Add docs for Calico, set the annotation by default. #44259
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
costinm
requested review from
jacob-delgado,
Monkeyanator and
a team
as code owners
istio-testing
added
the
size/M
howardjohn
reviewed
Apr 5, 2023
manifests/charts/ztunnel/values.yaml
Outdated
| @@ -3,6 +3,7 @@ hub: gcr.io/istio-testing | |||
| # Tag to pull from. Image will be `Hub/Image:Tag-Variant` | |||
| tag: latest | |||
| # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. | |||
| # Setting variant to "debug" will also run with higher permissions to allow tcpdump. | |||
There was a problem hiding this comment.
kubectl debug may be more appropriate here?
This is going to be a privilege escalation for users by default which doesn't seem great. debug is really just ubuntu, we may even only allow distroless as part of "ambient uses safe mode by default".
There was a problem hiding this comment.
Would kubectl debug raise the capabilities of the pod ? I.e. if a cap is dropped, will it be added back ?
I tried and didn't seem to work - but if there is some option to add the caps I agree it would be far better.
There was a problem hiding this comment.
Also "safe by default" is all good - but "debug" is neither the default nor supposed to be safe.
There was a problem hiding this comment.
debug is the default. It shouldn't be in safe mode, of course.
I just tested and it worked. kubectl debug --image istio/base -it -n istio-system ztunnel-9xpvt then tcpdump in the shell had no issues. kubectl exec into ztunnel I got permission denied
There was a problem hiding this comment.
Ok, will remove this.
Speaking of safe mode - for ztunnel it may be good to default to safe, and have debug optional. We should do
the same in the safe charts for istiod.
There was a problem hiding this comment.
Also - if this works, maybe we should remove tcpdump, dig and other debug helpers from istio/base ?
I guess backward compat will prevent this - but we can create a second base for 'safe mode' at some point
and do a base cleanup too.
AndreaM12345
reviewed
Apr 6, 2023
|
|
||
| - if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` | ||
| - if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) | ||
|
|
There was a problem hiding this comment.
I think we may also need mention adding the IPs as mentioned in this doc?
https://github.com/istio/istio/tree/master/cni/pkg/ebpf
kubectl -n istio-system patch ds ztunnel --type='json' -p='[{"op": "add", "path": "/spec/template/metadata/annotations/cni.projectcalico.org~1allowedSourcePrefixes", "value": "[\"10.x.0.0/16\"]"}]'
See that you mention the IPs in the daemonset.yaml but thinking for clarity maybe mentioning it in the readme
There was a problem hiding this comment.
I don't think patching ztunnel is right - user may reinstall it, upgrade, etc. For debugging or dev it may be ok, not prod.
I added the annotation to ztunnel - so it is added without extra patching ( non-calico will ignore it AFAIK ).
Also instead of 10.x... I set it to 0.0.0.0 - ztunnel may need to impersonate original dst from other clusters in MC or even from ingress.
Did you do any testing with IPv6 ? Is there an equivalent annotation ?
There was a problem hiding this comment.
didn't test with IPv6. I think you are correct about not patching ztunnel. My comment was that the readme should point out that if a user wants to adjust the allowedSourcePrefix they should make the change to the daemonset.yaml Just for my own clarification are you suggesting that users should not set the allowedSourcePrefix?
There was a problem hiding this comment.
ztunnel is only going to impersonate pods on its own node fwiw, so technically the setting on each ztunnel could be its node's CIDR.
Having a per-pod annotation based on the node is pretty hard to do though so not suggesting we actually do that, but I think it would be the minimal allowed from calico POV
There was a problem hiding this comment.
Actually I am wrong :-) it will only impersonate to or from a node-local pod, but it may be random thing -> node local pod
There was a problem hiding this comment.
Yes, that was my understanding as well - it should use 'x-forwarded-for' header, which may reflect a source IP from another cluster ( multi-network + E/W ), or the original pod sending request to the Waypoint or even the remote IP for ingress. Since we have no other way to convey this info ( and even when we have metadata endpoint, it's more efficient and compatible to have the real peer IP).
I am starting to believe we should implement HAProxy as well - it is VERY common in cloud infra. How to declare that a pod expects HAProxy remains TBD, maybe something GAMMA should define since others will have the same problem.
istio-testing
added
size/S
howardjohn
reviewed
Apr 13, 2023
howardjohn
added
the
release-notes-none
howardjohn
approved these changes
Apr 13, 2023
psbrar99
added a commit
to tetratelabs/istio
that referenced
this pull request
Aug 7, 2023
* Retry when east-west gateway hostname resolution fails (istio#44192) * retry when gateway hostnames resolution failed * add a ut * add a release note * test * test retry period * test * test * update retry period * distinguish server failure * fix * fix ttl * remove named return values * address comments * Automator: update proxy@master in istio/istio@master (istio#44295) * gateway: skip un-managed types in deploymentcontroller (istio#43541) * Automator: update proxy@master in istio/istio@master (istio#44298) * Add nil-check for WASM validation (istio#44296) * kube-probe: avoid duplicate probe headers (istio#44297) This is a regression of istio#28466 from istio#31866 The 31866 fixed the k8s spec having duplicates, but we end up duplicating all headers twice - the kubelet adds the header from HTTPHeaders and we also add from HTTPHeaders, resulting in 2x every header. Instead, we simply copy the incoming request headers and host, making us a fairly transparent proxy. * Refactor multi network manage (istio#44190) * Refactor multi network * Change reloadXX to networkManager's private method * Automator: update go-control-plane in istio/istio@master (istio#44301) * Automator: update proxy@master in istio/istio@master (istio#44302) * Automator: update common-files@master in istio/istio@master (istio#44305) * skip gateway.istio.io/controller-version anno message that is not created by users (istio#44306) * Automator: update istio/client-go@master dependency in istio/istio@master (istio#44312) * Fix the metric and log reports for the dryrun gateway config (istio#44303) * fix reporting metric for dryrun gateway config * add releasnotes * improve log * Automator: update common-files@master in istio/istio@master (istio#44314) * Early update_deps.sh before branching (istio#44317) * e2e: refactor grpc stats test (istio#44307) * e2e: refactor grpc stats test * fix gen * fix build * fix analyze * fix buildGRPCQuery Signed-off-by: hejianpeng <[email protected]> --------- Signed-off-by: hejianpeng <[email protected]> * Automator: update proxy@master in istio/istio@master (istio#44320) * Fix system namespace filtering (istio#44325) * update istio.io/api (istio#44330) * validation: add another nil check (istio#44332) * Fix type at shared.go (istio#44326) Signed-off-by: jongwooo <[email protected]> * Update istio.io modules (istio#44331) * Update istio.io modules * Run `mske gen` * Add update_ztunnel script (istio#44334) * remove sync all (istio#44111) * remove syncall * update * update * Fix namespace equal check * Fix ClusterExternalAddresses race * Fix * Add bookinfo demo for PSA (istio#44214) Signed-off-by: Kalya Subramanian <[email protected]> * Integration tests for ENABLE_ENHANCED_RESOURCE_SCOPING feature (istio#44246) * Integration tests for ENABLE_ENHANCED_RESOURCE_SCOPING feature Signed-off-by: Faseela K <[email protected]> * fix lint Signed-off-by: Faseela K <[email protected]> * add build tag Signed-off-by: Faseela K <[email protected]> * fix lint Signed-off-by: Faseela K <[email protected]> * skip VMs Signed-off-by: Faseela K <[email protected]> * Require singlecluster Signed-off-by: Faseela K <[email protected]> * SkipExternalControlPlaneTopology Signed-off-by: Faseela K <[email protected]> * Require Multi Primary Signed-off-by: Faseela K <[email protected]> * add build tag Signed-off-by: Faseela K <[email protected]> * replace httpbin.org with echo external service Signed-off-by: Faseela K <[email protected]> --------- Signed-off-by: Faseela K <[email protected]> * Update deps 2023 04 10 (istio#44319) * ./bin/update_deps.sh * update go deps * Remove default.yaml * Make gen * Revert change to distroless * Fix controller runtime * Update istio.io/api and istio.io/pkg * Run go mod tidy * Update release prow * Update istio.io/api * Automator: update istio/client-go@master dependency in istio/istio@master (istio#44339) * Use official 0.27.0 release (istio#44340) * reduced tokenWaitBackoff from 1 second to 10 millis (istio#44338) * Fix the ztunnel iop specification for resources leads to a patch error. (istio#44322) * fix ztunnel iop resource * add test * Automator: update proxy@master in istio/istio@master (istio#44343) * Fix ServiceEntry WorkloadInstanceHandler for label change in Pods (istio#42922) * Fix ServiceEntry WorkloadInstanceHandler for label change in Pods For a label change in WorkloadInstance, which results in a mismatch with a previously matching ServiceEntry, the whole update event is skipped. Which results in the WorkloadInstance not getting removed from the ServiceEntry. This fix changes the behaviour for such cases to handle those updates similar to a delete event and clean up the WorkloadInstance from the list. Fixes [istio#42921] * use DeepEquals to avoid SubsetOf iteration * gocritic linting fix * go back to the first approach * fix workloadInstanceDiff * fix linting errors * change test cases to table format * fix testcase for new Event type * fix Event Type * go fmt * remove wi diff * Update BASE_VERSION to master-2023-04-12T19-02-00 (istio#44357) * Add docs for Calico, set the annotation by default. (istio#44259) * Add docs for Calico, set the annotation by default. * Finish the comment. * Remove debug, kubectl debug works * indent * Update manifests/charts/istio-cni/README.md --------- Co-authored-by: John Howard <[email protected]> * update_deps.sh change (istio#44373) * fix gateway service name (istio#44365) * Automator: update proxy@master in istio/istio@master (istio#44380) * validation: add small nil check (istio#44360) * Remove kustomize and precompute manifests (istio#44376) See istio#44237 for more info * Add a better check for ztunnel pod guess (istio#44292) * add a better check for ztunnel guess * rebise based on comments * cni: drop experimental taint controller (istio#44377) This controller was added many years ago as an experiment and hasn't progressed. Unless there are users who have remained hidden during this time, I think its effectively dead code we should cleanup. * kube: use protobuf in client (istio#44379) * kube: use protobuf in client This was attempted in istio#38658 but the `config` set is never used there. Also add an opt-out and AcceptContentTypes to allow json fallback as recommended by k8s * fix writes * Remove release note approval by release-managers (istio#44395) * gateway: prevent duplicate `istio_authn` network filter in the filter chain (istio#44388) * gateway: prevent duplicate `istio_authn` network filter in the filter chain Signed-off-by: Yaroslav Skopets <[email protected]> * add release notes Signed-off-by: Yaroslav Skopets <[email protected]> * fix lint Signed-off-by: Yaroslav Skopets <[email protected]> * fixup Signed-off-by: Yaroslav Skopets <[email protected]> * ensure stability of the unit test Signed-off-by: Yaroslav Skopets <[email protected]> --------- Signed-off-by: Yaroslav Skopets <[email protected]> * Add response headers for grpc (istio#44394) * Add response headers for grpc * Update the output * Automator: update istio/client-go@master dependency in istio/istio@master (istio#44396) * Automator: update common-files@master in istio/istio@master (istio#44398) * Use k8s 1.27.0 as the default node image for integration testing (istio#44400) * Automator: update proxy@master in istio/istio@master (istio#44403) * remove deadcode from operator proto (istio#44397) Was missed in previous PR * fix:productpage build fail (istio#44405) Signed-off-by: xin.li <[email protected]> * Run update_deps.sh (istio#44404) * chore: Fix function name of comment (istio#44406) Correct name is runAllTypes but comment has pruneAllTypes * Automator: update go-control-plane in istio/istio@master (istio#44407) * Automator: update proxy@master in istio/istio@master (istio#44408) * Automator: update ztunnel@master in istio/istio@master (istio#44409) * Remove hard coded Istio namespace (istio#44410) * Automator: update proxy@master in istio/istio@master (istio#44411) * Analyze: add cert check for gateway credential (istio#43921) * add cert check for gateway credential * add releasenotes and lint * reuse some logics and add more checks * make gen * remove unnecessary releasenotes * Automator: update proxy@master in istio/istio@master (istio#44419) * Fix webhook issues in installation process (istio#44345) * fix webhook creation in install process * add releasenotes * Only set the WorkloadSelector of ServiceEntry if the label is not empty (istio#44420) Signed-off-by: Yanqiang Miao <[email protected]> * Setting the control plane lazily (istio#44417) Change-Id: I31adfcb808d04aef51c42ddaed5b3473db2397a5 * Automator: update proxy@master in istio/istio@master (istio#44431) * "istioctl pc route" output add "VHOST NAME" (istio#44414) * "istioctl pc route" output add "VHOST NAME" * add releasenote * fix * Update releasenotes/notes/44414.yaml Co-authored-by: Yossi Mesika <[email protected]> --------- Co-authored-by: Yossi Mesika <[email protected]> * Temper severity of extraneous errors (istio#44416) When the CNI initially runs on a node that is clean of the ztunnel chains errors and warnings are logged that are extraneous. This change reduces the severity and adds comments in the code. * cleanup message.yaml (istio#44421) * update_deps for 1.18 branch cut (istio#44436) * Automator: update proxy@master in istio/istio@master (istio#44442) * fix wrong example for admin log (istio#44438) Signed-off-by: xin.li <[email protected]> * add validation for empty prefix header match (istio#44428) * add validation for empty prefix header match * fix linter issues * update error message + add a release note * add "prefix" to the error message * >fix `istioctl analyze` to panic when the server port in gateway is nil. (istio#44321) * >fix `istioctl analyze` to panic when the server port in gateway is nil. * Update releasenotes/notes/fix-44318.yaml Co-authored-by: Xiaopeng Han <[email protected]> --------- Co-authored-by: Xiaopeng Han <[email protected]> * Automator: update [email protected] in istio/[email protected] (istio#44527) * Automator: update [email protected] in istio/[email protected] (istio#44550) * [release-1.18] Automated branching step 4 (istio#44553) * Automator: update istio/[email protected] dependency in istio/[email protected] (istio#44559) * Automator: update [email protected] in istio/[email protected] (istio#44560) * Automator: update [email protected] in istio/[email protected] (istio#44564) * Automator: update istio/[email protected] dependency in istio/[email protected] (istio#44563) * Automator: update [email protected] in istio/[email protected] (istio#44567) * Automator: update istio/[email protected] dependency in istio/[email protected] (istio#44569) * Update BASE_VERSION to release-1.18-2023-04-26T19-01-40 (istio#44576) * Automator: update [email protected] in istio/[email protected] (istio#44607) * Automator: update [email protected] in istio/[email protected] (istio#44610) * Update master to 1.18 (istio#44615) * gateway-api: start reading ReferenceGrant beta (istio#44619) Co-authored-by: John Howard <[email protected]> * update to kiali 1.67.0 (istio#44504) Co-authored-by: John Mazzitelli <[email protected]> * revise waypoint examples (istio#44511) Co-authored-by: xiaopeng <[email protected]> * Use safer dedupe for config (istio#44521) This is just appending them, there is no guarantee of conflicts being avoided Co-authored-by: John Howard <[email protected]> * disable automount SA token only on tests with min istio revisions >= 1.16 (istio#44533) Testing multiple istio versions involves older istio versions which doesn't support sidecars with disable automount SA token. This was enabled form 1.16 onwards. Co-authored-by: akshayjnambiar <[email protected]> * Automator: update [email protected] in istio/[email protected] (istio#44625) * [release-1.18] Fix pilot using wrong readinessprobe check, should check if /validate and /inject endpoints are ready. (istio#44632) * fix validationcontroller not having readinessprobe * add releasenotes * revise based on comments * revise based on comments * Delete 44526.yaml --------- Co-authored-by: xiaopeng <[email protected]> * typo fix for failover validation (istio#44638) Co-authored-by: Greg Hanson <[email protected]> * telemetry: deflake access log tests (istio#44645) Example failure: https://prow.istio.io/view/gs/istio-prow/pr-logs/directory/integ-telemetry_istio/1652008195079540736 It looks like the XDS push is just causing too much load and it takes more than 10s to process. We see during XDS push /stats/prometheus also times out. Co-authored-by: John Howard <[email protected]> * [release-1.18] Support p384 curves (istio#44628) * support p384 curves * code review and make gen * cleanup test * fix linter * only support 256 and 384 * cleanup tests --------- Co-authored-by: Jacob Delgado <[email protected]> * Automator: update go-control-plane in istio/[email protected] (istio#44651) * [release-1.18] Skip runtime resources when analyzing files (istio#44663) * Skip runtime resources when analyzing files * add test data and fmt * add support for tests to analyze pods * update analyze test to respect file exclusions * show failed json in message * fix json formatting * differentiate json analyzer tests * add release note --------- Co-authored-by: Mitch Connors <[email protected]> * [release-1.18] gateway: fix and test unmanaged skipping (istio#44508) * gateway: fix and test unmanaged skipping istio#43541 didn't work quite right due to a rebasing issue. Fix it and add better tests * fix test * fix log * use unique name (istio#44528) (cherry picked from commit 7033e9537a68f23a77f804f35413c7d00b6e00be) (cherry picked from commit c8f7331) --------- Co-authored-by: John Howard <[email protected]> * vwh: speedup reconcilation and fix test flake (istio#44658) Fixes https://prow.istio.io/view/gs/istio-prow/logs/integ-pilot-cpp_istio_postsubmit/1651656748131422208 failure This is a 1.18 regression since we changed the queue backoff. This fixes it in 2 ways: * Make sure we don't ahve to wait 1min every time * Make sure once one webhook succeeds, all of them do This also makes the test more robust to wait for all webhooks instead of just one. Co-authored-by: John Howard <[email protected]> * Automator: update istio/[email protected] dependency in istio/[email protected] (istio#44672) * Automator: update [email protected] in istio/[email protected] (istio#44669) * Use go-control-plane from the last commmit before 1.26 was cut (istio#44674) * Automator: update [email protected] in istio/[email protected] (istio#44682) * Fix new test which was broken on distroless (istio#44685) There is no distroless app container Co-authored-by: John Howard <[email protected]> * Automator: update [email protected] in istio/[email protected] (istio#44694) * update_deps output priot to beta0 build (istio#44699) * Automator: update [email protected] in istio/[email protected] (istio#44707) * Actually change the rate limiter type (istio#44726) Co-authored-by: John Howard <[email protected]> * Automator: update [email protected] in istio/[email protected] (istio#44727) * Automator: update istio/[email protected] dependency in istio/[email protected] (istio#44724) * Automator: update [email protected] in istio/[email protected] (istio#44728) * Automator: update [email protected] in istio/[email protected] (istio#44738) * Fix multi-cluster issue by increasing the timeout of listing CRDs (istio#44715) (istio#44740) When a new secret is added, a watcher will be created based on the remote secret. The process can fail if the API server doesn't respond in 10 seconds which can be the case if the cluster contains a lot of CRDs. This PR bumps the timeout to 60 seconds which is the default timeout value (specified in --request-timeout) for requests to API server. * [release-1.18] Fix persistent sessions scale down with envoy (istio#44653) * Missing change for persistent session support. Without it envoy will drop the draining endpoints and scale down will break. * Update the cluster status to be more future proof, add grpc, c++ implementation requires this * Remove unhealthy --------- Co-authored-by: Costin Manolache <[email protected]> * Automator: update [email protected] in istio/[email protected] (istio#44760) * [release-1.18] Fix gateway hostname resolution TTL (istio#44768) * fix gateway hostname resolution ttl * add tests --------- Co-authored-by: dddddai <[email protected]> * [release-1.18] Fix verify-install to work with multi iops (istio#44752) * fix verify-install with multi iops * Update releasenotes/notes/verify-install-multi-iops.yaml Co-authored-by: Eric Van Norman <[email protected]> --------- Co-authored-by: xiaopeng <[email protected]> Co-authored-by: Eric Van Norman <[email protected]> * deployment controller: add leaderelection back (istio#44746) (istio#44771) * Add per-revision leader election * Add leader election for deployment controller (cherry picked from commit acd30f9) * Automator: update [email protected] in istio/[email protected] (istio#44774) * Automator: update [email protected] in istio/[email protected] (istio#44780) * fix missing gateway services (istio#44461) Co-authored-by: dddddai <[email protected]> * add support for security.istio.io/v1beta1 api in authz tests when testing multiple istio versions (istio#44806) Testing multiple istio versions involves older istio versions which uses the v1beta1 api. This change will start using v1 for 1.17+ and v1beta1 for 1.16-. Co-authored-by: Akshay J Nambiar <[email protected]> * set delay between retry attempts (istio#44809) Co-authored-by: dddddai <[email protected]> * [release-1.18] istiod: drop Alpha Gateway API types by default (istio#44812) * istiod: drop Alpha Gateway API types by default This is problematic because most providers will not install Alpha CRDs. So once these promote to Beta, clusters will have *only* beta version in the CRD. We would detect the CRD and attempt to watch, but fail as alpha does not exist. This makes the alpha enablement an explicit opt-in to avoid this. An alternative could be to read the actual CRD to check it has the version we want. However, this is not safe -- a user may silently stop reading critical configurations. This is not needed for Istio CRDs as we don't remove old versions. * Fix test * fix build * fix note --------- Co-authored-by: John Howard <[email protected]> * [release-1.18] Fix precheck and analysis messages (istio#44832) * fix precheck and analysis messages * fix lint --------- Co-authored-by: xiaopeng <[email protected]> * update_deps prior to beta1 build (istio#44846) * inject: remove unknown fields from template (istio#44860) We have a number of cases where we insert unknown fields into the template. This eventually gets marshalled into a `v1.Pod`, so the unknown fields are dropped. So it has no impact, but it is "wrong". However, one of the fields we have (restartPolicy) is actually going to be a valid field in future k8s, so would start breaking at that point. So this *will* be a critical bug for future k8s versions. Test with: Replace applyOverlayYAML with ``` decoder := json.NewDecoder(bytes.NewReader(patched)) decoder.DisallowUnknownFields() if err := decoder.Decode(&pod); err != nil { return nil, fmt.Errorf("unmarshal patched pod: %v", err) } ``` Its probably a nice idea to keep it as non-strict to be resilient to unexpected issues? Co-authored-by: John Howard <[email protected]> * [release-1.18] vm: support health checks for VMs that are not using auto-registration (istio#44866) * vm: support health checks for VMs that are not using auto-registration Signed-off-by: Yaroslav Skopets <[email protected]> * add release notes Signed-off-by: Yaroslav Skopets <[email protected]> --------- Signed-off-by: Yaroslav Skopets <[email protected]> Co-authored-by: Yaroslav Skopets <[email protected]> * remove file from file certs before triggering call backs (istio#44907) Signed-off-by: Rama Chavali <[email protected]> Co-authored-by: Rama Chavali <[email protected]> * spiffe: fix handling of trust bundles with multiple keys (istio#44947) In the existing implementation, we were overriding the `cert` while iterating over doc.Keys. This commit fixes that. Further, there was an unnecessary check for the existence of `ret[trustDomain]`. We are iterating over a map with `trustDomain` as keys, maps don't have duplicate keys, and so `ret[trustDomain]` would never have had a key before we set it in this iteration. This is a cherry-pick for istio#44831 (with modifications in the tests to avoid conflicts). This was cherry-picked in 1.17 as istio#44909. Change-Id: Ibf68f75cc667a72cce68bd42e4f600bd37946222 * Automator: update [email protected] in istio/[email protected] (istio#44992) * Automator: update [email protected] in istio/[email protected] (istio#45001) * Automator: update istio/[email protected] dependency in istio/[email protected] (istio#44994) * Automator: update [email protected] in istio/[email protected] (istio#45008) * [release-1.18] deploymentcontroller: add support for ProxyConfig CRD (istio#44987) * deploymentcontroller: add support for ProxyConfig CRD (istio#44916) * deploymentcontroller: add support for ProxyConfig CRD Signed-off-by: Jacek Ewertowski <[email protected]> * Handle default gateway labels Signed-off-by: Jacek Ewertowski <[email protected]> * Remove a comment Signed-off-by: Jacek Ewertowski <[email protected]> * Handle pod annotations Signed-off-by: Jacek Ewertowski <[email protected]> * Encapsulate EffectiveProxyConfig into GetProxyConfigOrDefault Signed-off-by: Jacek Ewertowski <[email protected]> * Remove default pod label service.istio.io/canonical-name Signed-off-by: Jacek Ewertowski <[email protected]> * Respect only istio.io/gateway-name label when matching ProxyConfig with Gateway Signed-off-by: Jacek Ewertowski <[email protected]> * Add release note Signed-off-by: Jacek Ewertowski <[email protected]> * Change area in the relase note Signed-off-by: Jacek Ewertowski <[email protected]> * Remove support for proxy.istio.io/config annotation applied to k8s Gateway pods Signed-off-by: Jacek Ewertowski <[email protected]> --------- Signed-off-by: Jacek Ewertowski <[email protected]> * Fix unit tests Signed-off-by: Jacek Ewertowski <[email protected]> --------- Signed-off-by: Jacek Ewertowski <[email protected]> * Automator: update istio/[email protected] dependency in istio/[email protected] (istio#45024) * [release-1.18] Fix bug report missing all logs for json logs (istio#45026) * Add json log parsing * Remove bug report file * Omit filter and add tests * Extract to parseLog * Fix test failures * Fix format --------- Co-authored-by: Siyi Wang <[email protected]> * telemetry: enable experimental mertic expiry (istio#44605) (istio#45037) * mertic-expiry * fix test * fix lint * add release-notes * fix gen * use ProxyMetadata * fix rebase * add test * update release-notes * fix not working * reduce xds size * use pilot ENV * update with john's comment * add UT * fix lint --------- Signed-off-by: hejianpeng <[email protected]> * [release-1.18] fix backoff and read ca file interval (istio#45038) * fix read ca file interval * fix backoff never stop * address comment * remove permanent error * Address comment --------- Co-authored-by: Zhonghu Xu <[email protected]> * fix waypoint list summary and add revision (istio#45052) Co-authored-by: xiaopeng <[email protected]> * Automator: update [email protected] in istio/[email protected] (istio#45072) * Automator: update [email protected] in istio/[email protected] (istio#45074) * Automator: update istio/[email protected] dependency in istio/[email protected] (istio#45076) * Automator: update [email protected] in istio/[email protected] (istio#45094) * Update BASE_VERSION to release-1.18-2023-05-24T19-03-47 (istio#45109) * RetryWithContext should use the new NextBackOff() (istio#45123) Signed-off-by: Faseela K <[email protected]> Co-authored-by: Faseela K <[email protected]> * rc.0 step 1 - update deps (istio#45134) * Automator: update [email protected] in istio/[email protected] (istio#45139) * Temporarily remove eBPF impl pending CNCF guidance (istio#45167) eBPF support is temporarily disabled pending CNCF establishing guidance around dual-licensed eBPF bytecode cncf/toc#1000 (comment) Signed-off-by: Benjamin Leggett <[email protected]> * 1.17: bump docker dep (istio#45199) This has a "CVE". It doesn't impact Istio but makes scanners unhappy. The dep is only used in WASM code and is a small bump so pretty low risk * Update BASE_VERSION to release-1.18-2023-05-31T19-02-09 (istio#45225) * Automator: update [email protected] in istio/[email protected] (istio#45281) * Update BASE_VERSION to release-1.18-2023-06-05T19-04-11 (istio#45289) * Update deps prior to 1.18.0 GA (istio#45310) * Automator: update [email protected] in istio/[email protected] (istio#45325) * Automator: update istio/[email protected] dependency in istio/[email protected] (istio#45326) * Automator: update [email protected] in istio/[email protected] (istio#45333) * precise-errorcode-debuggen (istio#45164) Change-Id: Ia2654e18006b7cc2d54bb86ff9c9a2abe9e28bf5 Co-authored-by: Ingwon Song <[email protected]> * [release-1.18]Manual cherry-pick of 44481 and 44775 (istio#45081) * add PDB to gateway chart * add releasenotes * revise based on comments * revise values to have better control * disable PDB by default * [release-1.18] Certificate Revocation List support (istio#45130) * refactor KeyCertAndStaple (istio#44764) Doing this refactoring in preparation for CRL support Signed-off-by: Faseela K <[email protected]> * Certificate Revocation List support (istio#45104) Signed-off-by: Faseela K <[email protected]> * populate crl only when the key is present in secret (istio#45112) Signed-off-by: Faseela K <[email protected]> * skip empty ocsp staple configuration (istio#45159) Signed-off-by: Faseela K <[email protected]> --------- Signed-off-by: Faseela K <[email protected]> * Adding LRS support (istio#45165) Change-Id: Ifd075d62a5f0dda3b4b57eb807677f1637bed04f Co-authored-by: Ingwon Song <[email protected]> * Fix invalid XDS configuration for wildcard Ingress HTTP path (istio#44898) (istio#45168) * Fix invalid XDS configuration for wildcard Ingress path Updates Ingress to VirtualService translation to not create a HTTPRequestMatch when the URI is nil. The URI is nil when the path is a wildcard or is empty and the pathType is nil or implementationSpecific. This change prevents an Envoy failure. Envoy regex fails when the path seperated prefix is empty or has a trailing "/". * Fix failing unit tests - handle sorting HTTPRoutes with no HTTPRequestMatches * Update golden converion tests for ingress. Remove empty match. --------- Signed-off-by: jaellio <[email protected]> * Fix Telemetry disablement matching (istio#45303) Co-authored-by: John Howard <[email protected]> * Add rolling update max unavailable to CNI chart to speed up deploys (cherry pick to release-1.18) (istio#44934) * Add rolling update max unavailable to CNI chart to speed up deploys * Update generated code * Update chart updating instructions * Add release note * Skip config from istio#44642 * [release-1.18] Fix istioctl pc secret cert validity not accurate (istio#45343) * fix istioctl pc secret cert valid * lint and add releasenotes --------- Co-authored-by: xiaopeng <[email protected]> * Change to use Node instead of RawMeta (istio#45359) Change-Id: I21117025bb99b62c18484d2f1598a001751faaa4 Co-authored-by: Ingwon Song <[email protected]> * [release-1.18] Check the disabled status when adding a log provider (istio#45373) * Check the disabled status when adding a log provider By checking the disabled status when adding a log provider, this PR fixes an issue where disabling a log provider through Istio telemetry API would not work. Otherwise, a disabled log provider may still be added to the log configuration and cause the disabling to not work as expected. The test case in this PR verifies that with the fix this PR, a disabled log provider will not be added to the log configuration. * Update the variable name --------- Co-authored-by: Lei Tang <[email protected]> * Automator: update istio/[email protected] dependency in istio/[email protected] (istio#45381) * Automator: update [email protected] in istio/[email protected] (istio#45450) * [release-1.18] Update min supported k8s version to 1.24 (istio#45444) * update min supported k9s version to 1.24 * add releasenotes --------- Co-authored-by: xiaopeng <[email protected]> * [release-1.18] cherry-pick: add debug info when generating certs for workloads (istio#45194) * cherry-pick: add debug info when generating certs for workloads istio#45183 Signed-off-by: huabing zhao <[email protected]> * remove signer and make ttl human readable Signed-off-by: huabing zhao <[email protected]> --------- Signed-off-by: huabing zhao <[email protected]> * Update BASE_VERSION to 1.18-2023-06-15T19-02-54 (istio#45495) * [release-1.18] improve accesslog mode e2e tests (istio#45519) * improve accesslog mode e2e tests * retry Signed-off-by: hejianpeng <[email protected]> * fix --------- Signed-off-by: hejianpeng <[email protected]> Co-authored-by: hejianpeng <[email protected]> * Automator: update [email protected] in istio/[email protected] (istio#45569) * Automator: update istio/[email protected] dependency in istio/[email protected] (istio#45570) * Automator: update [email protected] in istio/[email protected] (istio#45579) * Automator: update [email protected] in istio/[email protected] (istio#45587) * prow: move to use WI for auth_header in private (istio#45609) This replaces authentikos Co-authored-by: John Howard <[email protected]> * Automator: update [email protected] in istio/[email protected] (istio#45667) * Automator: update istio/[email protected] dependency in istio/[email protected] (istio#45660) * Automator: update [email protected] in istio/[email protected] (istio#45690) * Bump github.com/lestrrat-go/jwx from 1.2.25 to 1.2.26 (istio#45684) Signed-off-by: Kalya Subramanian <[email protected]> * Automator: update [email protected] in istio/[email protected] (istio#45702) * Fix auth header syntax (istio#45711) Co-authored-by: John Howard <[email protected]> * gcp metadata: compute GCPClusterURL from metadata (istio#45741) This allows computing GCPClusterURL from GCP_METADATA env var, if it is set. This allows usage with zero dependency on the metadata server. * Automator: update [email protected] in istio/[email protected] (istio#45747) * Automator: update [email protected] in istio/[email protected] (istio#45769) * Automator: update [email protected] in istio/[email protected] (istio#45771) * Automator: update [email protected] in istio/[email protected] (istio#45834) * [release-1.18] Fix a potential nil panic of endpointindex (istio#45808) * fix a potential nil panic of endpointindex * add releasenotes * revise releasenotes --------- Co-authored-by: xiaopeng <[email protected]> * Automator: update istio/[email protected] dependency in istio/[email protected] (istio#45857) * [release-1.18] Fix bug report include option not working as expected (istio#45860) * fix bug report include option * add releasenotes --------- Co-authored-by: xiaopeng <[email protected]> * Automator: update istio/[email protected] dependency in istio/[email protected] (istio#45876) * Automator: update [email protected] in istio/[email protected] (istio#45875) * Automator: update [email protected] in istio/[email protected] (istio#45892) * Automator: update [email protected] in istio/[email protected] (istio#45936) * Automator: update istio/[email protected] dependency in istio/[email protected] (istio#45938) * [release-1.18] Fix health probe port overwrite (istio#45873) * Remove app req host override with req host on health-check Signed-off-by: jaellio <[email protected]> * set appReq host to prober host value Signed-off-by: jaellio <[email protected]> * add conditional check before setting appReq host to probe host Signed-off-by: jaellio <[email protected]> * Remove host override from app probe unit tests. The explicit override does not reflect the actual request host value on health probe requests. Prior to being processed in the istio-proxy the host of the request should not be set to the app port. Signed-off-by: jaellio <[email protected]> --------- Signed-off-by: jaellio <[email protected]> Co-authored-by: jaellio <[email protected]> * Add release note for istio#45632 (istio#45927) Signed-off-by: jaellio <[email protected]> Co-authored-by: jaellio <[email protected]> * Automator: update [email protected] in istio/[email protected] (istio#45948) * [release-1.18] Set inject true for compatibility tests (istio#45928) * Set inject true for compatibility tests * adding the fix to TestProxyProtocolTCPGateway and TestCustomGateway --------- Co-authored-by: Riya Sinha <[email protected]> * [release-1.18] prevent port conflict with sidecar static listener like 15021 15090 (istio#45966) * prevent port conflict with sidecar static listener 15021 15090 * remove duplicate conflict detection * address comment --------- Co-authored-by: Zhonghu Xu <[email protected]> * Update image from (istio#45958) Co-authored-by: Eric Van Norman <[email protected]> * Automator: update [email protected] in istio/[email protected] (istio#45995) * Automator: update istio/[email protected] dependency in istio/[email protected] (istio#45996) * Automator: update [email protected] in istio/[email protected] (istio#46000) * Automator: update [email protected] in istio/[email protected] (istio#46007) * Exit if sds socket not found (istio#45941) (istio#46014) * Exit if sds socket not found (istio#45941) * adding - exit if sds socket not found * fix release note for # 45941 * renaming flag to USE_EXTERNAL_WORKLOAD_SDS * rewording release note for istio#45941, describe usage of USE_EXTERNAL_SDS_SOCKET * fix cherry-pick * fix conflict (istio#46017) Signed-off-by: Kuat Yessenov <[email protected]> Co-authored-by: Kuat Yessenov <[email protected]> * fix concurrent map access in endpoint metadata (istio#44473) (istio#46021) * fix concurrent map access in endpoint metadata * only clone as needed * only clone as needed * remove unnecessary code * review comments * fix ut * add test case * add lock --------- Signed-off-by: Rama Chavali <[email protected]> Co-authored-by: Rama Chavali <[email protected]> * Fix nil map for cluster builder (istio#46024) Co-authored-by: Sergii Shapar <[email protected]> * Automator: update [email protected] in istio/[email protected] (istio#46025) * Automator: update [email protected] in istio/[email protected] (istio#46039) * Bump proxy version (#122) * Add validation of workload entry identity (#117) (cherry picked from commit b6eefaf3045227431b60384002e5b0c57740288d) * 1.18.2 tetrate build Signed-off-by: psbrar99 <[email protected]> * eks patch Signed-off-by: psbrar99 <[email protected]> * 1.18.2 tetratefips build Signed-off-by: psbrar99 <[email protected]> * 1.18.2 tetratefips build Signed-off-by: psbrar99 <[email protected]> * 1.18.2 tetratefips build Signed-off-by: psbrar99 <[email protected]> * 1.18.2 tetratefips build Signed-off-by: psbrar99 <[email protected]> * bump proxy SHA Signed-off-by: psbrar99 <[email protected]> * envoy cves Signed-off-by: psbrar99 <[email protected]> * envoy cves Signed-off-by: psbrar99 <[email protected]> * bump proxy SHA Signed-off-by: psbrar99 <[email protected]> * running e2e tests for pilot Signed-off-by: psbrar99 <[email protected]> * running e2e tests for pilot Signed-off-by: psbrar99 <[email protected]> * running e2e tests for pilot Signed-off-by: psbrar99 <[email protected]> * bump runners Signed-off-by: psbrar99 <[email protected]> * bump runners Signed-off-by: psbrar99 <[email protected]> * publish release Signed-off-by: psbrar99 <[email protected]> * update tetrate-workflow branch Signed-off-by: psbrar99 <[email protected]> * update tetrate-workflow branch Signed-off-by: psbrar99 <[email protected]> * update tetrate-workflow branch Signed-off-by: psbrar99 <[email protected]> * update tetrate-workflow branch Signed-off-by: psbrar99 <[email protected]> * Removing unnecessary code Signed-off-by: psbrar99 <[email protected]> * addressed comment Signed-off-by: psbrar99 <[email protected]> * address reveiw comments Signed-off-by: psbrar99 <[email protected]> * cleanup and updated new patch for eks Signed-off-by: psbrar99 <[email protected]> * Update tetrateci/version_check.py Co-authored-by: zirain <[email protected]> * fix WF for make release job Signed-off-by: psbrar99 <[email protected]> * fips.md update Signed-off-by: psbrar99 <[email protected]> * Update fips.md * Update .github/workflows/make_release.yml Co-authored-by: zirain <[email protected]> * Update .github/workflows/make_release.yml Co-authored-by: zirain <[email protected]> --------- Signed-off-by: hejianpeng <[email protected]> Signed-off-by: jongwooo <[email protected]> Signed-off-by: Kalya Subramanian <[email protected]> Signed-off-by: Faseela K <[email protected]> Signed-off-by: Yaroslav Skopets <[email protected]> Signed-off-by: xin.li <[email protected]> Signed-off-by: Yanqiang Miao <[email protected]> Signed-off-by: Rama Chavali <[email protected]> Signed-off-by: Jacek Ewertowski <[email protected]> Signed-off-by: Benjamin Leggett <[email protected]> Signed-off-by: jaellio <[email protected]> Signed-off-by: huabing zhao <[email protected]> Signed-off-by: Kuat Yessenov <[email protected]> Signed-off-by: psbrar99 <[email protected]> Co-authored-by: dwq <[email protected]> Co-authored-by: Istio Automation <[email protected]> Co-authored-by: John Howard <[email protected]> Co-authored-by: Zhonghu Xu <[email protected]> Co-authored-by: Xiaopeng Han <[email protected]> Co-authored-by: Eric Van Norman <[email protected]> Co-authored-by: zirain <[email protected]> Co-authored-by: Jongwoo Han <[email protected]> Co-authored-by: Kalya Subramanian <[email protected]> Co-authored-by: Faseela K <[email protected]> Co-authored-by: jacob-delgado <[email protected]> Co-authored-by: cebernardi <[email protected]> Co-authored-by: Rajat Sharma <[email protected]> Co-authored-by: Costin Manolache <[email protected]> Co-authored-by: pmerrison <[email protected]> Co-authored-by: Yaroslav Skopets <[email protected]> Co-authored-by: my-git9 <[email protected]> Co-authored-by: Ikumi Nakamura <[email protected]> Co-authored-by: Yossi Mesika <[email protected]> Co-authored-by: Yanqiang Miao <[email protected]> Co-authored-by: Ingwon Song <[email protected]> Co-authored-by: zengyuxing <[email protected]> Co-authored-by: Yossi Mesika <[email protected]> Co-authored-by: john-a-joyce <[email protected]> Co-authored-by: pmerrison <[email protected]> Co-authored-by: Peter Jausovec <[email protected]> Co-authored-by: Nicole LiHui <[email protected]> Co-authored-by: John Mazzitelli <[email protected]> Co-authored-by: akshayjnambiar <[email protected]> Co-authored-by: Greg Hanson <[email protected]> Co-authored-by: Mitch Connors <[email protected]> Co-authored-by: Rui Gu <[email protected]> Co-authored-by: Akshay J Nambiar <[email protected]> Co-authored-by: Rama Chavali <[email protected]> Co-authored-by: Rohit Agarwal <[email protected]> Co-authored-by: Jacek Ewertowski <[email protected]> Co-authored-by: Siyi Wang <[email protected]> Co-authored-by: Ben Leggett <[email protected]> Co-authored-by: github-actions <[email protected]> Co-authored-by: Ingwon Song <[email protected]> Co-authored-by: Jackie Elliott <[email protected]> Co-authored-by: Dwayne Schultz <[email protected]> Co-authored-by: Lei Tang <[email protected]> Co-authored-by: zhaohuabing <[email protected]> Co-authored-by: jaellio <[email protected]> Co-authored-by: Riya Sinha <[email protected]> Co-authored-by: Adam Sayah <[email protected]> Co-authored-by: Kuat Yessenov <[email protected]> Co-authored-by: Hemendra Teli <[email protected]> Co-authored-by: Sergii Shapar <[email protected]> Co-authored-by: zirain <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Please provide a description of this PR:
Mostly readme additions, attempting to simplify the install for Calico.
For Ztunnel, the default is set to 0.0.0.0 - we have other docs suggesting a more complex install that
only allows impersonation for the pod range, but ztunnel may need to also set it for other clusters,
east-west and even ingress. So far not clear how IPv6 will be handled.