Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

kube: use protobuf in client #44379

Merged
merged 2 commits into from
Apr 14, 2023
Merged

Conversation

howardjohn
Copy link
Member

This was attempted in #38658 but the config set is never used there.

Also add an opt-out and AcceptContentTypes to allow json fallback as recommended by k8s

In a 40k pod cluster this reduced Istiod memory by 50%

This was attempted in istio#38658 but the `config` set is never used there.

Also add an opt-out and AcceptContentTypes to allow json fallback as
recommended by k8s
@howardjohn howardjohn added the release-notes-none Indicates a PR that does not require release notes. label Apr 13, 2023
@howardjohn howardjohn requested a review from a team as a code owner April 13, 2023 23:10
@istio-testing istio-testing added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Apr 13, 2023
@istio-testing istio-testing merged commit 1cfd626 into istio:master Apr 14, 2023
psbrar99 added a commit to tetratelabs/istio that referenced this pull request Aug 7, 2023
* Retry when east-west gateway hostname resolution fails (istio#44192)

* retry when gateway hostnames resolution failed

* add a ut

* add a release note

* test

* test retry period

* test

* test

* update retry period

* distinguish server failure

* fix

* fix ttl

* remove named return values

* address comments

* Automator: update proxy@master in istio/istio@master (istio#44295)

* gateway: skip un-managed types in deploymentcontroller (istio#43541)

* Automator: update proxy@master in istio/istio@master (istio#44298)

* Add nil-check for WASM validation (istio#44296)

* kube-probe: avoid duplicate probe headers (istio#44297)

This is a regression of istio#28466 from
istio#31866

The 31866 fixed the k8s spec having duplicates, but we end up
duplicating all headers twice - the kubelet adds the header from
HTTPHeaders and we also add from HTTPHeaders, resulting in 2x every
header.

Instead, we simply copy the incoming request headers and host, making us
a fairly transparent proxy.

* Refactor multi network manage (istio#44190)

* Refactor multi network

* Change reloadXX to networkManager's private method

* Automator: update go-control-plane in istio/istio@master (istio#44301)

* Automator: update proxy@master in istio/istio@master (istio#44302)

* Automator: update common-files@master in istio/istio@master (istio#44305)

* skip gateway.istio.io/controller-version anno message that is not created by users (istio#44306)

* Automator: update istio/client-go@master dependency in istio/istio@master (istio#44312)

* Fix the metric and log reports for the dryrun gateway config (istio#44303)

* fix reporting metric for dryrun gateway config

* add releasnotes

* improve log

* Automator: update common-files@master in istio/istio@master (istio#44314)

* Early update_deps.sh before branching (istio#44317)

* e2e: refactor grpc stats test (istio#44307)

* e2e: refactor grpc stats test

* fix gen

* fix build

* fix analyze

* fix buildGRPCQuery

Signed-off-by: hejianpeng <hejianpeng2@huawei.com>

---------

Signed-off-by: hejianpeng <hejianpeng2@huawei.com>

* Automator: update proxy@master in istio/istio@master (istio#44320)

* Fix system namespace filtering (istio#44325)

* update istio.io/api (istio#44330)

* validation: add another nil check (istio#44332)

* Fix type at shared.go (istio#44326)

Signed-off-by: jongwooo <jongwooo.han@gmail.com>

* Update istio.io modules (istio#44331)

* Update istio.io modules

* Run `mske gen`

* Add update_ztunnel script (istio#44334)

* remove sync all (istio#44111)

* remove syncall

* update

* update

* Fix namespace equal check

* Fix ClusterExternalAddresses race

* Fix

* Add bookinfo demo for PSA (istio#44214)

Signed-off-by: Kalya Subramanian <kasubra@microsoft.com>

* Integration tests for ENABLE_ENHANCED_RESOURCE_SCOPING feature (istio#44246)

* Integration tests for ENABLE_ENHANCED_RESOURCE_SCOPING feature

Signed-off-by: Faseela K <faseela.k@est.tech>

* fix lint

Signed-off-by: Faseela K <faseela.k@est.tech>

* add build tag

Signed-off-by: Faseela K <faseela.k@est.tech>

* fix lint

Signed-off-by: Faseela K <faseela.k@est.tech>

* skip VMs

Signed-off-by: Faseela K <faseela.k@est.tech>

* Require singlecluster

Signed-off-by: Faseela K <faseela.k@est.tech>

* SkipExternalControlPlaneTopology

Signed-off-by: Faseela K <faseela.k@est.tech>

* Require Multi Primary

Signed-off-by: Faseela K <faseela.k@est.tech>

* add build tag

Signed-off-by: Faseela K <faseela.k@est.tech>

* replace httpbin.org with echo external service

Signed-off-by: Faseela K <faseela.k@est.tech>

---------

Signed-off-by: Faseela K <faseela.k@est.tech>

* Update deps 2023 04 10 (istio#44319)

* ./bin/update_deps.sh

* update go deps

* Remove default.yaml

* Make gen

* Revert change to distroless

* Fix controller runtime

* Update istio.io/api and istio.io/pkg

* Run go mod tidy

* Update release prow

* Update istio.io/api

* Automator: update istio/client-go@master dependency in istio/istio@master (istio#44339)

* Use official 0.27.0 release (istio#44340)

* reduced tokenWaitBackoff from 1 second to 10 millis (istio#44338)

* Fix the ztunnel iop specification for resources leads to a patch error. (istio#44322)

* fix ztunnel iop resource

* add test

* Automator: update proxy@master in istio/istio@master (istio#44343)

* Fix ServiceEntry WorkloadInstanceHandler for label change in Pods (istio#42922)

* Fix ServiceEntry WorkloadInstanceHandler for label change in Pods

For a label change in WorkloadInstance, which results in a mismatch with a previously matching ServiceEntry, the whole update event is skipped. Which results in the WorkloadInstance not getting removed from the ServiceEntry.
This fix changes the behaviour for such cases to handle those updates similar to a delete event and clean up the WorkloadInstance from the list.

Fixes [istio#42921]

* use DeepEquals to avoid SubsetOf iteration

* gocritic linting fix

* go back to the first approach

* fix workloadInstanceDiff

* fix linting errors

* change test cases to table format

* fix testcase for new Event type

* fix Event Type

* go fmt

* remove wi diff

* Update BASE_VERSION to master-2023-04-12T19-02-00 (istio#44357)

* Add docs for Calico, set the annotation by default. (istio#44259)

* Add docs for Calico, set the annotation by default.

* Finish the comment.

* Remove debug, kubectl debug works

* indent

* Update manifests/charts/istio-cni/README.md

---------

Co-authored-by: John Howard <howardjohn@google.com>

* update_deps.sh change (istio#44373)

* fix gateway service name (istio#44365)

* Automator: update proxy@master in istio/istio@master (istio#44380)

* validation: add small nil check (istio#44360)

* Remove kustomize and precompute manifests (istio#44376)

See istio#44237 for more info

* Add a better check for ztunnel pod guess (istio#44292)

* add a better check for ztunnel guess

* rebise based on comments

* cni: drop experimental taint controller (istio#44377)

This controller was added many years ago as an experiment and hasn't
progressed. Unless there are users who have remained hidden during this
time, I think its effectively dead code we should cleanup.

* kube: use protobuf in client (istio#44379)

* kube: use protobuf in client

This was attempted in istio#38658 but the `config` set is never used there.

Also add an opt-out and AcceptContentTypes to allow json fallback as
recommended by k8s

* fix writes

* Remove release note approval by release-managers (istio#44395)

* gateway: prevent duplicate `istio_authn` network filter in the filter chain (istio#44388)

* gateway: prevent duplicate `istio_authn` network filter in the filter chain

Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io>

* add release notes

Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io>

* fix lint

Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io>

* fixup

Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io>

* ensure stability of the unit test

Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io>

---------

Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io>

* Add response headers for grpc (istio#44394)

* Add response headers for grpc

* Update the output

* Automator: update istio/client-go@master dependency in istio/istio@master (istio#44396)

* Automator: update common-files@master in istio/istio@master (istio#44398)

* Use k8s 1.27.0 as the default node image for integration testing (istio#44400)

* Automator: update proxy@master in istio/istio@master (istio#44403)

* remove deadcode from operator proto (istio#44397)

Was missed in previous PR

* fix:productpage build fail (istio#44405)

Signed-off-by: xin.li <xin.li@daocloud.io>

* Run update_deps.sh (istio#44404)

* chore: Fix function name of comment (istio#44406)

Correct name is runAllTypes but comment has pruneAllTypes

* Automator: update go-control-plane in istio/istio@master (istio#44407)

* Automator: update proxy@master in istio/istio@master (istio#44408)

* Automator: update ztunnel@master in istio/istio@master (istio#44409)

* Remove hard coded Istio namespace (istio#44410)

* Automator: update proxy@master in istio/istio@master (istio#44411)

* Analyze: add cert check for gateway credential (istio#43921)

* add cert check for gateway credential

* add releasenotes and lint

* reuse some logics and add more checks

* make gen

* remove unnecessary releasenotes

* Automator: update proxy@master in istio/istio@master (istio#44419)

* Fix webhook issues in installation process (istio#44345)

* fix webhook creation in install process

* add releasenotes

* Only set the WorkloadSelector of ServiceEntry if the label is not empty (istio#44420)

Signed-off-by: Yanqiang Miao <miaoyq_2010@163.com>

* Setting the control plane lazily (istio#44417)

Change-Id: I31adfcb808d04aef51c42ddaed5b3473db2397a5

* Automator: update proxy@master in istio/istio@master (istio#44431)

* "istioctl pc route" output add "VHOST NAME" (istio#44414)

* "istioctl pc route" output add "VHOST NAME"

* add releasenote

* fix

* Update releasenotes/notes/44414.yaml

Co-authored-by: Yossi Mesika <ymesika@gmail.com>

---------

Co-authored-by: Yossi Mesika <ymesika@gmail.com>

* Temper severity of extraneous errors (istio#44416)

When the CNI initially runs on a node that is
clean of the ztunnel chains errors and warnings
are logged that are extraneous. This change reduces
the severity and adds comments in the code.

* cleanup message.yaml (istio#44421)

* update_deps for 1.18 branch cut (istio#44436)

* Automator: update proxy@master in istio/istio@master (istio#44442)

* fix wrong example for admin log (istio#44438)

Signed-off-by: xin.li <xin.li@daocloud.io>

* add validation for empty prefix header match (istio#44428)

* add validation for empty prefix header match

* fix linter issues

* update error message + add a release note

* add "prefix" to the error message

* >fix `istioctl analyze` to panic when the server port in gateway is nil. (istio#44321)

* >fix `istioctl analyze` to panic when the server port in gateway is nil.

* Update releasenotes/notes/fix-44318.yaml

Co-authored-by: Xiaopeng Han <hanxiaop8@outlook.com>

---------

Co-authored-by: Xiaopeng Han <hanxiaop8@outlook.com>

* Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#44527)

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44550)

* [release-1.18] Automated branching step 4 (istio#44553)

* Automator: update istio/pkg@release-1.18 dependency in istio/istio@release-1.18 (istio#44559)

* Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#44560)

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44564)

* Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#44563)

* Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#44567)

* Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#44569)

* Update BASE_VERSION to release-1.18-2023-04-26T19-01-40 (istio#44576)

* Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#44607)

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44610)

* Update master to 1.18 (istio#44615)

* gateway-api: start reading ReferenceGrant beta (istio#44619)

Co-authored-by: John Howard <howardjohn@google.com>

* update to kiali 1.67.0 (istio#44504)

Co-authored-by: John Mazzitelli <mazz@redhat.com>

* revise waypoint examples (istio#44511)

Co-authored-by: xiaopeng <hanxiaop8@outlook.com>

* Use safer dedupe for config (istio#44521)

This is just appending them, there is no guarantee of conflicts being
avoided

Co-authored-by: John Howard <howardjohn@google.com>

* disable automount SA token only on tests with min istio revisions >= 1.16 (istio#44533)

Testing multiple istio versions involves older istio versions which doesn't support sidecars with disable automount SA token. This was enabled form 1.16 onwards.

Co-authored-by: akshayjnambiar <akshayjnambiar@google.com>

* Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#44625)

* [release-1.18] Fix pilot using wrong readinessprobe check, should check if /validate and /inject endpoints are ready. (istio#44632)

* fix validationcontroller not having readinessprobe

* add releasenotes

* revise based on comments

* revise based on comments

* Delete 44526.yaml

---------

Co-authored-by: xiaopeng <hanxiaop8@outlook.com>

* typo fix for failover validation (istio#44638)

Co-authored-by: Greg Hanson <gregory.hanson@solo.io>

* telemetry: deflake access log tests (istio#44645)

Example failure:
https://prow.istio.io/view/gs/istio-prow/pr-logs/directory/integ-telemetry_istio/1652008195079540736

It looks like the XDS push is just causing too much load and it takes
more than 10s to process. We see during XDS push /stats/prometheus also
times out.

Co-authored-by: John Howard <howardjohn@google.com>

* [release-1.18] Support p384 curves (istio#44628)

* support p384 curves

* code review and make gen

* cleanup test

* fix linter

* only support 256 and 384

* cleanup tests

---------

Co-authored-by: Jacob Delgado <jacob.delgado@volunteers.acasi.info>

* Automator: update go-control-plane in istio/istio@release-1.18 (istio#44651)

* [release-1.18] Skip runtime resources when analyzing files (istio#44663)

* Skip runtime resources when analyzing files

* add test data and fmt

* add support for tests to analyze pods

* update analyze test to respect file exclusions

* show failed json in message

* fix json formatting

* differentiate json analyzer tests

* add release note

---------

Co-authored-by: Mitch Connors <mitchconnors@gmail.com>

* [release-1.18] gateway: fix and test unmanaged skipping (istio#44508)

* gateway: fix and test unmanaged skipping

istio#43541 didn't work quite right due to
a rebasing issue. Fix it and add better tests

* fix test

* fix log

* use unique name (istio#44528)

(cherry picked from commit 7033e9537a68f23a77f804f35413c7d00b6e00be)
(cherry picked from commit c8f7331)

---------

Co-authored-by: John Howard <howardjohn@google.com>

* vwh: speedup reconcilation and fix test flake (istio#44658)

Fixes
https://prow.istio.io/view/gs/istio-prow/logs/integ-pilot-cpp_istio_postsubmit/1651656748131422208
failure

This is a  1.18 regression since we changed the queue backoff. This
fixes it in 2 ways:
* Make sure we don't ahve to wait 1min every time
* Make sure once one webhook succeeds, all of them do

This also makes the test more robust to wait for all webhooks instead of
just one.

Co-authored-by: John Howard <howardjohn@google.com>

* Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#44672)

* Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#44669)

* Use go-control-plane from the last commmit before 1.26 was cut (istio#44674)

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44682)

* Fix new test which was broken on distroless (istio#44685)

There is no distroless app container

Co-authored-by: John Howard <howardjohn@google.com>

* Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#44694)

* update_deps output priot to beta0 build (istio#44699)

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44707)

* Actually change the rate limiter type (istio#44726)

Co-authored-by: John Howard <howardjohn@google.com>

* Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#44727)

* Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#44724)

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44728)

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44738)

* Fix multi-cluster issue by increasing the timeout of listing CRDs (istio#44715) (istio#44740)

When a new secret is added, a watcher will be created based
on the remote secret. The process can fail if the API server doesn't
respond in 10 seconds which can be the case if the cluster contains
a lot of CRDs. This PR bumps the timeout to 60 seconds which is
the default timeout value (specified in --request-timeout) for
requests to API server.

* [release-1.18] Fix persistent sessions scale down with envoy (istio#44653)

* Missing change for persistent session support.

Without it envoy will drop the draining endpoints and scale down will break.

* Update the cluster status to be more future proof, add grpc, c++ implementation requires this

* Remove unhealthy

---------

Co-authored-by: Costin Manolache <costin@gmail.com>

* Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#44760)

* [release-1.18] Fix gateway hostname resolution TTL (istio#44768)

* fix gateway hostname resolution ttl

* add tests

---------

Co-authored-by: dddddai <dddwq@foxmail.com>

* [release-1.18] Fix verify-install to work with multi iops (istio#44752)

* fix verify-install with multi iops

* Update releasenotes/notes/verify-install-multi-iops.yaml

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

---------

Co-authored-by: xiaopeng <hanxiaop8@outlook.com>
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

* deployment controller: add leaderelection back (istio#44746) (istio#44771)

* Add per-revision leader election

* Add leader election for deployment controller

(cherry picked from commit acd30f9)

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44774)

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44780)

* fix missing gateway services (istio#44461)

Co-authored-by: dddddai <dddwq@foxmail.com>

* add support for security.istio.io/v1beta1 api in authz tests when testing multiple istio versions (istio#44806)

Testing multiple istio versions involves older istio versions which uses the v1beta1 api. This change will start using v1 for 1.17+ and v1beta1 for 1.16-.

Co-authored-by: Akshay J Nambiar <akshayjnambiar@users.noreply.github.com>

* set delay between retry attempts (istio#44809)

Co-authored-by: dddddai <dddwq@foxmail.com>

* [release-1.18] istiod: drop Alpha Gateway API types by default (istio#44812)

* istiod: drop Alpha Gateway API types by default

This is problematic because most providers will not install Alpha CRDs.
So once these promote to Beta, clusters will have *only* beta version in
the CRD. We would detect the CRD and attempt to watch, but fail as alpha
does not exist.

This makes the alpha enablement an explicit opt-in to avoid this.

An alternative could be to read the actual CRD to check it has the
version we want. However, this is not safe -- a user may silently stop
reading critical configurations.

This is not needed for Istio CRDs as we don't remove old versions.

* Fix test

* fix build

* fix note

---------

Co-authored-by: John Howard <howardjohn@google.com>

* [release-1.18] Fix precheck and analysis messages (istio#44832)

* fix precheck and analysis messages

* fix lint

---------

Co-authored-by: xiaopeng <hanxiaop8@outlook.com>

* update_deps prior to beta1 build (istio#44846)

* inject: remove unknown fields from template (istio#44860)

We have a number of cases where we insert unknown fields into the
template. This eventually gets marshalled into a `v1.Pod`, so the
unknown fields are dropped. So it has no impact, but it is "wrong".

However, one of the fields we have (restartPolicy) is actually going to
be a valid field in future k8s, so would start breaking at that point.
So this *will* be a critical bug for future k8s versions.

Test with:

Replace applyOverlayYAML with

```
	decoder := json.NewDecoder(bytes.NewReader(patched))
	decoder.DisallowUnknownFields()
	if err := decoder.Decode(&pod); err != nil {
		return nil, fmt.Errorf("unmarshal patched pod: %v", err)
	}
```

Its probably a nice idea to keep it as non-strict to be resilient to unexpected issues?

Co-authored-by: John Howard <howardjohn@google.com>

* [release-1.18] vm: support health checks for VMs that are not using auto-registration (istio#44866)

* vm: support health checks for VMs that are not using auto-registration

Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io>

* add release notes

Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io>

---------

Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io>
Co-authored-by: Yaroslav Skopets <yaroslav@tetrate.io>

* remove file from file certs before triggering call backs (istio#44907)

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
Co-authored-by: Rama Chavali <rama.rao@salesforce.com>

* spiffe: fix handling of trust bundles with multiple keys (istio#44947)

In the existing implementation, we were overriding the `cert` while
iterating over doc.Keys. This commit fixes that.

Further, there was an unnecessary check for the existence of
`ret[trustDomain]`. We are iterating over a map with `trustDomain` as
keys, maps don't have duplicate keys, and so `ret[trustDomain]` would
never have had a key before we set it in this iteration.

This is a cherry-pick for istio#44831 (with modifications in the tests to
avoid conflicts). This was cherry-picked in 1.17 as istio#44909.

Change-Id: Ibf68f75cc667a72cce68bd42e4f600bd37946222

* Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#44992)

* Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45001)

* Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#44994)

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45008)

* [release-1.18] deploymentcontroller: add support for ProxyConfig CRD (istio#44987)

* deploymentcontroller: add support for ProxyConfig CRD (istio#44916)

* deploymentcontroller: add support for ProxyConfig CRD

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Handle default gateway labels

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Remove a comment

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Handle pod annotations

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Encapsulate EffectiveProxyConfig into GetProxyConfigOrDefault

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Remove default pod label service.istio.io/canonical-name

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Respect only istio.io/gateway-name label when matching ProxyConfig with Gateway

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Add release note

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Change area in the relase note

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Remove support for proxy.istio.io/config annotation applied to k8s Gateway pods

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

---------

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Fix unit tests

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

---------

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45024)

* [release-1.18] Fix bug report missing all logs for json logs (istio#45026)

* Add json log parsing

* Remove bug report file

* Omit filter and add tests

* Extract to parseLog

* Fix test failures

* Fix format

---------

Co-authored-by: Siyi Wang <siyiwang@google.com>

* telemetry: enable experimental mertic expiry (istio#44605) (istio#45037)

* mertic-expiry

* fix test

* fix lint

* add release-notes

* fix gen

* use ProxyMetadata

* fix rebase

* add test

* update release-notes

* fix not working

* reduce xds size

* use pilot ENV

* update with john's comment



* add UT

* fix lint

---------

Signed-off-by: hejianpeng <hejianpeng2@huawei.com>

* [release-1.18] fix backoff and read ca file interval (istio#45038)

* fix read ca file interval

* fix backoff never stop

* address comment

* remove permanent error

* Address comment

---------

Co-authored-by: Zhonghu Xu <xuzhonghu@huawei.com>

* fix waypoint list summary and add revision (istio#45052)

Co-authored-by: xiaopeng <hanxiaop8@outlook.com>

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45072)

* Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45074)

* Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45076)

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45094)

* Update BASE_VERSION to release-1.18-2023-05-24T19-03-47 (istio#45109)

* RetryWithContext should use the new NextBackOff() (istio#45123)

Signed-off-by: Faseela K <faseela.k@est.tech>
Co-authored-by: Faseela K <faseela.k@est.tech>

* rc.0 step 1 - update deps (istio#45134)

* Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45139)

* Temporarily remove eBPF impl pending CNCF guidance (istio#45167)

eBPF support is temporarily disabled pending CNCF establishing guidance around dual-licensed eBPF bytecode
cncf/toc#1000 (comment)

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>

* 1.17: bump docker dep (istio#45199)

This has a "CVE". It doesn't impact Istio but makes scanners unhappy.

The dep is only used in WASM code and is a small bump so pretty low risk

* Update BASE_VERSION to release-1.18-2023-05-31T19-02-09 (istio#45225)

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45281)

* Update BASE_VERSION to release-1.18-2023-06-05T19-04-11 (istio#45289)

* Update deps prior to 1.18.0 GA (istio#45310)

* Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45325)

* Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45326)

* Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45333)

* precise-errorcode-debuggen (istio#45164)

Change-Id: Ia2654e18006b7cc2d54bb86ff9c9a2abe9e28bf5

Co-authored-by: Ingwon Song <igsong@google.com>

* [release-1.18]Manual cherry-pick of 44481 and 44775 (istio#45081)

* add PDB to gateway chart

* add releasenotes

* revise based on comments

* revise values to have better control

* disable PDB by default

* [release-1.18] Certificate Revocation List support (istio#45130)

* refactor KeyCertAndStaple (istio#44764)

Doing this refactoring in preparation for CRL support

Signed-off-by: Faseela K <faseela.k@est.tech>

* Certificate Revocation List support (istio#45104)

Signed-off-by: Faseela K <faseela.k@est.tech>

* populate crl only when the key is present in secret (istio#45112)

Signed-off-by: Faseela K <faseela.k@est.tech>

* skip empty ocsp staple configuration (istio#45159)

Signed-off-by: Faseela K <faseela.k@est.tech>

---------

Signed-off-by: Faseela K <faseela.k@est.tech>

* Adding LRS support (istio#45165)

Change-Id: Ifd075d62a5f0dda3b4b57eb807677f1637bed04f

Co-authored-by: Ingwon Song <igsong@google.com>

* Fix invalid XDS configuration for wildcard Ingress HTTP path (istio#44898) (istio#45168)

* Fix invalid XDS configuration for wildcard Ingress path

Updates Ingress to VirtualService translation to not create a
HTTPRequestMatch when the URI is nil. The URI is nil when the path
is a wildcard or is empty and the pathType is nil or
implementationSpecific. This change prevents an Envoy failure.
Envoy regex fails when the path seperated prefix is empty or has a
trailing "/".



* Fix failing unit tests - handle sorting HTTPRoutes with no
HTTPRequestMatches



* Update golden converion tests for ingress. Remove empty match.



---------

Signed-off-by: jaellio <jaellio@microsoft.com>

* Fix Telemetry disablement matching (istio#45303)

Co-authored-by: John Howard <howardjohn@google.com>

* Add rolling update max unavailable to CNI chart to speed up deploys (cherry pick to release-1.18) (istio#44934)

* Add rolling update max unavailable to CNI chart to speed up deploys

* Update generated code

* Update chart updating instructions

* Add release note

* Skip config from istio#44642

* [release-1.18] Fix istioctl pc secret cert validity not accurate (istio#45343)

* fix istioctl pc secret cert valid

* lint and add releasenotes

---------

Co-authored-by: xiaopeng <hanxiaop8@outlook.com>

* Change to use Node instead of RawMeta (istio#45359)

Change-Id: I21117025bb99b62c18484d2f1598a001751faaa4

Co-authored-by: Ingwon Song <igsong@google.com>

* [release-1.18] Check the disabled status when adding a log provider (istio#45373)

* Check the disabled status when adding a log provider

By checking the disabled status when adding a log provider, this PR fixes an issue where disabling a log provider through Istio telemetry API would not work. Otherwise, a disabled log provider may still be added to the log configuration and cause the disabling to not work as expected. The test case in this PR verifies that with the fix this PR, a disabled log provider will not be added to the log configuration.

* Update the variable name

---------

Co-authored-by: Lei Tang <32078630+lei-tang@users.noreply.github.com>

* Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45381)

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45450)

* [release-1.18] Update min supported k8s version to 1.24 (istio#45444)

* update min supported k9s version to 1.24

* add releasenotes

---------

Co-authored-by: xiaopeng <hanxiaop8@outlook.com>

* [release-1.18] cherry-pick: add debug info when generating certs for workloads (istio#45194)

* cherry-pick: add debug info when generating certs for workloads istio#45183

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* remove signer and make ttl human readable

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* Update BASE_VERSION to 1.18-2023-06-15T19-02-54 (istio#45495)

* [release-1.18] improve accesslog mode e2e tests (istio#45519)

* improve accesslog mode e2e tests

* retry

Signed-off-by: hejianpeng <hejianpeng2@huawei.com>

* fix

---------

Signed-off-by: hejianpeng <hejianpeng2@huawei.com>
Co-authored-by: hejianpeng <hejianpeng2@huawei.com>

* Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45569)

* Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45570)

* Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45579)

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45587)

* prow: move to use WI for auth_header in private (istio#45609)

This replaces authentikos

Co-authored-by: John Howard <howardjohn@google.com>

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45667)

* Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45660)

* Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45690)

* Bump github.com/lestrrat-go/jwx from 1.2.25 to 1.2.26 (istio#45684)

Signed-off-by: Kalya Subramanian <kasubra@microsoft.com>

* Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45702)

* Fix auth header syntax (istio#45711)

Co-authored-by: John Howard <howardjohn@google.com>

* gcp metadata: compute GCPClusterURL from metadata (istio#45741)

This allows computing GCPClusterURL from GCP_METADATA env var, if it is
set. This allows usage with zero dependency on the metadata server.

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45747)

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45769)

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45771)

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45834)

* [release-1.18] Fix a potential nil panic of endpointindex (istio#45808)

* fix a potential nil panic of endpointindex

* add releasenotes

* revise releasenotes

---------

Co-authored-by: xiaopeng <hanxiaop8@outlook.com>

* Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45857)

* [release-1.18] Fix bug report include option not working as expected (istio#45860)

* fix bug report include option

* add releasenotes

---------

Co-authored-by: xiaopeng <hanxiaop8@outlook.com>

* Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45876)

* Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45875)

* Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45892)

* Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45936)

* Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45938)

* [release-1.18] Fix health probe port overwrite (istio#45873)

* Remove app req host override with req host on health-check

Signed-off-by: jaellio <jaellio@microsoft.com>

* set appReq host to prober host value

Signed-off-by: jaellio <jaellio@microsoft.com>

* add conditional check before setting appReq host to probe host

Signed-off-by: jaellio <jaellio@microsoft.com>

* Remove host override from app probe unit tests. The explicit override does not reflect the actual request host value on health probe requests. Prior to being processed in the istio-proxy the host of the request should not be set to the app port.

Signed-off-by: jaellio <jaellio@microsoft.com>

---------

Signed-off-by: jaellio <jaellio@microsoft.com>
Co-authored-by: jaellio <jaellio@microsoft.com>

* Add release note for istio#45632 (istio#45927)

Signed-off-by: jaellio <jaellio@microsoft.com>
Co-authored-by: jaellio <jaellio@microsoft.com>

* Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45948)

* [release-1.18] Set inject true for compatibility tests (istio#45928)

* Set inject true for compatibility tests

* adding the fix to TestProxyProtocolTCPGateway and TestCustomGateway

---------

Co-authored-by: Riya Sinha <riyasinha@google.com>

* [release-1.18] prevent port conflict with sidecar static listener like 15021 15090 (istio#45966)

* prevent port conflict with sidecar static listener 15021 15090

* remove duplicate conflict detection

* address comment

---------

Co-authored-by: Zhonghu Xu <xuzhonghu@huawei.com>

* Update image from (istio#45958)

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

* Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45995)

* Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45996)

* Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#46000)

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#46007)

* Exit if sds socket not found (istio#45941) (istio#46014)

* Exit if sds socket not found (istio#45941)

* adding - exit if sds socket not found

* fix release note for # 45941

* renaming flag to USE_EXTERNAL_WORKLOAD_SDS

* rewording release note for istio#45941, describe usage of USE_EXTERNAL_SDS_SOCKET

* fix cherry-pick

* fix conflict (istio#46017)

Signed-off-by: Kuat Yessenov <kuat@google.com>
Co-authored-by: Kuat Yessenov <kuat@google.com>

* fix concurrent map access in endpoint metadata (istio#44473) (istio#46021)

* fix concurrent map access in endpoint metadata



* only clone as needed



* only clone as needed



* remove unnecessary code



* review comments



* fix ut



* add test case



* add lock



---------

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
Co-authored-by: Rama Chavali <rama.rao@salesforce.com>

* Fix nil map for cluster builder (istio#46024)

Co-authored-by: Sergii Shapar <sshapar@google.com>

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#46025)

* Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#46039)

* Bump proxy version (#122)

* Add validation of workload entry identity (#117)

(cherry picked from commit b6eefaf3045227431b60384002e5b0c57740288d)

* 1.18.2 tetrate build

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* eks patch

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* 1.18.2 tetratefips build

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* 1.18.2 tetratefips build

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* 1.18.2 tetratefips build

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* 1.18.2 tetratefips build

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* bump proxy SHA

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* envoy cves

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* envoy cves

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* bump proxy SHA

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* running e2e tests for pilot

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* running e2e tests for pilot

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* running e2e tests for pilot

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* bump runners

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* bump runners

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* publish release

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* update tetrate-workflow branch

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* update tetrate-workflow branch

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* update tetrate-workflow branch

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* update tetrate-workflow branch

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* Removing unnecessary code

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* addressed comment

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* address reveiw comments

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* cleanup and updated new patch for eks

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* Update tetrateci/version_check.py

Co-authored-by: zirain <zirain2009@gmail.com>

* fix WF for make release job

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* fips.md update

Signed-off-by: psbrar99 <brargg1989@gmail.com>

* Update fips.md

* Update .github/workflows/make_release.yml

Co-authored-by: zirain <zirain2009@gmail.com>

* Update .github/workflows/make_release.yml

Co-authored-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: hejianpeng <hejianpeng2@huawei.com>
Signed-off-by: jongwooo <jongwooo.han@gmail.com>
Signed-off-by: Kalya Subramanian <kasubra@microsoft.com>
Signed-off-by: Faseela K <faseela.k@est.tech>
Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io>
Signed-off-by: xin.li <xin.li@daocloud.io>
Signed-off-by: Yanqiang Miao <miaoyq_2010@163.com>
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>
Signed-off-by: jaellio <jaellio@microsoft.com>
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
Signed-off-by: Kuat Yessenov <kuat@google.com>
Signed-off-by: psbrar99 <brargg1989@gmail.com>
Co-authored-by: dwq <dddwq@foxmail.com>
Co-authored-by: Istio Automation <istio-testing-bot@google.com>
Co-authored-by: John Howard <howardjohn@google.com>
Co-authored-by: Zhonghu Xu <xuzhonghu@huawei.com>
Co-authored-by: Xiaopeng Han <hanxiaop8@outlook.com>
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
Co-authored-by: zirain <hejianpeng2@huawei.com>
Co-authored-by: Jongwoo Han <jongwooo.han@gmail.com>
Co-authored-by: Kalya Subramanian <42158129+ksubrmnn@users.noreply.github.com>
Co-authored-by: Faseela K <faseela.k@est.tech>
Co-authored-by: jacob-delgado <jacob.delgado@volunteers.acasi.info>
Co-authored-by: cebernardi <cbernardi@expediagroup.com>
Co-authored-by: Rajat Sharma <rajat.shrma94@gmail.com>
Co-authored-by: Costin Manolache <costin@gmail.com>
Co-authored-by: pmerrison <pmerrison@me.com>
Co-authored-by: Yaroslav Skopets <yaroslav@tetrate.io>
Co-authored-by: my-git9 <xin.li@daocloud.io>
Co-authored-by: Ikumi Nakamura <28798279+johnmanjiro13@users.noreply.github.com>
Co-authored-by: Yossi Mesika <yossi.mesika@solo.io>
Co-authored-by: Yanqiang Miao <miaoyq_2010@163.com>
Co-authored-by: Ingwon Song <102102227+ingwonsong@users.noreply.github.com>
Co-authored-by: zengyuxing <newday.jesse@gmail.com>
Co-authored-by: Yossi Mesika <ymesika@gmail.com>
Co-authored-by: john-a-joyce <joycej@cisco.com>
Co-authored-by: pmerrison <paul@tetrate.io>
Co-authored-by: Peter Jausovec <peterj@users.noreply.github.com>
Co-authored-by: Nicole LiHui <nicolelihui@outlook.com>
Co-authored-by: John Mazzitelli <mazz@redhat.com>
Co-authored-by: akshayjnambiar <akshayjnambiar@google.com>
Co-authored-by: Greg Hanson <gregory.hanson@solo.io>
Co-authored-by: Mitch Connors <mitchconnors@gmail.com>
Co-authored-by: Rui Gu <ruigu@google.com>
Co-authored-by: Akshay J Nambiar <akshayjnambiar@users.noreply.github.com>
Co-authored-by: Rama Chavali <rama.rao@salesforce.com>
Co-authored-by: Rohit Agarwal <mindprince@gmail.com>
Co-authored-by: Jacek Ewertowski <jewertow@redhat.com>
Co-authored-by: Siyi Wang <siyiwang@google.com>
Co-authored-by: Ben Leggett <854255+bleggett@users.noreply.github.com>
Co-authored-by: github-actions <github-actions@github.com>
Co-authored-by: Ingwon Song <igsong@google.com>
Co-authored-by: Jackie Elliott <64559656+jaellio@users.noreply.github.com>
Co-authored-by: Dwayne Schultz <myshkin5@users.noreply.github.com>
Co-authored-by: Lei Tang <32078630+lei-tang@users.noreply.github.com>
Co-authored-by: zhaohuabing <zhaohuabing@gmail.com>
Co-authored-by: jaellio <jaellio@microsoft.com>
Co-authored-by: Riya Sinha <riyasinha@google.com>
Co-authored-by: Adam Sayah <adam.sayah@solo.io>
Co-authored-by: Kuat Yessenov <kuat@google.com>
Co-authored-by: Hemendra Teli <8605932+hemendrateli@users.noreply.github.com>
Co-authored-by: Sergii Shapar <sshapar@google.com>
Co-authored-by: zirain <zirain2009@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
release-notes-none Indicates a PR that does not require release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants