Add support for Envoy max path tag length when specified in MeshConfig #23089
Conversation
Fixes envoyproxy/envoy#8095. When the user has specified a max_path_tag_length in MeshConfig, propagate that setting to the http_connection_manager filter for proxies.
It is possible that incoming client requests external to the service mesh may have an outrageously large value. Do not support max_path_tag_length in gateways since it cannot be sanitized. Only use Envoy defaults.
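The propagation the description above asks for, as an added example written for this page rather than code from Istio or Envoy: a mesh-level tracing setting is mapped onto the HTTP connection manager's tracing block, the path-tag cap is applied to every proxy type because it is the sanitizer for oversized request paths arriving from outside the mesh, and custom tags stay sidecar-only, which is the split the reviewers settle on later in this thread. `NodeType`, `TracingConfig`, `HCMTracing` and `CustomTag` are simplified stand-ins for Istio's `model.NodeType`, the `ProxyConfig` tracing section and Envoy's generated protobuf types; the 256 fallback is Envoy's documented default for `max_path_tag_length`, and the byte-wise truncation in `pathTag` is a simplified illustration of what Envoy does with the span tag.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// NodeType stands in for the proxy role; the two values mirror the sidecar/gateway
// split discussed in the PR (constructed for this example, not Istio's model.NodeType).
type NodeType string

const (
	SidecarProxy NodeType = "sidecar"
	Router       NodeType = "router" // Istio gateways run as routers
)

// TracingConfig is a stand-in for the tracing section of a mesh ProxyConfig (assumption).
type TracingConfig struct {
	MaxPathTagLength uint32            // 0 means "not set, use the Envoy default"
	CustomTags       map[string]string // literal tags attached to every span
}

// CustomTag and HCMTracing stand in for Envoy's HttpConnectionManager.Tracing message
// and its custom_tags entries (simplified; not the generated protobuf types).
type CustomTag struct{ Name, Value string }

type HCMTracing struct {
	MaxPathTagLength *uint32 // nil == field left unset in the filter config
	CustomTags       []CustomTag
}

// Envoy falls back to 256 when max_path_tag_length is left unset.
const envoyDefaultMaxPathTagLength uint32 = 256

// buildTracingConfig maps the mesh-level tracing settings onto the HCM tracing block.
// The path-tag cap bounds what an untrusted request path can push into the tracing
// backend, so it is set for every proxy type; custom tags are sidecar-only because a
// gateway would expose them to arbitrary external clients.
func buildTracingConfig(cfg *TracingConfig, nodeType NodeType) *HCMTracing {
	out := &HCMTracing{}
	if cfg == nil {
		return out
	}
	if cfg.MaxPathTagLength > 0 {
		v := cfg.MaxPathTagLength
		out.MaxPathTagLength = &v
	}
	if nodeType != SidecarProxy {
		return out
	}
	// Sort tag names so the generated filter config is deterministic across pushes.
	names := make([]string, 0, len(cfg.CustomTags))
	for n := range cfg.CustomTags {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		out.CustomTags = append(out.CustomTags, CustomTag{Name: n, Value: cfg.CustomTags[n]})
	}
	return out
}

// effectiveMaxPathTagLength returns the limit Envoy will enforce for this config.
func effectiveMaxPathTagLength(t *HCMTracing) uint32 {
	if t == nil || t.MaxPathTagLength == nil {
		return envoyDefaultMaxPathTagLength
	}
	return *t.MaxPathTagLength
}

// pathTag shows the effect of the cap on the span's request-path tag: an oversized
// client path is truncated (byte-wise, simplified) before it reaches the tracing backend.
func pathTag(requestPath string, t *HCMTracing) string {
	limit := int(effectiveMaxPathTagLength(t))
	if len(requestPath) > limit {
		return requestPath[:limit]
	}
	return requestPath
}

func main() {
	cfg := &TracingConfig{
		MaxPathTagLength: 100,
		CustomTags:       map[string]string{"env": "prod", "cluster": "east"},
	}
	// Constructed oversized path standing in for a request from outside the mesh.
	hugePath := "/api/" + strings.Repeat("A", 5000)
	for _, nt := range []NodeType{SidecarProxy, Router} {
		hcm := buildTracingConfig(cfg, nt)
		fmt.Printf("%-8s max_path_tag_length=%d custom_tags=%d path_tag_len=%d\n",
			nt, effectiveMaxPathTagLength(hcm), len(hcm.CustomTags), len(pathTag(hugePath, hcm)))
	}
}
```

Running it prints one line per proxy role: both roles get the 100-byte cap and a 100-byte path tag for the 5005-byte constructed path, while only the sidecar carries the two custom tags. Leaving `MaxPathTagLength` at 0 yields a nil field in the filter config, so Envoy's own 256 default applies rather than a mesh-supplied zero.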
@@ -2006,13 +2007,29 @@ func buildTracingConfig(config *meshconfig.ProxyConfig, proxyType model.NodeType | |||
}, | |||
} | |||
|
|||
if config.Tracing != nil && proxyType == model.SidecarProxy { | |||
buildSidecarTracingConfig(config, proxyType, tracingCfg) |
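Review bot: the guard `if config.Tracing != nil && proxyType == model.SidecarProxy` gates the max path tag length, together with everything else inside buildSidecarTracingConfig, on the proxy being a sidecar, yet the length cap is precisely the sanitizer needed where untrusted request paths arrive, which is the gateway. Split the two concerns: set the path-tag cap for every proxy type and keep only the custom-tag handling behind the sidecar check, and add a one-line comment explaining why custom tags are sidecar-only, which would also answer the question raised in review.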
can you comment why this is for sidecars only?
My rationale is that gateways serve incoming client requests. It's possible that client requests can create issues (e.g. filling up the tracing backend causing fewer traces to be stored, slow backend due to a large number of incoming requests being written to disk).
@douglas-reid and @nrjpoddar thoughts? I'll add some comments when we agree to a final decision.
Custom tags should not be exposed to clients as there's a possibility of abuse/ddos.
Max path length otoh should be applied to all proxies (sidecars + gateways).
return tracingCfg | ||
} | ||
|
||
func buildSidecarTracingConfig(config *meshconfig.ProxyConfig, proxyType model.NodeType, tracingCfg *http_conn.HttpConnectionManager_Tracing) { |
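Review bot: buildSidecarTracingConfig takes a proxyType parameter although its only call site has already checked proxyType == model.SidecarProxy, so the argument is either dead or the function name becomes misleading as soon as it is reached for other node types; drop the parameter or rename the function to describe what it does. Also, since #23082 moves ProxyConfig into node metadata so that a proxy can override it, the config passed here should come from the node's metadata rather than mesh-wide defaultConfig, as noted in the thread, with a comment saying so.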
once #23082 merges this will be wrong, so just need to be sure we update it whichever merges first
Actually looks like your other PR already made #23082 wrong (it should use the proxyconfig from metadata, not from Pilot) so i'll update mine
I'd prefer whatever you feel is a best approach code-wise. I had adapted the unit test from an already existing test. Let me know.
I just mean that we need to make sure config comes from the node metadata rather than meshConfig.defaultConfig, since a proxy can override it (once that PR merges).
@howardjohn have you done the same for all other places which use ProxyConfig?
My suggestion would be to start using ProxyConfig from node metadata in one PR (if possible); easier to review and reason about.
When I looked earlier today there were no usages prior to this morning, when the other one for extra tags was merged
Fix lint/gen issues
/lgtm
istio#23089) * Support Envoy max_path_tag_length used in tracing Fixes envoyproxy/envoy#8095 When the user has specified a max_path_tag_length in MeshConfig, propagate that setting to the http_connection_manager filter for proxies. * max_path_tag_length should not be supported in gateways It is possible that incoming client requests external to the service mesh may have an outrageously large value. Do not support max_path_tag_length in gateways since it cannot be sanitized. Only use Envoy defaults. * slight refactor * Add gateway support for max_path_tag_length in Envoy Fix lint/gen issues
…eshConfig (istio#23089)" This reverts commit 59f009b.
* Align manifests directory structure to be compatible with istioctl install (#22941) * Align manifests directory structure to be compatible with istioctl install * Change parths to manifests/charts * Path fixes, make gen * Temporarily make a copy of script for release test * Remove duplicate script since release builder is updated * Support for new manifest dir in URL installs * Update release buider sha * Make gen * feat(metadata exchange): add cluster_id to exchange set (#22975) * Stub assets.gen.go to remove merge conflicts (#22940) * Stub assets.gen.go to remove merge conflicts * Add gen charts to prow tests * Change flag name * add nilcheck before stderr extraction (#22977) * Fix allowed file path formats for charts (#22979) * Allow adding additional metadata exchange keys (#22984) Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * MultiCluster: rework on nodePort type gateway service (#22962) * Optimize * fix a legacy bug * protect service's .Attributes * fix lint * fix comments * remove unused mutex * Further optimize node call back * fix go mod check * fix some lock issues * remove node label selector * Automator: update istio/api@master dependency in istio/istio@master (#22996) * Allow Integ Tests to declare feature coverage (#22760) * Add feature labels and outcomes to integration framework. 
* fmt * Add test stub * Make not yet implemented tests more fluent * Refactor and clean up features * move features to simple constants * use constants * abandon stringer generation, and add copyright * fmt and fix hanging chad on test * try to satiate lint * please let this satisfy all linters * fix race * please pass lint * dont panic on test * Track not implemented and test type * Automator: update istio/api@master dependency in istio/istio@master (#22999) * Make missing charts error message more helpful (#23005) * Use a distinct lock id for Istiod (#22905) * Individual locks * Update controller.go * Add a new Generator interface and tracking for generic resources (#22949) * Add a new Generator interface and tracking for generic resources * Update comments based on feedback * Remove Generator from WatchedResource, based on review feedback. Remove interception mode overload. * Add an explicit node metadata for generator plug in * Forgot one reference to interception mode * authz: remove more v1alpha1 RBAC code (#22985) * send more requests (#23007) * Add gateway labels implementation (#22981) * Add gateway labels implementation * Comments * Lint, make gen * Full push scoping (#22667) * Add full-push scoping via ConfigsUpdated * Correct merging ConfigsUpdated in in PushRequest * SidecarScope.serviceMap use host.Name key type * PushAffectProxy support VirtualService and DestinationRule kind * Add test cases for full-push-scoping * Fix pushResourceScope replacement in test case * Merge variable declaration with assignment in edsUpdate according to lint_istio * Run goimports * Fix pushResourceScope functions link error unused param * Fix TestProxyNeedsPush lint error unused param * Some code changes according to comments * Refactor TestProxyNeedsPush to avoid changing global var * Only apply check-configsUpdated for PushAffectsProxy to SidecarProxy type * Aggregate the *Dependencies fields in SidecarScope to a single one to make it more generic * Do not put nil 
destinationRule to SidecarScope.destinationRules * Refactor DependsOnConfig a bit accoding to lint prompt * Remove xxDependencies variables while building SidecarScope * Change naming of vara/fields accoding to comments * Refactor ProxyNeedsPush to make it more clear and add some comments * Add namespaceUpdated to some PushRequest construct scenarios except for external ServiceDiscovery * Add more test case scenarios to TestProxyNeedsPush * Some code clean according to lint result and revert some PushRequest.NamespacesUpdated * Refactor configsUpdates and configDependencies to use ConfigKey rather string key * Remove namespaceUpdated and namespaceDependencies * Add some test cases and comments * Let DependOnConfig just return a boolean result * Apply full-push scoping to external serviceEntryStore * Add SidecarScope.prevConfigDependencies to handle delete config changes * Use Proxy.PrevSidecarScope instead of SidecarScope.prevConfigDependencies * Add TestAdsPushScoping case * Add virtualService/destinationRules cases to TestAdsPushScoping * build: add env var to build istio-proxy with custom bootstrap file (#23015) This CL adds ISTIO_ENVOY_BOOTSTRAP_CONFIG_PATH for users to specify a custom boostrap file when building istio proxy. Change-Id: If7f296ab1d88f1dc1f33b523ca0020b660efe1ae Reviewed-on: https://gerrit.musta.ch/c/public/istio/+/335 Reviewed-by: Jungho Ahn <jungho.ahn@airbnb.com> * Use manifests dir for integration tests (#23012) * Automator: update common-files@master in istio/istio@master (#23013) * Automator: update common-files@master in istio/istio@master * Remove usage of 'check-no-modify' Co-authored-by: Travis Clarke <clarketm@google.com> * Fix setting locality in bootstrap (#22998) * Fix setting locality in bootstrap The `nil` case never matches, so we never attempted to set it * fix * lint * Bugfix format for bootstrap configuration file. (#22994) * Bugfix format for bootstrap configuration file. * Update test data. 
* Modify some files for bootstrap test case. * Delete trailing comma. * Add proper validation to mesh config (#22951) * Add proper validation to mesh config WIP until https://github.com/istio/api/pull/1384 lands * lint * Update CRDs * update * Remove special telemetry ports (#23008) * Remove special telemetry ports Fixes https://github.com/istio/istio/issues/22911 Docs update https://github.com/istio/istio.io/pull/7069 * fix test * Revert "fix test" This reverts commit 509049ae1cf29711c71e0772f07903671e4530f8. * add k8s * typo fix (#23039) Signed-off-by: Yuchen Dai <silentdai@gmail.com> * Evaluate changing the defaults to match reality (#22687) * Evaluate changing the defaults to match reality * Fix duration, add todo * Move connect timeout, add missing * Make gen - since now the default is with SDS enabled the golden files have the additional fsGroup * Test fixing, adjustments based on running tests locally * Use TestMode for tests that rely on the test mesh config * 2 more tests using test mode * Format * update controller test (#22980) * update controller test * unskip the test * build image for operator * add charts flag, add update-charts dependency * fix image build * print log when svc not ready * add installPackagePath to CR * copy manifests into container for controller * add charts for manifest generate * fix lint * disable go grpc tracing (#23055) Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * Skip controller test again (#23066) * fix lightstep secret volume issue. (#23054) * fix lightstep secret volume issue. * fix ut. 
* refactor generator interface (#23057) * refactor generator interface Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * lint Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * update image and cleanup resources for controller test (#23067) * update image and cleanup resources * fix lint * use t.cleanup instead * server: rename some functions and variables in server (#23056) * rename some functions and variables in server Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * fix lint Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * refactor http proxy listener (#23069) Signed-off-by: Yuchen Dai <silentdai@gmail.com> * Fix EnvoyFilter listener portNumber match (#23030) * fix envoyfilter listener match - implement portnumber match for virtual listeners * add comments and fix linter issue * only skip virtual listeners port check if the patch not applied to the listener * add test * remove flag secureGrpcAddr (#23062) * rename ResourceGenerator to XdsResourceGenerator (#23070) Signed-off-by: Rama Chavali <rama.rao@salesforce.com> * skip the test (#23081) * exclude stats with suffix ssl_context_update_by_sds (#23016) * listener: tiny refactor (#23046) * sidecar: micro refactor Signed-off-by: Yuchen Dai <silentdai@gmail.com> * more Signed-off-by: Yuchen Dai <silentdai@gmail.com> * refactor cont Signed-off-by: Yuchen Dai <silentdai@gmail.com> * address comment Signed-off-by: Yuchen Dai <silentdai@gmail.com> * Revert "refactor cont" This reverts commit ad59b71152af86283e86245ef5e332a1c28b8f72. * Use custom_tags in http_connection_manager filter for sidecar proxies (#22880) * Use custom_tags in http_connection_manager filter When the user has specified mesh wide configuration for proxies to use custom_tags, propagate thos settings to http_connection_manager filter. * Sort custom tags read in from mesh config before applied to envoy filter Modify unit test to account for sorting behavior. 
* Do not add custom_tags for gateways * Fix linting errors * Use proxygateway var instead of conditional check * Add guard clause around custom tag check * Fix undefined “IOPS” wording and confusing validation in upgrade (#22908) * Fix undefined “IOPS” wording and a validation in upgrade * Fix lint * Configure standard Prometheus scraping (#22318) * Configure standard prometheus annotations * Fix profile * Make meshconfig utilize values.meshConfig (#22593) This way we only have to maintain one code path. * Pass ProxyConfig to istiod (#23082) * Pass ProxyConfig to istiod This is needed to implement all the new things we are adding here, such as extra stats and gateway topology * Add comment * Update name and tests * Fix platform specific values * Enable connection reuse for kube app probers (#23093) * Enable connection reuse for kube app probers * fix lint * authz: only use url_path for Envoy version >= 1.5 (#23086) * Add support for Envoy max path tag length when specified in MeshConfig (#23089) * Support Envoy max_path_tag_length used in tracing Fixes https://github.com/envoyproxy/envoy/pull/8095 When the user has specified a max_path_tag_length in MeshConfig, propagate that setting to the http_connection_manager filter for proxies. * max_path_tag_length should not be supported in gateways It is possible that incoming client requests external to the service mesh may have an outrageously large value. Do not support max_path_tag_length in gateways since it cannot be sanitized. Only use Envoy defaults. * slight refactor * Add gateway support for max_path_tag_length in Envoy Fix lint/gen issues * Refactor ADS code a bit to break out resource logic (#23094) This will be useful for the v3 migration to allow us to reuse some of the functionality. 
This should have no real impact, just breaking out into functions * Add tests to operator/pkg/httprequest and helm (#22976) * Add tests to operator/pkg/httprequest and helm * Fix/Cleanup * Add actual template tests * I love lint for my lifegit diff * Refactor http test into table format * Add unspecified to ingressControllerMode (#23110) * Update operator data snapshot (#23120) * Cleanup junk * Update data snapshot * Update goldens * Fix lint * support jwt token authen using remote cluster (#22989) * support jwt token authen using remote cluster * get remote cluster when handle CSR happens * address review comments * grant istio-reader tokenreview create right * remove redundant APIVersion, Kind and fix typo * retry cluster under some errors * fix minor issues and typos in manifests/ (#23127) * Use NodeMetadata proxyconfig for tracing (#23119) * update multicluster example (#23117) * update multicluster example * add a comment * add another comment * move comment * Automator: update common-files@master in istio/istio@master (#23131) * feat(bootstrap): add support for metrics with cluster_id labels (#23095) * feat(bootstrap): add support for metrics with cluster_id labels * refresh goldens * Converge istioctl and controller apply code (#23014) * Converge controller and istioctl apply code * Add waiting for base component * Remove dead code, undo accidental symbol change * Apply annotations and labels * Back out logging changes * Remove ClusterIssuer from pruned resources * Skip status handling in CLI mode * Lint * Flush the cache before running apply * remove control plane items off version cmd (#22013) * update for istioctl * add prometheus * format * remove gateway off control plane list * Console logging for apply operations (#23139) * Console logging in controller apply operations * Fix test, lint * Update comment * Fix webhook test * Licenses, spelling * One more lint * Make istioctl install much faster (#23136) * Ensure /opt/ibm/wlp/output/defaultServer is 
writable to group members (#23023) When running the container with a random user id, it failed because the process couldn't write to /opt/ibm/wlp/output/defaultServer/workarea. * Ensure bookinfo mysql and mongodb pods work with any user id (#23122) When running either container with a random user id, it failed because the process couldn't write to a local directory due to bad ownership / permissions (/data/db for MongoDB and /var/lib/mysql in MySQL). Modifying the Dockerfile to change the permissions on the directories doesn't work because the directories are marked as Docker volumes. The solution is to mount an emptyDir volume in these directories. By doing this, the process can write to the directory and we ensure that data isn't lost when the container is restarted. * Fix PREFIX in build_push_update_images.sh (#23022) Previously, you couldn't use PREFIX to override the docker.io prefix. Also, the prefix wasn't used when the script modified the YAML files. Now, you can use PREFIX to specify the whole prefix (e.g. use a different registry) and the YAML files are updated properly. Also, the VERSION could only contain digits and dots. Now it can be any string (e.g. something-1.0.0). * Remove alpha authn CRDs. (#22972) * Remove alpha authn policy CRDs * Delete example resources. * Roll up to api change that remove CRD * Re-gen * Fix build * Fix build * Fix another test * Fix more tests * Remove conformance test for alpha authn * Fix integration tests * Remove alpha yaml from integration tests * Fix yaml * Remove more obsolete tests with v1alpha1 api * Typo * Update telemetry op yaml * Regen * Update grafana policy * Fix PSP sample is dangling in website (#22577) (#23002) Remove PSP files with dangling links. 
* Automator: update common-files@master in istio/istio@master (#23156) * Part 2 of generic generators (#23128) * Part 2 of generic generators * Missing file * lint and test errors * make gen * Add support for MeshConfig.ProxyConfig.Trace.Sampling (#23098) * Add support for MeshConfig.ProxyConfig.Trace.Sampling When both PILOT_RANDOM_SAMPLING and MeshConfig trace sampling is used, have the later override the environmental variable. * Fix linting errors * Remove excess logging; only capture env on startup * Add tests for when random sampling is OOB * Add support for gateways supporting custom_tags * Fix lint * Remove unused parameter * Automator: update common-files@master in istio/istio@master (#23158) * pilot: Support swapping type URL for minimal v2/v3 support (#23129) * wip * Support swapping type url for XDS responses For https://github.com/istio/istio/issues/19885 * Add comment * Fix lint * Fix lint * Fix nonce * Fix lint * check pod status during test (#23137) * Allow override proxy config from agent (#22879) * Allow override mesh config from agent * pass override through to injection template * fix build * Add validation * Use proxy config instead * remove debug log * Extend comment * Rework nodePort gateway service (#23109) * Rework nodePort gateway service * rm log * go mod fix * Reduce lock use * fix lint * add test cases for operator/pkg/manifest (#23143) * improve test coverage in operator/pkg/controlplane (#23121) * Add tests * Add tests * Unexport OrderedKeys() * not sure * unexport * Fix issues & lint * Fix issues & lint * Upgrade to helm v3 libraries (#23130) * cleanup (#23175) * remove extra hyphen (#23171) * Update to new cluster-local API (#23150) Moving the logic into PushContext so that it can leverage existing utilities for host matching. * fix incluster controller resource pruning. 
(#23142) * Add validation for MeshConfig.ServiceSettings (#23193) * Automator: update istio/api@master dependency in istio/istio@master (#23041) * stats: append proxy config extra stat tags (#23196) * update Signed-off-by: Kuat Yessenov <kuat@google.com> * append extra stat tags Signed-off-by: Kuat Yessenov <kuat@google.com> * add test Signed-off-by: Kuat Yessenov <kuat@google.com> * make gen strikes again Signed-off-by: Kuat Yessenov <kuat@google.com> * Change mesh config injection to proxy config (#23180) * Change mesh config injection to proxy config We recently decided to move from injecting the mesh config to the proxy config. This aligns with the annotation override we added. The intent here is that all config for the proxy will be in proxy config -- if there is ever a meshconfig field we want in the proxy we will need to move it. * fix vms * format * Better error messages for failure to create resources (#23204) * Move crds to crds/ (#23192) * Move crds to crds/ This provides better support for helm3 For https://github.com/istio/istio/issues/22874 * fix gen * fix gen * guard test output against race conditions (#23212) * Prevent assets.gen.go from being accidentally modified (#23213) * Modify the istioctl status bar (#23152) * Modify the istioctl status bar * license * minor tweaks * istioctl x precheck (#23087) * New 'istioctl x precheck'; moved precheck out out 'istioctl verify-install' * Don't use genericclioptions to deserialize IstioOperator; it can't unless there is a CRD on the cluster * add emptydir volume for coredump (#23154) * add emptydir volume mount for coredump * update path * make gen * Stop using deprecated settings in demo (#23210) * support define `IsServer` when generating cert (#23106) * support IsServer for generating cert * add comments to explain IsServer usage * address review comments * init progressLog for helm reconciler. 
(#23222) * Set clusterID correctly (#23229) * Set clusterID correctly * fix descript * manifests: run gateways as non-root user (#23174) * manifests: run gateways as non-root user * Add feature flag runAsRoot, default to true for now * Fix location of policy envoy bootstrap template * Change volume name to istio-envoy to align with injection template * Fix download scripts (#23191) * Fix download scripts * Added architecture detection * Updated to match posix if * Make shellcheck happy * CR comments * Remove kubectl from istioctl (#23165) * Remove kubectl from istioctl * Comments * Remove redundant client init * Fix operator remove test * Lint * Merge from master. * Remove ineffective tests * Remove redundant create namespace code (#23248) * Remove redundant create namespace code * Lint * test framework: split istioctl stdout and stderr (#23214) * test framework: split istioctl stdout and stderr otherwise we end up writing errors to the output, which breaks our cleanup. This *might* fix https://github.com/istio/istio/issues/23149 * Fix lint * Fix analyze test * Retry conflicts on reconcile (#23244) Fixes https://github.com/istio/istio/issues/23147 This occurs when there is a change between Get and Update. This seems to happen occasionally on the PBD - I think because the PBD will have status related to number of healthy/unhealthy pods, so when we change the Deployment that number changes, and we trigger the race. Its pretty easily reproducible if you tamper with some of the code to purposely introduce conflicts. The fix here is just to do what Kubernetes does internally (and provides a help library for!) - retry. * initial working 1.4 helm upgrade support (#23194) * Make cluster objects distinct names * Gen * Stop trying to prune alpha CRDs (#23245) These cause a pretty large delay to the install, since errors are slow. 
Additionally, we don't actually want to prune these - the user is now in control of these objects * add request_host to default stats tags (#23250) * Update release builder SHA for gen-charts fix (#23252) * Remove unused controller code (#23256) * Remove unused controller code * Make gen * Remove logtostderr flag from istioctl manifest, it should always be true (#23254) * Remove logtostderr flag for istioctl manifest, it should always be true * Fix a couple of external usage cases * Add option to enable Stackdriver AccessLog Sampling Filter (#22953) * Add option to enable Stackdriver AccessLog Sampling Filter Signed-off-by: gargnupur <gargnupur@google.com> Run make gen again Run make gen again Add comment run make gen remove comma * run make gen * Change AccessLog to AccessLogPolicy * fix for operator init (#23259) * skip tests (#23258) * Write Distribution Status from Istiod (#22873) * Add status leader * Create statuscontroller for status leader * fmt * Replace gotest with gomega * fix a few nits * add copyright banners * Fix pointer issue * more lint * reorganize imports * cleanup imports * fix gomega setup * Revert "dont panic on test" This reverts commit 689af9d75e9ddfcecc7c6c53ec54ce1ec5286d92. 
* first stab at follower status * Add copyright * Remove dependency loop and satiate lint * use pilot args for pod name * prevent calling handler when nil * Add RegisterDisconnect and test * Add tests and type information for resources * lint * Fix PR feedback * update test case messages to represent dataplanes->proxies * Follow PR feedback * Add integration test, fix a few issues * Fix ledger utilization from kube crd controller * Add test for status conditions, fix bugs * Use leaderelection for status, improve inprocess tracking * lint stuff * update reporter test to reflect removal of out of date resources * improve status controller speed, and reduce frequency until we have better locking * fmt * move to proper ctx, placate lint * fix merge copypasta * add resourcelock for a sort of backpressure * fmt * remove duplicate tests * Add completion for skipped envoys, and make tests deeply introspect Reconciled condition * Allow tuning status qps and burst speeds, with sane defaults * Request proper shutdown for status controllers * improve report serialization per PR feedback * Reduce goroutine impact in ads with queueing, per costinm * Refactor DistributionEventHandler into v2 package * Add explanatory comments per PR feedback * Make reporter use existing kubeclient * incorporate final PR feedback * Fix merge pasta * create istio-ca-root-cert cm for each remote ns (#23173) * create istio-ca-root-cert cm for each remote ns * merge code * fix lint * update 16 owner and common files (#23268) * Stop publishing latest (#23273) * Bump base image (#23272) Co-authored-by: John Howard <howardjohn@google.com> * remove default traffic inboud setting in tests (#23270) Signed-off-by: Rama Chavali <rama.rao@salesforce.com> Co-authored-by: Rama Chavali <rama.rao@salesforce.com> * [release-1.6] update proxy sha (#23276) * update proxy sha * update telemetry v2 Wasm to v3 * revert network stats filter semantic naming * fix stats filter to use valid config * add configuration to 
Fixes #14563
Allow the user to use Envoy max_path_tag_length as specified in MeshConfig for sidecar proxies.
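The sidecar-only propagation described in this PR, as an added example that is not Istio's or Envoy's code: it models how a MeshConfig `max_path_tag_length` reaches the HTTP connection manager tracing config for sidecars but never for gateways, and how the resulting limit bounds the path stored in the `http.url` span tag. The `NodeType`, `ProxyConfig`, `Tracing` and `HCMTracing` types are simplified stand-ins for the real Istio and Envoy API types, and the 256 default is Envoy's documented one.

```go
package main

import (
	"fmt"
	"strings"
)

// NodeType is a simplified stand-in for Istio's model.NodeType (assumption).
type NodeType string

const (
	SidecarProxy NodeType = "sidecar"
	Router       NodeType = "router" // gateways
)

// Tracing keeps only the MeshConfig tracing field relevant here (stand-in).
type Tracing struct {
	MaxPathTagLength *uint32 // nil: not specified by the user
}

// ProxyConfig is a stand-in for meshconfig.ProxyConfig.
type ProxyConfig struct {
	Tracing *Tracing
}

// HCMTracing is a stand-in for the Envoy http_connection_manager Tracing config.
type HCMTracing struct {
	MaxPathTagLength *uint32 // nil: Envoy's built-in default applies
}

// EnvoyDefaultMaxPathTagLength is Envoy's documented default for
// http_connection_manager tracing max_path_tag_length.
const EnvoyDefaultMaxPathTagLength uint32 = 256

// BuildTracingConfig propagates the MeshConfig value for sidecars only.
// Gateways terminate requests from clients outside the mesh, whose paths
// cannot be sanitized, so they keep Envoy's default whatever MeshConfig says.
func BuildTracingConfig(cfg *ProxyConfig, proxyType NodeType) *HCMTracing {
	t := &HCMTracing{}
	if cfg != nil && cfg.Tracing != nil && proxyType == SidecarProxy {
		buildSidecarTracingConfig(cfg, t)
	}
	return t
}

// buildSidecarTracingConfig copies the user-specified limit, if any, into the
// sidecar's HCM tracing config.
func buildSidecarTracingConfig(cfg *ProxyConfig, t *HCMTracing) {
	if cfg.Tracing.MaxPathTagLength == nil {
		return
	}
	v := *cfg.Tracing.MaxPathTagLength
	t.MaxPathTagLength = &v
}

// EffectiveLimit resolves the limit the proxy will actually enforce.
func EffectiveLimit(t *HCMTracing) uint32 {
	if t == nil || t.MaxPathTagLength == nil {
		return EnvoyDefaultMaxPathTagLength
	}
	return *t.MaxPathTagLength
}

// PathTag models the truncation Envoy applies to the request path before
// storing it in the http.url tag, so an oversized path cannot bloat spans.
func PathTag(path string, t *HCMTracing) string {
	limit := int(EffectiveLimit(t))
	if len(path) <= limit {
		return path
	}
	return path[:limit]
}

func main() {
	limit := uint32(64)
	cfg := &ProxyConfig{Tracing: &Tracing{MaxPathTagLength: &limit}}
	// Constructed sample: a request path far longer than a tracing backend wants to store.
	longPath := "/api/v1/search?q=" + strings.Repeat("A", 1000)
	for _, nt := range []NodeType{SidecarProxy, Router} {
		tag := PathTag(longPath, BuildTracingConfig(cfg, nt))
		fmt.Printf("%-8s effective limit %d, tag length %d\n",
			nt, EffectiveLimit(BuildTracingConfig(cfg, nt)), len(tag))
	}
}
```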