@costinm costinm commented Apr 20, 2017

The change seems to allow manager and ingress to start if RBAC is enabled, see
istio/old_pilot_repo#561

I haven't tested if the change breaks non-RBAC yet :-), and most likely a more restricted
scope should be used. Also not sure in which file to define the service account, it is
used by manager in both istio-manager and istio-ingress. Or maybe 2 service accounts
should be used, for more granularity? I'm new to this...

@istio-testing

Jenkins job istio/presubmit passed

costinm commented Apr 21, 2017

Updated the change to avoid breaking non-RBAC, instead a script will modify the configs and append the
rbac role bindings.

The generated file should be checked in - to allow easy installation (using kubectl -f https://... )

@istio-testing

Jenkins job istio/presubmit passed

costinm commented Apr 21, 2017

Few more comments:

  • Jenkins should have failed, the original change clearly doesn't work on non-RBAC.
  • still bad - the permission granted is too broad, need the narrowest permission that manager requires,
    likely read/monitor. Not clear if ingress and manager have the same needs - I would expect ingress to
    need access to (domain) TLS certs and only read pod info, while the manager job has no need
    to access the private TLS keys.

@istio-testing

Jenkins job istio/presubmit passed

@kyessenov

Can you make sure that manager tests pass with RBAC? The manager test suite is more comprehensive.

@istio-testing

Jenkins job istio/presubmit passed

costinm commented Apr 21, 2017

Talked with sebastienvas and andraxylia.

Jenkins is actually testing with a 1.6 cluster - which likely ignores (or doesn't enforce) the RBAC configs.
What would break with my change is older versions.

There is already a script to update version in the yaml file - the plan is to merge my script with that
one, and check in the generated files.

For naming - it'll not use 'rbac', but 1.6, because the merged file is intended for 1.6+. Will also
generate a merged file for pre-1.6 - not sure what's the best name, will go with 1.5 unless reviewers
have a better name.

@istio-testing

Jenkins job istio/presubmit passed

namespace: default
roleRef:
kind: ClusterRole
name: cluster-admin
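
Review bot: `name: cluster-admin` under `roleRef` grants every verb on every resource to whatever subject this binding names, and the `namespace: default` line above it hard-codes the namespace. Point `roleRef` at a ClusterRole that lists only the resources and verbs manager uses, and avoid fixing the namespace to `default` if the install is meant to work in other namespaces.
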
Member

I'm worrying that we are giving it cluster-admin role. This is against the principle of least privilege. We should find out a minimum set of permissions required to run manager.

Contributor Author

Agreed, I'm testing with admin for the namespace only - and using separate accounts for
proxy and manager.

Ideally ingress will only have read access, plus restricted access to secrets, and manager
may need read/write access - I don't know if it can be narrowed to specific resources.

I think most important is restricting ingress - since it's exposed to outside access, and
second priority to make sure the sensitive ingress TLS certs are only visible to the ingress
server (since access to them allows intercepting all ingress traffic)
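
The concerns raised in this review (a `cluster-admin` binding, and TLS secrets that should be visible only to ingress) can be checked mechanically before a manifest is merged. The following is an added example, not code from this pull request; the service account names, the `ingress-tls` secret name and the rule contents are constructed placeholders.

```python
# Added example (not from the pull request): audit RBAC objects for the grants
# this review objects to. All object names below are constructed placeholders.

def subject_id(subject):
    """Stable key such as 'ServiceAccount:default/istio-manager-sa'."""
    return "%s:%s/%s" % (subject["kind"], subject.get("namespace", ""), subject["name"])


def rule_findings(rule, subject, secret_readers):
    """Return finding codes for one PolicyRule granted to one subject."""
    verbs = rule.get("verbs", [])
    resources = rule.get("resources", [])
    groups = rule.get("apiGroups", [])
    codes = []
    if "*" in verbs or "*" in resources or "*" in groups:
        codes.append("WILDCARD")
    # Secrets live in the core API group, written as "" in RBAC rules.
    core = "" in groups or "*" in groups
    if core and ("secrets" in resources or "*" in resources):
        if subject not in secret_readers:
            codes.append("SECRETS_EXPOSED")      # subject should not see secrets at all
        elif not rule.get("resourceNames"):
            codes.append("SECRETS_UNSCOPED")     # allowed reader, but every secret
    return codes


def audit(objects, secret_readers=frozenset()):
    """Return sorted (subject, code) findings for a list of RBAC objects."""
    roles = {}
    for obj in objects:
        if obj["kind"] in ("Role", "ClusterRole"):
            ns = obj["metadata"].get("namespace", "") if obj["kind"] == "Role" else ""
            roles[(obj["kind"], ns, obj["metadata"]["name"])] = obj.get("rules", [])
    findings = set()
    for obj in objects:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = obj["roleRef"]
        # A Role is looked up in the binding's own namespace; a ClusterRole has none.
        ns = obj["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
        rules = roles.get((ref["kind"], ns, ref["name"]))
        for subject in obj.get("subjects", []):
            sid = subject_id(subject)
            if ref["kind"] == "ClusterRole" and ref["name"] == "cluster-admin":
                findings.add((sid, "CLUSTER_ADMIN"))    # built-in superuser role
            elif rules is None:
                findings.add((sid, "UNRESOLVED_ROLE"))  # cannot judge what is granted
            else:
                for rule in rules:
                    for code in rule_findings(rule, sid, secret_readers):
                        findings.add((sid, code))
    return sorted(findings)


def sa(name):
    """Constructed service account subject in the 'default' namespace."""
    return {"kind": "ServiceAccount", "namespace": "default", "name": name}


MANAGER, INGRESS = sa("istio-manager-sa"), sa("istio-ingress-sa")

# Constructed "before": both components bound to cluster-admin.
BEFORE = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "istio-admin"},
     "subjects": [MANAGER, INGRESS],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]

# Constructed "after": separate accounts, manager limited to the cluster-wide
# ThirdPartyResource type plus read access, ingress limited to one named secret.
AFTER = [
    {"kind": "ClusterRole", "metadata": {"name": "istio-manager"}, "rules": [
        {"apiGroups": ["extensions"], "resources": ["thirdpartyresources"],
         "verbs": ["get", "list", "create"]},
        {"apiGroups": [""], "resources": ["pods", "services", "endpoints"],
         "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "istio-manager"},
     "subjects": [MANAGER],
     "roleRef": {"kind": "ClusterRole", "name": "istio-manager"}},
    {"kind": "Role", "metadata": {"name": "istio-ingress", "namespace": "default"}, "rules": [
        {"apiGroups": [""], "resources": ["pods", "services", "endpoints"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
         "resourceNames": ["ingress-tls"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "istio-ingress", "namespace": "default"},
     "subjects": [INGRESS],
     "roleRef": {"kind": "Role", "name": "istio-ingress"}},
]

# Only ingress is expected to read secrets, as argued in the comment above.
SECRET_READERS = frozenset([subject_id(INGRESS)])

if __name__ == "__main__":
    for label, objs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(objs, SECRET_READERS))
```
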

costinm changed the title from "DO NOT MERGE: adding RBAC roles" to "Add support for 1.6 with RBAC." Apr 21, 2017
@andraxylia

Can you please change the script so that istio-ca is not concatenated to the main istio file. The latest decision is to enable auth separately.

costinm commented Apr 24, 2017

Andra: removed istio-ca. I'm still generating a 3rd file with authPolicy:MUTUAL_TLS and the auth included,
to make it easier to test that mode, will remove it if anyone objects.

Current blocker is getting the narrower permission - manager is using TPR, which is a cluster-wide resource - and I can't find the magic mapping of apiGroups/resources.
I'm going to try with the nonResourceURL and match the URLs
(https://kubernetes.io/docs/api-reference/v1.6/#thirdpartyresource-v1beta1-extensions).

Worst case: we can use cluster-admin, it's not worse than what we have if RBAC is off. I confirmed
that namespace admin doesn't work (due to TPR not being namespaced).

costinm commented Apr 24, 2017

cluster-admin removed, finer grained access - can be refined further but should be good enough for alpha.

Not tested: auth and secrets access.

PTAL.

@istio-testing

Jenkins job istio/presubmit passed

andraxylia changed the title from "Add support for 1.6 with RBAC." to "Add support for 1.6 with RBAC and change install to use one file." Apr 24, 2017

costinm commented Apr 24, 2017

Solved for now by granting the default user permissions to read istio config. Long term we'll need a better way to split sidecar permissions - but more design/implementation is needed.

Tested the change with 1.6 with and without rbac and on GKE with 1.5.

@costinm costinm merged commit a2049c9 into istio:master Apr 24, 2017
sebastienvas added a commit that referenced this pull request Apr 27, 2017
* update version for testing (#147)

Also update quota descriptors

* Update copyright.

* use lowercase zipkin trace headers (#152)

* Add support for 1.6 with RBAC and change install to use one file. (#150)

* Added RBAC roles and bindings
* Script to generate merged configs for 1.5 and 1.6 - the 1.6 works with rbac on or off.

To avoid confusion, auth will be added in separate PR

* Update the tag for manager/proxy containers

* Port forward manager service and enable istio manager env var

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Run service port-forward in the background and tidy it up

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Add yaml template for manager into istio-16.yaml

* Remove errant local

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Add apiserver to istio manager deploy

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* added egress proxy to istio install folder to be referenced by istio.io docs

* bug fix

* Remove apiserver address

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Add apiserver and egress

* Small doc updates. (#163)
sebastienvas pushed a commit that referenced this pull request May 3, 2017
…etup istioctl (#175)

* update version for testing (#147)

Also update quota descriptors

* Update copyright.

* use lowercase zipkin trace headers (#152)

* Add support for 1.6 with RBAC and change install to use one file. (#150)

* Added RBAC roles and bindings
* Script to generate merged configs for 1.5 and 1.6 - the 1.6 works with rbac on or off.

To avoid confusion, auth will be added in separate PR

* Update the tag for manager/proxy containers

* Port forward manager service and enable istio manager env var

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Run service port-forward in the background and tidy it up

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Add yaml template for manager into istio-16.yaml

* Remove errant local

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Add apiserver to istio manager deploy

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* added egress proxy to istio install folder to be referenced by istio.io docs

* bug fix

* Separate Istio CA installation from default.

Istio CA should not be installed by default.

Created istio-cluster-ca.yaml and istio-namespace-ca.yaml for deploying the
per-cluster and per-namespace CAs, so that users do not need to modify the files
for different use cases.

* Remove apiserver address

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Add apiserver and egress

* Fix Istio CA files to create namespace.

* Update one-off auth yaml files.

* Small doc updates. (#163)

* Improve Istio one-off yaml files for Istio auth.

* Fix links.

* Up the blanked rl to 5000, so it does not interfere with tests (#167)

* Rename istio-ingress-controller to istio-ingress

* Changed labels for ingress and ingress

* update to rule schema to reflect switch from double to duration (#168)

* update to rule schema to reflect switch from double to duration
* pointed to my dockerhub
* Updating istio version

* Regenerate

* Change in scripts

* Install istio from istio-install, add os x support and add setupIstioctl

* fix linter

* Get rule files from demos/apps, istioctl cleanable and comments fix

* small change

* appManager cleanablization
sebastienvas added a commit that referenced this pull request May 3, 2017
* update version for testing (#147)

Also update quota descriptors

* Update copyright.

* use lowercase zipkin trace headers (#152)

* Add support for 1.6 with RBAC and change install to use one file. (#150)

* Added RBAC roles and bindings
* Script to generate merged configs for 1.5 and 1.6 - the 1.6 works with rbac on or off.

To avoid confusion, auth will be added in separate PR

* Update the tag for manager/proxy containers

* Port forward manager service and enable istio manager env var

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Run service port-forward in the background and tidy it up

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Add yaml template for manager into istio-16.yaml

* Remove errant local

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Add apiserver to istio manager deploy

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* added egress proxy to istio install folder to be referenced by istio.io docs

* bug fix

* Separate Istio CA installation from default.

Istio CA should not be installed by default.

Created istio-cluster-ca.yaml and istio-namespace-ca.yaml for deploying the
per-cluster and per-namespace CAs, so that users do not need to modify the files
for different use cases.

* Remove apiserver address

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Add apiserver and egress

* Fix Istio CA files to create namespace.

* Update one-off auth yaml files.

* Small doc updates. (#163)

* Improve Istio one-off yaml files for Istio auth.

* Fix links.

* Up the blanked rl to 5000, so it does not interfere with tests (#167)

* Rename istio-ingress-controller to istio-ingress

* Changed labels for ingress and ingress

* update to rule schema to reflect switch from double to duration (#168)

* update to rule schema to reflect switch from double to duration
* pointed to my dockerhub
* Updating istio version

* Regenerate

* Change in scripts

* update to gcr.io/istio-testing versions (#170)

1. Update mixer, manager, proxy versions to include rate limit fixes
2. Remove mixer configmap. The default config is now baked inside mixer.
3. expose mixer metrics and configapi ports thru port forwarding.
4. Add "wrk" for testing. drive traffic and fetch metrics as a setup for full
5. ratelimit integration test. That PR will follow.

* Add ingress service for correct status IP

* Support for istio-ca in tests/updateVersion.sh (#180)

* Update updateVersion.sh to take into account istio-ca

* Updates with updateVersion.sh
sebastienvas added a commit that referenced this pull request May 4, 2017
* Initial version

* Refactor for better testing

* Update framework for testing and added test

* Bazelify istio

* Simplified interfaces

* Refactor code to use Cleanable interface

* go formatting (#140)

* go formatting

* Updated Jenkinsfile to run tests

* Separate TestInfo to another module (#144)

* Separate TestInfo to another module

Implemented status file creation
Implemented log upload to cloud storage
Rename SetUp to Setup and TearDown to Teardown

* Add more info in TestStatus

* Rename InitLogging to InitGlog

* Resolving comments

* Return skipDir error on err

* Adding Code Checks + Fix them (#151)

* Not uploading logs_bucket_path flag is unset

* Added code checks

* Fix linter errors

* Update Jenkins to use a goBuildNode

* e2e test: Create namespace and deploy istio core and test app (#145)

* Create namespace and deploy namespace

* Get runtime source path

* Correct pr comments, add GetGateWay()

* Add default route test

* Add version routing tests, fix linter and fix comments on pr

* Add fault delay test and fix comments

* Add version migration test

* Add Hop App + testing (#162)

* Implemented echo App

* Adding test + refactoring

* Added more tests

* Resolved review comments

* Use slices instead of pointers to slices

* Fix formatting

* Merge master to e2e (#165)

* Demo test update + Docker file creation for Hop App (#172)

* Renamed default env const

* Added support for server update for version

* Added a binary for Hop + Docker Image

* WIP

* Modified kubernetes setup + demo test

* Fixed Jenkinsfile

* Fix comments

* Fix format

* Removing app_flag as set directly in template

* Fixed resp.close() was called on empty resp

* Moved test to their own folder

* Fixes e2e.sh

* Make e2e.sh more verbose

* Merge from istio:master, change install source to istio-install and setup istioctl (#175)

* Merge master to e2e (#181)

* Create README.md for e2e test framework (#182)

* Create README.md for e2e test framework

* small change
zenlint pushed a commit to zenlint/istio that referenced this pull request Aug 30, 2017
* First draft getting started

* Added istio-installation and changed bookinfo

* Fix display issue

* Addressed code review comments

* Address more review comments, istio-ca not part of the install

* Use local files instead of raw github files

* Addressed more review comments

* Added note about istioctl and renamed istio-ingress-controller to istio-ingress

* Fix the verb tense

* Rename istio-ingress-controller to istio-ingress

* Fixed installation instructions

* Remove fault injection

* Fix uninstall

* Fix link

* Correct path

* Rbac clarification for alpha and beta versions

* Add more clarity

* Add a dot

* Fix display error

* Fix display error

* Add clarification for Ingress

* Update installation to point to latest release
mandarjog added a commit to mandarjog/istio that referenced this pull request Oct 30, 2017
* Add local pre-commit hook

Run bin/pre-commit to install the pre-commit hook
It will run
fmt
tests
before allowing the commit

* Add linters as part of pre-commit hook

* Update doc


Former-commit-id: 27e79e4ea2681e12ed8312add418a869ee41c2f9
rshriram pushed a commit that referenced this pull request Oct 30, 2017
* Added RBAC roles and bindings
* Script to generate merged configs for 1.5 and 1.6 - the 1.6 works with rbac on or off.

To avoid confusion, auth will be added in separate PR


Former-commit-id: a2049c9
rshriram pushed a commit that referenced this pull request Oct 30, 2017
Former-commit-id: 0adf4c4
mandarjog added a commit that referenced this pull request Oct 31, 2017
Former-commit-id: a7e4171ffdb86cfdc463866b7f1c2c5082b48a28
mandarjog pushed a commit that referenced this pull request Nov 2, 2017
Former-commit-id: a2049c9
mandarjog pushed a commit that referenced this pull request Nov 2, 2017
* Initial version

* Refactor for better testing

* Update framework for testing and added test

* Bazelify istio

* Simplified interfaces

* Refactor code to use Cleanable interface

* go formating (#140)

* go formating

* Updated Jenkinsfile to run tests

* Separate TestInfo to another module (#144)

* Separete TestInfo to another module

Implemented status file creation
Implemented log upload to cloud storage
Rename SetUp to Setup and TearDown to Teardown

* Add more info in TestStatus

* Rename InitLogging to InitGlog

* Resolving comments

* Return skipDir error on err

* Adding Code Checks + Fix them (#151)

* Not uploading logs_bucket_path flag is unset

* Added code checks

* Fix linter errors

* Update Jenkins to use a goBuildNode

* e2e test: Create namespace and deploy istio core and test app (#145)

* Create namespace and deploy namespace

* Get runtime source path

* Correct pr comments, add GetGateWay()

* Add default route test

* Add version routing tests, fix linter and fix comments on pr

* Add fault delay test and fix comments

* Add version migration test

* Add Hop App + testing (#162)

* Implemented echo App

* Adding test + refactoring

* Added more tests

* Resolved review comments

* Use slices instead of pointers to slices

* Fix formatting

* Merge master to e2e (#165)

* update version for testing (#147)

Also update quota descriptors

* Update copyright.

* use lowercase zipkin trace headers (#152)

* Add support for 1.6 with RBAC and change install to use one file. (#150)

* Added RBAC roles and bindings
* Script to generate merged configs for 1.5 and 1.6 - the 1.6 works wit rbac on or off. 

To avoid confusion, auth will be added in separate PR

* Update the tag for manager/proxy containers

* Port forward manager service and enable istio manager env var

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Run service port-forward in the background and tidy it up

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Add yaml template for manager into istio-16.yaml

* Remove errant local

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Add apiserver to istio manager deploy

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* added egress proxy to istio install folder to be referenced by istio.io docs

* bug fix

* Remove apiserver address

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Add apiserver and egress

* Small doc updates. (#163)

* Demo test update + Docker file creation for Hop App (#172)

* Renamed default env const

* Added support for server update for version

* Added a binary for Hop + Docker Image

* WIP

* Modified kubernetes setup + demo test

* Fixed Jenkinsfile

* Fix comments

* Fix format

* Removing app_flag as set directly in template

* Fixed resp.close() was called on empty resp

* Moved test to their own folder

* Fixes e2e.sh

* Make e2e.sh more verbose

* Merge from istio:master, change install source to istio-install and setup istioctl (#175)

* update version for testing (#147)

Also update quota descriptors

* Update copyright.

* use lowercase zipkin trace headers (#152)

* Add support for 1.6 with RBAC and change install to use one file. (#150)

* Added RBAC roles and bindings
* Script to generate merged configs for 1.5 and 1.6 - the 1.6 works with rbac on or off.

To avoid confusion, auth will be added in separate PR

* Update the tag for manager/proxy containers

* Port forward manager service and enable istio manager env var

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Run service port-forward in the background and tidy it up

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Add yaml template for manager into istio-16.yaml

* Remove errant local

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Add apiserver to istio manager deploy

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* added egress proxy to istio install folder to be referenced by istio.io docs

* bug fix

* Separate Istio CA installation from default.

Istio CA should not be installed by default.

Created istio-cluster-ca.yaml and istio-namespace-ca.yaml for deploying the
per-cluster and per-namespace CAs, so that users do not need to modify the files
for different use cases.

* Remove apiserver address

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Add apiserver and egress

* Fix Istio CA files to create namespace.

* Update one-off auth yaml files.

* Small doc updates. (#163)

* Improve Istio one-off yaml files for Istio auth.

* Fix links.

* Up the blanked rl to 5000, so it does not interfere with tests (#167)

* Rename istio-ingress-controller to istio-ingress

* Changed labels for ingress and ingress

* update to rule schema to reflect switch from double to duration (#168)

* update to rule schema to reflect switch from double to duration
* pointed to my dockerhub
* Updating istio version

* Regenerate

* Change in scripts

* Install istio from istio-install, add os x support and add setupIstioctl

* fix linter

* Get rule files from demos/apps, istioctl cleanable and comments fix

* small change

* appManager cleanablization

* Merge master to e2e (#181)

* update version for testing (#147)

Also update quota descriptors

* Update copyright.

* use lowercase zipkin trace headers (#152)

* Add support for 1.6 with RBAC and change install to use one file. (#150)

* Added RBAC roles and bindings
* Script to generate merged configs for 1.5 and 1.6 - the 1.6 works with rbac on or off.

To avoid confusion, auth will be added in separate PR

* Update the tag for manager/proxy containers

* Port forward manager service and enable istio manager env var

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Run service port-forward in the background and tidy it up

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Add yaml template for manager into istio-16.yaml

* Remove errant local

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Add apiserver to istio manager deploy

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* added egress proxy to istio install folder to be referenced by istio.io docs

* bug fix

* Separate Istio CA installation from default.

Istio CA should not be installed by default.

Created istio-cluster-ca.yaml and istio-namespace-ca.yaml for deploying the
per-cluster and per-namespace CAs, so that users do not need to modify the files
for different use cases.

* Remove apiserver address

Signed-off-by: LIAM White <liamwhite@uk.ibm.com>

* Add apiserver and egress

* Fix Istio CA files to create namespace.

* Update one-off auth yaml files.

* Small doc updates. (#163)

* Improve Istio one-off yaml files for Istio auth.

* Fix links.

* Up the blanked rl to 5000, so it does not interfere with tests (#167)

* Rename istio-ingress-controller to istio-ingress

* Changed labels for ingress and ingress

* update to rule schema to reflect switch from double to duration (#168)

* update to rule schema to reflect switch from double to duration
* pointed to my dockerhub
* Updating istio version

* Regenerate

* Change in scripts

* update to gcr.io/istio-testing versions (#170)

1. Update mixer, manager, proxy versions to include rate limit fixes
2. Remove mixer configmap. The default config is now baked inside mixer.
3. expose mixer metrics and configapi ports thru port forwarding.
4. Add "wrk" for testing. drive traffic and fetch metrics as a setup for full
5. ratelimit integration test. That PR will follow.

* Add ingress service for correct status IP

* Support for istio-ca in tests/updateVersion.sh (#180)

* Update updateVersion.sh to take into account istio-ca

* Updates with updateVersion.sh

* Create README.md for e2e test framework (#182)

* Create README.md for e2e test framework

* small change

Former-commit-id: 0adf4c4
rajusharma pushed a commit to rajusharma/istio that referenced this pull request Jul 2, 2019
howardjohn pushed a commit to howardjohn/istio that referenced this pull request Jan 12, 2020
vikaschoudhary16 pushed a commit to vikaschoudhary16/istio that referenced this pull request Feb 12, 2021
…nt from `Proxy.IPAddresses` (istio#150)

Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io>
su225 pushed a commit to su225/istio that referenced this pull request Jul 15, 2021
…nt from `Proxy.IPAddresses` (istio#150) (istio#172)

Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io>
su225 pushed a commit to su225/istio that referenced this pull request Sep 15, 2021
…nt from `Proxy.IPAddresses` (istio#150) (istio#172)

Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io>
incfly pushed a commit to incfly/istio that referenced this pull request Dec 21, 2021
…nt from `Proxy.IPAddresses` (istio#150) (istio#172) (istio#218)

Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io>
vikaschoudhary16 pushed a commit to vikaschoudhary16/istio that referenced this pull request May 3, 2022
…nt from `Proxy.IPAddresses` (istio#150) (istio#172) (istio#218) (istio#234)

Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io>
l8huang pushed a commit to l8huang/istio that referenced this pull request Jun 16, 2022
aniketsingh03 pushed a commit to aniketsingh03/istio-1 that referenced this pull request Oct 4, 2022
…nt from `Proxy.IPAddresses` (istio#150) (istio#172) (istio#218) (istio#272)

Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io>
antonioberben pushed a commit to antonioberben/istio that referenced this pull request Jan 29, 2024
luksa pushed a commit to luksa/istio that referenced this pull request Oct 14, 2024
…ter-merge_upstream_istio_master-6253864e

Automator: merge upstream changes to openshift-service-mesh/istio@master