following istio/istio#5113

* add a step to define ingress gateway in bookinfo guide

following istio/istio#5113

* make ingress gateway lower case

* [test pr] check if 503s and other known bugs are fixed

removing the t.Skip()

Should fail in CI until we have a fix

* prune old version resources that no longer exist (#5107)

Automatic merge from submit-queue.

prune old version resources that no longer exist

* [vendor-change] CloudWatch Mixer adapter (#4617)

Automatic merge from submit-queue.

[vendor-change] CloudWatch Mixer adapter

Adding an adapter to send metrics to cloudwatch

* Enable Ingress/Egress gateways in Helm for bookinfo demos (#5120)

Automatic merge from submit-queue.

Enable Ingress/Egress gateways in Helm for bookinfo demos

* Consume labeled multicluster secrets on startup (#5117)

Automatic merge from submit-queue.

Consume labeled multicluster secrets on startup

This patch when run against istio.yaml or istio-auth.yaml
runs in the new config mode using only labels rather than
configmaps.  The configmap functionality can be removed in
0.9.

* Add a linter check to make sure types.go are generated. (#5110)

Automatic merge from submit-queue.

Add a linter check to make sure types.go are generated.

addresses #4418

* Remove outdated manifests from install/kubernetes (#4882)

* Remove orig_ manifests

* Remove istio-mixer-validator and istio-mixer-with-health-check manifests

* Remove unwanted manifests before archiving

* Remove istio-sidecar-injector.yaml from install/README.md

* Remove *one-namespace*.yaml from install/README.md

* Make helm-generated manifests overwrite updateVersion_orig.sh manifests

* Add support for per-metric namespace configuration to prom config (#5112)

* Adding CI workflow for checking vendor diff (#5051)

Automatic merge from submit-queue.

Adding CI workflow for checking vendor diff

This aims to help ensure that a PR contains the correct vendor change,
by running `dep ensure` and seeing if git detects any changes.

* Introduce galley/pkg/server (#4974)

Automatic merge from submit-queue.

Introduce galley/pkg/server

galley/pkg/server implements logic performs both CRD synchronization, along with resource synchronization operations. The resource synchronizers are started/stopped as CRDs (of interest) are added/deleted.

* [vendor change] Add metrics command to istioctl experimental cli (#4945)

Automatic merge from submit-queue.

[vendor change] Add metrics command to istioctl experimental cli

This PR adds a new command for retrieving service-level metrics
for services within an Istio service mesh. In combination with
the `watch` command, this tool may be used to display a rudimentary
service dashboard from the commandline.

This command requires the deployment of a prometheus instance for
monitoring the mesh. It discovers a prometheus pod, establishes a
port-forward to that pod, and executes a series of queries to extract
the metrics for display.

Currently, this command pulls all metrics from the current time, 
calculating rates and latencies over a time window of 1 minute. In 
the future, it will be possible to add support for flexible time
windows.

Example usage (bookinfo example):

```
$ istioctl experimental metrics productpage reviews ratings details
productpage:
  Total RPS:     7.872870
  Error RPS:     0.000000
  P50 Latency:   40ms
  P90 Latency:   80ms
  P99 Latency:   98ms
reviews:
  Total RPS:     7.909235
  Error RPS:     0.000000
  P50 Latency:   4ms
  P90 Latency:   9ms
  P99 Latency:   21ms
ratings:
  Total RPS:     5.309187
  Error RPS:     0.000000
  P50 Latency:   2ms
  P90 Latency:   4ms
  P99 Latency:   4ms
details:
  Total RPS:     7.872870
  Error RPS:     0.000000
  P50 Latency:   3ms
  P90 Latency:   38ms
  P99 Latency:   48ms
``` 

This tool is intended primarily to aid with debugging, as discovering
what is happening with a mesh and/or a particular service can be somewhat
cumbersome.

Reviewers: please let me know if there is a more appropriate place for 
such a tool and if there is more/different information that you think
is relevant to display for a service.

Vendor PR: istio/old_vendor-istio_repo#58

* unset IFS, minor fix for perf setup (#5124)

Automatic merge from submit-queue.

unset IFS, minor fix for perf setup

* perf setup update: add grafana, misc fixes (#5028)

* need git pull --tags to get latest_release movement, use DUR variable for duration

* Add grafana ingress

Doesn’t work because of mixer/telemetry split yet but almost

Also had to disable mtls for grafana - this should be the default

* Add annotation for no mtls in helm template

* From 0.8 prometheus is already in the yaml

See #5111

* Assert requried circle CI envs in ci2gubernator (#5137)

Automatic merge from submit-queue.

Assert requried circle CI envs in ci2gubernator

There has been cases where tests on circle failed when calling ci2gubernator because `CIRCLE_PR_NUMBER` unbound. This PR asserts the existence of the circle ci envs required by ci2gubernator and resort to no op if any of those is not defined.

* Add Mixer perf tests that includes the RPC path. (#5013)

Automatic merge from submit-queue.

Add Mixer perf tests that includes the RPC path.

The perf tests included two sets of tests (proper v.s. with _R2 suffix).
The tests with _R2 suffix was for testing runtime2 implementation.

Now that there is only one runtime, repurposing some of the tests to
include the gRpc layer as well.

* verify 200 status code in addition to header value (#5163)

* Add/Update Mixer e2e tests to cover more attributes sent from Envoy. (#5152)

* Add/Update Mixer e2e tests to cover more attributes sent from Envoy.

* Fix indent.

* Assorted bug fixes for 0.8 (#5133)

* assorted bug fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Updated zipkin to 2.7 for istio. (#5155)

Automatic merge from submit-queue.

Updated zipkin to 2.7 for istio.

This is a follow up PR for #4726

/cc @ldemailly

* fix path for go 1.10 on perf vm (#5168)

* Move mixer filter to per_filter_config (#5073)

Automatic merge from submit-queue.

Move mixer filter to per_filter_config

Move the per route mixer filter config from the metadata field to per_filter_config and turn it into a ServiceConfig proto.

* [vendor change] Add B3 codec to Jaeger tracer to enable mixer trace to be included in… (#5116)

Automatic merge from submit-queue.

[vendor change] Add B3 codec to Jaeger tracer to enable mixer trace to be included in…

… the application trace - and extended zipkin test to check for the mixer span

Installs the B3 codec into the Jaeger tracer to enable B3 headers to be understood and therefore associate any spans with the existing application trace.

The PR also updates the zipkin e2e test to check that the mixer spans are included in the application trace instance. 

Once an initial review of the PR has been approved I'll commit the vendor change - using "dep ensure"? Locally this has resulted in a number of dependencies being deleted under `vendor/k8s.io/client-go/`.

Signed-off-by: Gary Brown <gary@brownuk.com>

* remove prometheus from release archives (#5150)

Automatic merge from submit-queue.

remove prometheus from release archives

* Add Galley command-line flags "server" and "purge" (#4977)

Automatic merge from submit-queue.

Add Galley command-line flags "server" and "purge"

Add command-line flags for server and purge commands.

* Simplify the auth test

Thanks Andra for pointing out that version should fail/work the same as
using pod IP directly as the destination container never sees the
original cluster IP

* adds guard for kube client (#5140)

* adds guard for kube client

- there may not always be one, especially in
the case of CF.
- made CF case more explicit

* ci2gubernator: stop checking for unset variables

* Fix single endpoint pilot ads look up (#5165)

* Add an experiment subcommand rbac to istioctl. (#5093)

Automatic merge from submit-queue.

Add an experiment subcommand rbac to istioctl.

The subcommand is used to interact with Istio RBAC policies, this PR
adds the basic interface and the actual logic will be added in a later
PR.

See #4856.

* Fixing race test failure in TestAdsEds (#5161)

Automatic merge from submit-queue.

Fixing race test failure in TestAdsEds

introduced by #4694
addresses #4235

* v1alpha1 to v1alpha3 rule conversion tool bug fixes and subset merging (#5178)

* v1 to v3 conversion enhancements and tests

* Handle DestinationPolicy w/o labels

* Remove AddJwtAuth (#5194)

Automatic merge from submit-queue.

Remove AddJwtAuth

There is a compile error.
# istio.io/istio/mixer/test/client/env
../../../../../mixer/test/client/env/mixer_filter_config.go:167:47: undefined: client.JWT
../../../../../mixer/test/client/env/mixer_filter_config.go:168:21: mfConf.PerRouteConf.EndUserAuthnSpec undefined (type *client.ServiceConfig has no field or method EndUserAuthnSpec)
../../../../../mixer/test/client/env/mixer_filter_config.go:168:42: undefined: client.EndUserAuthenticationPolicySpec
../../../../../mixer/test/client/env/mixer_filter_config.go:169:21: mfConf.PerRouteConf.EndUserAuthnSpec undefined (type *client.ServiceConfig has no field or method EndUserAuthnSpec)

Remove AddJwtAuth function.

cc @diemtvu

* Skip bad routes instead of erroring (#5183)

* Skip bad routes instead of erroring

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* final nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix rules

* BlackHole with a capital H

* validate clusters false

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Fetch/cache/refresh JWT public key, construct localJwks in sidecar filter config (#5061)

Automatic merge from submit-queue.

Fetch/cache/refresh JWT public key, construct localJwks in sidecar filter config

#4917

This PR includes 
1. fetch JWT public key, and cache the key.
2. key rotation - a refresher job refresh key periodically.
3. use the key to construct localJwks in sidecar filter config.

* Introduce dynamic proto3 encoder (#5122)

* WIP commit

* Remove dead code

* Rearrange code

* split code into encoderUtil

* Everything except ENUM

* use protoc 3.5.1 to ensure json names are generated

* expose internal funcs

* WIP3. all dynamic and static elementry types. No repeated or packed

* support packed static primitive types

* use switch in place of if

* primitives with eval and packed repeated

* all primitives with expressions

* add test with enum constants and expressions

* add expressions in repeated fields

* Refactor 2

* linter checks

* fix linter2

* split encoder and builder

* rename eval to primitive

* add all dynamic tests

* Add dependency for messagediff

* add full dynamic test

* update comment

* fix linter error

* Update vendor. Add messagediff.v1 for test verification

* add all positive tests

* improve test coverage

* remove updated to lang.compiled

* fix linter error

* handle float64 inputs for integers

* Builder.Build() takes msgName and data

* WIP2

* review comments

* review comments

* rename messagediff to diff

* add more tests

* Update deps

* improve test coverage

* add log message while skipping fields

* increase test coverage

* update dep status

* Add more files to gitignore (#5198)

* Fix Mixer dashboard CPU reporting (#5145)

Automatic merge from submit-queue.

Fix Mixer dashboard CPU reporting

A previous PR seems to have accidentally removed the "rate" component of
the CPU calculations for the Mixer Dashboard. This results in an ever-increasing
CPU graph.

This PR restores a proper rate-based display for CPU calculation. It also
renames the jobs in the Prometheus config to better align with the split
from Mixer to Istio-Telemetry and Istio-Mixer (providing easier to understand
tracking between cAdvisor metrics and the self-reported metrics.

This PR should be cherry-picked onto the 0.8 branch.

* fix nil reference error when mock server fails to start (#5216)

* [WIP] refactor bookinfo to use different gateway definitions for envoy v1/routing v1alpha1 and envoy v2/routing v1alpha3  (#5113)

* restrict the tests to either v1alpha1 or v1alpha3

* move applying defaultRules into setUpDefaultRouting

* extract Ingress (Gateway) definition from bookinfo.yaml

it is different for v1alpha1 and v1alpha3

* make the gateway rule first in defaultRules, so it will be applied first

* fixed wrong variable names in mixer tests

* fixed the location of bookinfo gateway yaml

* fixed wrong variable in mixer test

* add missing spec and name to destination-policy-reviews

* remove comment line in samples/bookinfo/routing/bookinfo-gateway.yaml

* add port 9080 to the new bookinfo gateway

* remove using a special destination rule for reviews

* refactor GetIngress to make it reusable for GetIngressGateway

extract functions for getting Kubernetes Ingress and NodePort

* remove a shadowing variable

* refactor GetIngressPod, add GetIngressGateway

* add IngressGateway() to framework Kube

* added using IngressGateway() of framework Kube in bookinfo e2e tests

* use load balancer ingress IP to get the IP of the nodeport

* use ingress IP for nodeport

* remove commented out line

* fixed getting the ingress as the IP for a NodePort

* Revert "fixed getting the ingress as the IP for a NodePort"

This reverts commit 594e58d.

* Revert "use ingress IP for nodeport"

This reverts commit 333b80f.

* Revert "use load balancer ingress IP to get the IP of the nodeport"

This reverts commit 3c138e4.

* add generate_yaml-envoyv2_transition_loadbalancer_ingressgateway

to generate istio configurations without ingress and with ingressgateway as
a LoadBalancer service

* use generate_yaml-envoyv2_transition_loadbalancer_ingressgateway in test/local/noauth/e2e_bookinfo_envoyv2

* added LoadBalancerServiceType and NodePortServiceType constants

* rewrote the ingress related logic

use LoadBalancer type for non-local and NodePort for local tests

* lint fixes

* fix lint errors

* *sync.Locker -> sync.Locker, use interface instead of a pointer to interface

* refactor: extract getServicePort() from getServiceNodePort()

* add isKubernetesIngress flag to tests/util.GetIngress()

* fix the destination port in the virtual service of the gateway

* Revert "add isKubernetesIngress flag to tests/util.GetIngress()"

This reverts commit 8dbe13c.

* set different retry values for LoadBalancer and NodePort

according to the original implementation

* fix logging message

* fix a typo

* Introduce pkg/ctrlz, Istio's introspection package. (#5123)

* Introduce pkg/ctrlz, Istio's introspection package.

Processes that integrate with ControlZ open up a port that enables operators
to connect with a web browser and interact with the process. Through the browser,
the operator can adjust logging scope levels, see the process' command-line arguments
and envirinment variables, see statistics about heap use, and more.

Integration with ControlZ is nominally two line deal for processes. Optionally,
processes can extend the base ControlZ UI and integrate their own screens into the
main UI.

In addition to the browser interface, there is a REST API enabling access to all
the same things that the UI shows.

Mixer is integrated with ControlZ but doesn't currently have custom UI. We should
integrate ControlZ with our other server components in due time.

* Add myself to owners. (#5039)

* pod Ip is actually required

Service vip doesn’t exist for non existent port and we need a non
existent port to get the bad routing behavior

* Expose image of each istio component for istio chart. (#5222)

Automatic merge from submit-queue.

Expose image of each istio component for istio chart.

Make `image` for each Istio component be configurable. 
This is useful in case that users build or retag Istio image.

/cc @gyliu513 @linsun @sdake

* Undoing accidental merge to master

* Adding zone/region node labeling if missing (#5164)

* Fixing missing INSTANCE_IP

* Fix yaml error

* Rename v1alpha3.ExternalSerivce to v1alpha3.ServiceEntry (#5195)

* first pass renaming v1alpha3.ExternalSerivce to v1alpha3.ServiceEntry

* rename ServiceEntry.Discovery to ServiceEntry.Resolution

* update vendor to latest istio/api

* fix cloudfoundry copilot e2e test (#5188)

* initial changes to fix both pilot endpoints

* they now should be curl'ing the right things

properly booting an envoy with dynamic
template now

new port name for building listeners

Include port for Cloud Foundry services

* Building listeners now requires named ports.

* always run cloudfoundry tests

* moves cloudfoundry circleci test to own run

* adds cloudfoundry test to all

* want to just use default env vars

* need GOPATH/bin on path for envoy

* switch to defaults which uses da container

* disable zipkin test in pilot

* add missing clusters to ads mesh response (#5221)

* e2e test for JWT authn policy (#5144)

Automatic merge from submit-queue.

e2e test for JWT authn policy

#5078

1. JWT token used here expires in year 2132 (borrowed from https://github.com/istio/proxy/blob/master/src/envoy/http/jwt_auth/sample/correct_jwt). 
2. will add another e2e test for fetching JWT public key scenario after #5061 is in.

* Set listeners h2 max streams to override nghttp2 client default of 100 (#5232)

Automatic merge from submit-queue.

Set listeners h2 max streams to override nghttp2 client default of 100

Reference issue: envoyproxy/envoy#3076
Signed-off-by: Kuat Yessenov <kuat@google.com>

* Enable ControlZ to fetch the current process' known logging scopes. (#5245)

Automatic merge from submit-queue.

Enable ControlZ to fetch the current process' known logging scopes.

* Add more parameters to sidecar injector helm template (#5044)

Automatic merge from submit-queue.

Add enableCoreDump and policy parameters to sidecar injector helm template

* Fixing fallout of renames in earlier commit + restore auth for e2e-simple on circle (#5241)

* Fixing fallout of renames in earlier commit

* Re fixing lost fix that e2e-simple should run with auth

Technically it should run with both auth and no auth like on prow but
if it runs only 1 mode it should be with auth

* follow output log pattern for cloudfoundry e2e test (#5234)

- and tee to a new file so it doesn't overwrite

* bootstrapv2: Stop using deprecated cluster_names (#5225)

Using cluster_names in GRPC resource config is deprecated:
envoyproxy/envoy@ad02e4a

Signed-off-by: Romain Lenglet <romain@covalent.io>

* Address a few causes of Gateway/Filterchain failures (#5185)

* Sort HTTP route virtual hosts before sending listeners to Envoy.
Listeners with multiple filter chains containing HTTP filters require
that the HTTP filters have consistent ordering due to how Envoy computes
updates.

* don't respond with empty listeners

* address review comments

* fix linter

* linters, once more

* use configurable paths for envoy and envoy config locations (#5248)

* re-add istioctl unit tests to Makefile (#5205)

* re-add istioctl unit tests to Makefile

#3820 moved istioctl out of pilot
subdirectory but forgot to re-add istioctl unit tests to top-level
Makefile. Fix that problem and also the currently broken tests.

* add missing test data

* return an error when Envoy fails to start (#5251)

mixer and backend should also do this, but that involves slightly more
work.

* Adde list of container ports to the injected inbound ports

* Add support for helm

* [test pr] check if 503s and other known bugs are fixed

removing the t.Skip()

Should fail in CI until we have a fix

* prune old version resources that no longer exist (#5107)

Automatic merge from submit-queue.

prune old version resources that no longer exist

* [vendor-change] CloudWatch Mixer adapter (#4617)

Automatic merge from submit-queue.

[vendor-change] CloudWatch Mixer adapter

Adding an adapter to send metrics to cloudwatch

* Enable Ingress/Egress gateways in Helm for bookinfo demos (#5120)

Automatic merge from submit-queue.

Enable Ingress/Egress gateways in Helm for bookinfo demos

* Consume labeled multicluster secrets on startup (#5117)

Automatic merge from submit-queue.

Consume labeled multicluster secrets on startup

This patch when run against istio.yaml or istio-auth.yaml
runs in the new config mode using only labels rather than
configmaps.  The configmap functionality can be removed in
0.9.

* Add a linter check to make sure types.go are generated. (#5110)

Automatic merge from submit-queue.

Add a linter check to make sure types.go are generated.

addresses #4418

* Remove outdated manifests from install/kubernetes (#4882)

* Remove orig_ manifests

* Remove istio-mixer-validator and istio-mixer-with-health-check manifests

* Remove unwanted manifests before archiving

* Remove istio-sidecar-injector.yaml from install/README.md

* Remove *one-namespace*.yaml from install/README.md

* Make helm-generated manifests overwrite updateVersion_orig.sh manifests

* Add support for per-metric namespace configuration to prom config (#5112)

* Adding CI workflow for checking vendor diff (#5051)

Automatic merge from submit-queue.

Adding CI workflow for checking vendor diff

This aims to help ensure that a PR contains the correct vendor change,
by running `dep ensure` and seeing if git detects any changes.

* Introduce galley/pkg/server (#4974)

Automatic merge from submit-queue.

Introduce galley/pkg/server

galley/pkg/server implements logic performs both CRD synchronization, along with resource synchronization operations. The resource synchronizers are started/stopped as CRDs (of interest) are added/deleted.

* [vendor change] Add metrics command to istioctl experimental cli (#4945)

Automatic merge from submit-queue.

[vendor change] Add metrics command to istioctl experimental cli

This PR adds a new command for retrieving service-level metrics
for services within an Istio service mesh. In combination with
the `watch` command, this tool may be used to display a rudimentary
service dashboard from the commandline.

This command requires the deployment of a prometheus instance for
monitoring the mesh. It discovers a prometheus pod, establishes a
port-forward to that pod, and executes a series of queries to extract
the metrics for display.

Currently, this command pulls all metrics from the current time, 
calculating rates and latencies over a time window of 1 minute. In 
the future, it will be possible to add support for flexible time
windows.

Example usage (bookinfo example):

```
$ istioctl experimental metrics productpage reviews ratings details
productpage:
  Total RPS:     7.872870
  Error RPS:     0.000000
  P50 Latency:   40ms
  P90 Latency:   80ms
  P99 Latency:   98ms
reviews:
  Total RPS:     7.909235
  Error RPS:     0.000000
  P50 Latency:   4ms
  P90 Latency:   9ms
  P99 Latency:   21ms
ratings:
  Total RPS:     5.309187
  Error RPS:     0.000000
  P50 Latency:   2ms
  P90 Latency:   4ms
  P99 Latency:   4ms
details:
  Total RPS:     7.872870
  Error RPS:     0.000000
  P50 Latency:   3ms
  P90 Latency:   38ms
  P99 Latency:   48ms
``` 

This tool is intended primarily to aid with debugging, as discovering
what is happening with a mesh and/or a particular service can be somewhat
cumbersome.

Reviewers: please let me know if there is a more appropriate place for 
such a tool and if there is more/different information that you think
is relevant to display for a service.

Vendor PR: istio/old_vendor-istio_repo#58

* unset IFS, minor fix for perf setup (#5124)

Automatic merge from submit-queue.

unset IFS, minor fix for perf setup

* perf setup update: add grafana, misc fixes (#5028)

* need git pull --tags to get latest_release movement, use DUR variable for duration

* Add grafana ingress

Doesn’t work because of mixer/telemetry split yet but almost

Also had to disable mtls for grafana - this should be the default

* Add annotation for no mtls in helm template

* From 0.8 prometheus is already in the yaml

See #5111

* Assert requried circle CI envs in ci2gubernator (#5137)

Automatic merge from submit-queue.

Assert requried circle CI envs in ci2gubernator

There has been cases where tests on circle failed when calling ci2gubernator because `CIRCLE_PR_NUMBER` unbound. This PR asserts the existence of the circle ci envs required by ci2gubernator and resort to no op if any of those is not defined.

* Add Mixer perf tests that includes the RPC path. (#5013)

Automatic merge from submit-queue.

Add Mixer perf tests that includes the RPC path.

The perf tests included two sets of tests (proper v.s. with _R2 suffix).
The tests with _R2 suffix was for testing runtime2 implementation.

Now that there is only one runtime, repurposing some of the tests to
include the gRpc layer as well.

* verify 200 status code in addition to header value (#5163)

* Add/Update Mixer e2e tests to cover more attributes sent from Envoy. (#5152)

* Add/Update Mixer e2e tests to cover more attributes sent from Envoy.

* Fix indent.

* Assorted bug fixes for 0.8 (#5133)

* assorted bug fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Updated zipkin to 2.7 for istio. (#5155)

Automatic merge from submit-queue.

Updated zipkin to 2.7 for istio.

This is a follow up PR for #4726

/cc @ldemailly

* fix path for go 1.10 on perf vm (#5168)

* Move mixer filter to per_filter_config (#5073)

Automatic merge from submit-queue.

Move mixer filter to per_filter_config

Move the per route mixer filter config from the metadata field to per_filter_config and turn it into a ServiceConfig proto.

* Enable test

* [vendor change] Add B3 codec to Jaeger tracer to enable mixer trace to be included in… (#5116)

Automatic merge from submit-queue.

[vendor change] Add B3 codec to Jaeger tracer to enable mixer trace to be included in…

… the application trace - and extended zipkin test to check for the mixer span

Installs the B3 codec into the Jaeger tracer to enable B3 headers to be understood and therefore associate any spans with the existing application trace.

The PR also updates the zipkin e2e test to check that the mixer spans are included in the application trace instance. 

Once an initial review of the PR has been approved I'll commit the vendor change - using "dep ensure"? Locally this has resulted in a number of dependencies being deleted under `vendor/k8s.io/client-go/`.

Signed-off-by: Gary Brown <gary@brownuk.com>

* remove prometheus from release archives (#5150)

Automatic merge from submit-queue.

remove prometheus from release archives

* Add Galley command-line flags "server" and "purge" (#4977)

Automatic merge from submit-queue.

Add Galley command-line flags "server" and "purge"

Add command-line flags for server and purge commands.

* Simplify the auth test

Thanks Andra for pointing out that version should fail/work the same as
using pod IP directly as the destination container never sees the
original cluster IP

* adds guard for kube client (#5140)

* adds guard for kube client

- there may not always be one, especially in
the case of CF.
- made CF case more explicit

* ci2gubernator: stop checking for unset variables

* Fix single endpoint pilot ads look up (#5165)

* Add an experiment subcommand rbac to istioctl. (#5093)

Automatic merge from submit-queue.

Add an experiment subcommand rbac to istioctl.

The subcommand is used to interact with Istio RBAC policies, this PR
adds the basic interface and the actual logic will be added in a later
PR.

See #4856.

* Fixing race test failure in TestAdsEds (#5161)

Automatic merge from submit-queue.

Fixing race test failure in TestAdsEds

introduced by #4694
addresses #4235

* v1alpha1 to v1alpha3 rule conversion tool bug fixes and subset merging (#5178)

* v1 to v3 conversion enhancements and tests

* Handle DestinationPolicy w/o labels

* Remove AddJwtAuth (#5194)

Automatic merge from submit-queue.

Remove AddJwtAuth

There is a compile error.
# istio.io/istio/mixer/test/client/env
../../../../../mixer/test/client/env/mixer_filter_config.go:167:47: undefined: client.JWT
../../../../../mixer/test/client/env/mixer_filter_config.go:168:21: mfConf.PerRouteConf.EndUserAuthnSpec undefined (type *client.ServiceConfig has no field or method EndUserAuthnSpec)
../../../../../mixer/test/client/env/mixer_filter_config.go:168:42: undefined: client.EndUserAuthenticationPolicySpec
../../../../../mixer/test/client/env/mixer_filter_config.go:169:21: mfConf.PerRouteConf.EndUserAuthnSpec undefined (type *client.ServiceConfig has no field or method EndUserAuthnSpec)

Remove AddJwtAuth function.

cc @diemtvu

* Skip bad routes instead of erroring (#5183)

* Skip bad routes instead of erroring

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* final nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix rules

* BlackHole with a capital H

* validate clusters false

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Fetch/cache/refresh JWT public key, construct localJwks in sidecar filter config (#5061)

Automatic merge from submit-queue.

Fetch/cache/refresh JWT public key, construct localJwks in sidecar filter config

#4917

This PR includes 
1. fetch JWT public key, and cache the key.
2. key rotation - a refresher job refresh key periodically.
3. use the key to construct localJwks in sidecar filter config.

* Introduce dynamic proto3 encoder (#5122)

* WIP commit

* Remove dead code

* Rearrange code

* split code into encoderUtil

* Everything except ENUM

* use protoc 3.5.1 to ensure json names are generated

* expose internal funcs

* WIP3. all dynamic and static elementry types. No repeated or packed

* support packed static primitive types

* use switch in place of if

* primitives with eval and packed repeated

* all primitives with expressions

* add test with enum constants and expressions

* add expressions in repeated fields

* Refactor 2

* linter checks

* fix linter2

* split encoder and builder

* rename eval to primitive

* add all dynamic tests

* Add dependency for messagediff

* add full dynamic test

* update comment

* fix linter error

* Update vendor. Add messagediff.v1 for test verification

* add all positive tests

* improve test coverage

* remove updated to lang.compiled

* fix linter error

* handle float64 inputs for integers

* Builder.Build() takes msgName and data

* WIP2

* review comments

* review comments

* rename messagediff to diff

* add more tests

* Update deps

* improve test coverage

* add log message while skipping fields

* increase test coverage

* update dep status

* Add more files to gitignore (#5198)

* Fix Mixer dashboard CPU reporting (#5145)

Automatic merge from submit-queue.

Fix Mixer dashboard CPU reporting

A previous PR seems to have accidentally removed the "rate" component of
the CPU calculations for the Mixer Dashboard. This results in an ever-increasing
CPU graph.

This PR restores a proper rate-based display for CPU calculation. It also
renames the jobs in the Prometheus config to better align with the split
from Mixer to Istio-Telemetry and Istio-Mixer (providing easier to understand
tracking between cAdvisor metrics and the self-reported metrics.

This PR should be cherry-picked onto the 0.8 branch.

* fix nil reference error when mock server fails to start (#5216)

* [WIP] refactor bookinfo to use different gateway definitions for envoy v1/routing v1alpha1 and envoy v2/routing v1alpha3  (#5113)

* restrict the tests to either v1alpha1 or v1alpha3

* move applying defaultRules into setUpDefaultRouting

* extract Ingress (Gateway) definition from bookinfo.yaml

it is different for v1alpha1 and v1alpha3

* make the gateway rule first in defaultRules, so it will be applied first

* fixed wrong variable names in mixer tests

* fixed the location of bookinfo gateway yaml

* fixed wrong variable in mixer test

* add missing spec and name to destination-policy-reviews

* remove comment line in samples/bookinfo/routing/bookinfo-gateway.yaml

* add port 9080 to the new bookinfo gateway

* remove using a special destination rule for reviews

* refactor GetIngress to make it reusable for GetIngressGateway

extract functions for getting Kubernetes Ingress and NodePort

* remove a shadowing variable

* refactor GetIngressPod, add GetIngressGateway

* add IngressGateway() to framework Kube

* added using IngressGateway() of framework Kube in bookinfo e2e tests

* use load balancer ingress IP to get the IP of the nodeport

* use ingress IP for nodeport

* remove commented out line

* fixed getting the ingress as the IP for a NodePort

* Revert "fixed getting the ingress as the IP for a NodePort"

This reverts commit 594e58d.

* Revert "use ingress IP for nodeport"

This reverts commit 333b80f.

* Revert "use load balancer ingress IP to get the IP of the nodeport"

This reverts commit 3c138e4.

* add generate_yaml-envoyv2_transition_loadbalancer_ingressgateway

to generate istio configurations without ingress and with ingressgateway as
a LoadBalancer service

* use generate_yaml-envoyv2_transition_loadbalancer_ingressgateway in test/local/noauth/e2e_bookinfo_envoyv2

* added LoadBalancerServiceType and NodePortServiceType constants

* rewrote the ingress related logic

use LoadBalancer type for non-local and NodePort for local tests

* lint fixes

* fix lint errors

* *sync.Locker -> sync.Locker, use interface instead of a pointer to interface

* refactor: extract getServicePort() from getServiceNodePort()

* add isKubernetesIngress flag to tests/util.GetIngress()

* fix the destination port in the virtual service of the gateway

* Revert "add isKubernetesIngress flag to tests/util.GetIngress()"

This reverts commit 8dbe13c.

* set different retry values for LoadBalancer and NodePort

according to the original implementation

* fix logging message

* fix a typo

* Introduce pkg/ctrlz, Istio's introspection package. (#5123)

* Introduce pkg/ctrlz, Istio's introspection package.

Processes that integrate with ControlZ open up a port that enables operators
to connect with a web browser and interact with the process. Through the browser,
the operator can adjust logging scope levels, see the process' command-line arguments
and envirinment variables, see statistics about heap use, and more.

Integration with ControlZ is nominally two line deal for processes. Optionally,
processes can extend the base ControlZ UI and integrate their own screens into the
main UI.

In addition to the browser interface, there is a REST API enabling access to all
the same things that the UI shows.

Mixer is integrated with ControlZ but doesn't currently have custom UI. We should
integrate ControlZ with our other server components in due time.

* Add myself to owners. (#5039)

* pod Ip is actually required

Service vip doesn’t exist for non existent port and we need a non
existent port to get the bad routing behavior

* Expose image of each istio component for istio chart. (#5222)

Automatic merge from submit-queue.

Expose image of each istio component for istio chart.

Make `image` for each Istio component be configurable. 
This is useful in case that users build or retag Istio image.

/cc @gyliu513 @linsun @sdake

* Undoing accidental merge to master

* Adding zone/region node labeling if missing (#5164)

* Fixing missing INSTANCE_IP

* Fix yaml error

* Rename v1alpha3.ExternalSerivce to v1alpha3.ServiceEntry (#5195)

* first pass renaming v1alpha3.ExternalSerivce to v1alpha3.ServiceEntry

* rename ServiceEntry.Discovery to ServiceEntry.Resolution

* update vendor to latest istio/api

* fix cloudfoundry copilot e2e test (#5188)

* initial changes to fix both pilot endpoints

* they now should be curl'ing the right things

properly booting an envoy with dynamic
template now

new port name for building listeners

Include port for Cloud Foundry services

* Building listeners now requires named ports.

* always run cloudfoundry tests

* moves cloudfoundry circleci test to own run

* adds cloudfoundry test to all

* want to just use default env vars

* need GOPATH/bin on path for envoy

* switch to defaults which uses da container

* disable zipkin test in pilot

* add missing clusters to ads mesh response (#5221)

* e2e test for JWT authn policy (#5144)

Automatic merge from submit-queue.

e2e test for JWT authn policy

#5078

1. JWT token used here expires in year 2132 (borrowed from https://github.com/istio/proxy/blob/master/src/envoy/http/jwt_auth/sample/correct_jwt). 
2. will add another e2e test for fetching JWT public key scenario after #5061 is in.

* Set listeners h2 max streams to override nghttp2 client default of 100 (#5232)

Automatic merge from submit-queue.

Set listeners h2 max streams to override nghttp2 client default of 100

Reference issue: envoyproxy/envoy#3076
Signed-off-by: Kuat Yessenov <kuat@google.com>

* Enable ControlZ to fetch the current process' known logging scopes. (#5245)

Automatic merge from submit-queue.

Enable ControlZ to fetch the current process' known logging scopes.

* Add more parameters to sidecar injector helm template (#5044)

Automatic merge from submit-queue.

Add enableCoreDump and policy parameters to sidecar injector helm template

* Fixing fallout of renames in earlier commit + restore auth for e2e-simple on circle (#5241)

* Fixing fallout of renames in earlier commit

* Re fixing lost fix that e2e-simple should run with auth

Technically it should run with both auth and no auth like on prow but
if it runs only 1 mode it should be with auth

* follow output log pattern for cloudfoundry e2e test (#5234)

- and tee to a new file so it doesn't overwrite

* bootstrapv2: Stop using deprecated cluster_names (#5225)

Using cluster_names in GRPC resource config is deprecated:
envoyproxy/envoy@ad02e4a

Signed-off-by: Romain Lenglet <romain@covalent.io>

* Address a few causes of Gateway/Filterchain failures (#5185)

* Sort HTTP route virtual hosts before sending listeners to Envoy.
Listeners with multiple filter chains containing HTTP filters require
that the HTTP filters have consistent ordering due to how Envoy computes
updates.

* don't respond with empty listeners

* address review comments

* fix linter

* linters, once more

* use configurable paths for envoy and envoy config locations (#5248)

* re-add istioctl unit tests to Makefile (#5205)

* re-add istioctl unit tests to Makefile

#3820 moved istioctl out of pilot
subdirectory but forgot to re-add istioctl unit tests to top-level
Makefile. Fix that problem and also the currently broken tests.

* add missing test data

* return an error when Envoy fails to start (#5251)

mixer and backend should also do this, but that involves slightly more
work.

* Adde list of container ports to the injected inbound ports

* Add support for helm

* [test pr] check if 503s and other known bugs are fixed

removing the t.Skip()

Should fail in CI until we have a fix

* prune old version resources that no longer exist (istio#5107)

Automatic merge from submit-queue.

prune old version resources that no longer exist

* [vendor-change] CloudWatch Mixer adapter (istio#4617)

Automatic merge from submit-queue.

[vendor-change] CloudWatch Mixer adapter

Adding an adapter to send metrics to cloudwatch

* Enable Ingress/Egress gateways in Helm for bookinfo demos (istio#5120)

Automatic merge from submit-queue.

Enable Ingress/Egress gateways in Helm for bookinfo demos

* Consume labeled multicluster secrets on startup (istio#5117)

Automatic merge from submit-queue.

Consume labeled multicluster secrets on startup

This patch when run against istio.yaml or istio-auth.yaml
runs in the new config mode using only labels rather than
configmaps.  The configmap functionality can be removed in
0.9.

* Add a linter check to make sure types.go are generated. (istio#5110)

Automatic merge from submit-queue.

Add a linter check to make sure types.go are generated.

addresses istio#4418

* Remove outdated manifests from install/kubernetes (istio#4882)

* Remove orig_ manifests

* Remove istio-mixer-validator and istio-mixer-with-health-check manifests

* Remove unwanted manifests before archiving

* Remove istio-sidecar-injector.yaml from install/README.md

* Remove *one-namespace*.yaml from install/README.md

* Make helm-generated manifests overwrite updateVersion_orig.sh manifests

* Add support for per-metric namespace configuration to prom config (istio#5112)

* Adding CI workflow for checking vendor diff (istio#5051)

Automatic merge from submit-queue.

Adding CI workflow for checking vendor diff

This aims to help ensure that a PR contains the correct vendor change,
by running `dep ensure` and seeing if git detects any changes.

* Introduce galley/pkg/server (istio#4974)

Automatic merge from submit-queue.

Introduce galley/pkg/server

galley/pkg/server implements logic performs both CRD synchronization, along with resource synchronization operations. The resource synchronizers are started/stopped as CRDs (of interest) are added/deleted.

* [vendor change] Add metrics command to istioctl experimental cli (istio#4945)

Automatic merge from submit-queue.

[vendor change] Add metrics command to istioctl experimental cli

This PR adds a new command for retrieving service-level metrics
for services within an Istio service mesh. In combination with
the `watch` command, this tool may be used to display a rudimentary
service dashboard from the commandline.

This command requires the deployment of a prometheus instance for
monitoring the mesh. It discovers a prometheus pod, establishes a
port-forward to that pod, and executes a series of queries to extract
the metrics for display.

Currently, this command pulls all metrics from the current time, 
calculating rates and latencies over a time window of 1 minute. In 
the future, it will be possible to add support for flexible time
windows.

Example usage (bookinfo example):

```
$ istioctl experimental metrics productpage reviews ratings details
productpage:
  Total RPS:     7.872870
  Error RPS:     0.000000
  P50 Latency:   40ms
  P90 Latency:   80ms
  P99 Latency:   98ms
reviews:
  Total RPS:     7.909235
  Error RPS:     0.000000
  P50 Latency:   4ms
  P90 Latency:   9ms
  P99 Latency:   21ms
ratings:
  Total RPS:     5.309187
  Error RPS:     0.000000
  P50 Latency:   2ms
  P90 Latency:   4ms
  P99 Latency:   4ms
details:
  Total RPS:     7.872870
  Error RPS:     0.000000
  P50 Latency:   3ms
  P90 Latency:   38ms
  P99 Latency:   48ms
``` 

This tool is intended primarily to aid with debugging, as discovering
what is happening with a mesh and/or a particular service can be somewhat
cumbersome.

Reviewers: please let me know if there is a more appropriate place for 
such a tool and if there is more/different information that you think
is relevant to display for a service.

Vendor PR: istio/old_vendor-istio_repo#58

* unset IFS, minor fix for perf setup (istio#5124)

Automatic merge from submit-queue.

unset IFS, minor fix for perf setup

* perf setup update: add grafana, misc fixes (istio#5028)

* need git pull --tags to get latest_release movement, use DUR variable for duration

* Add grafana ingress

Doesn’t work because of mixer/telemetry split yet but almost

Also had to disable mtls for grafana - this should be the default

* Add annotation for no mtls in helm template

* From 0.8 prometheus is already in the yaml

See istio#5111

* Assert requried circle CI envs in ci2gubernator (istio#5137)

Automatic merge from submit-queue.

Assert requried circle CI envs in ci2gubernator

There has been cases where tests on circle failed when calling ci2gubernator because `CIRCLE_PR_NUMBER` unbound. This PR asserts the existence of the circle ci envs required by ci2gubernator and resort to no op if any of those is not defined.

* Add Mixer perf tests that includes the RPC path. (istio#5013)

Automatic merge from submit-queue.

Add Mixer perf tests that includes the RPC path.

The perf tests included two sets of tests (proper v.s. with _R2 suffix).
The tests with _R2 suffix was for testing runtime2 implementation.

Now that there is only one runtime, repurposing some of the tests to
include the gRpc layer as well.

* verify 200 status code in addition to header value (istio#5163)

* Add/Update Mixer e2e tests to cover more attributes sent from Envoy. (istio#5152)

* Add/Update Mixer e2e tests to cover more attributes sent from Envoy.

* Fix indent.

* Assorted bug fixes for 0.8 (istio#5133)

* assorted bug fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Updated zipkin to 2.7 for istio. (istio#5155)

Automatic merge from submit-queue.

Updated zipkin to 2.7 for istio.

This is a follow up PR for istio#4726

/cc @ldemailly

* fix path for go 1.10 on perf vm (istio#5168)

* Move mixer filter to per_filter_config (istio#5073)

Automatic merge from submit-queue.

Move mixer filter to per_filter_config

Move the per route mixer filter config from the metadata field to per_filter_config and turn it into a ServiceConfig proto.

* Enable test

* [vendor change] Add B3 codec to Jaeger tracer to enable mixer trace to be included in… (istio#5116)

Automatic merge from submit-queue.

[vendor change] Add B3 codec to Jaeger tracer to enable mixer trace to be included in…

… the application trace - and extended zipkin test to check for the mixer span

Installs the B3 codec into the Jaeger tracer to enable B3 headers to be understood and therefore associate any spans with the existing application trace.

The PR also updates the zipkin e2e test to check that the mixer spans are included in the application trace instance. 

Once an initial review of the PR has been approved I'll commit the vendor change - using "dep ensure"? Locally this has resulted in a number of dependencies being deleted under `vendor/k8s.io/client-go/`.

Signed-off-by: Gary Brown <gary@brownuk.com>

* remove prometheus from release archives (istio#5150)

Automatic merge from submit-queue.

remove prometheus from release archives

* Add Galley command-line flags "server" and "purge" (istio#4977)

Automatic merge from submit-queue.

Add Galley command-line flags "server" and "purge"

Add command-line flags for server and purge commands.

* Simplify the auth test

Thanks Andra for pointing out that version should fail/work the same as
using pod IP directly as the destination container never sees the
original cluster IP

* adds guard for kube client (istio#5140)

* adds guard for kube client

- there may not always be one, especially in
the case of CF.
- made CF case more explicit

* ci2gubernator: stop checking for unset variables

* Fix single endpoint pilot ads look up (istio#5165)

* Add an experiment subcommand rbac to istioctl. (istio#5093)

Automatic merge from submit-queue.

Add an experiment subcommand rbac to istioctl.

The subcommand is used to interact with Istio RBAC policies, this PR
adds the basic interface and the actual logic will be added in a later
PR.

See istio#4856.

* Fixing race test failure in TestAdsEds (istio#5161)

Automatic merge from submit-queue.

Fixing race test failure in TestAdsEds

introduced by istio#4694
addresses istio#4235

* v1alpha1 to v1alpha3 rule conversion tool bug fixes and subset merging (istio#5178)

* v1 to v3 conversion enhancements and tests

* Handle DestinationPolicy w/o labels

* Remove AddJwtAuth (istio#5194)

Automatic merge from submit-queue.

Remove AddJwtAuth

There is a compile error.
# istio.io/istio/mixer/test/client/env
../../../../../mixer/test/client/env/mixer_filter_config.go:167:47: undefined: client.JWT
../../../../../mixer/test/client/env/mixer_filter_config.go:168:21: mfConf.PerRouteConf.EndUserAuthnSpec undefined (type *client.ServiceConfig has no field or method EndUserAuthnSpec)
../../../../../mixer/test/client/env/mixer_filter_config.go:168:42: undefined: client.EndUserAuthenticationPolicySpec
../../../../../mixer/test/client/env/mixer_filter_config.go:169:21: mfConf.PerRouteConf.EndUserAuthnSpec undefined (type *client.ServiceConfig has no field or method EndUserAuthnSpec)

Remove AddJwtAuth function.

cc @diemtvu

* Skip bad routes instead of erroring (istio#5183)

* Skip bad routes instead of erroring

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* final nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix rules

* BlackHole with a capital H

* validate clusters false

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Fetch/cache/refresh JWT public key, construct localJwks in sidecar filter config (istio#5061)

Automatic merge from submit-queue.

Fetch/cache/refresh JWT public key, construct localJwks in sidecar filter config

istio#4917

This PR includes 
1. fetch JWT public key, and cache the key.
2. key rotation - a refresher job refresh key periodically.
3. use the key to construct localJwks in sidecar filter config.

* Introduce dynamic proto3 encoder (istio#5122)

* WIP commit

* Remove dead code

* Rearrange code

* split code into encoderUtil

* Everything except ENUM

* use protoc 3.5.1 to ensure json names are generated

* expose internal funcs

* WIP3. all dynamic and static elementry types. No repeated or packed

* support packed static primitive types

* use switch in place of if

* primitives with eval and packed repeated

* all primitives with expressions

* add test with enum constants and expressions

* add expressions in repeated fields

* Refactor 2

* linter checks

* fix linter2

* split encoder and builder

* rename eval to primitive

* add all dynamic tests

* Add dependency for messagediff

* add full dynamic test

* update comment

* fix linter error

* Update vendor. Add messagediff.v1 for test verification

* add all positive tests

* improve test coverage

* remove updated to lang.compiled

* fix linter error

* handle float64 inputs for integers

* Builder.Build() takes msgName and data

* WIP2

* review comments

* review comments

* rename messagediff to diff

* add more tests

* Update deps

* improve test coverage

* add log message while skipping fields

* increase test coverage

* update dep status

* Add more files to gitignore (istio#5198)

* Fix Mixer dashboard CPU reporting (istio#5145)

Automatic merge from submit-queue.

Fix Mixer dashboard CPU reporting

A previous PR seems to have accidentally removed the "rate" component of
the CPU calculations for the Mixer Dashboard. This results in an ever-increasing
CPU graph.

This PR restores a proper rate-based display for CPU calculation. It also
renames the jobs in the Prometheus config to better align with the split
from Mixer to Istio-Telemetry and Istio-Mixer (providing easier to understand
tracking between cAdvisor metrics and the self-reported metrics.

This PR should be cherry-picked onto the 0.8 branch.

* fix nil reference error when mock server fails to start (istio#5216)

* [WIP] refactor bookinfo to use different gateway definitions for envoy v1/routing v1alpha1 and envoy v2/routing v1alpha3  (istio#5113)

* restrict the tests to either v1alpha1 or v1alpha3

* move applying defaultRules into setUpDefaultRouting

* extract Ingress (Gateway) definition from bookinfo.yaml

it is different for v1alpha1 and v1alpha3

* make the gateway rule first in defaultRules, so it will be applied first

* fixed wrong variable names in mixer tests

* fixed the location of bookinfo gateway yaml

* fixed wrong variable in mixer test

* add missing spec and name to destination-policy-reviews

* remove comment line in samples/bookinfo/routing/bookinfo-gateway.yaml

* add port 9080 to the new bookinfo gateway

* remove using a special destination rule for reviews

* refactor GetIngress to make it reusable for GetIngressGateway

extract functions for getting Kubernetes Ingress and NodePort

* remove a shadowing variable

* refactor GetIngressPod, add GetIngressGateway

* add IngressGateway() to framework Kube

* added using IngressGateway() of framework Kube in bookinfo e2e tests

* use load balancer ingress IP to get the IP of the nodeport

* use ingress IP for nodeport

* remove commented out line

* fixed getting the ingress as the IP for a NodePort

* Revert "fixed getting the ingress as the IP for a NodePort"

This reverts commit 594e58d.

* Revert "use ingress IP for nodeport"

This reverts commit 333b80f.

* Revert "use load balancer ingress IP to get the IP of the nodeport"

This reverts commit 3c138e4.

* add generate_yaml-envoyv2_transition_loadbalancer_ingressgateway

to generate istio configurations without ingress and with ingressgateway as
a LoadBalancer service

* use generate_yaml-envoyv2_transition_loadbalancer_ingressgateway in test/local/noauth/e2e_bookinfo_envoyv2

* added LoadBalancerServiceType and NodePortServiceType constants

* rewrote the ingress related logic

use LoadBalancer type for non-local and NodePort for local tests

* lint fixes

* fix lint errors

* *sync.Locker -> sync.Locker, use interface instead of a pointer to interface

* refactor: extract getServicePort() from getServiceNodePort()

* add isKubernetesIngress flag to tests/util.GetIngress()

* fix the destination port in the virtual service of the gateway

* Revert "add isKubernetesIngress flag to tests/util.GetIngress()"

This reverts commit 8dbe13c.

* set different retry values for LoadBalancer and NodePort

according to the original implementation

* fix logging message

* fix a typo

* Introduce pkg/ctrlz, Istio's introspection package. (istio#5123)

* Introduce pkg/ctrlz, Istio's introspection package.

Processes that integrate with ControlZ open up a port that enables operators
to connect with a web browser and interact with the process. Through the browser,
the operator can adjust logging scope levels, see the process' command-line arguments
and envirinment variables, see statistics about heap use, and more.

Integration with ControlZ is nominally two line deal for processes. Optionally,
processes can extend the base ControlZ UI and integrate their own screens into the
main UI.

In addition to the browser interface, there is a REST API enabling access to all
the same things that the UI shows.

Mixer is integrated with ControlZ but doesn't currently have custom UI. We should
integrate ControlZ with our other server components in due time.

* Add myself to owners. (istio#5039)

* pod Ip is actually required

Service vip doesn’t exist for non existent port and we need a non
existent port to get the bad routing behavior

* Expose image of each istio component for istio chart. (istio#5222)

Automatic merge from submit-queue.

Expose image of each istio component for istio chart.

Make `image` for each Istio component be configurable. 
This is useful in case that users build or retag Istio image.

/cc @gyliu513 @linsun @sdake

* Undoing accidental merge to master

* Adding zone/region node labeling if missing (istio#5164)

* Fixing missing INSTANCE_IP

* Fix yaml error

* Rename v1alpha3.ExternalSerivce to v1alpha3.ServiceEntry (istio#5195)

* first pass renaming v1alpha3.ExternalSerivce to v1alpha3.ServiceEntry

* rename ServiceEntry.Discovery to ServiceEntry.Resolution

* update vendor to latest istio/api

* fix cloudfoundry copilot e2e test (istio#5188)

* initial changes to fix both pilot endpoints

* they now should be curl'ing the right things

properly booting an envoy with dynamic
template now

new port name for building listeners

Include port for Cloud Foundry services

* Building listeners now requires named ports.

* always run cloudfoundry tests

* moves cloudfoundry circleci test to own run

* adds cloudfoundry test to all

* want to just use default env vars

* need GOPATH/bin on path for envoy

* switch to defaults which uses da container

* disable zipkin test in pilot

* add missing clusters to ads mesh response (istio#5221)

* e2e test for JWT authn policy (istio#5144)

Automatic merge from submit-queue.

e2e test for JWT authn policy

istio#5078

1. JWT token used here expires in year 2132 (borrowed from https://github.com/istio/proxy/blob/master/src/envoy/http/jwt_auth/sample/correct_jwt). 
2. will add another e2e test for fetching JWT public key scenario after istio#5061 is in.

* Set listeners h2 max streams to override nghttp2 client default of 100 (istio#5232)

Automatic merge from submit-queue.

Set listeners h2 max streams to override nghttp2 client default of 100

Reference issue: envoyproxy/envoy#3076
Signed-off-by: Kuat Yessenov <kuat@google.com>

* Enable ControlZ to fetch the current process' known logging scopes. (istio#5245)

Automatic merge from submit-queue.

Enable ControlZ to fetch the current process' known logging scopes.

* Add more parameters to sidecar injector helm template (istio#5044)

Automatic merge from submit-queue.

Add enableCoreDump and policy parameters to sidecar injector helm template

* Fixing fallout of renames in earlier commit + restore auth for e2e-simple on circle (istio#5241)

* Fixing fallout of renames in earlier commit

* Re fixing lost fix that e2e-simple should run with auth

Technically it should run with both auth and no auth like on prow but
if it runs only 1 mode it should be with auth

* follow output log pattern for cloudfoundry e2e test (istio#5234)

- and tee to a new file so it doesn't overwrite

* bootstrapv2: Stop using deprecated cluster_names (istio#5225)

Using cluster_names in GRPC resource config is deprecated:
envoyproxy/envoy@ad02e4a

Signed-off-by: Romain Lenglet <romain@covalent.io>

* Address a few causes of Gateway/Filterchain failures (istio#5185)

* Sort HTTP route virtual hosts before sending listeners to Envoy.
Listeners with multiple filter chains containing HTTP filters require
that the HTTP filters have consistent ordering due to how Envoy computes
updates.

* don't respond with empty listeners

* address review comments

* fix linter

* linters, once more

* use configurable paths for envoy and envoy config locations (istio#5248)

* re-add istioctl unit tests to Makefile (istio#5205)

* re-add istioctl unit tests to Makefile

istio#3820 moved istioctl out of pilot
subdirectory but forgot to re-add istioctl unit tests to top-level
Makefile. Fix that problem and also the currently broken tests.

* add missing test data

* return an error when Envoy fails to start (istio#5251)

mixer and backend should also do this, but that involves slightly more
work.

* Adde list of container ports to the injected inbound ports

* Add support for helm

* [test pr] check if 503s and other known bugs are fixed

removing the t.Skip()

Should fail in CI until we have a fix

* prune old version resources that no longer exist (istio#5107)

Automatic merge from submit-queue.

prune old version resources that no longer exist

* [vendor-change] CloudWatch Mixer adapter (istio#4617)

Automatic merge from submit-queue.

[vendor-change] CloudWatch Mixer adapter

Adding an adapter to send metrics to cloudwatch

* Enable Ingress/Egress gateways in Helm for bookinfo demos (istio#5120)

Automatic merge from submit-queue.

Enable Ingress/Egress gateways in Helm for bookinfo demos

* Consume labeled multicluster secrets on startup (istio#5117)

Automatic merge from submit-queue.

Consume labeled multicluster secrets on startup

This patch when run against istio.yaml or istio-auth.yaml
runs in the new config mode using only labels rather than
configmaps.  The configmap functionality can be removed in
0.9.

* Add a linter check to make sure types.go are generated. (istio#5110)

Automatic merge from submit-queue.

Add a linter check to make sure types.go are generated.

addresses istio#4418

* Remove outdated manifests from install/kubernetes (istio#4882)

* Remove orig_ manifests

* Remove istio-mixer-validator and istio-mixer-with-health-check manifests

* Remove unwanted manifests before archiving

* Remove istio-sidecar-injector.yaml from install/README.md

* Remove *one-namespace*.yaml from install/README.md

* Make helm-generated manifests overwrite updateVersion_orig.sh manifests

* Add support for per-metric namespace configuration to prom config (istio#5112)

* Adding CI workflow for checking vendor diff (istio#5051)

Automatic merge from submit-queue.

Adding CI workflow for checking vendor diff

This aims to help ensure that a PR contains the correct vendor change,
by running `dep ensure` and seeing if git detects any changes.

* Introduce galley/pkg/server (istio#4974)

Automatic merge from submit-queue.

Introduce galley/pkg/server

galley/pkg/server implements logic performs both CRD synchronization, along with resource synchronization operations. The resource synchronizers are started/stopped as CRDs (of interest) are added/deleted.

* [vendor change] Add metrics command to istioctl experimental cli (istio#4945)

Automatic merge from submit-queue.

[vendor change] Add metrics command to istioctl experimental cli

This PR adds a new command for retrieving service-level metrics
for services within an Istio service mesh. In combination with
the `watch` command, this tool may be used to display a rudimentary
service dashboard from the commandline.

This command requires the deployment of a prometheus instance for
monitoring the mesh. It discovers a prometheus pod, establishes a
port-forward to that pod, and executes a series of queries to extract
the metrics for display.

Currently, this command pulls all metrics from the current time, 
calculating rates and latencies over a time window of 1 minute. In 
the future, it will be possible to add support for flexible time
windows.

Example usage (bookinfo example):

```
$ istioctl experimental metrics productpage reviews ratings details
productpage:
  Total RPS:     7.872870
  Error RPS:     0.000000
  P50 Latency:   40ms
  P90 Latency:   80ms
  P99 Latency:   98ms
reviews:
  Total RPS:     7.909235
  Error RPS:     0.000000
  P50 Latency:   4ms
  P90 Latency:   9ms
  P99 Latency:   21ms
ratings:
  Total RPS:     5.309187
  Error RPS:     0.000000
  P50 Latency:   2ms
  P90 Latency:   4ms
  P99 Latency:   4ms
details:
  Total RPS:     7.872870
  Error RPS:     0.000000
  P50 Latency:   3ms
  P90 Latency:   38ms
  P99 Latency:   48ms
``` 

This tool is intended primarily to aid with debugging, as discovering
what is happening with a mesh and/or a particular service can be somewhat
cumbersome.

Reviewers: please let me know if there is a more appropriate place for 
such a tool and if there is more/different information that you think
is relevant to display for a service.

Vendor PR: istio/old_vendor-istio_repo#58

* unset IFS, minor fix for perf setup (istio#5124)

Automatic merge from submit-queue.

unset IFS, minor fix for perf setup

* perf setup update: add grafana, misc fixes (istio#5028)

* need git pull --tags to get latest_release movement, use DUR variable for duration

* Add grafana ingress

Doesn’t work because of mixer/telemetry split yet but almost

Also had to disable mtls for grafana - this should be the default

* Add annotation for no mtls in helm template

* From 0.8 prometheus is already in the yaml

See istio#5111

* Assert requried circle CI envs in ci2gubernator (istio#5137)

Automatic merge from submit-queue.

Assert requried circle CI envs in ci2gubernator

There has been cases where tests on circle failed when calling ci2gubernator because `CIRCLE_PR_NUMBER` unbound. This PR asserts the existence of the circle ci envs required by ci2gubernator and resort to no op if any of those is not defined.

* Add Mixer perf tests that includes the RPC path. (istio#5013)

Automatic merge from submit-queue.

Add Mixer perf tests that includes the RPC path.

The perf tests included two sets of tests (proper v.s. with _R2 suffix).
The tests with _R2 suffix was for testing runtime2 implementation.

Now that there is only one runtime, repurposing some of the tests to
include the gRpc layer as well.

* verify 200 status code in addition to header value (istio#5163)

* Add/Update Mixer e2e tests to cover more attributes sent from Envoy. (istio#5152)

* Add/Update Mixer e2e tests to cover more attributes sent from Envoy.

* Fix indent.

* Assorted bug fixes for 0.8 (istio#5133)

* assorted bug fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Updated zipkin to 2.7 for istio. (istio#5155)

Automatic merge from submit-queue.

Updated zipkin to 2.7 for istio.

This is a follow up PR for istio#4726

/cc @ldemailly

* fix path for go 1.10 on perf vm (istio#5168)

* Move mixer filter to per_filter_config (istio#5073)

Automatic merge from submit-queue.

Move mixer filter to per_filter_config

Move the per route mixer filter config from the metadata field to per_filter_config and turn it into a ServiceConfig proto.

* Enable test

* [vendor change] Add B3 codec to Jaeger tracer to enable mixer trace to be included in… (istio#5116)

Automatic merge from submit-queue.

[vendor change] Add B3 codec to Jaeger tracer to enable mixer trace to be included in…

… the application trace - and extended zipkin test to check for the mixer span

Installs the B3 codec into the Jaeger tracer to enable B3 headers to be understood and therefore associate any spans with the existing application trace.

The PR also updates the zipkin e2e test to check that the mixer spans are included in the application trace instance. 

Once an initial review of the PR has been approved I'll commit the vendor change - using "dep ensure"? Locally this has resulted in a number of dependencies being deleted under `vendor/k8s.io/client-go/`.

Signed-off-by: Gary Brown <gary@brownuk.com>

* remove prometheus from release archives (istio#5150)

Automatic merge from submit-queue.

remove prometheus from release archives

* Add Galley command-line flags "server" and "purge" (istio#4977)

Automatic merge from submit-queue.

Add Galley command-line flags "server" and "purge"

Add command-line flags for server and purge commands.

* Simplify the auth test

Thanks Andra for pointing out that version should fail/work the same as
using pod IP directly as the destination container never sees the
original cluster IP

* adds guard for kube client (istio#5140)

* adds guard for kube client

- there may not always be one, especially in
the case of CF.
- made CF case more explicit

* ci2gubernator: stop checking for unset variables

* Fix single endpoint pilot ads look up (istio#5165)

* Add an experiment subcommand rbac to istioctl. (istio#5093)

Automatic merge from submit-queue.

Add an experiment subcommand rbac to istioctl.

The subcommand is used to interact with Istio RBAC policies, this PR
adds the basic interface and the actual logic will be added in a later
PR.

See istio#4856.

* Fixing race test failure in TestAdsEds (istio#5161)

Automatic merge from submit-queue.

Fixing race test failure in TestAdsEds

introduced by istio#4694
addresses istio#4235

* v1alpha1 to v1alpha3 rule conversion tool bug fixes and subset merging (istio#5178)

* v1 to v3 conversion enhancements and tests

* Handle DestinationPolicy w/o labels

* Remove AddJwtAuth (istio#5194)

Automatic merge from submit-queue.

Remove AddJwtAuth

There is a compile error.
# istio.io/istio/mixer/test/client/env
../../../../../mixer/test/client/env/mixer_filter_config.go:167:47: undefined: client.JWT
../../../../../mixer/test/client/env/mixer_filter_config.go:168:21: mfConf.PerRouteConf.EndUserAuthnSpec undefined (type *client.ServiceConfig has no field or method EndUserAuthnSpec)
../../../../../mixer/test/client/env/mixer_filter_config.go:168:42: undefined: client.EndUserAuthenticationPolicySpec
../../../../../mixer/test/client/env/mixer_filter_config.go:169:21: mfConf.PerRouteConf.EndUserAuthnSpec undefined (type *client.ServiceConfig has no field or method EndUserAuthnSpec)

Remove AddJwtAuth function.

cc @diemtvu

* Skip bad routes instead of erroring (istio#5183)

* Skip bad routes instead of erroring

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* final nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix rules

* BlackHole with a capital H

* validate clusters false

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Fetch/cache/refresh JWT public key, construct localJwks in sidecar filter config (istio#5061)

Automatic merge from submit-queue.

Fetch/cache/refresh JWT public key, construct localJwks in sidecar filter config

istio#4917

This PR includes 
1. fetch JWT public key, and cache the key.
2. key rotation - a refresher job refresh key periodically.
3. use the key to construct localJwks in sidecar filter config.

* Introduce dynamic proto3 encoder (istio#5122)

* WIP commit

* Remove dead code

* Rearrange code

* split code into encoderUtil

* Everything except ENUM

* use protoc 3.5.1 to ensure json names are generated

* expose internal funcs

* WIP3. all dynamic and static elementry types. No repeated or packed

* support packed static primitive types

* use switch in place of if

* primitives with eval and packed repeated

* all primitives with expressions

* add test with enum constants and expressions

* add expressions in repeated fields

* Refactor 2

* linter checks

* fix linter2

* split encoder and builder

* rename eval to primitive

* add all dynamic tests

* Add dependency for messagediff

* add full dynamic test

* update comment

* fix linter error

* Update vendor. Add messagediff.v1 for test verification

* add all positive tests

* improve test coverage

* remove updated to lang.compiled

* fix linter error

* handle float64 inputs for integers

* Builder.Build() takes msgName and data

* WIP2

* review comments

* review comments

* rename messagediff to diff

* add more tests

* Update deps

* improve test coverage

* add log message while skipping fields

* increase test coverage

* update dep status

* Add more files to gitignore (istio#5198)

* Fix Mixer dashboard CPU reporting (istio#5145)

Automatic merge from submit-queue.

Fix Mixer dashboard CPU reporting

A previous PR seems to have accidentally removed the "rate" component of
the CPU calculations for the Mixer Dashboard. This results in an ever-increasing
CPU graph.

This PR restores a proper rate-based display for CPU calculation. It also
renames the jobs in the Prometheus config to better align with the split
from Mixer to Istio-Telemetry and Istio-Mixer (providing easier to understand
tracking between cAdvisor metrics and the self-reported metrics.

This PR should be cherry-picked onto the 0.8 branch.

* fix nil reference error when mock server fails to start (istio#5216)

* [WIP] refactor bookinfo to use different gateway definitions for envoy v1/routing v1alpha1 and envoy v2/routing v1alpha3  (istio#5113)

* restrict the tests to either v1alpha1 or v1alpha3

* move applying defaultRules into setUpDefaultRouting

* extract Ingress (Gateway) definition from bookinfo.yaml

it is different for v1alpha1 and v1alpha3

* make the gateway rule first in defaultRules, so it will be applied first

* fixed wrong variable names in mixer tests

* fixed the location of bookinfo gateway yaml

* fixed wrong variable in mixer test

* add missing spec and name to destination-policy-reviews

* remove comment line in samples/bookinfo/routing/bookinfo-gateway.yaml

* add port 9080 to the new bookinfo gateway

* remove using a special destination rule for reviews

* refactor GetIngress to make it reusable for GetIngressGateway

extract functions for getting Kubernetes Ingress and NodePort

* remove a shadowing variable

* refactor GetIngressPod, add GetIngressGateway

* add IngressGateway() to framework Kube

* added using IngressGateway() of framework Kube in bookinfo e2e tests

* use load balancer ingress IP to get the IP of the nodeport

* use ingress IP for nodeport

* remove commented out line

* fixed getting the ingress as the IP for a NodePort

* Revert "fixed getting the ingress as the IP for a NodePort"

This reverts commit 594e58d.

* Revert "use ingress IP for nodeport"

This reverts commit 333b80f.

* Revert "use load balancer ingress IP to get the IP of the nodeport"

This reverts commit 3c138e4.

* add generate_yaml-envoyv2_transition_loadbalancer_ingressgateway

to generate istio configurations without ingress and with ingressgateway as
a LoadBalancer service

* use generate_yaml-envoyv2_transition_loadbalancer_ingressgateway in test/local/noauth/e2e_bookinfo_envoyv2

* added LoadBalancerServiceType and NodePortServiceType constants

* rewrote the ingress related logic

use LoadBalancer type for non-local and NodePort for local tests

* lint fixes

* fix lint errors

* *sync.Locker -> sync.Locker, use interface instead of a pointer to interface

* refactor: extract getServicePort() from getServiceNodePort()

* add isKubernetesIngress flag to tests/util.GetIngress()

* fix the destination port in the virtual service of the gateway

* Revert "add isKubernetesIngress flag to tests/util.GetIngress()"

This reverts commit 8dbe13c.

* set different retry values for LoadBalancer and NodePort

according to the original implementation

* fix logging message

* fix a typo

* Introduce pkg/ctrlz, Istio's introspection package. (istio#5123)

* Introduce pkg/ctrlz, Istio's introspection package.

Processes that integrate with ControlZ open up a port that enables operators
to connect with a web browser and interact with the process. Through the browser,
the operator can adjust logging scope levels, see the process' command-line arguments
and envirinment variables, see statistics about heap use, and more.

Integration with ControlZ is nominally two line deal for processes. Optionally,
processes can extend the base ControlZ UI and integrate their own screens into the
main UI.

In addition to the browser interface, there is a REST API enabling access to all
the same things that the UI shows.

Mixer is integrated with ControlZ but doesn't currently have custom UI. We should
integrate ControlZ with our other server components in due time.

* Add myself to owners. (istio#5039)

* pod Ip is actually required

Service vip doesn’t exist for non existent port and we need a non
existent port to get the bad routing behavior

* Expose image of each istio component for istio chart. (istio#5222)

Automatic merge from submit-queue.

Expose image of each istio component for istio chart.

Make `image` for each Istio component be configurable. 
This is useful in case that users build or retag Istio image.

/cc @gyliu513 @linsun @sdake

* Undoing accidental merge to master

* Adding zone/region node labeling if missing (istio#5164)

* Fixing missing INSTANCE_IP

* Fix yaml error

* Rename v1alpha3.ExternalSerivce to v1alpha3.ServiceEntry (istio#5195)

* first pass renaming v1alpha3.ExternalSerivce to v1alpha3.ServiceEntry

* rename ServiceEntry.Discovery to ServiceEntry.Resolution

* update vendor to latest istio/api

* fix cloudfoundry copilot e2e test (istio#5188)

* initial changes to fix both pilot endpoints

* they now should be curl'ing the right things

properly booting an envoy with dynamic
template now

new port name for building listeners

Include port for Cloud Foundry services

* Building listeners now requires named ports.

* always run cloudfoundry tests

* moves cloudfoundry circleci test to own run

* adds cloudfoundry test to all

* want to just use default env vars

* need GOPATH/bin on path for envoy

* switch to defaults which uses da container

* disable zipkin test in pilot

* add missing clusters to ads mesh response (istio#5221)

* e2e test for JWT authn policy (istio#5144)

Automatic merge from submit-queue.

e2e test for JWT authn policy

istio#5078

1. JWT token used here expires in year 2132 (borrowed from https://github.com/istio/proxy/blob/master/src/envoy/http/jwt_auth/sample/correct_jwt). 
2. will add another e2e test for fetching JWT public key scenario after istio#5061 is in.

* Set listeners h2 max streams to override nghttp2 client default of 100 (istio#5232)

Automatic merge from submit-queue.

Set listeners h2 max streams to override nghttp2 client default of 100

Reference issue: envoyproxy/envoy#3076
Signed-off-by: Kuat Yessenov <kuat@google.com>

* Enable ControlZ to fetch the current process' known logging scopes. (istio#5245)

Automatic merge from submit-queue.

Enable ControlZ to fetch the current process' known logging scopes.

* Add more parameters to sidecar injector helm template (istio#5044)

Automatic merge from submit-queue.

Add enableCoreDump and policy parameters to sidecar injector helm template

* Fixing fallout of renames in earlier commit + restore auth for e2e-simple on circle (istio#5241)

* Fixing fallout of renames in earlier commit

* Re fixing lost fix that e2e-simple should run with auth

Technically it should run with both auth and no auth like on prow but
if it runs only 1 mode it should be with auth

* follow output log pattern for cloudfoundry e2e test (istio#5234)

- and tee to a new file so it doesn't overwrite

* bootstrapv2: Stop using deprecated cluster_names (istio#5225)

Using cluster_names in GRPC resource config is deprecated:
envoyproxy/envoy@ad02e4a

Signed-off-by: Romain Lenglet <romain@covalent.io>

* Address a few causes of Gateway/Filterchain failures (istio#5185)

* Sort HTTP route virtual hosts before sending listeners to Envoy.
Listeners with multiple filter chains containing HTTP filters require
that the HTTP filters have consistent ordering due to how Envoy computes
updates.

* don't respond with empty listeners

* address review comments

* fix linter

* linters, once more

* use configurable paths for envoy and envoy config locations (istio#5248)

* re-add istioctl unit tests to Makefile (istio#5205)

* re-add istioctl unit tests to Makefile

istio#3820 moved istioctl out of pilot
subdirectory but forgot to re-add istioctl unit tests to top-level
Makefile. Fix that problem and also the currently broken tests.

* add missing test data

* return an error when Envoy fails to start (istio#5251)

mixer and backend should also do this, but that involves slightly more
work.

* add example for disabling injection (istio#1021)

* Updated reference docs. (istio#1045)

* Add task for Istio CA health check. (istio#1038)

* Add task for Istio CA health check.

* Small fix.

* Small fix.

* Updates troubleshooting guide to add pilot (istio#1037)

* Fix misnamed link (istio#1050)

* update document generation for istioctl (istio#1047)

* Hack to get ownership of Google analytics account for the site.

* Don't need the analytics hack no more...

* Make the rake test ensure that we use {{home}} consistently. (istio#1053)

We now generate the test site into a subdirectory such that we can ensure all
links are correctly using {{home}}, which makes the site work correctly once
archived.

Fixed a bunch of broken cases.

* Reduce the visual weight of code blocks so they don't break up the page so much. (istio#1054)

* Introduce support for building the site in "preliminary" mode. (istio#1052)

* Notes for 0.6 (istio#1048)

* Refresh version selection menu given 0.6.

* update instructions for mesh expansion (istio#1056)

* update instructions for mesh expansion

* remove ISTIO_STAGING references

* Specify --debug option to use docker.io/istio/proxy_debug image for (istio#1057)

deployment.

* Update reference docs.

* Update Quick start Doc (istio#1059)

Fix Typo

* Update Istio RBAC document to relfect sample changes. (istio#1062)

* Fix typo in Cleanup section (istio#1061)

* clarify verification of injected proxy with automatic injection (istio#1024)

* Fixe wrong port number (istio#1041)

* Sidecar proxy help (istio#1044)

* Use same instance name in Mixer config example (istio#1051)

* Add a bunch of redirects for old pages (istio#1066)

The Google Crawl Engine reported a bunch of broken links pointing into istio.io.
This adds redirects so that these links work.

Add a hack such that the gear menu logic that lets you time travel through versions
of the site will insist that if a page existed in a given version, it must also exist
in subsequent versions. This will ensure we always create redirects when we move site
content, and thus avoid breaking links into the site. If a page is moved or removed,
this will lead to rake test errors when checking the content of archive.istio.io.

* Update reference docs.

* Fix bad formatting.

* Fix typos.

* Update reference docs.

* Eliminate flickering on page load. (istio#1068)

- Fix another issue with my arch-nemesis, the Copy button. My last fix for Copy button issues
resulted in screen flickering upon page loading. This is now fixed.

- Pin the size of the gear and magnifying glass icons in the header to avoid flicker as the
fonts for those renders a few ms too late and lead to flickering on page load.

- Cleaned up the site's JavaScript for clarity, and include minimized versions in the
site for improved perf.

* Improve formatting. (istio#1070)

- Remove the silly right indent used for list items. This was throwing away a lot of
useful screen real estate on mobile.

* Add support for dynamically inserting file content into the site. (istio#1069)

This is useful for pulling in content straight from GitHub on the fly,
rather than cut & pasting it into the site.

* Update sidecar AWS verification (istio#1060)

* Update sidecar AWS verification

Add verification without ssh access on master node. Perform check directly with kubectl client.

* Update sidecar injection Docs

Update with @ayj remarks

* Update link 

Update link for managing tls in a cluster, add a '/'

* Fix links. (istio#1073)

- Add a / to links pointing to directories

- Switch a bunch of links from http: to https:

* master branch is now server from preliminary.istio.io (istio#1075)

* Setup 0.7.

* Forgot to update releases.yml.

* Update README

* Consolidate cluster prerequisites for webhooks into k8s quick start (istio#1077)

The automatic sidecar injection has its own set of k8s install instructions for webhooks. This overlaps with the general k8s install instructions. We'll also introduce server-side configuration webhooks which need the same prerequisites.

* Add missing .html suffix on some links. (istio#1080)

* A few more link fixes (istio#1081)

* Fix handling of legacy community links.

* Add missing .html extension on search page reference.

* Add Certificate lifetime configuration in FAQ. (istio#1079)

* Update reference docs.

* Fix some newly broken links. (istio#1082)

* Update reference docs.

* Remove empty document. (istio#1085)

* Update Ansible documentation to reflect change in Jaeger addon (istio#1049)

* Update Ansible documentation to reflect change in Jaeger addon

Relates to: istio/istio#3603

* Small polish to Ansible documentation

* Remove extra tilde in the docs (istio#1087)

Fixes istio#1004

* [WIP] Update traffic routing tasks to use v1alpha3 config (istio#1067)

* use v1alpha3 route rules

* circuit breaking task updated to v1alpha3

* convert mirroring task to v1alpha3

* convert egress task to v1alpha3

* Egress task corrections and clarifications

* use simpler rule names

* move new tasks to separate folder (keep old versions around for now)

* update example outputs

* egress tcp task

* fix broken refs

* more broken refs

* imporove wording

* add missing include home.html

* remove ingress task - will create a replacement in followup PR

* Improve sorting algorithm to use document title and not just document URL. (istio#1089)

This makes it so documents in the same directory get sorted by document title instead of
by the URL name (unless they have an order: directive, which takes precedence over alpha
order)

* Istio RBAC doc fix. (istio#1093)

* Improve readability

* Add one more faq for secret encryption (istio#1096)

* Add note to have debug version of proxy for curl command (istio#1097)

* Delete some old stuff we don't need anymore.

* Delete some old stuff we don't need anymore.

* Fix problem preventing proper section indices in the "About" section of the site.

* Revise note to install curl (istio#1098)

* Revise note to install curl

* Revise note to install curl

* Address comment

* Fix bug with the Copy button and proto documentation.

- HTML generated from protos encode preformatted blocks with <pre><code></code></pre>,
while HTML generated through Jekyll's markdown converter wraps an extra <div> around the
block. The logic to insert the Copy button on preformatted was assuming the presence of this
DIV. If the DIV is not present on input, we now explicitly add one which makes things work.

* Update reference docs.

* Fix bug that was messing up all the index pages in the site. (istio#1100)

Fix newly broken k8s link along the way...

* Revise curl instruction in master branch (istio#1107)

* Update intro.md (istio#1110)

* Update intro.md

Updating info per Wencheng's suggestion

* Update intro.md

* WIP - Combined ingress/gateway task for v1alpha3 (istio#1094)

* First pass combined ingress/gateway task

* Add verifying gateway section

* clarifications

* fix broken link

* fix build broken

* address review comments

* fix small grammar issue (istio#1112)

* Fix a few bugs and add a feature. (istio#1111)

- Link injection for document headers has been broken for a while due to my
misunderstanding of the "for in" syntax in JavaScript. This now works as expected.

- Same problem also prevented the feature that causes every link to outside of istio.io
to be opened in a separate window. This now works as intended.

- Made the gear dropdown menu be right-aligned such that it doesn't go off-screen on
portrait mode tablets.

- Stop importing Popper.js since it's only needed for dropdown menus that aren't in the
nav bar. Ours is in a nav bar...

- Added link injection for <dt> terms, which makes it easy to create links to individual glossary entries.

* 0.7 notes (istio#1101)

* Add an entry about creating quality hyperlinks. (istio#1114)

* 0.2.12 typo fix + doc link should be to docs/ directly + ... (istio#1115)

* 0.2.12 doc link should be to docs/ directly

+ note about shell security

* fix typo (for for)

* Revise wording and linking

Drop the double TOC (this page has very little traffic anyway)

* Fix inconsistent header use in this doc.

* Fix invalid index page.

* Update servicegraph docs with new viz. (istio#1074)

* Fix mobile navigation issues. (istio#1118)

When on mobile, the left sidebar is hidden by default. To make navigation easier, we allow the user to browse
the site entirely through the various index sections which provide links to all articles. This wasn't working
for the About and Blog links at the top of the page since they send you to a direct page instead of to the
relevant navigation page. So...

- Made the About link point to the about section's index page.

- Each blog page now contains a link to the next and previous blog post.

* [ImgBot] optimizes images (istio#1120)

/_docs/tasks/telemetry/img/servicegraph-example.png -- 41.49kb -> 28.62kb (31.03%)

* Add documentation for upgrade (istio#1108)

* Add upgrade doc and fixing a broken link.

* revert one file.

* Refine the doc.

* Move the doc.

* Fix syntax.

* Fix syntax

* Fix syntax

* Make non-manifest based installers have similar titles and overviews (istio#1086)

* Make the setup page a little more consistent.

* Make non-manifest based installers have similar titles and overviews

* Shorten the overview,tidy up the title, and add a helm.html redirect

* Installation typo in both files

* Fix inconsistent header use in this doc. (istio#1117)

* Improve layout on phone.

- We shrink the height of the header and footer when on mobile.

- We shrink the header font based on screen width, to avoid the nav bar being split on two lines
which leads to all sorts of bad things happening

* Since we shrink the brand more aggressively, allow the navbar to be displayed until the next bp.

* Oops, left a debugging change in accidentally, reverting.

* Add Istio mTLS support for https service demo (istio#1121)

* Add Istio mTLS support for https service demo

* Address comment

* Address comment

* Address comment

* Fix more headers. (istio#1126)

* Update procedures to access the team drive.

* Fix broken links, causing HTML proofer in circleci gates to fail (istio#1132)

* Fix broken links, causing HTML proofer in circleci gates to fail

* Add the same missing links to sidecar-injection.md

* Refine Helm installation warning. (istio#1133)

Helm charts are unstable prior to 0.7.  Remove the red warning
and instead add a simple notice that Helm charts =<0.7 are not functional.

* Fix typo

In AWS (w/Kops) section:
"openned" should be "opened"?

* prepare_proxy was refactored into istio-proxy (istio#1134)

* In Note 1: Consul modified to Eureka (istio#1122)

* Revamped nav header for better mobile experience. (istio#1129)

- We now only use the skinny version of the navbar instead of dynamically switching
based on viewport size. This looks cleaner, giving more screen space to the content rather than
our chrome.

- The search textbox is replaced with a search button. Clicking the button brings up the
search textbox. This looks less cluttered and works considerably better on smaller screens.

- When on a phone and the nav links are collapsed into a hamburger menu, cleanly show the
search box in the menu that comes up when you click the hamburger.

- Remove the down arrow next to the cog, it's superfluous and things look cleaner without
it.

* Add one faq item for istio on https service (istio#1127)

* Add one faq item for istio on https service

* Address comment

* Address comment

* Simplify the demo of plugin ca cert. (istio#1138)

* Update IBM Cloud Container Service (IKS) k8s setup instructions (istio#1136)

Copy IKS specific instructions from istio#1072 to general k8s setup page.

* Revamp the footer. (istio#1137)

- Remove all the redundant stuff and emphasize community resource via icons.

- Move the "Report a doc bug" and "Edit this page on GitHub" options to the gear
menu.

- Use Jekyll "include" support to store the landing page's artwork in external
SVG files instead of directly embedded in the HTML. Much nicer.

* Switching to 0.8.

* Update README

* Add placeholder 0.8 file to fix rake tests

* Create Owners

* Fix markdown (istio#1140)

* Cleans up the readability of the Ansible Installation (istio#1130)

* Cleans up the readability of the Ansible Installation

Run through a yaml linter Run through spell | sort | uniq
Reorganized to semi-match the Helm installation page as they have similar
functionality

There are things I like about how this document is structured now
and will carry those over to the Helm documentation in the future as time
permits.

* Remove customization example as suggested during the review

* Change Openshift->OpenShift

* Add labels over community icons in the footer. (istio#1142)

* Remove $ sign in command since it breaks the copy button (istio#1143)

* Update 0.7.md (istio#1144)

helm is working in master branch but not in 0.7.1

* Fix bug caused by istio#1138 (istio#1145)

* Switch back to normal html-proofer (istio#1146)

As my pr was merged

Fixes istio#849

* Setup for linting markdown files. (istio#1147)

- linters.sh will run spell-checking and a style checker on
markdown files.

- Fix a whole bunch of typos and bad markdown content throughout. There are many more fixes
to come before we can enable the linters as a checkin gate, but this takes care of a majority
of items. More to come later.

* Finish fixing remaining lint errors

* Make spell checking and style checking part of our doc checkin gate. (istio#1154)

* Update

* Inline the TOC on mobile.

- For small screens that don't have room for the righthand TOC, we now
display the TOC inline in the main document. This substantially improves
navigation on mobile.

- Fix the scroll offset which was off by a bit since the switch to the skinny
header.

* Update reference docs.

* Improve mobile experience. (istio#1158)

- The two call to action buttons on the landing page are now displayed one of top of
the other on small screens instead of next to one another.

- On mobile, when you scroll down a page, an arrow shows up in the top right of the screen
to let you scroll back to the top of the page. This is mighty handy since on mobile there
isn't a TOC available to click on.

- Add some convenient links on the docs' section landing page.

* Accessibility improvements. (istio#1159)

* www.yaml.org went missing - yaml.org seems to work. (istio#1166)

sdake@falkor-08:~/go/src/istio.io/istio.github.io/_docs$ dig www.yaml.org

; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.yaml.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34828
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.yaml.org.			IN	A

;; Query time: 917 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 08 09:10:51 MST 2018

* Authn policy concept and tutorial. (istio#1128)

* fix service account names in the instructions for OpenShift (istio#1083)

This commit replaces the service account names for grafana and
prometheus in the instructions to set the security context
constraints for OpenShift.

* Improve plugin cert task for better UX. (istio#1150)

* Update Security section in Istio overview (istio#1170)

* Update Security section in Istio overview

* Fix comment

* Update documentation for automatic sidecar injection webhook. (istio#1169)

* Add multicluster deployment documentation to Istio (istio#1139)

* Add multicluster deployment documentation to Istio

* Change *Ip to *Endpoint a per request

* Fix a typo

* Address all reviewer comments

Note, SVG diagram will be handled as a follow-on PR.

* Fix legitimate spelling errors found by gate

* Some backticks to fix spelling errors and other misc cleanups

* some spelling and backticks.

* Expand spelling exemptions dictionary slightly

* Correctly spell routable.

* Address reviewer comments.

Needed a rebase in the process.

* A minor consistency change

* Address reviewer comments.

* Add a caveats and known issue tracker to the documentation

Early on during review of this PR, I believe there was a review
asking for caveats, but it has disappeared from the github comments.

* Make istio.io support quality print output. (istio#1163)

- Get rid of all the chrome when printing a page. So no headers, sidebars, etc.

- Ensure that PRE blocks are fully expanded when printing instead of
showing a scroll bar.

- Generate endnotes for each page printed which lists the URLs of the various links
on the page. Each link site is annotated with a superscript number referencing this
table.

* Update doc for TCP periodical report. (istio#1095)

* Update doc for TCP periodical report.

* Add report response arrow into svg.

* Reference: https://istio.io/docs/reference/config/istio.routing.v1alpha1.html#StringMatch (istio#1180)

* Fix broken links caused by changes in istio/istio.

* Update reference docs.

* Improve sidenav behavior on mobile. (istio#1173)

The sidenav now hovers over the main text instead of pushing the main
text sideways.

The rendering of the sidenav toggler button now matches the "back to top"
button I added last week.

* Bunch of improvements (istio#1181)

- New visuals for the sailboat in the header. It now overflows the header.

- The TOC now highlights the currently displayed portion of the current page.
As you scroll through the doc, the selected entry updates accordingly.

- Add previous/next page links in every doc page. These used to be present only in
blog posts, but they're useful everywhere.

- Fix a few off-by-one formatting errors that stemed from using a mixed of
min-width and max-width throughout the stylesheet. This caused some strange
formatting to happen at specific window widths. Now, we're consistently using
min-width and everything lines up properly.

- Improved footer formatting so it looks better on mobile.

- Only display the TOC on XL screens, otherwise it wraps too much.
Screens smaller than XL now all get the inlined TOC instead.

- Add support for pages to request that the TOC be generated inline instead of in a sidebar.
This is useful for pages that have headings which cause too much wrapping in the TOC,
such as the Troubleshooting Guide.

- Add some blank space between an inlined TOC and the main text so that things don't look
so crowded, especially when printing.

- Inline the sailboat SVG into each page. This avoids a network roundtrip and allows the
SVG to be controlled with the same CSS as everything else.

- Eliminate a huge amount of redundancy in the four main layout file for the site.
They now share a single primary.html include file which carries most of the weight. This
will avoid having to constantly make the same change in four different files.

- Improve the generated HTML for <figure> elements which makes
things better for screen readers.

- Simplify the HTML & CSS for the footer.

* Fix indent issue (istio#1182)

* Rename Isito CA to Citadel. (istio#1179)

* Update feature-stages.md (istio#1183)

Updates to features as of 0.7 release

* Update Helm Documentation (istio#1168)

* Modify minimum pin of Istio version with Helm and improve prereqs

* Add section describing briefly how to use helm without tiller

* Change heading description for Helm method and add upgrade warning

* Make common customization options table match current master

* Subsection the two methods for installing with Helm

* Remove Helm keys from .spelling.  Add FQDNs as an acronym.

* Backtick the keys and defaults, values.yaml, and fix 1 spelling error

* Add uninstall instructions for both kubectl and helm with tiller

* Place backticks around architecture platforms and correctly list them

* Show both uninstall methods (kubectl & Helm)

* Remove two extra CRs

* Fix yaml linting errors

* Link to requirements for automatic sidecar injection.

* Change istio-auth to istio for rendering

* Address reviewer comments.

* Fix linting error.

* Notify operator they need capability to install service accounts.

* Fix lint error

* Switch to PrismJS for syntax highlighting. (istio#1184)

Instead of doing syntax highlighting statically in Jekyll, we now
go back to the PrimsJS library we used in the 0.2-0.4 timeframe.
It used to be problematic, but the cause for the problems have
been addressed a while ago.

This gives us highlighting for non-markdown content,
such as dynamically loaded PRE blocks and PRE blocks that
come from HTML generated from protos.

* Adding info about new expression language methods. (istio#1186)

Adding info about dnsName, email, and uri functions.

* Fix typo liveliness -> liveness (istio#1188)

* Fix typo liveliness -> liveness

Add mdspell dependency to gem installations

* Add backticks around firebase deploy command

* Fix a few bugs. (istio#1187)

- The slide-in sidenav used on mobile went all crazy when text got too long in the expanded
panel. We now set a max width to trigger controlled wrapping and avoid the nasties.

- The hamburger menu that replaces the link in the top header on small screens didn't render
right on medium-sized screens (a.k.a. portrait-mode tablets). I had one of my breakpoints set
inconsistently.

- Dynamically loaded PRE blocks were not being syntax colored, now they are.

- The Links endnote section created for printing pages was not dedupping identical
links.

- The Links endnote section contained entries for the next/previous links which are
normally at the bottom of each page. These links aren't visible when printing and so
shouldn't appear in the Links endnote section.

* Add rocket chat to our footer & community page. (istio#1189)

Also, update the mailing list icon on the community page to match what we use in the
footer.

* Add instructions to integrate Istio with existing Endpoints services.  (istio#1164)

* Add multitenancy blog (istio#1119)

* Add multitenancy blog

* Update soft-multitenancy.md

* Update soft-multitenancy.md

* Add multitenancy blog

* Add blog entry for configuring aws nlb for istio ingress (istio#1165)

* Don't add links from figures into endnotes. (istio#1192)

- The prior design for avoiding links for figures was brittle and was
in fact broken. Now it's more robust.

* [ImgBot] optimizes images (istio#1193)

*Total -- 683.39kb -> 440.68kb (35.52%)

/_blog/2018/img/roles_summary.png -- 101.32kb -> 61.03kb (39.77%)
/_blog/2018/img/policies.png -- 244.70kb -> 148.25kb (39.41%)
/_blog/2018/img/attach_policies.png -- 48.65kb -> 31.59kb (35.06%)
/_blog/2018/img/createpolicyjson.png -- 120.21kb -> 80.63kb (32.93%)
/_blog/2018/img/create_policy.png -- 86.38kb -> 60.62kb (29.82%)
/_blog/2018/img/createpolicystart.png -- 82.12kb -> 58.55kb (28.7%)

* Update circuit break use existing file. (istio#1091)

* Add proper link to Helm and Multicluster feature stages (istio#1196)

* Update multicluster installation to match master (istio#1195)

* Add a trailing / on an URL that was returning a 301

* Update multicluster intallation to match master

Big usability improvements have been made.  Document
the new workflow for multicluster.

* Address reviewer comments.

* Fix linting problem

* Fix docker run command (istio#1201)

The command as it stands will fail with "Gemfile not found". The working directory should be set to $(pwd) as well to start execution in the istio.github.io directory and find the Gemfile.

* remove installation instructions for prometheus (istio#1199)

* remove installation instructions for prometheus

* more doc fixes for 0.8

* Add request.auth.claims and update source.user, source.principal, and (istio#1205)

request.auth.principal

* Fix command to build & serve site locally using docker (bad workdir) (istio#1206)

* Add attributes into documentation. (istio#1200)

* add a step to define ingress gateway in bookinfo guide (istio#1207)

* add a step to define ingress gateway in bookinfo guide

following istio/istio#5113

* make ingress gateway lower case

* Fix broken link in README.md (istio#1209)

* Adding Azure support instructions (istio#1202)

* adding docs for Azure

* minor misspelling fix

* adding acronyms

* removing blank line

* changing bash output to reflect only necessary flags

* fixing grammar errors

* Fix link to IBM cloud private (istio#1216)

* Typo fix (istio#1208)

* clarify we support more than just k8s (istio#1212)

* Update reference docs. (istio#1219)

* Quiet GitHub warning

* v1alpha3 routing blog (istio#1190)

* Clarify istio.io/preliminary.istio.io stuff (istio#1221)

* add galley.enabled option to helm instructions (istio#1222)

* Fix naming collision (istio#1226)

ingressgateway and ingress both match the grep, resulting in
incorect ingress name being produced in troubleshooting guide.

* adding the recommended namespace (istio#1218)

* adding the recommended namespace

istio/old_issues_repo#312

* add the recommended namespace

* add creating the namespace

* correct typos

* only need to create namespace 

for the template approach

* Introduce support for new fangled PRE blocks. (istio#1224)

Instead of having to have two PRE blocks, one for commands and one for the output,
we can now have a single PRE block and we take care of rendering things to show the
command vs. the output. The Copy button on such a thing only copy the command, and not
the output.

We now also show a $ on command-lines, but the Copy button doesn't copy that and knows to just
copy the usable part of the command-line.

* 0.8 release notes. (istio#1223)

* Fix incorrect behavior of the sidenav when dealing with long non-wrapping page titles. (istio#1229)

- When I was last fiddling with the sidenav on mobile, I messed up the sizing for non-mobile cases.
This cause the sidenav to grow beyond its expected size when presented with long non-wrapping page
titles. The text is now wrapped instead as it should.

- Shrank the font size of the list items in the sidenav to 85% to reduce the amount of wrapping that
happens.

- Reduce the right margin in the side nav to again try to reduce the amount of wrapping.

* Update content to help upcoming migration from Jekyll to Hugo (istio#1232)

- In front matter, order: and overview: are now weight: and description:

- In front matter, we generally don't need layout: and use config to assign layouts automatically

- Remove the useless type: front-matter entries, the type is infered from the file extension.

* Improves multicluster documentation (istio#1217)

* Improves multicluster documentation

Improve documentation based upon fresh eyes running through the
documented process.

* Address reviewer comments.

* More refinement.

* Exclude rule MD028

Rule 028 is: https://github.com/DavidAnson/markdownlint/blob/master/doc/Rules.md#md028---blank-line-inside-blockquote

The rationale below cut and pasted from markdownlint seems
valid for the general case, however, our MD parser always
produces seprate block-quotes, which is what I am after in
this PR.  I think other people will prefer our renders of
blockquotes (separate blockquotes);

Rationale: Some markdown parsers will treat two blockquotes
separated by one or more blank lines as the same blockquote,
while others will treat them as separate blockquotes.

* Improve the doc to apply istio-auth.yaml (istio#1227)

* Fix doc (istio#1228)

* Task/guide updates for v1alpha3 (istio#1231)

* Task/guide updates for v1alpha3

* fix typo

* remove trailing spaces

* tweaks

* Corrections and clarifications (istio#1238)

* clarify https external services support (istio#1239)

* clarify https external services support

* spelling error

* Hopefully finally really fix the issues with the sidenav on small screens. (istio#1240)

* fix manual sidecar injection docs for helm template changes (istio#1211)

Addresses istio#1210

* Switch most uses of ```bash to ```command. (istio#1242)

This takes advantage of the new rendering for command-lines and their outputs.

* Fixes to the doc after testing/reviewing it with release-0.8 istio branch (istio#1244)

* update format of a tcp ServiceEntry (istio#1237)

* Remove broken link. (istio#1250)

* WIP PR for v1alpha3 task corrections (istio#1247)

* ingress task corrections

* fault injection task version wrong

* Fault task corrections (istio#1253)

* update samples to align with latest proto definition (istio#1254)

* Traffic Shifting Review - Fixed wrong links (istio#1259)

* rbac.md: unindent yaml files (istio#1257)

also fixed a typo

Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>

* Create istio namespace before install remote cluster. (istio#1243)

* update instructions for gke-iam (istio#1260)

* Remove a broken link. (istio#1263)

* Fix another broken link. (istio#1265)

* [ImgBot] optimizes images (istio#1264)

*Total -- 73.77kb -> 65.13kb (11.72%)

/_docs/setup/kubernetes/img/dm_gcp_iam_role.png -- 38.54kb -> 33.47kb (13.15%)
/_docs/setup/kubernetes/img/dm_gcp_iam.png -- 35.23kb -> 31.65kb (10.15%)

* Fixes istio#1241 (istio#1258)

* Added namespace when create helm template. (istio#1234)

* Add istioctl proxy-config to the troubleshooting section (istio#1267)

* Fix istioctl proxy-config link to not point at prelim docs (istio#1269)

Because that would be a dumb thing to do

* Update how we insert images to make a transition from Jekyll to Hugo easier. (istio#1275)

* Change publish_date front-matter to publishdate to aid in the Jekyll to Hugo migration. (istio#1276)

* Remove stray quotes.

* Shorten long titles and descriptions. (istio#1278)

* Fix aspect ratio of a couple images. (istio#1277)

The incorrect aspect ratio value was leading to spurious top/bottom padding on
the images.

Also, delete unecessary .png version of some .svg files.

* Rebase from Istio Master (#2)

* add example for disabling injection (#1021)

* Updated reference docs. (#1045)

* Add task for Istio CA health check. (#1038)

* Add task for Istio CA health check.

* Small fix.

* Small fix.

* Updates troubleshooting guide to add pilot (#1037)

* Fix misnamed link (#1050)

* update document generation for istioctl (#1047)

* Hack to get ownership of Google analytics account for the site.

* Don't need the analytics hack no more...

* Make the rake test ensure that we use {{home}} consistently. (#1053)

We now generate the test site into a subdirectory such that we can ensure all
links are correctly using {{home}}, which makes the site work correctly once
archived.

Fixed a bunch of broken cases.

* Reduce the visual weight of code blocks so they don't break up the page so much. (#1054)

* Introduce support for building the site in "preliminary" mode. (#1052)

* Notes for 0.6 (#1048)

* Refresh version selection menu given 0.6.

* update instructions for mesh expansion (#1056)

* update instructions for mesh expansion

* remove ISTIO_STAGING references

* Specify --debug option to use docker.io/istio/proxy_debug image for (#1057)

deployment.

* Update reference docs.

* Update Quick start Doc (#1059)

Fix Typo

* Update Istio RBAC document to relfect sample changes. (#1062)

* Fix typo in Cleanup section (#1061)

* clarify verification of injected proxy with automatic injection (#1024)

* Fixe wrong port number (#1041)

* Sidecar proxy help (#1044)

* Use same instance name in Mixer config example (#1051)

* Add a bunch of redirects for old pages (#1066)

The Google Crawl Engine reported a bunch of broken links pointing into istio.io.
This adds redirects so that these links work.

Add a hack such that the gear menu logic that lets you time travel through versions
of the site will insist that if a page existed in a given version, it must also exist
in subsequent versions. This will ensure we always create redirects when we move site
content, and thus avoid breaking links into the site. If a page is moved or removed,
this will lead to rake test errors when checking the content of archive.istio.io.

* Update reference docs.

* Fix bad formatting.

* Fix typos.

* Update reference docs.

* Eliminate flickering on page load. (#1068)

- Fix another issue with my arch-nemesis, the Copy button. My last fix for Copy button issues
resulted in screen flickering upon page loading. This is now fixed.

- Pin the size of the gear and magnifying glass icons in the header to avoid flicker as the
fonts for those renders a few ms too late and lead to flickering on page load.

- Cleaned up the site's JavaScript for clarity, and include minimized versions in the
site for improved perf.

* Improve formatting. (#1070)

- Remove the silly right indent used for list items. This was throwing away a lot of
useful screen real estate on mobile.

* Add support for dynamically inserting file content into the site. (#1069)

This is useful for pulling in content straight from GitHub on the fly,
rather than cut & pasting it into the site.

* Update sidecar AWS verification (#1060)

* Update sidecar AWS verification

Add verification without ssh access on master node. Perform check directly with kubectl client.

* Update sidecar injection Docs

Update with @ayj remarks

* Update link 

Update link for managing tls in a cluster, add a '/'

* Fix links. (#1073)

- Add a / to links pointing to directories

- Switch a bunch of links from http: to https:

* master branch is now server from preliminary.istio.io (#1075)

* Setup 0.7.

* Forgot to update releases.yml.

* Update README

* Consolidate cluster prerequisites for webhooks into k8s quick start (#1077)

The automatic sidecar injection has its own set of k8s install instructions for webhooks. This overlaps with the general k8s install instructions. We'll also introduce server-side configuration webhooks which need the same prerequisites.

* Add missing .html suffix on some links. (#1080)

* A few more link fixes (#1081)

* Fix handling of legacy community links.

* Add missing .html extension on search page reference.

* Add Certificate lifetime configuration in FAQ. (#1079)

* Update reference docs.

* Fix some newly broken links. (#1082)

* Update reference docs.

* Remove empty document. (#1085)

* Update Ansible documentation to reflect change in Jaeger addon (#1049)

* Update Ansible documentation to reflect change in Jaeger addon

Relates to: istio/istio#3603

* Small polish to Ansible documentation

* Remove extra tilde in the docs (#1087)

Fixes #1004

* [WIP] Update traffic routing tasks to use v1alpha3 config (#1067)

* use v1alpha3 route rules

* circuit breaking task updated to v1alpha3

* convert mirroring task to v1alpha3

* convert egress task to v1alpha3

* Egress task corrections and clarifications

* use simpler rule names

* move new tasks to separate folder (keep old versions around for now)

* update example outputs

* egress tcp task

* fix broken refs

* more broken refs

* imporove wording

* add missing include home.html

* remove ingress task - will create a replacement in followup PR

* Improve sorting algorithm to use document title and not just document URL. (#1089)

This makes it so documents in the same directory get sorted by document title instead of
by the URL name (unless they have an order: directive, which takes precedence over alpha
order)

* Istio RBAC doc fix. (#1093)

* Improve readability

* Add one more faq for secret encryption (#1096)

* Add note to have debug version of proxy for curl command (#1097)

* Delete some old stuff we don't need anymore.

* Delete some old stuff we don't need anymore.

* Fix problem preventing proper section indices in the "About" section of the site.

* Revise note to install curl (#1098)

* Revise note to install curl

* Revise note to install curl

* Address comment

* Fix bug with the Copy button and proto documentation.

- HTML generated from protos encode preformatted blocks with <pre><code></code></pre>,
while HTML generated through Jekyll's markdown converter wraps an extra <div> around the
block. The logic to insert the Copy button on preformatted was assuming the presence of this
DIV. If the DIV is not present on input, we now explicitly add one which makes things work.

* Update reference docs.

* Fix bug that was messing up all the index pages in the site. (#1100)

Fix newly broken k8s link along the way...

* Revise curl instruction in master branch (#1107)

* Update intro.md (#1110)

* Update intro.md

Updating info per Wencheng's suggestion

* Update intro.md

* WIP - Combined ingress/gateway task for v1alpha3 (#1094)

* First pass combined ingress/gateway task

* Add verifying gateway section

* clarifications

* fix broken link

* fix build broken

* address review comments

* fix small grammar issue (#1112)

* Fix a few bugs and add a feature. (#1111)

- Link injection for document headers has been broken for a while due to my
misunderstanding of the "for in" syntax in JavaScript. This now works as expected.

- Same problem also prevented the feature that causes every link to outside of istio.io
to be opened in a separate window. This now works as intended.

- Made the gear dropdown menu be right-aligned such that it doesn't go off-screen on
portrait mode tablets.

- Stop importing Popper.js since it's only needed for dropdown menus that aren't in the
nav bar. Ours is in a nav bar...

- Added link injection for <dt> terms, which makes it easy to create links to individual glossary entries.

* 0.7 notes (#1101)

* Add an entry about creating quality hyperlinks. (#1114)

* 0.2.12 typo fix + doc link should be to docs/ directly + ... (#1115)

* 0.2.12 doc link should be to docs/ directly

+ note about shell security

* fix typo (for for)

* Revise wording and linking

Drop the double TOC (this page has very little traffic anyway)

* Fix inconsistent header use in this doc.

* Fix invalid index page.

* Update servicegraph docs with new viz. (#1074)

* Fix mobile navigation issues. (#1118)

When on mobile, the left sidebar is hidden by default. To make navigation easier, we allow the user to browse
the site entirely through the various index sections which provide links to all articles. This wasn't working
for the About and Blog links at the top of the page since they send you to a direct page instead of to the
relevant navigation page. So...

- Made the About link point to the about section's index page.

- Each blog page now contains a link to the next and previous blog post.

* [ImgBot] optimizes images (#1120)

/_docs/tasks/telemetry/img/servicegraph-example.png -- 41.49kb -> 28.62kb (31.03%)

* Add documentation for upgrade (#1108)

* Add upgrade doc and fixing a broken link.

* revert one file.

* Refine the doc.

* Move the doc.

* Fix syntax.

* Fix syntax

* Fix syntax

* Make non-manifest based installers have similar titles and overviews (#1086)

* Make the setup page a little more consistent.

* Make non-manifest based installers have similar titles and overviews

* Shorten the overview,tidy up the title, and add a helm.html redirect

* Installation typo in both files

* Fix inconsistent header use in this doc. (#1117)

* Improve layout on phone.

- We shrink the height of the header and footer when on mobile.

- We shrink the header font based on screen width, to avoid the nav bar being split on two lines
which leads to all sorts of bad things happening

* Since we shrink the brand more aggressively, allow the navbar to be displayed until the next bp.

* Oops, left a debugging change in accidentally, reverting.

* Add Istio mTLS support for https service demo (#1121)

* Add Istio mTLS support for https service demo

* Address comment

* Address comment

* Address comment

* Fix more headers. (#1126)

* Update procedures to access the team drive.

* Fix broken links, causing HTML proofer in circleci gates to fail (#1132)

* Fix broken links, causing HTML proofer in circleci gates to fail

* Add the same missing links to sidecar-injection.md

* Refine Helm installation warning. (#1133)

Helm charts are unstable prior to 0.7.  Remove the red warning
and instead add a simple notice that Helm charts =<0.7 are not functional.

* Fix typo

In AWS (w/Kops) section:
"openned" should be "opened"?

* prepare_proxy was refactored into istio-proxy (#1134)

* In Note 1: Consul modified to Eureka (#1122)

* Revamped nav header for better mobile experience. (#1129)

- We now only use the skinny version of the navbar instead of dynamically switching
based on viewport size. This looks cleaner, giving more screen space to the content rather than
our chrome.

- The search textbox is replaced with a search button. Clicking the button brings up the
search textbox. This looks less cluttered and works considerably better on smaller screens.

- When on a phone and the nav links are collapsed into a hamburger menu, cleanly show the
search box in the menu that comes up when you click the hamburger.

- Remove the down arrow next to the cog, it's superfluous and things look cleaner without
it.

* Add one faq item for istio on https service (#1127)

* Add one faq item for istio on https service

* Address comment

* Address comment

* Simplify the demo of plugin ca cert. (#1138)

* Update IBM Cloud Container Service (IKS) k8s setup instructions (#1136)

Copy IKS specific instructions from #1072 to general k8s setup page.

* Revamp the footer. (#1137)

- Remove all the redundant stuff and emphasize community resource via icons.

- Move the "Report a doc bug" and "Edit this page on GitHub" options to the gear
menu.

- Use Jekyll "include" support to store the landing page's artwork in external
SVG files instead of directly embedded in the HTML. Much nicer.

* Switching to 0.8.

* Update README

* Add placeholder 0.8 file to fix rake tests

* Create Owners

* Fix markdown (#1140)

* Cleans up the readability of the Ansible Installation (#1130)

* Cleans up the readability of the Ansible Installation

Run through a yaml linter Run through spell | sort | uniq
Reorganized to semi-match the Helm installation page as they have similar
functionality

There are things I like about how this document is structured now
and will carry those over to the Helm documentation in the future as time
permits.

* Remove customization example as suggested during the review

* Change Openshift->OpenShift

* Add labels over community icons in the footer. (#1142)

* Remove $ sign in command since it breaks the copy button (#1143)

* Update 0.7.md (#1144)

helm is working in master branch but not in 0.7.1

* Fix bug caused by #1138 (#1145)

* Switch back to normal html-proofer (#1146)

As my pr was merged

Fixes #849

* Setup for linting markdown files. (#1147)

- linters.sh will run spell-checking and a style checker on
markdown files.

- Fix a whole bunch of typos and bad markdown content throughout. There are many more fixes
to come before we can enable the linters as a checkin gate, but this takes care of a majority
of items. More to come later.

* Finish fixing remaining lint errors

* Make spell checking and style checking part of our doc checkin gate. (#1154)

* Update

* Inline the TOC on mobile.

- For small screens that don't have room for the righthand TOC, we now
display the TOC inline in the main document. This substantially improves
navigation on mobile.

- Fix the scroll offset which was off by a bit since the switch to the skinny
header.

* Update reference docs.

* Improve mobile experience. (#1158)

- The two call to action buttons on the landing page are now displayed one of top of
the other on small screens instead of next to one another.

- On mobile, when you scroll down a page, an arrow shows up in the top right of the screen
to let you scroll back to the top of the page. This is mighty handy since on mobile there
isn't a TOC available to click on.

- Add some convenient links on the docs' section landing page.

* Accessibility improvements. (#1159)

* www.yaml.org went missing - yaml.org seems to work. (#1166)

sdake@falkor-08:~/go/src/istio.io/istio.github.io/_docs$ dig www.yaml.org

; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.yaml.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34828
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.yaml.org.			IN	A

;; Query time: 917 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 08 09:10:51 MST 2018

* Authn policy concept and tutorial. (#1128)

* fix service account names in the instructions for OpenShift (#1083)

This commit replaces the service account names for grafana and
prometheus in the instructions to set the security context
constraints for OpenShift.

* Improve plugin cert task for better UX. (#1150)

* Update Security section in Istio overview (#1170)

* Update Security section in Istio overview

* Fix comment

* Update documentation for automatic sidecar injection webhook. (#1169)

* Add multicluster deployment documentation to Istio (#1139)

* Add multicluster deployment documentation to Istio

* Change *Ip to *Endpoint a per request

* Fix a typo

* Address all reviewer comments

Note, SVG diagram will be handled as a follow-on PR.

* Fix legitimate spelling errors found by gate

* Some backticks to fix spelling errors and other misc cleanups

* some spelling and backticks.

* Expand spelling exemptions dictionary slightly

* Correctly spell routable.

* Address reviewer comments.

Needed a rebase in the process.

* A minor consistency change

* Address reviewer comments.

* Add a caveats and known issue tracker to the documentation

Early on during review of this PR, I believe there was a review
asking for caveats, but it has disappeared from the github comments.

* Make istio.io support quality print output. (#1163)

- Get rid of all the chrome when printing a page. So no headers, sidebars, etc.

- Ensure that PRE blocks are fully expanded when printing instead of
showing a scroll bar.

- Generate endnotes for each page printed which lists the URLs of the various links
on the page. Each link site is annotated with a superscript number referencing this
table.

* Update doc for TCP periodical report. (#1095)

* Update doc for TCP periodical report.

* Add report response arrow into svg.

* Reference: https://istio.io/docs/reference/config/istio.routing.v1alpha1.html#StringMatch (#1180)

* Fix broken links caused by changes in istio/istio.

* Update reference docs.

* Improve sidenav behavior on mobile. (#1173)

The sidenav now hovers over the main text instead of pushing the main
text sideways.

The rendering of the sidenav toggler button now matches the "back to top"
button I added last week.

* Bunch of improvements (#1181)

- New visuals for the sailboat in the header. It now overflows the header.

- The TOC now highlights the currently displayed portion of the current page.
As you scroll through the doc, the selected entry updates accordingly.

- Add previous/next page links in every doc page. These used to be present only in
blog posts, but they're useful everywhere.

- Fix a few off-by-one formatting errors that stemed from using a mixed of
min-width and max-width throughout the stylesheet. This caused some strange
formatting to happen at specific window widths. Now, we're consistently using
min-width and everything lines up properly.

- Improved footer formatting so it looks better on mobile.

- Only display the TOC on XL screens, otherwise it wraps too much.
Screens smaller than XL now all get the inlined TOC instead.

- Add support for pages to request that the TOC be generated inline instead of in a sidebar.
This is useful for pages that have headings which cause too much wrapping in the TOC,
such as the Troubleshooting Guide.

- Add some blank space between an inlined TOC and the main text so that things don't look
so crowded, especially when printing.

- Inline the sailboat SVG into each page. This avoids a network roundtrip and allows the
SVG to be controlled with the same CSS as everything else.

- Eliminate a huge amount of redundancy in the four main layout file for the site.
They now share a single primary.html include file which carries most of the weight. This
will avoid having to constantly make the same change in four different files.

- Improve the generated HTML for <figure> elements which makes
things better for screen readers.

- Simplify the HTML & CSS for the footer.

* Fix indent issue (#1182)

* Rename Isito CA to Citadel. (#1179)

* Update feature-stages.md (#1183)

Updates to features as of 0.7 release

* Update Helm Documentation (#1168)

* Modify minimum pin of Istio version with Helm and improve prereqs

* Add section describing briefly how to use helm without tiller

* Change heading description for Helm method and add upgrade warning

* Make common customization options table match current master

* Subsection the two methods for installing with Helm

* Remove Helm keys from .spelling.  Add FQDNs as an acronym.

* Backtick the keys and defaults, values.yaml, and fix 1 spelling error

* Add uninstall instructions for both kubectl and helm with tiller

* Place backticks around architecture platforms and correctly list them

* Show both uninstall methods (kubectl & Helm)

* Remove two extra CRs

* Fix yaml linting errors

* Link to requirements for automatic sidecar injection.

* Change istio-auth to istio for rendering

* Address reviewer comments.

* Fix linting error.

* Notify operator they need capability to install service accounts.

* Fix lint error

* Switch to PrismJS for syntax highlighting. (#1184)

Instead of doing syntax highlighting statically in Jekyll, we now
go back to the PrimsJS library we used in the 0.2-0.4 timeframe.
It used to be problematic, but the cause for the problems have
been addressed a while ago.

This gives us highlighting for non-markdown content,
such as dynamically loaded PRE blocks and PRE blocks that
come from HTML generated from protos.

* Adding info about new expression language methods. (#1186)

Adding info about dnsName, email, and uri functions.

* Fix typo liveliness -> liveness (#1188)

* Fix typo liveliness -> liveness

Add mdspell dependency to gem installations

* Add backticks around firebase deploy command

* Fix a few bugs. (#1187)

- The slide-in sidenav used on mobile went all crazy when text got too long in the expanded
panel. We now set a max width to trigger controlled wrapping and avoid the nasties.

- The hamburger menu that replaces the link in the top header on small screens didn't render
right on medium-sized screens (a.k.a. portrait-mode tablets). I had one of my breakpoints set
inconsistently.

- Dynamically loaded PRE blocks were not being syntax colored, now they are.

- The Links endnote section created for printing pages was not dedupping identical
links.

- The Links endnote section contained entries for the next/previous links which are
normally at the bottom of each page. These links aren't visible when printing and so
shouldn't appear in the Links endnote section.

* Add rocket chat to our footer & community page. (#1189)

Also, update the mailing list icon on the community page to match what we use in the
footer.

* Add instructions to integrate Istio with existing Endpoints services.  (#1164)

* Add multitenancy blog (#1119)

* Add multitenancy blog

* Update soft-multitenancy.md

* Update soft-multitenancy.md

* Add multitenancy blog

* Add blog entry for configuring aws nlb for istio ingress (#1165)

* Don't add links from figures into endnotes. (#1192)

- The prior design for avoiding links for figures was brittle and was
in fact broken. Now it's more robust.

* [ImgBot] optimizes images (#1193)

*Total -- 683.39kb -> 440.68kb (35.52%)

/_blog/2018/img/roles_summary.png -- 101.32kb -> 61.03kb (39.77%)
/_blog/2018/img/policies.png -- 244.70kb -> 148.25kb (39.41%)
/_blog/2018/img/attach_policies.png -- 48.65kb -> 31.59kb (35.06%)
/_blog/2018/img/createpolicyjson.png -- 120.21kb -> 80.63kb (32.93%)
/_blog/2018/img/create_policy.png -- 86.38kb -> 60.62kb (29.82%)
/_blog/2018/img/createpolicystart.png -- 82.12kb -> 58.55kb (28.7%)

* Update circuit break use existing file. (#1091)

* Add proper link to Helm and Multicluster feature stages (#1196)

* Update multicluster installation to match master (#1195)

* Add a trailing / on an URL that was returning a 301

* Update multicluster intallation to match master

Big usability improvements have been made.  Document
the new workflow for multicluster.

* Address reviewer comments.

* Fix linting problem

* Fix docker run command (#1201)

The command as it stands will fail with "Gemfile not found". The working directory should be set to $(pwd) as well to start execution in the istio.github.io directory and find the Gemfile.

* remove installation instructions for prometheus (#1199)

* remove installation instructions for prometheus

* more doc fixes for 0.8

* Add request.auth.claims and update source.user, source.principal, and (#1205)

request.auth.principal

* Fix command to build & serve site locally using docker (bad workdir) (#1206)

* Add attributes into documentation. (#1200)

* add a step to define ingress gateway in bookinfo guide (#1207)

* add a step to define ingress gateway in bookinfo guide

following istio/istio#5113

* make ingress gateway lower case

* Fix broken link in README.md (#1209)

* Adding Azure support instructions (#1202)

* adding docs for Azure

* minor misspelling fix

* adding acronyms

* removing blank line

* changing bash output to reflect only necessary flags

* fixing grammar errors

* Fix link to IBM cloud private (#1216)

* Typo fix (#1208)

* clarify we support more than just k8s (#1212)

* Update reference docs. (#1219)

* Quiet GitHub warning

* v1alpha3 routing blog (#1190)

* Clarify istio.io/preliminary.istio.io stuff (#1221)

* add galley.enabled option to helm instructions (#1222)

* Fix naming collision (#1226)

ingressgateway and ingress both match the grep, resulting in
incorect ingress name being produced in troubleshooting guide.

* adding the recommended namespace (#1218)

* adding the recommended namespace

istio/old_issues_repo#312

* add the recommended namespace

* add creating the namespace

* correct typos

* only need to create namespace 

for the template approach

* Introduce support for new fangled PRE blocks. (#1224)

Instead of having to have two PRE blocks, one for commands and one for the output,
we can now have a single PRE block and we take care of rendering things to show the
command vs. the output. The Copy button on such a thing only copy the command, and not
the output.

We now also show a $ on command-lines, but the Copy button doesn't copy that and knows to just
copy the usable part of the command-line.

* 0.8 release notes. (#1223)

* Fix incorrect behavior of the sidenav when dealing with long non-wrapping page titles. (#1229)

- When I was last fiddling with the sidenav on mobile, I messed up the sizing for non-mobile cases.
This cause the sidenav to grow beyond its expected size when presented with long non-wrapping page
titles. The text is now wrapped instead as it should.

- Shrank the font size of the list items in the sidenav to 85% to reduce the amount of wrapping that
happens.

- Reduce the right margin in the side nav to again try to reduce the amount of wrapping.

* Update content to help upcoming migration from Jekyll to Hugo (#1232)

- In front matter, order: and overview: are now weight: and description:

- In front matter, we generally don't need layout: and use config to assign layouts automatically

- Remove the useless type: front-matter entries, the type is infered from the file extension.

* Improves multicluster documentation (#1217)

* Improves multicluster documentation

Improve documentation based upon fresh eyes running through the
documented process.

* Address reviewer comments.

* More refinement.

* Exclude rule MD028

Rule 028 is: https://github.com/DavidAnson/markdownlint/blob/master/doc/Rules.md#md028---blank-line-inside-blockquote

The rationale below cut and pasted from markdownlint seems
valid for the general case, however, our MD parser always
produces seprate block-quotes, which is what I am after in
this PR.  I think other people will prefer our renders of
blockquotes (separate blockquotes);

Rationale: Some markdown parsers will treat two blockquotes
separated by one or more blank lines as the same blockquote,
while others will treat them as separate blockquotes.

* Improve the doc to apply istio-auth.yaml (#1227)

* Fix doc (#1228)

* Task/guide updates for v1alpha3 (#1231)

* Task/guide updates for v1alpha3

* fix typo

* remove trailing spaces

* tweaks

* Corrections and clarifications (#1238)

* clarify https external services support (#1239)

* clarify https external services support

* spelling error

* Hopefully finally really fix the issues with the sidenav on small screens. (#1240)

* fix manual sidecar injection docs for helm template changes (#1211)

Addresses #1210

* Switch most uses of ```bash to ```command. (#1242)

This takes advantage of the new rendering for command-lines and their outputs.

* Fixes to the doc after testing/reviewing it with release-0.8 istio branch (#1244)

* update format of a tcp ServiceEntry (#1237)

* Remove broken link. (#1250)

* WIP PR for v1alpha3 task corrections (#1247)

* ingress task corrections

* fault injection task version wrong

* Fault task corrections (#1253)

* update samples to align with latest proto definition (#1254)

* Traffic Shifting Review - Fixed wrong links (#1259)

* rbac.md: unindent yaml files (#1257)

also fixed a typo

Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>

* Create istio namespace before install remote cluster. (#1243)

* update instructions for gke-iam (#1260)

* Remove a broken link. (#1263)

* Fix another broken link. (#1265)

* [ImgBot] optimizes images (#1264)

*Total -- 73.77kb -> 65.13kb (11.72%)

/_docs/setup/kubernetes/img/dm_gcp_iam_role.png -- 38.54kb -> 33.47kb (13.15%)
/_docs/setup/kubernetes/img/dm_gcp_iam.png -- 35.23kb -> 31.65kb (10.15%)

* Fixes #1241 (#1258)

* Added namespace when create helm template. (#1234)

* Add istioctl proxy-config to the troubleshooting section (#1267)

* Fix istioctl proxy-config link to not point at prelim docs (#1269)

Because that would be a dumb thing to do

* Update how we insert images to make a transition from Jekyll to Hugo easier. (#1275)

* Change publish_date front-matter to publishdate to aid in the Jekyll to Hugo migration. (#1276)

* Remove stray quotes.

* Shorten long titles and descriptions. (#1278)

* Fix aspect ratio of a couple images. (#1277)

The incorrect aspect ratio value was leading to spurious top/bottom padding on
the images.

Also, delete unecessary .png version of some .svg files.

* Revert "Rebase from Istio Master (#2)" (#3)

This reverts commit 6122f38.

* Add ,missing feature links

This change adds some of the missing feature links to the feature-stages page.

* Fixes the API key location

API key location was wrong

…for envoy v1/routing v1alpha1 and envoy v2/routing v1alpha3 (#5113)"

This reverts commit a453938.

* Add attribute connection.mtls into documentation.

* Revise per comment.

* Add missing feature links (#1280)

* Rebase from Istio Master (#2)

* add example for disabling injection (#1021)

* Updated reference docs. (#1045)

* Add task for Istio CA health check. (#1038)

* Add task for Istio CA health check.

* Small fix.

* Small fix.

* Updates troubleshooting guide to add pilot (#1037)

* Fix misnamed link (#1050)

* update document generation for istioctl (#1047)

* Hack to get ownership of Google analytics account for the site.

* Don't need the analytics hack no more...

* Make the rake test ensure that we use {{home}} consistently. (#1053)

We now generate the test site into a subdirectory such that we can ensure all
links are correctly using {{home}}, which makes the site work correctly once
archived.

Fixed a bunch of broken cases.

* Reduce the visual weight of code blocks so they don't break up the page so much. (#1054)

* Introduce support for building the site in "preliminary" mode. (#1052)

* Notes for 0.6 (#1048)

* Refresh version selection menu given 0.6.

* update instructions for mesh expansion (#1056)

* update instructions for mesh expansion

* remove ISTIO_STAGING references

* Specify --debug option to use docker.io/istio/proxy_debug image for (#1057)

deployment.

* Update reference docs.

* Update Quick start Doc (#1059)

Fix Typo

* Update Istio RBAC document to relfect sample changes. (#1062)

* Fix typo in Cleanup section (#1061)

* clarify verification of injected proxy with automatic injection (#1024)

* Fixe wrong port number (#1041)

* Sidecar proxy help (#1044)

* Use same instance name in Mixer config example (#1051)

* Add a bunch of redirects for old pages (#1066)

The Google Crawl Engine reported a bunch of broken links pointing into istio.io.
This adds redirects so that these links work.

Add a hack such that the gear menu logic that lets you time travel through versions
of the site will insist that if a page existed in a given version, it must also exist
in subsequent versions. This will ensure we always create redirects when we move site
content, and thus avoid breaking links into the site. If a page is moved or removed,
this will lead to rake test errors when checking the content of archive.istio.io.

* Update reference docs.

* Fix bad formatting.

* Fix typos.

* Update reference docs.

* Eliminate flickering on page load. (#1068)

- Fix another issue with my arch-nemesis, the Copy button. My last fix for Copy button issues
resulted in screen flickering upon page loading. This is now fixed.

- Pin the size of the gear and magnifying glass icons in the header to avoid flicker as the
fonts for those renders a few ms too late and lead to flickering on page load.

- Cleaned up the site's JavaScript for clarity, and include minimized versions in the
site for improved perf.

* Improve formatting. (#1070)

- Remove the silly right indent used for list items. This was throwing away a lot of
useful screen real estate on mobile.

* Add support for dynamically inserting file content into the site. (#1069)

This is useful for pulling in content straight from GitHub on the fly,
rather than cut & pasting it into the site.

* Update sidecar AWS verification (#1060)

* Update sidecar AWS verification

Add verification without ssh access on master node. Perform check directly with kubectl client.

* Update sidecar injection Docs

Update with @ayj remarks

* Update link 

Update link for managing tls in a cluster, add a '/'

* Fix links. (#1073)

- Add a / to links pointing to directories

- Switch a bunch of links from http: to https:

* master branch is now server from preliminary.istio.io (#1075)

* Setup 0.7.

* Forgot to update releases.yml.

* Update README

* Consolidate cluster prerequisites for webhooks into k8s quick start (#1077)

The automatic sidecar injection has its own set of k8s install instructions for webhooks. This overlaps with the general k8s install instructions. We'll also introduce server-side configuration webhooks which need the same prerequisites.

* Add missing .html suffix on some links. (#1080)

* A few more link fixes (#1081)

* Fix handling of legacy community links.

* Add missing .html extension on search page reference.

* Add Certificate lifetime configuration in FAQ. (#1079)

* Update reference docs.

* Fix some newly broken links. (#1082)

* Update reference docs.

* Remove empty document. (#1085)

* Update Ansible documentation to reflect change in Jaeger addon (#1049)

* Update Ansible documentation to reflect change in Jaeger addon

Relates to: istio/istio#3603

* Small polish to Ansible documentation

* Remove extra tilde in the docs (#1087)

Fixes #1004

* [WIP] Update traffic routing tasks to use v1alpha3 config (#1067)

* use v1alpha3 route rules

* circuit breaking task updated to v1alpha3

* convert mirroring task to v1alpha3

* convert egress task to v1alpha3

* Egress task corrections and clarifications

* use simpler rule names

* move new tasks to separate folder (keep old versions around for now)

* update example outputs

* egress tcp task

* fix broken refs

* more broken refs

* imporove wording

* add missing include home.html

* remove ingress task - will create a replacement in followup PR

* Improve sorting algorithm to use document title and not just document URL. (#1089)

This makes it so documents in the same directory get sorted by document title instead of
by the URL name (unless they have an order: directive, which takes precedence over alpha
order)

* Istio RBAC doc fix. (#1093)

* Improve readability

* Add one more faq for secret encryption (#1096)

* Add note to have debug version of proxy for curl command (#1097)

* Delete some old stuff we don't need anymore.

* Delete some old stuff we don't need anymore.

* Fix problem preventing proper section indices in the "About" section of the site.

* Revise note to install curl (#1098)

* Revise note to install curl

* Revise note to install curl

* Address comment

* Fix bug with the Copy button and proto documentation.

- HTML generated from protos encode preformatted blocks with <pre><code></code></pre>,
while HTML generated through Jekyll's markdown converter wraps an extra <div> around the
block. The logic to insert the Copy button on preformatted was assuming the presence of this
DIV. If the DIV is not present on input, we now explicitly add one which makes things work.

* Update reference docs.

* Fix bug that was messing up all the index pages in the site. (#1100)

Fix newly broken k8s link along the way...

* Revise curl instruction in master branch (#1107)

* Update intro.md (#1110)

* Update intro.md

Updating info per Wencheng's suggestion

* Update intro.md

* WIP - Combined ingress/gateway task for v1alpha3 (#1094)

* First pass combined ingress/gateway task

* Add verifying gateway section

* clarifications

* fix broken link

* fix build broken

* address review comments

* fix small grammar issue (#1112)

* Fix a few bugs and add a feature. (#1111)

- Link injection for document headers has been broken for a while due to my
misunderstanding of the "for in" syntax in JavaScript. This now works as expected.

- Same problem also prevented the feature that causes every link to outside of istio.io
to be opened in a separate window. This now works as intended.

- Made the gear dropdown menu be right-aligned such that it doesn't go off-screen on
portrait mode tablets.

- Stop importing Popper.js since it's only needed for dropdown menus that aren't in the
nav bar. Ours is in a nav bar...

- Added link injection for <dt> terms, which makes it easy to create links to individual glossary entries.

* 0.7 notes (#1101)

* Add an entry about creating quality hyperlinks. (#1114)

* 0.2.12 typo fix + doc link should be to docs/ directly + ... (#1115)

* 0.2.12 doc link should be to docs/ directly

+ note about shell security

* fix typo (for for)

* Revise wording and linking

Drop the double TOC (this page has very little traffic anyway)

* Fix inconsistent header use in this doc.

* Fix invalid index page.

* Update servicegraph docs with new viz. (#1074)

* Fix mobile navigation issues. (#1118)

When on mobile, the left sidebar is hidden by default. To make navigation easier, we allow the user to browse
the site entirely through the various index sections which provide links to all articles. This wasn't working
for the About and Blog links at the top of the page since they send you to a direct page instead of to the
relevant navigation page. So...

- Made the About link point to the about section's index page.

- Each blog page now contains a link to the next and previous blog post.

* [ImgBot] optimizes images (#1120)

/_docs/tasks/telemetry/img/servicegraph-example.png -- 41.49kb -> 28.62kb (31.03%)

* Add documentation for upgrade (#1108)

* Add upgrade doc and fixing a broken link.

* revert one file.

* Refine the doc.

* Move the doc.

* Fix syntax.

* Fix syntax

* Fix syntax

* Make non-manifest based installers have similar titles and overviews (#1086)

* Make the setup page a little more consistent.

* Make non-manifest based installers have similar titles and overviews

* Shorten the overview,tidy up the title, and add a helm.html redirect

* Installation typo in both files

* Fix inconsistent header use in this doc. (#1117)

* Improve layout on phone.

- We shrink the height of the header and footer when on mobile.

- We shrink the header font based on screen width, to avoid the nav bar being split on two lines
which leads to all sorts of bad things happening

* Since we shrink the brand more aggressively, allow the navbar to be displayed until the next bp.

* Oops, left a debugging change in accidentally, reverting.

* Add Istio mTLS support for https service demo (#1121)

* Add Istio mTLS support for https service demo

* Address comment

* Address comment

* Address comment

* Fix more headers. (#1126)

* Update procedures to access the team drive.

* Fix broken links, causing HTML proofer in circleci gates to fail (#1132)

* Fix broken links, causing HTML proofer in circleci gates to fail

* Add the same missing links to sidecar-injection.md

* Refine Helm installation warning. (#1133)

Helm charts are unstable prior to 0.7.  Remove the red warning
and instead add a simple notice that Helm charts =<0.7 are not functional.

* Fix typo

In AWS (w/Kops) section:
"openned" should be "opened"?

* prepare_proxy was refactored into istio-proxy (#1134)

* In Note 1: Consul modified to Eureka (#1122)

* Revamped nav header for better mobile experience. (#1129)

- We now only use the skinny version of the navbar instead of dynamically switching
based on viewport size. This looks cleaner, giving more screen space to the content rather than
our chrome.

- The search textbox is replaced with a search button. Clicking the button brings up the
search textbox. This looks less cluttered and works considerably better on smaller screens.

- When on a phone and the nav links are collapsed into a hamburger menu, cleanly show the
search box in the menu that comes up when you click the hamburger.

- Remove the down arrow next to the cog, it's superfluous and things look cleaner without
it.

* Add one faq item for istio on https service (#1127)

* Add one faq item for istio on https service

* Address comment

* Address comment

* Simplify the demo of plugin ca cert. (#1138)

* Update IBM Cloud Container Service (IKS) k8s setup instructions (#1136)

Copy IKS specific instructions from #1072 to general k8s setup page.

* Revamp the footer. (#1137)

- Remove all the redundant stuff and emphasize community resource via icons.

- Move the "Report a doc bug" and "Edit this page on GitHub" options to the gear
menu.

- Use Jekyll "include" support to store the landing page's artwork in external
SVG files instead of directly embedded in the HTML. Much nicer.

* Switching to 0.8.

* Update README

* Add placeholder 0.8 file to fix rake tests

* Create Owners

* Fix markdown (#1140)

* Cleans up the readability of the Ansible Installation (#1130)

* Cleans up the readability of the Ansible Installation

Run through a yaml linter Run through spell | sort | uniq
Reorganized to semi-match the Helm installation page as they have similar
functionality

There are things I like about how this document is structured now
and will carry those over to the Helm documentation in the future as time
permits.

* Remove customization example as suggested during the review

* Change Openshift->OpenShift

* Add labels over community icons in the footer. (#1142)

* Remove $ sign in command since it breaks the copy button (#1143)

* Update 0.7.md (#1144)

helm is working in master branch but not in 0.7.1

* Fix bug caused by #1138 (#1145)

* Switch back to normal html-proofer (#1146)

As my pr was merged

Fixes #849

* Setup for linting markdown files. (#1147)

- linters.sh will run spell-checking and a style checker on
markdown files.

- Fix a whole bunch of typos and bad markdown content throughout. There are many more fixes
to come before we can enable the linters as a checkin gate, but this takes care of a majority
of items. More to come later.

* Finish fixing remaining lint errors

* Make spell checking and style checking part of our doc checkin gate. (#1154)

* Update

* Inline the TOC on mobile.

- For small screens that don't have room for the righthand TOC, we now
display the TOC inline in the main document. This substantially improves
navigation on mobile.

- Fix the scroll offset which was off by a bit since the switch to the skinny
header.

* Update reference docs.

* Improve mobile experience. (#1158)

- The two call to action buttons on the landing page are now displayed one of top of
the other on small screens instead of next to one another.

- On mobile, when you scroll down a page, an arrow shows up in the top right of the screen
to let you scroll back to the top of the page. This is mighty handy since on mobile there
isn't a TOC available to click on.

- Add some convenient links on the docs' section landing page.

* Accessibility improvements. (#1159)

* www.yaml.org went missing - yaml.org seems to work. (#1166)

sdake@falkor-08:~/go/src/istio.io/istio.github.io/_docs$ dig www.yaml.org

; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.yaml.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34828
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.yaml.org.			IN	A

;; Query time: 917 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 08 09:10:51 MST 2018

* Authn policy concept and tutorial. (#1128)

* fix service account names in the instructions for OpenShift (#1083)

This commit replaces the service account names for grafana and
prometheus in the instructions to set the security context
constraints for OpenShift.

* Improve plugin cert task for better UX. (#1150)

* Update Security section in Istio overview (#1170)

* Update Security section in Istio overview

* Fix comment

* Update documentation for automatic sidecar injection webhook. (#1169)

* Add multicluster deployment documentation to Istio (#1139)

* Add multicluster deployment documentation to Istio

* Change *Ip to *Endpoint a per request

* Fix a typo

* Address all reviewer comments

Note, SVG diagram will be handled as a follow-on PR.

* Fix legitimate spelling errors found by gate

* Some backticks to fix spelling errors and other misc cleanups

* some spelling and backticks.

* Expand spelling exemptions dictionary slightly

* Correctly spell routable.

* Address reviewer comments.

Needed a rebase in the process.

* A minor consistency change

* Address reviewer comments.

* Add a caveats and known issue tracker to the documentation

Early on during review of this PR, I believe there was a review
asking for caveats, but it has disappeared from the github comments.

* Make istio.io support quality print output. (#1163)

- Get rid of all the chrome when printing a page. So no headers, sidebars, etc.

- Ensure that PRE blocks are fully expanded when printing instead of
showing a scroll bar.

- Generate endnotes for each page printed which lists the URLs of the various links
on the page. Each link site is annotated with a superscript number referencing this
table.

* Update doc for TCP periodical report. (#1095)

* Update doc for TCP periodical report.

* Add report response arrow into svg.

* Reference: https://istio.io/docs/reference/config/istio.routing.v1alpha1.html#StringMatch (#1180)

* Fix broken links caused by changes in istio/istio.

* Update reference docs.

* Improve sidenav behavior on mobile. (#1173)

The sidenav now hovers over the main text instead of pushing the main
text sideways.

The rendering of the sidenav toggler button now matches the "back to top"
button I added last week.

* Bunch of improvements (#1181)

- New visuals for the sailboat in the header. It now overflows the header.

- The TOC now highlights the currently displayed portion of the current page.
As you scroll through the doc, the selected entry updates accordingly.

- Add previous/next page links in every doc page. These used to be present only in
blog posts, but they're useful everywhere.

- Fix a few off-by-one formatting errors that stemed from using a mixed of
min-width and max-width throughout the stylesheet. This caused some strange
formatting to happen at specific window widths. Now, we're consistently using
min-width and everything lines up properly.

- Improved footer formatting so it looks better on mobile.

- Only display the TOC on XL screens, otherwise it wraps too much.
Screens smaller than XL now all get the inlined TOC instead.

- Add support for pages to request that the TOC be generated inline instead of in a sidebar.
This is useful for pages that have headings which cause too much wrapping in the TOC,
such as the Troubleshooting Guide.

- Add some blank space between an inlined TOC and the main text so that things don't look
so crowded, especially when printing.

- Inline the sailboat SVG into each page. This avoids a network roundtrip and allows the
SVG to be controlled with the same CSS as everything else.

- Eliminate a huge amount of redundancy in the four main layout file for the site.
They now share a single primary.html include file which carries most of the weight. This
will avoid having to constantly make the same change in four different files.

- Improve the generated HTML for <figure> elements which makes
things better for screen readers.

- Simplify the HTML & CSS for the footer.

* Fix indent issue (#1182)

* Rename Isito CA to Citadel. (#1179)

* Update feature-stages.md (#1183)

Updates to features as of 0.7 release

* Update Helm Documentation (#1168)

* Modify minimum pin of Istio version with Helm and improve prereqs

* Add section describing briefly how to use helm without tiller

* Change heading description for Helm method and add upgrade warning

* Make common customization options table match current master

* Subsection the two methods for installing with Helm

* Remove Helm keys from .spelling.  Add FQDNs as an acronym.

* Backtick the keys and defaults, values.yaml, and fix 1 spelling error

* Add uninstall instructions for both kubectl and helm with tiller

* Place backticks around architecture platforms and correctly list them

* Show both uninstall methods (kubectl & Helm)

* Remove two extra CRs

* Fix yaml linting errors

* Link to requirements for automatic sidecar injection.

* Change istio-auth to istio for rendering

* Address reviewer comments.

* Fix linting error.

* Notify operator they need capability to install service accounts.

* Fix lint error

* Switch to PrismJS for syntax highlighting. (#1184)

Instead of doing syntax highlighting statically in Jekyll, we now
go back to the PrimsJS library we used in the 0.2-0.4 timeframe.
It used to be problematic, but the cause for the problems have
been addressed a while ago.

This gives us highlighting for non-markdown content,
such as dynamically loaded PRE blocks and PRE blocks that
come from HTML generated from protos.

* Adding info about new expression language methods. (#1186)

Adding info about dnsName, email, and uri functions.

* Fix typo liveliness -> liveness (#1188)

* Fix typo liveliness -> liveness

Add mdspell dependency to gem installations

* Add backticks around firebase deploy command

* Fix a few bugs. (#1187)

- The slide-in sidenav used on mobile went all crazy when text got too long in the expanded
panel. We now set a max width to trigger controlled wrapping and avoid the nasties.

- The hamburger menu that replaces the link in the top header on small screens didn't render
right on medium-sized screens (a.k.a. portrait-mode tablets). I had one of my breakpoints set
inconsistently.

- Dynamically loaded PRE blocks were not being syntax colored, now they are.

- The Links endnote section created for printing pages was not dedupping identical
links.

- The Links endnote section contained entries for the next/previous links which are
normally at the bottom of each page. These links aren't visible when printing and so
shouldn't appear in the Links endnote section.

* Add rocket chat to our footer & community page. (#1189)

Also, update the mailing list icon on the community page to match what we use in the
footer.

* Add instructions to integrate Istio with existing Endpoints services.  (#1164)

* Add multitenancy blog (#1119)

* Add multitenancy blog

* Update soft-multitenancy.md

* Update soft-multitenancy.md

* Add multitenancy blog

* Add blog entry for configuring aws nlb for istio ingress (#1165)

* Don't add links from figures into endnotes. (#1192)

- The prior design for avoiding links for figures was brittle and was
in fact broken. Now it's more robust.

* [ImgBot] optimizes images (#1193)

*Total -- 683.39kb -> 440.68kb (35.52%)

/_blog/2018/img/roles_summary.png -- 101.32kb -> 61.03kb (39.77%)
/_blog/2018/img/policies.png -- 244.70kb -> 148.25kb (39.41%)
/_blog/2018/img/attach_policies.png -- 48.65kb -> 31.59kb (35.06%)
/_blog/2018/img/createpolicyjson.png -- 120.21kb -> 80.63kb (32.93%)
/_blog/2018/img/create_policy.png -- 86.38kb -> 60.62kb (29.82%)
/_blog/2018/img/createpolicystart.png -- 82.12kb -> 58.55kb (28.7%)

* Update circuit break use existing file. (#1091)

* Add proper link to Helm and Multicluster feature stages (#1196)

* Update multicluster installation to match master (#1195)

* Add a trailing / on an URL that was returning a 301

* Update multicluster intallation to match master

Big usability improvements have been made.  Document
the new workflow for multicluster.

* Address reviewer comments.

* Fix linting problem

* Fix docker run command (#1201)

The command as it stands will fail with "Gemfile not found". The working directory should be set to $(pwd) as well to start execution in the istio.github.io directory and find the Gemfile.

* remove installation instructions for prometheus (#1199)

* remove installation instructions for prometheus

* more doc fixes for 0.8

* Add request.auth.claims and update source.user, source.principal, and (#1205)

request.auth.principal

* Fix command to build & serve site locally using docker (bad workdir) (#1206)

* Add attributes into documentation. (#1200)

* add a step to define ingress gateway in bookinfo guide (#1207)

* add a step to define ingress gateway in bookinfo guide

following istio/istio#5113

* make ingress gateway lower case

* Fix broken link in README.md (#1209)

* Adding Azure support instructions (#1202)

* adding docs for Azure

* minor misspelling fix

* adding acronyms

* removing blank line

* changing bash output to reflect only necessary flags

* fixing grammar errors

* Fix link to IBM cloud private (#1216)

* Typo fix (#1208)

* clarify we support more than just k8s (#1212)

* Update reference docs. (#1219)

* Quiet GitHub warning

* v1alpha3 routing blog (#1190)

* Clarify istio.io/preliminary.istio.io stuff (#1221)

* add galley.enabled option to helm instructions (#1222)

* Fix naming collision (#1226)

ingressgateway and ingress both match the grep, resulting in
incorect ingress name being produced in troubleshooting guide.

* adding the recommended namespace (#1218)

* adding the recommended namespace

istio/old_issues_repo#312

* add the recommended namespace

* add creating the namespace

* correct typos

* only need to create namespace 

for the template approach

* Introduce support for new fangled PRE blocks. (#1224)

Instead of having to have two PRE blocks, one for commands and one for the output,
we can now have a single PRE block and we take care of rendering things to show the
command vs. the output. The Copy button on such a thing only copy the command, and not
the output.

We now also show a $ on command-lines, but the Copy button doesn't copy that and knows to just
copy the usable part of the command-line.

* 0.8 release notes. (#1223)

* Fix incorrect behavior of the sidenav when dealing with long non-wrapping page titles. (#1229)

- When I was last fiddling with the sidenav on mobile, I messed up the sizing for non-mobile cases.
This cause the sidenav to grow beyond its expected size when presented with long non-wrapping page
titles. The text is now wrapped instead as it should.

- Shrank the font size of the list items in the sidenav to 85% to reduce the amount of wrapping that
happens.

- Reduce the right margin in the side nav to again try to reduce the amount of wrapping.

* Update content to help upcoming migration from Jekyll to Hugo (#1232)

- In front matter, order: and overview: are now weight: and description:

- In front matter, we generally don't need layout: and use config to assign layouts automatically

- Remove the useless type: front-matter entries, the type is infered from the file extension.

* Improves multicluster documentation (#1217)

* Improves multicluster documentation

Improve documentation based upon fresh eyes running through the
documented process.

* Address reviewer comments.

* More refinement.

* Exclude rule MD028

Rule 028 is: https://github.com/DavidAnson/markdownlint/blob/master/doc/Rules.md#md028---blank-line-inside-blockquote

The rationale below cut and pasted from markdownlint seems
valid for the general case, however, our MD parser always
produces seprate block-quotes, which is what I am after in
this PR.  I think other people will prefer our renders of
blockquotes (separate blockquotes);

Rationale: Some markdown parsers will treat two blockquotes
separated by one or more blank lines as the same blockquote,
while others will treat them as separate blockquotes.

* Improve the doc to apply istio-auth.yaml (#1227)

* Fix doc (#1228)

* Task/guide updates for v1alpha3 (#1231)

* Task/guide updates for v1alpha3

* fix typo

* remove trailing spaces

* tweaks

* Corrections and clarifications (#1238)

* clarify https external services support (#1239)

* clarify https external services support

* spelling error

* Hopefully finally really fix the issues with the sidenav on small screens. (#1240)

* fix manual sidecar injection docs for helm template changes (#1211)

Addresses #1210

* Switch most uses of ```bash to ```command. (#1242)

This takes advantage of the new rendering for command-lines and their outputs.

* Fixes to the doc after testing/reviewing it with release-0.8 istio branch (#1244)

* update format of a tcp ServiceEntry (#1237)

* Remove broken link. (#1250)

* WIP PR for v1alpha3 task corrections (#1247)

* ingress task corrections

* fault injection task version wrong

* Fault task corrections (#1253)

* update samples to align with latest proto definition (#1254)

* Traffic Shifting Review - Fixed wrong links (#1259)

* rbac.md: unindent yaml files (#1257)

also fixed a typo

Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>

* Create istio namespace before install remote cluster. (#1243)

* update instructions for gke-iam (#1260)

* Remove a broken link. (#1263)

* Fix another broken link. (#1265)

* [ImgBot] optimizes images (#1264)

*Total -- 73.77kb -> 65.13kb (11.72%)

/_docs/setup/kubernetes/img/dm_gcp_iam_role.png -- 38.54kb -> 33.47kb (13.15%)
/_docs/setup/kubernetes/img/dm_gcp_iam.png -- 35.23kb -> 31.65kb (10.15%)

* Fixes #1241 (#1258)

* Added namespace when create helm template. (#1234)

* Add istioctl proxy-config to the troubleshooting section (#1267)

* Fix istioctl proxy-config link to not point at prelim docs (#1269)

Because that would be a dumb thing to do

* Update how we insert images to make a transition from Jekyll to Hugo easier. (#1275)

* Change publish_date front-matter to publishdate to aid in the Jekyll to Hugo migration. (#1276)

* Remove stray quotes.

* Shorten long titles and descriptions. (#1278)

* Fix aspect ratio of a couple images. (#1277)

The incorrect aspect ratio value was leading to spurious top/bottom padding on
the images.

Also, delete unecessary .png version of some .svg files.

* Revert "Rebase from Istio Master (#2)" (#3)

This reverts commit 6122f38.

* Add ,missing feature links

This change adds some of the missing feature links to the feature-stages page.

* Fixes the API key location

API key location was wrong

…9a02d10064d169 (#6019)

* Generate inboundPorts for the init container (#5070)

* Adde list of container ports to the injected inbound ports

* Add support for helm

* [test pr] check if 503s and other known bugs are fixed

removing the t.Skip()

Should fail in CI until we have a fix

* prune old version resources that no longer exist (#5107)

Automatic merge from submit-queue.

prune old version resources that no longer exist

* [vendor-change] CloudWatch Mixer adapter (#4617)

Automatic merge from submit-queue.

[vendor-change] CloudWatch Mixer adapter

Adding an adapter to send metrics to cloudwatch

* Enable Ingress/Egress gateways in Helm for bookinfo demos (#5120)

Automatic merge from submit-queue.

Enable Ingress/Egress gateways in Helm for bookinfo demos

* Consume labeled multicluster secrets on startup (#5117)

Automatic merge from submit-queue.

Consume labeled multicluster secrets on startup

This patch when run against istio.yaml or istio-auth.yaml
runs in the new config mode using only labels rather than
configmaps.  The configmap functionality can be removed in
0.9.

* Add a linter check to make sure types.go are generated. (#5110)

Automatic merge from submit-queue.

Add a linter check to make sure types.go are generated.

addresses https://github.com/istio/istio/issues/4418

* Remove outdated manifests from install/kubernetes (#4882)

* Remove orig_ manifests

* Remove istio-mixer-validator and istio-mixer-with-health-check manifests

* Remove unwanted manifests before archiving

* Remove istio-sidecar-injector.yaml from install/README.md

* Remove *one-namespace*.yaml from install/README.md

* Make helm-generated manifests overwrite updateVersion_orig.sh manifests

* Add support for per-metric namespace configuration to prom config (#5112)

* Adding CI workflow for checking vendor diff (#5051)

Automatic merge from submit-queue.

Adding CI workflow for checking vendor diff

This aims to help ensure that a PR contains the correct vendor change,
by running `dep ensure` and seeing if git detects any changes.

* Introduce galley/pkg/server (#4974)

Automatic merge from submit-queue.

Introduce galley/pkg/server

galley/pkg/server implements logic performs both CRD synchronization, along with resource synchronization operations. The resource synchronizers are started/stopped as CRDs (of interest) are added/deleted.

* [vendor change] Add metrics command to istioctl experimental cli (#4945)

Automatic merge from submit-queue.

[vendor change] Add metrics command to istioctl experimental cli

This PR adds a new command for retrieving service-level metrics
for services within an Istio service mesh. In combination with
the `watch` command, this tool may be used to display a rudimentary
service dashboard from the commandline.

This command requires the deployment of a prometheus instance for
monitoring the mesh. It discovers a prometheus pod, establishes a
port-forward to that pod, and executes a series of queries to extract
the metrics for display.

Currently, this command pulls all metrics from the current time, 
calculating rates and latencies over a time window of 1 minute. In 
the future, it will be possible to add support for flexible time
windows.

Example usage (bookinfo example):

```
$ istioctl experimental metrics productpage reviews ratings details
productpage:
  Total RPS:     7.872870
  Error RPS:     0.000000
  P50 Latency:   40ms
  P90 Latency:   80ms
  P99 Latency:   98ms
reviews:
  Total RPS:     7.909235
  Error RPS:     0.000000
  P50 Latency:   4ms
  P90 Latency:   9ms
  P99 Latency:   21ms
ratings:
  Total RPS:     5.309187
  Error RPS:     0.000000
  P50 Latency:   2ms
  P90 Latency:   4ms
  P99 Latency:   4ms
details:
  Total RPS:     7.872870
  Error RPS:     0.000000
  P50 Latency:   3ms
  P90 Latency:   38ms
  P99 Latency:   48ms
``` 

This tool is intended primarily to aid with debugging, as discovering
what is happening with a mesh and/or a particular service can be somewhat
cumbersome.

Reviewers: please let me know if there is a more appropriate place for 
such a tool and if there is more/different information that you think
is relevant to display for a service.

Vendor PR: https://github.com/istio/vendor-istio/pull/58

* unset IFS, minor fix for perf setup (#5124)

Automatic merge from submit-queue.

unset IFS, minor fix for perf setup

* perf setup update: add grafana, misc fixes (#5028)

* need git pull --tags to get latest_release movement, use DUR variable for duration

* Add grafana ingress

Doesn’t work because of mixer/telemetry split yet but almost

Also had to disable mtls for grafana - this should be the default

* Add annotation for no mtls in helm template

* From 0.8 prometheus is already in the yaml

See #5111

* Assert requried circle CI envs in ci2gubernator (#5137)

Automatic merge from submit-queue.

Assert requried circle CI envs in ci2gubernator

There has been cases where tests on circle failed when calling ci2gubernator because `CIRCLE_PR_NUMBER` unbound. This PR asserts the existence of the circle ci envs required by ci2gubernator and resort to no op if any of those is not defined.

* Add Mixer perf tests that includes the RPC path. (#5013)

Automatic merge from submit-queue.

Add Mixer perf tests that includes the RPC path.

The perf tests included two sets of tests (proper v.s. with _R2 suffix).
The tests with _R2 suffix was for testing runtime2 implementation.

Now that there is only one runtime, repurposing some of the tests to
include the gRpc layer as well.

* verify 200 status code in addition to header value (#5163)

* Add/Update Mixer e2e tests to cover more attributes sent from Envoy. (#5152)

* Add/Update Mixer e2e tests to cover more attributes sent from Envoy.

* Fix indent.

* Assorted bug fixes for 0.8 (#5133)

* assorted bug fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Updated zipkin to 2.7 for istio. (#5155)

Automatic merge from submit-queue.

Updated zipkin to 2.7 for istio.

This is a follow up PR for https://github.com/istio/istio/pull/4726

/cc @ldemailly

* fix path for go 1.10 on perf vm (#5168)

* Move mixer filter to per_filter_config (#5073)

Automatic merge from submit-queue.

Move mixer filter to per_filter_config

Move the per route mixer filter config from the metadata field to per_filter_config and turn it into a ServiceConfig proto.

* Enable test

* [vendor change] Add B3 codec to Jaeger tracer to enable mixer trace to be included in… (#5116)

Automatic merge from submit-queue.

[vendor change] Add B3 codec to Jaeger tracer to enable mixer trace to be included in…

… the application trace - and extended zipkin test to check for the mixer span

Installs the B3 codec into the Jaeger tracer to enable B3 headers to be understood and therefore associate any spans with the existing application trace.

The PR also updates the zipkin e2e test to check that the mixer spans are included in the application trace instance. 

Once an initial review of the PR has been approved I'll commit the vendor change - using "dep ensure"? Locally this has resulted in a number of dependencies being deleted under `vendor/k8s.io/client-go/`.

Signed-off-by: Gary Brown <gary@brownuk.com>

* remove prometheus from release archives (#5150)

Automatic merge from submit-queue.

remove prometheus from release archives

* Add Galley command-line flags "server" and "purge" (#4977)

Automatic merge from submit-queue.

Add Galley command-line flags "server" and "purge"

Add command-line flags for server and purge commands.

* Simplify the auth test

Thanks Andra for pointing out that version should fail/work the same as
using pod IP directly as the destination container never sees the
original cluster IP

* adds guard for kube client (#5140)

* adds guard for kube client

- there may not always be one, especially in
the case of CF.
- made CF case more explicit

* ci2gubernator: stop checking for unset variables

* Fix single endpoint pilot ads look up (#5165)

* Add an experiment subcommand rbac to istioctl. (#5093)

Automatic merge from submit-queue.

Add an experiment subcommand rbac to istioctl.

The subcommand is used to interact with Istio RBAC policies, this PR
adds the basic interface and the actual logic will be added in a later
PR.

See #4856.

* Fixing race test failure in TestAdsEds (#5161)

Automatic merge from submit-queue.

Fixing race test failure in TestAdsEds

introduced by https://github.com/istio/istio/pull/4694
addresses #4235

* v1alpha1 to v1alpha3 rule conversion tool bug fixes and subset merging (#5178)

* v1 to v3 conversion enhancements and tests

* Handle DestinationPolicy w/o labels

* Remove AddJwtAuth (#5194)

Automatic merge from submit-queue.

Remove AddJwtAuth

There is a compile error.
# istio.io/istio/mixer/test/client/env
../../../../../mixer/test/client/env/mixer_filter_config.go:167:47: undefined: client.JWT
../../../../../mixer/test/client/env/mixer_filter_config.go:168:21: mfConf.PerRouteConf.EndUserAuthnSpec undefined (type *client.ServiceConfig has no field or method EndUserAuthnSpec)
../../../../../mixer/test/client/env/mixer_filter_config.go:168:42: undefined: client.EndUserAuthenticationPolicySpec
../../../../../mixer/test/client/env/mixer_filter_config.go:169:21: mfConf.PerRouteConf.EndUserAuthnSpec undefined (type *client.ServiceConfig has no field or method EndUserAuthnSpec)

Remove AddJwtAuth function.

cc @diemtvu

* Skip bad routes instead of erroring (#5183)

* Skip bad routes instead of erroring

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* final nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix rules

* BlackHole with a capital H

* validate clusters false

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Fetch/cache/refresh JWT public key, construct localJwks in sidecar filter config (#5061)

Automatic merge from submit-queue.

Fetch/cache/refresh JWT public key, construct localJwks in sidecar filter config

https://github.com/istio/istio/issues/4917

This PR includes 
1. fetch JWT public key, and cache the key.
2. key rotation - a refresher job refresh key periodically.
3. use the key to construct localJwks in sidecar filter config.

* Introduce dynamic proto3 encoder (#5122)

* WIP commit

* Remove dead code

* Rearrange code

* split code into encoderUtil

* Everything except ENUM

* use protoc 3.5.1 to ensure json names are generated

* expose internal funcs

* WIP3. all dynamic and static elementry types. No repeated or packed

* support packed static primitive types

* use switch in place of if

* primitives with eval and packed repeated

* all primitives with expressions

* add test with enum constants and expressions

* add expressions in repeated fields

* Refactor 2

* linter checks

* fix linter2

* split encoder and builder

* rename eval to primitive

* add all dynamic tests

* Add dependency for messagediff

* add full dynamic test

* update comment

* fix linter error

* Update vendor. Add messagediff.v1 for test verification

* add all positive tests

* improve test coverage

* remove updated to lang.compiled

* fix linter error

* handle float64 inputs for integers

* Builder.Build() takes msgName and data

* WIP2

* review comments

* review comments

* rename messagediff to diff

* add more tests

* Update deps

* improve test coverage

* add log message while skipping fields

* increase test coverage

* update dep status

* Add more files to gitignore (#5198)

* Fix Mixer dashboard CPU reporting (#5145)

Automatic merge from submit-queue.

Fix Mixer dashboard CPU reporting

A previous PR seems to have accidentally removed the "rate" component of
the CPU calculations for the Mixer Dashboard. This results in an ever-increasing
CPU graph.

This PR restores a proper rate-based display for CPU calculation. It also
renames the jobs in the Prometheus config to better align with the split
from Mixer to Istio-Telemetry and Istio-Mixer (providing easier to understand
tracking between cAdvisor metrics and the self-reported metrics.

This PR should be cherry-picked onto the 0.8 branch.

* fix nil reference error when mock server fails to start (#5216)

* [WIP] refactor bookinfo to use different gateway definitions for envoy v1/routing v1alpha1 and envoy v2/routing v1alpha3  (#5113)

* restrict the tests to either v1alpha1 or v1alpha3

* move applying defaultRules into setUpDefaultRouting

* extract Ingress (Gateway) definition from bookinfo.yaml

it is different for v1alpha1 and v1alpha3

* make the gateway rule first in defaultRules, so it will be applied first

* fixed wrong variable names in mixer tests

* fixed the location of bookinfo gateway yaml

* fixed wrong variable in mixer test

* add missing spec and name to destination-policy-reviews

* remove comment line in samples/bookinfo/routing/bookinfo-gateway.yaml

* add port 9080 to the new bookinfo gateway

* remove using a special destination rule for reviews

* refactor GetIngress to make it reusable for GetIngressGateway

extract functions for getting Kubernetes Ingress and NodePort

* remove a shadowing variable

* refactor GetIngressPod, add GetIngressGateway

* add IngressGateway() to framework Kube

* added using IngressGateway() of framework Kube in bookinfo e2e tests

* use load balancer ingress IP to get the IP of the nodeport

* use ingress IP for nodeport

* remove commented out line

* fixed getting the ingress as the IP for a NodePort

* Revert "fixed getting the ingress as the IP for a NodePort"

This reverts commit 594e58d9ae9d7eb4374979b21795f0a945abdc3d.

* Revert "use ingress IP for nodeport"

This reverts commit 333b80f92e12aef938b8ef8d576074c8a3a2ab57.

* Revert "use load balancer ingress IP to get the IP of the nodeport"

This reverts commit 3c138e4819bc5cc41f3e74b9f4fd6371c103bbe8.

* add generate_yaml-envoyv2_transition_loadbalancer_ingressgateway

to generate istio configurations without ingress and with ingressgateway as
a LoadBalancer service

* use generate_yaml-envoyv2_transition_loadbalancer_ingressgateway in test/local/noauth/e2e_bookinfo_envoyv2

* added LoadBalancerServiceType and NodePortServiceType constants

* rewrote the ingress related logic

use LoadBalancer type for non-local and NodePort for local tests

* lint fixes

* fix lint errors

* *sync.Locker -> sync.Locker, use interface instead of a pointer to interface

* refactor: extract getServicePort() from getServiceNodePort()

* add isKubernetesIngress flag to tests/util.GetIngress()

* fix the destination port in the virtual service of the gateway

* Revert "add isKubernetesIngress flag to tests/util.GetIngress()"

This reverts commit 8dbe13cc4b0d69c0790a96c1d82c749a2c91dcae.

* set different retry values for LoadBalancer and NodePort

according to the original implementation

* fix logging message

* fix a typo

* Introduce pkg/ctrlz, Istio's introspection package. (#5123)

* Introduce pkg/ctrlz, Istio's introspection package.

Processes that integrate with ControlZ open up a port that enables operators
to connect with a web browser and interact with the process. Through the browser,
the operator can adjust logging scope levels, see the process' command-line arguments
and envirinment variables, see statistics about heap use, and more.

Integration with ControlZ is nominally two line deal for processes. Optionally,
processes can extend the base ControlZ UI and integrate their own screens into the
main UI.

In addition to the browser interface, there is a REST API enabling access to all
the same things that the UI shows.

Mixer is integrated with ControlZ but doesn't currently have custom UI. We should
integrate ControlZ with our other server components in due time.

* Add myself to owners. (#5039)

* pod Ip is actually required

Service vip doesn’t exist for non existent port and we need a non
existent port to get the bad routing behavior

* Expose image of each istio component for istio chart. (#5222)

Automatic merge from submit-queue.

Expose image of each istio component for istio chart.

Make `image` for each Istio component be configurable. 
This is useful in case that users build or retag Istio image.

/cc @gyliu513 @linsun @sdake

* Undoing accidental merge to master

* Adding zone/region node labeling if missing (#5164)

* Fixing missing INSTANCE_IP

* Fix yaml error

* Rename v1alpha3.ExternalSerivce to v1alpha3.ServiceEntry (#5195)

* first pass renaming v1alpha3.ExternalSerivce to v1alpha3.ServiceEntry

* rename ServiceEntry.Discovery to ServiceEntry.Resolution

* update vendor to latest istio/api

* fix cloudfoundry copilot e2e test (#5188)

* initial changes to fix both pilot endpoints

* they now should be curl'ing the right things

properly booting an envoy with dynamic
template now

new port name for building listeners

Include port for Cloud Foundry services

* Building listeners now requires named ports.

* always run cloudfoundry tests

* moves cloudfoundry circleci test to own run

* adds cloudfoundry test to all

* want to just use default env vars

* need GOPATH/bin on path for envoy

* switch to defaults which uses da container

* disable zipkin test in pilot

* add missing clusters to ads mesh response (#5221)

* e2e test for JWT authn policy (#5144)

Automatic merge from submit-queue.

e2e test for JWT authn policy

https://github.com/istio/istio/issues/5078

1. JWT token used here expires in year 2132 (borrowed from https://github.com/istio/proxy/blob/master/src/envoy/http/jwt_auth/sample/correct_jwt). 
2. will add another e2e test for fetching JWT public key scenario after https://github.com/istio/istio/pull/5061 is in.

* Set listeners h2 max streams to override nghttp2 client default of 100 (#5232)

Automatic merge from submit-queue.

Set listeners h2 max streams to override nghttp2 client default of 100

Reference issue: https://github.com/envoyproxy/envoy/issues/3076
Signed-off-by: Kuat Yessenov <kuat@google.com>

* Enable ControlZ to fetch the current process' known logging scopes. (#5245)

Automatic merge from submit-queue.

Enable ControlZ to fetch the current process' known logging scopes.

* Add more parameters to sidecar injector helm template (#5044)

Automatic merge from submit-queue.

Add enableCoreDump and policy parameters to sidecar injector helm template

* Fixing fallout of renames in earlier commit + restore auth for e2e-simple on circle (#5241)

* Fixing fallout of renames in earlier commit

* Re fixing lost fix that e2e-simple should run with auth

Technically it should run with both auth and no auth like on prow but
if it runs only 1 mode it should be with auth

* follow output log pattern for cloudfoundry e2e test (#5234)

- and tee to a new file so it doesn't overwrite

* bootstrapv2: Stop using deprecated cluster_names (#5225)

Using cluster_names in GRPC resource config is deprecated:
https://github.com/envoyproxy/envoy/commit/ad02e4ac036be359c435d33c987501477c648020

Signed-off-by: Romain Lenglet <romain@covalent.io>

* Address a few causes of Gateway/Filterchain failures (#5185)

* Sort HTTP route virtual hosts before sending listeners to Envoy.
Listeners with multiple filter chains containing HTTP filters require
that the HTTP filters have consistent ordering due to how Envoy computes
updates.

* don't respond with empty listeners

* address review comments

* fix linter

* linters, once more

* use configurable paths for envoy and envoy config locations (#5248)

* re-add istioctl unit tests to Makefile (#5205)

* re-add istioctl unit tests to Makefile

https://github.com/istio/istio/pull/3820 moved istioctl out of pilot
subdirectory but forgot to re-add istioctl unit tests to top-level
Makefile. Fix that problem and also the currently broken tests.

* add missing test data

* return an error when Envoy fails to start (#5251)

mixer and backend should also do this, but that involves slightly more
work.

* change bookinfo test to use helm install  (#5114)

* add helm testing

* adding a few supporting methods for helm

* test: modify to invoke helm install

* Revert "test: modify to invoke helm install"

This reverts commit 0083f3c361acba49700a8a20e03b6cffab9c27f1.

* adding a few function to install tiller

* add pod name in log

* customize values for helm install

* try enable helm installer

* change to the right time

* fix build issue

* fix build issue

* set correct helm path and params

* fix e-2-e error in helm dry run

* use the correct install dir

* use the correct namespace for the testing

* Pilot crash in pushEDS function (#5266)

* Crash fix

* Adjusting the fix

* check in https://github.com/istio/istio/pull/5238 to 0.8 branch  (#5261)

Automatic merge from submit-queue.

check in https://github.com/istio/istio/pull/5238 to 0.8 branch 

check in https://github.com/istio/istio/pull/5238 to 0.8 branch, which is required for jwt authn policy to work in v2.

* fix bookinfo v1alpha3 version migration test (#5224)

* added printing unexpected version in version migration tests

* print the diffs with the compared versions in case migration test fails

* apply default rules after every bookinfo test

in v1alpha3 there is no rule precendence, a new rule just deletes the old one
there is no possibility to have two rules on the same host

* apply all the default rules instead of only allRule after each test

* Merge circleci fix from master (#5313)

* hostname assign  error (#5285)

* Crash fix

* Adjusting the fix

* fixing Hostname assignement

* Fix collateral from the change

* Adding inbound to if

* Enable mTLS for pilot e2e tests (#5268)

* Enable mTLS for pilot e2e tests

* Change generate_yaml-envoyv2_transition to output to istio-auth.yaml as test is in auth enabled mode

* Add grpc ports to containerPort list as inboundPorts are limitted by these since https://github.com/istio/istio/pull/5070

* Disable rbac e2e test as it crash when authn enabled.

* Disable egressgateway when mTLS enable.

* Use consul node address as a backup when filtering service instances (#4195)

* Fix error when running minikube (#4502)

There will be error like this if this field is missing:
Object 'Kind' is missing in ...

* Delete custom resources before uninstalling chart. (#5279)

* Improve the script to generate jwt (#5297)

* Fix doc

* Revert code change to pass test

* Make metrics command ready for web scale. (#5289)

This change makes the output denser and easier to read.

Example usage (bookinfo example):

$ istioctl experimental metrics productpage reviews ratings details
    SERVICE    TOTAL RPS    ERROR RPS  P50 LATENCY  P90 LATENCY  P99 LATENCY
productpage        7.873        0.000         40ms         80ms         98ms
    reviews        7.909        0.000          4ms          9ms         21ms
    ratings        5.309        0.000          2ms          4ms          4ms
    details        7.873        0.000          3ms         38ms         48ms

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

* prevent mixing istio-ingressgateway and istio-ingress in proxy config (#5326)

* use env.Mesh.IngressService instead of hardcoded string

* add definition of IngressService to the mock mesh in the proxy config test

* add dot to prefix comparison of Ingress Service

* Update proxy sha to latest in release-0.8 (#5314)

* Update proxy sha to latest.

* update to newer proxy sha

* Include bookinfo gateway definition into upgrade e2e test. (#5316)

* Add all circle ci tests to testgrid (#5184)

* use client-go's default client config loading rules (#5336)

* Fix egressgateway e2e test when mTLS enable. (#5333)

* Change service entry for egressgateway to b, which is in the mesh, so that test works when authn is enabled.

* Disable mTLS for service t so it can be used as fake external service.

* Add missing policy yaml.

* Add comment to explain the purpose of authn policy for egressgateway test.

* Revert accidental revert.

* Correct fix: disable mTLS for egressgateway instead.

* Correct authn policy yaml file.

* Correct policy target name.

* bugfix: tracing operations for mixer sidecar (#5362)

* Update envoy_telemetry.yaml.tmpl

* Update envoy_policy.yaml.tmpl

* disable flakey controller cache tests (#5337)

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Fix v1alpha3 abort rule not working in task (#5366)

* Disable rbac e2e test. (#5374)

RBAC consistently failed for days - the other tests were broken in post-submit as well

* eds: Hold lock for iterating on EDS clusters for logging (#5373)

Fixes: https://github.com/istio/istio/issues/4903
Signed-off-by: Romain Lenglet <romain@covalent.io>

* Fix mesh expansion, add the v2 ports (#5312)

* re-add flags for consul and eureka until these fields can be set by config/file (#5339)

* Revert 'enable auth on the noauth test' (#5378)

* Test and more bug fixes. (#5127)

* Test and more bug fixes.

Adding more coverage to the local tests showed that mixer can break
listeners in some cases - this is a P0, we shouldn't cut release until
this is in.

* Remove select used for debug, too verbose message

* Fix lint, format. Add few metrics on rejected configs

* More debug/monitoring help

* More testing and debuggability. Refactored the cluster method to allow more info in the message and simplify

* Update timeout

* More varz, fix lint/race

* Move controller test out, seems to be interfering with the other tests

* Use default timeout, add the moved controller_test

* If AuthPolicy is MTLS, use the MTLS port

* remove api section from istio.deps (#5375)

No code change, needed to fix the branch.

* Attempt to capture periodic/flaky/etc in testgrid (#5386)

Branch fixing, no code change.

* Per-port Destination rules and fault injection (#5055)

* update Go control plane

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* enabling fault injection

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* per port destination rules

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* clearer log message

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* update proxy sha

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* update proxy sha again

* dep ensure

* fix tests

* fix nil map

* format

* dep ensure

* update proxy SHA

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nit

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix buildprotostruct

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* more struct conversion errors

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

* fix up service entries

* enable auth for test/local/noauth/e2e_bookinfo_envoyv2

* enable egress tests for test/local/noauth/e2e_bookinfo_envoyv2

* dep lint fix

* fix validation

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix

* update istioctl tool for new ServiceEntry.Addresses field

* add generation of istio-auth.yaml

to generate_yaml-envoyv2_transition_loadbalancer_ingressgateway Makefile target

* Revert "enable egress tests for test/local/noauth/e2e_bookinfo_envoyv2"

This reverts commit a39da0e34446c4107e21957231c3bda6a9398492.

To debug it and to handle it in a separate PR.

* Wildcard hostnames (#5363)

* Add Hostname type to describe hostnames, and use it in Pilot's model. This will be used to provide structure for logic for hostname matching.

* Implement Matches for hostnames, with support for wildcards. Update string->model.Hostname in a few places I missed.

* fix a bunch of tests I missed on the first pass

* Add host matching of the hosts exposed by a server on the hosts exposed
by a virtual service. We skip the VirtualService if its hosts aren't
matches of the server's hosts.

Downgrade some noisy logging.

* roll back stuff touching v1alpha1

* make the linter happy

* implement sorting of hostnames, use it to determine best matches when getting destination rules for a hostname

* fix linter errors

* fix build failure due to bad merge

* make sure *.foo.com does not match foo.com

* doh, fix my own tests

* add some test cases for 'odd' wildcards, e.g. *foo.com

* rebase and fix conflicts

* another set of merge conflicts

* revert bad merge

* one more bit I missed

* Correct authn flags for pilot v2 e2e test. (#5394)

Test infrastructure problem, no code change.

* We shouldn't swallow errors without a trace (#5207)

* Change number is expected to be an int (#5396)

Fixing test infra, no code change.

* allow 'istioctl get gateway' etc (#5395)

* This PR broke mixer as its CRs were getting deleted after getting  published to kubernetes config server. (#5397)

Revert "Delete custom resources before uninstalling chart. (#5279)"

This reverts commit d266a5ce4bb16d25867b3e145399a7f61e58739c.

* Enable e2e test for mTLS enable via authn policy for both Istio install mode (enable/disable mTLS by default). (#5385)

* fix incorrect upstream tls context generation (#5387)

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Update istio.io/api dependency. (#5388)

* add root CA bundle and use it for making https request in pilot (#5368)

* add root CA bundle and use it for making https request in pilot

* address comment - rename to secureHttpClient

* let test pass if mock server fails to start (#5317)

add logging/increase retry times when mock server fails to start

* Add mixer tests for the Istio authn filter (#5267)

Add the following Mixer tests for Istio authn filter

- Test when requiring JWT for peer and binding to peer, the authn attributes in the actual check and report calls match those in the expected check call
- Test when requiring JWT for peer and binding to origin, but no method specified in origin policy, the request will be rejected by Istio authn filter.
- Test when when requiring JWT for origin and binding to origin, the authn attributes in the actual check and report calls match those in the expected check call.
- Test when requiring JWT for origin and no binding to origin, the authn attributes in the actual check and report calls match those in the expected check call.
- Test when the HTTP request is rejected by the Istio authn filter for peer JWT authentication, the response code and the response message is as expected.
- Test when the HTTP request is rejected by the Istio authn filter for origin JWT authentication, the response code and the response message is as expected.
- Test when the Istio authn filter requires mTLS for peer connection, the non mTLS connection is rejected and the response code and the response message are as expected.
- Test when the Istio authn filter requires TLS for peer connection, the non TLS connection is rejected and the response code and the response message are as expected.

* re-enable the rbac e2e test in e2e_pilot and e2e_pilotv2 (no auth). (#5402)

* Enable rbac e2e tests.

It's fixed in #5397.

* Also enable rbac e2e for test/local/noauth/e2e_pilotv2.

* Specify --rbac_enable=true explicitlly.

* Use v2 in ingressgateway, pilot, mixer. Cleanup. (#5401)

* Use v2 in ingressgateway, pilot, mixer. Cleanup.

* Add v2 to egress, consistent pull policy

* Revert pull policy default

* Missed a go, found by the test

* Cleanup circle zombies (#5399)

* Cleanup circleci jobs: remove zombies

* Move cloudfoundry test around, better capture output in dashboard
  Move cloudfoundry to tests

* conversion to junit in makefile

* istioctl convert-networking-config Ingress to Gateway (#5411)

* istioctl convert-networking-config Ingress to Gateway

* Remove whitespace for lint

* Don't shadow err var

* Don't try to improve MergedGateways output

* Use the new ingressgateway selector

* Revert "Add mixer tests for the Istio authn filter (#5267)" (#5426)

This reverts commit 2099c15597780ae99d511274c091a746b0464feb.

* Change Istio CA to Citadel in README. (#5318)

* Update proxy sha (#5463)

* Change GKE version from 1.9.6-gke.0 to 1.9.6-gke.1 (#5460)

1.9.6-gke.0 is not available in GCP anymore, 1.9.6-gke.1 should be used instead.

Currently, GCP DM deployment fails with following error:
istio-cluster: {"ResourceType":"container.v1.cluster","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"message":"Version "1.9.6-gke.0" is invalid.","status":"INVALID_ARGUMENT","statusMessage":"Bad Request","requestPath":"https://container.googleapis.com/v1/projects/aburnos-kube-playground/zones/us-central1-a/clusters","httpMethod":"POST"}}

* Add dns lookup family to the clusters (#5447)

* add setting dns_lookup_family to v4_only

required due to https://github.com/envoyproxy/envoy/issues/3306
in v2, the default value of dns_lookup_family changed from v4_only
to auto

* enable bookinfo egress tests for v1alpha3

* Revert "enable bookinfo egress tests for v1alpha3"

This reverts commit 1c9d5422177d8f271c230c0fff8b9ab4b2559cb3.

* Fix fault rule versions (#5471)

Force merging because test failure unrelated to this change.

* Revert incorrect change to fault rules (#5476)

Undoing previous incorrect fix

* enable mtls for ingressgateway loadbalancer istio-auth.yaml (#5405)

* Remove expected error message check from test, as the message could be different depends on platform. (#5461)

* Cloud Foundry service registry now supports internal routes (#5427)

* can now use two envoys in same test

- made proxy ports and additional http
service are optional (we don't always need
them)
- simplifies the bootstrap template
from for the CF test but can be
used in other cases and is easier to
read for first timers who just need
dynamic discovery to happen

* Bump cloudfoundry/copilot

* Cloud Foundry registry supports internal routes

- requires a iptables DNAT rule in our container to redirect a VIP
to the physical envoy port

* Fix log processing (#5485)

We are missing logs in test-grid, no code change.

* Fix duplicate key on helm ingress/deployment.yaml template (#5468)

No code change.

* Fix IPv6 iptables. (#5341)

* refactor secret controller (#5445)

* refactor secret controller

* Removing secret bootstrap code

* Race tests and more metrics around events from k8s (#5389)

* More metrics, periodic push on by default

* Fix the race - merged from a separate PR, to get the test passing

* Finally reproduced and fixed the close race condition

* Use a different ip for each test client. Fix lint

* Improving the test, trying with larger numbers

* Tests show another potential block, when a (broken) client is not reading. Add code to handle

* Proper timeout on write

* Bring the ads/eds tests to match old eds tests, refine the corner case checks

* Improve hermeticity

* Even more hermeticity, tests should not use same address so they can be run in parallel

* Add metrics for push

* Another pair of tests interfering with each other

* Finally found the test flakiness problem, failing to close connections in previous tests

* Fix the mixer test problem and add back the reverted authn mixer tests (#5458)

* Fix the mixer test problem and add back the reverted authn mixer tests

- Existing mixer tests have a problem that if multiple mixer tests run
in parallel, they may cause the Envoy to crash and the failure of istio
unit tests. This PR fixes such mixer test failures.
- With the above mixer test problem fixed, this PR adds back the
reverted authn mixer tests, which are reverted due to the aforementioned
mixer test problem.

* Change the code of removing the parallel running

* Explicitely prohibit parallel running of the tests

* Add one more flag

* Add one more flag

* Check the go version

* Move mixer tests ahead to observe the result sooner

* Enter/exit mixer directory

* Place the mixer tests to its original place in Makefile

* Add disable-hot-restart option for Envoy and disable hot-restart for new Mixer tests

* Revert the changes to Makefile

* Update proxy sha with stripped binary (#5482)

* envoy_bootstrap_fix (#5450)

* Create correct log dir for CloudFoundry pilot test (#5520)

build change, not affecting the failed tests.

* CKI-3 Use template variable for access log (#5501)

* remove TLSClientConfig setting for httpclient (#5522)

* Create CA certs and make citadel run with designated certs in multi-cluster (#5512)

* Add bin/dump_kubernetes.sh which outputs logs and resource config YAML to a directory (#5422)

* Dump resources into one large yaml
* Also dumps previous logs
* Add secrets and configmaps to resource dump
* Do not create empty files
* Move to bin/
* Rename dump.sh -> dump_kubernetes.sh
* Check resource count for previous rather than ignoring errors
* /bin/sh -> /bin/bash
* Limit line length to 80 characters
* Use `readonly` with global constants
* Use local variables
- declaration and assignment must be split in command substitutions
* Add usage and parse_args function
* Add quiet option
* Use error for check_prerequisites
* Add main function
* Add dump_time
* Pluralize ingress -> ingresses
* Add events to dump_resources
* make dumpsys calls bin/dump_kubernetes.sh
* Add archive flag to make .tar.gz
* `make dumpsys` OUT_DIR/{logs -> dump}
* `make dumpsys` revert removal of tests directory

* Update mixer service port names to use http/2 (#5530)

* mixer: bind gRPC API locally to 9092 and use proxy on 9091 (#5370)

* ignore and remove git history file (#5506)

* Fix a DestinationRule for the bookinfo egress test (#5467)

* enable bookinfo egress tests for v1alpha3

* name -> host in DestinationRule

* helm lint check (#5406)

* Use the global image pull policy in the configmap (#5465)

* Make Kube Pod cache log line more helpful (#5256)

* helloworld example does not include '-n istio-system' in commands for finding host:port (#4213)

* enable rbac test for auth/e2e_pilotv2 (#5544)

* CKI-3 Don't call DumpResponse when res is nil (#5494)

Unrelated test failure.

* Correct contaienr port of netcat server. (#5548)

* Make DNS names case-insensitive (#5528)

* Launch pilot locally failed for my kube config (#5558)

* use namespace as chart name so it is unique

* Revert "use namespace as chart name so it is unique"

This reverts commit c144eeb9634461e7a6130031a3e8379e2556e155.

* fix for #5507 launch pilot discovery failed

https://github.com/istio/istio/issues/5507

* use namespace as chart name so it is unique (#5349)

* Turn off logging for AZ as it is not in scope for 0.8 (#5562)

* Create client using mechanism of PR 5300 (#5563)

* Update api sha to release0.8 latest. (#5464)

* Update api sha to release0.8 latest.

* Change branch

* Update Gopkg.toml too

* Updated some files

* update digest

* Use port number instead of port name in CDS, EDS (for v2 only) (#5543)

* Use port number instead of port name in CDS, EDS (for v2 only)

Also fixes issues such as inability to route from one service to another,
inability to rewrite destination port (80->443).

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint fix

* fixes for consul unit test

* bug fixes for external service registry and unit tests

* lint fix

* update destinations to use port number instead of name

* bug fix for eds_test

* bug fix for xds test

* ads fixes

* use service port for default clustername if service only has one port defined

* gateway use common cluster name building function

* lint fix

* defaultPort->listenerPort review comment

* cloudfoundry patch

* revert to remove cf debug lines

* lint fix

* lint fix again

* lint fix grumble grumble

* set max_concurrent_streams to 1073741824 (#5570)

* Buid, packaging, script fixes. (#5533)

- update deb to v2 (no point in shipping a v1 deb, users can stick
with 0.7 while upgrading)
- fix iptabes - it was not cleaning up properly
- fix istio-start - cp policy not matching the env
- added test programs to the deb-test docker

Also fix the base image for pilot to match that of the v2 sidecar,
debugging is more useful at this point and we are not saving any
disk. We can make a different option for 1.0 if nobody needs
debugging, but we're not there.

Also cleaned up a bit the build for the deb/docker.

* V1 - set h2 max_concurrent_streams to 1073741824  (#5572)

* use http_settings{MaxConcurrentStream: 1073741824} instead of feature=http2

* update golden images

* Fix setting empty CA certificates field in gateway (#5560)

* fix setting empty CA certificates field in gateway

Similar to the handling in https://github.com/istio/istio/blob/release-0.8/pilot/pkg/networking/core/v1alpha3/cluster.go,
applyUpstreamTLSSettings().

Empty CA certificates field causes Envoy to crash in validation -
Envoy requires non-empty CA certificates string.
Also Envoy requires non-empty TrustedCa struct

* remove unneeded local variable

* add a check that trustedCA is not nil

* Update proxy to have raw JWT claims. (#5561)

* Update proxy.

* Fix mixer client test

* attemp to fix 5564 - consistent way to create k8s client (#5566)

* use namespace as chart name so it is unique

* Revert "use namespace as chart name so it is unique"

This reverts commit c144eeb9634461e7a6130031a3e8379e2556e155.

* fix for #5507 launch pilot discovery failed

https://github.com/istio/istio/issues/5507

* pilot/cmd/pilot-agent/main.go

* clean up create interface

* adding create Interface

* fix lint error

* fix unit test error

* use clientcmd.BuildConfigFromFlags instead

* simplify to use clientcmd.BuildConfigFromFlags

* more switch to use clientcmd.BuildConfigFromFlags

* address nit

* correct lint err

* Fix proxy config command for ingress, egressgateway and ingressgateway (#5575)

* Define request.auth.claims (#5550)

* add request.auth.claims attribute, regenerated attribute list

* make request.auth.claims a STRING_MAP

* Update_Dependencies (#5583)

* Fixes for mesh expansion (#5573)

* Mesh expansion doesn't handle internal ServiceEntries

* More testing, finish up fixing ServiceEntry

* Fix the test, add a test for the real use of the method

* IMPORTANT: fix a bug in k8s selection by port.

ByName is selecting the port using the name key - in the new function
we still need to use the name of the service port to find the associated
endpoint port (which may be different)

To make the code more clear and avoid simiar issues - make the method
take a single int param, there is no use in current code for multiple
ports.

Also add a way to specify the AZ for raw VMs, which was broken.

* Fix build

* Add regression test, fix remaining tests

* Remove redundant config, deal with eventual consistency

* Remove unused method

* Change default to 60 sec push (#5593)

Race test not related. Prow tests seem to pass but the job failed somehow.

* Change envoy to default to log level warn #5559 (#5597)

* use namespace as chart name so it is unique

* Change envoy to default to log level warn #5559

* fix the bookinfo v1alpha3 test Makefile target name (#5448)

* Add starting watchers for dynamically added remote clusters (#5541)

* Initial fix of dynamic remote cluster configuration

* Fixing Linting errors

* Addressing comments part 1

* Adding Run of the dynamically created controller

* Adding AppendServiceHandler AppendInstanceHandler

* Add ClearCache callback when new controller starts

* Additional cleanup

* Rebasing to updated release-0.8

* Revert lock

* Restoring Lock

* Addressing comments

* Fixing lock

* Addressing comments

* Reverting locks

* Fix envoy binary used for tests on Mac (#5556)

Download darwin binary when running on darwin. Since #5450 only
linux binaries were downloaded (as GOOS defaults to `LOCAL_OS`).

Co-authored-by: Jan von Loewenstein <jan.von.loewenstein@sap.com>

* Adding files after running dep ensure.

* Add more info to accesslog.logentry instance for telemetry (#5252)

* Add more metrics to collect data in stackdriver logentry

* Update severity in config.yaml to Info as otherwise with Default it shows up as null in bigquery tables.
Updated labels in testdata/config/stackdriver.yaml too

* Added HttpMapping to be filled in accesslogentry.
Also added sentBytes and receivedBytes metrics in accesslogentry

* Fix formatting in log.go

* Fix lint error in log.go

* Fix tee error resolving in false negative for some test jobs (#5601)

* Fix indentation in makefile

* Fix tee issue by creating test dir

* Move to phony target

* Fix typo

* Disable upgrade test since it is flaky and noisy. (#5627)

* Disable upgrade test since it is flaky and noise.

* Fix linter

* allow users to use node port for istio ingress without producing another service for lb (#5610)

* use namespace as chart name so it is unique

* allow user to configure istio ingress service type

* allow user to specify lb ip for gateway

* use the new format

* fix pre-allocating slice capacity (#5585)

* add support for secretVolumes in the deployment of ingressgateway (#5607)

* remove generate_yaml-envoyv2_transition_auth, use generate_yaml-envoyv2_transition (#5602)

* Provide default requested resources for cpu/mem for sidecar (#5584)

* Added resources limits and requests to both automatic sidecar injector and the manual injector (istioctl) configuration

* Removed the requested resources limits which probably cause tests to fail due to lack of resources

* Removed unused global securityEnabled flag and corrected MTLS set (#5636)

* error when filters cannot be marshalled (#5596)

skip listener when filters cannot be marshalled

* Examples should use current rule types (#5640)

* Add ctrlz to Pilot (#5625)

* Add Ctrlz support to Pilot (discovery & agent).

This is a straight-up integration of CtrlZ to Pilot.

* Fix linter issues.

* Attach ctrlzOptions to serverArgs right after attaching cobra flags.

* Revert agent changes.

* Protect against nil CtrlzOptions in args.

Test code will call server without setting this.

* Dump pilot configuration from dump_kubernetes.sh (#5630)

* Add pilot debug info in the dump

* Add to release archive

* review comments and linter issues

* Istio fails to upgrade from 0.7.1 to 0.8 (#5635)

Fixes: #5633

* Update to latest istio/api. (#5645)

* Test fix for changes in Duration struct

* Generate junit reports for all e2e jobs in Prow presubmit (#5567)

* Fix e2e egress httpbin.org tests (#5637)

* Fix pilot e2e tests to match httpbin.org's new format

* Make lint happy

* Match case-insensitive

* Turn down k8senv adapter logging (#5649)

* Add binding address support to ctrlz. (#5613)

* More pre-release fixes cleanup (#5616)

* Use the logging package, and add ctrlz to control logging

* Fix TLS mode for mesh expansion, use common logging config

* Revert accidental mixer change

* format

* type

* Update makefile default from 05, add comments

* Revert ctrlz, Oz submitted separate PR

* Linter seems to dislike log, renamed the field to avoid confusion

* Update reference docs. (#5623)

- Update to latest version of protoc-gen-docs

- Add sorting of debug scopes in pkg/log so that generated docs are consistent.

- Update pkg/collateral to generate description: front-matter instead of overview:
as per the latest changes in istio.github.io

- Update protos to use $description instead of $overview:

- Move template examples from appearing on the template message to appearing on the
package. This ends up giving a better flow in the generated docs.

- Move the location of adapter & template docs into a subdirectory on istio.io for better
organization.

- Document which template each adapter supports.

* ALPN upgrade to http/2.0 (#5618)

* Set h2 protol options

* fix lint error

* Only upgrade traffic within mesh. Announce ALPN if cluster is h2

* update comment

* Use jaeger for zipkin service (#5656)

* Switch from openzipkin to jaeger for zipkin service

* Expose ui port on port 80 for zipkin service

* Add e2e_mixer tests for v1alpha3 (#5417)

* Add e2e_mixer tests for v1alpha3

* Review comment fixes

* Remove check for external service, not required

* Fix merge damage

* Fix merge damage

* Fix bug with listener type logic

* Fix another instance of bad listener type logic

* Disable TestIngressGateway503DuringRuleChange test

* Add a default secure ingress volume (#5634)

* add a default secure volume

* change ingress to ingressgateway in ingressgateway's secret volume values

* As discussed, generate an easy-to use for demo config (#5653)

* Cleanup for generated configs

* File still used by test.

* More unmaiantained old files.

* mixer: add dispatcher scope (#5621)

* Add dispatcher scope

Signed-off-by: Kuat Yessenov <kuat@google.com>

* silly linter

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Release-0.8: update api sha (#5655)

* Limit logging response body to 512 bytes (#5505)

* CKI-3 Suppress logging response body, if ...

it is 10k long or longer.

* Use fhttp.DebugSummary instead of conditional

Co-authored-by: Jan von Loewenstein <jan.von.loewenstein@sap.com>

* Fix formatting

Co-authored-by: Jan von Loewenstein <jan.von.loewenstein@sap.com>

* Use access log configuration in template and (#5496)

Use access log configuration in template and write ...

access log to a fixed file in /tmp to avoid permission problem on MacOS with /dev/stdout.
Also make envoy access log configurable in TestSetup.

Co-authored-by: Jan von Loewenstein <jan.von.loewenstein@sap.com>

* Fix missing kubeconfig issue in daily release (#5688)

* R0.8 (#5697)

* Disable TCPMixerFilter tests.

* Disable one more test.

* Fix lint errors.

* Fix lint errors.

* Quick fix for istio gen-deploy. (#5674)

* Quick fix for istio gen-deploy.

The helm feature never really worked, we'll edit the values.yaml
instead. Feature selection doesn't work and probably never really
worked.

What remains is a minimal helm template renderer, with one optional
values.yaml

* linter fix

* Release-0.8: Update proxy sha (#5658)

* Finish Span when dispatch completes. (#5693)

* Don't bypass mixer report to mixer e2e. (#5695)

* Updated README.md to match changes in istio-proxy container template. Fixes #5662 (#5663)

* Make istioctl get/delete case insensitive by converting arg to lowercase (#5702) (#5708)

* fix version for debian in dailies (#5698)

* fix version for debian in dailies

* check for alphabets at start of line

* Update istio.mk

* Update istio.mk

* Update istio.mk

* Update istio.mk

* Temporarily disable mixer filter in gateway (#5718)

Flaky v1 tests

* ServiceEntry supports unix domain sockets (#5545)

* ServiceEntry supports unix domain sockets

Signed-off-by: Spike Curtis <spike@tigera.io>

* Fix debug MemServiceDiscovery.Instances() to accept port names

Instances() is an interface and we should not modify its meaning, even
in debug/test code.

This fix reverts some of #5543 which broke looking up ServiceInstances
by port name on the MemServiceDiscovery adapter. It returns the existing
tests to using the correct v1 style naming for clusters.

Signed-off-by: Spike Curtis <spike@tigera.io>

* Include helm chart option for installing jaeger specific services (#5670)

* Add option for enabling jaeger specific services

Signed-off-by: Gary Brown <gary@brownuk.com>

* Renamed chart from zipkin to tracing

* Move UI service outside jaeger specific services

* Fix istioctl output format issue. (#5707)

* Make istio-citadel toggable in helm like all other components (#5675)

* add raw_claims to attribute manifest (#5738)

* Automatically clean up old CA resources (#5736)

* Clean up old CA resources.

* Small fix.

* Revert "ALPN upgrade to http/2.0 (#5618)" (#5684)

This reverts commit 885ed99276df7a34bcb8e15cc3547b0aa18b4b6d.

* Add prefixed based routing to Cloud Foundry (#5717)

* Update copilot API

Co-authored-by: Utako Ueda <uueda@pivotal.io>

* Add prefix-based routing for CF

Co-authored-by: Utako Ueda <uueda@pivotal.io>

* Copilot: cache destination rules

Co-authored-by: Utako Ueda <uueda@pivotal.io>

* Extract bootstrapping from copilot snapshot test

Co-authored-by: Utako Ueda <uueda@pivotal.io>

* linting fix

Co-authored-by: Utako Ueda <uueda@pivotal.io>

* removes invalid map type

Co-authored-by: Utako Ueda <uueda@pivotal.io>

* Update CF service discovery to use hashed labels

Co-authored-by: Utako Ueda <uueda@pivotal.io>

* Fix xDS failures calculation in pilot dashboard (#5690)

* Remove unnecessary webhook script (#5493)

Version 0.8 migrated to a helm based installation of the automatic
sidecar injection, thus making this script irrelevant

* Make injector-config-map top level - always installed  (#5722)

* error out for emitTemplate

* Move sidecar-inject-config map to top level

* rename sidecar-injector dir to sidecarInjectorWebhook

* update hook to before creation, hook-succeeded does not work

* restore inject.go

* fix test path

* move injector params inside global.proxy

* set default resource limits

* add imagename to sidecarInjectorWebhook

* Added missing CRDs so that they can be managed by Helm (#5750)

* Fix tracing addon missing issue in release package. (#5748)

* Enhance debug logging for Mixer grpc methods (#5743)

* Fix major issue with List  (#5737)

* Fix major issue with List - any invalid object invalidates the entire list

* Fix key name, remove verbose log

* Format

* Dump CRDs explicitly (#5719)

* Call `set_download_command` unconditionally (#5665)

Co-authored-by: Jan von Loewenstein <jan.von.loewenstein@sap.com>

* SNI header based forwarding for HTTPS ports (#5715)

* sni forwarding for https ports

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nit

* exclude empty IP 0.0.0.0 when populating routes, otherwise there are duplicate domains

* fix wildcard comparison

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* format

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* skip passthrough for TLS termination

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* tests

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* cleanups and mtls on gateway

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* add extra check to verify requests go thru egress gateway

* fmt nits

* fix typo

* remove redundant sentences about the default values (#5754)

for include IP ranges/outbound ports in istioctl kube-inject,
the defaults to the flag descriptions are added automatically

without this PR, the messages of the flags look as follows:
... All outbound traffic can be redirected with the wildcard character '*'. Defaults to "*". (default "*")

* Fix proxy-config bug with multiple Pilots (#5762)

* Fix proxy-config bug with multiple Pilots
Resolves #5733

* Add some tests

* Adds new postsubmits for k8s 1.10 (#5756)

e2e-pilot is flaky. Network working group should be looking at it.

* Upload circle presubmits to different GCS path so testgrid shows results in multiple panels (#5552)

* [WIP] Upload circle presubmits to different GCS path for testgrid to multiplex

* revert using ci2gubernator binary from gcs and use go get

* fix bootstrap destination attributes (#5766)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Add mixer cluster configuration to mixer CR jobs (#5669)

* Add mixer cluster configuration to mixer CR jobs

* fix config map

* Add new service account and binding for cr job

* Fix destination rule

* Use ALPN to indicate HTTP/2 and/or in-mesh traffic. (#5776)

For #5769.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

* Add the missing file back after a bad merge.

* Fix linter error

* Multicluster Fixing locks for add/delete/read (#5622)

* Fixing locks for add/delete/read

* Adding Unit tests

* Addressing comments

* Addressing comments

* Change locking model

* Change locking model

* Bookinfo Cleanup.sh should remove virtualservices, gateways and destinationrules (#5709)

* Also remove virtualservices, gateways and destinationrules (#5703)

* Updated following review comments

* do not set full wildcard SNI domains (#5785)

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* additional context path work for cloud foundry (#5790)

* context paths corrected

* configs need to stay sorted

* Remove comment and fix {live,readi}ness path to '/graph' on servicegraph  … (#5490)

This is workaround because servicegraph haven't the health check path.
But the ingress-gce needs the readinessProbe path that returns 200 status, so we should get 'generic JSON serialization' body and 200(httpOK) status.

* CKI-3 Fix tear down of envoy on exit (#5495)

Defered funcs won't be called when os.Exit() is invoked in the
same method.

* Revert switch to jaeger (#5795)

* Revert "Include helm chart option for installing jaeger specific services (#5670)"

This reverts commit 6dbbacac0b478017179480778637c9d8d781ac25.

* Revert "Use jaeger for zipkin service (#5656)"

This reverts commit 7efb91dc24666803ea8dfeceaafc61088ae8b68a.

* Multicluster Adding Delete logic for dynamically created controllers (#5672)

* Initial Code load

* Addressing unit test failure

* Fixing initial controller

* Addressing comments

* Fixing unit tests

* Fixing lint

* Addressing comments

* Proxy image default to v2 (#5741)

* use namespace as chart name so it is unique

* use proxyv2 as default

* updating few values yaml in hope to get test passing

* add a missing proxyv2 config

* getting back needed proxyv2 to get test passing

* getting back needed proxyv2 to get test passing

* use proxy for old ingress

* change zipkin error to log message for flaky tests (#5819)

* Istioctl kube-inject requires injectConfigFile or injectConfigMapName (#5800)

* force users to use injectConfigMapName or injectConfigFile

* set ISTIOCTL_USE_BUILTIN_DEFAULTS in Makefile, so tests continue to work

* set defaults for injectconfigmap

* ensure that tag and hub are specified when using builins

* Remove errant extra comma in ads response (#5832)

* Replace join implementation (#5836)

* Replace join implementation

* Update dump_kubernetes.sh

* Fix pilot_cli debug tool to work with EDS (#5531)

* Fix pilot_cli debug tool to work with EDS

* Clean up unused code.

* Renamed the sidecar injection toggle key to match the new name (#5808)

* Switch back to jaeger - revert (#5795) (#5840)

This reverts commit 0e633b33928dde75ef4afd036daf80733bd016fd.

* SNI, Listeners, and VHost bug fixes (#5807)

* disable full wildcard for mesh

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* updates

* more bug fixes and proxy sha update

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo some changes in gateway

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* patching

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* no sni hosts for plain text listeners in gateway

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Do not set SNI for internal services

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* tcp fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Do not infer Client TLSSettings based on Authentication Policy. (#5525)

* Add handling of ISTIO_MUTUAL when generating cluster config.

* Remove the inferences from authn policy.

Also remove the accidetally included port level DR policy #5055.

* respect the global configmap by changing how to build defaultTrafficPolicy

* Fill in TLSSettings in advance to avoid plumbing service account.

* remove dead code.

* Skip override for external and support port level settings.

* update dependency

* restore port level settings.

* remove redudant call plugins loop.

* Check fields to avoid null pointer reference.

* fix the lint.

* Move down the H2 header since ISTIO_MUTUAL to avoid NPR.

* Change cluster.go to remove TLS when it's DISABLE mode.

* Add the DestinationRule to make the test passing.

* Add DestinationRule to pass TestAuthnJWT test.

* Remove obsolete todo

* Only add DestinationRule when auth is enabled for TestAuthNJwt.

* Move configmap check into the branch when no DR is available.

* Remove the NIR code in cluster.go.

* Add H2 back and change disable-egress-mtls.yaml for gateway.

* Fix ingress e23 tests

* Correct template

* Apply DR template for TestRoutes.

* Fix TestRouteFaultInjection

* Add tls ISTIO_MUTUAL for mixer destination rules.

* fix the lint in cluster.go.

* Rename the fillTemplate and clarify the comments.

* Change the ISTIO_MUTUAL for grpc-mixer-mtls port, instead of everything.

* Wrap around adding DR before checking v1alpha3.

* fix the lint and change istio-telemetry port tls.

* Add ISTIO_MUTUAL in route-rule-all-v1.

* Branching the route-rule-all-v1-mtls when auth_enable=true for prow test.

* copy the kube/route-rule-all-v1-mtls.

* Remove chgrp in tproxy that suppressed core dumps (#5846)

* Fixing new linter errors.

* export RESOURCE_TYPE (#5850)

* missing ability to filter instances by label (#5851)

Co-authored-by: Nancy Hsieh <nhsieh@pivotal.io>

* Fix values-istio-demo.yaml, empty global replace global dict with empty (#5859)

* rename istio-mixer-create-cr to istio-mixer-post-install (#5857)

* Bug fixes in SNI forwarding for external services (#5845)

* Bug fixes in SNI forwarding for external services

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* fix istioctl

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nil pointer fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Add mixer config info into per route (#5853)

* Add mixer config info into per route

* Skip gateway 503 test

* Updating fortio to latest (0.11.0) (#5765)

Ran
```
dep ensure --update istio.io/fortio
```

* Fixes some minor bugs in multicluster e2e tests (#5329)

A few bugs with respect to error handling have been
noted in the multicluster e2e tests,  This change fixes
these bugs.

* fix cleanup.sh (#5660)

* Rename Service's field: Addresses -> ClusterVIPs (#5664)

* Rename Service's field: Addresses -> MulticlusterAddresses

* Rename MulticlusterAddresses -> ClusterVIPs

* Metrics now refresh automatically and look better. (#5615)

* Reference new types from policy/v1beta1 (#5587)

* Add NOTES.txt for chart. (#5906)

* Cleanup some superfluous abstractions (#5740)

- Delete the unused Result and CacheabilityInfo types

- Delete the SetStatus/GetStatus functions, replaced with Go-idiomatic field writes

- Delete the unused CheckResult.Combine method

- Inline the CheckResult.CombineCheckResult method since it is used only once and its
semantics were misleading (as it didn't combine the embedded status field)

* Ran `dep ensure -update github.com/envoyproxy/go-control-plane` (#5889)

* Adding instructions and scripts to facilitate running E2E tests locally (#5838)

* Add documents and scripts for k8s+vagrant env.

* update macOS setup

* Update and rename setup_linux_prereqs.sh to linux_prereqs.sh

* Update localregistry.yaml

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* U…