remove cni initContainers and volumes in remove-from-mesh #26812
@esnible Requesting your review on this
@tariq1890 This PR targets Master. I approved this but removed the Do you know how to check out the release-1.7 branch, cherry-pick, and create PR? If so, do that and in the comments link to the merged Master PRs.
Yes, I do. I can get around to doing that later in the day.
(cherry picked from commit 707b28d)
@esnible Done!
(cherry picked from commit 707b28d)
* Automator: update common-files@master in istio/istio@master (#25583) * echo: sort headers (#25582) * echo: sort headers Currently the response bounces around a lot as header order is not defined which makes debugging annoying sometimes * format * Add release note for adding release notes process (#25509) * Add release note for adding release notes process * Add readme * Fix readme * Fix linter errors * Updates based on PR comments * Moved 25519 into the notes directory * Added 25519.yaml * Updated 25519.yaml to v2 * Update add-release-notes-generation.yaml * Update add-release-notes-generation.yaml * GCP instance labels support (#24687) * added gcp labels support * labels are only retrieved for gce vm instances, changed timeout behavior * handle no instance labels case * don't pull labels if running on kubernetes * cleaned up platform interface * cache metadata inside gcpEnv * Revert "cache metadata inside gcpEnv" This reverts commit 361ff7fbaa609c62af4987b708890ff068899aef. * restructured cache metadata inside gcpEnv * minor fixes Co-authored-by: Justin Wei <juswei@google.com> * fix dns rules on v4 only system (#25590) Signed-off-by: Yuchen Dai <silentdai@gmail.com> * Automator: update common-files@master in istio/istio@master (#25593) * add uninstall by revision change (#25076) * add uninstall change * add test * add filename flag, refactor * refactor, move common function from cmd/mesh to pkg * clean up the pruning and deleting approaches * address comment * address comments * add --purge option and prune_test * clean up code and add tests * address more comments * update label logic * rebase * update label logic * address comments and fix lint * fix test * Update proxy SHA (#25594) * update istio proxy sha * fix test * lint * Allow users to delay application start until proxy is ready (#24737) * Reenable GatewayTLSOrigination Test (#25424) * renable test * switch back ports * fix test * tests pass locally * make gen * add subset for route to gateway * add sni 
* change timeout * Update egress_gateway_origination_test.go * split virtual service * add more wait * more wait * I think this works * decrease sleep time * remove sleep and increase timeout * rename foreign instances to workload instances (#25605) * rename foreign instances to workload instances Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * fix race Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * Update template.yaml (#25608) * Config file and env var for istioctl --istioNamespace, --xds-address, and --cert-dir (#25280) * Config file and env var for some istioctl CLI options * ISTIOCONFIG variable for overriding default istioctl configuration * 'prefer-experimental' option for commands with regular and experimental variants * Defaults for --xds-san and --insecure * Column for 'istioctl x config list' that lets users tell defaults from configured values * Fail if user supplies invalid ISTIOCONFIG env var * Don't fail if config file does not exist * Initialize defaults in tests * Show origin of config var; move defaulting close to command so tests work * Use Istio RegisterXXXVar for environment overrides to istioctl * Allow user to make XDS-based proxy-status the default with env or config setting * Added release note * Sort 'x config list' output * release note fix * Egress Gateway TLS Origination fix (#25588) * add tlsMode=istio label to egress gateway * Revert "add tlsMode=istio label to egress gateway" This reverts commit a8310ddf0b21db928abbf83a5df34194ab76bd48. 
* clean out TransportSocketMatches on subsequent applyTrafficPolicy calls * sidecar scope matches ns for envoy filter and authn/z (#25430) * sidecar scope matches ns for envoy filter and authn/z * format * remove peer authn * Optimize memory usage of SDS cluster config generation (#25511) * Add TLS to bench tests * Apply optimizations for SDS generation * Fix tests * fix test * update MutatingWebhook apiVersion to v1 and other minor fixes (#24723) Co-authored-by: John Howard <howardjohn@google.com> Co-authored-by: John Howard <howardjohn@google.com> * Add testcase/documentation for add entry to unset list (#25604) * Add testcase/documentation for add entry to unset list Signed-off-by: Liam White <liam@tetrate.io> * fix broken test and ensure we test want Signed-off-by: Liam White <liam@tetrate.io> * TLS Origination using SDS Integration Test Suite (#25520) * init test * clear clutter * tests pass * add copyrights * fix pilt * not sure what this gen check error is * try removing pilot * make gen * lint * comment code * init mutual TLS mode * add unknown secret test * finish mtls test draft * lint * new test * add more tests * verify client cert * lint * refactor * make genn * increase retry * fix env * remove timeout * try this * add wait * sleep is good * test failing * verifycert * another try * fix template * decrease to reasonable time * revert old * reduce time hack * revert client file * remove sleep and increase timeout * fix comment * listener: rewrite passthrough filter chain (#23071) * listener: rewrite passthrough filter chain filter chain Signed-off-by: Yuchen Dai <silentdai@gmail.com> * delete appendListenerFallthroughRoute Signed-off-by: Yuchen Dai <silentdai@gmail.com> * erase the concept of merging and testing fallthroughfilterchain Signed-off-by: Yuchen Dai <silentdai@gmail.com> * add better transport security iptables rules Signed-off-by: Yuchen Dai <silentdai@gmail.com> * lint Signed-off-by: Yuchen Dai <silentdai@gmail.com> * address comment 
Signed-off-by: Yuchen Dai <silentdai@gmail.com> * typo Signed-off-by: Yuchen Dai <silentdai@gmail.com> * Enable the workload cert rotate automatically (#25526) * add rorate feature * add certificate for response * add add reconnect features * refactor to use interface (cherry picked from commit 3055ad8cfd79d8ba1ba1da76746f0e39e5b8115e) * reset GetClientCertificate logic * ret the public type code * fix lint * address comment * fix when key,cert not loaded successfully * refactor and remove interface logic to simplify code * remove useless function * fix err (cherry picked from commit ad1c4c8bf70378b6361bd11f0a5342873a9303c0) * refactor to use reconnect logic * remove useless releaseResourceCode * fix lint * add unit test * fix lint and address comments * add release note * address comments * address comments * add retry logic * address comments * address comment * address comment * fix lint * Fix listener generation for passthrough services (#25620) * temp Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * fixes Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * fixes Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * tests Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * test fixes Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * ads: handle reconnect with empty resources (#25629) * handle previous info nil Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * handle previous info nil Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * add tests Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * log level Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * lint Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * minor refactor Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * remove useless import (#25639) Signed-off-by: Xiang Dai <long0dai@foxmail.com> * Output in kubernetes style format for debug/configz (#25541) * Output in kubernetes style format for debug/configz Fixes 
https://github.com/istio/istio/issues/24651 * fix lint * lint * log only virtualservice's name and namespace (#25647) * verify if namespace exists during bookinfo cleanup (#25649) * verify if namespace exists during bookinfo cleanup * fix lint * fix broken multicluster tests (#25633) * test framework: temporarily deploy istio synchronously * Revert "test framework: temporarily deploy istio synchronously" This reverts commit 3914a15d6578ad3f1d8985fcf89efbeacd208d18. * remove viper default (breaks mc tests) * revert test * fix table indent in test * Add wait for proxy to be built to upadte_proxy.sh (#25651) * Incorrect handling of 'istioctl experimental version --revision <x>' (#25615) * The default label selector changed * Add release note * No need for release notes; change is not user-facing * Port Install CNI to golang (#25332) * Port CNI installer from shell to golang * Capitalize acronyms in constant names * Decouple environment variables from functions * Make variable and function names more clear * Convert array to set * Fix filepath bug in tests * Wait until main CNI config file exists to intall Istio CNI as a chained CNI plugin * Add check install and cleanup; Keep container alive * Cleanup on SIGINT and SIGTERM caused by killing container * Refactor, clean up, add comments * Sort test data JSON map keys and update cniVersions * Remove unnecessary prefix characters for creating temp dirs * Fix and clean up unit tests * Extend context to createCNIConfigFile; Add unit test * Remove relative paths and clean up CNI config e2e tests * Fix lint errors * Fix kubeconfig template; Add unit tests for creating kubeconfig file * Remove install-cni.sh and dependencies; Update Dockerfile and charts * Write kubeconfig file with default 0600 permissions * Test script restart in CNI config integration test; cleanup * Add unit test for checkInstall * Add helper functions to handle json unmarshalling panic; add unit tests * Address PR comments; cleanup * Add test cases for 
standalone CNI plugin in integration tests * Add make target for install-cni integration test * Address PR comments; cleanup * Decouple signal handling from install process * Add Installer struct and refactor * Fix lint error * Remove absolute path to install-cni binary Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> * pilot tests: move config generation tests out of kube integration tests (#25655) * initial * more tests * remove dead code * cleanup * fix license * fix lint * Track deprecated Istio types (#25454) * Track deprecated Istio types * Include QuotaSpec and QuotaSpecBinding * Regenerate collections * Test generated code * Export all environment variables in sidecar.env (#25546) * Export all environment variables in sidecar.env Currently we only export a few variables, making it impossible to configure a large set of options in the agent * debug * more debug * fixes * Add tests and fix named target port for WE (#25576) This adds some tests for selecting pods/workload entries with target ports. As far as I know this covers all combinations. In the process, I found a bug/unimplemented feature, where named target ports were not working. 
* Backfill some release notes (#25609) * Add --file param to proxy-status (#25627) * Add --file param to proxy-status * fmt * make file flag optional * add missing feature label * add example * release note * remove dead prow scripts (#25631) * Build in push and parallel (#25637) * Build in push and parallel * Setup builder * enable experimental * Automator: update common-files@master in istio/istio@master (#25663) * fix spelling mistake in file init.sh (#25665) * mixer-telemetry chart should not depend on global.yaml (#25394) * mixer-telemetry chart should not depend on global.yaml * Important values that affect multiple charts should be called out explicitly * Code review comments * Remove istio-policy chart depdency on global.yaml (#25393) * Remove istio-policy chart depdency on global.yaml * Important values that affect multiple charts should be called out explicitly * Code review comments * Change to comma separated value for app_container (#25441) * Change to comma separated value for app_container Signed-off-by: gargnupur <gargnupur@google.com> Run make gen Signed-off-by: gargnupur <gargnupur@google.com> Add test for container name Signed-off-by: gargnupur <gargnupur@google.com> Update VM test files Signed-off-by: gargnupur <gargnupur@google.com> Change to comma separated value for app_container Signed-off-by: gargnupur <gargnupur@google.com> Run make gen Signed-off-by: gargnupur <gargnupur@google.com> Add test for container name Signed-off-by: gargnupur <gargnupur@google.com> * Fix vm test Signed-off-by: gargnupur <gargnupur@google.com> * remove endpoint ready check (#25461) * remove endpoint ready check * fix lint * integration tests: share echo deployment between many tests (#25636) * most done * disable grpc log * Add istioctl tests * add comments * fix reference * lint * fix merge conflict * Add stableNamespaces option to test framework (#25673) Especially combined with https://github.com/istio/istio/pull/25636, this makes local test development *much* 
faster. There is a basically no overhead of test setup, so most tests which are of the form apply config,send traffic, check result can run completely in under 1s. * Move Viper default setting to init() (#25664) * Add endpoint builder to define EDS dependencies (#25598) * Add endpoint builder to define EDS dependencies Goals: * Scope down the set of inputs to the EDS pipeline so it doesn't depend on proxy * Compute some things up front to reduce recomputation * Define a key that can be used for caching EDS responses (future PR) * Fix lint * fix misleading names * fix merge conflict * enhance Makefile (#25607) * Refactor kube controller (#25527) * Refactor kube controller * refactor kube controller * Enable make deb/docker from CI or local build environment (#25682) * Update Proxy SHA (#25686) * Update Proxy SHA * fix test Signed-off-by: gargnupur <gargnupur@google.com> * listener: fix listener comments (#25679) * change listener comments Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * correct comment Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * tests: allow pilot suite to run with more than one cluster (#25432) * setup topology with multi-primary and remote clusters * DRY creating pilots for each control plane cluster * allow root of tests/pilot/ to run in multicluster * cleanup pilot helper * util methods for istio instnace * remove pilot usages * format * Expose istio-agent metrics and remodel error handling (#25668) * Expose istio-agent metrics and remodel error handling Co-authored-by: Aditya Prerepa <adiprerepa@gmail.com> This is a superset of https://github.com/istio/istio/pull/24798 https://github.com/istio/istio/pull/22318#discussion_r456887079. If its controversial we can split the two out, but there is a lot of overlapping code between the two so I kept them together. Basically, this adds istio agent metrics. Because of conflicts with applications, we do some special things to export them with istio_agent_ prefix to avoid collisions. 
Additionally, we stop returning errors if envoy or the app return errors in the scrape. This avoids the situation where we suddenly drop envoy metrics because the app is down or vis-versa, making the situation even worse as we lose visibility. To add some extra visibility into this, we also add metrics for total scrapes and failed scrapes. * bad metric * add discovery host as sni host to xds-grpc cluster (#25691) * add discovery host * remove log * add relnote * feat(testing): Add traces and edge validation for Stackdriver testing (#25443) * Add traces and edge validation for Stackdriver testing * remove unnecessary bits * add license for meshtelemetry proto (set to same as istio/istio) * add proper license, fix tests * remove pilot sampling config * remove forced tracing, rely on pilot trace sampling * make gen update * remove fake module * 'istioctl experimental proxy-status': use --authority instead of --xds-san (#25617) * Use --authority instead of --xds-san * Added release note * Reformat release note * Don't need to check in release notes for non-user-facing change * New expected output * Analyze deprecated crs (#25694) * CR deprecation analyzer * Detect deprecated CRs and removed CRDs * Lint * Disable debug logging in CI (#25638) This may just be personal preference, but in my opinion the debug logging obscures the logs we want to look for during failures, and I often find people who are not experts in the integration tests being confused by them. Up until ~1 month ago we did not have debug logging, which I think was the right move personally. * Update Proxy SHA (#25705) Signed-off-by: gargnupur <gargnupur@google.com> * Wait for .wasm file before continuing in update_proxy.sh (#25708) * Update CA API repo and incorporate API changes in Sidecar resource (#25677) * Point the CA proto to istio/api repo. * Merging changes from #25585. * Revert assets.gen.go. * Small fix. * Move the istio/api repo reference back. * Pin to the newest istio/api repo. 
* test framework: ensure centralistio patched pods are ready (#25710) * Update dependencies (#25707) * update dependencies * remove api and proxy update * make gen * rebase * Set release managers as CODEOWNERS for release-1.7 (#25715) * Automator: update istio/api@release-1.7 dependency in istio/istio@release-1.7 (#25717) * Update files for 1.7 (#25759) * update files for 1.7 * change latest to 1.7-dev * update branches in files * Stop publishing latest tags (#25764) * update files for 1.7 * change latest to 1.7-dev * update branches in files * Stop publishing latest tags * Bump proxy SHA (#25772) * [release-1.7] add support of revision for operator commands (#25729) * add support of revision for operator commands * address comments * fix lint Co-authored-by: Xinnan Wen <iamwen@google.com> * Remove ISTIO_CNI variables, they are not used anywhere (#25767) Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> * Automator: update istio/api@release-1.7 dependency in istio/istio@release-1.7 (#25776) * Automator: update common-files@release-1.7 in istio/istio@release-1.7 (#25775) * Automator: update proxy@release-1.7 in istio/istio@release-1.7 (#25777) * [release-1.7] Use standard base image and remove unused dependencies in install-cni Dockerfile (#25756) * Use istio base image for install-cni * Remove use of jq in install-cni e2e tests * Remove unused istio-cni.conf.default file Co-authored-by: Brian Cheung <bscheung@google.com> * add releasenotes for istioctl change for multiple control plane upgrade (#25758) Co-authored-by: Xinnan Wen <iamwen@google.com> * [release-1.7] Set transport version for SDS as well (#25762) * Set transport version for SDS as well * update tests Co-authored-by: John Howard <howardjohn@google.com> * create dynamic release tar url for verify and upgrade msg (#25799) Co-authored-by: shamsher31 <shaansar@redhat.com> * Update base image (#25805) * Automator: update proxy@release-1.7 in istio/istio@release-1.7 (#25810) * update istio-operator 
version to 1.7 (#25828) Co-authored-by: shamsher31 <shaansar@redhat.com> * Automator: update proxy@release-1.7 in istio/istio@release-1.7 (#25836) * Automator: update istio/api@release-1.7 dependency in istio/istio@release-1.7 (#25838) * [release-1.7] Fix a few bugs in security code. (#25856) * Fix a few bugs in security code. 1. isJwtExpired is using the wrong claim. Fixed it and fixed the corresponding test. 2. Token exchanger plugin was not set. 3. Token rotation using old cert should check if CA supports the feature. 4. UseLocalJwt was set incorrectly (should not depend on the value of certPath). * Add unit test for sds agent. * Add UseTokenForCSR flag. * Fix format. Co-authored-by: Limin Wang <liminwang@google.com> * Automator: update proxy@release-1.7 in istio/istio@release-1.7 (#25865) * Remove DNS hacks in dns listener (#25619) (#25795) * fix dns hack Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * enable dns in tests by default Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * fixes and debug Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * remove ignore case Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * checking vm grpc Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * undo test change Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * more undo Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * Revert "checking vm grpc" This reverts commit 9c61504f51b61a8480eea0df3e44ca36078b54e0. * Revert "undo test change" This reverts commit 128db7cb23ea260ad800fc3858c69fa6381964af. 
* temp hack Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * fix tests Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * [release-1.7] Avoid Sidecar Cluster Config Generation for UpstreamClusters when CredentialName is set (#25902) * hack * add tests * lint Co-authored-by: nschhina <navuchhina@live.com> * Update deps (#25881) * [release-1.7] add integration test for operator revision and update uninstall output (#25905) * add integration test for operator revision * fix test * update uninstall output format Co-authored-by: Xinnan Wen <iamwen@google.com> * Fix inaccurate endpointsPendingPodUpdate metric (#25907) This currently will be outdate when an update comes in, and is only updated when the error is retriggered Co-authored-by: John Howard <howardjohn@google.com> * [release-1.7] Remove deprecated manifest apply for 1.7 (#25908) * Remove deprecated manifest apply * Add release note * Update release note Co-authored-by: Brian Avery <bavery@redhat.com> * Fix test and comments Co-authored-by: shamsher31 <shaansar@redhat.com> Co-authored-by: Brian Avery <bavery@redhat.com> * Use strict YAML parsing in validate (#25903) Co-authored-by: Ed Snible <snible@us.ibm.com> * Automator: update proxy@release-1.7 in istio/istio@release-1.7 (#25941) * Explicitly error on cases that can lead to recurisve scraping (#25938) Co-authored-by: John Howard <howardjohn@google.com> * remove (#25948) Co-authored-by: nschhina <navuchhina@live.com> * [release-1.7] Add prometheus operator ServiceMonitor samples (#25953) * Add prometheus operator ServiceMonitor samples * lint * Just istio configs Co-authored-by: John Howard <howardjohn@google.com> * Fix deprecated setting in demo profile (#25958) Partial backport of a massive PR in master. This fixes the deprecation warning when installing with demo profile, and adds a regression test. this has no impact on the generated manifests; the option does nothing. 
* Fix merge conflict (#25972) * [release-1.7] Manual cherry pick 25927 (#25957) * Use encoding/json to decode JSON * Use encoding/json to decode mixer JSON * [release-1.7] Fix the lifetime format used by accesstoken request. (#25994) * Fix the lifetime format used by accesstoken request. * Fix lint and not use the protobuf struct in a struct that is marshalled with json.Marshal Co-authored-by: Tao He <taohe@google.com> * [release-1.7] [kiali] use kiali helm chart when generating the demo addons script (#25984) * use kiali helm chart when generating the demo addons script This converts the gen.sh script to now use the Kiali Helm Chart. The Kiali Helm Chart is currently under review. There is a test chart published that this PR uses. When the first release of the true Kiali Helm Chart is done, we'll change this PR to point to that first release rather than the test SNAPSHOT this PR is currently using. However, because this PR uses a test chart that is published, it can be tested and reviewed for correctness. See the Kiali Operator PR #93 that is introducing the new Helm Chart. [ ] Configuration Infrastructure [ ] Docs [x] Installation [ ] Networking [ ] Performance and Scalability [ ] Policies and Telemetry [ ] Security [ ] Test and Release [ ] User Experience [ ] Developer Infrastructure * add generated kiali.yaml * use the first official helm chart v1.22.0 Co-authored-by: John Mazzitelli <mazz@redhat.com> * Fix regression for Endpoints without pod reference (#25978) (#25985) (cherry picked from commit d5ab2ebfa13107099a6fed596b5201f88ad28d24) * Expand endpoints before pod test to check pod (#26033) This ensures we are actually getting the right pod, and populating the correct service account information. 
It doesn't fix any bug - the code works today, just expanding the testing Co-authored-by: John Howard <howardjohn@google.com> * fixing dns resolution issues (#25964) (#26044) * fixing dns resolution issues Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * more debug Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * wildcard dns listener * shorter timeouts * dns iptables fix * Undo * ndots = 1 Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * lint Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * undo Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * undo * trying dns agent * undo * restore costin's vodoo iptables Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * try envoy dns Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * iptables hack/fix * wildcard dns * qualify tcp vs udp * Revert "qualify tcp vs udp" This reverts commit 307143c9f1ab511a3afd6344ca4bc8b9750fb976. * snat fixes Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * undo Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * wildcard Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * unspam Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * add more tools to base image * fix istioctl * fix iptables - add uid return * remove dot hack in pilot tests * report actual host in test failures * fix vm test dns * global options to enable/disable dns Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * release notes * undo defaults Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * leftover Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * undo * fixups Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * more undo * more undo * make gen Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * exclude uid 0 Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * how about include all uid/gids? 
Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * Add credential fetcher in istio agent (#25614) (#26047) * Add credential fetcher in istio agent. In addition, 1. add logic to handle platform difference in cert provisioning flow. 2. Fix the cert rotation logic to handle token expiration. 3. Fix a bug in isJwtExpired function and fix the correpsonding test. * Move CredFetcher to security option. * pick 937732161 Add credential fetcher in istio agent. pick ce170cb69 Move CredFetcher to security option. * Fix format. * Fix setting platform. * Fixes a few places that set security configuration incorrectly. * Address comments. * Additional fix and formating. * Fix lint. * Fix lint. * Fit typo. * Refactor code. * Fix secretcache test. * Rebase and fix format. * Addressed William's comment. * Reverted unneeded chagnes in help.go. * Address John's comments. * Fix lint and address comments. * Fix lint. * Remove trust domain related changes. * Remove k8s as a credential fetcher type. * Clean up comments and unneeded code. * Fix format. * Update comments. * Fix lint error. * Fit test jwt formating. * Fix format. * Clean up unneeded line. * Fix format. * Removed checking for GCE platform. 
* Fix networking.HTTPMatchRequest.WithoutHeaders conflict detect (#26065) Co-authored-by: xuzhonghu <xuzhonghu@huawei.com> * Automator: update common-files@release-1.7 in istio/istio@release-1.7 (#26067) * Automator: update istio/api@release-1.7 dependency in istio/istio@release-1.7 (#26069) * [release-1.7] properly drain gateway listeners (#26054) * drain all listeners for gateway Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * lint Signed-off-by: Rama Chavali <rama.rao@salesforce.com> Co-authored-by: Rama Chavali <rama.rao@salesforce.com> * Automator: update proxy@release-1.7 in istio/istio@release-1.7 (#26076) * [release-1.7] Update Mixer server to enable Ext-Authz and Access Log Service (#25624) * draft update * copyright * formatting updates * fixed changes * remove print * lint * lint * changes * integration test draft * addressing comments * remove throttler * spacing fix: * renamed getters * minor change * flags * response flags * extra fle * test fix * fix test * fix test * small change * headers * grpc protocol detection * fixes from review * cleaned names * import names * increased unit tests * condensed protobag functionality * clean up member variables * fixed small conversion error * simplified formatting * final small changes * gofmt responseFlagParser * final touches * small change Co-authored-by: Jonathan Kogan <jonathankogan@google.com> * [release-1.7] DestinationRule Analyzer against no caCertificates (#26088) * add test * add release note * oops * add upgradeNotes * update * change to securityNotes Co-authored-by: nschhina <navuchhina@live.com> * Namespace all addons (#26093) https://github.com/istio/istio/issues/26037 Co-authored-by: John Howard <howardjohn@google.com> * [release-1.7] Add ParseToken flag (#26096) * Add ParseToken flag. 1. Parsing token content only if ParseToken flag is true. 2. Simplify getToken logic. 3. Remove redundant secOps in secretCache. * Updated comments. 
Co-authored-by: Limin Wang <liminwang@google.com> * Update deps (#26114) * Update installation guide URL for download Istio candidate (#26113) Co-authored-by: shamsher31 <shaansar@redhat.com> * Fix pilot race errors (#26077) (#26120) (cherry picked from commit 54204592e9d3f3f90cfc9f8c18b503acc9d6d214) * Fix issues in manifests (#26124) Broken out of https://github.com/istio/istio/pull/25363 Helm template was dependant on the current kube-config namespace, and there was an indent issue in the injection Co-authored-by: John Howard <howardjohn@google.com> * Don't claim 'istioctl validate' is deprecated; we can't yet (#26117) Co-authored-by: Ed Snible <snible@us.ibm.com> * ApplyMeshConfig allow overriding with default value (#26129) Fixes https://github.com/istio/istio/issues/25503 Co-authored-by: John Howard <howardjohn@google.com> * [Release 1.7] Manual cherrypick of #25818 (#26137) * manual cherrypick * make gen * release notes * missing newline * [release-1.7] manual add an example of using holdApplicationUntilProxyStarts #26022 (#26149) * manual cherry pick * manual cherry pick - make gen * [release-1.7] fix operator remove (#26156) * fix operator remove * fix test Co-authored-by: Xinnan Wen <iamwen@google.com> * Automator: update proxy@release-1.7 in istio/istio@release-1.7 (#26165) * Automator: update istio/api@release-1.7 dependency in istio/istio@release-1.7 (#26166) * [kiali] use the new kiali server helm chart (#26163) (#26170) (cherry picked from commit f03d473014b78797700f12a2f91b7bffa7fc3572) # Conflicts: # manifests/addons/values-kiali.yaml # samples/addons/kiali.yaml * Rename manifest apply to install (#26167) Co-authored-by: shamsher31 <shaansar@redhat.com> * add mwc v1beta1 api to runtime scheme (#26193) Co-authored-by: Tariq Ibrahim <tariq181290@gmail.com> * Automator: update proxy@release-1.7 in istio/istio@release-1.7 (#26179) * [release-1.7] add max program size back (#26196) * add max program length back Signed-off-by: Rama Chavali 
<rama.rao@salesforce.com> * fix test Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * add docs Signed-off-by: Rama Chavali <rama.rao@salesforce.com> Co-authored-by: Rama Chavali <rama.rao@salesforce.com> * Remove SDS Timeout for default and root case (#26194) Co-authored-by: Aditya Prerepa <adiprerepa@gmail.com> * [release-1.7] Extra Envoy Access Log Attribute and Bag Preprocess Fix (#26197) * initial update * improved comment * comment nit Co-authored-by: Jonathan Kogan <jonathankogan@google.com> * remove istio-validation container when running istioctl rm (#26190) Co-authored-by: Tariq Ibrahim <tariq181290@gmail.com> * Automator: update proxy@release-1.7 in istio/istio@release-1.7 (#26207) * [release-1.7] Fix duplicate SDS resource (#26241) * Fix duplicate SDS resource * fix golden Co-authored-by: John Howard <howardjohn@google.com> * update version of prune list (#26245) Co-authored-by: Xinnan Wen <iamwen@google.com> * [release-1.7] Refresh token periodically through credential fetcher (#26251) * Refresh token periodically through credential fetcher. * Format. * Updated error message. Co-authored-by: Limin Wang <liminwang@google.com> * Automator: update istio/api@release-1.7 dependency in istio/istio@release-1.7 (#26247) * [Release-1.7] Enable TCP Telemetry v2 export via Stackdriver filter (#25646) (#26268) * Enable TCP Telemetry v2 export via Stackdriver filter (#25646) * Enable TCP Telemetry v2 export via Stackdriver filter Fix context and vm_id Add test using fake SD and telemetryv2_1.8.yaml Enable TCP Telemetry v2 export via Stackdriver filter Fix context and vm_id Fix istio.deps added Enable TCP Telemetry v2 export via Stackdriver filter Fix context and vm_id Add test using fake SD and telemetryv2_1.8.yaml Enable TCP Telemetry v2 export via Stackdriver filter Fix context and vm_id Fixed based on feedback Debug TCP test.. 
* Fix lint error * Debug test * Fix test after rebase * fix test * Automator: update common-files@release-1.7 in istio/istio@release-1.7 (#26272) * Automator: update common-files@release-1.7 in istio/istio@release-1.7 (#26278) * added grpc keepalive params to gcp_envoy_bootstrap (#26274) Signed-off-by: Yutong Li <yutongli@google.com> Co-authored-by: Yutong Li <yutongli@google.com> * Automator: update istio/api@release-1.7 dependency in istio/istio@release-1.7 (#26279) * [Release-1.7] Update Proxy SHA (#26030) (#26269) * Update Proxy SHA (#26030) Signed-off-by: gargnupur <gargnupur@google.com> Update Proxy SHA after the fix in proxy Signed-off-by: gargnupur <gargnupur@google.com> * Add extra fields in tcp test too Signed-off-by: gargnupur <gargnupur@google.com> * Update SHA * [release-1.7] change the PARSE_TOKEN to skipParseTokenEnv and fix the isTokenExpired logic issue (#26295) * set the PARSE_TOKEN default value to true * change parse Token to skipparsetoken and use default value false * fix lint * add testexpiredtoken * rephrase description * fix lint * fix lint Co-authored-by: williamaronli <fengxiangli@google.com> * Automator: update proxy@release-1.7 in istio/istio@release-1.7 (#26288) * Revert "update MutatingWebhook apiVersion to v1 and other minor fixes (#24723)" (#26285) (#26310) Retain "add mwc v1beta1 api to runtime scheme (#26187)" This reverts commit 1772c281 (cherry picked from commit 02210d3452acdc782cd842f1560621c8504d50c2) * Don't parse null IstioOperator overlays (#26305) Co-authored-by: Ed Snible <snible@us.ibm.com> * add namespace flag for istioctl dashboard (#26319) Co-authored-by: Xinnan Wen <iamwen@google.com> * Update dependencies (#26322) * [release-1.7] Update kiali in profiles (#26326) Matching what is in addons * Fix release notes (#26342) * Automator: update proxy@release-1.7 in istio/istio@release-1.7 (#26344) * Add filter configuration override to telemetry v2 (#26286) (#26351) * Add filter configuration override to telemetry v2 * 
fix * Fix regression in gateway name resolution (#26353) Fixes https://github.com/istio/istio/issues/26264 Co-authored-by: John Howard <howardjohn@google.com> * Fix description for istioctl verify-install (#26359) Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> * [release-1.7] istioctl: Emit a warning if Kubernetes version is not minimum (#26364) Manual cherry-pick of https://github.com/istio/istio/pull/26145 This is to avoid proceed with the installation and present the user with criptograpyic messages like `Istio core encountered an error: failed to wait for resource: failed to verify CRD creation: the server could not find the requested resource` * [release-1.7] Change Info log to debug log to avoid log span. (#26368) * Change Info log to debug log to avoid log span. * Change error to warning if fail to get a new token. * Add logprefix. Co-authored-by: Limin Wang <liminwang@google.com> * [release-1.7] Cherry-pick fix for CVE ISTIO-SECURITY-2020-009 (#26374) * fix authz suffix matching in TCP (#29) * update the tests (#31) * Run gofmt Co-authored-by: Yangmin Zhu <ymzhu@google.com> Co-authored-by: Jacob Delgado <jacob.delgado@volunteers.acasi.info> * add forward compatibility with k8s admissions api v1 (#26312) (#26383) * add forward compatibility with k8s admissions api v1 * add support for v1 and v1beta1 AdmissionReview versions * use admission API adapter in validating webhooks (cherry picked from commit c4a14db008d6546d27b00d7318e3100eda8e2603) * Update release notes to use arrays (#26384) * Make notes arrays * Update readme * cherry pick 1.7: sync initial resources in order when starting registry (#26142) (#26394) * Refactor benchmark test (#25671) * Refactor benchmark test This aligns with the new FakeDiscoveryServer to reduce code duplication * fix * Fix index refresh (cherry picked from commit f865b0104ef189950510d498ca4682bb9143b488) * test kube ServiceRegistry in xds_test (#25698) * allow using k8s objects in xds_test * setup node for fake kube 
service discovery * setup mesh networks to use kube controller instead of just serviceentry * format * correct cluster name in assertions * setup network watcher and pass xds updater * fix rebase fails * more rebase fail * lint * resync endpoints to deal with race * fix rename errors * more fakeController errors * fix error text for ResyncEndpoints * formatting * allow empty ObjectString * rename * also test serviceentry * format (cherry picked from commit 9fb131793daa14e5684d66abeaa1475d0aab2187) * add: ensure envoys can only connect after caches have been synced (#25733) * add caches synced to readiness probe Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * reject connections till caches are synced Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * lint and unit tests Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * call isserver ready Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * rename Signed-off-by: Rama Chavali <rama.rao@salesforce.com> (cherry picked from commit fbfd7ba3e885c4665bcc46bd24b831f854422bbf) * fix NodePort services for meshNetworks gateway (#25990) * create test cases for different ingress Service types * fix by NOT requiring node selector * Revert "fix by NOT requiring node selector" * fix by requiring NodeSelector annotation * add release notes * import lint (cherry picked from commit 64f0b0f07090225ce755dd10e89941bb61678128) * fix mesh network flakes (#26085) * fix race when merging Service aggregate * dont skip * re-initialize push context * force sync all k8s resources * fix contention on context (cherry picked from commit 26e59e87ffe2a7d72e6872e903c5c6f080ef4aab) * sync initial resources in order when starting registry (#26142) * remove hack for registry init in test * simple force-sync before marking ready * sync lock * wait for sync in fake * check index for latest object whe processing queue * ensure all cluster registries are synced * nil check mulitcluster * remove todosa (cherry picked from commit 
096aff3545f9ccffb8ec974f2afae10775d5ae36) Co-authored-by: John Howard <howardjohn@google.com> Co-authored-by: Rama Chavali <rama.rao@salesforce.com> * manually cherry-pick of #25589 (#26399) * Cherry-pick 1.7: Fix remote clusters when caAddress is not specified (#26334) (#26421) The installation of remote clusters now requires manually setting `caAddress`. This breaks our docs and is a general regression WRT multi-cluster installation. This change manually sets `CA_ADDR` correctly based on the existence of `caAddress`. It also reverts changes to tests to manually specify `caAddress`, so that the tests are more closely aligned with what we're telling users to do. Fixes #26325 * log warning if prune list is empty (#26417) Co-authored-by: Xinnan Wen <iamwen@google.com> * [release-1.7] reload services and endpoints when networks change (#26236) (#26424) * reload services and endpoints when services change (#26236) (cherry picked from commit 1b626657fc015252eee12ecd71d7c4e30e9d83c4) * cleanup networks resync and add tests (#26249) (cherry picked from commit 613b95e3c56e44b5c1413490ce86a34080b34b15) * fix race when reloading kube controller networks (#26290) * fix race when reloading kube controller networks * synchronize access to env push context (cherry picked from commit eb44fe2b4c1ae45af38107e3a4bbe3b775d0bf85) * dont test reloading meshNetworks in xds_test (#26331) (cherry picked from commit 1c7c2f1b020ae21188445e4c812f01c971a554af) * Cherry-pick 1.7: Change sample cross-network port to 15443 (#26389) (#26422) Goal is to not mix TLS and mTLS on the same port. TLS is on 443, mTLS is on 15443. 
* cherrypick (#26441) * grant read permission to component in the same group (#26444) Co-authored-by: Jimmy Chen <yinjie@google.com> * Log error that prevented authenticator from accepting XDS connection (#26430) Co-authored-by: Ed Snible <snible@us.ibm.com> * [release-1.7] Mixer Server Integration Tests (#26363) * first changes * small fix * test renames * added tests * formatting and test name * log test * lint * field updates * lint * small change * small chaneg * als test * als test * test fix * gofmt * destination.ip fix * fmt * test new metric * fixes * gofmt * unit test fix * small fixes * added line * added line * gofmt Co-authored-by: Jonathan Kogan <jonathankogan@google.com> * fix some ux problems of uninstall (#26455) Co-authored-by: Xinnan Wen <iamwen@google.com> * Fix egressgateway ports (#26461) Cannot bind to port 80/443 since we run as non root by default Co-authored-by: John Howard <howardjohn@google.com> * Update Mongo version (#26447) Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> * add warnings for gateway during uninstall (#26490) Co-authored-by: Xinnan Wen <iamwen@google.com> * Automator: update istio/api@release-1.7 dependency in istio/istio@release-1.7 (#26494) * Allow unknown fields in the old-ver IstioOperator when running istioctl upgrade (#26497) * Automator: update proxy@release-1.7 in istio/istio@release-1.7 (#26512) * A vm specific makefile - stright copy from 1.6.8 (#26515) This makefile has been extensively tested, 4 or 5 times, and was the original plan from the workgroup leads meeting and environments meeting. We will have two makefiles for now, until we can conslidate the various makefile operations around certs and tokens into one makefile. 
Co-authored-by: Steve Dake <sdake@ibm.com> * Automator: update proxy@release-1.7 in istio/istio@release-1.7 (#26529) * [release-1.7] Dashboard is no longer experimental (#26560) * Dashboard is no longer experimental * Remove unused code to fix lint Co-authored-by: shamsher31 <shaansar@redhat.com> * Automator: update proxy@release-1.7 in istio/istio@release-1.7 (#26592) * [release-1.7] Apply standard prom annotations in manual injection mode (#26593) * implement prometheus merge and apply standard prom annotations * fix test * comment * fix test Co-authored-by: Pengyuan Bian <bianpengyuan@google.com> * [release-1.7]Use k8s strategic merge lib for IOP overlays (#26289) (#26521) * Use k8s strategic merge lib for IOP overlays (#26289) * Use k8s strategic merge lib for IOP overlays * Fix some tests * Restore edited values_types generated file * Lint * Add tests, some missing merge paths * Add missing gateways names to various tests * Lint * move configOverride to file directly instead of set override Co-authored-by: Xinnan Wen <iamwen@google.com> * fix test for 1.7 * Remove some unneded fields, fix missing name key * Fix spacing Co-authored-by: Martin Ostrowski <mostrowski@google.com> * [release-1.7] add e2e tests for trust domain validation (#26659) * Fix NONE resolution ServiceEntry (#26619) (#26665) * Fix NONE resolution ServiceEntry Fixes https://github.com/istio/istio/issues/25844 * Clean up 0 instances logic for label selector (cherry picked from commit bd6d9eceb1565b6fbfb2586dec7b4ac154e2d1cc) * [1.7] Validate Gateway specs attempting to bind with <1024 port without root (#26699) (#26710) * Validate Gateway specs attempting to bind with <1024 port without root (#26699) * Add validation * Update golden files * Address comments (cherry picked from commit 02863894d52871e76364b5ae88697b2710d401eb) * fix * Bump base image (#26714) * Read GKE_CLUSTER_URL from GCP Metadata server (#26671) Co-authored-by: Tao He <taohe@google.com> * feat:istioctl x add-to-mesh and 
remove-from-mesh Should not affect OwnerReferences (#26771) Co-authored-by: tanjunchen <tanjunchen20@gmail.com> * Update auto-mtls-headless.yaml (#26525) fix a typo * Fix doc typo (#26613) Co-authored-by: Ed Snible <snible@us.ibm.com> * [release-1.7] fix serviceaccount mismatch issue for operator. (#26761) * fix serviceaccount mismatch issue for operator. * fix operator tests. Co-authored-by: morvencao <morvencao@gmail.com> * Fix headless svc instances scale (#26636) (#26680) * Fix configupdate for service * Add unit test * add release-note * [release-1.7] cache readiness state with TTL (#26743) * remove stats filter in readiness probe Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * cache readiness state with a TTL Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * revert the parse state change Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * rename variable Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * add tests Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * make readiness timeout configurable Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * lint Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * continuously check for readiness on failure Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * lint Signed-off-by: Rama Chavali <rama.rao@salesforce.com> Co-authored-by: Rama Chavali <rama.rao@salesforce.com> * manual backport of 25966 (#26768) Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * [release-1.7] allow specifying network for cluster without meshNetworks being configured (#26650) * allow specifying network without meshNetworks fully configured * remove redundant slice alloc and add safety check for clusterID * move cluster id check * set clustername to match in tests * isControllerForProxy Co-authored-by: Steven Landow <landow@google.com> * filter out cross-network non mTLS lb eps (#26486) (#26723) * filter out cross-network non mTLS lb eps * release note * format * set service account on xds_test 
servieentry ep * remove dr * release note wording (cherry picked from commit 755e6411530817897cfb0437d44da06b150aad48) * remove all injected volumes when running remove-from-mesh/uninject (#26784) Co-authored-by: Tariq Ibrahim <tariq181290@gmail.com> * Automator: update istio/api@release-1.7 dependency in istio/istio@release-1.7 (#26810) * [release-1.7] handle custom sni in bootstrap clusters (#26685) * handle custom tls sni in bootstrap Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * fix ut Signed-off-by: Rama Chavali <rama.rao@salesforce.com> Co-authored-by: Rama Chavali <rama.rao@salesforce.com> * remove-from-mesh should also restore rewritten app probes (#26808) Co-authored-by: Tariq Ibrahim <tariq181290@gmail.com> * [release-1.7] Fix RPM post-install script (#26832) * Fix RPM post-install script * fix lint * fix comments * Change location of sudoer assignment Co-authored-by: Jason Wang <jasonwzm@gmail.com> * Automator: update istio/api@release-1.7 dependency in istio/istio@release-1.7 (#26928) * remove cni initContainers and volumes in remove-from-mesh (#26812) (#26840) (cherry picked from commit 707b28d8b8e6dac582f55fe40403109f4d3cbb4e) * apply rewrite probe patch before re-ordering containers (#26898) (#26942) (cherry picked from commit 31213a84d95d3cc67478222b16e84fcee0c990f1) * [release-1.7] cleanup services when removing cluster secret (#26931) * cleanup services when removing cluster secret * release note Co-authored-by: Steven Landow <landow@google.com> * [release 1.7] fix istioctl authz check to print authz policies applied in pod (#26676) * [release 1.7] fix istioctl authz check to print authz policies applied in pod (#26625) * fix istioctl authz check for gateway * add update permission to servicemonitor. 
(#26977) * Automator: update istio/api@release-1.7 dependency in istio/istio@release-1.7 (#27000) * [Release 1.7] Fix eds: when endpoint occur later than svc, the eds cache will not updated (#26985) * Fix bug: service occur later than endpoint * add release note * Fix relase note * Several small fixes to mixer envoy ext authz and gRPC access log API support (#26952) * several small fixes to mixer envoy ext authz and gRPC access log API support. * fix test * update * Automator: update istio/api@release-1.7 dependency in istio/istio@release-1.7 (#27051) * [release-1.7] Large index or -1 inserts at the end of list (#26896) * Large index or -1 inserts at the end of list * Fix test Co-authored-by: Martin Ostrowski <mostrowski@google.com> * Automator: update proxy@release-1.7 in istio/istio@release-1.7 (#27077) * Manual cherrypick of #27075 (#27082) * [release-1.7] Update example command to use non-deprecated flags (#27124) * Update example command to use non-deprecated flags * update example Co-authored-by: shamsher31 <shaansar@redhat.com> * Remove clusterrole and clusterrolebinding during istioctl operator remove (#27127) Co-authored-by: shamsher31 <shaansar@redhat.com> * Revert "Remove clusterrole and clusterrolebinding during istioctl operator remove (#27127)" (#27131) This reverts commit 6eb190d5b18f5680fbc10d8d9ff74a03becb1ec6. * Fix Kiali RBAC and bump to latest stable version that is compatible with Istio 1.7+ (#27126) * Kiali: Bump minor version to 1.23 Signed-off-by: dntosas <ntosas@gmail.com> * Kiali: Add rbac.istio.io apiGroup to clusterRoles Newer versions of Kiali that are compatible with Istio 1.7 require some additional permissions on the utilized clusterRoles. In this commit, we include the missing apiGroup to corresponding Kiali manifests. Signed-off-by: dntosas <ntosas@gmail.com> * Kiali: Switch to anonymous auth strategy In newer versions of Kiali that are compatible with Istio 1.7, auth login strategy has been removed thus not supported. 
In this commit, we are migrating to anonymous auth strategy which is also Kiali's default one. Signed-off-by: dntosas <ntosas@gmail.com> * Kiali: Add releaseNote Signed-off-by: dntosas <ntosas@gmail.com> * Fix eds: gateways missing endpoint instances of headless service (#27120) * Automator: update proxy@release-1.7 in istio/istio@release-1.7 (#27158) * Trim job suffix to extract out cron job name for workload metadata (#27195) (#27253) * special case cron job processing in webhook * update * Add quotes in log sampling config and add it in the stackdriver test (#27007) (#27212) Signed-off-by: gargnupur <gargnupur@google.com> * cache envoy readiness value (#27263) Signed-off-by: Rama Chavali <rama.rao@salesforce.com> Co-authored-by: Rama Chavali <rama.rao@salesforce.com> * [release-1.7] Fix and test startup probe (#27172) * Fix and test startup probe Fixes https://github.com/istio/istio/issues/26814 * Fix unit tests Co-authored-by: John Howard <howardjohn@google.com> * Automator: update istio/api@release-1.7 dependency in istio/istio@release-1.7 (#27256) * Automator: update proxy@release-1.7 in istio/istio@release-1.7 (#27258) * [release-1.7] do not apply locality load balancer settings for inbound clusters (#27352) * manual cherrypick of 27295 Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * add release notes Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * fix compile Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * manual cherry-pick of #26729 (#27366) * manual cherry-pick of #26729 * port unit tests * release note * Istiod/Pilot is the only control plane pod (#27357) Co-authored-by: Ed Snible <snible@us.ibm.com> * cherry pick 27358. (#27381) * cherry pick 27358. * fix lint. 
* [1.7] Fix WorkloadEntry Updates (#27336) * wip * Skip if not using workload entry * Proper testing * fix lint * fix race * docs: update Istio update instructions Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> * fix merge mistake Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> * ci: former `istio/cni` has been moved into `istio/istio`; no more need in a separate build Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> * Patch for issue #27427 (#27460) * default min TLS version and configure cipher suites (#27613) Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * update UPSTREAM-SHA Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> * revert #136 and #137 in favour of upstream change #27613 Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> * Add security note for CVE-2020-25017 * Update istio.deps with new proxy sha * Update base image * Automator: update common-files@master in istio/istio@master (#26664) * Revert CRDs move to v1, move back to v1beta1 (#26587) * Revert 7c551404a38c3d61f7816053daede956cb4756ce * fixes * fixes * fixes * fixes * Revert setup_env.sh changes * Update CRDs * update artifacts * update analyzers * revert changes in update_crds * fix indentation in update_crds Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> * ci: fix build on CircleCI Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> * ci: build on both branches and tags Co-authored-by: Istio Automation <istio-testing-bot@google.com> Co-authored-by: John Howard <howardjohn@google.com> Co-authored-by: Brian Avery <bavery@redhat.com> Co-authored-by: Justin Wei <justinwei2@gmail.com> Co-authored-by: Justin Wei <juswei@google.com> Co-authored-by: Yuchen Dai <silentdai@gmail.com> Co-authored-by: Xinnan Wen <iamwen@google.com> Co-authored-by: Pengyuan Bian <bianpengyuan@google.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Navraj Singh Chhina <navuchhina@live.com> Co-authored-by: Rama Chavali <rama.rao@salesforce.com> 
Co-authored-by: Ed Snible <snible@us.ibm.com> Co-authored-by: Gregory Hanson <gihanson@us.ibm.com> Co-authored-by: Steven Landow <steven@stlcomputerservices.com> Co-authored-by: Tariq Ibrahim <tariq181290@gmail.com> Co-authored-by: Liam White <liam@tetrate.io> Co-authored-by: williamaronli <64571891+williamaronli@users.noreply.github.com> Co-authored-by: Shriram Rajagopalan <rshriram@users.noreply.github.com> Co-authored-by: Xiang Dai <long0dai@foxmail.com> Co-authored-by: Zhonghu Xu <xuzhonghu@huawei.com> Co-authored-by: Shamsher Ansari <shaansar@redhat.com> Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> Co-authored-by: Brian Cheung <bscheung@google.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: Mitch Connors <mitchconnors@gmail.com> Co-authored-by: VariableExp0rt <62133605+VariableExp0rt@users.noreply.github.com> Co-authored-by: jacob-delgado <jacob.delgado@volunteers.acasi.info> Co-authored-by: Nupur Garg <37600866+gargnupur@users.noreply.github.com> Co-authored-by: Iris <irisdingbj@gmail.com> Co-authored-by: Steven Dake <sdake@ibm.com> Co-authored-by: Lin Sun <linsun@us.ibm.com> Co-authored-by: Douglas Reid <douglas-reid@users.noreply.github.com> Co-authored-by: Oliver Liu <yonggangl@google.com> Co-authored-by: Jimmy Chen <28548492+JimmyCYJ@users.noreply.github.com> Co-authored-by: Limin Wang <liminwang@google.com> Co-authored-by: Tao He <taohe@google.com> Co-authored-by: John Mazzitelli <mazz@redhat.com> Co-authored-by: Jonathan Kogan <jgkogan99@gmail.com> Co-authored-by: Jonathan Kogan <jonathankogan@google.com> Co-authored-by: Aditya Prerepa <adiprerepa@gmail.com> Co-authored-by: Yutong Li <yutongli@google.com> Co-authored-by: williamaronli <fengxiangli@google.com> Co-authored-by: Yangmin Zhu <ymzhu@google.com> Co-authored-by: mandarjog <mjog@google.com> Co-authored-by: Nathan Mittler <nmittler@gmail.com> Co-authored-by: Jimmy Chen <yinjie@google.com> Co-authored-by: Tao HE <1579288+elfinhe@users.noreply.github.com> 
Co-authored-by: Martin Ostrowski <mostrowski@google.com> Co-authored-by: tanjunchen <tanjunchen20@gmail.com> Co-authored-by: craigbox <craigbox@google.com> Co-authored-by: morvencao <morvencao@gmail.com> Co-authored-by: Steven Landow <landow@google.com> Co-authored-by: Jason Wang <jasonwzm@gmail.com> Co-authored-by: Jim Ntosas <ntosas@gmail.com> Co-authored-by: aattuluri <44482891+aattuluri@users.noreply.github.com> Co-authored-by: Nikolay Pshenichnyy <nikolay-pshenichny@users.noreply.github.com>
Committing files which I had forgotten to push in my earlier PRs. I was wondering why my master builds were working and not the release ones. :facepalm:
[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ ] Security
[ ] Test and Release
[X] User Experience
[ ] Developer Infrastructure
Pull Request Attributes
Please check any characteristics that apply to this pull request.
[ ] Does not have any changes that may affect Istio users.