dd860cdfc37d09ebfe110e083a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 18:17:38 2019 -0800

    WIP working on modifying sidecar.Args first, then modify app container patch.

commit 65a2194ae7a93581f60b56998aeb9480b4a4fde5
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 15:20:36 2019 -0800

    WIP add what's missing to get e2e test working.

commit 1595e871c640cdabead372eada2b17d717fa707f
Merge: 256d9635f ac78a552a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 13:26:05 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 256d9635f4d590936c473bf3be0299064cb9c716
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 12:14:04 2019 -0800

    add some debugging log.

commit f70096334464fd1d59a0e81997e8f0fd6623a564
Merge: bdce72119 c7eb603ee
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 10:57:43 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit bdce72119ef78dab40b750861768c332811b9ee2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 18:04:37 2019 -0800

    refactor to host something up to caller.

commit b51763c21000ba2b7fe9e2bc728783ce530cfe87
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 16:31:32 2019 -0800

    get everything works.

commit 0815695a2fea828f06a31f14ed7795a3b3716111
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:48:27 2019 -0800

    kubeinject test is working.

commit 14c99b58f0212972d42e298fa4185275642d672c
Merge: d626bb85d 5ea79622c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:30 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit d626bb85dee628771f8f41fc90335ac608dea923
Merge: 3561ae0a6 66153da4d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:23 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3561ae0a69350730834e625c0710394968f9fcde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:49:44 2019 -0800

    WIP, policy is not taking effect, test passing without rewrite.

commit a9bef0f01964a14f6ace0da6217d7a36f364b661
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:31:08 2019 -0800

    fix the json path in the patch.

commit f1aee91189e16beb0dadee6c612464b1aa9bad21
Merge: 3a7eb48e6 abc53e120
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 14:03:49 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3a7eb48e6b8e4687ffc38973bf18fca11b06c957
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 13:57:55 2019 -0800

    fix it, removing namespace since metadata not matching will fail for kubeapply

commit 2b120347ae887b8a4aa5f955a1a8cb0bdd46d3da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 11:58:39 2019 -0800

    WIP, debugging why mtls policy is not showing up.

commit 72e9c4e488f875ffea0c3a279403277010160ee1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:24:16 2019 -0800

    working on integration2 test framework.

commit 90c1cce9ddc55ce339aa65eac06602591d3113c9
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:04:38 2019 -0800

    add small comments.

commit 92a0edaa11734d1c6fb1c367fae56dc104c6e676
Merge: 7f5c8cbd8 e45242c0d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 16:43:47 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 7f5c8cbd8d4aa57eaf8f8d739cae6dbfdab0445d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:37:53 2018 -0800

    check rewriteAppProbe separately.

commit e2707c9b8f1b01bd4b03b2c6adb9fc79f0dcb479
Merge: 20f02c045 1ae6b4fde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:01:37 2018 -0800

    Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject

commit 20f02c04563fab9b81b418c00a5455994fda5148
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:59:57 2018 -0800

    duplicate the rewrite logic.

commit 4894cb16804d9c5a0406c2dc1b02e3395be08e64
Merge: 3b3bcbff8 d8c4579fa
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:53:44 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 1ae6b4fde00ae641637d44c0f417f635b6d9a6b1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Dec 17 21:56:51 2018 -0800

    address comments.

commit 3b3bcbff86f982c8abc705518a0fd4ec37bf4840
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:24:33 2018 -0800

    massage comments.

commit ccd670d31ef2c1817f87fe932d6f0d2ed4f609d7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:15:50 2018 -0800

    helm flag is off, so change the expected output.

commit 43522c15d06054e4bb173ab2c37333a4de647c2d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:09:46 2018 -0800

    make webhook support rewriteAppHTTPProbe flag.

commit f60f18f4144482874c1219c7da90e97f19f1172f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 12:03:04 2018 -0800

    fixing the merge typo.

commit 05bbadfd851b3a5ad013e733d6eb5eacf5491b15
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:56:38 2018 -0800

    remove unnecessary changes in test for debugging.

commit a81eacb6892509d8938be8d64f1435cf64e22317
Merge: af1a67989 f6b0ddc30
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:53:07 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit af1a6798988f9fe70e40add2a6d4971efa9b50ed
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 18:07:19 2018 -0800

    fixing all the test.

commit 58d0bef3520037a81db8baa34d6e13849d20af10
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:51:34 2018 -0800

    Get TestInject happy.

commit fcd0ae2f7a6ba2f067f460f4baad2194e517b7f1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:49:42 2018 -0800

    make TestHelmInject happy.

commit 7a3ffc8d8e4b5509e1bbed2facc6e4ba14d70fa0
Merge: fcca1f89a bd1631be3
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:53:01 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit fcca1f89af2fddfc0edb3824982aa0b81390fa6d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:18:20 2018 -0800

    get webhook_test.TestInject working.

commit 06f517cfc4214994be1be848d40b12f09ba8a4b8
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:10:55 2018 -0800

    restructure app_probe_test working for both.

commit 7142e96ed8a3200fc91bc73aee86d471117232fc
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 13:19:41 2018 -0800

    starting to work on serious test

commit a3dfb97b4ec4de375984c2a17eb4374bc1c5046a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:50:19 2018 -0800

    prototyping get familiar with the test.

commit 51659dacbc569f4532dc6a37b2091f39c7cf115b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:05:51 2018 -0800

    wip for adding test.

* resolve appprobetest.

* update the golden due to another injector change.

* remove unnecessary files in this pr.

* remove the test framework change.

* remove unnecessary testdata file.

* DeepCopy used.

* fix lint.

* Add longer timeouts for Galley tests. (#11517)

Addresses #11464

* Locality based load balancing for strict dns clusters (#11381)

* rework locality based load balancing

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* simplify

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* bad merge

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint again

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Update pilot/pkg/networking/core/v1alpha3/cluster.go

Co-Authored-By: rshriram <rshriram@users.noreply.github.com>

* move load balancer setting to a separate pkg

* should also apply applyLocalityLBSetting for non-cached outbound clusters

* set cluster locality_weighted_lb_config

* fix ci

* enable LocalityWeightedLbConfig only when cluster has outlier detection

* address comments

* Correct Citadel server log. (#11361)

* Correct Citadel server log.

* Small fix.

* Remove sidecar injection in istio-init jobs (#11317)

This PR aims to solve a problem where the injector is running
but a new job is added in an upgrade scenario.  In this condition
the job is injected, which can result in errors contacting the
injector.

* Only require go.opencensus.io on Linux (#11327)

* Only require go.opencensus.io on Linux

* Ran fmt.sh and goimports against
the stats_linux.go file.

Signed-off-by: Jason Clark <jason.clark.oss@gmail.com>

* Remove the istio-remote chart and make it an istio chart values (#11307)

* Remove the istio-remote chart and make it an istio chart values

* By default tracing should be disabled in remote as it's unsupported

* Fixing the path to values file in e2e MC test

* Fixing istio-pilot-multicluster-e2e.sh

* Correction for previous commit

* Better way to remove MeshPolicy on remote yaml

* Newline

* Newline

* Remove redundant and

* Fix for flakes in TestSource_MangledNames (#11538)

The source of the panic appeared to be access to the labels, which were not being explicitly set on the Unstructured object. This PR sets them directly, so that should no longer be an issue.

Fixes #11532

* Use istio namespace for global destination rule to avoid overwriting mixer policy (#11546)

* Change default monitoring port (#11421)

* Change default monitoring port

Update the default monitoring port from 9093 to 15014.

* Fix test cases

* Hardcode the monitoringPort in istio-remote

* Use credentialName to specify credential resource name and support mTLS for external cert management at ingress gateway. (#11496)

* use CredentialName for SIMPLE

* cvc

* rootca

* update test.

* update test

* fix format

* update gateway config

* fix test

* fix lint

* fix test

* add comments.

* add nolint

* update cvc

* update

* update

* update

* update

* update

* update

* format

* dep ensure --update istio.io/api

* Revise per comments

* Revise

* lint

* Add MCP stress test suite (#11465)

* add -labels option to mcpc for testing and debug

* fix typo in source CollectionOptions name

* increase queue test coverage to 100%

* add more tests for incremental mcp option (still off by default)

* add mcp stress test suite

* fix unit tests

* review comments and add README.md

* run goimports

* fix some wording

* fix bad merge

* formatting

* rebase stress test on latest snapshot group changes

* math.Rand is not safe for concurrent use

* address review comments

* add missing file

* plumb through serverIncSupported

* rename test file

* changing the default limits for init proxy (#11540)

* Add readiness check for Ingress Gateway (#3063) (#11001) (#11548)

Enabling the same readiness probe for Ingress Gateway that is being
used for sidecars.

* istioctl proxy-status should only exec into running pilot pods (#11539)

istioctl proxy-status uses kubectl exec on pilot pods to extract debug
and diagnostic information. Use
`--field-selector=status.phase=Running` to only exec into pods that
are actually running.

fixes https://github.com/istio/istio/issues/11488

* increase control plane component replicas during upgrade test (#11389)

* add multiple control plane component

* remove space

* Allow specifying the path for SDS k8s token (#11460)

* Allow specifying SDS token path

* Change the default value to empty string

* Rephrase the comment for sds token path

* Address review comments

* Change to use node metadata to pass SDS token path

* Address review comments (e.g., remove static variable)

* Use SDS token path if it is set

* remove chart.version label in pod template. (#11302)

* remove deprecated 'refreshInterval' option in chart. (#11412)

* remove deprecated option in chart.

* fix CI issue.

* Disable agent TestFull test. (#11562)

* remove istio cni subchart tar from source. (#11230)

* Moved subcharts into the istio chart (#11558)

* Moved subcharts into istio charts

* Removed helm dep update calls

* Removed also programmatic helmDepUpdate calls

* Removing helm package call not necessary anymore

* Fix non-Linux builds. (#11580)

* add debug logs to print cert chain (#11575)

* revert #11558 Moved subcharts into the istio chart (#11597)

* add multiple control plane component

* remove space

* Revert "Moved subcharts into the istio chart (#11558)"

This reverts commit a5f9e9bb30eb4240ee0b00893796126b5b434c5d.

* add missing attribute declarations (#11595)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix a few doc issues. (#11596)

* Update istio/api to #3094619 release 1.1 subject_alt_names in Service… (#11541)

* Update istio/api to #3094619 release 1.1 subject_alt_names in ServiceEntry

* Comment out sdsName

* Linter fix

* more linter fixes

* Comment out SDS test

* run bin/fmt.sh

* Skip gateway sds test completely

* Use issue # in t.Skip()

* revert sds changes

* Fix racetest in SDS service (#11615)

* Set the serviceCluster namespace based on env var, to also support specifying namespace on cli after kubeinject (#11587)

* Make image pull policy configurable in Makefile (#10269)

* Adds missing 1.1 attribute data to testdata for integration tests (#11313)

The request.url_path and request.query_params attributes have been added as of istio 1.1
These are required in the testdata attributes manifest in order for them to be useable in the integration test framework.

* Doc fixes. (#11619)

* [mixer:stackdriver] Initial changes to support dst svc edges in graph (#11426)

* Initial changes to support dst svc edges

* Add istio service to k8s service member relation

* Refactor of edge logic and add test

* Add <workload, service> relations

* Fix routing when DNS is resolved (#11522)

The DNSDomain variable needs to be enhanced to include more
than one DNS entry.  Change DNSDomain to DNSDomains as a meta
and add the dnsConfig in the meta.  As now DNSDomain is a slice
of strings instead of a string, the variable needs consolidation.

* adjust galley dashboard time range (#11627)

* Add update permissions to deployments/finalizers for galley clusterrole (#11586) (#11631)

(cherry picked from commit f9b6866731aabe056c699b608a8e93eb850d13c0)

* [release-1.1] Update fluentd adapter to be more robust (#11623)

* Update fluentd adapter to be more robust

* Minor touchup of bad merge

* Lint fixes

* Fix kubernetesenv workload attributes for multicluster with one control plane (#11581)

* remove myself from pilot OWNERS (#11632)

* remove me (#11636)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add debug logs for citadel authenticate fail (#11633)

* move apply plugin below buildscript (#11625)

The Cloud Foundry open source licensing scanner has a plugin that
identifies dependencies from gradle scripts, but it requires the
buildscript and plugins block be before anything else in the file.
This change does not affect the build, but makes our lives a smidge
easier.

Co-authored-by: Teal Stannard <tstannard@pivotal.io>

* check key.pem (#11599)

* Sample ServiceEntries for apt-get, pip, and git tools showing how to grant access to mesh. (#11508)

* Samples for accessing apt-get repo, Github, and pip repo

* A Readme explaining the samples

* Link to future doc on default external comm capability

* Incorporate documentation feedback from venilnoronha

* Add support for metadata constraints in RBAC (#11459)

* Add support for metadata constraints in RBAC

This adds support for mapping RBAC constraints with keys in the a[b]
format to Envoy's filter metadata matcher.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Use SplitN instead of Split for completeness

This updates the metadata matcher definition to use strings.SplitN
instead of strings.Split in order to capture the whole binary key in two
parts.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Accommodate [list] and plain value type constraints

This adds logic to accommodate filter metadata matching over both [list]
and value type constraints.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Add extra experimental. prefix test for matching

This adds an extra experimental. prefix test while creating metadata
matchers based on Envoy filters.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Update comments

This updates code comments.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* add POST to ratings service to demonstrate security policies on HTTP Methods (#10778)

* add POST to ratings service

* put a space between if and opening parenthesis

* add comments

* remove extra line-break

* Enable remote clusters to check/report to local Mixer (#11585)

* Print error message if istio-sidecar-injector invalid, allow toJson as synonym for toJSON (#11570)

* Fix racetest in fluentd test (#11647)

* Bump the number of connections that can be reused in Citadel (#11641)

* Bump the number of connections that can be reused in Citadel

* A small fix

* First cut of xDS API structural testing using the new integration tests (#11406)

* Fixes for k8s ingress (#11343)

* Fix ingress in pilot, writeback and multiple namespaces

* Fix tests, format

* Fix test - the generated service should be left in the namespace of ingress

* Additional test fixes, match the new 1.1 semantics

* Again make fmt and lint not matching

* Break up the helloworld sample into versions (#11650)

* Break up the helloworld sample into versions

* Moved to default namespace

* Separated gateway file and added labels

* Update the doc

* Cleanup section updated too

* Fix build break due to https://github.com/istio/istio/pull/11406. (#11677)

https://k8s-gubernator.appspot.com/build/istio-prow/pr-logs/pull/istio_istio/11645/istio-integ-local-tests/5215

* make stackdriver e2e test cluster wide (#11674)

* Add handling for independent encoding in Report batches to Mixer (#11640)

* Add handling for independent encoding in Report batches to Mixer

* fix lll

* Address review

* protect protobag done

* exit circleci test early if setup fails (#11572)

* wip: exit circleci test early if setup fails

Many of the circleci tests will attempt to run the e2e/integration
tests even after the test setup fails. This leads to misleading test
failures that suggest the problem is with the feature test and not the
test setup itself.

Example test runs where the setup failed and the test was run but
immediately errored out because a dependency was missing:

https://circleci.com/gh/istio/istio/316588
https://circleci.com/gh/istio/istio/317262
https://circleci.com/gh/istio/istio/318281
https://circleci.com/gh/istio/istio/316031
https://circleci.com/gh/istio/istio/315952
https://circleci.com/gh/istio/istio/315871
https://circleci.com/gh/istio/istio/315813

ref: https://circleci.com/docs/2.0/configuration-reference/#the-when-attribute
```
By default, CircleCI will execute job steps one at a time, in the
order that they are defined in config.yml, until a step fails (returns
a non-zero exit code). After a command fails, no further job steps
will be executed.

Adding the when attribute to a job step allows you to override this
default behaviour, and selectively run or skip steps depending on the
status of the job.

The default value of on_success means that the step will run only if
all of the previous steps have been successful (returned exit code 0).

A value of always means that the step will run regardless of the exit
status of previous steps. This is useful if you have a task that you
want to run regardless of whether the previous steps are successful or
not. For example, you might have a job step that needs to upload logs
or code-coverage data somewhere.
```

* re-add `when: always` to codecov job

* Implementation of isolation for EDS (#11672)

* Implementation of isolation for EDS

* Provide nil proxy for older calls

* Always call loadAssignmentsForClusterIsolated

* Revert "Always call loadAssignmentsForClusterIsolated"

This reverts commit db2c99778edb69a9522320a2271ec8b965bad450.

* Env variable to disable

* Lint

* Environment Variable controlled Graceful Termination with low defaults. (#11630)

* Feature flag graceful shutdown

Turn graceful shutdown off by default for 1.1 with a feature flag that allows users to opt-in.

Signed-off-by: Liam White <liam@tetrate.io>

* Address pr comments

Signed-off-by: Liam White <liam@tetrate.io>

* Clean up missed feature flag var

Signed-off-by: Liam White <liam@tetrate.io>

* Add turn off test case, todo comments and fix agent tests

Signed-off-by: Liam White <liam@tetrate.io>

* fix lint

Signed-off-by: Liam White <liam@tetrate.io>

* PR review comments

Signed-off-by: Liam White <liam@tetrate.io>

* Move TerminationDuration function and tests to Pilot features

Signed-off-by: Liam White <liam@tetrate.io>

* Update Proxy SHA to latest (release-1.1). (#11687)

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

* Add empty check for proxy's locality (#11681)

Make sure empty proxy locality will fall back to using proxy service's instance locality.

* Increase sleep value to account for Galley default aggregation of 1 sec with MCP (#11685)

* cache ServiceAccounts and remove it from Environment (#11442)

* cache ServiceAccounts and remove it from Environment

* use allServices var

* fix ut

* Adding Envoy bootstrap template for a custom Pilot implementation. (#11395)

* Adding Envoy bootstrap template for a custom Pilot implementation.

New template connects to Pilot using Google gRPC Envoy client, which
allows to perform authz by passing additional credentials. Placed into
install/gcp due to being GCP installation specific.

To enable this template, introducing {{ .discovery_address }} variable,
which passes --discoveryAddress flag value "as is", without splitting it into
address/port_value parts as currently done for the {{ .pilot_grpc_address }} variable.

* Removing static interception listener from gcp_envoy_bootstrap.json
as it is generated by the Pilot.

* Update bookinfo images, fix the script to bump bookinfo versions (#11701)

* add wildcard to digits in the sed regex, for setting version

* bump a minor version

* Add cli option to Galley to allow metadata on outgoing sink connections. (#11602)

* Add cli option to Galley to allow metadata on outgoing sink connections.

For use with sinkAddress, outgoing connections to MCP sink servers
will have gRPC stream metadata attached as defined by sinkMeta.

* Update sinkMeta to use key=value.

* Review comments.

* Error message if istioctl version doesn't match data plane version (#11592)

* Additional error text if istioctl version doesn't match data plane version

* Fix typo

* Revise wording of error msg

* Allow Envoy listener stats to be turned off/on with a pod annotation (#11398)

* If sidecar.istio.io/statsPatterns supplied, customize Envoy stats collection

* Versionize annotation tag

* Change annotation to sidecar.istio.io/v1alpha1/statsInclusionPrefixes per Doug Reid

* pin goimports in make fmt (#11645)

* fix fmt

Signed-off-by: Kuat Yessenov <kuat@google.com>

* trying to run docker in circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* trying to run docker in circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* circling

Signed-off-by: Kuat Yessenov <kuat@google.com>

* circling

Signed-off-by: Kuat Yessenov <kuat@google.com>

* just dont use circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add comment

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding namespace declaration in Grafana PersistentVolumeClaim (#11314)

When using the Helm chart with a user specific namespace and Grafana persistency
enabled, the generated PersistentVolumeClaim for Grafana was missing a namespace,
leading to the Grafana pod being stuck in the Pending state.

* Fix the periodic builds, add a non-mcp to presubmit (#11703)

* Update api sha (#11709)

* issue #11244 - demo should install a default secret for kiali so out-of-box experience is nicer for users kicking the tires (#11272) (#11715)

(cherry picked from commit 1ad4e29576da6c722dcf19fc5df703beede92a4d)

* [WIP] Fix sync issue with policy enablement and check enablement (#11707)

* Fix sync issue with policy enablement and check enablement

* Remove outdated comment

* Fix deps and broken merge for mixer test

* Fix overly restrictive golang version match

* Fix integration test framework merge issues

* Fix line length lint issue

* handle multiple streams in nodeagent  (#11738)

* service change

* unit test

* debug log

* lint

* remove annoying log

* Add duration time to stale EDS (#11568)

* Revert "Merge release-1.1 to master (#11722)" (#11761)

This reverts commit 727e719b56362060924cd75bef6ed731cc41b272.

* Rename node agent in README.md (#11751)

* Tests for drain duration function (#11691)

* Tests for drain duration function

Signed-off-by: Liam White <liam@tetrate.io>

* Licenses...

Signed-off-by: Liam White <liam@tetrate.io>

* typo

Signed-off-by: Liam White <liam@tetrate.io>

* Ability to override SAN from destination rule for ISTIO_MUTUAL (#11747)

* Add ability to override SAN from destination rule for ISTIO_MUTUAL

Fixes issue https://github.com/istio/istio/issues/11737

* Reformat code.

* Incremental EDS only need updated service names (#11117)

* Configure envoy_bootstrap_v2.json to use the configured admin port (#11214)

* Configure envoy_bootstrap_v2.json to use the configured admin port

* Also set the prometheus_stats cluster's port

* Fix bootstrap tests that override admin port

* Allow ipv6 local traffic. (#10738)

* Allow specifying multiple egress host entries with same namespace (#11258)

* allow multiple hosts in same namespace in sidecar egress host

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* merge

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nit

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Galley: Include full Pod resource (#11323)

The ServiceEntry transformation requires the Pod status, which is
not included in the PodSpec. We need to pass through the entire
Pod proto, so that it's available for the conversion.

* Delete the obsolete service control adapter. (#11275)

* [DO NOT MERGE] Rollout Status timeout during e2e tests (#10996)

Addresses issue #9685

* Disable shared span context by default (#11281)

* Add logic to kubeenv adapter Close() to clean-up resources (#10839)

* Add logic to kubeenv adapter Close() to clean-up resources

* Add extra logging and robustness to daemon shutdown checking in runtime

* WIP

* Revert "WIP"

This reverts commit 74f22eced391bfbfb54834e7ffdc2505931b60b1.

* Increase unit test coverage

* Address review comments

* Ensure xenial base image present before building proxy_init (#11277)

* Update codecov to use skip file as threshold as well (#11294)

* Fix e2e-simple test flake (#11271)

* Fix e2e-simple test flake

istio-init.yaml was not being applied. At least on bare metal,
this caused e2e-simple to fail nearly 100% of the time in a race
between the kubeapi server applying CRDs and the application of
custom resources in the manifest.

This problem is less pervasive on slower (vm) environments.

* Fix a spelling error complaint from linter

* integrate new MCP stack into galley, pilot, and mixer (#11292)

This PR integrates the new MCP source/sink stack into Galley, Pilot,
and Mixer. The old stack is temporarily retained while we complete
extended scale/perf testing.

* Revert "Fix e2e-simple test flake (#11271)" (#11331)

This reverts commit f993e46d69c2ae4f990eabdfa377034f23c3b807.

* Update README.md (#9501)

* Add response_flags to metrics and logs (#9945)

* Use sdsName from Gateway config as the resource name in sds config (#11239)

* Use sdsName from Gateway config as the resource name in sds config

* Add test

* goimports

* Fix lint

* Fix test

* mixer: pod policy override (#10886)

* implement injection and override

Signed-off-by: Kuat Yessenov <kuat@google.com>

* lint

Signed-off-by: Kuat Yessenov <kuat@google.com>

* review

Signed-off-by: Kuat Yessenov <kuat@google.com>

* mend

* annotation from node metadata

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix a bug

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding --controlPlaneBootstrap pilot-agent flag (#11212)

* Adding --controlPlaneBootstrap pilot-agent flag to explicitly enable
generation of Envoy bootstrap for Istio control plane components. Only
effective when --templateFile is provided as well.

If --templateFile is provided, but --controlPlaneBootstrap=false, then
template file will be passed through regular bootstrap config
processing, replacing default bootstrap config template.

Default flag value is "true" to be backward-compatible with existing
behavior, so that no other changes are required by other components that
rely on pilot-agent for control plane bootstrap config generation.

* Adding TODO to clean up Mixer and Pilot to use standard template

Mixer and Pilot use custom Envoy bootstrap templates, that have special processing in pilot-agent. They should migrate to the standard bootstrap template and special processing should be removed from pilot-agent.

* Fixing formatting errors on pilot/cmd/pilot-agent/main.go

* [Galley] Restructure runtime package to support multiple states. (#11325)

* [Galley] Restructure runtime package to support multiple states.

This is a follow-on to #11162 that moves the runtime state as well as
 its previously package-private dependencies into their
 own packages. This allows new "states" to exist in separate packages
 under runtime.

* addressing comments

* addressing comments

* extend istio-multi rbac rule (#11339)

* Galley file-source was occluding resources with the same name with different types in the same file (#11257)

* not make PDB configurable (#11330)

* not allow users to configure pdb

* remove maxUnavailable

* incorporate google CA's merge APIs change in nodeagent  (#11341)

* merge api

* remove extra line

* Revert "Location based Load Balancing (#10720)" (#11371)

This reverts commit 3f0570653f37ecaa5ccb75df0cb9619f84419624.

* Support multiple Citadels running in one cluster. (#11312)

* Support multiple Citadels running.

* Small fix.

* Small fix.

* Small fix.

* consistent autoscaling config among control plane components (#11376)

* consistent autoscaling config among control plane components

* address Yossi comment

* add missing end

* use spec here

* support namespace/host in gateway (#11290)

* assorted cleanups

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Loosen secret type for ingress gateway (#11385)

* set concurrency according to cpu resource limit/request if it is not set (#11311)

* set concurrency according to cpu resource request if it is not set

* address comments

* fix ut

* fix ut

* fix ut

* run dep ensure

* cache proxy service instances to improve performance (#11368)

* cache proxy service instances to improve performance

* address comments & fix ut

* Support gateway agent to read TLS secret set by cert-manager (#11399)

* read tls secret format

* Update test

* fix lint

* fix lint

* fix lint

* update test

* format

* fix lint

* fix lint

* mixer: option for alternative language runtime (#11391)

* split the original PR

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add annotation support

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Exit on fatal logs (#11335)

* Exit on fatal logs

* Do not call Fatalf in the middle of Galley code

* envoy: use any instead of struct (#11419)

* fix tests

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix framework assuming json

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add gates

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix superfluous condition in pdb. (#11413)

* Allow identity domain to be configured in istio: Ensure e2e tests are working with different identity domain (#9226)

* Refactor identity domain handling and adapt unit tests

Co-authored-by: Ulrich Kramer <u.kramer@sap.com>

* Fix goimports error

*  set role.TrustDomain in pilot main

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Add end to end test e2e_bookinfo_trustdomain

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Use .Values.global.trustDomain as trustDomain for citadel

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Removed commented out code

Co-authored-by: Jakob Schmid <jakob.schmid@sap.com>

* Remove fallback to domain for trust domain

This became necessary due to #11050, which always set the domain
command line flag for executables. But we didn't expect this flag to
have two different meanings (dns-domain and domain-suffix).

Co-authored-by: Ulrich Kramer <u.kramer@sap.com>

* Make TestDuplicateResourceNamesDifferentTypes have consistent ordering. (#11456)

* Adding support for named components to the test framework (#11440)

Each component can be created with a name and optionally a configuration. This allows multiple echo instances, policy backends, envoy proxies, etcetera to be managed independently. Also adding a standard way to configure components but support for that is in a followup.

* Galley support for MCP Source Client dial out (#11291)

* Auth plugin to be used for Galley callout.

* Lint

* Add unit tests.

* Mock Google credentials

* Galley callout code.

* Review comments, fix client_source test.

* Lint

* Switch callout.go to use patch table for test vars.

* Rename callout cli args.

* Increase coverage

* newcallout args, syncWG change.

* Fatal->Error

* Review comments

* Review comments.

* Update metadata model. (#11477)

This is split out from #11293

Supporting work for #10497 and #10589

* [pilot] Export virtual service and destination rule metadata (#11384)

* [pilot] Export virtual service and destination rule metadata

* fixup bad rebase

* restore lost test

* Small fixes

* use URL for rule uid and config as key

* goimports

* update unit tests to match code changes in previous commit

* goimports, redux

* Randomize Galley ports for integration testing (#11285)

* Randomize Galley port for code-coverage runs.

* Remove runaway empty test.

* Update istio-proxy for source.uid fix (#11428)

* Update gateway_test.go to check for overrides

* update to include new proxy

* linter fix

* update client tests for whitelisted attributes

* use source fixed build

* disable TestSecretCreationKubernetes (#11479)

* Fix e2e-simple test flake (#11356) (#11481)

istio-init.yaml was not being applied. At least on bare metal,
this caused e2e-simple to fail nearly 100% of the time in a race
between the kubeapi server applying CRDs and the application of
custom resources in the manifest.

This problem is less pervasive on slower (vm) environments.
(cherry picked from commit 1caa6cedcc7b0526f94bf3f9d3941df65ae4956f)

* Enhance MCP index function to support multiple groups (#11478)

This is split out from #11293

In #11293 we modify the index function to return a different group when choosing the synthetic ServiceEntry collection.

Support for #10497 and #10589

* Zipkin adapter supporting the tracespan template (#11282) (#11483)

* Zipkin adapter supporting the tracespan template (#11282)

* Zipkin adapter supporting the tracespan template

* Refactored generic OpenCensus trace support into a helper package
* Use this to implement Zipkin support using OpenCensus Zipkin exporter

* regenerate template.

* lint. move crd.

* dep ensure.

* new line.

* add zipkin to galley.

* dep ensure

* Default exports, and config root namespace (#11387)

* default exportTo flags

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* format

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nit

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* compile fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* helm stuff

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* istio-config namespace and default sidecar scope

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* spell fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* reorder initialization steps

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* test compile fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* helm tweaks

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* missing helm file

* allow ~ in sidecar imports

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* bad copy paste

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* test fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo framework change

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Revert "bad copy paste"

This reverts commit 934b54a922dd0a6102016901b77badba7774090f.

* Revert "missing helm file"

This reverts commit 992685db5e1fe3f68a484f01dac21f44c66acc8e.

* Revert "helm tweaks"

This reverts commit 5b78b920d18379253ea7c8ae37fd0c0611180c75.

* redos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lists

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* quotes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* tests

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Fixing race condition in Galley Server.Close() (#11484)

The issue was introduced by #11285

It causes a race with the startup of the gRPC server, which leads to a segfault.  From prow logs:

```
=== RUN TestServer_Basic
2019-02-01T20:33:05.867746Z	info	ControlZ available at 10.44.58.28:9876
2019-02-01T20:33:05.867968Z	info ControlZ terminated
2019-02-01T20:33:05.867987Z	info	runtime Stopping processor...
2019-02-01T20:33:05.868000Z	warn	runtime Processor has already stopped
2019-02-01T20:33:05.867798Z	info runtime	Starting processor...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x9e4bc8]

goroutine 148 [running]:
istio.io/istio/vendor/google.golang.org/grpc.(*Server).Serve(0xc42046d080, 0x0, 0x0, 0x0, 0x0)
	/home/prow/go/src/istio.io/istio/vendor/google.golang.org/grpc/server.go:522 +0x748
istio.io/istio/galley/pkg/server.(*Server).Run.func1(0xc4202d9490)
	/home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:242 +0xfb
created by istio.io/istio/galley/pkg/server.(*Server).Run
	/home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:233 +0x5c
FAIL	istio.io/istio/galley/pkg/server 0.383s
```

* add labels to services and deployments (#11503)

* Make custom gateway work (#11320)

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* Add missing values global object and template (#11500)

* Envoy Graceful Shutdown (#11485)

* Add Draining bootstrap to Proxies

Signed-off-by: Liam White <liam@tetrate.io>

* Drain open connections

Signed-off-by: Liam White <liam@tetrate.io>

* typo and makefile fix for drain config

Signed-off-by: Liam White <liam@tetrate.io>

* Add proxy agent tests for draining

Signed-off-by: Liam White <liam@tetrate.io>

* appease our golangcibot overlord

Signed-off-by: Liam White <liam@tetrate.io>

* Windows Go doesn't have syscall.Kill

Signed-off-by: Liam White <liam@tetrate.io>

* Add mixer status to access log (#11471)

* Add mixer status to access log

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* review

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fixing default exports (#11507)

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* HTTP probe rewrite for webhook part. (#10470)

* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merging failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 18:13:30 2019 -0800

    renaming env var.

commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 17:59:25 2019 -0800

    finish migrating test to yaml file based.

commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:55:00 2019 -0800

    get test working.

commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:49:58 2019 -0800

    WIP add some test files.

commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:13:06 2019 -0800

    WIP changing to using the environment var.

commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:52:47 2019 -0800

    add todo for the tests.

commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277d7 4b7b13aef
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:47:17 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit ca22277d76ed8d1c1b7c3b44cb05edfe52ccf861
Merge: 98fd48f59 744b07ad2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:34 2019 -0800

    Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip

commit 98fd48f59f748bafe5e8518bff3d8cbfd64a2135
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:00 2019 -0800

    findsidecar.

commit 744b07ad2406d1eb94bcf5492125f91486ad6b10
Author: Jianfei Hu <jianfeih@g…
istio-testing pushed a commit that referenced this pull request Mar 23, 2019
* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merging failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 18:13:30 2019 -0800

    renaming env var.

commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 17:59:25 2019 -0800

    finish migrating test to yaml file based.

commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:55:00 2019 -0800

    get test working.

commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:49:58 2019 -0800

    WIP add some test files.

commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:13:06 2019 -0800

    WIP changing to using the environment var.

commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:52:47 2019 -0800

    add todo for the tests.

commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277 4b7b13a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:47:17 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit ca22277
Merge: 98fd48f 744b07a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:34 2019 -0800

    Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip

commit 98fd48f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:00 2019 -0800

    findsidecar.

commit 744b07a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 22:29:28 2019 -0800

    add FindSidecar.

commit 40ed002
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 21:55:51 2019 -0800

    refactor some code.

commit 0fdbb2e
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 18:19:32 2019 -0800

    Integration test works and fixing a bug.

commit 5085dfd
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 16:09:13 2019 -0800

    all inject tests pass.

commit fe3f156
Merge: a2a7744 010d5c2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:22:18 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit a2a7744
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:16:04 2019 -0800

    update the TestWebhookInject.

commit 36fd45c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 12:13:21 2019 -0800

    some document

commit 88dc922
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 11:43:44 2019 -0800

    new version works for kubeinject, webhook unit test.

commit 6efa0d6
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 18:17:38 2019 -0800

    WIP working on modifying sidecar.Args first, then modify app container patch.

commit 65a2194
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 15:20:36 2019 -0800

    WIP add what's missing to get e2e test working.

commit 1595e87
Merge: 256d963 ac78a55
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 13:26:05 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 256d963
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 12:14:04 2019 -0800

    add some debugging log.

commit f700963
Merge: bdce721 c7eb603
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 10:57:43 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit bdce721
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 18:04:37 2019 -0800

    refactor to host something up to caller.

commit b51763c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 16:31:32 2019 -0800

    get everything works.

commit 0815695
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:48:27 2019 -0800

    kubeinject test is working.

commit 14c99b5
Merge: d626bb8 5ea7962
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:30 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit d626bb8
Merge: 3561ae0 66153da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:23 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3561ae0
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:49:44 2019 -0800

    WIP, policy is not taking effect, test passing without rewrite.

commit a9bef0f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:31:08 2019 -0800

    fix the json path in the patch.

commit f1aee91
Merge: 3a7eb48 abc53e1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 14:03:49 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3a7eb48
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 13:57:55 2019 -0800

    fix it, removing namespace since metadata not matching will fail for kubeapply

commit 2b12034
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 11:58:39 2019 -0800

    WIP, debugging why mtls policy is not showing up.

commit 72e9c4e
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:24:16 2019 -0800

    working on integration2 test framework.

commit 90c1cce
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:04:38 2019 -0800

    add small comments.

commit 92a0eda
Merge: 7f5c8cb e45242c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 16:43:47 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 7f5c8cb
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:37:53 2018 -0800

    check rewriteAppProbe separately.

commit e2707c9
Merge: 20f02c0 1ae6b4f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:01:37 2018 -0800

    Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject

commit 20f02c0
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:59:57 2018 -0800

    duplicate the rewrite logic.

commit 4894cb1
Merge: 3b3bcbf d8c4579
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:53:44 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 1ae6b4f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Dec 17 21:56:51 2018 -0800

    address comments.

commit 3b3bcbf
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:24:33 2018 -0800

    massage comments.

commit ccd670d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:15:50 2018 -0800

    helm flag is off, so change the expected output.

commit 43522c1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:09:46 2018 -0800

    make webhook support rewriteAppHTTPProbe flag.

commit f60f18f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 12:03:04 2018 -0800

    fixing the merge typo.

commit 05bbadf
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:56:38 2018 -0800

    remove unnecessary changes in test for debugging.

commit a81eacb
Merge: af1a679 f6b0ddc
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:53:07 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit af1a679
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 18:07:19 2018 -0800

    fixing all the test.

commit 58d0bef
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:51:34 2018 -0800

    Get TestInject happy.

commit fcd0ae2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:49:42 2018 -0800

    make TestHelmInject happy.

commit 7a3ffc8
Merge: fcca1f8 bd1631b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:53:01 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit fcca1f8
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:18:20 2018 -0800

    get webhook_test.TestInject working.

commit 06f517c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:10:55 2018 -0800

    restructure app_probe_test working for both.

commit 7142e96
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 13:19:41 2018 -0800

    starting to work on serious test

commit a3dfb97
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:50:19 2018 -0800

    prototyping get familiar with the test.

commit 51659da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:05:51 2018 -0800

    wip for adding test.

* resolve appprobetest.

* update the golden due to another injector change.

* remove unnecessary files in this pr.

* remove the test framework change.

* remove unnecessary testdata file.

* wip for adding health check test app.

* wip very hack working solution app deployed

* finally test starts working

* make sure the test works if and only if the helm flag is turned on.

* refactoring

* small adjustment.

* DeepCopy used.

* working test only healthcheck test.

* remove inline policy

* change RegisterHelmValueOverrides.

* unnecessary change.

* Finish HelmValueMap refactor.

* some cleanup.

* clean up.

* flags helm values takes higher priority.

* fix the lint.

* address comments.

* revert changes on HelmValuesMap.

* wip getting helm customizable with new configuration api.

TODO: testing by rebuild image.

* fix the helm value passing overrides.

* wip the app is deployed but not ready and still finishes...

* wip apps configuration not take effect.

* working version of apps configuration.

* clean up some debugging log.

* test documentation.

* WIP changing deploymentFactory to KubeApp.

* verify test works.

* clarify kubeappsconfig doc.

* get the test pass, no apps configuration yet.

* get test working.

* clean up on apps/kube.go

* few clean and update readme doc.

* change the overrides by func callback.

* fix the typo.

* fix the comments.
diemtvu added a commit that referenced this pull request Apr 12, 2019
* Testing: support retries in Structpath (#12539)

* Testing: support retries in Structpath

The current structpath library automatically fails the test as soon as an error occurs.

This change splits structpath into 2 types:

Instance: methods return errors.

InstanceForTest: delegates to Instance and fails the test if an error occurs.

Tests that allow retries will use Instance and handle the errors manually.

* splitting out the test and non-test instances

* Fixing TestMain for sidecar_api_test

* fixing bug in ForTest

* Switching to single fluent-style api

* Move Distributor interface back to runtime. (#12242)

Distributor is an interface consumed by the runtime package.

* [Kiali][master] things needed for next version of Kiali (#11823)

* things needed for next version of kiali

* additions needed for https://issues.jboss.org/browse/KIALI-2417

* install kiali v0.15

* add read-only role for people to use if they don't want to grant write access to kiali

* mount secret to volume now, not env vars

* add rbacconfigs - https://issues.jboss.org/browse/KIALI-2564

* add prometheus scrape annotations to scrape the new metrics endpoint

* everything is now up to date for kiali v0.16

* Canonicalize help strings for CLI (#12219)

* Fix recently broken racetest on master (#12383)

* Fix racetest

* Lint

* One more race

* Added a todo with issue ref

* missing comment on exported function ConstructCustomDNSNames (#12492)

* missing comment on exported function ConstructCustomDNSNames

* Document customization process

* Merge collab-test-framework to master (#12574)

* Fix deps and broken merge for mixer test

* Fix overly restrictive golang version match

* Fix integration test framework merge issues

* Fix line length lint issue

* Interim checkin of Test Framework refactorings. (#11718)

Seeding collab-test-framework

* Tf 11 scopes (#11772)

Cleaning up the new prototype code.

* Remove hardwired constants from the deployment file.

* Fixup some tests

* Use framework2 for pilot tests (#12243)

* WIP updating sidecar test to new framework

* Re-create Pilot tests based on framework2

* Merge master => collab-test-framework (#12374)

* [Galley] Standardize worker thread lifecycles (#12125)

* [Galley] Standardize worker thread lifecycles

We currently have several worker classes that follow a similar lifecycle pattern, but are inconsistent. This PR standardizes the lifecycle management logic into a new Worker class.

* addressing comments.

* addressing comments.

* Update to grafana 6.0.0 (#12191)

* Support offline running productpage by packing js and css in image (#12218)

* Make code more reusable in other contexts (#11353)

* Make code more reusable in other contexts
- Export processStream methods, they are useful when using the code
outside of Istio
- Move verifySentResourcesMultipleTypes to client_test.go

* Add licence

* Correct TestAdmitPilot Case (#12281)

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Fix pilot grpc failure in Consul (#12273)

* fix wrong link for mixer (#12347)

* Update OWNERS (#12361)

* Update OWNERS

* Update OWNERS

* mixer: CEL runtime (#12145)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Change IP addresses to show up as strings in label maps in accesslog (#11740)

Change IP addresses to show up as strings in http req in accesslog

Fix lint errors

Fix lint errors

Use stringify function

Updated based on feedback

* Improve resource lifecycle management and debuggability. (#12402)

* Improve lifecycle model.

- Add defer context.Done() to sidecar_api_test for resource cleanup.
- Ensure that Pilot's Close returns after the background go-routine is torn down.
- Properly register components/resources for cleanup purposes.
- Reverse the resource cleanup loop to make sure resource dependencies are
handled properly.
- Add friendly ids to test framework components to help with debugging.
- Refactor environment names to avoid cyclic dependencies.

* Fix lint issues.

* Major refactoring of the new framework & ensure the native mode tests work.

* Fix runaway refactoring.

* Make Istio deployment work.

* Fix some Kubernetes based tests.

- Accommodate code review feedback.

* Fix all K8s tests.

* Cleaning up of the core framework API surface.

* More cleanup of the surface area.

* Fix lint and formatting

* Update Makefile & related settings.

* Move collateral docs to framework2, remove framework and integration.

* Move framework2 -> framework

* Fixup echo.

* Fix minor bug.

* Fix lint issue.

* Minor clarification to the output message.

* Fix Makefile

* Temporarily add debug log output for tf.

* Improve in-CI debugging.

* Fix lint problem.

* Add CI Mode flag.

* Convert Always to IfNotPresent

* Convert Always to IfNotPresent

* Fix Citadel component init.

* Write pod state to files.

* Fix galley.New()

* Minor fix.

* Refactor Hub/Tag/PullPolicy usage.

* Increase deployment timeouts.

* Fix formatting bug.

* Make linter happy

* More diagnostic output support.

* minor cleanup

* Fix Yaml deployment code.

* link fixes.

* Fix comment.

* Set minikube ingress to minikube-none.

* More minikube fixes.

* Final cleanups.

* extract namespace to its own component.

* Major cleanup of structure/packages.

* Post merge fixups.

* Fixup sidecar api tests post-merge.

* Fix structpath panic.

* Increase the deployment timeouts in CI.

* Add istio 1.2 CRD file.

* Fix linting.

* Fix imports.

* Disable sidecar_api_test.go test (which is already disabled in master).

* Remove debug flag.

* Fix lint errors.

* Fix testcontext format parameters

* Disable the sidecar tests before the merge.

* Fix CI Mode timings.

* Fix CI Mode timings.

* Make linter happy.

* Cherry-pick Galley/MCP changes from 1.1 => master (#12604)

* Add dynamic discovery and listener initialization for supported k8s resource types (#11871)

* wip: dynamically discover supported crd types

* fix linter errors

* improve logs when resource type not found

* increase code coverage

* address review comments

* add a comment

* fix linter error

* extract Galley root command to server. (#12073)

* Replace root command of Galley with server mode.

* Fix linter issue.

* Wire-up excluded resource types list to the CRD check and update logging (#12143)

* - Wire-up excluded resource types list to the CRD check.
- Update logging.

* Revert copyright.

* Revert copyright.

* Do not reject entire batch of updates, if items get past validation. (#12476)

* Do not drop the whole batch, if validation of a single resource fails.

* minor comment cleanup.

* Adding unit tests.

* Make linter happy happy happy.

* Remove myself from OWNERS files (#12608)

* add a e2e test for oop (#12577)

* Add a config package folder. (#12611)

* Hide most logging CLI options from istioctl (#12633)

* Log descriptions of pods when tests break (#11904)

* Log descriptions of pods when tests break

* Don't overwhelm the logs for a possibly transient error

* Fix kubectl syntax

* Back out change in retry behavior to avoid masking root cause

* add istio-init.yaml to .gitignore (#12542)

* authz: add authorization policy CRD to helm-init (#12541)

* Fix bug in locality LB normalization (#12532) (#12579)

The priority needs to be normalized (so it always has no gaps), so
priorities [0,2] should be changed to [0,1]. However, we were changing
the wrong endpoint's priorities.

* Apply locality weighted lb config correctly (#12588)

Previously, this value was not set if the load balancer config was nil.
However, it should actually be set anytime outlier detection is enabled, so
that locality lb can behave correctly.

* Fix bug causing empty endpoints per locality (#12615)

* Fix bug causing empty endpoints per locality

Before, we were allocating the array then appending to it, creating
empty endpoints at the start of the array.

* Predefine slice size

* Fix the MCP Client ConfigZ page (#12626)

* Fix the MCP Client ConfigZ page.

* Fix the tests

* Update test name to clear confusion.

* Add threshold for rds.go codecov (#12499)

Test is flakey, saying it has dropped coverage when it has not due to
it being nondeterministic.

* Drop log level for missing service account for spiffe uri (#12239)

* Don't require service account for spiffe

Some kubernetes pods don't have a service account. This causes a log
flood that the spiffe url is invalid, but this doesn't actually have any
negative impact. We can just make it not an error to have no service
account.

* Revert "Don't require service account for spiffe"

This reverts commit e88ff187963e97949d3b81c3575b997ddd7e7a6f.

* Just drop error -> warn

* Fix tests

* Drop log level

* [Authz v2] Add additional fields for bindings and validation. (#11800) (#12460)

* Adding additional fields for bindings and validation. (#11800)

* Implement namespaces for ServiceRoleBindings

* Implement not_namespaces and refactor

* Implement not_ips

* Implement ips (no unit tests)

* Add a unit tests for ips for ServiceRoleBinding

* Implement groups and not_groups for ServiceRoleBinding

* Implement names and not_names

* Check for duplicated definition in constraints/properties and first-class fields

* Disallow using * in names or not_names to prevent ambiguity

* Disallow using * in names or not_names to prevent ambiguity

* Refactor additional fields for bindings

* Update validation.go

* Update validation.go

* enhance verify install command (#12174)

* enhance verify install command

* fix lint

* fix lint

* configure prometheus to monitor citadel. (#12175)

* Add namespace scoping to the Gateway 'port' names (#11509) (#12500) (#12556)

* Add namespace scoping to the Gateway 'port' names (#12500) (#12500)

Currently in order to configure ingressgateway to do TLS termination
using multiple secure virtual hosts with different certificates Istio
requires Gateway 'port' names to be globally unique (i.e. distinct).
I.e. two gateways cannot have secure port named 'https' even if they
reside in different namespaces. Behavior in such case is undefined.

This breaks namespace isolation as a user creating a Gateway in one
namespace might not have access to other namespaces hence can't
if the port name is already 'taken'. Behavior in such case is undefined
and likely to render other virtual hosts unavailable.

This change adds namespace scoping to Gateway port names by appending
namespace suffix to the HTTPS RDS routes. Port names still have to be
unique within the namespace boundaries, but this change makes adding
more specific scoping rather trivial.

* Increase Gateway 'port' names scoping granularity

* Minimal changes to make locality lb not sigsegv (#12649)

* Locality label istio-locality in k8s should not contain `/`, use `.` (#12592)

* Locality label istio-locality in k8s should not contain `/`, use `.` instead

* fix comments

* Only use gateways for servers being processed (#12663)

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* Propagate Envoy Metrics Service Config (#12569)

The plumbing for propagating the envoy metrics service address config is missing a step to copy the given address to the config object that is passed on to the template renderer.

* mixer: add directive demo adapter (#12505)

* finish demo

Signed-off-by: Kuat Yessenov <kuat@google.com>

* printf

Signed-off-by: Kuat Yessenov <kuat@google.com>

* publish keyval

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding sidecars to validating webhook configuration (#12233) (#12643)

Addresses issue #12193

* Cleaning up Unit tests for RDS (#12581)

Added a new case and cleaned up the existing test cases.

* switching deployment to v1 api (#10578)

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Cleanup Galley OWNERS file. (#12676)

* fix uds socket (#12688)

* uds fix

* readonly

* Add unit test to cover multiple different locality case (#12388)

This PR only increases test coverage. Does not impact functionality.

Signed-off-by: Liam White <liam@tetrate.io>

* Build 1.1.1 (#12690)

* Fix LB weight setting for split horizon eds (#12560)

* lb weight for split-horizon-eds should be set correctly

* fix ut

* rename

* fix ut

* fix lint

* fix lint

* fix typo in default envoy JSON log format (#12473)

* Make release-1.1 changes compatible with master

* Remove extra ingress template
* cherry pick 10578
* reformat
* Update rbac.go to use httpfilter when needed
* Integration framework ensure apiVersion is top level
* Update yaml make target
* Disable setup on sidecar_api_test

* clarified mesh connect timeout fields based on code impl (#12089)

* Testing: configurable ports for Echo (#12681)

The echo component currently assumes a hard-coded list of ports. We eventually want to replace the "apps" component with echo, but in order to do that we'll need to be able to tailor the port configuration for each instance.

* add image pull secrets for zipkin. (#12327)

* Refresh oop handler with connection config update (#12575)

* refresh handler with connection update

* sanitize test error message

* Fixing copying of the data to the bucket during release (#12585)

* Fixing copying of the data to the bucket.

* Small fix

* RM folder in any case

* 'istioctl proxy-config clusters' cluster type column rendering (#12458)

* Make error message explicit (#12675)

* E2E test for health check under mtls using app prober rewrite. (#11531)

* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merging failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 18:13:30 2019 -0800

    renaming env var.

commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 17:59:25 2019 -0800

    finish migrating test to yaml file based.

commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:55:00 2019 -0800

    get test working.

commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:49:58 2019 -0800

    WIP add some test files.

commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:13:06 2019 -0800

    WIP changing to using the environment var.

commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:52:47 2019 -0800

    add todo for the tests.

commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277d7 4b7b13aef
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:47:17 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit ca22277d76ed8d1c1b7c3b44cb05edfe52ccf861
Merge: 98fd48f59 744b07ad2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:34 2019 -0800

    Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip

commit 98fd48f59f748bafe5e8518bff3d8cbfd64a2135
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:00 2019 -0800

    findsidecar.

commit 744b07ad2406d1eb94bcf5492125f91486ad6b10
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 22:29:28 2019 -0800

    add FindSidecar.

commit 40ed002ff6f5dd4afe22afa984384addc1be1104
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 21:55:51 2019 -0800

    refactor some code.

commit 0fdbb2e832b7ac01f3e4ed185763b3b20bfbd2ac
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 18:19:32 2019 -0800

    Integration test works and fixing a bug.

commit 5085dfd0e6cb4f0c9cb5c25e7f24b0b94dec176a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 16:09:13 2019 -0800

    all inject tests pass.

commit fe3f156316c917854c2ef4c163e7e1fb070c4fa5
Merge: a2a774498 010d5c266
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:22:18 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit a2a774498e1021c1ca01c021c071e225fa330407
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:16:04 2019 -0800

    update the TestWebhookInject.

commit 36fd45c074bcc787702a5a9257d23103521f525c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 12:13:21 2019 -0800

    some document

commit 88dc922719e2c4723a334d1d8d959cac361b1ecb
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 11:43:44 2019 -0800

    new version works for kubeinject, webhook unit test.

commit 6efa0d64eca835dd860cdfc37d09ebfe110e083a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 18:17:38 2019 -0800

    WIP working on modifying sidecar.Args first, then modify app container patch.

commit 65a2194ae7a93581f60b56998aeb9480b4a4fde5
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 15:20:36 2019 -0800

    WIP add what's missing to get e2e test working.

commit 1595e871c640cdabead372eada2b17d717fa707f
Merge: 256d9635f ac78a552a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 13:26:05 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 256d9635f4d590936c473bf3be0299064cb9c716
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 12:14:04 2019 -0800

    add some debugging log.

commit f70096334464fd1d59a0e81997e8f0fd6623a564
Merge: bdce72119 c7eb603ee
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 10:57:43 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit bdce72119ef78dab40b750861768c332811b9ee2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 18:04:37 2019 -0800

    refactor to host something up to caller.

commit b51763c21000ba2b7fe9e2bc728783ce530cfe87
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 16:31:32 2019 -0800

    get everything works.

commit 0815695a2fea828f06a31f14ed7795a3b3716111
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:48:27 2019 -0800

    kubeinject test is working.

commit 14c99b58f0212972d42e298fa4185275642d672c
Merge: d626bb85d 5ea79622c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:30 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit d626bb85dee628771f8f41fc90335ac608dea923
Merge: 3561ae0a6 66153da4d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:23 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3561ae0a69350730834e625c0710394968f9fcde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:49:44 2019 -0800

    WIP, policy is not taking effect, test passing without rewrite.

commit a9bef0f01964a14f6ace0da6217d7a36f364b661
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:31:08 2019 -0800

    fix the json path in the patch.

commit f1aee91189e16beb0dadee6c612464b1aa9bad21
Merge: 3a7eb48e6 abc53e120
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 14:03:49 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3a7eb48e6b8e4687ffc38973bf18fca11b06c957
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 13:57:55 2019 -0800

    fix it, removing namespace since metadata not matching will fail for kubeapply

commit 2b120347ae887b8a4aa5f955a1a8cb0bdd46d3da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 11:58:39 2019 -0800

    WIP, debugging why mtls policy is not showing up.

commit 72e9c4e488f875ffea0c3a279403277010160ee1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:24:16 2019 -0800

    working on integration2 test framework.

commit 90c1cce9ddc55ce339aa65eac06602591d3113c9
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:04:38 2019 -0800

    add small comments.

commit 92a0edaa11734d1c6fb1c367fae56dc104c6e676
Merge: 7f5c8cbd8 e45242c0d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 16:43:47 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 7f5c8cbd8d4aa57eaf8f8d739cae6dbfdab0445d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:37:53 2018 -0800

    check rewriteAppProbe separately.

commit e2707c9b8f1b01bd4b03b2c6adb9fc79f0dcb479
Merge: 20f02c045 1ae6b4fde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:01:37 2018 -0800

    Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject

commit 20f02c04563fab9b81b418c00a5455994fda5148
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:59:57 2018 -0800

    duplicate the rewrite logic.

commit 4894cb16804d9c5a0406c2dc1b02e3395be08e64
Merge: 3b3bcbff8 d8c4579fa
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:53:44 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 1ae6b4fde00ae641637d44c0f417f635b6d9a6b1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Dec 17 21:56:51 2018 -0800

    address comments.

commit 3b3bcbff86f982c8abc705518a0fd4ec37bf4840
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:24:33 2018 -0800

    massage comments.

commit ccd670d31ef2c1817f87fe932d6f0d2ed4f609d7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:15:50 2018 -0800

    helm flag is off, so change the expected output.

commit 43522c15d06054e4bb173ab2c37333a4de647c2d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:09:46 2018 -0800

    make webhook support rewriteAppHTTPProbe flag.

commit f60f18f4144482874c1219c7da90e97f19f1172f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 12:03:04 2018 -0800

    fixing the merge typo.

commit 05bbadfd851b3a5ad013e733d6eb5eacf5491b15
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:56:38 2018 -0800

    remove unnecessary changes in test for debugging.

commit a81eacb6892509d8938be8d64f1435cf64e22317
Merge: af1a67989 f6b0ddc30
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:53:07 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit af1a6798988f9fe70e40add2a6d4971efa9b50ed
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 18:07:19 2018 -0800

    fixing all the test.

commit 58d0bef3520037a81db8baa34d6e13849d20af10
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:51:34 2018 -0800

    Get TestInject happy.

commit fcd0ae2f7a6ba2f067f460f4baad2194e517b7f1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:49:42 2018 -0800

    make TestHelmInject happy.

commit 7a3ffc8d8e4b5509e1bbed2facc6e4ba14d70fa0
Merge: fcca1f89a bd1631be3
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:53:01 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit fcca1f89af2fddfc0edb3824982aa0b81390fa6d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:18:20 2018 -0800

    get webhook_test.TestInject working.

commit 06f517cfc4214994be1be848d40b12f09ba8a4b8
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:10:55 2018 -0800

    restructure app_probe_test working for both.

commit 7142e96ed8a3200fc91bc73aee86d471117232fc
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 13:19:41 2018 -0800

    starting to work on serious test

commit a3dfb97b4ec4de375984c2a17eb4374bc1c5046a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:50:19 2018 -0800

    prototyping get familiar with the test.

commit 51659dacbc569f4532dc6a37b2091f39c7cf115b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:05:51 2018 -0800

    wip for adding test.

* resolve appprobetest.

* update the golden due to another injector change.

* remove unnecessary files in this pr.

* remove the test framework change.

* remove unnecessary testdata file.

* wip for adding health check test app.

* wip very hack working solution app deployed

* finally test starts working

* make sure the test works if and only if the helm flag is turned on.

* refactoring

* small adjustment.

* DeepCopy used.

* working test only healthcheck test.

* remove inline policy

* change RegisterHelmValueOverrides.

* unnecessary change.

* Finish HelmValueMap refactor.

* some cleanup.

* clean up.

* flags helm values takes higher priority.

* fix the lint.

* address comments.

* revert changes on HelmValuesMap.

* wip getting helm customizable with new configuration api.

TODO: testing by rebuild image.

* fix the helm value passing overrides.

* wip the app is deployed but not ready and still finishes...

* wip apps configuration not take effect.

* working version of apps configuration.

* clean up some debugging log.

* test documentation.

* WIP changing deploymentFactory to KubeApp.

* verify test works.

* clarify kubeappsconfig doc.

* get the test pass, no apps configuration yet.

* get test working.

* clean up on apps/kube.go

* few clean and update readme doc.

* change the overrides by func callback.

* fix the typo.

* fix the comments.

* Hide ServiceAccounts from PushContext log (#12702)

* Configure localityLbSetting in values.yaml (#12683)

* Configure localityLbSetting in values.yaml

* Update docs

* Fix concurrent map access (#12706)

* Remove when: always from CircleCI configuration for integration tests. (#12679)

This causes the integration tests to run, even if the previous steps fail.

* Removed unused code from EDS (#12221)

* Should not add a worker in GoroutinePool construction func (#12619)

* GoroutinePool does not add a worker in construction func

* fix ut

* remove redundant code (#12656)

* remove redundant k8s discovery code

* remove redundant

* Configure logging level in proxy and control plane (#12639)

* configure proxy log level via helm values for sidecar and gateways

* configure istio control plane log level via helm

* Put back a couple settings for Kiali that were accidentally deleted. (#12472)

Some Kiali settings were accidentally deleted when the new installation options for
release-1.1 were published. This is because these settings were commented out in
the values.yaml file for kiali under istio/kubernetes/helm/istio/charts/kiali.

Bug:#3660

* remove to be deprecated critical pod annotation. (#12657)

* remove to be deprecated critical pod annotation.

* fix ci.

* Adding timeouts in Galley processor tests (#12701)

* Adding timeouts in Galley processor tests

This is to help in debugging #12628.

* making await method private

* add pod antiaffinity. (#12691)

* add pod antiaffinity.

* fix gateways issue.

* add pod antiaffinity to helm test pod.

* remove local test file.

* apply comments.

* Adding galley test for sidecar config validation (#12247)

* Adding galley test for sidecar config validation

Test cases related to PR #12233

* Using istio-system as namespace for resource

* Collect details/artifacts for failed tests in Prow. (#12753)

* Add infrastructure to document env var usage. (#12727)

- Introduce the pkg/env package containing a few functions to query environment
variable values. It keeps track of the variables requested so they can be documented.

- Extend pkg/collateral to recognize and output the environment variables used in the
process. This is what is needed to make this stuff show up on istio.io.

- Update all relevant call sites to use the new infrastructure. It's still missing
descriptions for all the variables, that'll be up to component authors. I'll file
issues to get that work done.

- Fixed bugs in the node_agent_k8s code that was using env vars as the default for
Cobra command-line arguments, resulting in potentially variable default values
produced in the generated docs. Default values need to be static.

* Enable more linters. (#12751)

- Flip on a couple more linters

- Fix a bazillion warnings produced by these linters,
along with many warnings produced by other not-yet-enabled
linters.

- Fix pkg/version so the tests compile on Mac. This broke a while
back, preventing the linter from running to completion on the Mac.

* Convert galley to reload files via SIGUSR1 or a ctrlz handler (#11617)

* Convert galley to reload files via SIGUSR1 or a ctrlz handler

* Fix ctrlz shutdown not to block

* Disable the mtls_healthcheck test until it can be fixed. (#12775)

* Change IP addresses to show up as strings in label maps in accesslog (#11740) (#12502)

Change IP addresses to show up as strings in http req  in accesslog

Fix lint errors

Fix lint errors

Use stringify function

Updated based on feedback

* upgrade prometheus version. (#12781)

* Wait for endpoints of policy backend, before trying to use it. (#12763)

* Wait for endpoints of policy backend, before trying to use it.

* Minor fix to the structure.

* Add wait logic for waiting Galley to come online.

* Fix minor bug.

* Rename the method so that it is clear what it is doing.

* Add additional constraint check.

* Remove redundant write header (#12731)

Write already writes 200 status code, so this wasn't needed. This caused
unneeded logging every time it was called.

* Tell Kubernetes that Istio validation has no side effects (#12670)

* Tell Kubernetes that Istio validation has no side effects

* Add integration tests for --server-dry-run

* Report version of kubectl and server

* Version check error

* Undo --server-dry-run tests which require K8s 1.12 or higher

* fix uds socket (#12688) (#12802)

* uds fix

* readonly

* mixer: switch to simplified config model (#12689)

* take 2 compiled instances

Signed-off-by: Kuat Yessenov <kuat@google.com>

* try with apa

Signed-off-by: Kuat Yessenov <kuat@google.com>

* quota failure

Signed-off-by: Kuat Yessenov <kuat@google.com>

* false signal?

Signed-off-by: Kuat Yessenov <kuat@google.com>

* more crds

Signed-off-by: Kuat Yessenov <kuat@google.com>

* nil params

Signed-off-by: Kuat Yessenov <kuat@google.com>

* patching config

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove stale command

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix destination host validation (#12804)

* Implement AuthorizationPolicy with workload selector. (#12050) (#12667)

* WIP AuthorizationPolicy with selector

* WIP AuthorizationPolicy with selector

* Check if need to use convertRbacRulesToFilterConfig and ignore permissive mode

* Support TCP

* Move new functions for RBAC v2 to rbac_v2.go

* Change the structure and refactor tests

* Put services field check back

* Remove services field validation

* Remove optimization

* Add selector no match test

* [Galley] Adding ServiceEntry synthesis (#12409)

Added a new custom projection that is subscribed to events for k8s Pods, Nodes, Services and Endpoints. These events are absorbed and do not become part of the snapshot. Instead, synthetic ServiceEntry resources are generated and become part of the snapshot.

Partially addresses #10497 and #10589

* Add a linter to prevent use of os.Getenv and os.LookupEnv (#12778)

- Add more unit tests to pkg/env to bring coverage to 100%

- Move existing linter sources from test/util/checker to tools/checker

* Specify istio-init user explicitly (#5453) (#12708)

Istio-init is supposed to be run as a superuser so it can configure
iptables and this is the current default. However many popular Helm
charts typically define a single container pod and specify
`securityContext.runAsUser` on a pod level (rather than the container
level) and that is what istio-init inherits. As the result many Helm
charts aren't working with Istio auto-injection out of the box.

A simple fix would be explicitly setting `securityContext.runAsUser`
for istio-init on the container-level so it takes precedence.

* Removing dependency on the order of returned IP addresses (#12812)

* Removing dependency on the order of returned IP addresses

Allows returned addresses by the default resolver to be in any
order. The first IPv4 address returned by the resolver is used. If
no IPv4 address is found, an IPv6 address is used.

Added more unit tests.

* Making logic for local IP the same as the rest

* Disabling flaky parts of Galley integ test (#12837)

This should deflake the test in #12820. Real fix is coming soon.

* Set SAN as critical for workload certs. (#12838)

* inject sds related param in pilot/mixer deployment (#12809)

* inject sds related param in pilot/mixer deployment

* remove args

* Disabling Mixer tests using the new TF in K8s. (#12848)

* Disabling Mixer tests using the new TF in K8s.

* Make linter happy.

* accommodate PR review comments.

* galley: support optional crds (#12822)

* optional galley crds

Signed-off-by: Kuat Yessenov <kuat@google.com>

* review

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Removing a "TODO" that is not necessary any more (#12841)

Cleaning up the comments.

* mixer: add template CRD flag and set it to false (#12851)

* template CRD flag

Signed-off-by: Kuat Yessenov <kuat@google.com>

* missed a flag

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Zombie cleanup. (#12878)

- Delete a bunch of dead code, dead variables, unused parameters, and
superfluous type declarations.

* Refactor Istio deployment code for clarity and add wait for webhook. (#12888)

* Refactor Istio deployment code for clarity and add wait for webhook
to come online.

* Make linter happy.

* Fix stupid bug.

* Remove accidental file add (#12895)

* Re-enable sidecar_api_test (#12887)

* Re-enable sidecar_api_test

* Remove kube setup

* Fix race condition

* Make Mixer readiness timeout configurable. (#12640)

- Mixer waits for readiness of the config backend. It is currently hard-wired at 30 seconds. This change makes this configurable and sets the default as 2 minutes.
- The pod was being killed because the liveness probe was not starting on time. It is blocked behind other readiness checks. This change enables readiness early on.

* Minor improvements to the test framework. (#12858)

* Add dump support to policy backend.

* Add a suitecontext dir.

* test: add dump pod events function (#12821)

* Fix flush behavior in Stackdriver adapter. (#12853)

* Fix prometheus and citadel connection tests (#12747)

* Fix test-prometheus-connection.yaml: test never failed

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Fix test-citadel-connection.yaml: test never failed

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Fix a bunch more linter items. (#12897)

* delete stale file (#12898)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Run dep ensure

* Implement EnvoyXdsServer graceful shutdown (#12826)

* update api sha (#12862)

* update api sha

* api files

* Add two sample deployments for user guide of Istio Vault integration (#12917)

* Rename types.go to types.gen.go. (#12921)

* Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850)

* Change Ip Address to readable format in accesslog from stdio adapter

* Add a check to validate it's an IP Address before calling ip.string function

* Fix formatting error

* Fix test

* Correct stringify function in instanceUtil.go too for IP address

* Fix based on review

* Fix based on review

* Fix based on review

* Update to latest doc gen tool. (#12932)

* Fix the regular expression that splits the deployment scripts. (#12931)

The script was fixed with a start-line anchor during the merge of 1.1.
However the regular expressions in Go are not multi-line.

* Add labels to the test framework. (#12819)

* Add basic label support to the test framework.

* Refactor test framework surface area to use fluent-style.

* Apply labels to CircleCI tests & stable integration tests.

* Add early exit support to avoid running setup functions when the label
set can never match.

* Add Citadel tests as presubmit tests.

* Remove environments from label usage.

* Fixup some of the label usages, and convert some of the test entry points.

* Fixup label usage.

* Redisable sidecar tests.

* Accommodate PR feedback.

* Accommodate CR feedback.

* Add more CR fixup.

* Introduce pkg/annotations (#12909)

- pkg/annotations lets us track the annotations used by the calling process.

- pkg/collateral now outputs annotations if there are any. This will make annotations
show up on istio.io

- Adjusted how pkg/collateral handles deprecated environment variables to match how we
handle deprecated fields in protos (by coloring them differently on istio.io)

- Added another test to pkg/env to cover a case I missed originally.

- Updated the sidecar injector and pilot to use pkg/annotations.

- Fixed some invalid HTML generated by pkg/collateral.

I'll file an issue to get descriptions added for the annotations.

* remove unused pdb in remote values. (#12943)

* prevent duplicate inbound listeners (#12937)

* [Galley] Fix race in runtime strategy (#12927)

This addresses a race condition that seems to only occur when using a very low timerFrequency (e.g. 1 microsecond) on a slow machine (e.g. prow). Under these conditions, the strategy can encounter a race condition when creating the timer. The code was setting the `timer` variable to the result of time.AfterFunc. However, due to the extremely low frequency used, the AfterFunc was invoking its handler, `onTimer` before returning. This led to accessing an uninitialized `timer` value.

This PR swaps out AfterFunc for NewTimer. The use of time.Timer is now abstracted behind the `asyncTimer` object, which provides the semantics needed by the strategy. Now strategy.timer is set before it is started, avoiding the race.

Fixes #12628

* Adding unit tests for sidecar scope (#12184)

* Adding unit tests for sidecar scope

* Removing unused variable

* linters: enable errcheck (#12933)

* enable errcheck

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add maligned to exceptions

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Istio does not use Cluster_LOGICAL_DNS, so remove it (#12905)

* Istio does not use Cluster_LOGICAL_DNS, so remove it

* clean up LOGICAL_DNS in comments

* Clean up Helm README (#12914)

The README has outdated information on the values, we should just defer
to istio.io which is up to date. Additionally, we should point users to
istio.io which has up to date install instructions.

* 'istioctl experimental dashboard' command to show add-ons and sidecars (#12627)

* 'istioctl experimental dashboard' command to show add-ons and sidecars

* Test cases, output of URL, use of Cobra output stream

* Refactor code into istioctl/pkg/kubernetes

* Refactor to expose PortForward stop channel

* Validate new mixer CRDs (#12918)

* Validate new mixer CRDs

* Add templates and adapters

* Test cases for new mixer CRDs

* Add environment variables to allow configuring bookinfo hostnames (#12646)

* Allow bookinfo hostnames to be configurable

- add DETAILS_HOSTNAME, RATINGS_HOSTNAME, REVIEWS_HOSTNAME environment
variables to configure hostnames. Defaults to details, ratings, reviews
respectively

* Bump bookinfo sample to 1.11.0

* Update expected outputs for bookinfo tests

- this is not related to our PR, but the tests were failing
- the apps were changed, but images were not rebuilt

* Add edsClusters should be atomic (#12942)

* Add edsClusters should be atomic

* fix lint

* properly report errors on failure (#12945)

The CI Infrastructure times out after 10 minutes of no activity.  In
one of the test case runners, 10 minutes is specified causing the CI
timeout to flush any debuggable output from the checks.  This results
in an inexact error result to be returned.

Instead a vague response about the test case timing out is reported,
resulting in confusion for the PR authors.

The typical max I was able to achieve was ~230 seconds, but I trimmed
to 3 minutes so the test case fails in all conditions and properly
reports the errors.

* Hoist exemptLabels to top-level, so that they can apply to prs as well. (#12902)

* [mixer-e2e-test] add retry to prometheus query in check cache test (#12680)

* check cache test sleep longer

* use retry instead of longer waiting

* reword error message

* Fixing typos in unit tests (#12661)

Redoing PR #12035

* respect locality weight set from ServiceEntry (#12714)

* respect the lb weight setting from users

* add ut

* fix golint

* add locality lb setting test

* fix lint

* update test case

* update test case

* lint

* sidecars with workload selector takes precedence over namespace wide one (#12831)

* Auto bind to services for Sidecar listeners with specific ports (#12724)

* auto bind to TCP services for egress ports in Sidecar

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* fix test

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* minor patch (#12963)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Cleanup gateway vhost config gen (#12847)

* check match direction

* Cleanup http route generation

* undo pickMatching change

* golangbot comments

* address review comments

* fix validation bug

* gofmt

* check for intersection duplicates

* Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916)

* Add wildcard route fallthrough

Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port.

Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there
is already an http service. This is misleading, as it can be conflated
with a 404 error returned from the actual service. When in REGISTRY_ONLY
mode, we instead return a 502 error to indicate the request is blocked.

* add unit tests

* Remove node-level flag

* Fix tests

* Support PKCS#8 private keys. (#12972)

* Support PKCS#8 private keys.

* Small fix.

* Fix LB weight setting for split horizon eds (#12560) (#12827)

* lb weight for split-horizon-eds should be set correctly

* fix ut

* rename

* fix ut

* fix lint

* fix lint

* Restore dump_kubernetes.sh function on OSX (#12159)

* Fixes for Bash 3.x and detecting non-running pods

* Address shellcheck warnings

* Remove Robert Li from tests OWNERS file (#12946)

Robert has had a change in employment and can no longer contribute to
Istio.

* remove unnecessary namespace for webhook configuration (#12981)

* remove deprecated mcpServerAddrs flag (#12954)

* remove deprecated mcpServerAddrs

* fix ut

* support ip:port format configSource

* fix ut

* fix ut

* support proxy https app probe (#12872)

* support proxy https app probe

* add ut

* fix ut

* add webhook inject test

* fix test

* fix comments by incfly

* Allow some time for the configuration propagation (#12865)

* Allow some time for the listeners config propagation

* change to use watchDiscovery

* samples/bookinfo: easier access to logs (#12584)

* Use shorter namespace prefixes. (#13001)

* Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850) (#12936)

* Change Ip Address to readable format in accesslog from stdio adapter

* Add a check to validate it's an IP Address before calling ip.string function

* Fix formatting error

* Fix test

* Correct stringify function in instanceUtil.go too for IP address

* Fix based on review

* Fix based on review

* Fix based on review

* Update integration test env flag (#12977)

The flag should be "kube" not "kubernetes" but it was not updated in
some places before.

* Support inline role definition in AuthorizationPolicy (#12849)

* Don't fill test logs with "no provious log" (#12857)

This isn't a real error, but it is misleading in the test output. We
have no reason to output all of these errors that there is no previous
container to get logs from.

* mixer: delete old style CRDs from installation (#12710)

* delete old style CRD from installation

Signed-off-by: Kuat Yessenov <kuat@google.com>

* disable galley from listening to old style CRDs

Signed-off-by: Kuat Yessenov <kuat@google.com>

* more hardcoded yamls

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging default install

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix fmt

Signed-off-by: Kuat Yessenov <kuat@google.com>

* keep galley pipeline

Signed-off-by: Kuat Yessenov <kuat@google.com>

* disable resource ready

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete debugging line

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fixing testdata

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete deprecated configs

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove declarations

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete more yaml

Signed-off-by: Kuat Yessenov <kuat@google.com>

* merge fix

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Add tests for the effect of mTLS setting to reachability (#11624)

* Reachability test in new integration test framework

* Add test for port specific policy

* Expose KubeApp interface and move EndpointForPort to that instead

* Use the retry.UntilSuccess from framework

* Change to UntilSuccessOrFail instead of UntilSucces

* remove deprecated code (#13005)

* remove deprecated code

* remove dep

* Add examples/documentation for the test framework. (#13000)

* Add examples/documentation for the test framework.

* Add more prose about test lifecycle.

* Fix typo.

* Fix typos.

* fix retry loop in mixer crd watch (#13003)

* first change to apps/v1 for Install (#13015)

* first change for install

* appsv1

* indention

* use only ipv4 for pilot and zipkin (#12997)

* do ipv4 lookups for pilot and zipkin

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* update goldens

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* small fix for imports (#13013)

* remove old mcp stack (#12092)

* remove old mcp stack

* remove legacy mcp server from galley

* fix server build

* fix linter

* remove unused code in journal.go

* fix build

* s/server/source

* fix linter errors

* Exclude Prometheus traffic in rule so that Kiali does not show it. (#12251)

* [Galley] Fix race in strategy shutdown. (#13004)

* [Galley] Fix race in strategy shutdown.

The Close() logic was holding onto the state lock, which can race with worker thread. Specifically, the worker thread could be in a call to onTimer awaiting the lock, which would never be acquired since the Close() method is stuck waiting for the stopped channel to close.

* cleaning up reset logic to avoid holding on the stateLock

* Add instructions and scripts to facilitate running E2E tests locally using KinD (#12641)

* Adding check/install go in both macOS and Linux.

* Install go if not installed.

* Adding support to run e2e test on KinD locally.

* Adding the ability to run e2e tests locally on KinD.

* Update install_prereqs_debian.sh

* Update setup_test.sh

* Adding the ability to run e2e test on KinD
for presubmit test.

* Presubmit e2e test on KinD.

* Adding the ability to run e2e_simple presubmit on KinD

* Adding README file for testing on KinD locally.

* Revert the changes on adding install_go function.

* Revert install_go in common_macos.sh

* Revert the file changes of deleting newline.

* Reverting the changes.

* Addressing reviews.

* Fixing shellcheck

* respect locality weight set from ServiceEntry (#12714) (#13012)

* respect the lb weight setting from users

* add ut

* fix golint

* add locality lb setting test

* fix lint

* update test case

* update test case

* lint

* Add documentation about -p 1 for integration test framework. (#13032)

* Reduce logs in security/pkg/nodeagent/sds/ (#13035)

* Reduce logs in security/pkg/nodeagent/sds/

https://github.com/istio/istio/issues/13033

* Count the log output times

* Revise the PR based on review comments

* move pkg/mcp/configz to pkg/mcp/configz/client (#12982)

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Restore TestMtlsHealthCheck in postsubmit, prow. (#12969)

* restore test to debug.

* add presubmit label to the test for triggering.

* change to only run in postsubmit.

* remove postsubmit label just comment.

* Enable more linters and fix warnings/errors (#12993)

* Cherry pick cert file config from master to release-1.1 (#12707)

* Cherry pick from master: Configuration:  no longer hardcode mesh certs (#12189)

* Configuration: Pilot-Agent: no longer hardcode certs to watch. Pilot-Discovery: no longer hardcode Envoy listener cert paths.

* Address demands of golangcibot overlord

* Change usages of github.com/stretchr/testify/require to github.com/stretchr/testify/assert

* Address code style violation

* Revert temporary api changes. Set cert paths in envoy node metadata and use them when setting up listeners

* Use envoy node metadata cert paths (if available) when constructing clusters

* Rename constants to make golint happy

* Fix imports

* Ignore ordering in test

* Pass around proxy instead of proxy.Metadata

(cherry picked from commit 7c342741df9bd4e313420b4d17e279089d8956da)

* goimports file

* Allow limiting Citadel to marked namespaces only (#12289)

* Allow limiting Citadel to marked namespaces only

- add command line flag to require explicit opt-in to secrets (defaults to false to retain current behavior of always create)
- extend secret controller to consider namespace labels (reuses existing 'istio-injected=enabled')
- modify unit tests to retain previous behavior (i.e., always create secrets, explicit opt-in not required) and account for additional namespace access

* removed left-over debug print, check enable only when explicit opt-in is required

* reverting k8s actions in tests: namespaces no longer checked when explicit opt-in is false

* unit tests for checking labels and behavior

* Namespace specified in command line is explicitly enabled

- save namespace specified in the `--listened-namespace` option on the controller (allow multiple to prepare for r1.1)
- check SA namespace against explicit namespaces

* use dedicated label name to avoid overloading the injection label

* use istio-managed label in tests

* clarified explicit-opt-in is relevant for keys and certificates provided via a volume mount

* refactor istio managed object test to a function so it can be called from secret deletion handler as well

* fix left over istio-injection label in tests

* manual merge fix

* appsv1 galley (#13047)

* Add support for datadog tracing (on release-1.1 branch) (#12687)

* Add support for datadog tracing.

Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com>

* Use $(HOST_IP) instead of special-casing empty address value

Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com>

* add param to sidecar to ignore iptables changes (#12829)

* add param to sidecar to ignore iptables changes

* rephrase description

* samples/bookinfo: migrate `apiVersion` of deployments to `apps/v1` (#13030)

* fix validation logic so that port.name is no longer a valid PortSelector (#13054)

* [Test Framework]: Galley support for deleting config (#13037)

In order to properly support deleting resources, it was necessary to revisit how ApplyConfig is done as well.  Previously, apply would just blindly copy the yaml to a new file in the configDir. The assumption was that the resource was always being "added" (rather than updated). I'm not certain what would happen if two resources appeared with the same name/namespace.

This PR generalizes (and fixes) the way resources are handled so that it's not concerned with files, but rather the underlying resources. The code now parses the top-portion of the yaml to properly identify each resource.  Once identified, the code now properly updates resources by writing back to the file where the resource was found.  Deletes are similar, where the original resource in the file is replaced with "" (empty files are removed).

* Support controlz for mcp server (#12980)

* Support controlz for mcp server

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* fix lint error

* Address review comments

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* generalize artifact injection into Docker images (#12203)

Instead of just adding LICENSES.txt only, also optionally add in the
source code as well, gating on the new EXTRA_ARTIFACTS and
EXTRA_ARTIFACTS_CNI environment variables.

Change-Id: Iab8fadfbcbbaa8906491e12324fae20185d9f33e

* Keep going when problem happens checking remote version (#13060)

* remove deprecated show-all flag (#13053)

* Add x alias to experimental istioctl command (#11801)

* Add x alias to experimental istioctl command

I'm super lazy and experimental is far too much effort to type

Signed-off-by: Liam White <liam@tetrate.io>

* Add exp as an additional alias

Signed-off-by: Liam White <liam@tetrate.io>

* Correct the app label for Gateway (#12693)

* update selector for gateway

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix build fail

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* Update tracing_datadog_golden.json (#13082)

* Fix small typo (#13089)

can useful -> can be useful

* Add jitter in CSR request (#12805)

* Add jitter in CSR request

* Add log

* Fix comments

* Fix test

* Fix test

* Fix comment

* Allows cleanup.sh to run non-interactively when in terminal (#12635)

This change allows cleanup.sh to run non-interactively in standard terminals.
For example: NAMESPACE="test123" ./cleanup.sh

* 'istioctl proxy-config clusters' cluster type column rendering (#12458) (#12730)

* update sds secret mount. (#12733)

* Copy data from right place (#12762)

* Fix updateClusterInc for overlapping ports (#12766)

* Fix updateClusterInc for overlapping ports

It is possible that a service will have multiple ports, with the same
port number. The typical example here is kube-dns, which uses port 53
for UDP and TCP. When we do an incremental push, we would select the
first port to match the port number, which would sometimes causes us to
ignore the correct port. This fix searches through all matching ports.

* Ensure port number matches as well

* Add unit tests

* remove dead code

* enable default sidecarscope (#12832)

* [Galley] Fix for ServiceEntry event ordering (#12890)

The integration test was encountering this, exposing a real bug. If nodes/pod events occur after service/endpoints (which should generally be unusual) then it is possible to have a ServiceEntry missing pod/node information (e.g. locality).

Fixes #12820

* Adding sha for istio/tools to manifest.txt for future automation of perf tests (#11706)

* Copy helm data from the right place (#12808)

* Refactor solution based on Costin's feedback (#13027)

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Enable more linters and fix warnings/errors (#13061)

* Making tags requirement same as those in Kubernetes (#12852)

* Making tags requirement same as those in Kubernetes

Changing validation check to make sure non-empty tags start with an
alphanumeric character

* Validating label keys are not empty strings

Allow empty string for label values
Do not allow empty string for label keys

* Added certmanager flag into helm chart values.yaml (#12953)

* Added certmanager flag into helm chart values.yaml

* Moved certmanager configuration

* Pilot [networking]: Add upstream idle_timeout to cluster definition (#13066)

* adding upstream idle_timeout to cluster definition.

* reverting vendor changes before running dep ensure again.

* running dep ensure update on api from master.

* controlPlaneMtls renamed to controlPlaneSecurityEnabled (#13141)

* Patch #12805 to master (#13104)

* Patch #12805 to master

* Fix lint

* Fix HelmDelete command (#12515)

* Fix HelmDelete command

HelmDelete was called with the namespace it needs to be called
with a chartname.  Also created a constant to make it more
obvious when called by the other Helm related commands.

* Fix typo

* Goimports fix

* ight modification path (#13148)

* Allow overriding of registry locality (#13077)

Also fixes bug where non-kube envs could override to something that parsed incorrectly

Signed-off-by: Liam White <liam@tetrate.io>

* mixer: add support for standard CRDs for compiled-in adapters (#12815)

* cherry pick subset of https://github.com/istio/istio/pull/12689/

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add support for compiled in adapters

Signed-off-by: Kuat Yessenov <kuat@google.com>

* patch log line

Signed-off-by: Kuat Yessenov <kuat@google.com>

* parse cert to get expire time  (#13145)

* parse cert

* cleanup

* unit test coverage

* missing file

* address comments

* rebase and address comment

* Installing istio for perf testing (#13159)

* Perf scripts

* gsutil

* WD

* perf running and getting metrics

* Perf

* perf

* perf

* Perf

* remove

* qq

* Appsv1 pilot (#13050)

* appsv1 for Pilot

* appsv1 for Pilot

* appsv1 for Pilot

* dep update

* fix test

* fix test

* fix test

* fix test

* fix test

* typo

* typo

* typo

* typo

* typo

* update go-control-plane (#13154)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* added sidecar.istio.io/rewriteAppProbers annotation (#13112)

* pilot: registered sidecar.istio.io/rewriteAppProbers annotation

* pilot: checked from sidecar.istio.io/rewriteAppProbers too

* pilot: added webhook inject tests

TestWebhookInject_http_probe_rewrite_enabled_via_annotation case is a modification of TestWebhookInject_http_probe_rewrite case.
The difference is rewriteAppHTTPProbe is false in template, but set to true in annotation.

TestWebhookInject_http_probe_rewrite_disabled_via_annotation case is a modification of TestWebhookInject case.
The difference is rewriteAppHTTPProbe is true in template, but set to false in annotation.

* fixed linter issue in test

* added http probe test for kubeinject case

* added tests and fixed login upon checking RewriteAppHTTPProbe setting

* Add more tests in app_probe_test.go

* renamed RewriteAppProbers to RewriteAppHTTPProbers

* fixed test case for webhook injection

* add description to rewriteAppHTTPProbers annotation

* updated tests in app probe to sync with recent master change

* change validateBool to alwaysValidFunc as per review

* Export inject.injectionData() (#12426)

* Registrator should use master version (#13083)

* dependencies: update cel-go and remove protoc-gen-docs (#12711)

* experiment with COMPAT

Signed-off-by: Kuat Yessenov <kuat@google.com>

* get errors

Signed-off-by: Kuat Yessenov <kuat@google.com>

* get errors

Signed-off-by: Kuat Yessenov <kuat@google.com>

* stop validation

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove hack

Signed-off-by: Kuat Yessenov <kuat@google.com>

* testing

Signed-off-by: Kuat Yessenov <kuat@google.com>

* only access log

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add runtimeconfig

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add a benchmark

Signed-off-by: Kuat Yessenov <kuat@google.com>

* cel_perf

Signed-off-by: Kuat Yessenov <kuat@google.com>

* update cel

Signed-off-by: Kuat Yessenov <kuat@google.com>

* update examples

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove unnecessary dependencies

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fixing copy for helm, one more time. (#13186)

* Run goimports on generated file (#13195)

* Enable disabled mixer tests in New Test Framework (#13151)

* Enable disabled mixer tests in NF

* Change tests config to new style

* Change tests config to new style

* Change tests config to new style

* Fix config for native policybackend

* Fix report test

* Reduce Pilot resource requests for demo (#12477)

* Reduce Pilot resource requests for demo

* Add limits as well

* Added data source for Galley dashboard (#13041)

Fixes: #13040

* fix values for pod anti-affinity. (#12798)

* Add sensible defaults to istio-gateways (#12315)

* report succeed after validation (#13165)

* report succeed after validation

* review comments

* Change exposed port of istio-pilot in consul (#13170)

`15003` and `15005` are never used in pilot under consul env. It would be confusing to expose the two ports. Instead, 
```
   --grpcAddr string                     Discovery service grpc address (default ":15010")
   --secureGrpcAddr string               Discovery service grpc address, with https (default ":15012")
```
we know `15010` and `15012` are still in use.

* Cherrypick: Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916) (#12973)

* Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916)

* Add wildcard route fallthrough

Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port.

Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there
is already an http service. This is misleading, as it can be conflated
with a 404 error returned from the actual service. When in REGISTRY_ONLY
mode, we instead return a 502 error to indicate the request is blocked.

* add unit tests

* Remove node-level flag

* Fix tests

* Use new env var framework

* Fix long line

* Run format and linter

* CEL checker mutex (#13192)

* checker mutex

Signed-off-by: Kuat Yessenov <kuat@google.com>

* deadlock

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Integration testing for Locality Load Balancing  (#13084)

* Initial testing functionality

Signed-off-by: Liam White <liam@tetrate.io>

* appease the linting gods

Signed-off-by: Liam White <liam@tetrate.io>

* Fall back to bootstrap locality as a last resort

Signed-off-by: Liam White <liam@tetrate.io>

* Move service instance check after we set them...

Signed-off-by: Liam White <liam@tetr…
lei-tang added a commit that referenced this pull request Apr 16, 2019
* add istio-init.yaml to .gitignore (#12542)

* authz: add authorization policy CRD to helm-init (#12541)

* Fix bug in locality LB normalization (#12532) (#12579)

The priority needs to be normalized (so it always has no gaps), so
priorities [0,2] should be changed to [0,1]. However, we were changing
the wrong endpoint's priorities.

* Apply locality weighted lb config correctly (#12588)

Previously, this value was not set if the load balancer config was nil.
However, it should actually be set anytime outlier detection is enabled, so
that locality lb can behave correctly.

* Fix bug causing empty endpoints per locality (#12615)

* Fix bug causing empty endpoints per locality

Before, we were allocating the array then appending to it, creating
empty endpoints at the start of the array.

* Predefine slice size

* Fix the MCP Client ConfigZ page (#12626)

* Fix the MCP Client ConfigZ page.

* Fix the tests

* Update test name to clear confusion.

* Add threshold for rds.go codecov (#12499)

Test is flaky, saying it has dropped coverage when it has not due to
it being nondeterministic.

* Drop log level for missing service account for spiffe uri (#12239)

* Don't require service account for spiffe

Some kubernetes pods don't have a service account. This causes a log
flood that the spiffe url is invalid, but this doesn't actually have any
negative impact. We can just make it not an error to have no service
account.

* Revert "Don't require service account for spiffe"

This reverts commit e88ff187963e97949d3b81c3575b997ddd7e7a6f.

* Just drop error -> warn

* Fix tests

* Drop log level

* [Authz v2] Add additional fields for bindings and validation. (#11800) (#12460)

* Adding additional fields for bindings and validation. (#11800)

* Implement namespaces for ServiceRoleBindings

* Implement not_namespaces and refactor

* Implement not_ips

* Implement ips (no unit tests)

* Add a unit tests for ips for ServiceRoleBinding

* Implement groups and not_groups for ServiceRoleBinding

* Implement names and not_names

* Check for duplicated definition in constraints/properties and first-class fields

* Disallow using * in names or not_names to prevent ambiguity

* Disallow using * in names or not_names to prevent ambiguity

* Refactor additional fields for bindings

* Update validation.go

* Update validation.go

* enhance verify install command (#12174)

* enhance verify install command

* fix lint

* fix lint

* configure prometheus to monitor citadel. (#12175)

* Add namespace scoping to the Gateway 'port' names (#11509) (#12500) (#12556)

* Add namespace scoping to the Gateway 'port' names (#12500) (#12500)

Currently in order to configure ingressgateway to do TLS termination
using multiple secure virtual hosts with different certificates Istio
requires Gateway 'port' names to be globally unique (i.e. distinct).
I.e. two gateways cannot have secure port named 'https' even if they
reside in different namespaces. Behavior in such case is undefined.

This breaks namespace isolation as a user creating a Gateway in one
namespace might not have access to other namespaces hence can't
if the port name is already 'taken'. Behavior in such case is undefined
and likely to render other virtual hosts unavailable.

This change adds namespace scoping to Gateway port names by appending
namespace suffix to the HTTPS RDS routes. Port names still have to be
unique within the namespace boundaries, but this change makes adding
more specific scoping rather trivial.

* Increase Gateway 'port' names scoping granularity

* Minimal changes to make locality lb not sigsegv (#12649)

* Locality label istio-locality in k8s should not contain `/`, use `.` (#12592)

* Locality label istio-locality in k8s should not contain `/`, use `.` instead

* fix comments

* Only use gateways for servers being processed (#12663)

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* Propagate Envoy Metrics Service Config (#12569)

The plumbing for propagating the envoy metrics service address config is missing a step to copy the given address to the config object that is passed on to the template renderer.

* mixer: add directive demo adapter (#12505)

* finish demo

Signed-off-by: Kuat Yessenov <kuat@google.com>

* printf

Signed-off-by: Kuat Yessenov <kuat@google.com>

* publish keyval

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding sidecars to validating webhook configuration (#12233) (#12643)

Addresses issue #12193

* Cleaning up Unit tests for RDS (#12581)

Added a new case and cleaned up the existing test cases.

* switching deployment to v1 api (#10578)

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Cleanup Galley OWNERS file. (#12676)

* fix uds socket (#12688)

* uds fix

* readonly

* Add unit test to cover multiple different locality case (#12388)

This PR only increases test coverage. Does not impact functionality.

Signed-off-by: Liam White <liam@tetrate.io>

* Build 1.1.1 (#12690)

* Fix LB weight setting for split horizon eds (#12560)

* lb weight for split-horizon-eds should be set correctly

* fix ut

* rename

* fix ut

* fix lint

* fix lint

* fix typo in default envoy JSON log format (#12473)

* Make release-1.1 changes compatible with master

* Remove extra ingress template
* cherry pick 10578
* reformat
* Update rbac.go to use httpfilter when needed
* Integration framework ensure apiVersion is top level
* Update yaml make target
* Disable setup on sidecar_api_test

* clarified mesh connect timeout fields based on code impl (#12089)

* Testing: configurable ports for Echo (#12681)

The echo component currently assumes a hard-coded list of ports. We eventually want to replace the "apps" component with echo, but in order to do that we'll need to be able to tailor the port configuration for each instance.

* add image pull secrets for zipkin. (#12327)

* Refresh oop handler with connection config update (#12575)

* refresh handler with connection update

* sanitize test error message

* Fixing copying of the data to the bucket during release (#12585)

* Fixing copying of the data to the bucket.

* Small fix

* RM folder in any case

* 'istioctl proxy-config clusters' cluster type column rendering (#12458)

* Make error message explicit (#12675)

* E2E test for health check under mtls using app prober rewrite. (#11531)

* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merging failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 18:13:30 2019 -0800

    renaming env var.

commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 17:59:25 2019 -0800

    finish migrating test to yaml file based.

commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:55:00 2019 -0800

    get test working.

commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:49:58 2019 -0800

    WIP add some test files.

commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:13:06 2019 -0800

    WIP changing to using the environment var.

commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:52:47 2019 -0800

    add todo for the tests.

commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277d7 4b7b13aef
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:47:17 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit ca22277d76ed8d1c1b7c3b44cb05edfe52ccf861
Merge: 98fd48f59 744b07ad2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:34 2019 -0800

    Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip

commit 98fd48f59f748bafe5e8518bff3d8cbfd64a2135
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:00 2019 -0800

    findsidecar.

commit 744b07ad2406d1eb94bcf5492125f91486ad6b10
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 22:29:28 2019 -0800

    add FindSidecar.

commit 40ed002ff6f5dd4afe22afa984384addc1be1104
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 21:55:51 2019 -0800

    refactor some code.

commit 0fdbb2e832b7ac01f3e4ed185763b3b20bfbd2ac
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 18:19:32 2019 -0800

    Integration test works and fixing a bug.

commit 5085dfd0e6cb4f0c9cb5c25e7f24b0b94dec176a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 16:09:13 2019 -0800

    all inject tests pass.

commit fe3f156316c917854c2ef4c163e7e1fb070c4fa5
Merge: a2a774498 010d5c266
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:22:18 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit a2a774498e1021c1ca01c021c071e225fa330407
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:16:04 2019 -0800

    update the TestWebhookInject.

commit 36fd45c074bcc787702a5a9257d23103521f525c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 12:13:21 2019 -0800

    some document

commit 88dc922719e2c4723a334d1d8d959cac361b1ecb
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 11:43:44 2019 -0800

    new version works for kubeinject, webhook unit test.

commit 6efa0d64eca835dd860cdfc37d09ebfe110e083a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 18:17:38 2019 -0800

    WIP working on modifying sidecar.Args first, then modify app container patch.

commit 65a2194ae7a93581f60b56998aeb9480b4a4fde5
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 15:20:36 2019 -0800

    WIP add what's missing to get e2e test working.

commit 1595e871c640cdabead372eada2b17d717fa707f
Merge: 256d9635f ac78a552a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 13:26:05 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 256d9635f4d590936c473bf3be0299064cb9c716
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 12:14:04 2019 -0800

    add some debugging log.

commit f70096334464fd1d59a0e81997e8f0fd6623a564
Merge: bdce72119 c7eb603ee
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 10:57:43 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit bdce72119ef78dab40b750861768c332811b9ee2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 18:04:37 2019 -0800

    refactor to host something up to caller.

commit b51763c21000ba2b7fe9e2bc728783ce530cfe87
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 16:31:32 2019 -0800

    get everything works.

commit 0815695a2fea828f06a31f14ed7795a3b3716111
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:48:27 2019 -0800

    kubeinject test is working.

commit 14c99b58f0212972d42e298fa4185275642d672c
Merge: d626bb85d 5ea79622c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:30 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit d626bb85dee628771f8f41fc90335ac608dea923
Merge: 3561ae0a6 66153da4d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:23 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3561ae0a69350730834e625c0710394968f9fcde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:49:44 2019 -0800

    WIP, policy is not taking effect, test passing without rewrite.

commit a9bef0f01964a14f6ace0da6217d7a36f364b661
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:31:08 2019 -0800

    fix the json path in the patch.

commit f1aee91189e16beb0dadee6c612464b1aa9bad21
Merge: 3a7eb48e6 abc53e120
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 14:03:49 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3a7eb48e6b8e4687ffc38973bf18fca11b06c957
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 13:57:55 2019 -0800

    fix it, removing namespace since metadata not matching will fail for kubeapply

commit 2b120347ae887b8a4aa5f955a1a8cb0bdd46d3da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 11:58:39 2019 -0800

    WIP, debugging why mtls policy is not showing up.

commit 72e9c4e488f875ffea0c3a279403277010160ee1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:24:16 2019 -0800

    working on integration2 test framework.

commit 90c1cce9ddc55ce339aa65eac06602591d3113c9
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:04:38 2019 -0800

    add small comments.

commit 92a0edaa11734d1c6fb1c367fae56dc104c6e676
Merge: 7f5c8cbd8 e45242c0d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 16:43:47 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 7f5c8cbd8d4aa57eaf8f8d739cae6dbfdab0445d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:37:53 2018 -0800

    check rewriteAppProbe separately.

commit e2707c9b8f1b01bd4b03b2c6adb9fc79f0dcb479
Merge: 20f02c045 1ae6b4fde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:01:37 2018 -0800

    Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject

commit 20f02c04563fab9b81b418c00a5455994fda5148
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:59:57 2018 -0800

    duplicate the rewrite logic.

commit 4894cb16804d9c5a0406c2dc1b02e3395be08e64
Merge: 3b3bcbff8 d8c4579fa
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:53:44 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 1ae6b4fde00ae641637d44c0f417f635b6d9a6b1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Dec 17 21:56:51 2018 -0800

    address comments.

commit 3b3bcbff86f982c8abc705518a0fd4ec37bf4840
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:24:33 2018 -0800

    massage comments.

commit ccd670d31ef2c1817f87fe932d6f0d2ed4f609d7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:15:50 2018 -0800

    helm flag is off, so change the expected output.

commit 43522c15d06054e4bb173ab2c37333a4de647c2d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:09:46 2018 -0800

    make webhook support rewriteAppHTTPProbe flag.

commit f60f18f4144482874c1219c7da90e97f19f1172f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 12:03:04 2018 -0800

    fixing the merge typo.

commit 05bbadfd851b3a5ad013e733d6eb5eacf5491b15
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:56:38 2018 -0800

    remove unnecessary changes in test for debugging.

commit a81eacb6892509d8938be8d64f1435cf64e22317
Merge: af1a67989 f6b0ddc30
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:53:07 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit af1a6798988f9fe70e40add2a6d4971efa9b50ed
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 18:07:19 2018 -0800

    fixing all the test.

commit 58d0bef3520037a81db8baa34d6e13849d20af10
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:51:34 2018 -0800

    Get TestInject happy.

commit fcd0ae2f7a6ba2f067f460f4baad2194e517b7f1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:49:42 2018 -0800

    make TestHelmInject happy.

commit 7a3ffc8d8e4b5509e1bbed2facc6e4ba14d70fa0
Merge: fcca1f89a bd1631be3
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:53:01 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit fcca1f89af2fddfc0edb3824982aa0b81390fa6d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:18:20 2018 -0800

    get webhook_test.TestInject working.

commit 06f517cfc4214994be1be848d40b12f09ba8a4b8
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:10:55 2018 -0800

    restructure app_probe_test working for both.

commit 7142e96ed8a3200fc91bc73aee86d471117232fc
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 13:19:41 2018 -0800

    starting to work on serious test

commit a3dfb97b4ec4de375984c2a17eb4374bc1c5046a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:50:19 2018 -0800

    prototyping get familiar with the test.

commit 51659dacbc569f4532dc6a37b2091f39c7cf115b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:05:51 2018 -0800

    wip for adding test.

* resolve appprobetest.

* update the golden due to another injector change.

* remove unnecessary files in this pr.

* remove the test framework change.

* remove unnecessary testdata file.

* wip for adding health check test app.

* wip very hack working solution app deployed

* finally test starts working

* make sure the test works if and only if the helm flag is turned on.

* refactoring

* small adjustment.

* DeepCopy used.

* working test only healthcheck test.

* remove inline policy

* change RegisterHelmValueOverrides.

* unnecessary change.

* Finish HelmValueMap refactor.

* some cleanup.

* clean up.

* flags helm values takes higher priority.

* fix the lint.

* address comments.

* revert changes on HelmValuesMap.

* wip getting helm customizable with new configuration api.

TODO: testing by rebuild image.

* fix the helm value passing overrides.

* wip the app is deployed but not ready and still finishes...

* wip apps configuration not take effect.

* working version of apps configuration.

* clean up some debugging log.

* test documentation.

* WIP changing deploymentFactory to KubeApp.

* verify test works.

* clarify kubeappsconfig doc.

* get the test pass, no apps configuration yet.

* get test working.

* clean up on apps/kube.go

* few clean and update readme doc.

* change the overrides by func callback.

* fix the typo.

* fix the comments.

* Hide ServiceAccounts from PushContext log (#12702)

* Configure localityLbSetting in values.yaml (#12683)

* Configure localityLbSetting in values.yaml

* Update docs

* Fix concurrent map access (#12706)

* Remove when: always from CircleCI configuration for integration tests. (#12679)

This causes the integration tests to run, even if the previous steps fail.

* Removed unused code from EDS (#12221)

* Should not add a worker in GoroutinePool construction func (#12619)

* GoroutinePool does not add a worker in construction func

* fix ut

* remove redundant code (#12656)

* remove redundant k8s discovery code

* remove redundant

* Configure logging level in proxy and control plane (#12639)

* configure proxy log level via helm values for sidecar and gateways

* configure istio control plane log level via helm

* Put back a couple settings for Kiali that were accidentally deleted. (#12472)

Some Kiali settings were accidentally deleted when the new installation options for
release-1.1 were published. This is because these settings were commented out in
the values.yaml file for kiali under istio/kubernetes/helm/istio/charts/kiali.

Bug:#3660

* remove to be deprecated critical pod annotation. (#12657)

* remove to be deprecated critical pod annotation.

* fix ci.

* Adding timeouts in Galley processor tests (#12701)

* Adding timeouts in Galley processor tests

This is to help in debugging #12628.

* making await method private

* add pod antiaffinity. (#12691)

* add pod antiaffinity.

* fix gateways issue.

* add pod antiaffinity to helm test pod.

* remove local test file.

* apply comments.

* Adding galley test for sidecar config validation (#12247)

* Adding galley test for sidecar config validation

Test cases related to PR #12233

* Using istio-system as namespace for resource

* Collect details/artifacts for failed tests in Prow. (#12753)

* Add infrastructure to document env var usage. (#12727)

- Introduce the pkg/env package containing a few functions to query environment
variable values. It keeps track of the variables requested so they can be documented.

- Extend pkg/collateral to recognize and output the environment variables used in the
process. This is what is needed to make this stuff show up on istio.io.

- Update all relevant call sites to use the new infrastructure. It's still missing
descriptions for all the variables, that'll be up to component authors. I'll file
issues to get that work done.

- Fixed bugs in the node_agent_k8s code that was using env vars as the default for
Cobra command-line arguments, resulting in potentially variable default values
produced in the generated docs. Default values need to be static.

* Enable more linters. (#12751)

- Flip on a couple more linters

- Fix a bazillion warnings produced by these linters,
along with many warnings produced by other not-yet-enabled
linters.

- Fix pkg/version so the tests compile on Mac. This broke a while
back, preventing the linter from running to completion on the Mac.

* Convert galley to reload files via SIGUSR1 or a ctrlz handler (#11617)

* Convert galley to reload files via SIGUSR1 or a ctrlz handler

* Fix ctrlz shutdown not to block

* Disable the mtls_healthcheck test until it can be fixed. (#12775)

* Change IP addresses to show up as strings in label maps in accesslog (#11740) (#12502)

Change IP addresses to show up as strings in http req  in accesslog

Fix lint errors

Fix lint errors

Use stringify function

Updated based on feedback

* upgrade prometheus version. (#12781)

* Wait for endpoints of policy backend, before trying to use it. (#12763)

* Wait for endpoints of policy backend, before trying to use it.

* Minor fix to the structure.

* Add wait logic for waiting Galley to come online.

* Fix minor bug.

* Rename the method so that it is clear what it is doing.

* Add additional constraint check.

* Remove redundant write header (#12731)

Write already writes 200 status code, so this wasn't needed. This caused
unneeded logging every time it was called.

* Tell Kubernetes that Istio validation has no side effects (#12670)

* Tell Kubernetes that Istio validation has no side effects

* Add integration tests for --server-dry-run

* Report version of kubectl and server

* Version check error

* Undo --server-dry-run tests which require K8s 1.12 or higher

* fix uds socket (#12688) (#12802)

* uds fix

* readonly

* mixer: switch to simplified config model (#12689)

* take 2 compiled instances

Signed-off-by: Kuat Yessenov <kuat@google.com>

* try with apa

Signed-off-by: Kuat Yessenov <kuat@google.com>

* quota failure

Signed-off-by: Kuat Yessenov <kuat@google.com>

* false signal?

Signed-off-by: Kuat Yessenov <kuat@google.com>

* more crds

Signed-off-by: Kuat Yessenov <kuat@google.com>

* nil params

Signed-off-by: Kuat Yessenov <kuat@google.com>

* patching config

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove stale command

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix destination host validation (#12804)

* Implement AuthorizationPolicy with workload selector. (#12050) (#12667)

* WIP AuthorizationPolicy with selector

* WIP AuthorizationPolicy with selector

* Check if need to use convertRbacRulesToFilterConfig and ignore permissive mode

* Support TCP

* Move new functions for RBAC v2 to rbac_v2.go

* Change the structure and refactor tests

* Put services field check back

* Remove services field validation

* Remove optimization

* Add selector no match test

* [Galley] Adding ServiceEntry synthesis (#12409)

Added a new custom projection that is subscribed to events for k8s Pods, Nodes, Services and Endpoints. These events are absorbed and do not become part of the snapshot. Instead, synthetic ServiceEntry resources are generated and become part of the snapshot.

Partially addresses #10497 and #10589

* Add a linter to prevent use of os.Getenv and os.LookupEnv (#12778)

- Add more unit tests to pkg/env to bring coverage to 100%

- Move existing linter sources from test/util/checker to tools/checker

* Specify istio-init user explicitly (#5453) (#12708)

Istio-init is supposed to be run as a superuser so it can configure
iptables and this is the current default. However many popular Helm
charts typically define a single container pod and specify
`securityContext.runAsUser` on a pod level (rather than the container
level) and that is what istio-init inherits. As the result many Helm
charts aren't working with Istio auto-injection out of the box.

A simple fix would be explicitly setting `securityContext.runAsUser`
for istio-init on the container-level so it takes precedence.

* Removing dependency on the order of returned IP addresses (#12812)

* Removing dependency on the order of returned IP addresses

Allows returned addresses by the default resolver to be in any
order. The first IPv4 address returned by the resolver is used. If
no IPv4 address is found, an IPv6 address is used.

Added more unit tests.

* Making logic for local IP the same as the rest

* Disabling flaky parts of Galley integ test (#12837)

This should deflake the test in #12820. Real fix is coming soon.

* Set SAN as critical for workload certs. (#12838)

* inject sds related param in pilot/mixer deployment (#12809)

* inject sds related param in pilot/mixer deployment

* remove args

* Disabling Mixer tests using the new TF in K8s. (#12848)

* Disabling Mixer tests using the new TF in K8s.

* Make linter happy.

* accommodate PR review comments.

* galley: support optional crds (#12822)

* optional galley crds

Signed-off-by: Kuat Yessenov <kuat@google.com>

* review

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Removing a "TODO" that is not necessary any more (#12841)

Cleaning up the comments.

* mixer: add template CRD flag and set it to false (#12851)

* template CRD flag

Signed-off-by: Kuat Yessenov <kuat@google.com>

* missed a flag

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Zombie cleanup. (#12878)

- Delete a bunch of dead code, dead variables, unused parameters, and
superfluous type declarations.

* Refactor Istio deployment code for clarity and add wait for webhook. (#12888)

* Refactor Istio deployment code for clarity and add wait for webhook
to come online.

* Make linter happy.

* Fix stupid bug.

* Remove accidental file add (#12895)

* Re-enable sidecar_api_test (#12887)

* Re-enable sidecar_api_test

* Remove kube setup

* Fix race condition

* Make Mixer readiness timeout configurable. (#12640)

- Mixer waits for readiness of the config backend. It is currently hard-wired at 30 seconds. This change makes this configurable and sets the default as 2 minutes.
- The pod was being killed because the liveness probe was not starting on time. It is blocked behind other readiness checks. This change enables readiness early on.

* Minor improvements to the test framework. (#12858)

* Add dump support to policy backend.

* Add a suitecontext dir.

* test: add dump pod events function (#12821)

* Fix flush behavior in Stackdriver adapter. (#12853)

* Fix prometheus and citadel connection tests (#12747)

* Fix test-prometheus-connection.yaml: test never failed

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Fix test-citadel-connection.yaml: test never failed

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Fix a bunch more linter items. (#12897)

* delete stale file (#12898)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Run dep ensure

* Implement EnvoyXdsServer graceful shutdown (#12826)

* update api sha (#12862)

* update api sha

* api files

* Add two sample deployments for user guide of Istio Vault integration (#12917)

* Rename types.go to types.gen.go. (#12921)

* Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850)

* Change Ip Address to readable format in accesslog from stdio adapter

* Add a check to validate it's an IP Address before calling ip.string function

* Fix formatting error

* Fix test

* Correct stringify function in instanceUtil.go too for IP address

* Fix based on review

* Fix based on review

* Fix based on review

* Update to latest doc gen tool. (#12932)

* Fix the regular expression that splits the deployment scripts. (#12931)

The script was fixed with a start-line anchor during the merge of 1.1.
However, the regular expression in Go is not multi-line.

* Add labels to the test framework. (#12819)

* Add basic label support to the test framework.

* Refactor test framework surface area to use fluent-style.

* Apply labels to CircleCI tests & stable integration tests.

* Add early exit support to avoid running setup functions when the label
set can never match.

* Add Citadel tests as presubmit tests.

* Remove environments from label usage.

* Fixup some of the label usages, and convert some of the test entry points.

* Fixup label usage.

* Redisable sidecar tests.

* Accommodate PR feedback.

* Accommodate CR feedback.

* Add more CR fixup.

* Introduce pkg/annotations (#12909)

- pkg/annotations lets us track the annotations used by the calling process.

- pkg/collateral now outputs annotations if there are any. This will make annotations
show up on istio.io

- Adjusted how pkg/collateral handles deprecated environment variables to match how we
handle deprecated fields in protos (by coloring them differently on istio.io)

- Added another test to pkg/env to cover a case I missed originally.

- Updated the sidecar injector and pilot to use pkg/annotations.

- Fixed some invalid HTML generated by pkg/collateral.

I'll file an issue to get descriptions added for the annotations.

* remove unused pdb in remote values. (#12943)

* prevent duplicate inbound listeners (#12937)

* [Galley] Fix race in runtime strategy (#12927)

This addresses a race condition that seems to only occur when using a very low timerFrequency (e.g. 1 microsecond) on a slow machine (e.g. prow). Under these conditions, the strategy can encounter a race condition when creating the timer. The code was setting the `timer` variable to the result of time.AfterFunc. However, due to the extremely low frequency used, the AfterFunc was invoking its handler, `onTimer` before returning. This led to accessing an uninitialized `timer` value.

This PR swaps out AfterFunc for NewTimer. The use of time.Timer is now abstracted behind the `asyncTimer` object, which provides the semantics needed by the strategy. Now strategy.timer is set before it is started, avoiding the race.

Fixes #12628

* Adding unit tests for sidecar scope (#12184)

* Adding unit tests for sidecar scope

* Removing unused variable

* linters: enable errcheck (#12933)

* enable errcheck

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add maligned to exceptions

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Istio does not use Cluster_LOGICAL_DNS, so remove it (#12905)

* Istio does not use Cluster_LOGICAL_DNS, so remove it

* clean up LOGICAL_DNS in comments

* Clean up Helm README (#12914)

The README has outdated information on the values, we should just defer
to istio.io which is up to date. Additionally, we should point users to
istio.io which has up to date install instructions.

* 'istioctl experimental dashboard' command to show add-ons and sidecars (#12627)

* 'istioctl experimental dashboard' command to show add-ons and sidecars

* Test cases, output of URL, use of Cobra output stream

* Refactor code into istioctl/pkg/kubernetes

* Refactor to expose PortForward stop channel

* Validate new mixer CRDs (#12918)

* Validate new mixer CRDs

* Add templates and adapters

* Test cases for new mixer CRDs

* Add environment variables to allow configuring bookinfo hostnames (#12646)

* Allow bookinfo hostnames to be configurable

- add DETAILS_HOSTNAME, RATINGS_HOSTNAME, REVIEWS_HOSTNAME environment
variables to configure hostnames. Defaults to details, ratings, reviews
respectively

* Bump bookinfo sample to 1.11.0

* Update expected outputs for bookinfo tests

- this is not related to our PR, but the tests were failing
- the apps were changed, but images were not rebuilt

* Add edsClusters should be atomic (#12942)

* Add edsClusters should be atomic

* fix lint

* properly report errors on failure (#12945)

The CI Infrastructure times out after 10 minutes of no activity.  In
one of the test case runners, 10 minutes is specified causing the CI
timeout to flush any debuggable output from the checks.  This results
in an inexact error result to be returned.

Instead a vague response about the test case timing out is reported,
resulting in confusion for the PR authors.

The typical max I was able to achieve was ~230 seconds, but I trimmed
to 3 minutes so the test case fails in all conditions and properly
reports the errors.

* Hoist exemptLabels to top-level, so that they can apply to prs as well. (#12902)

* [mixer-e2e-test] add retry to prometheus query in check cache test (#12680)

* check cache test sleep longer

* use retry instead of longer waiting

* reword error message

* Fixing typos in unit tests (#12661)

Redoing PR #12035

* respect locality weight set from ServiceEntry (#12714)

* respect the lb weight setting from users

* add ut

* fix golint

* add locality lb setting test

* fix lint

* update test case

* update test case

* lint

* sidecars with workload selector takes precedence over namespace wide one (#12831)

* Auto bind to services for Sidecar listeners with specific ports (#12724)

* auto bind to TCP services for egress ports in Sidecar

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* fix test

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* minor patch (#12963)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Cleanup gateway vhost config gen (#12847)

* check match direction

* Cleanup http route generation

* undo pickMatching change

* golangbot comments

* address review comments

* fix validation bug

* gofmt

* check for intersection duplicates

* Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916)

* Add wildcard route fallthrough

Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port.

Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there
is already an http service. This is misleading, as it can be conflated
with a 404 error returned from the actual service. When in REGISTRY_ONLY
mode, we instead return a 502 error to indicate the request is blocked.

* add unit tests

* Remove node-level flag

* Fix tests

* Support PKCS#8 private keys. (#12972)

* Support PKCS#8 private keys.

* Small fix.

* Fix LB weight setting for split horizon eds (#12560) (#12827)

* lb weight for split-horizon-eds should be set correctly

* fix ut

* rename

* fix ut

* fix lint

* fix lint

* Restore dump_kubernetes.sh function on OSX (#12159)

* Fixes for Bash 3.x and detecting non-running pods

* Address shellcheck warnings

* Remove Robert Li from tests OWNERS file (#12946)

Robert has had a change in employment and can no longer contribute to
Istio.

* remove unnecessary namespace for webhook configuration (#12981)

* remove deprecated mcpServerAddrs flag (#12954)

* remove deprecated mcpServerAddrs

* fix ut

* support ip:port format configSource

* fix ut

* fix ut

* support proxy https app probe (#12872)

* support proxy https app probe

* add ut

* fix ut

* add webhook inject test

* fix test

* fix comments by incfly

* Allow some time for the configuration propagation (#12865)

* Allow some time for the listeners config propagation

* change to use watchDiscovery

* samples/bookinfo: easier access to logs (#12584)

* Use shorter namespace prefixes. (#13001)

* Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850) (#12936)

* Change Ip Address to readable format in accesslog from stdio adapter

* Add a check to validate it's an IP Address before calling ip.string function

* Fix formatting error

* Fix test

* Correct stringify function in instanceUtil.go too for IP address

* Fix based on review

* Fix based on review

* Fix based on review

* Update integration test env flag (#12977)

The flag should be "kube" not "kubernetes" but it was not updated in
some places before.

* Support inline role definition in AuthorizationPolicy (#12849)

* Don't fill test logs with "no previous log" (#12857)

This isn't a real error, but it is misleading in the test output. We
have no reason to output all of these errors that there is no previous
container to get logs from.

* mixer: delete old style CRDs from installation (#12710)

* delete old style CRD from installation

Signed-off-by: Kuat Yessenov <kuat@google.com>

* disable galley from listening to old style CRDs

Signed-off-by: Kuat Yessenov <kuat@google.com>

* more hardcoded yamls

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging default install

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix fmt

Signed-off-by: Kuat Yessenov <kuat@google.com>

* keep galley pipeline

Signed-off-by: Kuat Yessenov <kuat@google.com>

* disable resource ready

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete debugging line

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fixing testdata

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete deprecated configs

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove declarations

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete more yaml

Signed-off-by: Kuat Yessenov <kuat@google.com>

* merge fix

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Add tests for the effect of mTLS setting to reachability (#11624)

* Reachability test in new integration test framework

* Add test for port specific policy

* Expose KubeApp interface and move EndpointForPort to that instead

* Use the retry.UntilSuccess from framework

* Change to UntilSuccessOrFail instead of UntilSuccess

* remove deprecated code (#13005)

* remove deprecated code

* remove dep

* Add examples/documentation for the test framework. (#13000)

* Add examples/documentation for the test framework.

* Add more prose about test lifecycle.

* Fix typo.

* Fix typos.

* fix retry loop in mixer crd watch (#13003)

* first change to apps/v1 for Install (#13015)

* first change for install

* appsv1

* indention

* use only ipv4 for pilot and zipkin (#12997)

* do ipv4 lookups for pilot and zipkin

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* update goldens

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* small fix for imports (#13013)

* remove old mcp stack (#12092)

* remove old mcp stack

* remove legacy mcp server from galley

* fix server build

* fix linter

* remove unused code in journal.go

* fix build

* s/server/source

* fix linter errors

* Exclude Prometheus traffic in rule so that Kiali does not show it. (#12251)

* [Galley] Fix race in strategy shutdown. (#13004)

* [Galley] Fix race in strategy shutdown.

The Close() logic was holding onto the state lock, which can race with worker thread. Specifically, the worker thread could be in a call to onTimer awaiting the lock, which would never be acquired since the Close() method is stuck waiting for the stopped channel to close.

* cleaning up reset logic to avoid holding on the stateLock

* Add instructions and scripts to facilitate running E2E tests locally using KinD (#12641)

* Adding check/install go in both macOS and Linux.

* Install go if not installed.

* Adding support to run e2e test on KinD locally.

* Adding the ability to run e2e tests locally on KinD.

* Update install_prereqs_debian.sh

* Update setup_test.sh

* Adding the ability to run e2e test on KinD
for presubmit test.

* Presubmit e2e test on KinD.

* Adding the ability to run e2e_simple presubmit on KinD

* Adding README file for testing on KinD locally.

* Revert the changes on adding install_go function.

* Revert install_go in common_macos.sh

* Revert the file changes of deleting newline.

* Reverting the changes.

* Addressing reviews.

* Fixing shellcheck

* respect locality weight set from ServiceEntry (#12714) (#13012)

* respect the lb weight setting from users

* add ut

* fix golint

* add locality lb setting test

* fix lint

* update test case

* update test case

* lint

* Add documentation about -p 1 for integration test framework. (#13032)

* Reduce logs in security/pkg/nodeagent/sds/ (#13035)

* Reduce logs in security/pkg/nodeagent/sds/

https://github.com/istio/istio/issues/13033

* Count the log output times

* Revise the PR based on review comments

* move pkg/mcp/configz to pkg/mcp/configz/client (#12982)

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Restore TestMtlsHealthCheck in postsubmit, prow. (#12969)

* restore test to debug.

* add presubmit label to the test for triggering.

* change to only run in postsubmit.

* remove postsubmit label just comment.

* Enable more linters and fix warnings/errors (#12993)

* Cherry pick cert file config from master to release-1.1 (#12707)

* Cherry pick from master: Configuration:  no longer hardcode mesh certs (#12189)

* Configuration: Pilot-Agent: no longer hardcode certs to watch. Pilot-Discovery: no longer hardcode Envoy listener cert paths.

* Address demands of golangcibot overlord

* Change usages of github.com/stretchr/testify/require to github.com/stretchr/testify/assert

* Address code style violation

* Revert temporary api changes. Set cert paths in envoy node metadata and use them when setting up listeners

* Use envoy node metadata cert paths (if available) when constructing clusters

* Rename constants to make golint happy

* Fix imports

* Ignore ordering in test

* Pass around proxy instead of proxy.Metadata

(cherry picked from commit 7c342741df9bd4e313420b4d17e279089d8956da)

* goimports file

* Allow limiting Citadel to marked namespaces only (#12289)

* Allow limiting Citadel to marked namespaces only

- add command line flag to require explicit opt-in to secrets (defaults to false to retain current behavior of always create)
- extend secret controller to consider namespace labels (reuses existing 'istio-injected=enabled')
- modify unit tests to retain previous behavior (i.e., always create secrets, explicit opt-in not required) and account for additional namespace access

* removed left-over debug print, check enable only when explicit opt-in is required

* reverting k8s actions in tests: namespaces no longer checked when explicit opt-in is false

* unit tests for checking labels and behavior

* Namespace specified in command line is explicitly enabled

- save namespace specified in the `--listened-namespace` option on the controller (allow multiple to prepare for r1.1)
- check SA namespace against explicit namespaces

* use dedicated label name to avoid overloading the injection label

* use istio-managed label in tests

* clarified explicit-opt-in is relevant for keys and certificates provided via a volume mount

* refactor istio managed object test to a function so it can be called from secret deletion handler as well

* fix left over istio-injection label in tests

* manual merge fix

* appsv1 galley (#13047)

* Add support for datadog tracing (on release-1.1 branch) (#12687)

* Add support for datadog tracing.

Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com>

* Use $(HOST_IP) instead of special-casing empty address value

Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com>

* add param to sidecar to ignore iptables changes (#12829)

* add param to sidecar to ignore iptables changes

* rephrase description

* samples/bookinfo: migrate `apiVersion` of deployments to `apps/v1` (#13030)

* fix validation logic so that port.name is no longer a valid PortSelector (#13054)

* [Test Framework]: Galley support for deleting config (#13037)

In order to properly support deleting resources, it was necessary to revisit how ApplyConfig is done as well.  Previously, apply would just blindly copy the yaml to a new file in the configDir. The assumption was that the resource was always being "added" (rather than updated). I'm not certain what would happen if two resources appeared with the same name/namespace.

This PR generalizes (and fixes) the way resources are handled so that it's not concerned with files, but rather the underlying resources. The code now parses the top-portion of the yaml to properly identify each resource.  Once identified, the code now properly updates resources by writing back to the file where the resource was found.  Deletes are similar, where the original resource in the file is replaced with "" (empty files are removed).

* Support controlz for mcp server (#12980)

* Support controlz for mcp server

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* fix lint error

* Address review comments

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* generalize artifact injection into Docker images (#12203)

Instead of just adding LICENSES.txt only, also optionally add in the
source code as well, gating on the new EXTRA_ARTIFACTS and
EXTRA_ARTIFACTS_CNI environment variables.

Change-Id: Iab8fadfbcbbaa8906491e12324fae20185d9f33e

* Keep going when problem happens checking remote version (#13060)

* remove deprecated show-all flag (#13053)

* Add x alias to experimental istioctl command (#11801)

* Add x alias to experimental istioctl command

I'm super lazy and experimental is far too much effort to type

Signed-off-by: Liam White <liam@tetrate.io>

* Add exp as an additional alias

Signed-off-by: Liam White <liam@tetrate.io>

* Correct the app label for Gateway (#12693)

* update selector for gateway

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix build fail

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* Update tracing_datadog_golden.json (#13082)

* Fix small typo (#13089)

can useful -> can be useful

* Add jitter in CSR request (#12805)

* Add jitter in CSR request

* Add log

* Fix comments

* Fix test

* Fix test

* Fix comment

* Allows cleanup.sh to run non-interactively when in terminal (#12635)

This change allows cleanup.sh to run non-interactively in standard terminals.
For example: NAMESPACE="test123" ./cleanup.sh

* 'istioctl proxy-config clusters' cluster type column rendering (#12458) (#12730)

* update sds secret mount. (#12733)

* Copy data from right place (#12762)

* Fix updateClusterInc for overlapping ports (#12766)

* Fix updateClusterInc for overlapping ports

It is possible that a service will have multiple ports, with the same
port number. The typical example here is kube-dns, which uses port 53
for UDP and TCP. When we do an incremental push, we would select the
first port to match the port number, which would sometimes cause us to
ignore the correct port. This fix searches through all matching ports.

* Ensure port number matches as well

* Add unit tests

* remove dead code

* enable default sidecarscope (#12832)

* [Galley] Fix for ServiceEntry event ordering (#12890)

The integration test was encountering this, exposing a real bug. If nodes/pod events occur after service/endpoints (which should generally be unusual) then it is possible to have a ServiceEntry missing pod/node information (e.g. locality).

Fixes #12820

* Adding sha for istio/tools to manifest.txt for future automation of perf tests (#11706)

* Copy helm data from the right place (#12808)

* Refactor solution based on Costin's feedback (#13027)

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Enable more linters and fix warnings/errors (#13061)

* Making tags requirement same as those in Kubernetes (#12852)

* Making tags requirement same as those in Kubernetes

Changing validation check to make sure non-empty tags start with an
alphanumeric character

* Validating label keys are not empty strings

Allow empty string for label values
Do not allow empty string for label keys

* Added certmanager flag into helm chart values.yaml (#12953)

* Added certmanager flag into helm chart values.yaml

* Moved certmanager configuration

* Pilot [networking]: Add upstream idle_timeout to cluster definition (#13066)

* adding upstream idle_timeout to cluster definition.

* reverting vendor changes before running dep ensure again.

* running dep ensure update on api from master.

* controlPlaneMtls renamed to controlPlaneSecurityEnabled (#13141)

* Patch #12805 to master (#13104)

* Patch #12805 to master

* Fix lint

* Fix HelmDelete command (#12515)

* Fix HelmDelete command

HelmDelete was called with the namespace it needs to be called
with a chartname.  Also created a constant to make it more
obvious when called by the other Helm related commands.

* Fix typo

* Goimports fix

* ight modification path (#13148)

* Allow overriding of registry locality (#13077)

Also fixes bug where non-kube envs could override to something that parsed incorrectly

Signed-off-by: Liam White <liam@tetrate.io>

* mixer: add support for standard CRDs for compiled-in adapters (#12815)

* cherry pick subset of https://github.com/istio/istio/pull/12689/

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add support for compiled in adapters

Signed-off-by: Kuat Yessenov <kuat@google.com>

* patch log line

Signed-off-by: Kuat Yessenov <kuat@google.com>

* parse cert to get expire time  (#13145)

* parse cert

* cleanup

* unit test coverage

* missing file

* address comments

* rebase and address comment

* Installing istio for perf testing (#13159)

* Perf scripts

* gsutil

* WD

* perf running and getting metrics

* Perf

* perf

* perf

* Perf

* remove

* qq

* Appsv1 pilot (#13050)

* appsv1 for Pilot

* appsv1 for Pilot

* appsv1 for Pilot

* dep update

* fix test

* fix test

* fix test

* fix test

* fix test

* typo

* typo

* typo

* typo

* typo

* update go-control-plane (#13154)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* added sidecar.istio.io/rewriteAppProbers annotation (#13112)

* pilot: registered sidecar.istio.io/rewriteAppProbers annotation

* pilot: checked from sidecar.istio.io/rewriteAppProbers too

* pilot: added webhook inject tests

TestWebhookInject_http_probe_rewrite_enabled_via_annotation case is a modification of TestWebhookInject_http_probe_rewrite case.
The difference is rewriteAppHTTPProbe is false in template, but set to true in annotation.

TestWebhookInject_http_probe_rewrite_disabled_via_annotation case is a modification of TestWebhookInject case.
The difference is rewriteAppHTTPProbe is true in template, but set to false in annotation.

* fixed linter issue in test

* added http probe test for kubeinject case

* added tests and fixed login upon checking RewriteAppHTTPProbe setting

* Add more tests in app_probe_test.go

* renamed RewriteAppProbers to RewriteAppHTTPProbers

* fixed test case for webhook injection

* add description to rewriteAppHTTPProbers annotation

* updated tests in app probe to sync with recent master change

* change validateBool to alwaysValidFunc as per review

* Export inject.injectionData() (#12426)

* Registrator should use master version (#13083)

* dependencies: update cel-go and remove protoc-gen-docs (#12711)

* experiment with COMPAT

Signed-off-by: Kuat Yessenov <kuat@google.com>

* get errors

Signed-off-by: Kuat Yessenov <kuat@google.com>

* get errors

Signed-off-by: Kuat Yessenov <kuat@google.com>

* stop validation

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove hack

Signed-off-by: Kuat Yessenov <kuat@google.com>

* testing

Signed-off-by: Kuat Yessenov <kuat@google.com>

* only access log

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add runtimeconfig

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add a benchmark

Signed-off-by: Kuat Yessenov <kuat@google.com>

* cel_perf

Signed-off-by: Kuat Yessenov <kuat@google.com>

* update cel

Signed-off-by: Kuat Yessenov <kuat@google.com>

* update examples

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove unnecessary dependencies

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fixing copy for helm, one more time. (#13186)

* Run goimports on generated file (#13195)

* Enable disabled mixer tests in New Test Framework (#13151)

* Enable disabled mixer tests in NF

* Change tests config to new style

* Change tests config to new style

* Change tests config to new style

* Fix config for native policybackend

* Fix report test

* Reduce Pilot resource requests for demo (#12477)

* Reduce Pilot resource requests for demo

* Add limits as well

* Added data source for Galley dashboard (#13041)

Fixes: #13040

* fix values for pod anti-affinity. (#12798)

* Add sensible defaults to istio-gateways (#12315)

* report succeed after validation (#13165)

* report succeed after validation

* review comments

* Change exposed port of istio-pilot in consul (#13170)

`15003` and `15005` are never used in pilot under consul env. It would be confusing to expose the two ports. Instead, 
```
   --grpcAddr string                     Discovery service grpc address (default ":15010")
   --secureGrpcAddr string               Discovery service grpc address, with https (default ":15012")
```
we know `15010` and `15012` are still in use.

* Cherrypick: Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916) (#12973)

* Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916)

* Add wildcard route fallthrough

Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port.

Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there
is already an http service. This is misleading, as it can be conflated
with a 404 error returned from the actual service. When in REGISTRY_ONLY
mode, we instead return a 502 error to indicate the request is blocked.

* add unit tests

* Remove node-level flag

* Fix tests

* Use new env var framework

* Fix long line

* Run format and linter

* CEL checker mutex (#13192)

* checker mutex

Signed-off-by: Kuat Yessenov <kuat@google.com>

* deadlock

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Integration testing for Locality Load Balancing  (#13084)

* Initial testing functionality

Signed-off-by: Liam White <liam@tetrate.io>

* appease the linting gods

Signed-off-by: Liam White <liam@tetrate.io>

* Fall back to bootstrap locality as a last resort

Signed-off-by: Liam White <liam@tetrate.io>

* Move service instance check after we set them...

Signed-off-by: Liam White <liam@tetrate.io>

* Add EDS test

Signed-off-by: Liam White <liam@tetrate.io>

* Reorganise tests to run in parallel

Signed-off-by: Liam White <liam@tetrate.io>

* Move to pilot directory

Signed-off-by: Liam White <liam@tetrate.io>

* minor Infof fixes

Signed-off-by: Liam White <liam@tetrate.io>

* fix package name

Signed-off-by: Liam White <liam@tetrate.io>

* Increase propagation sleep and add warning

Signed-off-by: Liam White <liam@tetrate.io>

* [test-framework] Support helm values containing spaces (#13127)

* Support helm values containing spaces in integration test framework

For a helm template command,
e.g., "helm template --set key1=value1 --set key2=value2",
the existing integration test framework assumes the values do not
contain spaces and splits the command argument using the
space character before executing the helm command.
Thus, the existing implementation does not support
helm values (e.g., certificates) containing spaces.
This PR adds the support of helm values that contain spaces.

* Revised to use array based on review comments

* Adding servicegraph testing to postsubmit (#13190)

* Adding servicegraph testing to postsubmit

* m

* perf

* change

* pod

* fix

* Adding E2E Test for kiali (#11448)

* Add Kiali E2E Test

* Minor Fixings on Kiali E2E Test

* Remove unused mixer.enabled value (#13214)

This is not a functional change; this value is never used so it is
misleading/confusing. mixer.policy.enabled and mixer.telemetry.enabled
are used.

* Adding aliases for OWNERS (#13194)

* Fixing copy for helm, one more time.

* Adding aliases for test group. Setting up labels and no parent_owners

* prow

* owners

* Fixing helm order (#13224)

* Fixing copy for helm, one more time.

* Fix order of the helm command

* fix lint (#12988)

* update certificates with expiration time 100 years (#13233)

* update certificates with expiration time 100 years

* update testdata/local/etc/certs

* fix original destination bug (#13011)

* fix original destination bug

* add ut

* align init role label. (#13172)

* Remove --platform option (#13187)

* Fix #10380: Remove hardcoded sidecar template for istioctl kube-inject (#10830)

* Remove the hardcoded sidecar template for

* Remove deprecated flags in istioctl kube-inject

* update testdata after rebase

* add rule for kubeinject.go in codecov.threshold

* push client the new root cert when it's changed (#13163)

* refresh root

* refresh root

* unit test

* add logs

* address comment

* more comment

* address comment

* Implement `role` field in AuthorizationPolicy  (#13181)

* Add check for role in ServiceRoleBinding

* Implement global role

* Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow (#13199)

* Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow

Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow.
The mutual TLS connection uses the certificates issued by SDS-Vault CA flow
and SDS-Citadel CA flow.

* Use the flag EnableCDSPrecomputation()

* Address review comments

* Ignore missing resources on kubectl delete (#13225)

This makes it so tests won't fail on cleanup for resources that are
already deleted.

* [Testing] Cleanup PortForwarder (#13250)

* Add generated LICENSES.txt to gitignore (#13209)

* remove myself from owners (#13231)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add upstream_transport_failure_reason to access log (#12434)

* add upstream_transport_failure_reason to access log

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* update proxy to latest

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fix

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fix format

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* Fix integration test errors and refactor security integration tests (#13253)

* Fix integration test errors and refactor security integration tests

- Fix the failure of integration tests when --istio.test.nocleanup=false,
which is the default test setting. The failures of integration tests when
--istio.test.nocleanup=false are caused by that the errors during
cleaning up tests are treated as test failures while the actual tests
have succeeded when --istio.test.nocleanup=true.
- Organize security integration tests under testss/integration/security.
- Refactor the code to share common utility functions and remove
duplicate code.
- Misc fixes.

* Address review comments

* Use a const to represent the test policy directory

* Address review comments

* Fixes the multicluster e2e test (#13246)

The secret was being created after the apps were
deployed on the remote. This caused the test
to never think the apps successfully deployed since
the envoy sidecar was continually restarting.

* pre-check: fix a logic error (#13278)

`getNameSpace()` always returns an object, even if namespace does
not exist. Checking the error status is safer.

* Remove kubectl from dockerfile prereqs since it pulls it (#13256)

* Fixing EDS unit tests (#12995)

The current EDS test is incorrect and passes because the check calls time
out rather than successfully completing. This PR fixes the problem and
adds one more test.

fixes issue #12994

* rbac: fix a data race in listener generation (#13308)

* Include js/css files into static folder (#12983)

* Include js/css files

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Append version to file

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* ignore assets.gen.go in code coverage

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* remove assets.gen.go from codecov test

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* remove skipped test from .cov file

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix check shell issue

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix shell check issue

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Fix galley integration test race (#13303)

* [Test Framework] Integrate apps with Galley (#13115)

The most recent refactoring broke the apps component when Pilot is being used with Galley. The apps register their services with the ServiceManager directly. When Pilot is configured with Galley, however, it doesn't use the ServiceManager, which means that the app services are never properly registered with Pilot.

- Changed the Pilot and Apps component to require Galley to be configured, to avoid confusion.

- Removed the ServiceManager altogether - Galley is used for service registration.

Fixes #13090

* Fix again helm copy, was reverted during merge from release 1.1 (#13337)

* Fixing copy for helm, one more time.

* Fixing copy again for master

* Update OpenShift dependencies; Drop [deprecated] legacy schema (#13160)

* Extend istioctl mocking library to allow mocking of authn etc (#13118)

* Fixing iptables ranges (#13291)

* Fixing iptables ranges

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fix shellcheck errors

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fixing ci failures #1

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fixing ci failures #2

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com…
lei-tang added a commit that referenced this pull request Apr 23, 2019
* Drop log level for missing service account for spiffe uri (#12239)

* Don't require service account for spiffe

Some kubernetes pods don't have a service account. This causes a log
flood that the spiffe url is invalid, but this doesn't actually have any
negative impact. We can just make it not an error to have no service
account.

* Revert "Don't require service account for spiffe"

This reverts commit e88ff187963e97949d3b81c3575b997ddd7e7a6f.

* Just drop error -> warn

* Fix tests

* Drop log level

* [Authz v2] Add additional fields for bindings and validation. (#11800) (#12460)

* Adding additional fields for bindings and validation. (#11800)

* Implement namespaces for ServiceRoleBindings

* Implement not_namespaces and refactor

* Implement not_ips

* Implement ips (no unit tests)

* Add a unit tests for ips for ServiceRoleBinding

* Implement groups and not_groups for ServiceRoleBinding

* Implement names and not_names

* Check for duplicated definition in constraints/properties and first-class fields

* Disallow using * in names or not_names to prevent ambiguity

* Disallow using * in names or not_names to prevent ambiguity

* Refactor additional fields for bindings

* Update validation.go

* Update validation.go

* enhance verify install command (#12174)

* enhance verify install command

* fix lint

* fix lint

* configure prometheus to monitor citadel. (#12175)

* Add namespace scoping to the Gateway 'port' names (#11509) (#12500) (#12556)

* Add namespace scoping to the Gateway 'port' names (#12500) (#12500)

Currently in order to configure ingressgateway to do TLS termination
using multiple secure virtual hosts with different certificates Istio
requires Gateway 'port' names to be globally unique (i.e. distinct).
I.e. two gateways cannot have secure port named 'https' even if they
reside in different namespaces. Behavior in such case is undefined.

This breaks namespace isolation as a user creating a Gateway in one
namespace might not have access to other namespaces hence can't
if the port name is already 'taken'. Behavior in such case is undefined
and likely to render other virtual hosts unavailable.

This change adds namespace scoping to Gateway port names by appending
namespace suffix to the HTTPS RDS routes. Port names still have to be
unique within the namespace boundaries, but this change makes adding
more specific scoping rather trivial.

* Increase Gateway 'port' names scoping granularity

* Minimal changes to make locality lb not sigsegv (#12649)

* Locality label istio-locality in k8s should not contain `/`, use `.` (#12592)

* Locality label istio-locality in k8s should not contain `/`, use `.` instead

* fix comments

* Only use gateways for servers being processed (#12663)

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* Propagate Envoy Metrics Service Config (#12569)

The plumbing for propagating the envoy metrics service address config is missing a step to copy the given address to the config object that is passed on to the template renderer.

* mixer: add directive demo adapter (#12505)

* finish demo

Signed-off-by: Kuat Yessenov <kuat@google.com>

* printf

Signed-off-by: Kuat Yessenov <kuat@google.com>

* publish keyval

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding sidecars to validating webhook configuration (#12233) (#12643)

Addresses issue #12193

* Cleaning up Unit tests for RDS (#12581)

Added a new case and cleaned up the existing test cases.

* switching deployment to v1 api (#10578)

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Cleanup Galley OWNERS file. (#12676)

* fix uds socket (#12688)

* uds fix

* readonly

* Add unit test to cover multiple different locality case (#12388)

This PR only increases test coverage. Does not impact functionality.

Signed-off-by: Liam White <liam@tetrate.io>

* Build 1.1.1 (#12690)

* Fix LB weight setting for split horizon eds (#12560)

* lb weight for split-horizon-eds should be set correctly

* fix ut

* rename

* fix ut

* fix lint

* fix lint

* fix typo in default envoy JSON log format (#12473)

* Make release-1.1 changes compatible with master

* Remove extra ingress template
* cherry pick 10578
* reformat
* Update rbac.go to use httpfilter when needed
* Integration framework ensure apiVersion is top level
* Update yaml make target
* Disable setup on sidecar_api_test

* clarified mesh connect timeout fields based on code impl (#12089)

* Testing: configurable ports for Echo (#12681)

The echo component currently assumes a hard-coded list of ports. We eventually want to replace the "apps" component with echo, but in order to do that we'll need to be able to tailor the port configuration for each instance.

* add image pull secrets for zipkin. (#12327)

* Refresh oop handler with connection config update (#12575)

* refresh handler with connection update

* sanitize test error message

* Fixing copying of the data to the bucket during release (#12585)

* Fixing copying of the data to the bucket.

* Small fix

* RM folder in any case

* 'istioctl proxy-config clusters' cluster type column rendering (#12458)

* Make error message explicit (#12675)

* E2E test for health check under mtls using app prober rewrite. (#11531)

* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merging failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 18:13:30 2019 -0800

    renaming env var.

commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 17:59:25 2019 -0800

    finish migrating test to yaml file based.

commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:55:00 2019 -0800

    get test working.

commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:49:58 2019 -0800

    WIP add some test files.

commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:13:06 2019 -0800

    WIP changing to using the environment var.

commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:52:47 2019 -0800

    add todo for the tests.

commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277d7 4b7b13aef
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:47:17 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit ca22277d76ed8d1c1b7c3b44cb05edfe52ccf861
Merge: 98fd48f59 744b07ad2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:34 2019 -0800

    Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip

commit 98fd48f59f748bafe5e8518bff3d8cbfd64a2135
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:00 2019 -0800

    findsidecar.

commit 744b07ad2406d1eb94bcf5492125f91486ad6b10
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 22:29:28 2019 -0800

    add FindSidecar.

commit 40ed002ff6f5dd4afe22afa984384addc1be1104
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 21:55:51 2019 -0800

    refactor some code.

commit 0fdbb2e832b7ac01f3e4ed185763b3b20bfbd2ac
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 18:19:32 2019 -0800

    Integration test works and fixing a bug.

commit 5085dfd0e6cb4f0c9cb5c25e7f24b0b94dec176a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 16:09:13 2019 -0800

    all inject tests pass.

commit fe3f156316c917854c2ef4c163e7e1fb070c4fa5
Merge: a2a774498 010d5c266
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:22:18 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit a2a774498e1021c1ca01c021c071e225fa330407
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:16:04 2019 -0800

    update the TestWebhookInject.

commit 36fd45c074bcc787702a5a9257d23103521f525c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 12:13:21 2019 -0800

    some document

commit 88dc922719e2c4723a334d1d8d959cac361b1ecb
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 11:43:44 2019 -0800

    new version works for kubeinject, webhook unit test.

commit 6efa0d64eca835dd860cdfc37d09ebfe110e083a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 18:17:38 2019 -0800

    WIP working on modifying sidecar.Args first, then modify app container patch.

commit 65a2194ae7a93581f60b56998aeb9480b4a4fde5
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 15:20:36 2019 -0800

    WIP add what's missing to get e2e test working.

commit 1595e871c640cdabead372eada2b17d717fa707f
Merge: 256d9635f ac78a552a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 13:26:05 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 256d9635f4d590936c473bf3be0299064cb9c716
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 12:14:04 2019 -0800

    add some debugging log.

commit f70096334464fd1d59a0e81997e8f0fd6623a564
Merge: bdce72119 c7eb603ee
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 10:57:43 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit bdce72119ef78dab40b750861768c332811b9ee2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 18:04:37 2019 -0800

    refactor to host something up to caller.

commit b51763c21000ba2b7fe9e2bc728783ce530cfe87
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 16:31:32 2019 -0800

    get everything works.

commit 0815695a2fea828f06a31f14ed7795a3b3716111
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:48:27 2019 -0800

    kubeinject test is working.

commit 14c99b58f0212972d42e298fa4185275642d672c
Merge: d626bb85d 5ea79622c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:30 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit d626bb85dee628771f8f41fc90335ac608dea923
Merge: 3561ae0a6 66153da4d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:23 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3561ae0a69350730834e625c0710394968f9fcde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:49:44 2019 -0800

    WIP, policy is not taking effect, test passing without rewrite.

commit a9bef0f01964a14f6ace0da6217d7a36f364b661
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:31:08 2019 -0800

    fix the json path in the patch.

commit f1aee91189e16beb0dadee6c612464b1aa9bad21
Merge: 3a7eb48e6 abc53e120
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 14:03:49 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3a7eb48e6b8e4687ffc38973bf18fca11b06c957
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 13:57:55 2019 -0800

    fix it, removing namespace since metadata not matching will fail for kubeapply

commit 2b120347ae887b8a4aa5f955a1a8cb0bdd46d3da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 11:58:39 2019 -0800

    WIP, debugging why mtls policy is not showed up.

commit 72e9c4e488f875ffea0c3a279403277010160ee1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:24:16 2019 -0800

    working on integration2 test framework.

commit 90c1cce9ddc55ce339aa65eac06602591d3113c9
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:04:38 2019 -0800

    add small comments.

commit 92a0edaa11734d1c6fb1c367fae56dc104c6e676
Merge: 7f5c8cbd8 e45242c0d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 16:43:47 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 7f5c8cbd8d4aa57eaf8f8d739cae6dbfdab0445d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:37:53 2018 -0800

    check rewriteAppProbe separately.

commit e2707c9b8f1b01bd4b03b2c6adb9fc79f0dcb479
Merge: 20f02c045 1ae6b4fde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:01:37 2018 -0800

    Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject

commit 20f02c04563fab9b81b418c00a5455994fda5148
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:59:57 2018 -0800

    duplicate the rewrite logic.

commit 4894cb16804d9c5a0406c2dc1b02e3395be08e64
Merge: 3b3bcbff8 d8c4579fa
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:53:44 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 1ae6b4fde00ae641637d44c0f417f635b6d9a6b1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Dec 17 21:56:51 2018 -0800

    address comments.

commit 3b3bcbff86f982c8abc705518a0fd4ec37bf4840
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:24:33 2018 -0800

    massage comments.

commit ccd670d31ef2c1817f87fe932d6f0d2ed4f609d7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:15:50 2018 -0800

    helm flag is off, so change the expected output.

commit 43522c15d06054e4bb173ab2c37333a4de647c2d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:09:46 2018 -0800

    make webhook support rewriteAppHTTPProbe flag.

commit f60f18f4144482874c1219c7da90e97f19f1172f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 12:03:04 2018 -0800

    fixing the merge typo.

commit 05bbadfd851b3a5ad013e733d6eb5eacf5491b15
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:56:38 2018 -0800

    remove unnecessary changes in test for debugging.

commit a81eacb6892509d8938be8d64f1435cf64e22317
Merge: af1a67989 f6b0ddc30
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:53:07 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit af1a6798988f9fe70e40add2a6d4971efa9b50ed
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 18:07:19 2018 -0800

    fixing all the test.

commit 58d0bef3520037a81db8baa34d6e13849d20af10
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:51:34 2018 -0800

    Get TestInject happy.

commit fcd0ae2f7a6ba2f067f460f4baad2194e517b7f1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:49:42 2018 -0800

    make TestHelmInject happy.

commit 7a3ffc8d8e4b5509e1bbed2facc6e4ba14d70fa0
Merge: fcca1f89a bd1631be3
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:53:01 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit fcca1f89af2fddfc0edb3824982aa0b81390fa6d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:18:20 2018 -0800

    get webhook_test.TestInject working.

commit 06f517cfc4214994be1be848d40b12f09ba8a4b8
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:10:55 2018 -0800

    restructure app_probe_test working for both.

commit 7142e96ed8a3200fc91bc73aee86d471117232fc
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 13:19:41 2018 -0800

    starting to work on serious test

commit a3dfb97b4ec4de375984c2a17eb4374bc1c5046a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:50:19 2018 -0800

    prototyping get familiar with the test.

commit 51659dacbc569f4532dc6a37b2091f39c7cf115b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:05:51 2018 -0800

    wip for adding test.

* resolve appprobetest.

* update the golden due to another injector change.

* remove unnecessary files in this pr.

* remove the test framework change.

* remove unnecessary testdata file.

* wip for adding health check test app.

* wip very hack working solution app deployed

* finally test starts working

* make sure the test works if and only if the helm flag is turned on.

* refactoring

* small adjustment.

* DeepCopy used.

* working test only healthcheck test.

* remove inline policy

* change RegisterHelmValueOverrides.

* unnecessary change.

* Finish HelmValueMap refactor.

* some cleanup.

* clean up.

* flags helm values takes higher priority.

* fix the lint.

* address comments.

* revert changes on HelmValuesMap.

* wip getting helm customizable with new configuration api.

TODO: testing by rebuild image.

* fix the helm value passing overrides.

* wip the app is deployed but not ready and still finishes...

* wip apps configuration not take effect.

* working version of apps configuration.

* clean up some debugging log.

* test documentation.

* WIP changing deploymentFactory to KubeApp.

* verify test works.

* clarify kubeappsconfig doc.

* get the test pass, no apps configuration yet.

* get test working.

* clean up on apps/kube.go

* few clean and update readme doc.

* change the overrides by func callback.

* fix the typo.

* fix the comments.

* Hide ServiceAccounts from PushContext log (#12702)

* Configure localityLbSetting in values.yaml (#12683)

* Configure localityLbSetting in values.yaml

* Update docs

* Fix concurrent map access (#12706)

* Remove when: always from CircleCI configuration for integration tests. (#12679)

This causes the integration tests to run, even if the previous steps fail.

* Removed unused code from EDS (#12221)

* Should not add a worker in GoroutinePool construction func (#12619)

* GoroutinePool does not add a worker in construction func

* fix ut

* remove redundant code (#12656)

* remove redundant k8s discovery code

* remove redundant

* Configure logging level in proxy and control plane (#12639)

* configure proxy log level via helm values for sidecar and gateways

* configure istio control plane log level via helm

* Put back a couple settings for Kiali that were accidentally deleted. (#12472)

Some Kiali settings were accidentally deleted when the new installation options for
release-1.1 was published. This is because these settings were commented out in
the values.yaml file for kiali under istio/kubernetes/helm/istio/charts/kiali.

Bug:#3660

* remove to be deprecated critical pod annotation. (#12657)

* remove to be deprecated critical pod annotation.

* fix ci.

* Adding timeouts in Galley processor tests (#12701)

* Adding timeouts in Galley processor tests

This is to help in debugging #12628.

* making await method private

* add pod antiaffinity. (#12691)

* add pod antiaffinity.

* fix gateways issue.

* add pod antiaffinity to helm test pod.

* remove local test file.

* apply comments.

* Adding galley test for sidecar config validation (#12247)

* Adding galley test for sidecar config validation

Test cases related to PR #12233

* Using istio-system as namespace for resource

* Collect details/artifacts for failed tests in Prow. (#12753)

* Add infrastructure to document env var usage. (#12727)

- Introduce the pkg/env package containing a few functions to query environment
variable values. It keeps track of the variables requested so they can be documented.

- Extend pkg/collateral to recognize and output the environment variables used in the
process. This is what is needed to make this stuff show up on istio.io.

- Update all relevant call sites to use the new infrastructure. It's still missing
descriptions for all the variables, that'll be up to component authors. I'll file
issues to get that work done.

- Fixed bugs in the node_agent_k8s code that was using env vars as the default for
Cobra command-line arguments, resulting in potentially variable default values
produced in the generated docs. Default values need to be static.

* Enable more linters. (#12751)

- Flip on a couple more linters

- Fix a bazillion warnings produced by these linters,
along with many warnings produced by other not-yet-enabled
linters.

- Fix pkg/version so the tests compile on Mac. This broke a while
back, preventing the linter from running to completion on the Mac.

* Convert galley to reload files via SIGUSR1 or a ctrlz handler (#11617)

* Convert galley to reload files via SIGUSR1 or a ctrlz handler

* Fix ctrlz shutdown not to block

* Disable the mtls_healthcheck test until it can be fixed. (#12775)

* Change IP addresses to show up as strings in label maps in accesslog (#11740) (#12502)

Change IP addresses to show up as strings in http req  in accesslog

Fix lint errors

Fix lint errors

Use stringify function

Updated based on feedback

* upgrade prometheus version. (#12781)

* Wait for endpoints of policy backend, before trying to use it. (#12763)

* Wait for endpoints of policy backend, before trying to use it.

* Minor fix to the structure.

* Add wait logic for waiting Galley to come online.

* Fix minor bug.

* Rename the method so that it is clear what it is doing.

* Add additional constraint check.

* Remove redundant write header (#12731)

Write already writes 200 status code, so this wasn't needed. This caused
unneeded logging every time it was called.

* Tell Kubernetes that Istio validation has no side effects (#12670)

* Tell Kubernetes that Istio validation has no side effects

* Add integration tests for --server-dry-run

* Report version of kubectl and server

* Version check error

* Undo --server-dry-run tests which require K8s 1.12 or higher

* fix uds socket (#12688) (#12802)

* uds fix

* readonly

* mixer: switch to simplified config model (#12689)

* take 2 compiled instances

Signed-off-by: Kuat Yessenov <kuat@google.com>

* try with apa

Signed-off-by: Kuat Yessenov <kuat@google.com>

* quota failure

Signed-off-by: Kuat Yessenov <kuat@google.com>

* false signal?

Signed-off-by: Kuat Yessenov <kuat@google.com>

* more crds

Signed-off-by: Kuat Yessenov <kuat@google.com>

* nil params

Signed-off-by: Kuat Yessenov <kuat@google.com>

* patching config

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove stale command

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix destination host validation (#12804)

* Implement AuthorizationPolicy with workload selector. (#12050) (#12667)

* WIP AuthorizationPolicy with selector

* WIP AuthorizationPolicy with selector

* Check if need to use convertRbacRulesToFilterConfig and ignore permissive mode

* Support TCP

* Move new functions for RBAC v2 to rbac_v2.go

* Change the structure and refactor tests

* Put services field check back

* Remove services field validation

* Remove optimization

* Add selector no match test

* [Galley] Adding ServiceEntry synthesis (#12409)

Added a new custom projection that is subscribed to events for k8s Pods, Nodes, Services and Endpoints. These events are absorbed and do not become part of the snapshot. Instead, synthetic ServiceEntry resources are generated and become part of the snapshot.

Partially addresses #10497 and #10589

* Add a linter to prevent use of os.Getenv and os.LookupEnv (#12778)

- Add more unit tests to pkg/env to bring coverage to 100%

- Move existing linter sources from test/util/checker to tools/checker

* Specify istio-init user explicitly (#5453) (#12708)

Istio-init is supposed to be run as a superuser so it can configure
iptables and this is the current default. However many popular Helm
charts typically define a single container pod and specify
`securityContext.runAsUser` on a pod level (rather than the container
level) and that is what istio-init inherits. As the result many Helm
charts aren't working with Istio auto-injection out of the box.

A simple fix would be explicitly setting `securityContext.runAsUser`
for istio-init on the container-level so it takes precedence.

* Removing dependency on the order of returned IP addresses (#12812)

* Removing dependency on the order of returned IP addresses

Allows returned addresses by the default resolver to be in any
order. The first IPv4 address returned by the resolver is used. If
no IPv4 address is found, an IPv6 address is used.

Added more unit tests.

* Making logic for local IP the same as the rest

* Disabling flaky parts of Galley integ test (#12837)

This should deflake the test in #12820. Real fix is coming soon.

* Set SAN as critical for workload certs. (#12838)

* inject sds related param in pilot/mixer deployment (#12809)

* inject sds related param in pilot/mixer deployment

* remove args

* Disabling Mixer tests using the new TF in K8s. (#12848)

* Disabling Mixer tests using the new TF in K8s.

* Make linter happy.

* accommodate PR review comments.

* galley: support optional crds (#12822)

* optional galley crds

Signed-off-by: Kuat Yessenov <kuat@google.com>

* review

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Removing a "TODO" that is not necessary any more (#12841)

Cleaning up the comments.

* mixer: add template CRD flag and set it to false (#12851)

* template CRD flag

Signed-off-by: Kuat Yessenov <kuat@google.com>

* missed a flag

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Zombie cleanup. (#12878)

- Delete a bunch of dead code, dead variables, unused parameters, and
superfluous type declarations.

* Refactor Istio deployment code for clarity and add wait for webhook. (#12888)

* Refactor Istio deployment code for clarity and add wait for webhook
to come online.

* Make linter happy.

* Fix stupid bug.

* Remove accidental file add (#12895)

* Re-enable sidecar_api_test (#12887)

* Re-enable sidecar_api_test

* Remove kube setup

* Fix race condition

* Make Mixer readiness timeout configurable. (#12640)

- Mixer waits for readiness of the config backend. It is currently hard-wired at 30 seconds. This change makes this configurable and sets the default as 2 minutes.
- The pod was being killed because the liveness probe was not starting on time. It is blocked behind other readiness checks. This change enables readiness early on.

* Minor improvements to the test framework. (#12858)

* Add dump support to policy backend.

* Add a suitecontext dir.

* test: add dump pod events function (#12821)

* Fix flush behavior in Stackdriver adapter. (#12853)

* Fix prometheus and citadel connection tests (#12747)

* Fix test-prometheus-connection.yaml: test never failed

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Fix test-citadel-connection.yaml: test never failed

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Fix a bunch more linter items. (#12897)

* delete stale file (#12898)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Run dep ensure

* Implement EnvoyXdsServer graceful shutdown (#12826)

* update api sha (#12862)

* update api sha

* api files

* Add two sample deployments for user guide of Istio Vault integration (#12917)

* Rename types.go to types.gen.go. (#12921)

* Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850)

* Change Ip Address to readable format in accesslog from stdio adapter

* Add a check to validate it's an IP Address before calling ip.string function

* Fix formatting error

* Fix test

* Correct stringify function in instanceUtil.go too for IP address

* Fix based on review

* Fix based on review

* Fix based on review

* Update to latest doc gen tool. (#12932)

* Fix the regular expression that splits the deployment scripts. (#12931)

The script was fixed with a start-line anchor during the merge of 1.1.
However the regular expressions in Go is not multi-line.

* Add labels to the test framework. (#12819)

* Add basic label support to the test framework.

* Refactor test framework surface area to use fluent-style.

* Apply labels to CircleCI tests & stable integration tests.

* Add early exit support to avoid running setup functions when the label
set can never match.

* Add Citadel tests as presubmit tests.

* Remove environments from label usage.

* Fixup some of the label usages, and convert some of the test entry points.

* Fixup label usage.

* Redisable sidecar tests.

* Accommodate PR feedback.

* Accommodate CR feedback.

* Add more CR fixup.

* Introduce pkg/annotations (#12909)

- pkg/annotations lets us track the annotations used by the calling process.

- pkg/collateral now outputs annotations if there are any. This will make annotations
show up on istio.io

- Adjusted how pkg/collateral handles deprecated environment variables to match how we
handle deprecated fields in protos (by coloring them differently on istio.io)

- Added another test to pkg/env to cover a case I missed originally.

- Updated the sidecar injector and pilot to use pkg/annotations.

- Fixed some invalid HTML generated by pkg/collateral.

I'll file an issue to get descriptions added for the annotations.

* remove unused pdb in remote values. (#12943)

* prevent duplicate inbound listeners (#12937)

* [Galley] Fix race in runtime strategy (#12927)

This addresses a race condition that seems to only occur when using a very low timerFrequency (e.g. 1 microsecond) on a slow machine (e.g. prow). Under these conditions, the strategy can encounter a race condition when creating the timer. The code was setting the `timer` variable to the result of time.AfterFunc. However, due to the extremely low frequency used, the AfterFunc was invoking its handler, `onTimer`, before returning. This led to accessing an uninitialized `timer` value.

This PR swaps out AfterFunc for NewTimer. The use of time.Timer is now abstracted behind the `asyncTimer` object, which provides the semantics needed by the strategy. Now strategy.timer is set before it is started, avoiding the race.

Fixes #12628

* Adding unit tests for sidecar scope (#12184)

* Adding unit tests for sidecar scope

* Removing unused variable

* linters: enable errcheck (#12933)

* enable errcheck

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add maligned to exceptions

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Istio does not use Cluster_LOGICAL_DNS, so remove it (#12905)

* Istio does not use Cluster_LOGICAL_DNS, so remove it

* clean up LOGICAL_DNS in comments

* Clean up Helm README (#12914)

The README has outdated information on the values, we should just defer
to istio.io which is up to date. Additionally, we should point users to
istio.io which has up to date install instructions.

* 'istioctl experimental dashboard' command to show add-ons and sidecars (#12627)

* 'istioctl experimental dashboard' command to show add-ons and sidecars

* Test cases, output of URL, use of Cobra output stream

* Refactor code into istioctl/pkg/kubernetes

* Refactor to expose PortForward stop channel

* Validate new mixer CRDs (#12918)

* Validate new mixer CRDs

* Add templates and adapters

* Test cases for new mixer CRDs

* Add environment variables to allow configuring bookinfo hostnames (#12646)

* Allow bookinfo hostnames to be configurable

- add DETAILS_HOSTNAME, RATINGS_HOSTNAME, REVIEWS_HOSTNAME environment
variables to configure hostnames. Defaults to details, ratings, reviews
respectively

* Bump bookinfo sample to 1.11.0

* Update expected outputs for bookinfo tests

- this is not related to our PR, but the tests were failing
- the apps were changed, but images were not rebuilt

* Add edsClusters should be atomic (#12942)

* Add edsClusters should be atomic

* fix lint

* properly report errors on failure (#12945)

The CI Infrastructure times out after 10 minutes of no activity.  In
one of the test case runners, 10 minutes is specified, causing the CI
timeout to flush any debuggable output from the checks.  This results
in an inexact error result being returned.

Instead a vague response about the test case timing out is reported,
resulting in confusion for the PR authors.

The typical max I was able to achieve was ~230 seconds, but I trimmed
to 3 minutes so the test case fails in all conditions and properly
reports the errors.

* Hoist exemptLabels to top-level, so that they can apply to prs as well. (#12902)

* [mixer-e2e-test] add retry to prometheus query in check cache test (#12680)

* check cache test sleep longer

* use retry instead of longer waiting

* reword error message

* Fixing typos in unit tests (#12661)

Redoing PR #12035

* respect locality weight set from ServiceEntry (#12714)

* respect the lb weight setting from users

* add ut

* fix golint

* add locality lb setting test

* fix lint

* update test case

* update test case

* lint

* sidecars with workload selector takes precedence over namespace wide one (#12831)

* Auto bind to services for Sidecar listeners with specific ports (#12724)

* auto bind to TCP services for egress ports in Sidecar

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* fix test

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* minor patch (#12963)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Cleanup gateway vhost config gen (#12847)

* check match direction

* Cleanup http route generation

* undo pickMatching change

* golangbot comments

* address review comments

* fix validation bug

* gofmt

* check for intersection duplicates

* Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916)

* Add wildcard route fallthrough

Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port.

Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there
is already an http service. This is misleading, as it can be conflated
with a 404 error returned from the actual service. When in REGISTRY_ONLY
mode, we instead return a 502 error to indicate the request is blocked.

* add unit tests

* Remove node-level flag

* Fix tests

* Support PKCS#8 private keys. (#12972)

* Support PKCS#8 private keys.

* Small fix.

* Fix LB weight setting for split horizon eds (#12560) (#12827)

* lb weight for split-horizon-eds should be set correctly

* fix ut

* rename

* fix ut

* fix lint

* fix lint

* Restore dump_kubernetes.sh function on OSX (#12159)

* Fixes for Bash 3.x and detecting non-running pods

* Address shellcheck warnings

* Remove Robert Li from tests OWNERS file (#12946)

Robert has had a change in employment and can no longer contribute to
Istio.

* remove unnecessary namespace for webhook configuration (#12981)

* remove deprecated mcpServerAddrs flag (#12954)

* remove deprecated mcpServerAddrs

* fix ut

* support ip:port format configSource

* fix ut

* fix ut

* support proxy https app probe (#12872)

* support proxy https app probe

* add ut

* fix ut

* add webhook inject test

* fix test

* fix comments by incfly

* Allow some time for the configuration propagation (#12865)

* Allow some time for the listeners config propagation

* change to use watchDiscovery

* samples/bookinfo: easier access to logs (#12584)

* Use shorter namespace prefixes. (#13001)

* Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850) (#12936)

* Change Ip Address to readable format in accesslog from stdio adapter

* Add a check to validate it's an IP Address before calling ip.string function

* Fix formatting error

* Fix test

* Correct stringify function in instanceUtil.go too for IP address

* Fix based on review

* Fix based on review

* Fix based on review

* Update integration test env flag (#12977)

The flag should be "kube" not "kubernetes" but it was not updated in
some places before.

* Support inline role definition in AuthorizationPolicy (#12849)

* Don't fill test logs with "no provious log" (#12857)

This isn't a real error, but it is misleading in the test output. We
have no reason to output all of these errors that there is no previous
container to get logs from.

* mixer: delete old style CRDs from installation (#12710)

* delete old style CRD from installation

Signed-off-by: Kuat Yessenov <kuat@google.com>

* disable galley from listening to old style CRDs

Signed-off-by: Kuat Yessenov <kuat@google.com>

* more hardcoded yamls

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging default install

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix fmt

Signed-off-by: Kuat Yessenov <kuat@google.com>

* keep galley pipeline

Signed-off-by: Kuat Yessenov <kuat@google.com>

* disable resource ready

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete debugging line

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fixing testdata

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete deprecated configs

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove declarations

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete more yaml

Signed-off-by: Kuat Yessenov <kuat@google.com>

* merge fix

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Add tests for the effect of mTLS setting to reachability (#11624)

* Reachability test in new integration test framework

* Add test for port specific policy

* Expose KubeApp interface and move EndpointForPort to that instead

* Use the retry.UntilSuccess from framework

* Change to UntilSuccessOrFail instead of UntilSucces

* remove deprecated code (#13005)

* remove deprecated code

* remove dep

* Add examples/documentation for the test framework. (#13000)

* Add examples/documentation for the test framework.

* Add more prose about test lifecycle.

* Fix typo.

* Fix typos.

* fix retry loop in mixer crd watch (#13003)

* first change to apps/v1 for Install (#13015)

* first change for install

* appsv1

* indention

* use only ipv4 for pilot and zipkin (#12997)

* do ipv4 lookups for pilot and zipkin

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* update goldens

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* small fix for imports (#13013)

* remove old mcp stack (#12092)

* remove old mcp stack

* remove legacy mcp server from galley

* fix server build

* fix linter

* remove unused code in journal.go

* fix build

* s/server/source

* fix linter errors

* Exclude Prometheus traffic in rule so that Kiali does not show it. (#12251)

* [Galley] Fix race in strategy shutdown. (#13004)

* [Galley] Fix race in strategy shutdown.

The Close() logic was holding onto the state lock, which can race with worker thread. Specifically, the worker thread could be in a call to onTimer awaiting the lock, which would never be acquired since the Close() method is stuck waiting for the stopped channel to close.

* cleaning up reset logic to avoid holding on the stateLock

* Add instructions and scripts to facilitate running E2E tests locally using KinD (#12641)

* Adding check/install go in both macOS and Linux.

* Install go if not installed.

* Adding support to run e2e test on KinD locally.

* Adding the ability to run e2e tests locally on KinD.

* Update install_prereqs_debian.sh

* Update setup_test.sh

* Adding the ability to run e2e test on KinD
for presubmit test.

* Presubmit e2e test on KinD.

* Adding the ability to run e2e_simple presubmit on KinD

* Adding README file for testing on KinD locally.

* Revert the changes on adding install_go function.

* Revert install_go in common_macos.sh

* Revert the file changes of deleting newline.

* Reverting the changes.

* Addressing reviews.

* Fixing shellcheck

* respect locality weight set from ServiceEntry (#12714) (#13012)

* respect the lb weight setting from users

* add ut

* fix golint

* add locality lb setting test

* fix lint

* update test case

* update test case

* lint

* Add documentation about -p 1 for integration test framework. (#13032)

* Reduce logs in security/pkg/nodeagent/sds/ (#13035)

* Reduce logs in security/pkg/nodeagent/sds/

https://github.com/istio/istio/issues/13033

* Count the log output times

* Revise the PR based on review comments

* move pkg/mcp/configz to pkg/mcp/configz/client (#12982)

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Restore TestMtlsHealthCheck in postsubmit, prow. (#12969)

* restore test to debug.

* add presubmit label to the test for triggering.

* change to only run in postsubmit.

* remove postsubmit label just comment.

* Enable more linters and fix warnings/errors (#12993)

* Cherry pick cert file config from master to release-1.1 (#12707)

* Cherry pick from master: Configuration:  no longer hardcode mesh certs (#12189)

* Configuration: Pilot-Agent: no longer hardcode certs to watch. Pilot-Discovery: no longer hardcode Envoy listener cert paths.

* Address demands of golangcibot overlord

* Change usages of github.com/stretchr/testify/require to github.com/stretchr/testify/assert

* Address code style violation

* Revert temporary api changes. Set cert paths in envoy node metadata and use them when setting up listeners

* Use envoy node metadata cert paths (if available) when constructing clusters

* Rename constants to make golint happy

* Fix imports

* Ignore ordering in test

* Pass around proxy instead of proxy.Metadata

(cherry picked from commit 7c342741df9bd4e313420b4d17e279089d8956da)

* goimports file

* Allow limiting Citadel to marked namespaces only (#12289)

* Allow limiting Citadel to marked namespaces only

- add command line flag to require explicit opt-in to secrets (defaults to false to retain current behavior of always create)
- extend secret controller to consider namespace labels (reuses existing 'istio-injected=enabled')
- modify unit tests to retain previous behavior (i.e., always create secrets, explicit opt-in not required) and account for additional namespace access

* removed left-over debug print, check enable only when explicit opt-in is required

* reverting k8s actions in tests: namespaces no longer checked when explicit opt-in is false

* unit tests for checking labels and behavior

* Namespace specified in command line is explicitly enabled

- save namespace specified in the `--listened-namespace` option on the controller (allow multiple to prepare for r1.1)
- check SA namespace against explicit namespaces

* use dedicated label name to avoid overloading the injection label

* use istio-managed label in tests

* clarified explicit-opt-in is relevant for keys and certificates provided via a volume mount

* refactor istio managed object test to a function so it can be called from secret deletion handler as well

* fix left over istio-injection label in tests

* manual merge fix

* appsv1 galley (#13047)

* Add support for datadog tracing (on release-1.1 branch) (#12687)

* Add support for datadog tracing.

Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com>

* Use $(HOST_IP) instead of special-casing empty address value

Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com>

* add param to sidecar to ignore iptables changes (#12829)

* add param to sidecar to ignore iptables changes

* rephrase description

* samples/bookinfo: migrate `apiVersion` of deployments to `apps/v1` (#13030)

* fix validation logic so that port.name is no longer a valid PortSelector (#13054)

* [Test Framework]: Galley support for deleting config (#13037)

In order to properly support deleting resources, it was necessary to revisit how ApplyConfig is done as well.  Previously, apply would just blindly copy the yaml to a new file in the configDir. The assumption was that the resource was always being "added" (rather than updated). I'm not certain what would happen if two resources appeared with the same name/namespace.

This PR generalizes (and fixes) the way resources are handled so that it's not concerned with files, but rather the underlying resources. The code now parses the top-portion of the yaml to properly identify each resource.  Once identified, the code now properly updates resources by writing back to the file where the resource was found.  Deletes are similar, where the original resource in the file is replaced with "" (empty files are removed).

* Support controlz for mcp server (#12980)

* Support controlz for mcp server

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* fix lint error

* Address review comments

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* generalize artifact injection into Docker images (#12203)

Instead of just adding LICENSES.txt only, also optionally add in the
source code as well, gating on the new EXTRA_ARTIFACTS and
EXTRA_ARTIFACTS_CNI environment variables.

Change-Id: Iab8fadfbcbbaa8906491e12324fae20185d9f33e

* Keep going when problem happens checking remote version (#13060)

* remove deprecated show-all flag (#13053)

* Add x alias to experimental istioctl command (#11801)

* Add x alias to experimental istioctl command

I'm super lazy and experimental is far too much effort to type

Signed-off-by: Liam White <liam@tetrate.io>

* Add exp as an additional alias

Signed-off-by: Liam White <liam@tetrate.io>

* Correct the app label for Gateway (#12693)

* update selector for gateway

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix build fail

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* Update tracing_datadog_golden.json (#13082)

* Fix small typo (#13089)

can useful -> can be useful

* Add jitter in CSR request (#12805)

* Add jitter in CSR request

* Add log

* Fix comments

* Fix test

* Fix test

* Fix comment

* Allows cleanup.sh to run non-interactively when in terminal (#12635)

This change allows cleanup.sh to run non-interactively in standard terminals.
For example: NAMESPACE="test123" ./cleanup.sh

* 'istioctl proxy-config clusters' cluster type column rendering (#12458) (#12730)

* update sds secret mount. (#12733)

* Copy data from right place (#12762)

* Fix updateClusterInc for overlapping ports (#12766)

* Fix updateClusterInc for overlapping ports

It is possible that a service will have multiple ports, with the same
port number. The typical example here is kube-dns, which uses port 53
for UDP and TCP. When we do an incremental push, we would select the
first port to match the port number, which would sometimes causes us to
ignore the correct port. This fix searches through all matching ports.

* Ensure port number matches as well

* Add unit tests

* remove dead code

* enable default sidecarscope (#12832)

* [Galley] Fix for ServiceEntry event ordering (#12890)

The integration test was encountering this, exposing a real bug. If nodes/pod events occur after service/endpoints (which should generally be unusual) then it is possible to have a ServiceEntry missing pod/node information (e.g. locality).

Fixes #12820

* Adding sha for istio/tools to manifest.txt for future automation of perf tests (#11706)

* Copy helm data from the right place (#12808)

* Refactor solution based on Costin's feedback (#13027)

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Enable more linters and fix warnings/errors (#13061)

* Making tags requirement same as those in Kubernetes (#12852)

* Making tags requirement same as those in Kubernetes

Changing validation check to make sure non-empty tags start with an
alphanumeric character

* Validating label keys are not empty strings

Allow empty string for label values
Do not allow empty string for label keys

* Added certmanager flag into helm chart values.yaml (#12953)

* Added certmanager flag into helm chart values.yaml

* Moved certmanager configuration

* Pilot [networking]: Add upstream idle_timeout to cluster definition (#13066)

* adding upstream idle_timeout to cluster definition.

* reverting vendor changes before running dep ensure again.

* running dep ensure update on api from master.

* controlPlaneMtls renamed to controlPlaneSecurityEnabled (#13141)

* Patch #12805 to master (#13104)

* Patch #12805 to master

* Fix lint

* Fix HelmDelete command (#12515)

* Fix HelmDelete command

HelmDelete was called with the namespace; it needs to be called
with a chartname.  Also created a constant to make it more
obvious when called by the other Helm related commands.

* Fix typo

* Goimports fix

* ight modification path (#13148)

* Allow overriding of registry locality (#13077)

Also fixes bug where non-kube envs could override to something that parsed incorrectly

Signed-off-by: Liam White <liam@tetrate.io>

* mixer: add support for standard CRDs for compiled-in adapters (#12815)

* cherry pick subset of https://github.com/istio/istio/pull/12689/

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add support for compiled in adapters

Signed-off-by: Kuat Yessenov <kuat@google.com>

* patch log line

Signed-off-by: Kuat Yessenov <kuat@google.com>

* parse cert to get expire time  (#13145)

* parse cert

* cleanup

* unit test coverage

* missing file

* address comments

* rebase and address comment

* Installing istio for perf testing (#13159)

* Perf scripts

* gsutil

* WD

* perf running and getting metrics

* Perf

* perf

* perf

* Perf

* remove

* qq

* Appsv1 pilot (#13050)

* appsv1 for Pilot

* appsv1 for Pilot

* appsv1 for Pilot

* dep update

* fix test

* fix test

* fix test

* fix test

* fix test

* typo

* typo

* typo

* typo

* typo

* update go-control-plane (#13154)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* added sidecar.istio.io/rewriteAppProbers annotation (#13112)

* pilot: registered sidecar.istio.io/rewriteAppProbers annotation

* pilot: checked from sidecar.istio.io/rewriteAppProbers too

* pilot: added webhook inject tests

TestWebhookInject_http_probe_rewrite_enabled_via_annotation case is a modification of TestWebhookInject_http_probe_rewrite case.
The difference is rewriteAppHTTPProbe is false in template, but set to true in annotation.

TestWebhookInject_http_probe_rewrite_disabled_via_annotation case is a modification of TestWebhookInject case.
The difference is rewriteAppHTTPProbe is true in template, but set to false in annotation.

* fixed linter issue in test

* added http probe test for kubeinject case

* added tests and fixed login upon checking RewriteAppHTTPProbe setting

* Add more tests in app_probe_test.go

* renamed RewriteAppProbers to RewriteAppHTTPProbers

* fixed test case for webhook injection

* add description to rewriteAppHTTPProbers annotation

* updated tests in app probe to sync with recent master change

* change validateBool to alwaysValidFunc as per review

* Export inject.injectionData() (#12426)

* Registrator should use master version (#13083)

* dependencies: update cel-go and remove protoc-gen-docs (#12711)

* experiment with COMPAT

Signed-off-by: Kuat Yessenov <kuat@google.com>

* get errors

Signed-off-by: Kuat Yessenov <kuat@google.com>

* get errors

Signed-off-by: Kuat Yessenov <kuat@google.com>

* stop validation

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove hack

Signed-off-by: Kuat Yessenov <kuat@google.com>

* testing

Signed-off-by: Kuat Yessenov <kuat@google.com>

* only access log

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add runtimeconfig

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add a benchmark

Signed-off-by: Kuat Yessenov <kuat@google.com>

* cel_perf

Signed-off-by: Kuat Yessenov <kuat@google.com>

* update cel

Signed-off-by: Kuat Yessenov <kuat@google.com>

* update examples

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove unnecessary dependencies

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fixing copy for helm, one more time. (#13186)

* Run goimports on generated file (#13195)

* Enable disabled mixer tests in New Test Framework (#13151)

* Enable disabled mixer tests in NF

* Change tests config to new style

* Change tests config to new style

* Change tests config to new style

* Fix config for native policybackend

* Fix report test

* Reduce Pilot resource requests for demo (#12477)

* Reduce Pilot resource requests for demo

* Add limits as well

* Added data source for Galley dashboard (#13041)

Fixes: #13040

* fix values for pod anti-affinity. (#12798)

* Add sensible defaults to istio-gateways (#12315)

* report succeed after validation (#13165)

* report succeed after validation

* review comments

* Change exposed port of istio-pilot in consul (#13170)

`15003` and `15005` are never used in pilot under consul env. It would be confusing to expose the two ports. Instead, 
```
   --grpcAddr string                     Discovery service grpc address (default ":15010")
   --secureGrpcAddr string               Discovery service grpc address, with https (default ":15012")
```
we know `15010` and `15012` are still in use.

* Cherrypick: Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916) (#12973)

* Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916)

* Add wildcard route fallthrough

Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port.

Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there
is already an http service. This is misleading, as it can be conflated
with a 404 error returned from the actual service. When in REGISTRY_ONLY
mode, we instead return a 502 error to indicate the request is blocked.

* add unit tests

* Remove node-level flag

* Fix tests

* Use new env var framework

* Fix long line

* Run format and linter

* CEL checker mutex (#13192)

* checker mutex

Signed-off-by: Kuat Yessenov <kuat@google.com>

* deadlock

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Integration testing for Locality Load Balancing  (#13084)

* Initial testing functionality

Signed-off-by: Liam White <liam@tetrate.io>

* appease the linting gods

Signed-off-by: Liam White <liam@tetrate.io>

* Fall back to bootstrap locality as a last resort

Signed-off-by: Liam White <liam@tetrate.io>

* Move service instance check after we set them...

Signed-off-by: Liam White <liam@tetrate.io>

* Add EDS test

Signed-off-by: Liam White <liam@tetrate.io>

* Reorganise tests to run in parallel

Signed-off-by: Liam White <liam@tetrate.io>

* Move to pilot directory

Signed-off-by: Liam White <liam@tetrate.io>

* minor Infof fixes

Signed-off-by: Liam White <liam@tetrate.io>

* fix package name

Signed-off-by: Liam White <liam@tetrate.io>

* Increase propagation sleep and add warning

Signed-off-by: Liam White <liam@tetrate.io>

* [test-framework] Support helm values containing spaces (#13127)

* Support helm values containing spaces in integration test framework

For a helm template command,
e.g., "helm template --set key1=value1 --set key2=value2",
the existing integration test framework assumes the values do not
contain spaces and splits the command argument using the
space character before executing the helm command.
Thus, the existing implementation does not support
helm values (e.g., certificates) containing spaces.
This PR adds the support of helm values that contain spaces.

* Revised to use array based on review comments

* Adding servicegraph testing to postsubmit (#13190)

* Adding servicegraph testing to postsubmit

* m

* perf

* change

* pod

* fix

* Adding E2E Test for kiali (#11448)

* Add Kiali E2E Test

* Minor Fixings on Kiali E2E Test

* Remove unused mixer.enabled value (#13214)

This is not a functional change; this value is never used so it is
misleading/confusing. mixer.policy.enabled and mixer.telemetry.enabled
are used.

* Adding aliases for OWNERS (#13194)

* Fixing copy for helm, one more time.

* Adding aliases for test group. Setting up labels and no parent_owners

* prow

* owners

* Fixing helm order (#13224)

* Fixing copy for helm, one more time.

* Fix order of the helm command

* fix lint (#12988)

* update certificates with expiration time 100 years (#13233)

* update certificates with expiration time 100 years

* update testdata/local/etc/certs

* fix original destination bug (#13011)

* fix original destination bug

* add ut

* align init role label. (#13172)

* Remove --platform option (#13187)

* Fix #10380: Remove hardcoded sidecar template for istioctl kube-inject (#10830)

* Remove the hardcoded sidecar template for

* Remove deprecated flags in istioctl kube-inject

* update testdata after rebase

* add rule for kubeinject.go in codecov.threshold

* push client the new root cert when it's changed (#13163)

* refresh root

* refresh root

* unit test

* add logs

* address comment

* more comment

* address comment

* Implement `role` field in AuthorizationPolicy  (#13181)

* Add check for role in ServiceRoleBinding

* Implement global role

* Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow (#13199)

* Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow

Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow.
The mutual TLS connection uses the certificates issued by SDS-Vault CA flow
and SDS-Citadel CA flow.

* Use the flag EnableCDSPrecomputation()

* Address review comments

* Ignore missing resources on kubectl delete (#13225)

This makes it so tests won't fail on cleanup for resources that are
already deleted.

* [Testing] Cleanup PortForwarder (#13250)

* Add generated LICENSES.txt to gitignore (#13209)

* remove myself from owners (#13231)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add upstream_transport_failure_reason to access log (#12434)

* add upstream_transport_failure_reason to access log

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* update proxy to latest

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fix

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fix format

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* Fix integration test errors and refactor security integration tests (#13253)

* Fix integration test errors and refactor security integration tests

- Fix the failure of integration tests when --istio.test.nocleanup=false,
which is the default test setting. The failures of integration tests when
--istio.test.nocleanup=false are caused by that the errors during
cleaning up tests are treated as test failures while the actual tests
have succeeded when --istio.test.nocleanup=true.
- Organize security integration tests under testss/integration/security.
- Refactor the code to share common utility functions and remove
duplicate code.
- Misc fixes.

* Address review comments

* Use a const to represent the test policy directory

* Address review comments

* Fixes the multicluster e2e test (#13246)

The secret was being created after the apps were
deployed on the remote.  This caused the test
to never think the apps successfully deployed since
the envoy sidecar was continually restarting.

* pre-check: fix a logic error (#13278)

`getNameSpace()` always returns an object, even if namespace does
not exist. Checking the error status is safer.

* Remove kubectl from dockerfile prereqs since it pulls it (#13256)

* Fixing EDS unit tests (#12995)

The current EDS test is incorrect and passes because the check calls time
out rather than successfully completing. This PR fixes the problem and
adds one more test.

fixes issue #12994

* rbac: fix a data race in listener generation (#13308)

* Include js/css files into static folder (#12983)

* Include js/css files

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Append version to file

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* ignore assets.gen.go in code coverage

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* remove assets.gen.go from codecov test

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* remove skipped test from .cov file

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix check shell issue

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix shell check issue

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Fix galley integration test race (#13303)

* [Test Framework] Integrate apps with Galley (#13115)

The most recent refactoring broke the apps component when Pilot is being used with Galley. The apps register their services with the ServiceManager directly. When Pilot is configured with Galley, however, it doesn't use the ServiceManager, which means that the app services are never properly registered with Pilot.

- Changed the Pilot and Apps component to require Galley to be configured, to avoid confusion.

- Removed the ServiceManager altogether - Galley is used for service registration.

Fixes #13090

* Fix again helm copy, was reverted during merge from release 1.1 (#13337)

* Fixing copy for helm, one more time.

* Fixing copy again for master

* Update OpenShift dependencies; Drop [deprecated] legacy schema (#13160)

* Extend istioctl mocking library to allow mocking of authn etc (#13118)

* Fixing iptables ranges (#13291)

* Fixing iptables ranges

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fix shellcheck errors

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fixing ci failures #1

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fixing ci failures #2

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fixing ci failures #3

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Addressing comments

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Don't apply locality label unless provided (#13297)

* Single Template injection spec fully at runtime (#13147)

* Template injection spec fully at runtime

This eliminates the need to have two layers of templates, which adds a
lot of complexity to the template.

* Get tests working and rebase on removal of hardcoded template

* Remove unused vars

* Fix istioctl tests

* Report circleci status to testgrid k8s dump (#13340)

The dump script often fails for the same reason the test fails. The dump
script should probably be hardened, but in the meantime we can just
make sure we report the failure (high priority) before we dump the
state.

* Add integration tests for RBAC v2 (#13353)

* Implement RBAC v2 integration test

* Add Galley to app for security tests

* Disable locality LB tests (#13305)

* [Galley] Add NotReadyEndpoints to Synthetic ServiceEntry (#13255)

* [Galley] Add NotReadyEndpoints to Synthetic ServiceEntry
…