diff --git a/Makefile.core.mk b/Makefile.core.mk index 93c6e1e49c7b..8a47a4c44da2 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -49,7 +49,7 @@ endif export VERSION # Base version of Istio image to use -BASE_VERSION ?= master-2024-04-19T19-01-19 +BASE_VERSION ?= 1.22-2024-04-26T19-01-49 ISTIO_BASE_REGISTRY ?= gcr.io/istio-release export GO111MODULE ?= on diff --git a/go.mod b/go.mod index 96fd5ae0c274..a776502d0cad 100644 --- a/go.mod +++ b/go.mod @@ -19,13 +19,13 @@ require ( github.com/census-instrumentation/opencensus-proto v0.4.1 github.com/cespare/xxhash/v2 v2.3.0 github.com/cheggaaa/pb/v3 v3.1.5 - github.com/cncf/xds/go v0.0.0-20240329184929-0c46c01016dc + github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b github.com/containernetworking/cni v1.1.2 github.com/containernetworking/plugins v1.4.1 github.com/coreos/go-oidc/v3 v3.10.0 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc github.com/docker/cli v26.0.0+incompatible - github.com/envoyproxy/go-control-plane v0.12.1-0.20240419124334-0cebb2f428b3 + github.com/envoyproxy/go-control-plane v0.12.1-0.20240425230418-212e93054f1a github.com/evanphx/json-patch/v5 v5.9.0 github.com/fatih/color v1.16.0 github.com/felixge/fgprof v0.9.4 diff --git a/go.sum b/go.sum index 93460b275902..596ae0b204a3 100644 --- a/go.sum +++ b/go.sum 
@@ -109,8 +109,8 @@ github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38 github.com/cilium/ebpf v0.5.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/xds/go v0.0.0-20240329184929-0c46c01016dc h1:Xo7J+m6Iq9pGYXnooTSpxZ11PzNzI7cKU9V81dpKSRQ= -github.com/cncf/xds/go v0.0.0-20240329184929-0c46c01016dc/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b h1:ga8SEFjZ60pxLcmhnThWgvH2wg8376yUJmPhEH4H3kw= +github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G/ZW/0kEe2oEKCdS/ZxIyoCU= github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk= 
@@ -180,8 +180,8 @@ github.com/emicklei/go-restful/v3 v3.11.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRr github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/go-control-plane v0.12.1-0.20240419124334-0cebb2f428b3 h1:/eklMEyfPvB7C8dULCt9GYwpYDy6shwe7vqHMS+82bI= -github.com/envoyproxy/go-control-plane v0.12.1-0.20240419124334-0cebb2f428b3/go.mod h1:rlr50u7tACJ1Y9jCUMndkfLvGCAX3fWXVVAkj+OfzT4= +github.com/envoyproxy/go-control-plane v0.12.1-0.20240425230418-212e93054f1a h1:OmSlDWdXUzNgoMWOtrcEAmiO9BxTt6cGotwz7cZwIyw= +github.com/envoyproxy/go-control-plane v0.12.1-0.20240425230418-212e93054f1a/go.mod h1:5Wkq+JduFtdAXihLmeTJf+tRYIT4KBc2vPXDhwVo1pA= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= diff --git a/istio.deps b/istio.deps index cc683fe43f16..73f5985cbb93 100644 --- a/istio.deps +++ b/istio.deps @@ -11,6 +11,6 @@ "name": "ZTUNNEL_REPO_SHA", "repoName": "ztunnel", "file": "", - "lastStableSHA": "4549e63e2d5120c4a386ea41288dd08b9f823fc9" + "lastStableSHA": "56a4f6543927ff8708d5c1f018cb71b046abef38" } ] diff --git a/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml b/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml index 09fcd11cd992..7290fcdcac4f 100644 --- a/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml +++ b/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml 
@@ -81,7 +81,7 @@ spec:
 value: grpc
 - name: OUTPUT_CERTS
 value: /var/lib/istio/data
-{{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }}
+{{- if eq .InboundTrafficPolicyMode "localhost" }}
 - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
 value: "true"
 {{- end }}
diff --git a/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml b/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml
index 7eed32b76272..248b7ad2f653 100644
--- a/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml
+++ b/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml
@@ -238,7 +238,7 @@ spec:
 - drain
 {{- end }}
 env:
-{{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }}
+{{- if eq .InboundTrafficPolicyMode "localhost" }}
 - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
 value: "true"
 {{- end }}
diff --git a/manifests/charts/istiod-remote/files/injection-template.yaml b/manifests/charts/istiod-remote/files/injection-template.yaml
index 7eed32b76272..248b7ad2f653 100644
--- a/manifests/charts/istiod-remote/files/injection-template.yaml
+++ b/manifests/charts/istiod-remote/files/injection-template.yaml
@@ -238,7 +238,7 @@ spec:
 - drain
 {{- end }}
 env:
-{{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }}
+{{- if eq .InboundTrafficPolicyMode "localhost" }}
 - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
 value: "true"
 {{- end }}
diff --git a/pilot/pkg/leaderelection/leaderelection_test.go b/pilot/pkg/leaderelection/leaderelection_test.go
index d105ca31c034..2182978756a9 100644
--- a/pilot/pkg/leaderelection/leaderelection_test.go
+++ b/pilot/pkg/leaderelection/leaderelection_test.go
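Review bot: The new condition compares `.InboundTrafficPolicyMode` against the lowercase literal `localhost`, so it only fires if the injector lowercases the mesh-config enum before rendering; the `hello-probes-localhost.yaml.injected` fixture added in this commit (rendered from `Mode: ..._LOCALHOST` and containing `REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION`) confirms that for the sidecar template, but nothing here exercises the `grpc-agent.yaml` copy. The old expression looked up an env var named after the mode value and compared it to `passthrough`, which is why the variable was presumably never emitted; a template comment would stop that from being reintroduced: `{{- /* InboundTrafficPolicyMode is the lowercased mesh-config InboundTrafficPolicy mode; "localhost" turns on legacy probe rewriting in the agent */ -}}`. The same block is duplicated verbatim across three charts and the generated test inputs, so any later change must land in all copies.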
@@ -78,9 +78,8 @@ func createElectionMulticluster(t *testing.T,
 cycle: atomic.NewInt32(0),
 enabled: true,
 }
-gotLeader := make(chan struct{})
 l.AddRunFunction(func(stop <-chan struct{}) {
-gotLeader <- struct{}{}
+<-stop
 })
 for _, fn := range fns {
 l.AddRunFunction(fn)
diff --git a/pilot/pkg/leaderelection/leak_test.go b/pilot/pkg/leaderelection/leak_test.go
new file mode 100644
index 000000000000..b51239f4e47e
--- /dev/null
+++ b/pilot/pkg/leaderelection/leak_test.go
@@ -0,0 +1,26 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package leaderelection
+
+import (
+"testing"
+
+"istio.io/istio/tests/util/leak"
+)
+
+func TestMain(m *testing.M) {
+// CheckMain asserts that no goroutines are leaked after a test package exits.
+leak.CheckMain(m)
+}
diff --git a/pilot/pkg/server/instance_test.go b/pilot/pkg/server/instance_test.go
index 2448b20be54b..71ba0ef41072 100644
--- a/pilot/pkg/server/instance_test.go
+++ b/pilot/pkg/server/instance_test.go
@@ -159,9 +159,12 @@ func newFakeComponent(d time.Duration) *fakeComponent {
 }
 }
 
-func (c *fakeComponent) Run(_ <-chan struct{}) error {
+func (c *fakeComponent) Run(stop <-chan struct{}) error {
 c.started.Store(true)
-time.Sleep(c.d)
+select {
+case <-time.After(c.d):
+case <-stop:
+}
 c.completed.Store(true)
 return nil
 }
diff --git a/pilot/pkg/server/leak_test.go b/pilot/pkg/server/leak_test.go
new file mode 100644
index 000000000000..68df4fb1cf52
--- /dev/null
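Review bot: In the instance_test.go hunk, `c.completed.Store(true)` runs on both arms of the new `select`, so a component cut short by `stop` is indistinguishable from one that ran for its full `c.d`; if any assertion in this file (the rest of instance_test.go is outside the hunk) reads `completed` as "finished its work", the `stop` arm should return before the store, e.g. `case <-stop: return nil`. If the conflation is intended, say so next to the select: `// completed is set even when interrupted by stop; tests only need Run to return`. The `time.After` timer is left pending after an early stop; `t := time.NewTimer(c.d); defer t.Stop()` is the conventional form, although a pending runtime timer is not a goroutine and so should not trip the `leak.CheckMain` added in this commit.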
+++ b/pilot/pkg/server/leak_test.go
@@ -0,0 +1,26 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package server
+
+import (
+"testing"
+
+"istio.io/istio/tests/util/leak"
+)
+
+func TestMain(m *testing.M) {
+// CheckMain asserts that no goroutines are leaked after a test package exits.
+leak.CheckMain(m)
+}
diff --git a/pilot/pkg/serviceregistry/aggregate/controller_test.go b/pilot/pkg/serviceregistry/aggregate/controller_test.go
index 89d6eea0da80..6f39b063e471 100644
--- a/pilot/pkg/serviceregistry/aggregate/controller_test.go
+++ b/pilot/pkg/serviceregistry/aggregate/controller_test.go
@@ -443,7 +443,7 @@ func TestDeferredRun(t *testing.T) {
 
 t.Run("AddRegistry before aggregate Run does not run", func(t *testing.T) {
 ctrl.AddRegistry(runnableRegistry("earlyAdd"))
-ctrl.AddRegistryAndRun(runnableRegistry("earlyAddAndRun"), nil)
+ctrl.AddRegistryAndRun(runnableRegistry("earlyAddAndRun"), stop)
 expectRunningOrFail(t, ctrl, false)
 })
 t.Run("aggregate Run starts all registries", func(t *testing.T) {
@@ -459,7 +459,7 @@ func TestDeferredRun(t *testing.T) {
 expectRunningOrFail(t, ctrl, true)
 })
 t.Run("AddRegistryAndRun after aggregate Run starts registry", func(t *testing.T) {
-ctrl.AddRegistryAndRun(runnableRegistry("late"), nil)
+ctrl.AddRegistryAndRun(runnableRegistry("late"), stop)
 expectRunningOrFail(t, ctrl, true)
 })
 }
diff --git a/pilot/pkg/serviceregistry/aggregate/leak_test.go b/pilot/pkg/serviceregistry/aggregate/leak_test.go
new file mode 100644
index 000000000000..c1b4fbde27b7
--- /dev/null
+++ b/pilot/pkg/serviceregistry/aggregate/leak_test.go
@@ -0,0 +1,26 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package aggregate
+
+import (
+"testing"
+
+"istio.io/istio/tests/util/leak"
+)
+
+func TestMain(m *testing.M) {
+// CheckMain asserts that no goroutines are leaked after a test package exits.
+leak.CheckMain(m)
+}
diff --git a/pilot/pkg/xds/endpoints/endpoint_builder.go b/pilot/pkg/xds/endpoints/endpoint_builder.go
index 6d5e064c62c8..b9900787a0a3 100644
--- a/pilot/pkg/xds/endpoints/endpoint_builder.go
+++ b/pilot/pkg/xds/endpoints/endpoint_builder.go
@@ -40,6 +40,7 @@ import (
 "istio.io/istio/pkg/network"
 "istio.io/istio/pkg/slices"
 "istio.io/istio/pkg/util/hash"
+netutil "istio.io/istio/pkg/util/net"
 )
 
 var (
@@ -337,6 +338,13 @@ func (b *EndpointBuilder) BuildClusterLoadAssignment(endpointIndex *model.Endpoi
 if svcPort.Name != ep.ServicePortName {
 return false
 }
+// filter out endpoint that has invalid ip address, mostly domain name. Because this is generated from ServiceEntry.
+// There are other two cases that should not be filtered out:
+// 1. ep.Address can be empty since https://github.com/istio/istio/pull/45150, in this case we will replace it with gateway ip.
+// 2. ep.Address can be uds when EndpointPort = 0
+if ep.Address != "" && ep.EndpointPort != 0 && !netutil.IsValidIPAddress(ep.Address) {
+return false
+}
 // filter out endpoints that don't match the subset
 if !b.subsetLabels.SubsetOf(ep.Labels) {
 return false
diff --git a/pilot/pkg/xds/endpoints/ep_filters_test.go b/pilot/pkg/xds/endpoints/ep_filters_test.go
index cbf958564fb4..2b4afedabe0d 100644
--- a/pilot/pkg/xds/endpoints/ep_filters_test.go
+++ b/pilot/pkg/xds/endpoints/ep_filters_test.go
@@ -834,6 +834,7 @@ func testShards() *model.EndpointIndex {
 // network1 has one endpoint in each cluster
 {Cluster: "cluster1a"}: {
 {Network: "network1", Address: "10.0.0.1"},
+{Network: "network1", Address: "foo.bar"}, // endpoint generated from ServiceEntry
 },
 {Cluster: "cluster1b"}: {
 {Network: "network1", Address: "10.0.0.2"},
diff --git a/pkg/config/validation/validation.go b/pkg/config/validation/validation.go
index ece134619459..394d37c4c89b 100644
--- a/pkg/config/validation/validation.go
+++ b/pkg/config/validation/validation.go
@@ -2498,7 +2498,7 @@ var ValidateWorkloadEntry = RegisterValidateFunc("ValidateWorkloadEntry",
 return validateWorkloadEntry(we, nil, true).Unwrap()
 })
 
-func validateWorkloadEntry(we *networking.WorkloadEntry, servicePorts map[string]bool, allowFQDNAddresses bool) Validation {
+func validateWorkloadEntry(we *networking.WorkloadEntry, servicePorts sets.String, allowFQDNAddresses bool) Validation {
 errs := Validation{}
 unixEndpoint := false
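Review bot: The new guard in BuildClusterLoadAssignment drops the endpoint silently, so a ServiceEntry whose endpoints carry hostnames simply disappears from EDS with nothing for an operator to find; a debug-level log naming `ep.Address` and the service at the `return false` would make that diagnosable. The `ep.EndpointPort != 0` escape also bypasses validation for every port-0 endpoint, not only UDS ones, so the comment's case 2 understates it — `// 2. EndpointPort == 0 is taken to mean a UDS address and is never validated` says what the code does. Whether `netutil.IsValidIPAddress` accepts bracketed or zone-qualified IPv6 literals is not visible here; if it does not, such endpoints are now filtered too, which deserves a test case next to the `foo.bar` shard added in ep_filters_test. The enclosing function starts and ends outside the hunk.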
@@ -2530,7 +2530,7 @@ func validateWorkloadEntry(we *networking.WorkloadEntry, servicePorts map[string
 errs = AppendValidation(errs, labels.Instance(we.Labels).Validate())
 
 for name, port := range we.Ports {
-if servicePorts != nil && !servicePorts[name] {
+if servicePorts != nil && !servicePorts.Contains(name) {
 errs = AppendValidation(errs, fmt.Errorf("endpoint port %v is not defined by the service entry", port))
 }
 errs = AppendValidation(errs,
@@ -2678,21 +2678,19 @@ var ValidateServiceEntry = RegisterValidateFunc("ValidateServiceEntry",
 }
 }
 
-servicePortNumbers := make(map[uint32]bool)
-servicePorts := make(map[string]bool, len(serviceEntry.Ports))
+servicePortNumbers := sets.New[uint32]()
+servicePorts := sets.NewWithLength[string](len(serviceEntry.Ports))
 for _, port := range serviceEntry.Ports {
 if port == nil {
 errs = AppendValidation(errs, fmt.Errorf("service entry port may not be null"))
 continue
 }
-if servicePorts[port.Name] {
+if servicePorts.InsertContains(port.Name) {
 errs = AppendValidation(errs, fmt.Errorf("service entry port name %q already defined", port.Name))
 }
-servicePorts[port.Name] = true
-if servicePortNumbers[port.Number] {
+if servicePortNumbers.InsertContains(port.Number) {
 errs = AppendValidation(errs, fmt.Errorf("service entry port %d already defined", port.Number))
 }
-servicePortNumbers[port.Number] = true
 if port.TargetPort != 0 {
 errs = AppendValidation(errs, agent.ValidatePort(int(port.TargetPort)))
 if serviceEntry.Resolution == networking.ServiceEntry_NONE && !features.PassthroughTargetPort {
@@ -2754,7 +2752,7 @@ var ValidateServiceEntry = RegisterValidateFunc("ValidateServiceEntry",
 errs = AppendValidation(errs, labels.Instance(endpoint.Labels).Validate())
 
 for name, port := range endpoint.Ports {
-if !servicePorts[name] {
+if !servicePorts.Contains(name) {
 errs = AppendValidation(errs, fmt.Errorf("endpoint port %v is not defined by the service entry", port))
 }
 errs = AppendValidation(errs,
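Review bot: The `servicePorts != nil` sentinel in validateWorkloadEntry (hunk at -2530) now carries a nil-versus-empty distinction on a set type: `ValidateWorkloadEntry` passes `nil` to skip the port-name check, while a set built with `sets.NewWithLength` is non-nil even when `len(serviceEntry.Ports)` is 0 and would reject every endpoint port as undefined. That contract is easy to break with an innocent `sets.New[string]()` at some caller, so document it on the parameter: `// servicePorts: nil disables the port-name check; an empty set rejects every endpoint port.` The `InsertContains` rewrite preserves the old behaviour, including reporting a second port with an empty name as `already defined`, which may or may not be intended. The signature of validateWorkloadEntry and the body of ValidateServiceEntry lie outside these hunks.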
diff --git a/pkg/kube/inject/inject_test.go b/pkg/kube/inject/inject_test.go
index 1020032d7545..a53fb001ca98 100644
--- a/pkg/kube/inject/inject_test.go
+++ b/pkg/kube/inject/inject_test.go
@@ -358,6 +358,16 @@ func TestInjection(t *testing.T) {
 test.SetEnvForTest(t, platform.Platform.Name, platform.OpenShift)
 },
 },
+{
+// Validates localhost probes get injected correctly
+in: "hello-probes-localhost.yaml",
+want: "hello-probes-localhost.yaml.injected",
+mesh: func(m *meshapi.MeshConfig) {
+m.InboundTrafficPolicy = &meshapi.MeshConfig_InboundTrafficPolicy{
+Mode: meshapi.MeshConfig_InboundTrafficPolicy_LOCALHOST,
+}
+},
+},
 }
 // Keep track of tests we add options above
 // We will search for all test files and skip these ones
diff --git a/pkg/kube/inject/leak_test.go b/pkg/kube/inject/leak_test.go
new file mode 100644
index 000000000000..89c65ec585ef
--- /dev/null
+++ b/pkg/kube/inject/leak_test.go
@@ -0,0 +1,26 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package inject
+
+import (
+"testing"
+
+"istio.io/istio/tests/util/leak"
+)
+
+func TestMain(m *testing.M) {
+// CheckMain asserts that no goroutines are leaked after a test package exits.
+leak.CheckMain(m)
+}
diff --git a/pkg/kube/inject/testdata/inject/hello-probes-localhost.yaml b/pkg/kube/inject/testdata/inject/hello-probes-localhost.yaml
new file mode 100644
index 000000000000..1804ebbdafe3
--- /dev/null
+++ b/pkg/kube/inject/testdata/inject/hello-probes-localhost.yaml @@ -0,0 +1,43 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: hello +spec: + replicas: 7 + selector: + matchLabels: + app: hello + tier: backend + track: stable + template: + metadata: + labels: + app: hello + tier: backend + track: stable + spec: + containers: + - name: hello + image: "fake.docker.io/google-samples/hello-go-gke:1.0" + ports: + - name: http + containerPort: 80 + livenessProbe: + httpGet: + port: http + readinessProbe: + httpGet: + port: 3333 + - name: world + image: "fake.docker.io/google-samples/hello-go-gke:1.0" + ports: + - name: http + containerPort: 90 + livenessProbe: + httpGet: + port: http + readinessProbe: + exec: + command: + - cat + - /tmp/healthy diff --git a/pkg/kube/inject/testdata/inject/hello-probes-localhost.yaml.injected b/pkg/kube/inject/testdata/inject/hello-probes-localhost.yaml.injected new file mode 100644 index 000000000000..ae732188e292 --- /dev/null +++ b/pkg/kube/inject/testdata/inject/hello-probes-localhost.yaml.injected 
@@ -0,0 +1,267 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + name: hello +spec: + replicas: 7 + selector: + matchLabels: + app: hello + tier: backend + track: stable + strategy: {} + template: + metadata: + annotations: + istio.io/rev: default + kubectl.kubernetes.io/default-container: hello + kubectl.kubernetes.io/default-logs-container: hello + prometheus.io/path: /stats/prometheus + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}' + creationTimestamp: null + labels: + app: hello + security.istio.io/tlsMode: istio + service.istio.io/canonical-name: hello + service.istio.io/canonical-revision: latest + tier: backend + track: stable + spec: + containers: + - image: fake.docker.io/google-samples/hello-go-gke:1.0 + livenessProbe: + httpGet: + path: /app-health/hello/livez + port: 15020 + name: hello + ports: + - containerPort: 80 + name: http + readinessProbe: + httpGet: + path: /app-health/hello/readyz + port: 15020 + resources: {} + - image: fake.docker.io/google-samples/hello-go-gke:1.0 + livenessProbe: + httpGet: + path: /app-health/world/livez + port: 15020 + name: world + ports: + - containerPort: 90 + name: http + readinessProbe: + exec: + command: + - cat + - /tmp/healthy + resources: {} + - args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --proxyLogLevel=warning + - --proxyComponentLogLevel=misc:error + - --log_output_level=default:info + env: + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + - name: PILOT_CERT_PROVIDER + value: istiod + - name: CA_ADDR + value: istiod.istio-system.svc:15012 + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + 
valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + divisor: "0" + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {"name":"http","containerPort":80} + ,{"name":"http","containerPort":90} + ] + - name: ISTIO_META_APP_CONTAINERS + value: hello,world + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + divisor: "0" + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + divisor: "0" + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: Kubernetes + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: hello + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/default/deployments/hello + - name: ISTIO_META_MESH_ID + value: cluster.local + - name: TRUST_DOMAIN + value: cluster.local + - name: ISTIO_KUBE_APP_PROBERS + value: '{"/app-health/hello/livez":{"httpGet":{"port":80}},"/app-health/hello/readyz":{"httpGet":{"port":3333}},"/app-health/world/livez":{"httpGet":{"port":90}}}' + image: gcr.io/istio-testing/proxyv2:latest + name: istio-proxy + ports: + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + periodSeconds: 15 + timeoutSeconds: 3 + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true + runAsUser: 1337 + startupProbe: + 
failureThreshold: 600 + httpGet: + path: /healthz/ready + port: 15021 + periodSeconds: 1 + timeoutSeconds: 3 + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/credential-uds + name: credential-socket + - mountPath: /var/run/secrets/workload-spiffe-credentials + name: workload-certs + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + initContainers: + - args: + - istio-iptables + - -p + - "15001" + - -z + - "15006" + - -u + - "1337" + - -m + - REDIRECT + - -i + - '*' + - -x + - "" + - -b + - '*' + - -d + - 15090,15021,15020 + - --log_output_level=default:info + image: gcr.io/istio-testing/proxyv2:latest + name: istio-init + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + volumes: + - name: workload-socket + - name: credential-socket + - name: workload-certs + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: {} + name: istio-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio-ca-root-cert + name: istiod-ca-cert +status: {} +--- 
diff --git a/pkg/kube/inject/testdata/inputs/custom-template.yaml.37.template.gen.yaml b/pkg/kube/inject/testdata/inputs/custom-template.yaml.37.template.gen.yaml index 997df3633465..b556719e81b3 100644 --- a/pkg/kube/inject/testdata/inputs/custom-template.yaml.37.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/custom-template.yaml.37.template.gen.yaml @@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} @@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/default.template.gen.yaml b/pkg/kube/inject/testdata/inputs/default.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 --- a/pkg/kube/inject/testdata/inputs/default.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/default.template.gen.yaml @@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} @@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/enable-core-dump.yaml.5.template.gen.yaml b/pkg/kube/inject/testdata/inputs/enable-core-dump.yaml.5.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 
--- a/pkg/kube/inject/testdata/inputs/enable-core-dump.yaml.5.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/enable-core-dump.yaml.5.template.gen.yaml @@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} @@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks-json.yaml.16.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks-json.yaml.16.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 --- a/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks-json.yaml.16.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks-json.yaml.16.template.gen.yaml @@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} @@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks.yaml.15.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks.yaml.15.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 
--- a/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks.yaml.15.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks.yaml.15.template.gen.yaml @@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} @@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/hello-image-pull-secret.yaml.11.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-image-pull-secret.yaml.11.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 --- a/pkg/kube/inject/testdata/inputs/hello-image-pull-secret.yaml.11.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello-image-pull-secret.yaml.11.template.gen.yaml @@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} @@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/hello-openshift.yaml.44.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-openshift.yaml.44.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 --- a/pkg/kube/inject/testdata/inputs/hello-openshift.yaml.44.template.gen.yaml 
+++ b/pkg/kube/inject/testdata/inputs/hello-openshift.yaml.44.template.gen.yaml @@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} @@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/hello-probes-noProxyHoldApplication-ProxyConfig.yaml.20.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-probes-noProxyHoldApplication-ProxyConfig.yaml.20.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 --- a/pkg/kube/inject/testdata/inputs/hello-probes-noProxyHoldApplication-ProxyConfig.yaml.20.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello-probes-noProxyHoldApplication-ProxyConfig.yaml.20.template.gen.yaml @@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} @@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/hello-probes.yaml.18.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-probes.yaml.18.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 --- a/pkg/kube/inject/testdata/inputs/hello-probes.yaml.18.template.gen.yaml 
+++ b/pkg/kube/inject/testdata/inputs/hello-probes.yaml.18.template.gen.yaml @@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} @@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.0.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.0.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.0.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.0.template.gen.yaml @@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} @@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.1.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.1.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.1.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.1.template.gen.yaml 
@@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} @@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.10.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.10.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.10.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.10.template.gen.yaml @@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} @@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.12.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.12.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.12.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.12.template.gen.yaml 
@@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} @@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.13.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.13.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.13.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.13.template.gen.yaml @@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} @@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.14.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.14.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.14.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.14.template.gen.yaml 
@@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} @@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.17.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.17.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.17.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.17.template.gen.yaml @@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} @@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.3.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.3.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.3.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.3.template.gen.yaml @@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} 
@@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.4.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.4.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.4.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.4.template.gen.yaml @@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} @@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/kubevirtInterfaces.yaml.9.template.gen.yaml b/pkg/kube/inject/testdata/inputs/kubevirtInterfaces.yaml.9.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 --- a/pkg/kube/inject/testdata/inputs/kubevirtInterfaces.yaml.9.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/kubevirtInterfaces.yaml.9.template.gen.yaml @@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} 
@@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/merge-probers.yaml.40.template.gen.yaml b/pkg/kube/inject/testdata/inputs/merge-probers.yaml.40.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 --- a/pkg/kube/inject/testdata/inputs/merge-probers.yaml.40.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/merge-probers.yaml.40.template.gen.yaml @@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} @@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/status_params.yaml.8.template.gen.yaml b/pkg/kube/inject/testdata/inputs/status_params.yaml.8.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 --- a/pkg/kube/inject/testdata/inputs/status_params.yaml.8.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/status_params.yaml.8.template.gen.yaml @@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} 
@@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/testdata/inputs/traffic-params.yaml.7.template.gen.yaml b/pkg/kube/inject/testdata/inputs/traffic-params.yaml.7.template.gen.yaml index c9c06bfec54f..5f23c0fe2d42 100644 --- a/pkg/kube/inject/testdata/inputs/traffic-params.yaml.7.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/traffic-params.yaml.7.template.gen.yaml @@ -249,7 +249,7 @@ templates: - drain {{- end }} env: - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} @@ -948,7 +948,7 @@ templates: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} diff --git a/pkg/kube/inject/watcher_test.go b/pkg/kube/inject/watcher_test.go index 55c76ab8cd7d..b1bebd19903e 100644 --- a/pkg/kube/inject/watcher_test.go +++ b/pkg/kube/inject/watcher_test.go @@ -26,6 +26,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "istio.io/istio/pkg/kube" + "istio.io/istio/pkg/test" ) const ( @@ -82,7 +83,7 @@ func TestNewConfigMapWatcher(t *testing.T) { newValues = values return nil }) - stop := make(chan struct{}) + stop := test.NewStop(t) go w.Run(stop) controller := w.(*configMapWatcher).c client.RunAndWait(stop) diff --git a/pkg/kube/kclient/client_test.go b/pkg/kube/kclient/client_test.go index b785509ac6b6..856eb3a103fe 100644 --- a/pkg/kube/kclient/client_test.go +++ b/pkg/kube/kclient/client_test.go 
@@ -280,6 +280,7 @@ func TestErrorHandler(t *testing.T) {
 c.Kube().(*fake.Clientset).Fake.PrependReactor("*", "*", func(action k8stesting.Action) (bool, runtime.Object, error) {
 return true, nil, fmt.Errorf("nope, out of luck")
 })
+ c.RunAndWait(test.NewStop(t))
 deployments := kclient.New[*appsv1.Deployment](c)
 deployments.Start(test.NewStop(t))
 mt.Assert("controller_sync_errors_total", map[string]string{"cluster": "fake"}, monitortest.AtLeast(1))
@@ -288,6 +289,7 @@ func TestToOpts(t *testing.T) {
 test.SetForTest(t, &features.InformerWatchNamespace, "istio-system")
 c := kube.NewFakeClient()
+ c.RunAndWait(test.NewStop(t))
 cases := []struct {
 name string
 gvr schema.GroupVersionResource
diff --git a/pkg/kube/kclient/leak_test.go b/pkg/kube/kclient/leak_test.go
new file mode 100644
index 000000000000..33d7f10c967d
--- /dev/null
+++ b/pkg/kube/kclient/leak_test.go
@@ -0,0 +1,26 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package kclient
+
+import (
+ "testing"
+
+ "istio.io/istio/tests/util/leak"
+)
+
+func TestMain(m *testing.M) {
+ // CheckMain asserts that no goroutines are leaked after a test package exits.
+ leak.CheckMain(m)
+}
diff --git a/pkg/kube/krt/collection_test.go b/pkg/kube/krt/collection_test.go
index e2783d97d349..3033ceb2644a 100644
--- a/pkg/kube/krt/collection_test.go
+++ b/pkg/kube/krt/collection_test.go
@@ -212,7 +212,7 @@ func TestCollectionInitialState(t *testing.T) {
 )
 pods := krt.NewInformer[*corev1.Pod](c)
 services := krt.NewInformer[*corev1.Service](c)
- stop := make(chan struct{})
+ stop := test.NewStop(t)
 c.RunAndWait(stop)
 SimplePods := SimplePodCollection(pods)
 SimpleServices := SimpleServiceCollection(services)
diff --git a/pkg/kube/krt/leak_test.go b/pkg/kube/krt/leak_test.go
new file mode 100644
index 000000000000..ac2df5e5f365
--- /dev/null
+++ b/pkg/kube/krt/leak_test.go
@@ -0,0 +1,26 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package krt
+
+import (
+ "testing"
+
+ "istio.io/istio/tests/util/leak"
+)
+
+func TestMain(m *testing.M) {
+ // CheckMain asserts that no goroutines are leaked after a test package exits.
+ leak.CheckMain(m)
+}
diff --git a/releasenotes/notes/50688.yaml b/releasenotes/notes/50688.yaml
new file mode 100644
index 000000000000..bb437e467d95
--- /dev/null
+++ b/releasenotes/notes/50688.yaml
@@ -0,0 +1,8 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: traffic-management
+issue:
+ - 50688
+releaseNotes:
+- |
+ **Fixed** build EDS typed cluster endpoints with domain address.
diff --git a/releasenotes/notes/50700.yaml b/releasenotes/notes/50700.yaml
new file mode 100644
index 000000000000..1fd718ea5fda
--- /dev/null
+++ b/releasenotes/notes/50700.yaml
@@ -0,0 +1,9 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: traffic-management
+issue:
+ - 50700
+
+releaseNotes:
+- |
+ **Fixed** a bug where injection template incorrectly evaluates when InboundTrafficPolicy is set to "localhost".
\ No newline at end of file
diff --git a/tests/integration/ambient/cnirepair/main_test.go b/tests/integration/ambient/cnirepair/main_test.go
new file mode 100644
index 000000000000..9a061e11565f
--- /dev/null
+++ b/tests/integration/ambient/cnirepair/main_test.go
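Review bot: The new `c.RunAndWait(test.NewStop(t))` in `TestErrorHandler` is unexplained; read alongside the `leak.CheckMain` added in `leak_test.go` for this package it appears to exist so the fake client's goroutines are bound to a test-scoped stop channel rather than leaking, and that intent deserves a comment such as `// Start the fake client under a test-scoped stop channel so its goroutines are torn down before the package leak check runs.` The same line in `TestToOpts` would take the same comment. `TestErrorHandler` now creates two stop channels (one here, one for `deployments.Start`); a single `stop := test.NewStop(t)` shared by both calls would make the lifetime clearer. Both enclosing functions start outside the hunk.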
@@ -0,0 +1,208 @@
+//go:build integ
+// +build integ
+
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cnirepair
+
+import (
+ "testing"
+
+ "istio.io/istio/pkg/config/constants"
+ "istio.io/istio/pkg/test/framework"
+ "istio.io/istio/pkg/test/framework/components/echo"
+ common_deploy "istio.io/istio/pkg/test/framework/components/echo/common/deployment"
+ "istio.io/istio/pkg/test/framework/components/echo/common/ports"
+ "istio.io/istio/pkg/test/framework/components/echo/deployment"
+ "istio.io/istio/pkg/test/framework/components/echo/match"
+ "istio.io/istio/pkg/test/framework/components/istio"
+ "istio.io/istio/pkg/test/framework/components/namespace"
+ "istio.io/istio/pkg/test/framework/label"
+ "istio.io/istio/pkg/test/framework/resource"
+ "istio.io/istio/pkg/test/scopes"
+ "istio.io/istio/tests/integration/pilot/common"
+ "istio.io/istio/tests/integration/security/util/cert"
+)
+
+var (
+ i istio.Instance
+
+ // Below are various preconfigured echo deployments. Whenever possible, tests should utilize these
+ // to avoid excessive creation/tear down of deployments. In general, a test should only deploy echo if
+ // its doing something unique to that specific test.
+ apps = &EchoDeployments{}
+)
+
+type EchoDeployments struct {
+ // Namespace echo apps will be deployed
+ Namespace namespace.Instance
+ // Captured echo service
+ Captured echo.Instances
+ // Uncaptured echo Service
+ Uncaptured echo.Instances
+ // SidecarCaptured echo services with sidecar and ambient capture
+ SidecarCaptured echo.Instances
+ // SidecarUncaptured echo services with sidecar and no ambient capture
+ SidecarUncaptured echo.Instances
+
+ // All echo services
+ All echo.Instances
+}
+
+// TestMain defines the entrypoint for pilot tests using a standard Istio installation.
+// If a test requires a custom install it should go into its own package, otherwise it should go
+// here to reuse a single install across tests.
+func TestMain(m *testing.M) {
+ // nolint: staticcheck
+ framework.
+ NewSuite(m).
+ RequireMinVersion(24).
+ Label(label.IPv4). // https://github.com/istio/istio/issues/41008
+ Setup(func(t resource.Context) error {
+ t.Settings().Ambient = true
+ return nil
+ }).
+ Setup(istio.Setup(&i, func(ctx resource.Context, cfg *istio.Config) {
+ // can't deploy VMs without eastwest gateway
+ ctx.Settings().SkipVMs()
+ cfg.EnableCNI = true
+ cfg.DeployEastWestGW = false
+ cfg.ControlPlaneValues = `
+values:
+ cni:
+ repair:
+ enabled: true
+ ztunnel:
+ terminationGracePeriodSeconds: 5
+ env:
+ SECRET_TTL: 5m
+`
+ }, cert.CreateCASecretAlt)).
+ Setup(func(t resource.Context) error {
+ return SetupApps(t, i, apps)
+ }).
+ Run()
+}
+
+const (
+ Captured = "captured"
+ Uncaptured = "uncaptured"
+ SidecarCaptured = "sidecar-captured"
+ SidecarUncaptured = "sidecar-uncaptured"
+)
+
+func SetupApps(t resource.Context, i istio.Instance, apps *EchoDeployments) error {
+ var err error
+ apps.Namespace, err = namespace.New(t, namespace.Config{
+ Prefix: "echo",
+ Inject: false,
+ Labels: map[string]string{
+ constants.DataplaneMode: "ambient",
+ },
+ })
+ if err != nil {
+ return err
+ }
+
+ builder := deployment.New(t).
+ WithClusters(t.Clusters()...).
+ WithConfig(echo.Config{
+ Service: Captured,
+ Namespace: apps.Namespace,
+ Ports: ports.All(),
+ ServiceAccount: true,
+ Subsets: []echo.SubsetConfig{
+ {
+ Replicas: 1,
+ Version: "v1",
+ },
+ {
+ Replicas: 1,
+ Version: "v2",
+ },
+ },
+ }).
+ WithConfig(echo.Config{
+ Service: Uncaptured,
+ Namespace: apps.Namespace,
+ Ports: ports.All(),
+ ServiceAccount: true,
+ Subsets: []echo.SubsetConfig{
+ {
+ Replicas: 1,
+ Version: "v1",
+ Annotations: echo.NewAnnotations().Set(echo.AmbientType, constants.AmbientRedirectionDisabled),
+ },
+ {
+ Replicas: 1,
+ Version: "v2",
+ Annotations: echo.NewAnnotations().Set(echo.AmbientType, constants.AmbientRedirectionDisabled),
+ },
+ },
+ }).
+ WithConfig(echo.Config{
+ Service: SidecarUncaptured,
+ Namespace: apps.Namespace,
+ Ports: ports.All(),
+ ServiceAccount: true,
+ Subsets: []echo.SubsetConfig{
+ {
+ Replicas: 1,
+ Version: "v1",
+ Annotations: echo.NewAnnotations().Set(echo.AmbientType, constants.AmbientRedirectionDisabled),
+ Labels: map[string]string{
+ "sidecar.istio.io/inject": "true",
+ },
+ },
+ {
+ Replicas: 1,
+ Version: "v2",
+ Annotations: echo.NewAnnotations().Set(echo.AmbientType, constants.AmbientRedirectionDisabled),
+ Labels: map[string]string{
+ "sidecar.istio.io/inject": "true",
+ },
+ },
+ },
+ })
+
+ // Build the applications
+ echos, err := builder.Build()
+ if err != nil {
+ return err
+ }
+ for _, b := range echos {
+ scopes.Framework.Infof("built %v", b.Config().Service)
+ }
+
+ apps.All = echos
+ apps.Uncaptured = match.ServiceName(echo.NamespacedName{Name: Uncaptured, Namespace: apps.Namespace}).GetMatches(echos)
+ apps.Captured = match.ServiceName(echo.NamespacedName{Name: Captured, Namespace: apps.Namespace}).GetMatches(echos)
+ apps.SidecarUncaptured = match.ServiceName(echo.NamespacedName{Name: SidecarUncaptured, Namespace: apps.Namespace}).GetMatches(echos)
+ apps.SidecarCaptured = match.ServiceName(echo.NamespacedName{Name: SidecarCaptured, Namespace: apps.Namespace}).GetMatches(echos)
+
+ return nil
+}
+
+func TestTrafficWithCNIRepair(t *testing.T) {
+ framework.NewTest(t).
+ TopLevel().
+ Run(func(t framework.TestContext) {
+ apps := common_deploy.NewOrFail(t, t, common_deploy.Config{
+ NoExternalNamespace: true,
+ IncludeExtAuthz: false,
+ })
+ common.RunAllTrafficTests(t, i, apps.SingleNamespaceView())
+ })
+}
diff --git a/tests/integration/ambient/main_test.go b/tests/integration/ambient/main_test.go
index b56d2ff6933b..fc1f85e0517c 100644
--- a/tests/integration/ambient/main_test.go
+++ b/tests/integration/ambient/main_test.go
@@ -105,6 +105,12 @@ func TestMain(m *testing.M) {
 cfg.DeployEastWestGW = false
 cfg.ControlPlaneValues = `
 values:
+ cni:
+ # The CNI repair feature is disabled for these tests because this is a controlled environment,
+ # and it is important to catch issues that might otherwise be automatically fixed.
+ # Refer to issue #49207 for more context.
+ repair:
+ enabled: false
 ztunnel:
 terminationGracePeriodSeconds: 5
 env:
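Review bot: `SidecarCaptured` is declared as a constant and an `EchoDeployments` field and is filled in at the end of `SetupApps` (`apps.SidecarCaptured = match.ServiceName(...)`), but no `WithConfig` for that service is ever passed to the builder, so the field is always empty. The `apps` global that `SetupApps` populates is also never read by `TestTrafficWithCNIRepair`, which deploys its own echo set through `common_deploy.NewOrFail`, so the suite creates a namespace and three echo services (two subsets each) that no test exercises. Either drop `EchoDeployments`/`SetupApps` from this package, or add the missing `WithConfig(echo.Config{Service: SidecarCaptured, ...})` with `"sidecar.istio.io/inject": "true"` and ambient capture left enabled, and have the test consume `apps`. The `TestMain` doc comment is also copied from the pilot suite; it should read `// TestMain defines the entrypoint for the ambient CNI-repair tests using a standard Istio installation.`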