Merge pull request istio#5 from openshift-service-mesh-bot/none-maste…

…r-merge_upstream_istio_master-6253864e

Automator: merge upstream changes to openshift-service-mesh/istio@master

istio.deps

@@ -4,7 +4,7 @@
     "name": "PROXY_REPO_SHA",
     "repoName": "proxy",
     "file": "",
-    "lastStableSHA": "015a976db904b2a3830872e405e2184ae00025c8"
+    "lastStableSHA": "22f0f1295c038d8336576455836c420ed2d8d906"
   },
   {
     "_comment": "",

istioctl/pkg/writer/ztunnel/configdump/api.go

@@ -21,22 +21,28 @@ type Locality struct {
 }
 
 type ZtunnelWorkload struct {
-	WorkloadIPs       []string  `json:"workloadIps"`
-	Waypoint          *Waypoint `json:"waypoint"`
-	Protocol          string    `json:"protocol"`
-	Name              string    `json:"name"`
-	Namespace         string    `json:"namespace"`
-	ServiceAccount    string    `json:"serviceAccount"`
-	WorkloadName      string    `json:"workloadName"`
-	WorkloadType      string    `json:"workloadType"`
-	CanonicalName     string    `json:"canonicalName"`
-	CanonicalRevision string    `json:"canonicalRevision"`
-	ClusterID         string    `json:"clusterId"`
-	TrustDomain       string    `json:"trustDomain,omitempty"`
-	Locality          Locality  `json:"locality,omitempty"`
-	Node              string    `json:"node"`
-	Network           string    `json:"network,omitempty"`
-	Status            string    `json:"status"`
+	WorkloadIPs       []string          `json:"workloadIps"`
+	Waypoint          *Waypoint         `json:"waypoint,omitempty"`
+	Protocol          string            `json:"protocol"`
+	Name              string            `json:"name"`
+	Namespace         string            `json:"namespace"`
+	ServiceAccount    string            `json:"serviceAccount"`
+	WorkloadName      string            `json:"workloadName"`
+	WorkloadType      string            `json:"workloadType"`
+	CanonicalName     string            `json:"canonicalName"`
+	CanonicalRevision string            `json:"canonicalRevision"`
+	ClusterID         string            `json:"clusterId"`
+	TrustDomain       string            `json:"trustDomain,omitempty"`
+	Locality          Locality          `json:"locality,omitempty"`
+	Node              string            `json:"node"`
+	Network           string            `json:"network,omitempty"`
+	Status            string            `json:"status"`
+	ApplicationTunnel ApplicationTunnel `json:"applicationTunnel,omitempty"`
+}
+
+type ApplicationTunnel struct {
+	Protocol string  `json:"protocol"`
+	Port     *uint16 `json:"port,omitempty"`
 }
 
 type Waypoint struct {

istioctl/pkg/ztunnelconfig/ztunnelconfig.go

@@ -395,10 +395,10 @@ func logCmd(ctx cli.Context) *cobra.Command {
  istioctl ztunnel-config log
 
  # Update levels of the all loggers for a specific Ztunnel pod
- istioctl ztunnel-config log <pod-name[.namespace]> --level none
+ istioctl ztunnel-config log <pod-name[.namespace]> --level off
 
  # Update levels of the specified loggers for all Ztunnl pods
- istioctl ztunnel-config log --level http:debug,redis:debug
+ istioctl ztunnel-config log --level access:debug,info
 
  # Reset levels of all the loggers to default value (warning)  for a specific Ztunnel pod.
  istioctl ztunnel-config log <pod-name[.namespace]> -r

pkg/envoy/agent.go

@@ -169,6 +169,8 @@ func (a *Agent) terminate() {
 		log.Infof("Checking for active connections...")
 		ticker := time.NewTicker(activeConnectionCheckDelay)
 		defer ticker.Stop()
+
+		retryCount := 0
 	graceful_loop:
 		for range ticker.C {
 			ac, err := a.activeProxyConnections()
@@ -180,9 +182,15 @@ func (a *Agent) terminate() {
 			default:
 				if err != nil {
 					log.Errorf(err.Error())
-					a.abortCh <- errAbort
-					log.Infof("Graceful termination logic ended prematurely, error while obtaining downstream_cx_active stat")
-					break graceful_loop
+					retryCount++
+					// Max retry 5 times
+					if retryCount > 4 {
+						a.abortCh <- errAbort
+						log.Warnf("Graceful termination logic ended prematurely, error while obtaining downstream_cx_active stat (Max retry %d exceeded)", retryCount)
+						break graceful_loop
+					}
+					log.Warnf("Retrying (%d attempt) to obtain active connections...", retryCount)
+					continue graceful_loop
 				}
 				if ac == -1 {
 					log.Info("downstream_cx_active are not available. This either means there are no downstream connection established yet" +
@@ -196,6 +204,8 @@ func (a *Agent) terminate() {
 					break graceful_loop
 				}
 				log.Infof("There are still %d active connections", ac)
+				// reset retry count
+				retryCount = 0
 			}
 		}
 	} else {
@@ -222,7 +232,7 @@ func (a *Agent) terminate() {
 func (a *Agent) activeProxyConnections() (int, error) {
 	adminHost := net.JoinHostPort(a.localhost, strconv.Itoa(a.adminPort))
 	activeConnectionsURL := fmt.Sprintf("http://%s/stats?usedonly&filter=downstream_cx_active$", adminHost)
-	stats, err := http.DoHTTPGet(activeConnectionsURL)
+	stats, err := http.DoHTTPGetWithTimeout(activeConnectionsURL, 2*time.Second)
 	if err != nil {
 		return -1, fmt.Errorf("unable to get listener stats from Envoy : %v", err)
 	}

releasenotes/notes/50596.yaml

@@ -0,0 +1,9 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: traffic-management
+issue:
+  - 50596
+
+releaseNotes:
+- |
+  **Fixed** Added retry logic to make getting envoy metrics more safety on EXIT_ON_ZERO_ACTIVE_CONNECTIONS mode.

security/pkg/nodeagent/caclient/providers/citadel/client.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package caclient
+package citadel
 
 import (
 	"context"

security/pkg/nodeagent/caclient/providers/citadel/client_test.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package caclient
+package citadel
 
 import (
 	"context"

security/pkg/nodeagent/caclient/providers/citadel/leak_test.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package caclient
+package citadel
 
 import (
 	"testing"

security/pkg/nodeagent/caclient/providers/google-cas/client.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package caclient
+package googlecas
 
 import (
 	"context"

security/pkg/nodeagent/caclient/providers/google-cas/client_test.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package caclient
+package googlecas
 
 import (
 	"reflect"

security/pkg/nodeagent/caclient/providers/google/client.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package caclient
+package google
 
 import (
 	"context"

security/pkg/nodeagent/caclient/providers/google/client_test.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package caclient
+package google
 
 import (
 	"fmt"