Merge master to collab-authn #13254

* Testing: support retries in Structpath
  The current structpath library automatically fails the test as soon as an error occurs. This change splits structpath into 2 types:
  - Instance: methods return errors.
  - InstanceForTest: delegates to Instance and fails the test if an error occurs.
  Tests that allow retries will use Instance and handle the errors manually.
* splitting out the test and non-test instances
* Fixing TestMain for sidecar_api_test
* fixing bug in ForTest
* Switching to single fluent-style api

Distributor is an interface consumed by the runtime package.

* things needed for next version of kiali
* additions needed for https://issues.jboss.org/browse/KIALI-2417
* install kiali v0.15
* add read-only role for people to use if they don't want to grant write access to kiali
* mount secret to volume now, not env vars
* add rbacconfigs - https://issues.jboss.org/browse/KIALI-2564
* add prometheus scrape annotations to scrape the new metrics endpoint
* everything is now up to date for kiali v0.16


* Fix racetest
* Lint
* One more race
* Added a todo with issue ref


* missing comment on exported function ConstructCustomDNSNames
* Document customization process


* Fix deps and broken merge for mixer test
* Fix overly restrictive golang version match
* Fix integration test framework merge issues
* Fix line length lint issue
* Interim checkin of Test Framework refactorings. (#11718)
  Seeding collab-test-framework
* Tf 11 scopes (#11772)
  Cleaning up the new prototype code.
* Remove hardwired constants from the deployment file.
* Fixup some tests
* Use framework2 for pilot tests (#12243)
* WIP updating sidecar test to new framework
* Re-create Pilot tests based on framework2
* Merge master => collab-test-framework (#12374)
* [Galley] Standardize worker thread lifecycles (#12125)
* [Galley] Standardize worker thread lifecycles
  We currently have several worker classes that follow a similar lifecycle pattern, but are inconsistent. This PR standardizes the lifecycle management logic into a new Worker class.
* addressing comments.
* addressing comments.
* Update to grafana 6.0.0 (#12191)
* Support offline running productpage by packing js and css in image (#12218)
* Make code more reusable in other contexts (#11353)
* Make code more reusable in other contexts
  - Export processStream methods, they are useful when using the code outside of Istio
  - Move verifySentResourcesMultipleTypes to client_test.go
* Add licence
* Correct TestAdmitPilot Case (#12281)
  Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>
* Fix pilot grpc failure in Consul (#12273)
* fix wrong link for mixer (#12347)
* Update OWNERS (#12361)
* Update OWNERS
* Update OWNERS
* mixer: CEL runtime (#12145)
  Signed-off-by: Kuat Yessenov <kuat@google.com>
* Change IP addresses to show up as strings in label maps in accesslog (#11740)
  Change IP addresses to show up as strings in http req in accesslog
  Fix lint errors
  Fix lint errors
  Use stringify function
  Updated based on feedback
* Improve resource lifecycle management and debuggability. (#12402)
* Improve lifecycle model.
  - Add defer context.Done() to sidecar_api_test for resource cleanup.
  - Ensure that Pilot's Close returns after the background go-routine is torn down.
  - Properly register components/resources for cleanup purposes.
  - Reverse the resource cleanup loop to make sure resource dependencies are handled properly.
  - Add friendly ids to test framework components to help with debugging.
  - Refactor environment names to avoid cyclic dependencies.
* Fix lint issues.
* Major refactoring of the new framework & ensure the native mode tests work.
* Fix runaway refactoring.
* Make Istio deployment work.
* Fix some Kubernetes based tests.
  - Accommodate code review feedback.
* Fix all K8s tests.
* Cleaning up of the core framework API surface.
* More cleanup of the surface area.
* Fix lint and formatting
* Update Makefile & related settings.
* Move collateral docs to framework2, remove framework and integration.
* Move framework2 -> framework
* Fixup echo.
* Fix minor bug.
* Fix lint issue.
* Minor clarification to the output message.
* Fix Makefile
* Temporarily add debug log output for tf.
* Improve in-CI debugging.
* Fix lint problem.
* Add CI Mode flag.
* Convert Always to IfNotPresent
* Convert Always to IfNotPresent
* Fix Citadel component init.
* Write pod state to files.
* Fix galley.New()
* Minor fix.
* Refactor Hub/Tag/PullPolicy usage.
* Increase deployment timeouts.
* Fix formatting bug.
* Make linter happy
* More diagnostic output support.
* minor cleanup
* Fix Yaml deployment code.
* link fixes.
* Fix comment.
* Set minikube ingress to minikube-none.
* More minikube fixes.
* Final cleanups.
* extract namespace to its own component.
* Major cleanup of structure/packages.
* Post merge fixups.
* Fixup sidecar api tests post-merge.
* Fix structpath panic.
* Increase the deployment timeouts in CI.
* Add istio 1.2 CRD file.
* Fix linting.
* Fix imports.
* Disable sidecar_api_test.go test (which is already disabled in master).
* Remove debug flag.
* Fix lint errors.
* Fix testcontext format parameters
* Disable the sidecar tests before the merge.
* Fix CI Mode timings.
* Fix CI Mode timings.
* Make linter happy.


* Add dynamic discovery and listener initialization for supported k8s resource types (#11871)
* wip: dynamically discover supported crd types
* fix linter errors
* improve logs when resource type not found
* increase code coverage
* address review comments
* add a comment
* fix linter error
* extract Galley root command to server. (#12073)
* Replace root command of Galley with server mode.
* Fix linter issue.
* Wire-up excluded resource types list to the CRD check and update logging (#12143)
* - Wire-up excluded resource types list to the CRD check.
  - Update logging.
* Revert copyright.
* Revert copyright.
* Do not reject entire batch of updates, if items get past validation. (#12476)
* Do not drop the whole batch, if validation of a single resource fails.
* minor comment cleanup.
* Adding unit tests.
* Make linter happy happy happy.


* Log descriptions of pods when tests break
* Don't overwhelm the logs for a possibly transient error
* Fix kubectl syntax
* Back out change in retry behavior to avoid masking root cause

Previously, this value was not set if the load balancer config was nil. However, it should actually be set anytime outlier detection is enabled, so that locality lb can behave correctly.

* Fix bug causing empty endpoints per locality
  Before, we were allocating the array then appending to it, creating empty endpoints at the start of the array.
* Predefine slice size


* Fix the MCP Client ConfigZ page.
* Fix the tests
* Update test name to clear confusion.

Test is flaky, saying it has dropped coverage when it has not due to it being nondeterministic.

* Don't require service account for spiffe
  Some kubernetes pods don't have a service account. This causes a log flood that the spiffe url is invalid, but this doesn't actually have any negative impact. We can just make it not an error to have no service account.
* Revert "Don't require service account for spiffe"
  This reverts commit e88ff18.
* Just drop error -> warn
* Fix tests
* Drop log level


#12460)
* Adding additional fields for bindings and validation. (#11800)
* Implement namespaces for ServiceRoleBindings
* Implement not_namespaces and refactor
* Implement not_ips
* Implement ips (no unit tests)
* Add a unit tests for ips for ServiceRoleBinding
* Implement groups and not_groups for ServiceRoleBinding
* Implement names and not_names
* Check for duplicated definition in constraints/properties and first-class fields
* Disallow using * in names or not_names to prevent ambiguity
* Disallow using * in names or not_names to prevent ambiguity
* Refactor additional fields for bindings
* Update validation.go
* Update validation.go


* enhance verify install command
* fix lint
* fix lint


…12556)
* Add namespace scoping to the Gateway 'port' names (#12500) (#12500)
  Currently in order to configure ingressgateway to do TLS termination using multiple secure virtual hosts with different certificates Istio requires Gateway 'port' names to be globally unique (i.e. distinct). I.e. two gateways cannot have secure port named 'https' even if they reside in different namespaces. Behavior in such case is undefined.
  This breaks namespace isolation as a user creating a Gateway in one namespace might not have access to other namespaces hence can't if the port name is already 'taken'. Behavior in such case is undefined and likely to render other virtual hosts unavailable.
  This change adds namespace scoping to Gateway port names by appending namespace suffix to the HTTPS RDS routes. Port names still have to be unique within the namespace boundaries, but this change makes adding more specific scoping rather trivial.
* Increase Gateway 'port' names scoping granularity

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>
The plumbing for propagating the envoy metrics service address config is missing a step to copy the given address to the config object that is passed on to the template renderer.

* finish demo
  Signed-off-by: Kuat Yessenov <kuat@google.com>
* printf
  Signed-off-by: Kuat Yessenov <kuat@google.com>
* publish keyval
  Signed-off-by: Kuat Yessenov <kuat@google.com>

This is not a functional change; this value is never used so it is misleading/confusing. mixer.policy.enabled and mixer.telemetry.enabled are used.

* Fixing copy for helm, one more time.
* Adding aliases for test group. Setting up labels and no parent_owners
* prow
* owners


* Fixing copy for helm, one more time.
* Fix order of the helm command


* update certificates with expiration time 100 years
* update testdata/local/etc/certs


* fix original destination bug
* add ut

Merge release-1.1 into master

#10830)
* Remove the hardcoded sidecar template for
* Remove deprecated flags in istioctl kube-inject
* update testdata after rebase
* add rule for kubeinject.go in codecov.threshold


* refresh root
* refresh root
* unit test
* add logs
* address comment
* more comment
* address comment


…ow (#13199)
* Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow
  Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow. The mutual TLS connection uses the certificates issued by SDS-Vault CA flow and SDS-Citadel CA flow.
* Use the flag EnableCDSPrecomputation()
* Address review comments

This makes it so tests won't fail on cleanup for resources that are already deleted.

[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: diemtvu
If they are not already assigned, you can assign the PR to them by writing
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing

Codecov Report
@@ Coverage Diff @@
## collab-authn #13254 +/- ##
===============================================
- Coverage 72% 72% -<1%
===============================================
Files 607 662 +55
Lines 54140 56982 +2842
===============================================
+ Hits 38517 40489 +1972
- Misses 13438 14189 +751
- Partials 2185 2304 +119

So there's good news and bad news.
👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there.
😕 The bad news is that it appears that one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request.
Note to project maintainer: This is a terminal state, meaning the
ℹ️ Googlers: Go here for more info.

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add upstream_transport_failure_reason to access log
  Signed-off-by: Lizan Zhou <lizan@tetrate.io>
* update proxy to latest
  Signed-off-by: Lizan Zhou <lizan@tetrate.io>
* fix
  Signed-off-by: Lizan Zhou <lizan@tetrate.io>
* fix format
  Signed-off-by: Lizan Zhou <lizan@tetrate.io>


…13253)
* Fix integration test errors and refactor security integration tests
  - Fix the failure of integration tests when --istio.test.nocleanup=false, which is the default test setting. The failures of integration tests when --istio.test.nocleanup=false are caused by that the errors during cleaning up tests are treated as test failures while the actual tests have succeeded when --istio.test.nocleanup=true.
  - Organize security integration tests under tests/integration/security.
  - Refactor the code to share common utility functions and remove duplicate code.
  - Misc fixes.
* Address review comments
* Use a const to represent the test policy directory
* Address review comments

The secret was being created after the apps were deployed on the remote. This was causing the test to never think the apps successfully deployed since the envoy sidecar was continually restarting.
`getNameSpace()` always returns an object, even if namespace does not exist. Checking the error status is safer.
The current EDS test is incorrect and passes because the check calls time out rather than successfully completing. This PR fixes the problem and adds one more test. fixes issue #12994
No description provided.