├── tetrateci ├── docs │ ├── release.md │ ├── credentials.md │ ├── ci_workflow.md │ └── fips.md ├── testing-report.xlsx ├── cleanup_aks_cluster.sh ├── cleanup_gke_cluster.sh ├── cleanup_eks_cluster.sh ├── patches │ ├── common │ │ ├── disable-autoscaling-on-cpu.1.8.patch │ │ ├── disable-vmregistration.1.10.patch │ │ ├── disable-vmregistration.1.8.patch │ │ ├── disable-vmregistration.1.9.patch │ │ ├── fix-version-check.1.9.patch │ │ ├── increase-vm-timeout.1.9.patch │ │ ├── increase-sniffing-timeout.1.9.patch │ │ ├── disable-passthroughfilterchain.1.10.patch │ │ ├── disable-passthroughfilterchain.1.9.patch │ │ ├── increase-dashboard-timeout.1.10.patch │ │ ├── increase-dashboard-timeout.1.11.patch │ │ ├── increase-dashboard-timeout.1.9.patch │ │ ├── increase-dashboard-timeout.1.8.patch │ │ ├── enable-arm64.1.12.patch │ │ ├── increase-vm-timeout.1.8.patch │ │ └── wait-for-envoy.1.8.patch │ ├── build │ │ └── e2e │ │ │ └── 1.11 │ │ │ ├── README.md │ │ │ └── 0001-Allow-turning-off-ALPN-in-echo-server-35447.patch │ ├── gke │ │ └── chiron-gke.patch │ └── eks │ │ ├── eks_1.16.patch │ │ ├── eks_1.17.patch │ │ ├── eks_1.18.patch │ │ └── eks_1.15.patch ├── images.sh ├── gen_iop.py ├── README.md ├── create_gke_cluster.sh ├── apply_e2e_build_patches.sh ├── create_aks_cluster.sh ├── 1.14 │ └── test │ │ └── skip.d │ │ ├── eks-arm64 │ │ ├── eks │ │ └── gke ├── 1.15 │ └── test │ │ └── skip.d │ │ ├── eks-arm64 │ │ ├── eks │ │ └── gke ├── cleanup_eksd_cluster.sh ├── 1.11 │ └── test │ │ └── skip.d │ │ ├── gke │ │ └── eks ├── 1.13 │ └── test │ │ └── skip.d │ │ ├── gke │ │ ├── eks │ │ └── eks-arm64 ├── create_multiarch_images.sh ├── 1.16 │ └── test │ │ └── skip.d │ │ ├── eks │ │ ├── eks-arm64 │ │ └── gke ├── manifest.yaml.in ├── create_eksd_cluster.sh ├── 1.17 │ └── test │ │ └── skip.d │ │ ├── eks-arm64 │ │ ├── eks │ │ └── gke ├── 1.18 │ └── test │ │ └── skip.d │ │ ├── eks-arm64 │ │ ├── eks │ │ └── gke ├── 1.12 │ └── test │ │ └── skip.d │ │ ├── gke │ │ ├── eks │ │ └── eks-arm64 ├── 
create_eks_cluster.sh ├── setup_go.sh ├── upload_upstream_release.sh ├── test_1.7.sh ├── gen_release_manifest.py ├── version_check.py ├── port_patches_to_release.sh ├── test_istio.sh ├── iop-gke-integration.yml ├── test_1.8.sh ├── test_1.12.sh ├── fetch_all_tags.sh ├── fips.md ├── test_1.9.sh ├── test_1.10.sh ├── ci_workflow.md ├── test_1.11.sh ├── test_1.13.sh ├── test_1.16.sh ├── test_1.18.sh ├── test_1.14.sh ├── test_1.17.sh ├── test_1.15.sh ├── test_1.18_arm.sh ├── test_1.15_arm.sh ├── test_1.16_arm.sh ├── test_1.17_arm.sh ├── eks-d.tpl └── create_istio_release.sh ├── .github ├── ISSUE_TEMPLATE │ ├── config.yml │ ├── feature_request.md │ └── bug_report.yml ├── workflows │ ├── backport_commits.yml │ ├── sync_fork.yml │ ├── tools.yml │ └── make_release.yml ├── SECURITY.md └── pull_request_template.md └── cve.scan.json /tetrateci/docs/release.md: -------------------------------------------------------------------------------- 1 | # Release Process 2 | 3 | TODO(psbrar99): explain the process. 4 | -------------------------------------------------------------------------------- /tetrateci/testing-report.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tetratelabs/istio/tetrate-workflow/tetrateci/testing-report.xlsx -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | contact_links: 2 | - name: "Crash bug" 3 | url: https://istio.io/about/security-vulnerabilities/ 4 | about: "Please file any bug causing a crash to istio-security-vulnerability-reports@googlegroups.com." 
5 | -------------------------------------------------------------------------------- /tetrateci/cleanup_aks_cluster.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ./tetrateci/version_check.py && exit 4 | 5 | set -o errexit 6 | set -o pipefail 7 | 8 | SHA8=$(git rev-parse --short $GITHUB_SHA) 9 | SUFFIX=$(sed 's/\.//g' <<< $K8S_VERSION) 10 | CLUSTER_NAME="test-istio-$SHA8-$SUFFIX" 11 | az aks delete --name $CLUSTER_NAME --resource-group $RESOURCE --yes 12 | -------------------------------------------------------------------------------- /tetrateci/cleanup_gke_cluster.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ./tetrateci/version_check.py && exit 4 | 5 | set -o errexit 6 | set -o pipefail 7 | 8 | SHA8=$(git rev-parse --short $GITHUB_SHA) 9 | SUFFIX=$(sed 's/\.//g' <<< $K8S_VERSION) 10 | CLUSTER_NAME="test-istio-$SHA8-$SUFFIX" 11 | gcloud container clusters delete $CLUSTER_NAME --region us-central1-c --quiet 12 | -------------------------------------------------------------------------------- /tetrateci/cleanup_eks_cluster.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ./tetrateci/version_check.py && exit 4 | 5 | set -o errexit 6 | set -o pipefail 7 | 8 | SHA8=$(git rev-parse --short $GITHUB_SHA) 9 | SUFFIX=$(sed 's/\.//g' <<< $K8S_VERSION.$TEST_ARCH) 10 | CLUSTER_NAME="test-istio-$SHA8-$SUFFIX" 11 | echo "Deleting eks cluster $CLUSTER_NAME" 12 | eksctl delete cluster --name $CLUSTER_NAME 13 | -------------------------------------------------------------------------------- /tetrateci/patches/common/disable-autoscaling-on-cpu.1.8.patch: -------------------------------------------------------------------------------- 1 | 
diff --git a/manifests/charts/istiocoredns/values.yaml b/manifests/charts/istiocoredns/values.yaml 2 | index e163cc0e3d..63cac9b587 100644 3 | --- a/manifests/charts/istiocoredns/values.yaml 4 | +++ b/manifests/charts/istiocoredns/values.yaml 5 | @@ -3,7 +3,7 @@ 6 | # 7 | istiocoredns: 8 | enabled: false 9 | - autoscaleEnabled: true 10 | + autoscaleEnabled: false 11 | autoscaleMin: 1 12 | autoscaleMax: 5 13 | replicaCount: 1 14 | -------------------------------------------------------------------------------- /tetrateci/patches/common/disable-vmregistration.1.10.patch: -------------------------------------------------------------------------------- 1 | diff --git a/tests/integration/pilot/vm_test.go b/tests/integration/pilot/vm_test.go 2 | index 5aa5af8855..6b458503d0 100644 3 | --- a/tests/integration/pilot/vm_test.go 4 | +++ b/tests/integration/pilot/vm_test.go 5 | @@ -76,6 +76,7 @@ func TestVmOSPost(t *testing.T) { 6 | } 7 | 8 | func TestVMRegistrationLifecycle(t *testing.T) { 9 | + t.Skip("https://github.com/istio/istio/issues/29100") 10 | framework. 11 | NewTest(t). 12 | RequiresSingleCluster(). 13 | -------------------------------------------------------------------------------- /tetrateci/patches/common/disable-vmregistration.1.8.patch: -------------------------------------------------------------------------------- 1 | diff --git a/tests/integration/pilot/vm_test.go b/tests/integration/pilot/vm_test.go 2 | index 5aa5af8855..6b458503d0 100644 3 | --- a/tests/integration/pilot/vm_test.go 4 | +++ b/tests/integration/pilot/vm_test.go 5 | 
@@ -76,6 +76,7 @@ func TestVmOSPost(t *testing.T) { 6 | } 7 | 8 | func TestVMRegistrationLifecycle(t *testing.T) { 9 | + t.Skip("https://github.com/istio/istio/issues/29100") 10 | framework. 11 | NewTest(t). 12 | RequiresSingleCluster(). 13 | -------------------------------------------------------------------------------- /tetrateci/patches/common/disable-vmregistration.1.9.patch: -------------------------------------------------------------------------------- 1 | diff --git a/tests/integration/pilot/vm_test.go b/tests/integration/pilot/vm_test.go 2 | index 5aa5af8855..6b458503d0 100644 3 | --- a/tests/integration/pilot/vm_test.go 4 | +++ b/tests/integration/pilot/vm_test.go 5 | 
@@ -76,6 +76,7 @@ func TestVmOSPost(t *testing.T) { 6 | } 7 | 8 | func TestVMRegistrationLifecycle(t *testing.T) { 9 | + t.Skip("https://github.com/istio/istio/issues/29100") 10 | framework. 11 | NewTest(t). 12 | RequiresSingleCluster(). 13 | -------------------------------------------------------------------------------- /.github/workflows/backport_commits.yml: -------------------------------------------------------------------------------- 1 | name: create-backport-pr 2 | 3 | on: 4 | push: 5 | branches: 6 | - 'tetrate-workflow' 7 | 8 | jobs: 9 | create-pr: 10 | name: create-pr 11 | runs-on: ubuntu-latest 12 | steps: 13 | - name: checkout 14 | uses: actions/checkout@v2 15 | with: 16 | fetch-depth: 0 17 | 18 | - name: invoke hub 19 | run: bash ./tetrateci/port_patches_to_release.sh 20 | env: 21 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -------------------------------------------------------------------------------- /tetrateci/patches/build/e2e/1.11/README.md: -------------------------------------------------------------------------------- 1 | # Patches to Istio 1.11 2 | 3 | ## 0001-Allow-turning-off-ALPN-in-echo-server-35447.patch 4 | 5 | ### Why do we need it? 6 | 7 | Integration tests of `Istio 1.11` were relying on certain behaviour 8 | of the HTTPS server from the Go standard library. 9 | 10 | In `Go 1.17`, behaviour of the HTTPS server has changed and tests started failing. 11 | 12 | In `Istio 1.12` they changed integration tests in order to be able to upgrade to `Go 1.17`. 13 | 14 | See https://github.com/istio/istio/pull/35447 15 | -------------------------------------------------------------------------------- /tetrateci/images.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -o errexit 4 | set -o pipefail 5 | # set -x 6 | 7 | BASEDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." 
&& pwd )" 8 | 9 | mkdir containers.istio.tetratelabs.com 10 | 11 | IMAGES=(app 12 | install-cni 13 | istioctl 14 | pilot 15 | proxyv2) 16 | 17 | 18 | IMAGE_SUFFIXES=("debug" "distroless") 19 | 20 | for image in "${IMAGES[@]}"; do 21 | for suffix in "${IMAGE_SUFFIXES[@]}"; do 22 | echo containers.istio.tetratelabs.com/${image}:${TAG}-${suffix} >> list.txt 23 | cat list.txt 24 | done 25 | done 26 | -------------------------------------------------------------------------------- /tetrateci/gen_iop.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import yaml 4 | 5 | extra = {'cni' : {'cniBinDir' : '/home/kubernetes/bin', 'excludeNamespaces' : ['istio-system', 'kube-system']}} 6 | 7 | with open(r'./tests/integration/iop-integration-test-defaults.yaml') as file : 8 | iop_config = yaml.load(file, Loader=yaml.FullLoader) 9 | if "values" not in iop_config['spec']: 10 | iop_config['spec'] = dict(values=extra) 11 | else: 12 | iop_config['spec']['values'].update(extra) 13 | f = open(r'./tetrateci/iop-gke-integration.yml', 'w') 14 | yaml.dump(iop_config, f) 15 | -------------------------------------------------------------------------------- /tetrateci/patches/common/fix-version-check.1.9.patch: -------------------------------------------------------------------------------- 1 | diff --git a/pkg/test/framework/components/cluster/topology.go b/pkg/test/framework/components/cluster/topology.go 2 | index cb2f02b91c..b5eef8100a 100644 3 | --- a/pkg/test/framework/components/cluster/topology.go 4 | +++ b/pkg/test/framework/components/cluster/topology.go 5 | 
@@ -122,7 +122,7 @@ func (c Topology) MinKubeVersion(major, minor int) bool { 6 | if err != nil { 7 | return true 8 | } 9 | - serverMinor, err := strconv.Atoi(ver.Minor) 10 | + serverMinor, err := strconv.Atoi(ver.Minor[:2]) 11 | if err != nil { 12 | return true 13 | } 14 | -------------------------------------------------------------------------------- /tetrateci/patches/common/increase-vm-timeout.1.9.patch: -------------------------------------------------------------------------------- 1 | diff --git a/tests/integration/pilot/vm_test.go b/tests/integration/pilot/vm_test.go 2 | index 5aa5af8855..2cc94751ad 100644 3 | --- a/tests/integration/pilot/vm_test.go 4 | +++ b/tests/integration/pilot/vm_test.go 5 | 
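Review bot: In fix-version-check.1.9.patch, `ver.Minor[:2]` panics with a slice-bounds error when the server reports a one-character minor version, and it silently truncates any value longer than two characters. If the intent is to drop a trailing `+` such as some managed clusters report (inferred; the patch does not say), trimming it explicitly is safer: `serverMinor, err := strconv.Atoi(strings.TrimSuffix(ver.Minor, "+"))`, which needs `strings` imported in topology.go if it is not already. Both visible error paths also `return true`, so an unparseable version is treated as meeting the minimum; a short comment stating that this fail-open result is intended would help the next reader. MinKubeVersion's body starts and ends outside the hunk.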
@@ -114,7 +114,7 @@ func TestVMRegistrationLifecycle(t *testing.T) { 6 | return errors.New("expected 2 pilots") 7 | } 8 | return nil 9 | - }, retry.Timeout(10*time.Second)) 10 | + }, retry.Timeout(5*time.Minute)) 11 | 12 | // get the initial workload entry state 13 | entries := getWorkloadEntriesOrFail(ctx, autoVM) 14 | -------------------------------------------------------------------------------- /tetrateci/README.md: -------------------------------------------------------------------------------- 1 | # Tetrate Istio Distro 2 | 3 | This doc covers a few aspects of Tetrate Istio Distro. 4 | 5 | - [CI Workflow](https://github.com/tetratelabs/istio/blob/tetrate-workflow/tetrateci/docs/ci_workflow.md) 6 | is a good start to understand the overall TID build process. 7 | - [FIPS build](https://github.com/tetratelabs/istio/blob/tetrate-workflow/tetrateci/docs/fips.md) 8 | covers some information about how FIPS version TID is built. 9 | - [Release Process](https://github.com/tetratelabs/istio/blob/tetrate-workflow/tetrateci/docs/release.md) 10 | document what a release manager should do to create a release. 11 | -------------------------------------------------------------------------------- /tetrateci/patches/common/increase-sniffing-timeout.1.9.patch: -------------------------------------------------------------------------------- 1 | diff --git a/tests/integration/pilot/common/routing.go b/tests/integration/pilot/common/routing.go 2 | index 06048f21a8..ff517f1c05 100644 3 | --- a/tests/integration/pilot/common/routing.go 4 | +++ b/tests/integration/pilot/common/routing.go 5 | 
@@ -848,7 +848,7 @@ func protocolSniffingCases() []TrafficTestCase { 6 | opts: echo.CallOptions{ 7 | PortName: call.port, 8 | Scheme: call.scheme, 9 | - Timeout: time.Second * 5, 10 | + Timeout: time.Second * 30, 11 | }, 12 | validate: func(src echo.Instance, dst echo.Instances) echo.Validator { 13 | if call.scheme == scheme.TCP { 14 | -------------------------------------------------------------------------------- /.github/SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security Policy 2 | 3 | ## Supported Versions 4 | 5 | Information about supported Istio versions can be found on the 6 | [Support Announcements] page on Istio's website. 7 | 8 | ## Reporting a Vulnerability 9 | 10 | Instructions for reporting a vulnerability can be found on the 11 | [Istio Security Vulnerabilities] page. 12 | 13 | ## Security Bulletins 14 | 15 | Information about previous Istio vulnerabilities can be found on the 16 | [Security Bulletins] page. 17 | 18 | [Support Announcements]: https://istio.io/news/support/ 19 | [Istio Security Vulnerabilities]: https://istio.io/about/security-vulnerabilities/ 20 | [Security Bulletins]: https://istio.io/news/security/ 21 | -------------------------------------------------------------------------------- /tetrateci/patches/common/disable-passthroughfilterchain.1.10.patch: -------------------------------------------------------------------------------- 1 | diff --git a/tests/integration/security/pass_through_filter_chain_test.go b/tests/integration/security/pass_through_filter_chain_test.go 2 | index 2c7c0a67ba..df93bf72c9 100644 3 | --- a/tests/integration/security/pass_through_filter_chain_test.go 4 | +++ b/tests/integration/security/pass_through_filter_chain_test.go 5 | 
@@ -33,6 +33,7 @@ import ( 6 | 7 | // TestPassThroughFilterChain tests the authN and authZ policy on the pass through filter chain. 8 | func TestPassThroughFilterChain(t *testing.T) { 9 | + t.Skip("https://github.com/istio/istio/issues/32623") 10 | framework. 11 | NewTest(t). 12 | Features("security.filterchain"). 13 | -------------------------------------------------------------------------------- /tetrateci/patches/common/disable-passthroughfilterchain.1.9.patch: -------------------------------------------------------------------------------- 1 | diff --git a/tests/integration/security/pass_through_filter_chain_test.go b/tests/integration/security/pass_through_filter_chain_test.go 2 | index 2c7c0a67ba..df93bf72c9 100644 3 | --- a/tests/integration/security/pass_through_filter_chain_test.go 4 | +++ b/tests/integration/security/pass_through_filter_chain_test.go 5 | @@ -33,6 +33,7 @@ import ( 6 | 7 | // TestPassThroughFilterChain tests the authN and authZ policy on the pass through filter chain. 8 | func TestPassThroughFilterChain(t *testing.T) { 9 | + t.Skip("https://github.com/istio/istio/issues/32623") 10 | framework. 11 | NewTest(t). 12 | Features("security.filterchain"). 13 | -------------------------------------------------------------------------------- /tetrateci/patches/common/increase-dashboard-timeout.1.10.patch: -------------------------------------------------------------------------------- 1 | diff --git a/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go b/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go 2 | index 3f8d8cb32c..d3c7c0fecf 100644 3 | --- a/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go 4 | +++ b/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go 5 | 
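Review bot: The added `t.Skip(...)` in disable-passthroughfilterchain.1.10.patch turns off TestPassThroughFilterChain unconditionally, and the comment directly above it says this test covers the authN and authZ policy on the pass-through filter chain, so a regression in that enforcement would no longer be caught by this CI on any platform. The same line is added by disable-passthroughfilterchain.1.9.patch. If the failure is specific to some environments (not visible here), prefer gating the skip on that condition, or listing the test in a per-platform skip file like the `skip.d` ones this repository carries for later versions, and add a comment such as `// Skipped in Tetrate CI only, see issue 32623; re-enable once fixed.` so the coverage gap stays tracked. The test body continues outside the hunk.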
@@ -177,7 +177,7 @@ func TestDashboard(t *testing.T) { 6 | for _, query := range queries { 7 | retry.UntilSuccessOrFail(t, func() error { 8 | return checkMetric(cl, p, query, d.excluded) 9 | - }, retry.Timeout(time.Minute)) 10 | + }, retry.Timeout(5*time.Minute)) 11 | } 12 | } 13 | }) 14 | -------------------------------------------------------------------------------- /tetrateci/patches/common/increase-dashboard-timeout.1.11.patch: -------------------------------------------------------------------------------- 1 | diff --git a/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go b/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go 2 | index 3f8d8cb32c..d3c7c0fecf 100644 3 | --- a/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go 4 | +++ b/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go 5 | @@ -177,7 +177,7 @@ func TestDashboard(t *testing.T) { 6 | for _, query := range queries { 7 | retry.UntilSuccessOrFail(t, func() error { 8 | return checkMetric(cl, p, query, d.excluded) 9 | - }, retry.Timeout(time.Minute)) 10 | + }, retry.Timeout(5*time.Minute)) 11 | } 12 | } 13 | }) 14 | -------------------------------------------------------------------------------- /tetrateci/patches/common/increase-dashboard-timeout.1.9.patch: -------------------------------------------------------------------------------- 1 | diff --git a/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go b/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go 2 | index 3f8d8cb32c..d3c7c0fecf 100644 3 | --- a/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go 4 | +++ b/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go 5 | 
@@ -177,7 +177,7 @@ func TestDashboard(t *testing.T) { 6 | for _, query := range queries { 7 | retry.UntilSuccessOrFail(t, func() error { 8 | return checkMetric(cl, p, query, d.excluded) 9 | - }, retry.Timeout(time.Minute)) 10 | + }, retry.Timeout(5*time.Minute)) 11 | } 12 | } 13 | }) 14 | -------------------------------------------------------------------------------- /tetrateci/create_gke_cluster.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ./tetrateci/version_check.py && exit 4 | 5 | set -o errexit 6 | set -o pipefail 7 | 8 | SHA8=$(git rev-parse --short $GITHUB_SHA) 9 | SUFFIX=$(sed 's/\.//g' <<< $K8S_VERSION) 10 | CLUSTER_NAME="test-istio-$SHA8-$SUFFIX" 11 | gcloud container clusters create $CLUSTER_NAME --machine-type "n1-standard-4" --num-nodes 3 --region=us-central1-c --enable-network-policy --cluster-version $K8S_VERSION --release-channel "$CHAN" 12 | gcloud config set container/use_client_certificate False 13 | gcloud container clusters get-credentials $CLUSTER_NAME --region us-central1-c 14 | kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user="$(gcloud config get-value core/account)" 15 | -------------------------------------------------------------------------------- /.github/workflows/sync_fork.yml: -------------------------------------------------------------------------------- 1 | name: Sync fork 2 | 3 | on: 4 | schedule: 5 | - cron: '0 0 * * *' 6 | 7 | workflow_dispatch: 8 | 9 | jobs: 10 | sync_with_upstream: 11 | runs-on: ubuntu-latest 12 | name: Sync master with upstream latest 13 | 14 | steps: 15 | # convenient way to setup the environment nothing much more tbh 16 | - name: Checkout tetrate-workflow 17 | uses: actions/checkout@v2 18 | with: 19 | ref: tetrate-workflow 20 | ssh-key: ${{ secrets.GETISTIO_PUSH_KEY }} 21 | 22 | - name: Sync the tags 23 | run: bash ./tetrateci/fetch_all_tags.sh 24 | env: 25 | CLOUDSMITH_USER: ${{ 
secrets.CLOUDSMITH_USER }} 26 | CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }} 27 | -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | **Please provide a description of this PR:** 2 | 3 | 4 | 5 | **To help us figure out who should review this PR, please put an X in all the areas that this PR affects.** 6 | 7 | - [ ] Configuration Infrastructure 8 | - [ ] Docs 9 | - [ ] Installation 10 | - [ ] Networking 11 | - [ ] Performance and Scalability 12 | - [ ] Policies and Telemetry 13 | - [ ] Security 14 | - [ ] Test and Release 15 | - [ ] User Experience 16 | - [ ] Developer Infrastructure 17 | 18 | **Please check any characteristics that apply to this pull request.** 19 | 20 | - [ ] Does not have any [user-facing](https://github.com/istio/istio/tree/master/releasenotes#when-to-add-release-notes) changes. This may include CLI changes, API changes, behavior changes, performance improvements, etc. 
21 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea to improve Istio 4 | 5 | --- 6 | (This is used to request new product features, please visit for questions on using Istio) 7 | 8 | **Describe the feature request** 9 | 10 | **Describe alternatives you've considered** 11 | 12 | **Affected product area (please put an X in all that apply)** 13 | 14 | [ ] Docs 15 | [ ] Installation 16 | [ ] Networking 17 | [ ] Performance and Scalability 18 | [ ] Extensions and Telemetry 19 | [ ] Security 20 | [ ] Test and Release 21 | [ ] User Experience 22 | [ ] Developer Infrastructure 23 | 24 | **Affected features (please put an X in all that apply)** 25 | 26 | [ ] Multi Cluster 27 | [ ] Virtual Machine 28 | [ ] Multi Control Plane 29 | 30 | **Additional context** 31 | -------------------------------------------------------------------------------- /tetrateci/apply_e2e_build_patches.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # 3 | # Copyright (c) Tetrate, Inc 2021 All Rights Reserved. 4 | 5 | # 6 | # Apply patches to the Istio code base that are necessary to fix e2e tests. 7 | # 8 | # E.g., after we bumped version of Go from `1.16` to `1.17`, e2e tests of 9 | # `Istio 1.11` started failing. 10 | # 11 | # To fix e2e tests, we had to backport changes from `Istio 1.12`. 12 | # 13 | # However, since required changes affected only test code and test images, 14 | # we didn't want to include them into the release build. 
15 | # 16 | 17 | set -e 18 | set -u 19 | set -x 20 | 21 | SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) 22 | 23 | while IFS= read -r -d '' patch 24 | do 25 | git apply "${patch}" 26 | done < <(find "${SCRIPTDIR}/patches/build/e2e/${ISTIO_MINOR_VER}" -type f -name '*.patch' -print0) 27 | -------------------------------------------------------------------------------- /tetrateci/docs/credentials.md: -------------------------------------------------------------------------------- 1 | ## Setting up the CI/CD system 2 | 3 | ###### Required Creds 4 | 1. AWS_ACCESS_KEY_ID 5 | 2. AWS_REGION 6 | 3. AWS_SECRET_ACCESS_KEY 7 | 4. AZURE_CREDENTIALS : [Note](https://github.com/Azure/login#configure-deployment-credentials) 8 | 5. AZURE_RESOURCE : [ Note : The azure resource name corresponding to the creds ] 9 | 6. BINTRAY_API_KEY 10 | 7. BINTRAY_ARCHIVE_API : [ Note : The archive API url, example - https://api.bintray.com/content/hellozee/istio-archives/istio ] 11 | 8. BINTRAY_USER 12 | 9. DEPLOY_HUB : [ Note : Link to the docker registry where final images would be pushed ] 13 | 10. GCP_PROJECT_ID 14 | 11. GCP_SA_KEY 15 | 12. GETISTIO_PUSH_KEY : [ Note : DEPLOY KEY that can push to the repo ] 16 | 13. TEST_HUB : [ Note : Link to docker registry for pushing test images ] 17 | 14. TEST_HUB_PASS 18 | 15. TEST_HUB_USER 19 | -------------------------------------------------------------------------------- /tetrateci/patches/common/increase-dashboard-timeout.1.8.patch: -------------------------------------------------------------------------------- 1 | diff --git a/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go b/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go 2 | index f93c640be0..3cb5e255ef 100644 3 | --- a/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go 4 | +++ b/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go 5 | 
@@ -163,9 +163,9 @@ func TestDashboard(t *testing.T) { 6 | } 7 | 8 | for _, query := range queries { 9 | - if err := checkMetric(cl, p, query, d.excluded); err != nil { 10 | - t.Errorf("Check query failed for cluster %s: %v", cl.Name(), err) 11 | - } 12 | + retry.UntilSuccessOrFail(t, func() error { 13 | + return checkMetric(cl, p, query, d.excluded) 14 | + }, retry.Timeout(5 * time.Minute)) 15 | } 16 | } 17 | }) 18 | -------------------------------------------------------------------------------- /tetrateci/create_aks_cluster.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ./tetrateci/version_check.py && exit 4 | 5 | set -o errexit 6 | set -o pipefail 7 | 8 | SHA8=$(git rev-parse --short $GITHUB_SHA) 9 | SUFFIX=$(sed 's/\.//g' <<< $K8S_VERSION) 10 | CLUSTER_NAME="test-istio-$SHA8-$SUFFIX" 11 | 12 | echo "Fetching location of the resource" 13 | location=$(az group show -g $RESOURCE | jq '.location') 14 | 15 | echo "Fetching available kubernetes patch version for $K8S_VERSION" 16 | version=$(az aks get-versions -l $location | jq '.orchestrators[] | .orchestratorVersion' | grep $K8S_VERSION | tail -n 1 | tr -d '"') 17 | 18 | echo "Kubernetes version selected: $version" 19 | 20 | az aks create --resource-group $RESOURCE --name $CLUSTER_NAME --node-count 3 --generate-ssh-keys --kubernetes-version $version -s standard_ds3_v2 --network-plugin azure 21 | az aks get-credentials --resource-group $RESOURCE --name $CLUSTER_NAME 22 | -------------------------------------------------------------------------------- /tetrateci/patches/common/enable-arm64.1.12.patch: -------------------------------------------------------------------------------- 1 | diff --git a/manifests/charts/gateways/istio-egress/values.yaml b/manifests/charts/gateways/istio-egress/values.yaml 2 | index 5562ba5342..0308cbdd8c 100644 3 | --- a/manifests/charts/gateways/istio-egress/values.yaml 4 | 
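Review bot: In increase-dashboard-timeout.1.8.patch the replacement drops the cluster name from the failure output: the removed `t.Errorf` printed `cl.Name()`, while the new `retry.UntilSuccessOrFail` closure only returns the bare error from `checkMetric`. If `UntilSuccessOrFail` fails the test fatally (its name suggests so; its definition is not shown), the first failing query also ends the loop, so the remaining queries are no longer reported. Wrapping the error keeps the context: `if err := checkMetric(cl, p, query, d.excluded); err != nil { return fmt.Errorf("cluster %s: %w", cl.Name(), err) }` followed by `return nil` inside the closure, assuming `fmt` is imported in dashboard_test.go. TestDashboard starts and ends outside the hunk.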
+++ b/manifests/charts/gateways/istio-egress/values.yaml 5 | @@ -170,6 +170,7 @@ global: 6 | # 3 - Most preferred 7 | arch: 8 | amd64: 2 9 | + arm64: 2 10 | s390x: 2 11 | ppc64le: 2 12 | 13 | diff --git a/manifests/charts/gateways/istio-ingress/values.yaml b/manifests/charts/gateways/istio-ingress/values.yaml 14 | index 7be1815185..726aad6f0f 100644 15 | --- a/manifests/charts/gateways/istio-ingress/values.yaml 16 | +++ b/manifests/charts/gateways/istio-ingress/values.yaml 17 | 
@@ -183,6 +183,7 @@ global: 18 | # 3 - Most preferred 19 | arch: 20 | amd64: 2 21 | + arm64: 2 22 | s390x: 2 23 | ppc64le: 2 24 | 25 | -------------------------------------------------------------------------------- /tetrateci/1.14/test/skip.d/eks-arm64: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 24 | 25 | istio.io/istio/tests/integration/pilot=TestGatewayConformance 26 | istio.io/istio/tests/integration/helm/upgrade=* 27 | istio.io/istio/tests/integration/security/sds_ingress/quic=* 28 | -------------------------------------------------------------------------------- /tetrateci/1.15/test/skip.d/eks-arm64: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 
16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 24 | 25 | istio.io/istio/tests/integration/pilot=TestGatewayConformance 26 | istio.io/istio/tests/integration/helm/upgrade=* 27 | istio.io/istio/tests/integration/security/sds_ingress/quic=* 28 | -------------------------------------------------------------------------------- /tetrateci/1.15/test/skip.d/eks: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 24 | 25 | istio.io/istio/tests/integration/pilot=TestGatewayConformance TestIngress/status 26 | istio.io/istio/tests/integration/helm/upgrade=* 27 | istio.io/istio/tests/integration/security/sds_ingress/quic=* 28 | -------------------------------------------------------------------------------- /tetrateci/cleanup_eksd_cluster.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -o errexit 4 | set -o pipefail 5 | 6 | 7 | BASEDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )" 8 | 9 | if [[ ! -f ~/.aws/config && ! -f ~/.aws/credentials ]] 10 | then 11 | echo "warn: didn't find config and credentials in ~/.aws." 12 | echo "checking for environment varibles...." 13 | if [[ ! -v AWS_ACCESS_KEY_ID && ! 
-v AWS_SECRET_ACCESS_KEY ]] 14 | then 15 | echo "error: neither is aws_access_key_id and aws_secret_access_key is set." 16 | exit 2 17 | fi 18 | fi 19 | 20 | SHA8=$(git rev-parse --short $GITHUB_SHA) 21 | SUFFIX=$(sed 's/\.//g' <<< $K8S_VERSION) 22 | 23 | ## Cluster name has to end with k8s.local 24 | CLUSTER_NAME="test-istio-$SHA8-$SUFFIX.k8s.local" 25 | 26 | cd $BASEDIR/../eks-distro/development/kops 27 | 28 | export KOPS_STATE_STORE=s3://${S3_BUCKET} 29 | export KOPS_CLUSTER_NAME=${CLUSTER_NAME} 30 | 31 | 32 | #Wait for the cluster to be created 33 | ./delete_cluster.sh 34 | 35 | -------------------------------------------------------------------------------- /tetrateci/1.11/test/skip.d/gke: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 
24 | 25 | istio.io/istio/tests/integration/helm/upgrade=TestRevisionTagsUpgradeFromPrevious 26 | MinorRelease 27 | 28 | istio.io/istio/tests/integration/pilot=TestGateway TestIngress TestDescribe TestTraffic 29 | 30 | istio.io/istio/tests/integration/telemetry/stackdriver=* 31 | -------------------------------------------------------------------------------- /tetrateci/1.13/test/skip.d/gke: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 24 | 25 | istio.io/istio/tests/integration/helm/upgrade=TestRevisionTagsUpgradeFromPrevious 26 | MinorRelease 27 | 28 | istio.io/istio/tests/integration/pilot=TestGateway TestIngress TestDescribe TestTraffic 29 | 30 | istio.io/istio/tests/integration/telemetry/stackdriver=* 31 | -------------------------------------------------------------------------------- /tetrateci/create_multiarch_images.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -o errexit 4 | set -o pipefail 5 | # set -x 6 | 7 | BASEDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." 
&& pwd )" 8 | 9 | IMAGES=(app 10 | app_sidecar_centos_7 11 | app_sidecar_centos_8 12 | app_sidecar_debian_10 13 | app_sidecar_debian_9 14 | app_sidecar_ubuntu_bionic 15 | app_sidecar_ubuntu_focal 16 | app_sidecar_ubuntu_xenial 17 | install-cni 18 | istioctl 19 | operator 20 | pilot 21 | proxyv2) 22 | 23 | IMAGE_SUFFIXES=("" "-debug" "-distroless") 24 | 25 | for image in "${IMAGES[@]}"; do 26 | for suffix in "${IMAGE_SUFFIXES[@]}"; do 27 | AMD64_IMAGE=$HUB/${image}:${TAG}-amd64${suffix} 28 | ARM64_IMAGE=$HUB/${image}:${TAG}-arm64${suffix} 29 | MULTIARCH_IMAGE=$HUB/${image}:${TAG}${suffix} 30 | 31 | if docker manifest inspect ${AMD64_IMAGE} &> /dev/null && docker manifest inspect ${ARM64_IMAGE} &> /dev/null; then 32 | docker manifest create ${MULTIARCH_IMAGE} --amend ${AMD64_IMAGE} --amend ${ARM64_IMAGE} 33 | docker manifest push ${MULTIARCH_IMAGE} 34 | fi 35 | done 36 | done 37 | -------------------------------------------------------------------------------- /tetrateci/1.16/test/skip.d/eks: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 
24 | 25 | istio.io/istio/tests/integration/telemetry/stackdriver=* 26 | istio.io/istio/tests/integration/telemetry/stackdriver/vm=* 27 | istio.io/istio/tests/integration/pilot=TestGatewayConformance TestIngress/status 28 | istio.io/istio/tests/integration/helm/upgrade=* 29 | istio.io/istio/tests/integration/security/sds_ingress/quic=* 30 | -------------------------------------------------------------------------------- /.github/workflows/tools.yml: -------------------------------------------------------------------------------- 1 | name: Build tools docker 2 | 3 | on: 4 | workflow_dispatch: 5 | inputs: 6 | ref: 7 | description: Ref [a branch or a tag, e.g. release/1.13] 8 | required: true 9 | 10 | jobs: 11 | build_tools_docker: 12 | name: build tools docker 13 | runs-on: ["self-hosted", "arm64"] 14 | env: 15 | HUB: gcr.io/tetrate-istio-arm 16 | steps: 17 | - name: Checkout 18 | uses: actions/checkout@v2 19 | with: 20 | repository: "istio/tools" 21 | ref: ${{ github.event.inputs.ref }} 22 | 23 | - name: Set up Cloud SDK 24 | uses: google-github-actions/setup-gcloud@v0 25 | with: 26 | project_id: ${{ secrets.GCP_PROJECT_ID }} 27 | service_account_key: ${{ secrets.GCP_SA_KEY }} 28 | export_default_credentials: true 29 | 30 | - name: Configure Docker 31 | run: | 32 | gcloud auth configure-docker 33 | 34 | - name: Build images 35 | run: | 36 | cd docker/build-tools 37 | ./build-and-push.sh 38 | shell: bash 39 | -------------------------------------------------------------------------------- /tetrateci/1.11/test/skip.d/eks: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 
13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 24 | 25 | istio.io/istio/tests/integration/helm/upgrade=TestRevisionTagsUpgradeFromPrevious 26 | MinorRelease 27 | 28 | istio.io/istio/tests/integration/pilot=TestIngress/status 29 | 30 | istio.io/istio/tests/integration/telemetry/tracing/zipkin/servertracing=TestProxyTracing 31 | 32 | istio.io/istio/tests/integration/telemetry/stackdriver=* 33 | istio.io/istio/tests/integration/telemetry/stackdriver/vm=* 34 | -------------------------------------------------------------------------------- /tetrateci/1.13/test/skip.d/eks: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 
24 | 25 | istio.io/istio/tests/integration/helm/upgrade=TestRevisionTagsUpgradeFromPrevious 26 | MinorRelease 27 | 28 | istio.io/istio/tests/integration/pilot=TestIngress/status 29 | 30 | istio.io/istio/tests/integration/telemetry/tracing/zipkin/servertracing=TestProxyTracing 31 | 32 | istio.io/istio/tests/integration/telemetry/stackdriver=* 33 | istio.io/istio/tests/integration/telemetry/stackdriver/vm=* 34 | -------------------------------------------------------------------------------- /tetrateci/1.14/test/skip.d/eks: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 
24 | 25 | istio.io/istio/tests/integration/helm/upgrade=TestRevisionTagsUpgradeFromPrevious 26 | MinorRelease 27 | 28 | istio.io/istio/tests/integration/pilot=TestIngress/status 29 | 30 | istio.io/istio/tests/integration/telemetry/tracing/zipkin/servertracing=TestProxyTracing 31 | 32 | istio.io/istio/tests/integration/telemetry/stackdriver=* 33 | istio.io/istio/tests/integration/telemetry/stackdriver/vm=* 34 | -------------------------------------------------------------------------------- /tetrateci/manifest.yaml.in: -------------------------------------------------------------------------------- 1 | version: $TAG 2 | 3 | docker: $HUB 4 | 5 | directory: /tmp/istio-release 6 | 7 | ignoreVulnerability: true 8 | 9 | dependencies: 10 | istio: 11 | localpath: ./istio 12 | api: 13 | git: https://github.com/istio/api 14 | auto: modules 15 | proxy: 16 | git: https://github.com/istio/proxy 17 | auto: deps 18 | pkg: 19 | git: https://github.com/istio/pkg 20 | auto: modules 21 | client-go: 22 | git: https://github.com/istio/client-go 23 | branch: $BRANCH 24 | goversionenabled: true 25 | gogo-genproto: 26 | git: https://github.com/istio/gogo-genproto 27 | branch: $BRANCH 28 | test-infra: 29 | git: https://github.com/istio/test-infra 30 | branch: master 31 | tools: 32 | git: https://github.com/istio/tools 33 | branch: $BRANCH 34 | envoy: 35 | git: https://github.com/envoyproxy/envoy 36 | auto: proxy_workspace 37 | 38 | dashboards: 39 | istio-extension-dashboard: 13277 40 | istio-mesh-dashboard: 7639 41 | istio-performance-dashboard: 11829 42 | istio-service-dashboard: 7636 43 | istio-workload-dashboard: 7630 44 | pilot-dashboard: 7645 45 | 46 | outputs: 47 | -------------------------------------------------------------------------------- /tetrateci/1.16/test/skip.d/eks-arm64: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 
7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 24 | istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification 25 | istio.io/istio/tests/integration/pilot=TestGatewayConformance 26 | istio.io/istio/tests/integration/helm/upgrade=* 27 | istio.io/istio/tests/integration/security/sds_ingress/quic=* 28 | istio.io/istio/tests/integration/telemetry/stackdriver=* 29 | istio.io/istio/tests/integration/telemetry/stackdriver/vm=* 30 | istio.io/istio/tests/integration/telemetry_envoyfilter_nullvm=TestDashboard 31 | -------------------------------------------------------------------------------- /tetrateci/create_eksd_cluster.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -o errexit 4 | set -o pipefail 5 | 6 | BASEDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )" 7 | 8 | if [[ ! -f ~/.aws/config && ! -f ~/.aws/credentials ]] 9 | then 10 | echo "warn: didn't find config and credentials in ~/.aws." 11 | echo "checking for environment varibles...." 12 | if [[ ! -v AWS_ACCESS_KEY_ID && ! -v AWS_SECRET_ACCESS_KEY ]] 13 | then 14 | echo "error: neither is aws_access_key_id and aws_secret_access_key is set." 15 | exit 2 16 | fi 17 | fi 18 | 19 | SHA8=$(git rev-parse --short $GITHUB_SHA) 20 | SUFFIX=$(sed 's/\.//g' <<< $K8S_VERSION) 21 | 22 | ## Cluster name has to end with k8s.local 23 | CLUSTER_NAME="test-istio-$SHA8-$SUFFIX.k8s.local" 24 | 25 | cd $BASEDIR/.. 
26 | git clone https://github.com/aws/eks-distro.git 27 | cd eks-distro/development/kops 28 | 29 | export KOPS_STATE_STORE=s3://${S3_BUCKET} 30 | export KOPS_CLUSTER_NAME=${CLUSTER_NAME} 31 | 32 | cp $BASEDIR/tetrateci/eks-d.tpl . 33 | 34 | # possible versions: 1-18, 1-19 35 | export RELEASE_BRANCH=$(sed 's/\./-/g' <<< $K8S_VERSION) 36 | 37 | echo "creating a eksd cluster with \"$CLUSTER_NAME\" name..." 38 | ./run_cluster.sh 39 | 40 | #Wait for the cluster to be created 41 | ./cluster_wait.sh 42 | 43 | cd $BASEDIR 44 | -------------------------------------------------------------------------------- /cve.scan.json: -------------------------------------------------------------------------------- 1 | { 2 | "tid-istio": { 3 | "branches": [], 4 | "tags": [ 5 | "1.19.3-tetrate-v0", 6 | "1.18.5-tetrate-v0", 7 | "1.17.8-tetrate-v0", 8 | "1.16.7-tetrate-v2", 9 | "1.19.0-tetrate-v0", 10 | "1.18.3-tetrate-v0", 11 | "1.17.6-tetrate-v0", 12 | "1.16.7-tetrate-v0" 13 | ] 14 | }, 15 | "tid-istio-fips": { 16 | "branches": [], 17 | "tags": [ 18 | "1.19.3-tetratefips-v0", 19 | "1.18.5-tetratefips-v0", 20 | "1.17.8-tetratefips-v0", 21 | "1.16.7-tetratefips-v2", 22 | "1.19.0-tetratefips-v0", 23 | "1.18.3-tetratefips-v0", 24 | "1.17.6-tetratefips-v0", 25 | "1.16.7-tetratefips-v0" 26 | 27 | ] 28 | }, 29 | "oss-istio": { 30 | "branches": [], 31 | "tags": [ 32 | "1.19.3", 33 | "1.18.5", 34 | "1.17.8", 35 | "1.16.7" 36 | ] 37 | }, 38 | "oss-istio-distroless": { 39 | "branches": [], 40 | "tags": [ 41 | "1.19.3-distroless", 42 | "1.18.5-distroless", 43 | "1.17.8-distroless", 44 | "1.16.7-distroless" 45 | ] 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /tetrateci/1.17/test/skip.d/eks-arm64: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. 
- is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 24 | istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification 25 | istio.io/istio/tests/integration/pilot=TestGatewayConformance 26 | istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt 27 | istio.io/istio/tests/integration/helm/upgrade=* 28 | istio.io/istio/tests/integration/security/sds_ingress/quic=* 29 | istio.io/istio/tests/integration/telemetry/stackdriver=* 30 | istio.io/istio/tests/integration/telemetry/stackdriver/vm=* 31 | istio.io/istio/tests/integration/telemetry_envoyfilter_nullvm=TestDashboard 32 | -------------------------------------------------------------------------------- /tetrateci/1.18/test/skip.d/eks-arm64: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 
24 | istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification 25 | istio.io/istio/tests/integration/pilot=TestGatewayConformance 26 | istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt 27 | istio.io/istio/tests/integration/helm/upgrade=* 28 | istio.io/istio/tests/integration/security/sds_ingress/quic=* 29 | istio.io/istio/tests/integration/telemetry/stackdriver=* 30 | istio.io/istio/tests/integration/telemetry/stackdriver/vm=* 31 | istio.io/istio/tests/integration/telemetry_envoyfilter_nullvm=TestDashboard 32 | -------------------------------------------------------------------------------- /tetrateci/1.12/test/skip.d/gke: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 
24 | 25 | istio.io/istio/tests/integration/helm/upgrade=* 26 | 27 | istio.io/istio/tests/integration/pilot=TestGateway TestIngress TestDescribe TestTraffic 28 | istio.io/istio/tests/integration/pilot/endpointslice=TestTraffic/jwt-claim-route 29 | 30 | istio.io/istio/tests/integration/security=TestAuthorization_IngressGateway TestAuthorization_EgressGateway TestIngressRequestAuthentication/ingress-authn 31 | 32 | istio.io/istio/tests/integration/telemetry/stackdriver=* 33 | istio.io/istio/tests/integration/telemetry/stackdriver/api=* 34 | istio.io/istio/tests/integration/telemetry/stackdriver/vm=* 35 | -------------------------------------------------------------------------------- /tetrateci/create_eks_cluster.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ./tetrateci/version_check.py && exit 4 | 5 | set -o errexit 6 | set -o pipefail 7 | 8 | if [[ ! -f ~/.aws/config && ! -f ~/.aws/credentials ]] 9 | then 10 | echo "warn: didn't find config and credentials in ~/.aws." 11 | echo "checking for environment varibles...." 12 | if [[ ! -v AWS_ACCESS_KEY_ID && ! -v AWS_SECRET_ACCESS_KEY ]] 13 | then 14 | echo "error: neither is aws_access_key_id and aws_secret_access_key is set." 15 | exit 2 16 | fi 17 | fi 18 | 19 | if ! command -v eksctl &> /dev/null 20 | then 21 | echo "warn: eksctl is not found in the \$path. downloading eksctl" 22 | curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp 23 | sudo mv /tmp/eksctl /usr/local/bin 24 | fi 25 | 26 | SHA8=$(git rev-parse --short $GITHUB_SHA) 27 | SUFFIX=$(sed 's/\.//g' <<< $K8S_VERSION.$TEST_ARCH) 28 | CLUSTER_NAME="test-istio-$SHA8-$SUFFIX" 29 | NODE_TYPE="m6a.4xlarge" 30 | if [[ "${TEST_ARCH}" = "arm64" ]]; then 31 | NODE_TYPE="m6g.4xlarge" 32 | fi 33 | 34 | echo "creating a eks cluster with \"$CLUSTER_NAME\" name..." 
35 | eksctl create cluster --name $CLUSTER_NAME --version $K8S_VERSION --nodes 3 --node-type $NODE_TYPE --tags tetrate:owner=psb,tetrate:purpose=development,tetrate:team=eng:tid,tetrate:customer=internal,tetrate:lifespan=ongoing 36 | 37 | -------------------------------------------------------------------------------- /tetrateci/setup_go.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -e 3 | set -u 4 | 5 | if $(grep -q "1.7" <<< $TAG); then 6 | export GOLANG_VERSION=1.14.12 7 | fi 8 | 9 | if $(grep -q "1.8" <<< $TAG || grep -q "1.9" <<< $TAG); then 10 | export GOLANG_VERSION=1.15.7 11 | fi 12 | 13 | if $(grep -q "1.10" <<< $TAG); then 14 | export GOLANG_VERSION=1.16.9 15 | fi 16 | 17 | if $(grep -q "1.11" <<< $TAG); then 18 | export GOLANG_VERSION=1.17.6 19 | fi 20 | 21 | if $(grep -q "1.12" <<< $TAG) || [[ "${REL_BRANCH_VER:-${ISTIO_MINOR_VER}}" == "1.13" ]]; then 22 | export GOLANG_VERSION=1.17.8 23 | fi 24 | 25 | if $(grep -q "1.14" <<< $TAG); then 26 | export GOLANG_VERSION=1.18.4 27 | fi 28 | 29 | if $(grep -q "1.15" <<< $TAG); then 30 | export GOLANG_VERSION=1.19.2 31 | fi 32 | 33 | if [[ "${REL_BRANCH_VER:-${ISTIO_MINOR_VER}}" == "1.16" ]]; then 34 | export GOLANG_VERSION=1.19.5 35 | fi 36 | 37 | if [[ "${REL_BRANCH_VER:-${ISTIO_MINOR_VER}}" == "1.17" ]]; then 38 | export GOLANG_VERSION=1.20.2 39 | fi 40 | 41 | if [[ "${REL_BRANCH_VER:-${ISTIO_MINOR_VER}}" == "1.18" ]]; then 42 | export GOLANG_VERSION=1.20.6 43 | fi 44 | 45 | url="https://golang.org/dl/go$GOLANG_VERSION.linux-$(dpkg --print-architecture).tar.gz" 46 | 47 | wget -q -O go.tgz "$url" 48 | 49 | sudo tar -C /usr/local -xzf go.tgz 50 | rm go.tgz 51 | 52 | export GOROOT=/usr/local/go 53 | export PATH="$GOROOT/bin:$PATH" 54 | 55 | echo "Go installed" 56 | go version 57 | -------------------------------------------------------------------------------- /tetrateci/patches/common/increase-vm-timeout.1.8.patch: 
--------------------------------------------------------------------------------
1 | diff --git a/tests/integration/pilot/vm_test.go b/tests/integration/pilot/vm_test.go
2 | index 5aa5af8855..8563d7fdb4 100644
3 | --- a/tests/integration/pilot/vm_test.go
4 | +++ b/tests/integration/pilot/vm_test.go
5 | @@ -100,7 +100,7 @@ func TestVMRegistrationLifecycle(t *testing.T) {
6 | return err
7 | }
8 | return res.CheckOK()
9 | - }, retry.Timeout(15*time.Second))
10 | + }, retry.Timeout(5*time.Minute))
11 | })
12 | ctx.NewSubTest("reconnect reuses WorkloadEntry").Run(func(ctx framework.TestContext) {
13 | // ensure we have two pilot instances, other tests can pass before the second one comes up
14 | @@ -114,7 +114,7 @@ func TestVMRegistrationLifecycle(t *testing.T) {
15 | return errors.New("expected 2 pilots")
16 | }
17 | return nil
18 | - }, retry.Timeout(10*time.Second))
19 | + }, retry.Timeout(5*time.Minute))
20 |
21 | // get the initial workload entry state
22 | entries := getWorkloadEntriesOrFail(ctx, autoVM)
23 | 
@@ -138,7 +138,7 @@ func TestVMRegistrationLifecycle(t *testing.T) { 24 | return errors.New("expected WorkloadEntry to be updated by other pilot") 25 | } 26 | return nil 27 | - }, retry.Delay(5*time.Second)) 28 | + }, retry.Delay(5*time.Minute)) 29 | }) 30 | ctx.NewSubTest("disconnect deletes WorkloadEntry").Run(func(ctx framework.TestContext) { 31 | deployment := fmt.Sprintf("%s-%s", autoVM.Config().Service, "v1") 32 | -------------------------------------------------------------------------------- /tetrateci/1.17/test/skip.d/eks: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 
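Review bot: The third hunk changes `retry.Delay(5*time.Second)` to `retry.Delay(5*time.Minute)`, which lengthens the pause between attempts rather than the overall deadline, unlike the two `retry.Timeout(5*time.Minute)` changes earlier in this patch. With a five-minute delay a first failed check is not retried until five minutes later, and whether a second attempt happens at all depends on the default timeout, which the hunk does not show. If the goal is the same longer deadline as the other two retries, keep the short delay and add the timeout: `}, retry.Timeout(5*time.Minute), retry.Delay(5*time.Second))`. The enclosing subtest starts outside the hunk.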
24 | istio.io/istio/tests/integration/telemetry/stackdriver=* 25 | istio.io/istio/tests/integration/telemetry/stackdriver/vm=* 26 | istio.io/istio/tests/integration/telemetry/api=TestAccessLogsMode 27 | istio.io/istio/tests/integration/pilot=TestGatewayConformance TestIngress/status 28 | istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt 29 | istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification 30 | istio.io/istio/tests/integration/security=TestReachability/global_no_peer_authn TestReachability/migration_tls_mutual TestReachability/migration_no_tls TestReachability/mtls_strict 31 | istio.io/istio/tests/integration/helm/upgrade=* 32 | istio.io/istio/tests/integration/security/sds_ingress/quic=* 33 | -------------------------------------------------------------------------------- /tetrateci/patches/gke/chiron-gke.patch: -------------------------------------------------------------------------------- 1 | diff --git a/security/pkg/pki/util/verify_cert.go b/security/pkg/pki/util/verify_cert.go 2 | index 517e10ff3f..d2a52e1b52 100644 3 | --- a/security/pkg/pki/util/verify_cert.go 4 | +++ b/security/pkg/pki/util/verify_cert.go 5 | 
@@ -128,13 +128,13 @@ func VerifyCertificate(privPem []byte, certChainPem []byte, rootCertPem []byte,
6 | return fmt.Errorf("unexpected value for 'NotAfter' - 'NotBefore': want %v but got %v", ttl, cert.NotAfter.Sub(cert.NotBefore))
7 | }
8 |
9 | - if eku := sortExtKeyUsage(expectedFields.ExtKeyUsage); !reflect.DeepEqual(eku, sortExtKeyUsage(cert.ExtKeyUsage)) {
10 | - return fmt.Errorf("unexpected value for 'ExtKeyUsage' field: want %v but got %v", eku, cert.ExtKeyUsage)
11 | - }
12 | + // if eku := sortExtKeyUsage(expectedFields.ExtKeyUsage); !reflect.DeepEqual(eku, sortExtKeyUsage(cert.ExtKeyUsage)) {
13 | + // return fmt.Errorf("unexpected value for 'ExtKeyUsage' field: want %v but got %v", eku, cert.ExtKeyUsage)
14 | + // }
15 |
16 | - if ku := expectedFields.KeyUsage; ku != cert.KeyUsage {
17 | - return fmt.Errorf("unexpected value for 'KeyUsage' field: want %v but got %v", ku, cert.KeyUsage)
18 | - }
19 | + // if ku := expectedFields.KeyUsage; ku != cert.KeyUsage {
20 | + // return fmt.Errorf("unexpected value for 'KeyUsage' field: want %v but got %v", ku, cert.KeyUsage)
21 | + // }
22 |
23 | if isCA := expectedFields.IsCA; isCA != cert.IsCA {
24 | return fmt.Errorf("unexpected value for 'IsCA' field: want %t but got %t", isCA, cert.IsCA)
25 |
-------------------------------------------------------------------------------- /tetrateci/1.18/test/skip.d/eks: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 
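Review bot: Commenting out the `ExtKeyUsage` and `KeyUsage` comparisons drops key-usage validation for every caller of `VerifyCertificate`, not only the GKE run this patch is named for, and the hunk gives no reason for it. test_1.7.sh and test_1.8.sh on this page apply the patch with `git apply` to the working tree before `go test`; nothing here shows that tree being discarded before an image or release build, so that is worth confirming. Rather than leaving dead commented code, the patch could delete the two checks and put one comment in their place, for example `// CI-only (GKE): KeyUsage/ExtKeyUsage comparison skipped for this run; do not carry into a release build`, or gate them on a test-only condition. The function starts and ends outside the hunk.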
16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 24 | istio.io/istio/tests/integration/telemetry/stackdriver=* 25 | istio.io/istio/tests/integration/telemetry/stackdriver/vm=* 26 | istio.io/istio/tests/integration/telemetry/api=TestAccessLogsMode 27 | istio.io/istio/tests/integration/pilot=TestGatewayConformance TestIngress/status TestGateway 28 | istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt 29 | istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification 30 | istio.io/istio/tests/integration/security=TestReachability/global_no_peer_authn TestReachability/migration_tls_mutual TestReachability/migration_no_tls TestReachability/mtls_strict 31 | istio.io/istio/tests/integration/helm/upgrade=* 32 | istio.io/istio/tests/integration/security/sds_ingress/quic=* 33 | -------------------------------------------------------------------------------- /tetrateci/1.14/test/skip.d/gke: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 
24 | 25 | istio.io/istio/tests/integration/helm/upgrade=TestRevisionTagsUpgradeFromPrevious 26 | MinorRelease 27 | 28 | istio.io/istio/tests/integration/pilot=TestGateway TestIngress TestDescribe TestTraffic 29 | istio.io/istio/tests/integration/helm=* 30 | istio.io/istio/tests/integration/helm/upgrade=* 31 | istio.io/istio/tests/integration/security=TestReachability/beta-mtls-off 32 | istio.io/istio/tests/integration/security/sds_ingress/quic=* 33 | istio.io/istio/tests/integration/security/mtls_first_party_jwt=* 34 | istio.io/istio/tests/integration/security/https_jwt=TestJWTHTTPS/jwt-authn/a/to_b/valid-token-forward-remote-jwks 35 | istio.io/istio/tests/integration/pilot=TestGateway TestIngress TestDescribe TestTraffic 36 | istio.io/istio/tests/integration/telemetry/stackdriver=* 37 | istio.io/istio/tests/integration/telemetry/stackdriver=* 38 | -------------------------------------------------------------------------------- /tetrateci/upload_upstream_release.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -o errexit 4 | set -o pipefail 5 | 6 | NEWTAG=$TAG-istio-v0 7 | 8 | python3 -m pip install --upgrade cloudsmith-cli --user 9 | # exit if the tag already exist 10 | cloudsmith ls pkgs tetrate/getistio -F json | jq -r '.data[].filename' | cut -f1-3 -d. 
| rev | cut -f3- -d- | rev | grep istioctl | cut -f2 -d- | uniq | grep -q "$NEWTAG" && exit 11 | 12 | echo "Creating a temporary directory to download $TAG release assets" 13 | mkdir /tmp/release 14 | cd /tmp/release 15 | 16 | echo "Fetching the download urls for the $TAG release" 17 | urls=$(curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/istio/istio/releases/tags/$TAG | jq -r '.assets[] | .browser_download_url') 18 | 19 | for url in $urls; do 20 | echo "Downloading from $url" 21 | wget $url 22 | done 23 | 24 | echo "Renaming packages" 25 | 26 | istiopkgs=$(ls | grep "istio-$TAG") 27 | 28 | for pkg in $istiopkgs; do 29 | name=$(sed "s/istio-$TAG/istio-$TAG-istio-v0/g" <<< $pkg) 30 | echo "Renaming $pkg to $name" 31 | mv $pkg $name 32 | done 33 | 34 | istioctlpkgs=$(ls | grep "istioctl-$TAG") 35 | 36 | for pkg in $istioctlpkgs; do 37 | name=$(sed "s/istioctl-$TAG/istioctl-$TAG-istio-v0/g" <<< $pkg) 38 | echo "Renaming $pkg to $name" 39 | mv $pkg $name 40 | done 41 | 42 | PACKAGES=$(ls | grep "istio") 43 | 44 | for package in $PACKAGES; do 45 | echo "Publishing $package" 46 | cloudsmith push raw tetrate/getistio ./$package 47 | done 48 | 49 | echo "Cleaning up the the downloaded artifacts" 50 | 51 | cd .. 52 | rm -rf release 53 | -------------------------------------------------------------------------------- /tetrateci/test_1.7.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | ./tetrateci/version_check.py && exit 3 | set -e 4 | 5 | # need this variable to run the tests outside GOPATH 6 | export REPO_ROOT=$(pwd) 7 | echo "Set REPO_ROOT=$REPO_ROOT" 8 | source ./tetrateci/setup_go.sh 9 | 10 | echo "Applying patches...." 
11 | 12 | if [[ ${CLUSTER} == "gke" ]]; then 13 | # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio-old/issues/76 14 | echo "Generating operator config for GKE" 15 | python3 -m pip install pyyaml --user && ./tetrateci/gen_iop.py 16 | CLUSTERFLAGS="-istio.test.kube.helm.iopFile $(pwd)/tetrateci/iop-gke-integration.yml" 17 | 18 | echo "Applying GKE specific patches...." 19 | git apply tetrateci/patches/gke/chiron-gke.patch 20 | fi 21 | 22 | if [[ ${CLUSTER} == "eks" ]]; then 23 | echo "Applying Ingress patch for EKS...." 24 | git apply tetrateci/patches/eks/eks-ingress.1.7.patch 25 | fi 26 | 27 | PACKAGES=$(go list ./tests/integration/... | grep -v /qualification | grep -v /examples | grep -v /multicluster | grep -v /stackdriver) 28 | 29 | echo "Starting Testing" 30 | 31 | for package in $PACKAGES; do 32 | n=0 33 | until [ "$n" -ge 3 ] 34 | do 35 | echo "========================================================TESTING $package | TRY $n========================================================" 36 | go test -test.v $package -timeout 30m --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.pullpolicy IfNotPresent ${CLUSTERFLAGS} && break || echo "Test Failed: $package" 37 | for folder in $(ls -d /tmp/* | grep istio); do sudo rm -rf -- $folder; done 38 | n=$((n+1)) 39 | done 40 | [ "$n" -ge 3 ] && exit 1 41 | done 42 | 43 | echo "Testing Done" 44 | -------------------------------------------------------------------------------- /tetrateci/1.12/test/skip.d/eks: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 
14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 24 | 25 | istio.io/istio/tests/integration/helm/upgrade=* 26 | 27 | istio.io/istio/tests/integration/pilot=* 28 | istio.io/istio/tests/integration/pilot/endpointslice=* 29 | istio.io/istio/tests/integration/pilot/revisions=TestMultiRevision 30 | 31 | istio.io/istio/tests/integration/security=* 32 | istio.io/istio/tests/integration/security/sds_ingress=* 33 | istio.io/istio/tests/integration/security/sds_tls_origination=TestSimpleTlsOrigination TestMutualTlsOrigination 34 | 35 | istio.io/istio/tests/integration/telemetry/stats/prometheus/nullvm=TestAccessLogs 36 | istio.io/istio/tests/integration/telemetry/tracing/opencensusagent=TestProxyTracing 37 | istio.io/istio/tests/integration/telemetry/tracing/zipkin/clienttracing=TestClientTracing 38 | istio.io/istio/tests/integration/telemetry/tracing/zipkin/servertracing=TestProxyTracing 39 | 40 | istio.io/istio/tests/integration/telemetry/stackdriver=* 41 | istio.io/istio/tests/integration/telemetry/stackdriver/api=* 42 | istio.io/istio/tests/integration/telemetry/stackdriver/vm=* 43 | -------------------------------------------------------------------------------- /tetrateci/patches/common/wait-for-envoy.1.8.patch: -------------------------------------------------------------------------------- 1 | diff --git a/tests/integration/telemetry/policy/envoy_ratelimit_test.go b/tests/integration/telemetry/policy/envoy_ratelimit_test.go 2 | index 368c1ff9ea..8fa191ab08 100644 3 | --- a/tests/integration/telemetry/policy/envoy_ratelimit_test.go 4 | +++ b/tests/integration/telemetry/policy/envoy_ratelimit_test.go 5 | @@ -16,6 +16,7 @@ 6 | package policy 7 | 8 | import ( 9 | + "fmt" 10 | "io/ioutil" 11 | "testing" 12 | "time" 13 | 
@@ -31,6 +32,7 @@ import (
14 | "istio.io/istio/pkg/test/framework/label"
15 | "istio.io/istio/pkg/test/framework/resource"
16 | "istio.io/istio/pkg/test/kube"
17 | + "istio.io/istio/pkg/test/util/retry"
18 | "istio.io/istio/pkg/test/util/tmpl"
19 | )
20 |
21 |
@@ -159,12 +161,32 @@ func setupEnvoyFilter(ctx resource.Context) error {
22 |
23 | func sendTrafficAndCheckIfRatelimited(t *testing.T) bool {
24 | t.Helper()
25 | +
26 | + testCall := echo.CallOptions{
27 | + Target: srv,
28 | + PortName: "http",
29 | + Count: 1,
30 | + }
31 | +
32 | + retry.UntilSuccessOrFail(t, func() error {
33 | + t.Logf("Sending a test request to see if envoy is up or not.....")
34 | + if parsedResponse, err := clt.Call(testCall); err == nil {
35 | + for _, resp := range parsedResponse {
36 | + if response.StatusCodeOK != resp.Code {
37 | + return fmt.Errorf("envoy not ready, wanted 200 got %v", resp.Code)
38 | + }
39 | + }
40 | + }
41 | + return nil
42 | + }, retry.Timeout(5*time.Minute))
43 | +
44 | t.Logf("Sending 300 requests...")
45 | httpOpts := echo.CallOptions{
46 | Target: srv,
47 | PortName: "http",
48 | Count: 300,
49 | }
50 | +
51 | if parsedResponse, err := clt.Call(httpOpts); err == nil {
52 | for _, resp := range parsedResponse {
53 | if response.StatusCodeTooManyRequests == resp.Code {
54 |
-------------------------------------------------------------------------------- /tetrateci/1.15/test/skip.d/gke: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 
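Review bot: The added readiness probe treats a failed call as success: when `clt.Call(testCall)` returns an error, the `if ...; err == nil` block is skipped and the closure falls through to `return nil`, so `retry.UntilSuccessOrFail` stops waiting on the first transport error. Returning the error keeps the retry going until a 200 is actually seen, e.g. `parsedResponse, err := clt.Call(testCall)` followed by `if err != nil { return err }` ahead of the loop. An empty `parsedResponse` also passes the check as written. `sendTrafficAndCheckIfRatelimited` continues past the end of the hunk.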
24 | 25 | istio.io/istio/tests/integration/pilot=TestGateway TestIngress TestDescribe TestTraffic TestGatewayConformance TestTunnelingOutboundTraffic 26 | istio.io/istio/tests/integration/pilot/revisioncmd=* 27 | istio.io/istio/tests/integration/helm=* 28 | istio.io/istio/tests/integration/helm/upgrade=* 29 | istio.io/istio/tests/integration/security=TestReachability/beta-mtls-off TestAuthz_EgressGateway TestReachability/global_no_peer_authn/http 30 | istio.io/istio/tests/integration/security/sds_ingress/quic=* 31 | istio.io/istio/tests/integration/security/mtls_first_party_jwt=* 32 | istio.io/istio/tests/integration/security/https_jwt=TestJWTHTTPS/jwt-authn/a/to_b/valid-token-forward-remote-jwks 33 | istio.io/istio/tests/integration/security/filebased_tls_origination=TestEgressGatewayTls 34 | istio.io/istio/tests/integration/telemetry/outboundtrafficpolicy=* 35 | istio.io/istio/tests/integration/telemetry/stats/prometheus/nullvm=* 36 | istio.io/istio/tests/integration/telemetry/stats/prometheus/wasm=* 37 | istio.io/istio/tests/integration/telemetry/stackdriver=* 38 | -------------------------------------------------------------------------------- /tetrateci/1.16/test/skip.d/gke: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 
24 | 25 | istio.io/istio/tests/integration/pilot=TestGateway TestIngress TestDescribe TestTraffic TestGatewayConformance TestTunnelingOutboundTraffic 26 | istio.io/istio/tests/integration/pilot/revisioncmd=* 27 | istio.io/istio/tests/integration/helm=* 28 | istio.io/istio/tests/integration/helm/upgrade=* 29 | istio.io/istio/tests/integration/security=TestReachability/beta-mtls-off TestAuthz_EgressGateway TestReachability/global_no_peer_authn/http 30 | istio.io/istio/tests/integration/security/sds_ingress/quic=* 31 | istio.io/istio/tests/integration/security/mtls_first_party_jwt=* 32 | istio.io/istio/tests/integration/security/https_jwt=TestJWTHTTPS/jwt-authn/a/to_b/valid-token-forward-remote-jwks 33 | istio.io/istio/tests/integration/security/filebased_tls_origination=TestEgressGatewayTls 34 | istio.io/istio/tests/integration/telemetry/outboundtrafficpolicy=* 35 | istio.io/istio/tests/integration/telemetry/stats/prometheus/nullvm=* 36 | istio.io/istio/tests/integration/telemetry/stats/prometheus/wasm=* 37 | istio.io/istio/tests/integration/telemetry/stackdriver=* 38 | -------------------------------------------------------------------------------- /tetrateci/1.17/test/skip.d/gke: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 
24 | 25 | istio.io/istio/tests/integration/pilot=TestGateway TestIngress TestDescribe TestTraffic TestGatewayConformance TestTunnelingOutboundTraffic 26 | istio.io/istio/tests/integration/pilot/revisioncmd=* 27 | istio.io/istio/tests/integration/helm=* 28 | istio.io/istio/tests/integration/helm/upgrade=* 29 | istio.io/istio/tests/integration/security=TestReachability/beta-mtls-off TestAuthz_EgressGateway TestReachability/global_no_peer_authn/http 30 | istio.io/istio/tests/integration/security/sds_ingress/quic=* 31 | istio.io/istio/tests/integration/security/mtls_first_party_jwt=* 32 | istio.io/istio/tests/integration/security/https_jwt=TestJWTHTTPS/jwt-authn/a/to_b/valid-token-forward-remote-jwks 33 | istio.io/istio/tests/integration/security/filebased_tls_origination=TestEgressGatewayTls 34 | istio.io/istio/tests/integration/telemetry/outboundtrafficpolicy=* 35 | istio.io/istio/tests/integration/telemetry/stats/prometheus/nullvm=* 36 | istio.io/istio/tests/integration/telemetry/stats/prometheus/wasm=* 37 | istio.io/istio/tests/integration/telemetry/stackdriver=* 38 | -------------------------------------------------------------------------------- /tetrateci/1.18/test/skip.d/gke: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 
24 | 25 | istio.io/istio/tests/integration/pilot=TestGateway TestIngress TestDescribe TestTraffic TestGatewayConformance TestTunnelingOutboundTraffic 26 | istio.io/istio/tests/integration/pilot/revisioncmd=* 27 | istio.io/istio/tests/integration/helm=* 28 | istio.io/istio/tests/integration/helm/upgrade=* 29 | istio.io/istio/tests/integration/security=TestReachability/beta-mtls-off TestAuthz_EgressGateway TestReachability/global_no_peer_authn/http 30 | istio.io/istio/tests/integration/security/sds_ingress/quic=* 31 | istio.io/istio/tests/integration/security/mtls_first_party_jwt=* 32 | istio.io/istio/tests/integration/security/https_jwt=TestJWTHTTPS/jwt-authn/a/to_b/valid-token-forward-remote-jwks 33 | istio.io/istio/tests/integration/security/filebased_tls_origination=TestEgressGatewayTls 34 | istio.io/istio/tests/integration/telemetry/outboundtrafficpolicy=* 35 | istio.io/istio/tests/integration/telemetry/stats/prometheus/nullvm=* 36 | istio.io/istio/tests/integration/telemetry/stats/prometheus/wasm=* 37 | istio.io/istio/tests/integration/telemetry/stackdriver=* 38 | -------------------------------------------------------------------------------- /tetrateci/gen_release_manifest.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | import yaml, sys, os 4 | 5 | if len(sys.argv) != 3: 6 | print("Usage ./gen_release_manifest.py source_yaml distination_folder") 7 | exit(1) 8 | 9 | print("Reading arguments") 10 | source_yaml = sys.argv[1] 11 | destination_folder = sys.argv[2] 12 | 13 | print("Reading environment variables") 14 | hub = os.environ.get("HUB") 15 | tag = os.environ.get("TAG") 16 | branch = os.environ.get("BRANCH") 17 | 18 | print("HUB: ", hub) 19 | print("TAG: ", tag) 20 | print("BRANCH: ", branch) 21 | 22 | with open(source_yaml, "r") as file : 23 | print("Loading source yaml: ", source_yaml) 24 | manifest = yaml.load(file, Loader=yaml.FullLoader) 25 | manifest["ignoreVulnerability"] = False 26 
| manifest["docker"] = hub 27 | manifest["version"] = tag 28 | manifest["dependencies"]["istio"] = {"localpath" : "./istio"} 29 | manifest["dependencies"]["client-go"]["branch"] = branch 30 | del manifest["dependencies"]["proxy"]["auto"] 31 | manifest["dependencies"]["proxy"]["branch"] = branch 32 | manifest["dependencies"]["tools"]["branch"] = branch 33 | # genproto has been removed from 1.14 34 | # added check for "gogo-genproto" dependenciy if it present then assign branch 35 | if "gogo-genproto" in manifest["dependencies"]: 36 | manifest["dependencies"]["gogo-genproto"]["branch"] = branch 37 | manifest["dependencies"]["envoy"]["git"] = "https://github.com/envoyproxy/envoy" 38 | manifest['outputs'] = ["docker"] 39 | f = open(os.path.join(destination_folder, "manifest.docker.yaml"), 'w') 40 | yaml.dump(manifest, f) 41 | print(manifest) 42 | manifest['outputs'] = ["archive"] 43 | print(manifest) 44 | f = open(os.path.join(destination_folder, "manifest.archive.yaml"), 'w') 45 | yaml.dump(manifest, f) -------------------------------------------------------------------------------- /tetrateci/version_check.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | import sys, os 4 | 5 | version_matrix = { 6 | "1.7": {"1.16", "1.17", "1.18"}, 7 | "1.8": {"1.16", "1.17", "1.18", "1.19"}, 8 | "1.9": {"1.17", "1.18", "1.19", "1.20"}, 9 | "1.10": {"1.18", "1.19", "1.20", "1.21"}, 10 | "1.11": {"1.18", "1.19", "1.20", "1.21", "1.22"}, 11 | "1.12": {"1.19", "1.20", "1.21", "1.22"}, # officially supported versions according to https://istio.io/latest/news/releases/1.12.x/announcing-1.12 12 | "1.13": {"1.20", "1.21", "1.22", "1.23"}, # officially supported versions according to https://istio.io/latest/news/releases/1.13.x/announcing-1.13 13 | "1.14": {"1.20","1.21", "1.22", "1.23", "1.24"} , # officially supported versions according to https://istio.io/latest/news/releases/1.14.x/announcing-1.14 14 | "1.15": 
{"1.21","1.22", "1.23", "1.24", "1.25"} , # officially supported versions according to https://istio.io/latest/news/releases/1.15.x/announcing-1.15 15 | "1.16": {"1.22", "1.23", "1.24", "1.25"} , # officially supported versions according to https://istio.io/latest/news/releases/1.16.x/announcing-1.16 16 | "1.17": {"1.22", "1.23", "1.24", "1.25"} , # officially supported versions according to https://istio.io/latest/news/releases/1.17.x/announcing-1.17 17 | "1.18": {"1.24", "1.25", "1.26", "1.27"} , # officially supported versions according to https://istio.io/latest/news/releases/1.18.x/announcing-1.18 18 | } 19 | 20 | istio_ver = os.environ.get("ISTIO_MINOR_VER") 21 | k8s_ver = os.environ.get("K8S_VERSION") 22 | 23 | print("Istio Version : ", istio_ver) 24 | print("Kubernetes Version : ", k8s_ver) 25 | 26 | if istio_ver in version_matrix: 27 | if k8s_ver in version_matrix[istio_ver]: 28 | print("Version matched!!") 29 | sys.exit(1) 30 | 31 | print("Version not matched!!") 32 | sys.exit(0) 33 | -------------------------------------------------------------------------------- /tetrateci/1.12/test/skip.d/eks-arm64: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 
24 | 25 | istio.io/istio/tests/integration/helm/upgrade=* 26 | 27 | istio.io/istio/tests/integration/pilot=* 28 | istio.io/istio/tests/integration/pilot/endpointslice=* 29 | istio.io/istio/tests/integration/pilot/revisions=TestMultiRevision 30 | 31 | istio.io/istio/tests/integration/security=* 32 | istio.io/istio/tests/integration/security/sds_ingress=* 33 | istio.io/istio/tests/integration/security/sds_tls_origination=TestSimpleTlsOrigination TestMutualTlsOrigination 34 | 35 | istio.io/istio/tests/integration/telemetry/stats/prometheus/nullvm=TestAccessLogs 36 | istio.io/istio/tests/integration/telemetry/tracing/zipkin/clienttracing=TestClientTracing 37 | istio.io/istio/tests/integration/telemetry/tracing/zipkin/servertracing=TestProxyTracing 38 | 39 | istio.io/istio/tests/integration/telemetry/stackdriver=* 40 | istio.io/istio/tests/integration/telemetry/stackdriver/api=* 41 | istio.io/istio/tests/integration/telemetry/stackdriver/vm=* 42 | 43 | istio.io/istio/tests/integration/telemetry/tracing/opencensusagent=* 44 | istio.io/istio/tests/integration/telemetry/policy=* 45 | -------------------------------------------------------------------------------- /tetrateci/1.13/test/skip.d/eks-arm64: -------------------------------------------------------------------------------- 1 | # e2e tests to skip (until a long-term fix is found) 2 | # 3 | # Each line has format: 4 | # 5 | # ```text 6 | # = ... 7 | # ``` 8 | # 9 | # where 10 | # 1. - is a name of a package with Istio e2e tests, e.g. 11 | # `istio.io/istio/tests/integration/pilot` 12 | # 2. - is a regexp that matches unit tests to skip, e.g. 13 | # 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. 14 | # Each `` value will be translated into the 15 | # `--istio.test.skip` option of the Istio Test Framework. 16 | # 17 | # A special case, 18 | # 19 | # ```text 20 | # =* 21 | # ``` 22 | # 23 | # indicates that tests for the package `` should not be run at all. 
24 | 25 | istio.io/istio/tests/integration/helm/upgrade=* 26 | 27 | istio.io/istio/tests/integration/pilot=* 28 | istio.io/istio/tests/integration/pilot/endpointslice=* 29 | istio.io/istio/tests/integration/pilot/revisions=TestMultiRevision 30 | 31 | istio.io/istio/tests/integration/security=* 32 | istio.io/istio/tests/integration/security/sds_ingress/quic=* 33 | istio.io/istio/tests/integration/security/https_jwt=* 34 | istio.io/istio/tests/integration/security/sds_ingress=* 35 | istio.io/istio/tests/integration/security/sds_tls_origination=TestSimpleTlsOrigination TestMutualTlsOrigination 36 | 37 | istio.io/istio/tests/integration/telemetry/tracing/zipkin/clienttracing=TestClientTracing 38 | istio.io/istio/tests/integration/telemetry/tracing/zipkin/servertracing=TestProxyTracing 39 | istio.io/istio/tests/integration/telemetry/stackdriver=* 40 | istio.io/istio/tests/integration/telemetry/stackdriver/api=* 41 | istio.io/istio/tests/integration/telemetry/stackdriver/vm=* 42 | istio.io/istio/tests/integration/telemetry/tracing/opencensusagent=* 43 | istio.io/istio/tests/integration/telemetry/policy=* 44 | -------------------------------------------------------------------------------- /tetrateci/port_patches_to_release.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -o errexit 3 | set -o pipefail 4 | 5 | if [[ -z "$GITHUB_TOKEN" ]]; then 6 | echo "Undefined GITHUB_TOKEN environment variable." 
7 | exit 1 8 | fi 9 | 10 | echo "Configuring git" 11 | 12 | cat <<- EOF > $HOME/.netrc 13 | machine github.com 14 | login $GITHUB_ACTOR 15 | password $GITHUB_TOKEN 16 | machine api.github.com 17 | login $GITHUB_ACTOR 18 | password $GITHUB_TOKEN 19 | EOF 20 | chmod 600 $HOME/.netrc 21 | 22 | git config user.name $GITHUB_ACTOR 23 | git config user.email github-actions@github.com 24 | 25 | echo "Fetching target branches" 26 | 27 | git fetch --all --verbose 28 | TARGETS=$(git branch -r| grep -E "origin/tetrate-release-[[:digit:]]+.[[:digit:]]+$" | xargs) 29 | 30 | function create_pr_using_temp() { 31 | echo "Getting branch name for $1" 32 | local branch_name=$(cut -f2 -d"/" <<< $1) 33 | 34 | temp_branch=temp-github-actions-$branch_name 35 | 36 | echo "Creating a temporary branch" 37 | git checkout -b $temp_branch $1 38 | 39 | echo "Checking out the changes" 40 | git checkout origin/tetrate-workflow -- tetrateci 41 | git checkout origin/tetrate-workflow -- .github/workflows 42 | git commit -m "Merging tetrate-workflow with $branch_name" 43 | 44 | echo "Pushing temporary branch to origin" 45 | git push origin $temp_branch --force 46 | 47 | echo "Creating PR for $branch_name" 48 | hub pull-request -b $branch_name -m "AUTO: Backporting patches to $branch_name" 49 | } 50 | 51 | echo "Creating PRs" 52 | 53 | for branch in $TARGETS; do 54 | create_pr_using_temp $branch 55 | done 56 | 57 | echo "Creating PRs for FIPS branches" 58 | 59 | FIPS_TARGETS=$(git branch -r| grep -E "origin/tetratefips-release-[[:digit:]]+.[[:digit:]]+$" | xargs) 60 | 61 | for branch in $FIPS_TARGETS; do 62 | create_pr_using_temp $branch 63 | done 64 | -------------------------------------------------------------------------------- /tetrateci/test_istio.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # this is just for reference won't be used 4 | # master for now 5 | git clone https://github.com/istio/istio 6 | cd 
istio/test/integration/ 7 | 8 | go test -tags=integ ./operator/... -istio.test.skipVM true -p 1 9 | go test -tags=integ ./helm/... -istio.test.skipVM true -p 1 10 | go test -tags=integ -run='TestEmptyCluster|TestFileOnly|TestDirectoryWithoutRecursion|TestDirectoryWithRecursion|TestInvalidFileError|TestJsonInputFile|TestJsonOutput|TestKubeOnly|TestFileAndKubeCombined|TestAllNamespaces|TestTimeout|TestErrorLine|TestWait|TestVersion|TestDescribe|TestAddToAndRemoveFromMesh|TestProxyConfig|TestProxyStatus|TestAuthZCheck|TestLocality|TestMain|TestMirroring|TestMirroringExternalService|TestTproxy|TestRevisionedUpgrade|TestValidation|TestEnsureNoMissingCRDs|TestWebhook' ./pilot/ -istio.test.skipVM true -p 1 11 | go test -tags=integ ./pilot/analysis/... -istio.test.skipVM true -p 1 12 | go test -tags=integ ./pilot/cni/... -istio.test.skipVM true -p 1 13 | go test -tags=integ ./pilot/revisions/... -istio.test.skipVM true -p 1 14 | go test -tags=integ -run='TestStatsFilter|TestStatsTCPFilter|TestSetup|TestIstioctlMetrics|TestTcpMetric|TestStatsFilter|TestWASMTcpMetric|TestWasmStatsFilter|TestMain|TestCustomizeMetrics' ./telemetry/stats/... -istio.test.skipVM true -p 1 15 | go test -tags=integ ./security/ca_custom_root/... -istio.test.skipVM true -p 1 16 | go test -tags=integ ./security/chiron/... -istio.test.skipVM true -p 1 17 | go test -tags=integ ./security/file_mounted_certs/... -istio.test.skipVM true -p 1 18 | go test -tags=integ ./security/filebased_tls_origination/... -istio.test.skipVM true -p 1 19 | go test -tags=integ ./security/mtls_first_party_jwt/... -istio.test.skipVM true -p 1 20 | go test -tags=integ ./security/mtlsk8sca/... -istio.test.skipVM true -p 1 21 | go test -tags=integ ./security/sds_egress/... -istio.test.skipVM true -p 1 22 | go test -tags=integ ./security/sds_tls_origination/... -istio.test.skipVM true -p 1 23 | go test -tags=integ ./security/webhook/... 
-istio.test.skipVM true -p 1 24 | -------------------------------------------------------------------------------- /tetrateci/iop-gke-integration.yml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | metadata: 4 | name: install 5 | spec: 6 | meshConfig: 7 | accessLogFile: "/dev/stdout" 8 | defaultConfig: 9 | proxyMetadata: 10 | ISTIO_META_DNS_CAPTURE: "true" 11 | components: 12 | ingressGateways: 13 | - name: istio-ingressgateway 14 | enabled: true 15 | k8s: 16 | service: 17 | ports: 18 | ## Default ports 19 | - port: 15021 20 | targetPort: 15021 21 | name: status-port 22 | - port: 80 23 | targetPort: 8080 24 | name: http2 25 | - port: 443 26 | targetPort: 8443 27 | name: https 28 | # This is the port where sni routing happens 29 | - port: 15443 30 | targetPort: 15443 31 | name: tls 32 | ## Extra ports for testing 33 | - port: 15012 34 | targetPort: 15012 35 | name: tls-istiod 36 | - port: 15017 37 | targetPort: 15017 38 | name: tls-webhook 39 | - port: 31400 40 | targetPort: 31400 41 | name: tcp 42 | # Enable the egressgateway for all tests by default. 
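43 | egressGateways: 44 | - name: istio-egressgateway 45 | enabled: true 46 | values: 47 | cni: 48 | cniBinDir: /home/kubernetes/bin 49 | excludeNamespaces: 50 | - istio-system 51 | - kube-system 52 | global: 53 | externalIstiod: true 54 | proxy: 55 | resources: 56 | requests: 57 | cpu: 10m 58 | memory: 40Mi 59 | pilot: 60 | env: 61 | PILOT_ENABLED_SERVICE_APIS: true 62 | ENABLE_ADMIN_ENDPOINTS: true 63 | PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION: true 64 | gateways: 65 | istio-ingressgateway: 66 | autoscaleMax: 1 67 | resources: 68 | requests: 69 | cpu: 10m 70 | memory: 40Mi 71 | istio-egressgateway: 72 | autoscaleMax: 1 73 | resources: 74 | requests: 75 | cpu: 10m 76 | -------------------------------------------------------------------------------- /tetrateci/test_1.8.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Integration-test driver for the 1.8 line: patches the tree for the target
# platform, then runs every selected integration package with up to three
# attempts each and exits 1 as soon as one package fails all three.
#
# Reads from the environment:
#   CLUSTER      "gke" or "eks" selects the platform-specific setup
#   K8S_VERSION  a value containing 1.17 drops the endpointslice packages

# Runs before `set -e`: when version_check.py exits 0 the script stops here
# and no test is run; any other status falls through to the tests.
./tetrateci/version_check.py && exit
set -e

# need this variable to run the tests outside GOPATH
export REPO_ROOT=$(pwd)
echo "Set REPO_ROOT=$REPO_ROOT"
source ./tetrateci/setup_go.sh

echo "Applying patches...."
git apply tetrateci/patches/common/increase-dashboard-timeout.1.8.patch
git apply tetrateci/patches/common/wait-for-envoy.1.8.patch
#git apply tetrateci/patches/common/increase-vm-timeout.1.8.patch
#git apply tetrateci/patches/common/disable-autoscaling-on-cpu.1.8.patch
git apply tetrateci/patches/common/disable-vmregistration.1.8.patch # https://github.com/istio/istio/issues/29100

if [[ "${CLUSTER}" == "gke" ]]; then
    echo "Generating operator config for GKE"
    # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76
    # NOTE(review): pyyaml is installed unpinned at run time, so gen_iop.py runs
    # with whatever release the package index serves that day; pinning a
    # reviewed version would keep this dependency fixed between runs.
    python3 -m pip install pyyaml --user && ./tetrateci/gen_iop.py
    CLUSTERFLAGS="-istio.test.kube.helm.iopFile $(pwd)/tetrateci/iop-gke-integration.yml"

    echo "Applying GKE specific patches...."
    git apply tetrateci/patches/gke/chiron-gke.patch
fi

if [[ "${CLUSTER}" == "eks" ]]; then
    echo "Applying Ingress patch for EKS...."
    git apply tetrateci/patches/eks/eks-ingress.1.8.patch
fi

# Literal substring match; the former `grep -q "1.17"` treated the dot as
# "any character" and was wrapped in a command substitution it did not need.
if [[ "${K8S_VERSION}" == *1.17* ]]; then
    PACKAGES=$(go list -tags=integ ./tests/integration/... | grep -v /qualification | grep -v /examples | grep -v /multicluster | grep -v /endpointslice | grep -v /stackdriver)
else
    PACKAGES=$(go list -tags=integ ./tests/integration/... | grep -v /qualification | grep -v /examples | grep -v /multicluster | grep -v /stackdriver)
fi

echo "Starting Testing"

for package in $PACKAGES; do
    n=0
    until [ "$n" -ge 3 ]
    do
        echo "========================================================TESTING $package | TRY $n========================================================"
        # ${CLUSTERFLAGS} stays unquoted on purpose: it holds a flag and its
        # value separated by a space and must split into two arguments.
        go test -test.v -tags=integ "$package" -timeout 30m --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.pullpolicy IfNotPresent ${CLUSTERFLAGS} && break || echo "Test Failed: $package"
        # Clear leftover istio entries from /tmp before the next attempt.
        # find passes each path to rm as a single argument; the previous
        # `for folder in $(ls -d /tmp/* | grep istio)` word-split the listing,
        # so an entry whose name contained whitespace made the root-level
        # `rm -rf` act on paths other than the one listed.
        find /tmp -mindepth 1 -maxdepth 1 -name '*istio*' ! -name '.*' -exec sudo rm -rf -- {} +
        n=$((n+1))
    done
    # n reaches 3 only when every attempt failed.
    [ "$n" -ge 3 ] && exit 1
done

echo "Testing Done"
-------------------------------------------------------------------------------- /tetrateci/test_1.12.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # 3 | # Copyright (c) Tetrate, Inc 2021 All Rights Reserved. 4 | 5 | set -e 6 | set -u 7 | set -x 8 | 9 | SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) 10 | ROOTDIR=$( cd "${SCRIPTDIR}/.."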
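&& pwd ) 11 |

# When version_check.py exits 0 the script stops here and no test is run.
"${SCRIPTDIR}/version_check.py" && exit

# shellcheck disable=SC1091
source "${SCRIPTDIR}/setup_go.sh"

# Extra arguments appended to every `go test` invocation below.
COMMON_TEST_FLAGS=()

if [[ "${CLUSTER}" == "gke" ]]; then
    echo "Generating operator config for GKE"

    # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76
    # NOTE(review): pyyaml is installed unpinned at run time; pinning a reviewed
    # version would keep the generator's dependency fixed between runs.
    python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py"

    COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" )
fi

PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...")

echo "Starting Testing"

# Packages whose test run failed; reported after the loop.
FAILED_PACKAGES=()

for pkg in $PACKAGES; do
    echo "========================================================TESTING ${pkg} ========================================================"

    # Look up the "<package>=<tests>" rule for this package in the skip file
    # for this Istio minor version and cluster type; a missing file or rule
    # leaves both variables empty.
    SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" )
    SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" )

    # A rule value of "*" skips the whole package.
    if [[ "${SKIP_TESTS}" == "*" ]]; then
        echo "Skipping according to the rule: ${SKIP_RULE}"
        continue
    fi

    # Any other value is a whitespace-separated list of test names; each one
    # becomes its own --istio.test.skip flag.
    read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}"

    SKIP_TEST_FLAGS=()
    for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do
        SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" )
    done

    # A failing package is recorded and the loop carries on with the next one.
    go test \
        -test.v \
        -timeout 2h \
        -tags=integ \
        "${pkg}" \
        --istio.test.select=-postsubmit,-flaky \
        ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \
        --istio.test.ci \
        --istio.test.pullpolicy=IfNotPresent \
        --istio.test.retries=1 \
        ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \
        || \
        { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; }

    # Remove leftover istio directories from /tmp. -type d selects directories
    # only and rm refuses a directory without -r, so the former `rm -f` removed
    # nothing and the directories accumulated across packages.
    find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -rf -- {} \;
done

echo "Testing Done"

71 | if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then 72 |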
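echo "" 73 | echo "Some of the tests have failed :(" 74 | echo "" 75 | echo "Packages with failed tests:" 76 | for pkg in "${FAILED_PACKAGES[@]}"; do 77 | echo "- ${pkg}" 78 | done 79 | exit 1 80 | fi 81 | -------------------------------------------------------------------------------- /tetrateci/fetch_all_tags.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Sync release tags from upstream istio/istio into this fork.
#
# For every upstream tag of the form number.number.number that origin does not
# have yet: merge it into tetrate-release-X.Y and tetratefips-release-X.Y
# (created from origin/tetrate-workflow when missing), add the test-* tags,
# push, and run upload_upstream_release.sh with TAG exported.
set -o errexit
set -o pipefail

# Tag lists go into a private mktemp directory rather than fixed names under
# /tmp, so another local user cannot pre-create or swap the files.
workdir=$(mktemp -d)
trap 'rm -rf -- "${workdir}"' EXIT

# The dots are escaped: the former pattern used a bare `.`, which matches any
# character. Tag text is used below to build branch and tag names that get
# pushed, so only digits and dots should come through from upstream.
tag_pattern='^[0-9]+\.[0-9]+\.[0-9]+$'

# Print the matching tags in byte order, the order comm expects.
# grep exits 1 when nothing matches; with pipefail and errexit that would end
# the script, so exactly that status is tolerated and real errors still abort.
list_release_tags() {
    git tag -l | { grep -E "${tag_pattern}" || [[ $? -eq 1 ]]; } | LC_ALL=C sort -u
}

# we first fetch all the tags from origin and then from upstream
# the tag should be in form of number.number.number
# Re-use the remote when an earlier run already added it; `git remote add`
# fails on an existing name and errexit would stop the script.
if git remote get-url upstream >/dev/null 2>&1; then
    git remote set-url upstream https://github.com/istio/istio
else
    git remote add upstream https://github.com/istio/istio
fi
git fetch --tags origin
list_release_tags > "${workdir}/oldtags"
git fetch --tags upstream
list_release_tags > "${workdir}/newtags"

echo "print oldtags"
cat "${workdir}/oldtags"
echo "print newtags"
cat "${workdir}/newtags"

# then compare the list and pick the ones unique to the second list
tags=$(LC_ALL=C comm -13 "${workdir}/oldtags" "${workdir}/newtags")
echo "==================="
echo "New istio tags to be created $tags"
echo "==================="

git config user.name github-actions
git config user.email github-actions@github.com

for tag in $tags; do
    # the branch names are suffixed with the first 2 numbers in the version
    branch=$( echo "$tag" | cut -d. -f1,2 )

    # checkout -B instead of -b: when two new tags share a minor version the
    # local branch already exists on the second pass and -b would fail.
    if ! git rev-parse --verify --quiet "origin/tetrate-release-$branch" >/dev/null; then
        # create the tetrate release branch if it doesn't exist with the workflows
        git checkout -B "tetrate-release-$branch" origin/tetrate-workflow
    else
        git checkout -B "tetrate-release-$branch" "origin/tetrate-release-$branch"
    fi
    # -X theirs settles every conflict in favour of the upstream tag, with no
    # human review of the result before it is pushed.
    git merge "$tag" --no-edit --allow-unrelated-histories -X theirs
    git tag "test-$tag-tetrate-v0"

    git push origin "tetrate-release-$branch" --tags

    # Now for FIPS
    if ! git rev-parse --verify --quiet "origin/tetratefips-release-$branch" >/dev/null; then
        git checkout -B "tetratefips-release-$branch" origin/tetrate-workflow
        git merge "$tag" --no-edit --allow-unrelated-histories -X theirs
        # no tag created since we need to backport the corresponding patch for fips compliant build manually
    else
        git checkout -B "tetratefips-release-$branch" "origin/tetratefips-release-$branch"
        git merge "$tag" --no-edit --allow-unrelated-histories -X theirs
        git tag "test-$tag-tetratefips-v0"
    fi

    git push origin "tetratefips-release-$branch" --tags

    export TAG=$tag
    ./tetrateci/upload_upstream_release.sh
done

# finally push all the tags
git push --tags origin
-------------------------------------------------------------------------------- /tetrateci/fips.md: -------------------------------------------------------------------------------- 1 | ## Introduction 2 | 3 | Google's BoringCrypto [module][1] is used for [FIPS-compliant Istio builds][2]. BoringCrypto is a core module of the 4 | BoringSSL library and has been tested by CMVP to be [FIPS validated][3]. Both the Istio control plane and data plane 5 | are built with these modules. The quickest way to get started with FIPS Istio is to use the 6 | [Tetrate Istio Distribution][4].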
7 | 8 | ## FIPS Verification 9 | 10 | The easiest way to verify the Go version is with Docker. First, create the containers from the [CloudSmith][5] images. 11 | ```shell 12 | HUB=containers.istio.tetratelabs.com 13 | TAG=1.11.4-tetratefips-v0 14 | PILOT_CONTAINER_ID=$(docker create $HUB/pilot:$TAG) 15 | PROXY_CONTAINER_ID=$(docker create $HUB/proxyv2:$TAG) 16 | OPERATOR_CONTAINER_ID=$(docker create $HUB/operator:$TAG) 17 | ISTIOCTL_CONTAINER_ID=$(docker create $HUB/istioctl:$TAG) 18 | CNI_CONTAINER_ID=$(docker create $HUB/install-cni:$TAG) 19 | ``` 20 | 21 | Copy the binaries from the containers to your local machine. 22 | ```shell 23 | docker cp $PILOT_CONTAINER_ID:/usr/local/bin/pilot-discovery pilot-discovery 24 | docker cp $PROXY_CONTAINER_ID:/usr/local/bin/pilot-agent pilot-agent 25 | docker cp $PROXY_CONTAINER_ID:/usr/local/bin/envoy envoy 26 | docker cp $OPERATOR_CONTAINER_ID:/usr/local/bin/operator operator 27 | docker cp $ISTIOCTL_CONTAINER_ID:/usr/local/bin/istioctl istioctl 28 | docker cp $CNI_CONTAINER_ID:/usr/local/bin/install-cni install-cni 29 | ``` 30 | 31 | Verify the Go version used by the binaries. 
32 | ```shell 33 | go version pilot-discovery 34 | go version pilot-agent 35 | go version operator 36 | go version istioctl 37 | go version install-cni 38 | ``` 39 | 40 | - For Istio minor version <1.15 41 | The Go version should include `b` to indicate BoringSSL, for example `go1.16.9b7` 42 | - For Istio minor version >1.15 43 | The Go version should indicate `X:boringcrypto` as the crypto library, for example `pilot-discovery: go1.19.1 X:boringcrypto` 44 | 45 | 46 | Verify Envoy is using BoringSSL FIPS: 47 | ```shell 48 | envoy --version | cut -f4 -d" " 49 | ``` 50 | 51 | The version should include `BoringSSL-FIPS`, for example: 52 | ```shell 53 | ed148b62dfb0dc79adc8c8573ced4806883389c0/1.19.2-dev/Modified/RELEASE/BoringSSL-FIPS 54 | ``` 55 | 56 | [1]: https://go.googlesource.com/go/+/dev.boringcrypto/README.boringcrypto.md 57 | [2]: https://go-boringcrypto.storage.googleapis.com 58 | [3]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3678 59 | [4]: https://istio.tetratelabs.io/ 60 | [5]: https://cloudsmith.io/~tetrate/repos/getistio-containers/packages/ 61 | -------------------------------------------------------------------------------- /tetrateci/test_1.9.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | ./tetrateci/version_check.py && exit 3 | set -e 4 | 5 | source ./tetrateci/setup_go.sh 6 | 7 | echo "Applying patches...."
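# Patch the tree for the 1.9 test run, then run every selected integration
# package with up to three attempts each; exit 1 as soon as one package fails
# all three. Reads CLUSTER ("gke" / "eks" select platform-specific setup) and
# K8S_VERSION from the environment.

# git apply tetrateci/patches/common/increase-vm-timeout.1.9.patch
git apply tetrateci/patches/common/increase-sniffing-timeout.1.9.patch
git apply tetrateci/patches/common/increase-dashboard-timeout.1.9.patch
git apply tetrateci/patches/common/disable-vmregistration.1.9.patch # https://github.com/istio/istio/issues/29100
git apply tetrateci/patches/common/disable-passthroughfilterchain.1.9.patch # https://github.com/istio/istio/issues/32623

# the code fails whenever there is something other than digits in the k8s minor version
# in our case which is a "+" symbol due to extra patching by corresponding vendor
# so we get 1.17+ instead of 1.17
git apply tetrateci/patches/common/fix-version-check.1.9.patch

if [[ "${CLUSTER}" == "gke" ]]; then
    echo "Generating operator config for GKE"
    # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76
    # NOTE(review): pyyaml is installed unpinned at run time, so gen_iop.py runs
    # with whatever release the package index serves that day; pinning a
    # reviewed version would keep this dependency fixed between runs.
    python3 -m pip install pyyaml --user && ./tetrateci/gen_iop.py
    CLUSTERFLAGS="-istio.test.kube.helm.iopFile $(pwd)/tetrateci/iop-gke-integration.yml"

    echo "Applying GKE specific patches...."
    git apply tetrateci/patches/gke/chiron-gke.patch
fi

if [[ "${CLUSTER}" == "eks" ]]; then
    echo "Applying Ingress patch for EKS...."
    git apply tetrateci/patches/eks/eks-ingress.1.9.patch
fi

# Literal substring match; the former `grep -q "1.17"` treated the dot as
# "any character" and was wrapped in a command substitution it did not need.
if [[ "${K8S_VERSION}" == *1.17* ]]; then
    PACKAGES=$(go list -tags=integ ./tests/integration/... | grep -v /qualification | grep -v /examples | grep -v /multicluster | grep -v /endpointslice | grep -v /stackdriver)
else
    PACKAGES=$(go list -tags=integ ./tests/integration/... | grep -v /qualification | grep -v /examples | grep -v /multicluster | grep -v /stackdriver)
fi

echo "Starting Testing"

for package in $PACKAGES; do
    n=0
    until [ "$n" -ge 3 ]
    do
        echo "========================================================TESTING $package | TRY $n========================================================"
        # ${CLUSTERFLAGS} stays unquoted on purpose: it holds a flag and its
        # value separated by a space and must split into two arguments.
        go test -test.v -tags=integ "$package" -timeout 30m --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.pullpolicy IfNotPresent ${CLUSTERFLAGS} && break || echo "Test Failed: $package"
        # Clear leftover istio entries from /tmp before the next attempt.
        # find passes each path to rm as a single argument; the previous
        # `for folder in $(ls -d /tmp/* | grep istio)` word-split the listing,
        # so an entry whose name contained whitespace made the root-level
        # `rm -rf` act on paths other than the one listed.
        find /tmp -mindepth 1 -maxdepth 1 -name '*istio*' ! -name '.*' -exec sudo rm -rf -- {} +
        n=$((n+1))
    done
    # n reaches 3 only when every attempt failed.
    [ "$n" -ge 3 ] && exit 1
done

echo "Testing Done"
-------------------------------------------------------------------------------- /tetrateci/test_1.10.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | ./tetrateci/version_check.py && exit 3 | set -e 4 | 5 | source ./tetrateci/setup_go.sh 6 | 7 | echo "Applying patches...."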
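# Patch the tree for the 1.10 test run, then run every selected integration
# package with up to three attempts each; exit 1 as soon as one package fails
# all three. Reads CLUSTER ("gke" / "eks" select platform-specific setup) and
# K8S_VERSION from the environment.

# git apply tetrateci/patches/common/increase-vm-timeout.1.9.patch
# git apply tetrateci/patches/common/increase-sniffing-timeout.1.9.patch
git apply tetrateci/patches/common/increase-dashboard-timeout.1.10.patch
git apply tetrateci/patches/common/disable-vmregistration.1.10.patch # https://github.com/istio/istio/issues/29100
git apply tetrateci/patches/common/disable-passthroughfilterchain.1.10.patch # https://github.com/istio/istio/issues/32623

# the code fails whenever there is something other than digits in the k8s minor version
# in our case which is a "+" symbol due to extra patching by corresponding vendor
# so we get 1.17+ instead of 1.17
# git apply tetrateci/patches/common/fix-version-check.1.9.patch

if [[ "${CLUSTER}" == "gke" ]]; then
    echo "Generating operator config for GKE"
    # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76
    # NOTE(review): pyyaml is installed unpinned at run time, so gen_iop.py runs
    # with whatever release the package index serves that day; pinning a
    # reviewed version would keep this dependency fixed between runs.
    python3 -m pip install pyyaml --user && ./tetrateci/gen_iop.py
    CLUSTERFLAGS="-istio.test.kube.helm.iopFile $(pwd)/tetrateci/iop-gke-integration.yml"

    echo "Applying GKE specific patches...."
    git apply tetrateci/patches/gke/chiron-gke.patch
fi

if [[ "${CLUSTER}" == "eks" ]]; then
    echo "Applying Ingress patch for EKS...."
    git apply tetrateci/patches/eks/eks-ingress.1.10.patch
fi

# Literal substring match; the former `grep -q "1.17"` treated the dot as
# "any character" and was wrapped in a command substitution it did not need.
if [[ "${K8S_VERSION}" == *1.17* ]]; then
    PACKAGES=$(go list -tags=integ ./tests/integration/... | grep -v /qualification | grep -v /examples | grep -v /multicluster | grep -v /endpointslice | grep -v /stackdriver)
else
    PACKAGES=$(go list -tags=integ ./tests/integration/... | grep -v /qualification | grep -v /examples | grep -v /multicluster | grep -v /stackdriver)
fi

echo "Starting Testing"

for package in $PACKAGES; do
    n=0
    until [ "$n" -ge 3 ]
    do
        echo "========================================================TESTING $package | TRY $n========================================================"
        # ${CLUSTERFLAGS} stays unquoted on purpose: it holds a flag and its
        # value separated by a space and must split into two arguments.
        go test -test.v -tags=integ "$package" -timeout 30m --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.pullpolicy IfNotPresent ${CLUSTERFLAGS} && break || echo "Test Failed: $package"
        # Clear leftover istio entries from /tmp before the next attempt.
        # find passes each path to rm as a single argument; the previous
        # `for folder in $(ls -d /tmp/* | grep istio)` word-split the listing,
        # so an entry whose name contained whitespace made the root-level
        # `rm -rf` act on paths other than the one listed.
        find /tmp -mindepth 1 -maxdepth 1 -name '*istio*' ! -name '.*' -exec sudo rm -rf -- {} +
        n=$((n+1))
    done
    # n reaches 3 only when every attempt failed.
    [ "$n" -ge 3 ] && exit 1
done

echo "Testing Done"
-------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.yml: -------------------------------------------------------------------------------- 1 | name: Bug report 2 | description: Report a bug to help us improve Istio 3 | body: 4 | - type: markdown 5 | attributes: 6 | value: | 7 | Thanks for taking the time to fill out this bug report! 8 | - type: textarea 9 | id: bug-description 10 | attributes: 11 | label: Bug Description 12 | description: Tell us what issues you ran into 13 | placeholder: Include information about what you tried, what you expected to happen, and what actually happened. The more details, the better!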
14 | validations: 15 | required: true 16 | - type: textarea 17 | id: version 18 | attributes: 19 | label: Version 20 | description: Include the output of `istioctl version`, `kubectl version --short`, and `helm version --short` (if you used Helm) 21 | placeholder: | 22 | $ istioctl version 23 | client version: 1.0.0 24 | control plane version: 1.0.0 25 | data plane version: 1.0.0 (100 proxies) 26 | $ kubectl version --short 27 | Client Version: v1.0.0 28 | Server Version: v1.0.0 29 | render: prose 30 | validations: 31 | required: true 32 | - type: textarea 33 | id: additional-info 34 | attributes: 35 | label: Additional Information 36 | description: | 37 | Please include the output of [`istioctl bug-report`](http://istio.io/help/bugs/#generating-a-cluster-state-archive). 38 | If you are unable to do so, please ensure you have collected the relevant debugging information manually and attached below; 39 | issue without enough information will not be resolvable. 40 | - type: checkboxes 41 | id: area 42 | attributes: 43 | label: Affected product area 44 | options: 45 | - label: "Docs" 46 | - label: "Installation" 47 | - label: "Networking" 48 | - label: "Performance and Scalability" 49 | - label: "Extensions and Telemetry" 50 | - label: "Security" 51 | - label: "Test and Release" 52 | - label: "User Experience" 53 | - label: "Developer Infrastructure" 54 | - label: "Upgrade" 55 | - label: "Multi Cluster" 56 | - label: "Virtual Machine" 57 | - label: "Control Plane Revisions" 58 | - type: checkboxes 59 | id: security-check 60 | attributes: 61 | label: Is this the right place to submit this? 
62 | description: |- 63 | This is used to report product bugs: 64 | To report a security vulnerability, please visit 65 | To ask questions about how to use Istio, please visit 66 | options: 67 | - label: "This is not a security vulnerability" 68 | required: true 69 | - label: "This is not a question about how to use Istio" 70 | required: true -------------------------------------------------------------------------------- /tetrateci/ci_workflow.md: -------------------------------------------------------------------------------- 1 | ## Github Workflows 2 | ### backport_commits.yml 3 | Creates a backport PR for any commit made to the `tetrate-workflow` branch, targeting every branch that matches one of these regexes: 4 | - `origin/tetrate-release-[[:digit:]]+.[[:digit:]]+$` 5 | - `origin/tetratefips-release-[[:digit:]]+.[[:digit:]]+$` 6 | 7 | The script is adapted from [here](https://github.com/repo-sync/pull-request). The catch is that the script only ports changes if they are in the `tetrateci` or `.github/workflows` folders. Merging with a commit or rebasing is not used, in order to avoid merge conflicts. 8 | 9 | ### sync_fork.yml 10 | Runs every midnight and checks if there are any new tags on `istio/istio`; if no new tags are found, the action is done. On the other hand, if there are new tags, the script loops through them, creating the corresponding `test-tetrate-x.y.z-v0` & `test-tetratefips-x.y.z-v0` tags and merging them with the `tetrate-release-x.y` & `tetratefips-release-x.y` branches. 11 | 12 | Also pushes the archives from the `istio/istio` release to the cloudsmith repo. 13 | 14 | ### e2e_tests.yml 15 | Runs if there are any tags pushed with the `test-` prefix. Utilizes `istio/release-builder` to generate docker images which are to be used for subsequent testing. The one thing to keep in mind is that the same script is used for making the releases, and we only differentiate based on whether the `TEST` environment variable is defined or not.
16 | 17 | The subsequent 4 jobs run the istio integration tests on applicable versions of eks, gke, aks and eksd, though some of them are disabled for various reasons for now. All the platforms have corresponding create and cleanup scripts. The `version_check.py` script has a matrix of istio versions vs k8s versions which determines which versions we need to get the istio release tested on. 18 | 19 | All the minor versions of istio have their own testing scripts, the reason being that there are patches which need to be applied before testing so the tests don't fail. The tests, being written for `kind`, have some default assumptions which might not be applicable for all the platforms we test on. 20 | 21 | After the tests pass, the `test-` prefix is stripped off the current tag and the tree is tagged with the remainder, cutting a release with something similar to `tetrate-x.y.z-vn`. 22 | 23 | Then the release builder is triggered again to create the release images and archives with the `tetrate-x.y.z-vn` tag, but this time without defining the `TEST` environment variable. A fips compliant build is only triggered if the tag contains `fips` in it. The only difference between the fips and non-fips builds is the `Go` we are using. The `create_istio_release.sh` script sets up the environment manually instead of using the docker image; this is due to some restrictions in Github Actions, where it becomes a bit hard to procure the logs and monitor the whole process. 24 | 25 | ### make_release.yml 26 | It is the same as the last process of `e2e_tests.yml` but with a manual trigger. Changes made to either of them must be backported to the other one, since they more or less do the same thing.
27 | -------------------------------------------------------------------------------- /tetrateci/docs/ci_workflow.md: -------------------------------------------------------------------------------- 1 | ## Github Workflows 2 | ### backport_commits.yml 3 | Creates a backport PR for any commit made to the `tetrate-workflow` branch, targeting every branch that matches one of these regexes: 4 | - `origin/tetrate-release-[[:digit:]]+.[[:digit:]]+$` 5 | - `origin/tetratefips-release-[[:digit:]]+.[[:digit:]]+$` 6 | 7 | The script is adapted from [here](https://github.com/repo-sync/pull-request). The catch is that the script only ports changes if they are in the `tetrateci` or `.github/workflows` folders. Merging with a commit or rebasing is not used, in order to avoid merge conflicts. 8 | 9 | ### sync_fork.yml 10 | Runs every midnight and checks if there are any new tags on `istio/istio`; if no new tags are found, the action is done. On the other hand, if there are new tags, the script loops through them, creating the corresponding `test-tetrate-x.y.z-v0` & `test-tetratefips-x.y.z-v0` tags and merging them with the `tetrate-release-x.y` & `tetratefips-release-x.y` branches. 11 | 12 | Also pushes the archives from the `istio/istio` release to the cloudsmith repo. 13 | 14 | ### e2e_tests.yml 15 | Runs if there are any tags pushed with the `test-` prefix. Utilizes `istio/release-builder` to generate docker images which are to be used for subsequent testing. The one thing to keep in mind is that the same script is used for making the releases, and we only differentiate based on whether the `TEST` environment variable is defined or not. 16 | 17 | The subsequent 4 jobs run the istio integration tests on applicable versions of eks, gke, aks and eksd, though some of them are disabled for various reasons for now. All the platforms have corresponding create and cleanup scripts. The `version_check.py` script has a matrix of istio versions vs k8s versions which determines which versions we need to get the istio release tested on.
18 | 19 | All the minor versions of istio have their own testing scripts, the reason being that there are patches which need to be applied before testing so the tests don't fail. The tests, being written for `kind`, have some default assumptions which might not be applicable for all the platforms we test on. 20 | 21 | After the tests pass, the `test-` prefix is stripped off the current tag and the tree is tagged with the remainder, cutting a release with something similar to `tetrate-x.y.z-vn`. 22 | 23 | Then the release builder is triggered again to create the release images and archives with the `tetrate-x.y.z-vn` tag, but this time without defining the `TEST` environment variable. A fips compliant build is only triggered if the tag contains `fips` in it. The only difference between the fips and non-fips builds is the `Go` we are using. The `create_istio_release.sh` script sets up the environment manually instead of using the docker image; this is due to some restrictions in Github Actions, where it becomes a bit hard to procure the logs and monitor the whole process. 24 | 25 | ### make_release.yml 26 | It is the same as the last process of `e2e_tests.yml` but with a manual trigger. Changes made to either of them must be backported to the other one, since they more or less do the same thing. 27 | -------------------------------------------------------------------------------- /tetrateci/test_1.11.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # 3 | # Copyright (c) Tetrate, Inc 2022 All Rights Reserved. 4 | 5 | set -e 6 | set -u 7 | set -x 8 | 9 | SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) 10 | ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd ) 11 | 12 | "${SCRIPTDIR}/version_check.py" && exit 13 | 14 | # shellcheck disable=SC1091 15 | source "${SCRIPTDIR}/setup_go.sh" 16 | 17 | COMMON_TEST_FLAGS=() 18 | 19 | echo "Applying patches...."
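# Patch the tree for the 1.11 test run, run every integration package once,
# and finish with a summary of the packages that failed (exit 1 if any did).
# Reads CLUSTER and ISTIO_MINOR_VER from the environment; `set -u` earlier in
# this script aborts the run when either is unset at the point it is used.

# Apply the same patches that were applied when building test images
"${SCRIPTDIR}/apply_e2e_build_patches.sh"

git apply "${SCRIPTDIR}/patches/common/increase-dashboard-timeout.1.11.patch"

if [[ "${CLUSTER}" == "gke" ]]; then
    echo "Generating operator config for GKE"

    # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76
    # NOTE(review): pyyaml is installed unpinned at run time; pinning a reviewed
    # version would keep the generator's dependency fixed between runs.
    python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py"

    COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" )

    echo "Applying GKE specific patches...."
    git apply "${SCRIPTDIR}/patches/gke/chiron-gke.patch"
fi

if [[ "${CLUSTER}" == "eks" ]]; then
    echo "Applying Ingress patch for EKS...."
    git apply "${SCRIPTDIR}/patches/eks/eks-ingress.1.11.patch"
fi

PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...")

echo "Starting Testing"

# Packages whose test run failed; reported after the loop.
FAILED_PACKAGES=()

for pkg in $PACKAGES; do
    echo "========================================================TESTING ${pkg} ========================================================"

    # Look up the "<package>=<tests>" rule for this package in the skip file
    # for this Istio minor version and cluster type; a missing file or rule
    # leaves both variables empty.
    SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" )
    SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" )

    # A rule value of "*" skips the whole package.
    if [[ "${SKIP_TESTS}" == "*" ]]; then
        echo "Skipping according to the rule: ${SKIP_RULE}"
        continue
    fi

    # Any other value is a whitespace-separated list of test names; each one
    # becomes its own --istio.test.skip flag.
    read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}"

    SKIP_TEST_FLAGS=()
    for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do
        SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" )
    done

    # A failing package is recorded and the loop carries on with the next one.
    go test \
        -test.v \
        -timeout 2h \
        -tags=integ \
        "${pkg}" \
        --istio.test.select=-postsubmit,-flaky \
        ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \
        --istio.test.ci \
        --istio.test.pullpolicy=IfNotPresent \
        --istio.test.retries=1 \
        ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \
        || \
        { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; }

    # Remove leftover istio directories from /tmp. -type d selects directories
    # only and rm refuses a directory without -r, so the former `rm -f` removed
    # nothing and the directories accumulated across packages.
    find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -rf -- {} \;
done

echo "Testing Done"

if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then
    echo ""
    echo "Some of the tests have failed :("
    echo ""
    echo "Packages with failed tests:"
    for pkg in "${FAILED_PACKAGES[@]}"; do
        echo "- ${pkg}"
    done
    exit 1
fi
-------------------------------------------------------------------------------- /tetrateci/test_1.13.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # 3 | # Copyright (c) Tetrate, Inc 2022 All Rights Reserved. 4 | 5 | set -e 6 | set -u 7 | set -x 8 | 9 | SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) 10 | ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd ) 11 | 12 | "${SCRIPTDIR}/version_check.py" && exit 13 | 14 | # shellcheck disable=SC1091 15 | source "${SCRIPTDIR}/setup_go.sh" 16 | 17 | COMMON_TEST_FLAGS=() 18 | 19 | echo "Applying patches...." 20 | 21 | # Apply the same patches that were applies when building test images 22 | "${SCRIPTDIR}/apply_e2e_build_patches.sh" 23 | 24 | git apply "${SCRIPTDIR}/patches/common/increase-dashboard-timeout.1.11.patch" 25 | 26 | if [[ "${CLUSTER}" == "gke" ]]; then 27 | echo "Generating operator config for GKE" 28 | 29 | # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76 30 | python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py" 31 | 32 | COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" ) 33 | 34 | echo "Applying GKE specific patches...." 35 | git apply "${SCRIPTDIR}/patches/gke/chiron-gke.patch" 36 | fi 37 | 38 | if [[ "${CLUSTER}" == "eks" ]]; then 39 | echo "Applying Ingress patch for EKS...."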
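40 | git apply "${SCRIPTDIR}/patches/eks/eks-ingress.1.11.patch" 41 | fi 42 |

# Run every integration package once and finish with a summary of the
# packages that failed (exit 1 if any did).
PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...")

echo "Starting Testing"

# Packages whose test run failed; reported after the loop.
FAILED_PACKAGES=()

for pkg in $PACKAGES; do
    echo "========================================================TESTING ${pkg} ========================================================"

    # Look up the "<package>=<tests>" rule for this package in the skip file
    # for this Istio minor version and cluster type; a missing file or rule
    # leaves both variables empty.
    SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" )
    SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" )

    # A rule value of "*" skips the whole package.
    if [[ "${SKIP_TESTS}" == "*" ]]; then
        echo "Skipping according to the rule: ${SKIP_RULE}"
        continue
    fi

    # Any other value is a whitespace-separated list of test names; each one
    # becomes its own --istio.test.skip flag.
    read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}"

    SKIP_TEST_FLAGS=()
    for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do
        SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" )
    done

    # A failing package is recorded and the loop carries on with the next one.
    go test \
        -test.v \
        -timeout 2h \
        -tags=integ \
        "${pkg}" \
        --istio.test.select=-postsubmit,-flaky \
        ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \
        --istio.test.ci \
        --istio.test.pullpolicy=IfNotPresent \
        --istio.test.retries=1 \
        ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \
        || \
        { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; }

    # Remove leftover istio directories from /tmp. -type d selects directories
    # only and rm refuses a directory without -r, so the former `rm -f` removed
    # nothing and the directories accumulated across packages.
    find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -rf -- {} \;
done

echo "Testing Done"

if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then
    echo ""
    echo "Some of the tests have failed :("
    echo ""
    echo "Packages with failed tests:"
    for pkg in "${FAILED_PACKAGES[@]}"; do
        echo "- ${pkg}"
    done
    exit 1
fi
-------------------------------------------------------------------------------- /tetrateci/test_1.16.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # 3 | # Copyright (c) Tetrate, Inc 2022 All Rights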
Reserved. 4 | 5 | set -e 6 | set -u 7 | set -x 8 | 9 | SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) 10 | ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd ) 11 | 12 | "${SCRIPTDIR}/version_check.py" && exit 13 | 14 | # shellcheck disable=SC1091 15 | source "${SCRIPTDIR}/setup_go.sh" 16 | 17 | COMMON_TEST_FLAGS=() 18 | 19 | echo "Applying patches...." 20 | 21 | # Apply the same patches that were applies when building test images 22 | "${SCRIPTDIR}/apply_e2e_build_patches.sh" 23 | 24 | 25 | if [[ "${CLUSTER}" == "gke" ]]; then 26 | echo "Generating operator config for GKE" 27 | 28 | # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76 29 | python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py" 30 | 31 | COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" ) 32 | 33 | fi 34 | 35 | if [[ "${CLUSTER}" == "eks" ]]; then 36 | echo "Applying patch for EKS...." 37 | git apply --3way "${SCRIPTDIR}/patches/eks/eks.${ISTIO_MINOR_VER}.patch" 38 | fi 39 | 40 | 41 | PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...") 42 | 43 | echo "Starting Testing" 44 | 45 | FAILED_PACKAGES=() 46 | 47 | for pkg in $PACKAGES; do 48 | echo "========================================================TESTING ${pkg} ========================================================" 49 | 50 | SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" ) 51 | SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" ) 52 | 53 | if [[ "${SKIP_TESTS}" == "*" ]]; then 54 | echo "Skipping according to the rule: ${SKIP_RULE}" 55 | continue 56 | fi 57 | 58 | read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}" 59 | 60 | SKIP_TEST_FLAGS=() 61 | for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do 62 | SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" ) 63 | done 64 | 65 | go test \ 66 | -test.v \ 67 | -timeout 2h \ 68 | -tags=integ \ 69 | "${pkg}" \ 70 | 
--istio.test.select=-postsubmit,-flaky \ 71 | ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ 72 | --istio.test.ci \ 73 | --istio.test.hub=${HUB} \ 74 | --istio.test.tag=${TAG}-distroless \ 75 | --istio.test.pullpolicy=IfNotPresent \ 76 | --istio.test.retries=1 \ 77 | ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ 78 | && \ 79 | go test \ 80 | -test.v \ 81 | -timeout 2h \ 82 | -tags=integ \ 83 | "${pkg}" \ 84 | --istio.test.select=-postsubmit,-flaky \ 85 | ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ 86 | --istio.test.ci \ 87 | --istio.test.pullpolicy=IfNotPresent \ 88 | --istio.test.retries=1 \ 89 | ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ 90 | || \ 91 | { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; } 92 | 93 | find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -f -- {} \; 94 | done 95 | 96 | echo "Testing Done" 97 | 98 | if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then 99 | echo "" 100 | echo "Some of the tests have failed :(" 101 | echo "" 102 | echo "Packages with failed tests:" 103 | for pkg in "${FAILED_PACKAGES[@]}"; do 104 | echo "- ${pkg}" 105 | done 106 | exit 1 107 | fi 108 | -------------------------------------------------------------------------------- /tetrateci/test_1.18.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # 3 | # Copyright (c) Tetrate, Inc 2022 All Rights Reserved. 4 | 5 | set -e 6 | set -u 7 | set -x 8 | 9 | SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) 10 | ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd ) 11 | 12 | "${SCRIPTDIR}/version_check.py" && exit 13 | 14 | # shellcheck disable=SC1091 15 | source "${SCRIPTDIR}/setup_go.sh" 16 | 17 | COMMON_TEST_FLAGS=() 18 | 19 | echo "Applying patches...." 
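# Remainder of test_1.18.sh: apply the build-time patches, then run every
# integration test package and report the packages that failed.
# CLUSTER, ISTIO_MINOR_VER, HUB and TAG come from the environment; under
# `set -u` an unset one aborts the script at its first use.

# Apply the same patches that were applied when building test images
"${SCRIPTDIR}/apply_e2e_build_patches.sh"

if [[ "${CLUSTER}" == "gke" ]]; then
  echo "Generating operator config for GKE"

  # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76
  # NOTE(review): pyyaml is installed unpinned at run time; pinning the version
  # would keep the run reproducible and narrow the supply-chain exposure.
  python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py"

  COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" )
fi

if [[ "${CLUSTER}" == "eks" ]]; then
  echo "Applying patch for EKS...."
  git apply --3way "${SCRIPTDIR}/patches/eks/eks.${ISTIO_MINOR_VER}.patch"
fi

PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...")

echo "Starting Testing"

FAILED_PACKAGES=()

# Word splitting of $PACKAGES is intended: go list prints one package per line.
for pkg in $PACKAGES; do
  echo "========================================================TESTING ${pkg} ========================================================"

  # A skip rule is a "<package>=<tests>" line in skip.d/<cluster>. A missing
  # file or a package without a rule yields an empty rule (nothing skipped);
  # the error is discarded, so a mistyped CLUSTER silently disables all skips.
  SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" )
  # The prefix is quoted so the package path is stripped literally, not as a glob.
  SKIP_TESTS="${SKIP_RULE#"${pkg}="}"

  # "<package>=*" skips the whole package.
  if [[ "${SKIP_TESTS}" == "*" ]]; then
    echo "Skipping according to the rule: ${SKIP_RULE}"
    continue
  fi

  read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}"

  # The ${arr[@]+"${arr[@]}"} form expands an empty array to nothing without
  # tripping `set -u`.
  SKIP_TEST_FLAGS=()
  for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do
    SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" )
  done

  # First run uses the ${HUB} images tagged ${TAG}-distroless; the second run
  # passes no hub/tag and only starts when the first one passed. A failure of
  # either run records the package. HUB and TAG are quoted so a value with
  # whitespace or glob characters stays a single argument.
  go test \
    -test.v \
    -timeout 2h \
    -tags=integ \
    "${pkg}" \
    --istio.test.select=-postsubmit,-flaky \
    ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \
    --istio.test.ci \
    --istio.test.skipVM=true \
    --istio.test.hub="${HUB}" \
    --istio.test.tag="${TAG}-distroless" \
    --istio.test.pullpolicy=IfNotPresent \
    --istio.test.retries=1 \
    ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \
  && \
  go test \
    -test.v \
    -timeout 2h \
    -tags=integ \
    "${pkg}" \
    --istio.test.select=-postsubmit,-flaky \
    ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \
    --istio.test.ci \
    --istio.test.skipVM=true \
    --istio.test.pullpolicy=IfNotPresent \
    --istio.test.retries=1 \
    ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \
  || \
  { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; }

  # Remove the directories directly under /tmp whose name contains "istio".
  # `-type d` selects directories only, and `rm -f` refuses directories, so
  # without -r this cleanup removed nothing. It runs as root: find does not
  # follow symlinks here and `-type d` does not match them, but the name match
  # is broad, so this belongs on a dedicated CI runner.
  find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -rf -- {} \;
done

echo "Testing Done"

# Exit non-zero when at least one package failed, after listing them.
if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then
  echo ""
  echo "Some of the tests have failed :("
  echo ""
  echo "Packages with failed tests:"
  for pkg in "${FAILED_PACKAGES[@]}"; do
    echo "- ${pkg}"
  done
  exit 1
fi
--------------------------------------------------------------------------------
/tetrateci/test_1.14.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# Copyright (c) Tetrate, Inc 2022 All Rights Reserved.

# Abort on the first failing command and on any unset variable.
set -e
set -u
# Trace every expanded command line into the log; variables used on a command
# line in this script should therefore not carry secrets.
set -x

SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd )

# Stop here, with exit status 0, when version_check.py succeeds.
"${SCRIPTDIR}/version_check.py" && exit

# shellcheck disable=SC1091
source "${SCRIPTDIR}/setup_go.sh"

# Extra flags appended to every `go test` invocation below.
COMMON_TEST_FLAGS=()

echo "Applying patches...."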
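# Remainder of test_1.14.sh: apply the build-time patches, then run every
# integration test package and report the packages that failed.
# CLUSTER, ISTIO_MINOR_VER, HUB and TAG come from the environment; under
# `set -u` an unset one aborts the script at its first use.

# Apply the same patches that were applied when building test images
"${SCRIPTDIR}/apply_e2e_build_patches.sh"

git apply "${SCRIPTDIR}/patches/common/increase-dashboard-timeout.1.11.patch"

if [[ "${CLUSTER}" == "gke" ]]; then
  echo "Generating operator config for GKE"

  # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76
  # NOTE(review): pyyaml is installed unpinned at run time; pinning the version
  # would keep the run reproducible and narrow the supply-chain exposure.
  python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py"

  COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" )
fi

if [[ "${CLUSTER}" == "eks" ]]; then
  echo "Applying Ingress patch for EKS...."
  git apply "${SCRIPTDIR}/patches/eks/eks-ingress.1.13.patch"
fi

PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...")

echo "Starting Testing"

FAILED_PACKAGES=()

# Word splitting of $PACKAGES is intended: go list prints one package per line.
for pkg in $PACKAGES; do
  echo "========================================================TESTING ${pkg} ========================================================"

  # A skip rule is a "<package>=<tests>" line in skip.d/<cluster>. A missing
  # file or a package without a rule yields an empty rule (nothing skipped);
  # the error is discarded, so a mistyped CLUSTER silently disables all skips.
  SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" )
  # The prefix is quoted so the package path is stripped literally, not as a glob.
  SKIP_TESTS="${SKIP_RULE#"${pkg}="}"

  # "<package>=*" skips the whole package.
  if [[ "${SKIP_TESTS}" == "*" ]]; then
    echo "Skipping according to the rule: ${SKIP_RULE}"
    continue
  fi

  read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}"

  # The ${arr[@]+"${arr[@]}"} form expands an empty array to nothing without
  # tripping `set -u`.
  SKIP_TEST_FLAGS=()
  for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do
    SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" )
  done

  # First run uses the ${HUB} images tagged ${TAG}-distroless; the second run
  # passes no hub/tag and only starts when the first one passed. A failure of
  # either run records the package. HUB and TAG are quoted so a value with
  # whitespace or glob characters stays a single argument.
  go test \
    -test.v \
    -timeout 2h \
    -tags=integ \
    "${pkg}" \
    --istio.test.select=-postsubmit,-flaky \
    ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \
    --istio.test.ci \
    --istio.test.hub="${HUB}" \
    --istio.test.tag="${TAG}-distroless" \
    --istio.test.pullpolicy=IfNotPresent \
    --istio.test.retries=1 \
    ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \
  && \
  go test \
    -test.v \
    -timeout 2h \
    -tags=integ \
    "${pkg}" \
    --istio.test.select=-postsubmit,-flaky \
    ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \
    --istio.test.ci \
    --istio.test.pullpolicy=IfNotPresent \
    --istio.test.retries=1 \
    ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \
  || \
  { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; }

  # Remove the directories directly under /tmp whose name contains "istio".
  # `-type d` selects directories only, and `rm -f` refuses directories, so
  # without -r this cleanup removed nothing. It runs as root: find does not
  # follow symlinks here and `-type d` does not match them, but the name match
  # is broad, so this belongs on a dedicated CI runner.
  find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -rf -- {} \;
done

echo "Testing Done"

# Exit non-zero when at least one package failed, after listing them.
if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then
  echo ""
  echo "Some of the tests have failed :("
  echo ""
  echo "Packages with failed tests:"
  for pkg in "${FAILED_PACKAGES[@]}"; do
    echo "- ${pkg}"
  done
  exit 1
fi

--------------------------------------------------------------------------------
/tetrateci/test_1.17.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# Copyright (c) Tetrate, Inc 2022 All Rights Reserved.

# Abort on the first failing command and on any unset variable.
set -e
set -u
# Trace every expanded command line into the log; variables used on a command
# line in this script should therefore not carry secrets.
set -x

SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd )

# Stop here, with exit status 0, when version_check.py succeeds.
"${SCRIPTDIR}/version_check.py" && exit

# shellcheck disable=SC1091
source "${SCRIPTDIR}/setup_go.sh"

# Extra flags appended to every `go test` invocation below.
COMMON_TEST_FLAGS=()

echo "Applying patches...."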
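# Remainder of test_1.17.sh: apply the build-time patches, then run every
# integration test package and report the packages that failed.
# CLUSTER, ISTIO_MINOR_VER, HUB and TAG come from the environment; under
# `set -u` an unset one aborts the script at its first use.

# Apply the same patches that were applied when building test images
"${SCRIPTDIR}/apply_e2e_build_patches.sh"

if [[ "${CLUSTER}" == "gke" ]]; then
  echo "Generating operator config for GKE"

  # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76
  # NOTE(review): pyyaml is installed unpinned at run time; pinning the version
  # would keep the run reproducible and narrow the supply-chain exposure.
  python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py"

  COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" )
fi

if [[ "${CLUSTER}" == "eks" ]]; then
  echo "Applying patch for EKS...."
  git apply --3way "${SCRIPTDIR}/patches/eks/eks.${ISTIO_MINOR_VER}.patch"
fi

PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...")

echo "Starting Testing"

FAILED_PACKAGES=()

# Word splitting of $PACKAGES is intended: go list prints one package per line.
for pkg in $PACKAGES; do
  echo "========================================================TESTING ${pkg} ========================================================"

  # A skip rule is a "<package>=<tests>" line in skip.d/<cluster>. A missing
  # file or a package without a rule yields an empty rule (nothing skipped);
  # the error is discarded, so a mistyped CLUSTER silently disables all skips.
  SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" )
  # The prefix is quoted so the package path is stripped literally, not as a glob.
  SKIP_TESTS="${SKIP_RULE#"${pkg}="}"

  # "<package>=*" skips the whole package.
  if [[ "${SKIP_TESTS}" == "*" ]]; then
    echo "Skipping according to the rule: ${SKIP_RULE}"
    continue
  fi

  read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}"

  # The ${arr[@]+"${arr[@]}"} form expands an empty array to nothing without
  # tripping `set -u`.
  SKIP_TEST_FLAGS=()
  for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do
    SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" )
  done

  # First run uses the ${HUB} images tagged ${TAG}-distroless; the second run
  # passes no hub/tag and only starts when the first one passed. A failure of
  # either run records the package. HUB and TAG are quoted so a value with
  # whitespace or glob characters stays a single argument.
  go test \
    -test.v \
    -timeout 2h \
    -tags=integ \
    "${pkg}" \
    --istio.test.select=-postsubmit,-flaky \
    ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \
    --istio.test.ci \
    --istio.test.skipVM=true \
    --istio.test.hub="${HUB}" \
    --istio.test.tag="${TAG}-distroless" \
    --istio.test.pullpolicy=IfNotPresent \
    --istio.test.retries=1 \
    ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \
  && \
  go test \
    -test.v \
    -timeout 2h \
    -tags=integ \
    "${pkg}" \
    --istio.test.select=-postsubmit,-flaky \
    ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \
    --istio.test.ci \
    --istio.test.skipVM=true \
    --istio.test.pullpolicy=IfNotPresent \
    --istio.test.retries=1 \
    ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \
  || \
  { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; }

  # Remove the directories directly under /tmp whose name contains "istio".
  # `-type d` selects directories only, and `rm -f` refuses directories, so
  # without -r this cleanup removed nothing. It runs as root: find does not
  # follow symlinks here and `-type d` does not match them, but the name match
  # is broad, so this belongs on a dedicated CI runner.
  find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -rf -- {} \;
done

echo "Testing Done"

# Exit non-zero when at least one package failed, after listing them.
if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then
  echo ""
  echo "Some of the tests have failed :("
  echo ""
  echo "Packages with failed tests:"
  for pkg in "${FAILED_PACKAGES[@]}"; do
    echo "- ${pkg}"
  done
  exit 1
fi

--------------------------------------------------------------------------------
/tetrateci/test_1.15.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# Copyright (c) Tetrate, Inc 2022 All Rights Reserved.

# Abort on the first failing command and on any unset variable.
set -e
set -u
# Trace every expanded command line into the log; variables used on a command
# line in this script should therefore not carry secrets.
set -x

SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd )

# Stop here, with exit status 0, when version_check.py succeeds.
"${SCRIPTDIR}/version_check.py" && exit

# shellcheck disable=SC1091
source "${SCRIPTDIR}/setup_go.sh"

# Extra flags appended to every `go test` invocation below.
COMMON_TEST_FLAGS=()

echo "Applying patches...."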
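# Remainder of test_1.15.sh: apply the build-time patches, then run every
# integration test package and report the packages that failed.
# CLUSTER, ISTIO_MINOR_VER, HUB and TAG come from the environment; under
# `set -u` an unset one aborts the script at its first use.

# Apply the same patches that were applied when building test images
"${SCRIPTDIR}/apply_e2e_build_patches.sh"

git apply "${SCRIPTDIR}/patches/common/increase-dashboard-timeout.1.11.patch"

if [[ "${CLUSTER}" == "gke" ]]; then
  echo "Generating operator config for GKE"

  # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76
  # NOTE(review): pyyaml is installed unpinned at run time; pinning the version
  # would keep the run reproducible and narrow the supply-chain exposure.
  python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py"

  COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" )
fi

if [[ "${CLUSTER}" == "eks" ]]; then
  echo "Applying patch for EKS...."
  git apply --3way "${SCRIPTDIR}/patches/eks/eks.${ISTIO_MINOR_VER}.patch"
fi

PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...")

echo "Starting Testing"

FAILED_PACKAGES=()

# Word splitting of $PACKAGES is intended: go list prints one package per line.
for pkg in $PACKAGES; do
  echo "========================================================TESTING ${pkg} ========================================================"

  # A skip rule is a "<package>=<tests>" line in skip.d/<cluster>. A missing
  # file or a package without a rule yields an empty rule (nothing skipped);
  # the error is discarded, so a mistyped CLUSTER silently disables all skips.
  SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" )
  # The prefix is quoted so the package path is stripped literally, not as a glob.
  SKIP_TESTS="${SKIP_RULE#"${pkg}="}"

  # "<package>=*" skips the whole package.
  if [[ "${SKIP_TESTS}" == "*" ]]; then
    echo "Skipping according to the rule: ${SKIP_RULE}"
    continue
  fi

  read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}"

  # The ${arr[@]+"${arr[@]}"} form expands an empty array to nothing without
  # tripping `set -u`.
  SKIP_TEST_FLAGS=()
  for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do
    SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" )
  done

  # First run uses the ${HUB} images tagged ${TAG}-distroless; the second run
  # passes no hub/tag and only starts when the first one passed. A failure of
  # either run records the package. HUB and TAG are quoted so a value with
  # whitespace or glob characters stays a single argument.
  go test \
    -test.v \
    -timeout 2h \
    -tags=integ \
    "${pkg}" \
    --istio.test.select=-postsubmit,-flaky \
    ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \
    --istio.test.ci \
    --istio.test.hub="${HUB}" \
    --istio.test.tag="${TAG}-distroless" \
    --istio.test.pullpolicy=IfNotPresent \
    --istio.test.retries=1 \
    ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \
  && \
  go test \
    -test.v \
    -timeout 2h \
    -tags=integ \
    "${pkg}" \
    --istio.test.select=-postsubmit,-flaky \
    ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \
    --istio.test.ci \
    --istio.test.pullpolicy=IfNotPresent \
    --istio.test.retries=1 \
    ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \
  || \
  { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; }

  # Remove the directories directly under /tmp whose name contains "istio".
  # `-type d` selects directories only, and `rm -f` refuses directories, so
  # without -r this cleanup removed nothing. It runs as root: find does not
  # follow symlinks here and `-type d` does not match them, but the name match
  # is broad, so this belongs on a dedicated CI runner.
  find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -rf -- {} \;
done

echo "Testing Done"

# Exit non-zero when at least one package failed, after listing them.
if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then
  echo ""
  echo "Some of the tests have failed :("
  echo ""
  echo "Packages with failed tests:"
  for pkg in "${FAILED_PACKAGES[@]}"; do
    echo "- ${pkg}"
  done
  exit 1
fi

--------------------------------------------------------------------------------
/tetrateci/test_1.18_arm.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# Copyright (c) Tetrate, Inc 2022 All Rights Reserved.

# Abort on the first failing command and on any unset variable.
set -e
set -u
# Trace every expanded command line into the log; variables used on a command
# line in this script should therefore not carry secrets.
set -x

SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd )

# Stop here, with exit status 0, when version_check.py succeeds.
"${SCRIPTDIR}/version_check.py" && exit

# shellcheck disable=SC1091
source "${SCRIPTDIR}/setup_go.sh"

# Extra flags appended to every `go test` invocation below.
COMMON_TEST_FLAGS=()

echo "Applying patches...."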
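# Remainder of test_1.18_arm.sh: apply the build-time patches, then run every
# integration test package and report the packages that failed.
# CLUSTER, ISTIO_MINOR_VER, HUB and TAG come from the environment; under
# `set -u` an unset one aborts the script at its first use.

# Apply the same patches that were applied when building test images
"${SCRIPTDIR}/apply_e2e_build_patches.sh"

#git apply "${SCRIPTDIR}/patches/common/increase-dashboard-timeout.1.11.patch"

if [[ "${CLUSTER}" == "gke" ]]; then
  echo "Generating operator config for GKE"

  # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76
  # NOTE(review): pyyaml is installed unpinned at run time; pinning the version
  # would keep the run reproducible and narrow the supply-chain exposure.
  python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py"

  COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" )
fi

if [[ "${CLUSTER}" == "eks" ]]; then
  echo "Applying patch for EKS...."
  git apply --3way "${SCRIPTDIR}/patches/eks/eks.${ISTIO_MINOR_VER}.patch"
fi

#go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG}-distroless --istio.test.pullpolicy=IfNotPresent --istio.test.retries=1 && go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG} --istio.test.pullpolicy=IfNotPresent

PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...")

echo "Starting Testing"

FAILED_PACKAGES=()

# Word splitting of $PACKAGES is intended: go list prints one package per line.
for pkg in $PACKAGES; do
  echo "========================================================TESTING ${pkg} ========================================================"

  # A skip rule is a "<package>=<tests>" line in skip.d/<cluster>. A missing
  # file or a package without a rule yields an empty rule (nothing skipped);
  # the error is discarded, so a mistyped CLUSTER silently disables all skips.
  SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" )
  # The prefix is quoted so the package path is stripped literally, not as a glob.
  SKIP_TESTS="${SKIP_RULE#"${pkg}="}"

  # "<package>=*" skips the whole package.
  if [[ "${SKIP_TESTS}" == "*" ]]; then
    echo "Skipping according to the rule: ${SKIP_RULE}"
    continue
  fi

  read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}"

  # The ${arr[@]+"${arr[@]}"} form expands an empty array to nothing without
  # tripping `set -u`.
  SKIP_TEST_FLAGS=()
  for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do
    SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" )
  done

  # First run uses the ${HUB} images tagged ${TAG}-distroless; the second run
  # passes no hub/tag and only starts when the first one passed. A failure of
  # either run records the package. HUB and TAG are quoted so a value with
  # whitespace or glob characters stays a single argument.
  go test \
    -test.v \
    -timeout 2h \
    -tags=integ \
    "${pkg}" \
    --istio.test.select=-postsubmit,-flaky \
    ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \
    --istio.test.ci \
    --istio.test.skipVM=true \
    --istio.test.hub="${HUB}" \
    --istio.test.tag="${TAG}-distroless" \
    --istio.test.pullpolicy=IfNotPresent \
    --istio.test.retries=1 \
    ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \
  && \
  go test \
    -test.v \
    -timeout 2h \
    -tags=integ \
    "${pkg}" \
    --istio.test.select=-postsubmit,-flaky \
    ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \
    --istio.test.ci \
    --istio.test.skipVM=true \
    --istio.test.pullpolicy=IfNotPresent \
    --istio.test.retries=1 \
    ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \
  || \
  { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; }

  # Remove the directories directly under /tmp whose name contains "istio".
  # `-type d` selects directories only, and `rm -f` refuses directories, so
  # without -r this cleanup removed nothing. It runs as root: find does not
  # follow symlinks here and `-type d` does not match them, but the name match
  # is broad, so this belongs on a dedicated CI runner.
  find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -rf -- {} \;
done

echo "Testing Done"

# Exit non-zero when at least one package failed, after listing them.
if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then
  echo ""
  echo "Some of the tests have failed :("
  echo ""
  echo "Packages with failed tests:"
  for pkg in "${FAILED_PACKAGES[@]}"; do
    echo "- ${pkg}"
  done
  exit 1
fi
--------------------------------------------------------------------------------
/tetrateci/test_1.15_arm.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# Copyright (c) Tetrate, Inc 2022 All Rights Reserved.

# Runs every integration test package and reports the packages that failed.
# CLUSTER, ISTIO_MINOR_VER, HUB and TAG come from the environment; under
# `set -u` an unset one aborts the script at its first use.

# Abort on the first failing command and on any unset variable.
set -e
set -u
# Trace every expanded command line into the log; variables used on a command
# line in this script should therefore not carry secrets.
set -x

SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd )

# Stop here, with exit status 0, when version_check.py succeeds.
"${SCRIPTDIR}/version_check.py" && exit

# shellcheck disable=SC1091
source "${SCRIPTDIR}/setup_go.sh"

# Extra flags appended to every `go test` invocation below.
COMMON_TEST_FLAGS=()

echo "Applying patches...."

# Apply the same patches that were applied when building test images
"${SCRIPTDIR}/apply_e2e_build_patches.sh"

git apply "${SCRIPTDIR}/patches/common/increase-dashboard-timeout.1.11.patch"

if [[ "${CLUSTER}" == "gke" ]]; then
  echo "Generating operator config for GKE"

  # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76
  # NOTE(review): pyyaml is installed unpinned at run time; pinning the version
  # would keep the run reproducible and narrow the supply-chain exposure.
  python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py"

  COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" )
fi

if [[ "${CLUSTER}" == "eks" ]]; then
  echo "Applying patch for EKS...."
  git apply --3way "${SCRIPTDIR}/patches/eks/eks.${ISTIO_MINOR_VER}.patch"
fi

#go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG}-distroless --istio.test.pullpolicy=IfNotPresent --istio.test.retries=1 && go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG} --istio.test.pullpolicy=IfNotPresent

PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...")

echo "Starting Testing"

FAILED_PACKAGES=()

# Word splitting of $PACKAGES is intended: go list prints one package per line.
for pkg in $PACKAGES; do
  echo "========================================================TESTING ${pkg} ========================================================"

  # A skip rule is a "<package>=<tests>" line in skip.d/<cluster>. A missing
  # file or a package without a rule yields an empty rule (nothing skipped);
  # the error is discarded, so a mistyped CLUSTER silently disables all skips.
  SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" )
  # The prefix is quoted so the package path is stripped literally, not as a glob.
  SKIP_TESTS="${SKIP_RULE#"${pkg}="}"

  # "<package>=*" skips the whole package.
  if [[ "${SKIP_TESTS}" == "*" ]]; then
    echo "Skipping according to the rule: ${SKIP_RULE}"
    continue
  fi

  read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}"

  # The ${arr[@]+"${arr[@]}"} form expands an empty array to nothing without
  # tripping `set -u`.
  SKIP_TEST_FLAGS=()
  for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do
    SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" )
  done

  # First run uses the ${HUB} images tagged ${TAG}-distroless; the second run
  # passes no hub/tag and only starts when the first one passed. A failure of
  # either run records the package. HUB and TAG are quoted so a value with
  # whitespace or glob characters stays a single argument.
  go test \
    -test.v \
    -timeout 2h \
    -tags=integ \
    "${pkg}" \
    --istio.test.select=-postsubmit,-flaky \
    ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \
    --istio.test.ci \
    --istio.test.skipVM=true \
    --istio.test.hub="${HUB}" \
    --istio.test.tag="${TAG}-distroless" \
    --istio.test.pullpolicy=IfNotPresent \
    --istio.test.retries=1 \
    ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \
  && \
  go test \
    -test.v \
    -timeout 2h \
    -tags=integ \
    "${pkg}" \
    --istio.test.select=-postsubmit,-flaky \
    ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \
    --istio.test.ci \
    --istio.test.skipVM=true \
    --istio.test.pullpolicy=IfNotPresent \
    --istio.test.retries=1 \
    ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \
  || \
  { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; }

  # Remove the directories directly under /tmp whose name contains "istio".
  # `-type d` selects directories only, and `rm -f` refuses directories, so
  # without -r this cleanup removed nothing. It runs as root: find does not
  # follow symlinks here and `-type d` does not match them, but the name match
  # is broad, so this belongs on a dedicated CI runner.
  find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -rf -- {} \;
done

echo "Testing Done"

# Exit non-zero when at least one package failed, after listing them.
if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then
  echo ""
  echo "Some of the tests have failed :("
  echo ""
  echo "Packages with failed tests:"
  for pkg in "${FAILED_PACKAGES[@]}"; do
    echo "- ${pkg}"
  done
  exit 1
fi

--------------------------------------------------------------------------------
/tetrateci/test_1.16_arm.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# Copyright (c) Tetrate, Inc 2022 All Rights Reserved.

# Runs every integration test package and reports the packages that failed.
# CLUSTER, ISTIO_MINOR_VER, HUB and TAG come from the environment; under
# `set -u` an unset one aborts the script at its first use.

# Abort on the first failing command and on any unset variable.
set -e
set -u
# Trace every expanded command line into the log; variables used on a command
# line in this script should therefore not carry secrets.
set -x

SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd )

# Stop here, with exit status 0, when version_check.py succeeds.
"${SCRIPTDIR}/version_check.py" && exit

# shellcheck disable=SC1091
source "${SCRIPTDIR}/setup_go.sh"

# Extra flags appended to every `go test` invocation below.
COMMON_TEST_FLAGS=()

echo "Applying patches...."

# Apply the same patches that were applied when building test images
"${SCRIPTDIR}/apply_e2e_build_patches.sh"

#git apply "${SCRIPTDIR}/patches/common/increase-dashboard-timeout.1.11.patch"

if [[ "${CLUSTER}" == "gke" ]]; then
  echo "Generating operator config for GKE"

  # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76
  # NOTE(review): pyyaml is installed unpinned at run time; pinning the version
  # would keep the run reproducible and narrow the supply-chain exposure.
  python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py"

  COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" )
fi

if [[ "${CLUSTER}" == "eks" ]]; then
  echo "Applying patch for EKS...."
  git apply --3way "${SCRIPTDIR}/patches/eks/eks.${ISTIO_MINOR_VER}.patch"
fi

#go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG}-distroless --istio.test.pullpolicy=IfNotPresent --istio.test.retries=1 && go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG} --istio.test.pullpolicy=IfNotPresent

PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...")

echo "Starting Testing"

FAILED_PACKAGES=()

# Word splitting of $PACKAGES is intended: go list prints one package per line.
for pkg in $PACKAGES; do
  echo "========================================================TESTING ${pkg} ========================================================"

  # A skip rule is a "<package>=<tests>" line in skip.d/<cluster>. A missing
  # file or a package without a rule yields an empty rule (nothing skipped);
  # the error is discarded, so a mistyped CLUSTER silently disables all skips.
  SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" )
  # The prefix is quoted so the package path is stripped literally, not as a glob.
  SKIP_TESTS="${SKIP_RULE#"${pkg}="}"

  # "<package>=*" skips the whole package.
  if [[ "${SKIP_TESTS}" == "*" ]]; then
    echo "Skipping according to the rule: ${SKIP_RULE}"
    continue
  fi

  read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}"

  # The ${arr[@]+"${arr[@]}"} form expands an empty array to nothing without
  # tripping `set -u`.
  SKIP_TEST_FLAGS=()
  for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do
    SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" )
  done

  # First run uses the ${HUB} images tagged ${TAG}-distroless; the second run
  # passes no hub/tag and only starts when the first one passed. A failure of
  # either run records the package. HUB and TAG are quoted so a value with
  # whitespace or glob characters stays a single argument.
  go test \
    -test.v \
    -timeout 2h \
    -tags=integ \
    "${pkg}" \
    --istio.test.select=-postsubmit,-flaky \
    ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \
    --istio.test.ci \
    --istio.test.skipVM=true \
    --istio.test.hub="${HUB}" \
    --istio.test.tag="${TAG}-distroless" \
    --istio.test.pullpolicy=IfNotPresent \
    --istio.test.retries=1 \
    ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \
  && \
  go test \
    -test.v \
    -timeout 2h \
    -tags=integ \
    "${pkg}" \
    --istio.test.select=-postsubmit,-flaky \
    ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \
    --istio.test.ci \
    --istio.test.skipVM=true \
    --istio.test.pullpolicy=IfNotPresent \
    --istio.test.retries=1 \
    ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \
  || \
  { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; }

  # Remove the directories directly under /tmp whose name contains "istio".
  # `-type d` selects directories only, and `rm -f` refuses directories, so
  # without -r this cleanup removed nothing. It runs as root: find does not
  # follow symlinks here and `-type d` does not match them, but the name match
  # is broad, so this belongs on a dedicated CI runner.
  find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -rf -- {} \;
done

echo "Testing Done"

# Exit non-zero when at least one package failed, after listing them.
if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then
  echo ""
  echo "Some of the tests have failed :("
  echo ""
  echo "Packages with failed tests:"
  for pkg in "${FAILED_PACKAGES[@]}"; do
    echo "- ${pkg}"
  done
  exit 1
fi

--------------------------------------------------------------------------------
/tetrateci/test_1.17_arm.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# Copyright (c) Tetrate, Inc 2022 All Rights Reserved.

# Abort on the first failing command and on any unset variable.
set -e
set -u
# Trace every expanded command line into the log; variables used on a command
# line in this script should therefore not carry secrets.
set -x

SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd )

# Stop here, with exit status 0, when version_check.py succeeds.
"${SCRIPTDIR}/version_check.py" && exit

# shellcheck disable=SC1091
source "${SCRIPTDIR}/setup_go.sh"

# Extra flags appended to every `go test` invocation below.
COMMON_TEST_FLAGS=()

echo "Applying patches...."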
20 | 21 | # Apply the same patches that were applies when building test images 22 | "${SCRIPTDIR}/apply_e2e_build_patches.sh" 23 | 24 | #git apply "${SCRIPTDIR}/patches/common/increase-dashboard-timeout.1.11.patch" 25 | 26 | if [[ "${CLUSTER}" == "gke" ]]; then 27 | echo "Generating operator config for GKE" 28 | 29 | # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76 30 | python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py" 31 | 32 | COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" ) 33 | 34 | fi 35 | 36 | if [[ "${CLUSTER}" == "eks" ]]; then 37 | echo "Applying patch for EKS...." 38 | git apply --3way "${SCRIPTDIR}/patches/eks/eks.${ISTIO_MINOR_VER}.patch" 39 | fi 40 | 41 | #go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG}-distroless --istio.test.pullpolicy=IfNotPresent --istio.test.retries=1 && go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG} --istio.test.pullpolicy=IfNotPresent 42 | 43 | PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...") 44 | 45 | echo "Starting Testing" 46 | 47 | FAILED_PACKAGES=() 48 | 49 | for pkg in $PACKAGES; do 50 | echo "========================================================TESTING ${pkg} ========================================================" 51 | 52 | SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" ) 53 | SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" ) 54 | 55 | if [[ "${SKIP_TESTS}" == "*" ]]; then 56 | echo "Skipping according to the rule: ${SKIP_RULE}" 57 | continue 58 | fi 59 | 60 | read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}" 61 | 62 | SKIP_TEST_FLAGS=() 63 | for test in 
${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do 64 | SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" ) 65 | done 66 | 67 | go test \ 68 | -test.v \ 69 | -timeout 2h \ 70 | -tags=integ \ 71 | "${pkg}" \ 72 | --istio.test.select=-postsubmit,-flaky \ 73 | ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ 74 | --istio.test.ci \ 75 | --istio.test.skipVM=true \ 76 | --istio.test.hub=${HUB} \ 77 | --istio.test.tag=${TAG}-distroless \ 78 | --istio.test.pullpolicy=IfNotPresent \ 79 | --istio.test.retries=1 \ 80 | ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ 81 | && \ 82 | go test \ 83 | -test.v \ 84 | -timeout 2h \ 85 | -tags=integ \ 86 | "${pkg}" \ 87 | --istio.test.select=-postsubmit,-flaky \ 88 | ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ 89 | --istio.test.ci \ 90 | --istio.test.skipVM=true \ 91 | --istio.test.pullpolicy=IfNotPresent \ 92 | --istio.test.retries=1 \ 93 | ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ 94 | || \ 95 | { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; } 96 | 97 | find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -f -- {} \; 98 | done 99 | 100 | echo "Testing Done" 101 | 102 | if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then 103 | echo "" 104 | echo "Some of the tests have failed :(" 105 | echo "" 106 | echo "Packages with failed tests:" 107 | for pkg in "${FAILED_PACKAGES[@]}"; do 108 | echo "- ${pkg}" 109 | done 110 | exit 1 111 | fi 112 | -------------------------------------------------------------------------------- /tetrateci/eks-d.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: kops.k8s.io/v1alpha2 2 | kind: Cluster 3 | metadata: 4 | name: {{ .clusterName }} 5 | spec: 6 | api: 7 | loadBalancer: 8 | class: Classic 9 | type: Public 10 | authorization: 11 | rbac: {} 12 | channel: stable 13 | cloudProvider: aws 14 | configBase: {{ .configBase }} 15 | containerRuntime: docker 16 | etcdClusters: 17 | - cpuRequest: 200m 18 | etcdMembers: 19 
| - instanceGroup: control-plane-{{.awsRegion}}a
20 | name: a
21 | memoryRequest: 100Mi
22 | name: main
23 | - cpuRequest: 100m
24 | etcdMembers:
25 | - instanceGroup: control-plane-{{.awsRegion}}a
26 | name: a
27 | memoryRequest: 100Mi
28 | name: events
29 | iam:
30 | allowContainerRegistry: true
31 | legacy: false
32 | kubernetesApiAccess:  # source CIDRs allowed to reach the Kubernetes API endpoint
33 | - 0.0.0.0/0  # NOTE(review): any source address is admitted; narrow to the CI runners' egress CIDRs if they are known
34 | kubernetesVersion: {{ .kubernetesVersion }}
35 | masterPublicName: api.{{ .clusterName }}
36 | networkCIDR: 172.20.0.0/16
37 | networking:
38 | amazonvpc: {}
39 | nonMasqueradeCIDR: 100.64.0.0/10
40 | sshAccess:  # source CIDRs allowed to reach SSH on the instances
41 | - 0.0.0.0/0  # NOTE(review): any source address is admitted; restrict or remove if the CI job never uses SSH
42 | subnets:  # all three subnets below are declared Public
43 | - cidr: 172.20.32.0/19
44 | name: {{.awsRegion}}a
45 | type: Public
46 | zone: {{.awsRegion}}a
47 | - cidr: 172.20.64.0/19
48 | name: {{.awsRegion}}b
49 | type: Public
50 | zone: {{.awsRegion}}b
51 | - cidr: 172.20.96.0/19
52 | name: {{.awsRegion}}c
53 | type: Public
54 | zone: {{.awsRegion}}c
55 | topology:  # control-plane and worker instances both use the public topology
56 | dns:
57 | type: Public
58 | masters: public
59 | nodes: public
60 | kubeAPIServer:  # component images from here on are repository:tag pairs filled in by the template, not digests
61 | apiAudiences:  # presumably istio-ca is the audience Istio requests for service-account tokens; verify
62 | - api
63 | - istio-ca
64 | serviceAccountIssuer: kubernetes.default.svc
65 | image: {{ .kube_apiserver.repository }}:{{ .kube_apiserver.tag }}
66 | kubeControllerManager:
67 | image: {{ .kube_controller_manager.repository }}:{{ .kube_controller_manager.tag }}
68 | kubeScheduler:
69 | image: {{ .kube_scheduler.repository }}:{{ .kube_scheduler.tag }}
70 | kubeProxy:
71 | image: {{ .kube_proxy.repository }}:{{ .kube_proxy.tag }}
72 | # Metrics Server will be supported with kops 1.19
73 | metricsServer:
74 | enabled: true
75 | image: {{ .metrics_server.repository }}:{{ .metrics_server.tag }}
76 | authentication:
77 | aws:
78 | image: {{ .awsiamauth.repository }}:{{ .awsiamauth.tag }}
79 | kubeDNS:
80 | provider: CoreDNS
81 | coreDNSImage: {{ .coredns.repository }}:{{ .coredns.tag }}
82 | externalCoreFile: |
83 | .:53 {
84 | errors
85 | health {
86 | lameduck 5s
87 | }
88 | kubernetes cluster.local.
in-addr.arpa ip6.arpa { 89 | pods insecure 90 | #upstream 91 | fallthrough in-addr.arpa ip6.arpa 92 | } 93 | prometheus :9153 94 | forward . /etc/resolv.conf 95 | loop 96 | cache 30 97 | loadbalance 98 | reload 99 | } 100 | masterKubelet: 101 | podInfraContainerImage: {{ .pause.repository }}:{{ .pause.tag }} 102 | # kubelet might already be defined, append the following config 103 | kubelet: 104 | podInfraContainerImage: {{ .pause.repository }}:{{ .pause.tag }} 105 | anonymousAuth: false 106 | 107 | --- 108 | 109 | apiVersion: kops.k8s.io/v1alpha2 110 | kind: InstanceGroup 111 | metadata: 112 | labels: 113 | kops.k8s.io/cluster: {{.clusterName}} 114 | name: control-plane-{{.awsRegion}}a 115 | spec: 116 | {{- if .controlPlaneInstanceProfileArn }} 117 | iam: 118 | profile: {{ .controlPlaneInstanceProfileArn }} 119 | {{- end }} 120 | image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20201026 121 | machineType: t3.medium 122 | maxSize: 1 123 | minSize: 1 124 | nodeLabels: 125 | kops.k8s.io/instancegroup: control-plane-{{.awsRegion}}a 126 | role: Master 127 | subnets: 128 | - {{.awsRegion}}a 129 | 130 | --- 131 | 132 | apiVersion: kops.k8s.io/v1alpha2 133 | kind: InstanceGroup 134 | metadata: 135 | labels: 136 | kops.k8s.io/cluster: {{.clusterName}} 137 | name: nodes 138 | spec: 139 | {{- if .nodeInstanceProfileArn }} 140 | iam: 141 | profile: {{ .nodeInstanceProfileArn }} 142 | {{- end }} 143 | image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20201026 144 | machineType: t3.medium 145 | maxSize: 3 146 | minSize: 3 147 | nodeLabels: 148 | kops.k8s.io/instancegroup: nodes 149 | role: Node 150 | subnets: 151 | - {{.awsRegion}}a 152 | - {{.awsRegion}}b 153 | - {{.awsRegion}}c 154 | -------------------------------------------------------------------------------- /tetrateci/docs/fips.md: -------------------------------------------------------------------------------- 1 | ## Introduction 2 | 3 | Google's BoringCrypto [module][1] 
is used for [FIPS-compliant Istio builds][2]. BoringCrypto is a core module of the 4 | BoringSSL library and has been tested by CMVP to be [FIPS validated][3]. Both the Istio control plane and data plane 5 | are built with these modules. The quickest way to get started with FIPS Istio is to use the 6 | [Tetrate Istio Distribution][4]. 7 | 8 | ## FIPS Build Process and Verification 9 | 10 | ### Istio Control Plane FIPS Build Process 11 | 12 | This [doc](https://gokulchandrapr.medium.com/go-crypto-and-kubernetes-fips-140-2-fedramp-compliance-66d852ccccd2) 13 | provides a good introduction to what is necessary to build FIPS-compliant Go binaries using BoringCrypto. 14 | 15 | Roughly speaking, we need to: 16 | 17 | 1. Use the BoringCrypto version of the Go toolset. In TID, we set up the Go binaries differently, see [setup_boring_go.sh](https://github.com/tetratelabs/istio/blob/f7d03be560753dc71d4c764dceb06f961c4fcdbd/tetrateci/setup_boring_go.sh#L25). 18 | 1. Configure `CGO_ENABLED=1` when invoking `go build`. Istio uses a wrapper `gobuild.sh` script to build all Go binaries. 19 | In TID, we ensure that `CGO_ENABLED=1` is patched into this script. For example, in [tetratefips-release-1.9](https://github.com/tetratelabs/istio/blob/tetratefips-release-1.9/common/scripts/gobuild.sh#L53). 20 | TODO(psbrar99): provide link on other releases when we updated from 1.10 and beyond. 21 | 1. Optionally, some tutorials suggest verifying the FIPS-compliant build via `go tool nm ./out/linux_amd64/pilot-discovery | grep 'boringcrypto.*'`. 22 | For now, when you run this against TID Go binaries, you may not see the symbols, because Istio (and TID as well) currently strips 23 | the symbols by passing [`-ldflags '-extldflags -static -s -w'`](https://github.com/tetratelabs/istio/blob/tetratefips-release-1.9/Makefile.core.mk#L270), so an empty result does not by itself mean the build is non-FIPS; the `go version` check under "Verify Golang Version Used for Build" below does not depend on the symbol table. 24 | TODO(incfly): consider whether to retain the symbols as part of the final build.
25 | 26 | ### Istio Data Plane Build Process 27 | 28 | The Istio data plane, namely the sidecar proxy binaries, is built against a FIPS-compliant BoringSSL implementation. 29 | Per the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2), 30 | Envoy must be built with the `--define boringssl=fips` Bazel option. 31 | 32 | TID sets that in the release pipeline; see [Add FIPS flags](https://github.com/tetratelabs/istio/blob/d0d39e76abd8c9293f5095bafc93f94808149c4d/.github/workflows/make_release.yml#L75) in our CI configuration. 33 | 34 | 35 | ### Verify Cipher Suite 36 | 37 | Istio can serve TLS at the gateway or at the sidecar. 38 | 39 | 1. Gateway: you can choose which cipher suites to use via the [Gateway.Tls]() configuration. 40 | 1. Sidecar mTLS: Istio configures a few [cipher suites](https://github.com/istio/istio/pull/27500/files#diff-d125e7f730d1cbb88e68de5b3899a279868936baeaf2be780be5f052708a71c1R138). 41 | 42 | In either case, you can use the following command to see which cipher suites are in use for both gateway and sidecar TLS, and compare them with the suites your FIPS policy allows. 43 | 44 | ```sh 45 | istioctl proxy-config all -ojson | grep -i "cipherSuites" -A10 46 | "cipherSuites": [ 47 | "ECDHE-ECDSA-AES256-GCM-SHA384", 48 | "ECDHE-RSA-AES256-GCM-SHA384", 49 | "ECDHE-ECDSA-AES128-GCM-SHA256", 50 | "ECDHE-RSA-AES128-GCM-SHA256", 51 | "AES256-GCM-SHA384", 52 | "AES128-GCM-SHA256" 53 | ] 54 | }, 55 | "tlsCertificateSdsSecretConfigs": [ 56 | ``` 57 | 58 | ### Verify Golang Version Used for Build 59 | 60 | The easiest way to verify the Go version is with Docker. First, create the containers from the [CloudSmith][5] images.
61 | ```shell 62 | HUB=containers.istio.tetratelabs.com 63 | TAG=1.11.4-tetratefips-v0 64 | PILOT_CONTAINER_ID=$(docker create $HUB/pilot:$TAG) 65 | PROXY_CONTAINER_ID=$(docker create $HUB/proxyv2:$TAG) 66 | OPERATOR_CONTAINER_ID=$(docker create $HUB/operator:$TAG) 67 | ISTIOCTL_CONTAINER_ID=$(docker create $HUB/istioctl:$TAG) 68 | CNI_CONTAINER_ID=$(docker create $HUB/install-cni:$TAG) 69 | ``` 70 | 71 | Copy the binaries from the containers to your local machine. 72 | ```shell 73 | docker cp $PILOT_CONTAINER_ID:/usr/local/bin/pilot-discovery pilot-discovery 74 | docker cp $PROXY_CONTAINER_ID:/usr/local/bin/pilot-agent pilot-agent 75 | docker cp $PROXY_CONTAINER_ID:/usr/local/bin/envoy envoy 76 | docker cp $OPERATOR_CONTAINER_ID:/usr/local/bin/operator operator 77 | docker cp $ISTIOCTL_CONTAINER_ID:/usr/local/bin/istioctl istioctl 78 | docker cp $CNI_CONTAINER_ID:/usr/local/bin/install-cni install-cni 79 | ``` 80 | 81 | Verify the Go version used by the binaries. 82 | ```shell 83 | go version pilot-discovery | cut -f2 -d" " 84 | go version pilot-agent | cut -f2 -d" " 85 | go version operator | cut -f2 -d" " 86 | go version istioctl | cut -f2 -d" " 87 | go version install-cni | cut -f2 -d" " 88 | ``` 89 | The Go version should include `b` to indicate BoringSSL, `go1.16.9b7` for example. 
90 | 91 | Verify Envoy is using BoringSSL FIPS: 92 | ```shell 93 | envoy --version | cut -f4 -d" " 94 | ``` 95 | 96 | The version should include `BoringSSL-FIPS`, for example: 97 | ```shell 98 | ed148b62dfb0dc79adc8c8573ced4806883389c0/1.19.2-dev/Modified/RELEASE/BoringSSL-FIPS 99 | ``` 100 | 101 | [1]: https://go.googlesource.com/go/+/dev.boringcrypto/README.boringcrypto.md 102 | [2]: https://go-boringcrypto.storage.googleapis.com 103 | [3]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4407 104 | [4]: https://istio.tetratelabs.io/ 105 | [5]: https://cloudsmith.io/~tetrate/repos/getistio-containers/packages/ 106 | -------------------------------------------------------------------------------- /tetrateci/patches/eks/eks_1.16.patch: -------------------------------------------------------------------------------- 1 | From db64738688316472d1840c5f0e58fcdf6b7c51d9 Mon Sep 17 00:00:00 2001 2 | From: psbrar99 3 | Date: Thu, 3 Aug 2023 13:52:36 -0600 4 | Subject: [PATCH] 1.16 patch 5 | 6 | Signed-off-by: psbrar99 7 | --- 8 | .../components/echo/kube/deployment.go | 1 + 9 | .../echo/kube/templates/vm_deployment.yaml | 22 +++++++++---------- 10 | pkg/test/framework/components/istio/util.go | 9 ++++++++ 11 | tests/integration/pilot/ingress_test.go | 13 +++++++++++ 12 | 4 files changed, 34 insertions(+), 11 deletions(-) 13 | 14 | diff --git a/pkg/test/framework/components/echo/kube/deployment.go b/pkg/test/framework/components/echo/kube/deployment.go 15 | index 3eb41c570b..bd9b567b83 100644 16 | --- a/pkg/test/framework/components/echo/kube/deployment.go 17 | +++ b/pkg/test/framework/components/echo/kube/deployment.go 18 | 
@@ -521,6 +521,7 @@ spec:
19 | if rev := getIstioRevision(cfg.Namespace); len(rev) > 0 {
20 | cmd = append(cmd, "--revision", rev)
21 | }
22 | + cmd = append(cmd, "--ingressIP", istiodAddr.Addr().String())
23 | // make sure namespace controller has time to create root-cert ConfigMap
24 | if err := retry.UntilSuccess(func() error {
25 | stdout, stderr, err := istioCtl.Invoke(cmd)
26 | diff --git a/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml b/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml
27 | index 4343abcd5c..1c61d2c1a5 100644
28 | --- a/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml
29 | +++ b/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml
30 |
@@ -85,16 +85,16 @@ spec:
31 |
32 | # since we're not overwriting /etc/hosts on k8s, verify that istiod hostname in /etc/hosts
33 | # matches the value generated by istioctl
34 | - echo "checking istio host"
35 | - SYSTEM_HOST=$(cat /etc/hosts | grep istiod)
36 | - ISTIOCTL_HOST=$(cat /var/run/secrets/istio/bootstrap/hosts | grep istiod)
37 | - if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then
38 | - echo "istiod host in /etc/hosts does not match value generated by istioctl"
39 | - echo "/etc/hosts: $SYSTEM_HOST"
40 | - echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST"
41 | - exit 1
42 | - fi
43 | - echo "istiod host ok"
44 | + # echo "checking istio host"
45 | + # SYSTEM_HOST=$(cat /etc/hosts | grep istiod)
46 | + # ISTIOCTL_HOST=$(cat /var/run/secrets/istio/bootstrap/hosts | grep istiod)
47 | + # if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then
48 | + # echo "istiod host in /etc/hosts does not match value generated by istioctl"
49 | + # echo "/etc/hosts: $SYSTEM_HOST"
50 | + # echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST"
51 | + # exit 1
52 | + # fi
53 | + # echo "istiod host ok"
54 |
55 | # read certs from correct directory
56 | sudo sh -c 'echo PROV_CERT=/var/run/secrets/istio >> /var/lib/istio/envoy/cluster.env'
57 | @@ -173,4 +173,4 @@ spec:
58 | name: {{ $value.Value }}
59 | {{- end }}
60 | {{- end }}
61 | -{{- end}}
62 | +{{- end}}
63 | \ No newline at end of file
64 | diff --git a/pkg/test/framework/components/istio/util.go b/pkg/test/framework/components/istio/util.go
65 | index 2600fe421c..2d01c756c1 100644
66 | --- a/pkg/test/framework/components/istio/util.go
67 | +++ b/pkg/test/framework/components/istio/util.go
68 |
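Review bot: Commenting out the istiod host check (new lines 88-97 of vm_deployment.yaml) leaves dead script in the template and gives no reason for the change, so a later reader cannot tell whether it is safe to restore. With the check off, a VM whose /etc/hosts entry for istiod differs from the one istioctl generated now carries on instead of exiting, so a mis-resolved istiod address surfaces later and less clearly. I would delete the block and leave a single comment in its place that states why the comparison is skipped on EKS, or gate it on a variable so other platforms keep the check. The second hunk also drops the file's trailing newline, which looks unintended. The same two hunks appear in the eks_1.17, eks_1.18 and eks_1.15 patches.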
@@ -137,6 +137,15 @@ func getRemoteServiceAddress(s *kube.Settings, cluster cluster.Cluster, ns, labe
69 | if ingr.IP == "" && ingr.Hostname == "" {
70 | return nil, false, fmt.Errorf("service %s/%s is not available yet: no ingress", svc.Namespace, svc.Name)
71 | }
72 | + if ingr.Hostname != "" {
73 | + ip, err := net.LookupIP(ingr.Hostname)
74 | + if err != nil {
75 | + return nil, false, fmt.Errorf("service %s/%s is not available yet: no ingress", svc.Namespace, svc.Name)
76 | + }
77 | + if len(ip) > 0 {
78 | + ingr.IP = ip[0].String()
79 | + }
80 | + }
81 | if ingr.IP != "" {
82 | ipaddr, err := netip.ParseAddr(ingr.IP)
83 | if err != nil {
84 | diff --git a/tests/integration/pilot/ingress_test.go b/tests/integration/pilot/ingress_test.go
85 | index 258dcf8de0..d1cd0601be 100644
86 | --- a/tests/integration/pilot/ingress_test.go
87 | +++ b/tests/integration/pilot/ingress_test.go
88 | @@ -232,6 +232,7 @@ spec:
89 | if err != nil {
90 | return err
91 | }
92 | +
93 | if s := kstatus.GetCondition(gwc.Status.Conditions, string(k8s.GatewayClassConditionStatusAccepted)).Status; s != metav1.ConditionTrue {
94 | return fmt.Errorf("expected status %q, got %q", metav1.ConditionTrue, s)
95 | }
96 | @@ -601,6 +602,12 @@ spec:
97 | if hostIsIP {
98 | got = ing.Status.LoadBalancer.Ingress[0].IP
99 | }
100 | + if ing.Status.LoadBalancer.Ingress[0].Hostname != "" {
101 | + ip, _ := net.LookupIP(ing.Status.LoadBalancer.Ingress[0].Hostname)
102 | + if len(ip) > 0 {
103 | + got = ip[0].String()
104 | + }
105 | + }
106 | if got != host {
107 | return fmt.Errorf("unexpected ingress status, got %+v want %v", got, host)
108 | }
109 |
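Review bot: The `net.LookupIP` failure in getRemoteServiceAddress is returned with the same "no ingress" text as the check above it and the resolver error is dropped, so a DNS problem cannot be told apart from a load balancer that has no address yet; `return nil, false, fmt.Errorf("service %s/%s is not available yet: resolving %q: %w", svc.Namespace, svc.Name, ingr.Hostname, err)` keeps the cause. The block also overwrites `ingr.IP` whenever a hostname is present and pins the first record returned, which may be an IPv6 address or may differ between calls when the load balancer publishes several records; `if ingr.IP == "" && ingr.Hostname != "" {` would leave an address that is already set alone. No import is added by this hunk, so confirm that `net` is already imported alongside `netip` in util.go. The function body continues outside the hunk, and the same block is added in the eks_1.17, eks_1.18 and eks_1.15 patches.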
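Review bot: `ip, _ := net.LookupIP(...)` in the ingress_test.go hunk at -601 discards the lookup error, so a resolver failure leaves `got` at its earlier value and the retry reports "unexpected ingress status" instead of the real cause; `ip, err := net.LookupIP(...)` followed by `if err != nil { return err }` would surface it. The override also runs when `hostIsIP` is false, where `host` is presumably a hostname and a resolved address can never equal it, so the block probably belongs inside the `if hostIsIP` branch. Comparing only `ip[0]` with `host` depends on record order when the load balancer publishes several addresses. The hunk at -617 repeats the block, as do the ingress_test.go hunks in the eks_1.17, eks_1.18 and eks_1.15 patches; the enclosing function starts outside the hunk.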
@@ -617,6 +624,12 @@ spec: 110 | if hostIsIP { 111 | got = ing.Status.LoadBalancer.Ingress[0].IP 112 | } 113 | + if ing.Status.LoadBalancer.Ingress[0].Hostname != "" { 114 | + ip, _ := net.LookupIP(ing.Status.LoadBalancer.Ingress[0].Hostname) 115 | + if len(ip) > 0 { 116 | + got = ip[0].String() 117 | + } 118 | + } 119 | if got != host { 120 | return fmt.Errorf("unexpected ingress status, got %+v want %v", got, host) 121 | } 122 | -- 123 | 2.30.1 (Apple Git-130) 124 | 125 | -------------------------------------------------------------------------------- /tetrateci/patches/eks/eks_1.17.patch: -------------------------------------------------------------------------------- 1 | From 5de4783fd311442f004213871142e75ec320c135 Mon Sep 17 00:00:00 2001 2 | From: psbrar99 3 | Date: Thu, 3 Aug 2023 15:51:42 -0600 4 | Subject: [PATCH] 1.17 patch 5 | 6 | Signed-off-by: psbrar99 7 | --- 8 | .../components/echo/kube/deployment.go | 1 + 9 | .../echo/kube/templates/vm_deployment.yaml | 22 +++++++++---------- 10 | pkg/test/framework/components/istio/util.go | 9 ++++++++ 11 | tests/integration/pilot/ingress_test.go | 13 +++++++++++ 12 | 4 files changed, 34 insertions(+), 11 deletions(-) 13 | 14 | diff --git a/pkg/test/framework/components/echo/kube/deployment.go b/pkg/test/framework/components/echo/kube/deployment.go 15 | index 7574ed58c4..6f418d7f17 100644 16 | --- a/pkg/test/framework/components/echo/kube/deployment.go 17 | +++ b/pkg/test/framework/components/echo/kube/deployment.go 18 | @@ -521,6 +521,7 @@ spec: 19 | if rev := getIstioRevision(cfg.Namespace); len(rev) > 0 { 20 | cmd = append(cmd, "--revision", rev) 21 | } 22 | + cmd = append(cmd, "--ingressIP", istiodAddr.Addr().String()) 23 | // make sure namespace controller has time to create root-cert ConfigMap 24 | if err := retry.UntilSuccess(func() error { 25 | stdout, stderr, err := istioCtl.Invoke(cmd) 26 | 
diff --git a/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml b/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml 27 | index 4343abcd5c..1c61d2c1a5 100644 28 | --- a/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml 29 | +++ b/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml 30 | @@ -85,16 +85,16 @@ spec: 31 | 32 | # since we're not overwriting /etc/hosts on k8s, verify that istiod hostname in /etc/hosts 33 | # matches the value generated by istioctl 34 | - echo "checking istio host" 35 | - SYSTEM_HOST=$(cat /etc/hosts | grep istiod) 36 | - ISTIOCTL_HOST=$(cat /var/run/secrets/istio/bootstrap/hosts | grep istiod) 37 | - if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then 38 | - echo "istiod host in /etc/hosts does not match value generated by istioctl" 39 | - echo "/etc/hosts: $SYSTEM_HOST" 40 | - echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST" 41 | - exit 1 42 | - fi 43 | - echo "istiod host ok" 44 | + # echo "checking istio host" 45 | + # SYSTEM_HOST=$(cat /etc/hosts | grep istiod) 46 | + # ISTIOCTL_HOST=$(cat /var/run/secrets/istio/bootstrap/hosts | grep istiod) 47 | + # if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then 48 | + # echo "istiod host in /etc/hosts does not match value generated by istioctl" 49 | + # echo "/etc/hosts: $SYSTEM_HOST" 50 | + # echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST" 51 | + # exit 1 52 | + # fi 53 | + # echo "istiod host ok" 54 | 55 | # read certs from correct directory 56 | sudo sh -c 'echo PROV_CERT=/var/run/secrets/istio >> /var/lib/istio/envoy/cluster.env' 57 | @@ -173,4 +173,4 @@ spec: 58 | name: {{ $value.Value }} 59 | {{- end }} 60 | {{- end }} 61 | -{{- end}} 62 | +{{- end}} 63 | \ No newline at end of file 64 | 
diff --git a/pkg/test/framework/components/istio/util.go b/pkg/test/framework/components/istio/util.go 65 | index 2600fe421c..2d01c756c1 100644 66 | --- a/pkg/test/framework/components/istio/util.go 67 | +++ b/pkg/test/framework/components/istio/util.go 68 | @@ -137,6 +137,15 @@ func getRemoteServiceAddress(s *kube.Settings, cluster cluster.Cluster, ns, labe 69 | if ingr.IP == "" && ingr.Hostname == "" { 70 | return nil, false, fmt.Errorf("service %s/%s is not available yet: no ingress", svc.Namespace, svc.Name) 71 | } 72 | + if ingr.Hostname != "" { 73 | + ip, err := net.LookupIP(ingr.Hostname) 74 | + if err != nil { 75 | + return nil, false, fmt.Errorf("service %s/%s is not available yet: no ingress", svc.Namespace, svc.Name) 76 | + } 77 | + if len(ip) > 0 { 78 | + ingr.IP = ip[0].String() 79 | + } 80 | + } 81 | if ingr.IP != "" { 82 | ipaddr, err := netip.ParseAddr(ingr.IP) 83 | if err != nil { 84 | diff --git a/tests/integration/pilot/ingress_test.go b/tests/integration/pilot/ingress_test.go 85 | index 82766cfc3c..6e1ef41f9f 100644 86 | --- a/tests/integration/pilot/ingress_test.go 87 | +++ b/tests/integration/pilot/ingress_test.go 88 | @@ -232,6 +232,7 @@ spec: 89 | if err != nil { 90 | return err 91 | } 92 | + 93 | if s := kstatus.GetCondition(gwc.Status.Conditions, string(k8s.GatewayClassConditionStatusAccepted)).Status; s != metav1.ConditionTrue { 94 | return fmt.Errorf("expected status %q, got %q", metav1.ConditionTrue, s) 95 | } 96 | @@ -601,6 +602,12 @@ spec: 97 | if hostIsIP { 98 | got = ing.Status.LoadBalancer.Ingress[0].IP 99 | } 100 | + if ing.Status.LoadBalancer.Ingress[0].Hostname != "" { 101 | + ip, _ := net.LookupIP(ing.Status.LoadBalancer.Ingress[0].Hostname) 102 | + if len(ip) > 0 { 103 | + got = ip[0].String() 104 | + } 105 | + } 106 | if got != host { 107 | return fmt.Errorf("unexpected ingress status, got %+v want %v", got, host) 108 | } 109 | 
@@ -617,6 +624,12 @@ spec: 110 | if hostIsIP { 111 | got = ing.Status.LoadBalancer.Ingress[0].IP 112 | } 113 | + if ing.Status.LoadBalancer.Ingress[0].Hostname != "" { 114 | + ip, _ := net.LookupIP(ing.Status.LoadBalancer.Ingress[0].Hostname) 115 | + if len(ip) > 0 { 116 | + got = ip[0].String() 117 | + } 118 | + } 119 | if got != host { 120 | return fmt.Errorf("unexpected ingress status, got %+v want %v", got, host) 121 | } 122 | -- 123 | 2.30.1 (Apple Git-130) 124 | 125 | -------------------------------------------------------------------------------- /tetrateci/patches/eks/eks_1.18.patch: -------------------------------------------------------------------------------- 1 | From 76ba05e0d163dc99389959c9922fd51d89e41f53 Mon Sep 17 00:00:00 2001 2 | From: psbrar99 3 | Date: Wed, 2 Aug 2023 15:05:54 -0600 4 | Subject: [PATCH] patch 5 | 6 | Signed-off-by: psbrar99 7 | --- 8 | .../components/echo/kube/deployment.go | 1 + 9 | .../echo/kube/templates/vm_deployment.yaml | 22 +++++++++---------- 10 | pkg/test/framework/components/istio/util.go | 9 ++++++++ 11 | tests/integration/pilot/ingress_test.go | 12 +++++----- 12 | 4 files changed, 28 insertions(+), 16 deletions(-) 13 | 14 | diff --git a/pkg/test/framework/components/echo/kube/deployment.go b/pkg/test/framework/components/echo/kube/deployment.go 15 | index a0c723e0e8..0739d0b0bf 100644 16 | --- a/pkg/test/framework/components/echo/kube/deployment.go 17 | +++ b/pkg/test/framework/components/echo/kube/deployment.go 18 | @@ -522,6 +522,7 @@ spec: 19 | if rev := getIstioRevision(cfg.Namespace); len(rev) > 0 { 20 | cmd = append(cmd, "--revision", rev) 21 | } 22 | + cmd = append(cmd, "--ingressIP", istiodAddr.Addr().String()) 23 | // make sure namespace controller has time to create root-cert ConfigMap 24 | if err := retry.UntilSuccess(func() error { 25 | stdout, stderr, err := istioCtl.Invoke(cmd) 26 | 
diff --git a/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml b/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml 27 | index 4343abcd5c..1c61d2c1a5 100644 28 | --- a/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml 29 | +++ b/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml 30 | @@ -85,16 +85,16 @@ spec: 31 | 32 | # since we're not overwriting /etc/hosts on k8s, verify that istiod hostname in /etc/hosts 33 | # matches the value generated by istioctl 34 | - echo "checking istio host" 35 | - SYSTEM_HOST=$(cat /etc/hosts | grep istiod) 36 | - ISTIOCTL_HOST=$(cat /var/run/secrets/istio/bootstrap/hosts | grep istiod) 37 | - if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then 38 | - echo "istiod host in /etc/hosts does not match value generated by istioctl" 39 | - echo "/etc/hosts: $SYSTEM_HOST" 40 | - echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST" 41 | - exit 1 42 | - fi 43 | - echo "istiod host ok" 44 | + # echo "checking istio host" 45 | + # SYSTEM_HOST=$(cat /etc/hosts | grep istiod) 46 | + # ISTIOCTL_HOST=$(cat /var/run/secrets/istio/bootstrap/hosts | grep istiod) 47 | + # if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then 48 | + # echo "istiod host in /etc/hosts does not match value generated by istioctl" 49 | + # echo "/etc/hosts: $SYSTEM_HOST" 50 | + # echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST" 51 | + # exit 1 52 | + # fi 53 | + # echo "istiod host ok" 54 | 55 | # read certs from correct directory 56 | sudo sh -c 'echo PROV_CERT=/var/run/secrets/istio >> /var/lib/istio/envoy/cluster.env' 57 | @@ -173,4 +173,4 @@ spec: 58 | name: {{ $value.Value }} 59 | {{- end }} 60 | {{- end }} 61 | -{{- end}} 62 | +{{- end}} 63 | \ No newline at end of file 64 | 
diff --git a/pkg/test/framework/components/istio/util.go b/pkg/test/framework/components/istio/util.go 65 | index 2600fe421c..2d01c756c1 100644 66 | --- a/pkg/test/framework/components/istio/util.go 67 | +++ b/pkg/test/framework/components/istio/util.go 68 | @@ -137,6 +137,15 @@ func getRemoteServiceAddress(s *kube.Settings, cluster cluster.Cluster, ns, labe 69 | if ingr.IP == "" && ingr.Hostname == "" { 70 | return nil, false, fmt.Errorf("service %s/%s is not available yet: no ingress", svc.Namespace, svc.Name) 71 | } 72 | + if ingr.Hostname != "" { 73 | + ip, err := net.LookupIP(ingr.Hostname) 74 | + if err != nil { 75 | + return nil, false, fmt.Errorf("service %s/%s is not available yet: no ingress", svc.Namespace, svc.Name) 76 | + } 77 | + if len(ip) > 0 { 78 | + ingr.IP = ip[0].String() 79 | + } 80 | + } 81 | if ingr.IP != "" { 82 | ipaddr, err := netip.ParseAddr(ingr.IP) 83 | if err != nil { 84 | diff --git a/tests/integration/pilot/ingress_test.go b/tests/integration/pilot/ingress_test.go 85 | index 4f158b96ef..c332e1630e 100644 86 | --- a/tests/integration/pilot/ingress_test.go 87 | +++ b/tests/integration/pilot/ingress_test.go 88 | @@ -332,6 +332,12 @@ spec: 89 | if hostIsIP { 90 | got = ing.Status.LoadBalancer.Ingress[0].IP 91 | } 92 | + if ing.Status.LoadBalancer.Ingress[0].Hostname != "" { 93 | + ip, _ := net.LookupIP(ing.Status.LoadBalancer.Ingress[0].Hostname) 94 | + if len(ip) > 0 { 95 | + got = ip[0].String() 96 | + } 97 | + } 98 | if got != host { 99 | return fmt.Errorf("unexpected ingress status, got %+v want %v", got, host) 100 | } 101 | 
@@ -441,10 +447,6 @@ func TestCustomGateway(t *testing.T) { 102 | NewTest(t). 103 | Features("traffic.ingress.custom"). 104 | Run(func(t framework.TestContext) { 105 | - inject := false 106 | - if t.Settings().Compatibility { 107 | - inject = true 108 | - } 109 | injectLabel := `sidecar.istio.io/inject: "true"` 110 | if t.Settings().Revisions.Default() != "" { 111 | injectLabel = fmt.Sprintf(`istio.io/rev: "%v"`, t.Settings().Revisions.Default()) 112 | @@ -458,7 +460,7 @@ func TestCustomGateway(t *testing.T) { 113 | } 114 | 115 | t.NewSubTest("minimal").Run(func(t framework.TestContext) { 116 | - gatewayNs := namespace.NewOrFail(t, t, namespace.Config{Prefix: "custom-gateway-minimal", Inject: inject}) 117 | + gatewayNs := namespace.NewOrFail(t, t, namespace.Config{Prefix: "custom-gateway-minimal"}) 118 | _ = t.ConfigIstio().Eval(gatewayNs.Name(), templateParams, `apiVersion: v1 119 | kind: Service 120 | metadata: 121 | -- 122 | 2.30.1 (Apple Git-130) 123 | 124 | -------------------------------------------------------------------------------- /tetrateci/patches/eks/eks_1.15.patch: -------------------------------------------------------------------------------- 1 | From a2e8b635a71ac66273edd6388ba883a0214b9cf8 Mon Sep 17 00:00:00 2001 2 | From: psbrar99 3 | Date: Thu, 3 Aug 2023 16:25:50 -0600 4 | Subject: [PATCH] 1.15 patch 5 | 6 | Signed-off-by: psbrar99 7 | --- 8 | .../components/echo/kube/deployment.go | 1 + 9 | .../echo/kube/templates/vm_deployment.yaml | 22 +++++++++---------- 10 | pkg/test/framework/components/istio/util.go | 9 ++++++++ 11 | tests/integration/pilot/ingress_test.go | 14 +++++++++++- 12 | 4 files changed, 34 insertions(+), 12 deletions(-) 13 | 14 | diff --git a/pkg/test/framework/components/echo/kube/deployment.go b/pkg/test/framework/components/echo/kube/deployment.go 15 | index dbad3eb0be..9a53ff95dd 100644 16 | --- a/pkg/test/framework/components/echo/kube/deployment.go 17 | +++ b/pkg/test/framework/components/echo/kube/deployment.go 18 | 
@@ -515,6 +515,7 @@ spec: 19 | // LoadBalancer may not be supported and the command doesn't have NodePort fallback logic that the tests do 20 | cmd = append(cmd, "--ingressIP", istiodAddr.IP.String()) 21 | } 22 | + cmd = append(cmd, "--ingressIP", istiodAddr.IP.String()) 23 | if rev := getIstioRevision(cfg.Namespace); len(rev) > 0 { 24 | cmd = append(cmd, "--revision", rev) 25 | } 26 | diff --git a/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml b/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml 27 | index 4343abcd5c..1c61d2c1a5 100644 28 | --- a/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml 29 | +++ b/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml 30 | 
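Review bot: The added `cmd = append(cmd, "--ingressIP", istiodAddr.IP.String())` sits directly after a conditional block whose body appends the same flag, so whenever that condition holds `--ingressIP` is passed to istioctl twice. Replacing the condition instead of appending after it would avoid the duplicate, and a one-line comment stating why EKS needs the flag unconditionally would make the intent clear. The eks_1.16, eks_1.17 and eks_1.18 patches add the equivalent line after the `--revision` block; their context does not show whether the conditional append is still present above it, so the same duplication may apply there. The enclosing function starts and ends outside the hunk.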
@@ -85,16 +85,16 @@ spec: 31 | 32 | # since we're not overwriting /etc/hosts on k8s, verify that istiod hostname in /etc/hosts 33 | # matches the value generated by istioctl 34 | - echo "checking istio host" 35 | - SYSTEM_HOST=$(cat /etc/hosts | grep istiod) 36 | - ISTIOCTL_HOST=$(cat /var/run/secrets/istio/bootstrap/hosts | grep istiod) 37 | - if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then 38 | - echo "istiod host in /etc/hosts does not match value generated by istioctl" 39 | - echo "/etc/hosts: $SYSTEM_HOST" 40 | - echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST" 41 | - exit 1 42 | - fi 43 | - echo "istiod host ok" 44 | + # echo "checking istio host" 45 | + # SYSTEM_HOST=$(cat /etc/hosts | grep istiod) 46 | + # ISTIOCTL_HOST=$(cat /var/run/secrets/istio/bootstrap/hosts | grep istiod) 47 | + # if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then 48 | + # echo "istiod host in /etc/hosts does not match value generated by istioctl" 49 | + # echo "/etc/hosts: $SYSTEM_HOST" 50 | + # echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST" 51 | + # exit 1 52 | + # fi 53 | + # echo "istiod host ok" 54 | 55 | # read certs from correct directory 56 | sudo sh -c 'echo PROV_CERT=/var/run/secrets/istio >> /var/lib/istio/envoy/cluster.env' 57 | @@ -173,4 +173,4 @@ spec: 58 | name: {{ $value.Value }} 59 | {{- end }} 60 | {{- end }} 61 | -{{- end}} 62 | +{{- end}} 63 | \ No newline at end of file 64 | diff --git a/pkg/test/framework/components/istio/util.go b/pkg/test/framework/components/istio/util.go 65 | index 18c5502e1d..60198b4f7d 100644 66 | --- a/pkg/test/framework/components/istio/util.go 67 | +++ b/pkg/test/framework/components/istio/util.go 68 | 
@@ -132,6 +132,15 @@ func getRemoteServiceAddress(s *kube.Settings, cluster cluster.Cluster, ns, labe 69 | if ingr.IP == "" && ingr.Hostname == "" { 70 | return nil, false, fmt.Errorf("service %s/%s is not available yet: no ingress", svc.Namespace, svc.Name) 71 | } 72 | + if ingr.Hostname != "" { 73 | + ip, err := net.LookupIP(ingr.Hostname) 74 | + if err != nil { 75 | + return nil, false, fmt.Errorf("service %s/%s is not available yet: no ingress", svc.Namespace, svc.Name) 76 | + } 77 | + if len(ip) > 0 { 78 | + ingr.IP = ip[0].String() 79 | + } 80 | + } 81 | if ingr.IP != "" { 82 | return net.TCPAddr{IP: net.ParseIP(ingr.IP), Port: port}, true, nil 83 | } 84 | diff --git a/tests/integration/pilot/ingress_test.go b/tests/integration/pilot/ingress_test.go 85 | index 217da4f89c..9bd5a9287f 100644 86 | --- a/tests/integration/pilot/ingress_test.go 87 | +++ b/tests/integration/pilot/ingress_test.go 88 | @@ -228,7 +228,7 @@ spec: 89 | }) 90 | t.NewSubTest("status").Run(func(t framework.TestContext) { 91 | retry.UntilSuccessOrFail(t, func() error { 92 | - gwc, err := t.Clusters().Kube().Default().GatewayAPI().GatewayV1beta1().GatewayClasses().Get(context.Background(), "istio", metav1.GetOptions{}) 93 | + gwc, err := t.Clusters().Kube().Default().GatewayAPI().GatewayV1alpha2().GatewayClasses().Get(context.Background(), "istio", metav1.GetOptions{}) 94 | if err != nil { 95 | return err 96 | } 97 | @@ -601,6 +601,12 @@ spec: 98 | if hostIsIP { 99 | got = ing.Status.LoadBalancer.Ingress[0].IP 100 | } 101 | + if ing.Status.LoadBalancer.Ingress[0].Hostname != "" { 102 | + ip, _ := net.LookupIP(ing.Status.LoadBalancer.Ingress[0].Hostname) 103 | + if len(ip) > 0 { 104 | + got = ip[0].String() 105 | + } 106 | + } 107 | if got != host { 108 | return fmt.Errorf("unexpected ingress status, got %+v want %v", got, host) 109 | } 110 | 
@@ -617,6 +623,12 @@ spec: 111 | if hostIsIP { 112 | got = ing.Status.LoadBalancer.Ingress[0].IP 113 | } 114 | + if ing.Status.LoadBalancer.Ingress[0].Hostname != "" { 115 | + ip, _ := net.LookupIP(ing.Status.LoadBalancer.Ingress[0].Hostname) 116 | + if len(ip) > 0 { 117 | + got = ip[0].String() 118 | + } 119 | + } 120 | if got != host { 121 | return fmt.Errorf("unexpected ingress status, got %+v want %v", got, host) 122 | } 123 | -- 124 | 2.30.1 (Apple Git-130) 125 | 126 | -------------------------------------------------------------------------------- /tetrateci/patches/build/e2e/1.11/0001-Allow-turning-off-ALPN-in-echo-server-35447.patch: -------------------------------------------------------------------------------- 1 | From a73e4473ebf9f35d15d825077253993f6e770020 Mon Sep 17 00:00:00 2001 2 | From: John Howard 3 | Date: Mon, 4 Oct 2021 11:06:39 -0700 4 | Subject: [PATCH] Allow turning off ALPN in echo server (#35447) 5 | 6 | --- 7 | pkg/test/echo/cmd/server/main.go | 3 +++ 8 | pkg/test/echo/common/model.go | 5 +++++ 9 | pkg/test/echo/server/endpoint/http.go | 6 +++++- 10 | pkg/test/echo/server/endpoint/instance.go | 1 + 11 | pkg/test/echo/server/instance.go | 2 ++ 12 | .../components/echo/kube/deployment.go | 3 +++ 13 | .../security/ca_custom_root/main_test.go | 21 +++++++++++-------- 14 | 7 files changed, 31 insertions(+), 10 deletions(-) 15 | 16 | diff --git a/pkg/test/echo/cmd/server/main.go b/pkg/test/echo/cmd/server/main.go 17 | index e32a07dff5..30bc9d7a01 100644 18 | --- a/pkg/test/echo/cmd/server/main.go 19 | +++ b/pkg/test/echo/cmd/server/main.go 20 | @@ -48,6 +48,7 @@ var ( 21 | crt string 22 | key string 23 | istioVersion string 24 | + disableALPN bool 25 | 26 | loggingOptions = log.DefaultOptions() 27 | 28 | @@ -123,6 +124,7 @@ var ( 29 | Cluster: cluster, 30 | IstioVersion: istioVersion, 31 | UDSServer: uds, 32 | + DisableALPN: disableALPN, 33 | }) 34 | 35 | if err := s.Start(); err != nil { 36 | 
@@ -164,6 +166,7 @@ func init() { 37 | rootCmd.PersistentFlags().StringVar(&crt, "crt", "", "gRPC TLS server-side certificate") 38 | rootCmd.PersistentFlags().StringVar(&key, "key", "", "gRPC TLS server-side key") 39 | rootCmd.PersistentFlags().StringVar(&istioVersion, "istio-version", "", "Istio sidecar version") 40 | + rootCmd.PersistentFlags().BoolVar(&disableALPN, "disable-alpn", disableALPN, "disable ALPN negotiation") 41 | 42 | loggingOptions.AttachCobraFlags(rootCmd) 43 | 44 | diff --git a/pkg/test/echo/common/model.go b/pkg/test/echo/common/model.go 45 | index 0433f36ef8..2e721ebdd7 100644 46 | --- a/pkg/test/echo/common/model.go 47 | +++ b/pkg/test/echo/common/model.go 48 | @@ -28,6 +28,11 @@ type TLSSettings struct { 49 | Hostname string 50 | // If set to true, the cert will be provisioned by proxy, and extra cert volume will be mounted. 51 | ProxyProvision bool 52 | + // AcceptAnyALPN, if true, will make the server accept ANY ALPNs. This comes at the expense of 53 | + // allowing h2 negotiation and being able to detect the negotiated ALPN (as there is none), because 54 | + // Golang doesn't like us doing this (https://github.com/golang/go/issues/46310). 55 | + // This is useful when the server is simulating Envoy which does unconventional things with ALPN. 56 | + AcceptAnyALPN bool 57 | } 58 | 59 | // Port represents a network port where a service is listening for 60 | diff --git a/pkg/test/echo/server/endpoint/http.go b/pkg/test/echo/server/endpoint/http.go 61 | index 59aa38abd6..2d93d55fa4 100644 62 | --- a/pkg/test/echo/server/endpoint/http.go 63 | +++ b/pkg/test/echo/server/endpoint/http.go 64 | 
@@ -86,9 +86,13 @@ func (s *httpInstance) Start(onReady OnReadyFunc) error { 65 | if cerr != nil { 66 | return fmt.Errorf("could not load TLS keys: %v", cerr) 67 | } 68 | + nextProtos := []string{"h2", "http/1.1", "http/1.0"} 69 | + if s.DisableALPN { 70 | + nextProtos = nil 71 | + } 72 | config := &tls.Config{ 73 | Certificates: []tls.Certificate{cert}, 74 | - NextProtos: []string{"h2", "http/1.1", "http/1.0"}, 75 | + NextProtos: nextProtos, 76 | GetConfigForClient: func(info *tls.ClientHelloInfo) (*tls.Config, error) { 77 | // There isn't a way to pass through all ALPNs presented by the client down to the 78 | // HTTP server to return in the response. However, for debugging, we can at least log 79 | diff --git a/pkg/test/echo/server/endpoint/instance.go b/pkg/test/echo/server/endpoint/instance.go 80 | index f2ccbf5086..f6a0c7de16 100644 81 | --- a/pkg/test/echo/server/endpoint/instance.go 82 | +++ b/pkg/test/echo/server/endpoint/instance.go 83 | @@ -40,6 +40,7 @@ type Config struct { 84 | Port *common.Port 85 | ListenerIP string 86 | IstioVersion string 87 | + DisableALPN bool 88 | } 89 | 90 | // Instance of an endpoint that serves the Echo application on a single port/protocol. 91 | diff --git a/pkg/test/echo/server/instance.go b/pkg/test/echo/server/instance.go 92 | index b3040fcea7..ccf0557855 100644 93 | --- a/pkg/test/echo/server/instance.go 94 | +++ b/pkg/test/echo/server/instance.go 95 | @@ -47,6 +47,7 @@ type Config struct { 96 | Cluster string 97 | Dialer common.Dialer 98 | IstioVersion string 99 | + DisableALPN bool 100 | } 101 | 102 | func (c Config) String() string { 103 | @@ -164,6 +165,7 @@ func (s *Instance) newEndpoint(port *common.Port, udsServer string) (endpoint.In 104 | TLSKey: s.TLSKey, 105 | Dialer: s.Dialer, 106 | ListenerIP: ip, 107 | + DisableALPN: s.DisableALPN, 108 | IstioVersion: s.IstioVersion, 109 | }) 110 | } 111 | 
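Review bot: The new `if s.DisableALPN` branch sets `NextProtos` to nil without saying what that costs; the only explanation lives on `TLSSettings.AcceptAnyALPN` in model.go, under a different name. I would add a comment above the branch such as `// Test-only: with no NextProtos the server advertises no ALPN, so h2 is never negotiated and the negotiated protocol cannot be reported.` and mention in the `--disable-alpn` flag help that the deployment template sets it from AcceptAnyALPN. Start continues outside the hunk.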
diff --git a/pkg/test/framework/components/echo/kube/deployment.go b/pkg/test/framework/components/echo/kube/deployment.go 112 | index 667a79fa7c..75079eb210 100644 113 | --- a/pkg/test/framework/components/echo/kube/deployment.go 114 | +++ b/pkg/test/framework/components/echo/kube/deployment.go 115 | @@ -221,6 +221,9 @@ spec: 116 | {{- if $.TLSSettings }} 117 | - --crt=/etc/certs/custom/cert-chain.pem 118 | - --key=/etc/certs/custom/key.pem 119 | +{{- if $.TLSSettings.AcceptAnyALPN}} 120 | + - --disable-alpn 121 | +{{- end }} 122 | {{- else }} 123 | - --crt=/cert.crt 124 | - --key=/cert.key 125 | diff --git a/tests/integration/security/ca_custom_root/main_test.go b/tests/integration/security/ca_custom_root/main_test.go 126 | index 095a242184..293bc5c085 100644 127 | --- a/tests/integration/security/ca_custom_root/main_test.go 128 | +++ b/tests/integration/security/ca_custom_root/main_test.go 129 | @@ -141,9 +141,10 @@ func SetupApps(ctx resource.Context, apps *EchoDeployments) error { 130 | }, 131 | }, 132 | TLSSettings: &common.TLSSettings{ 133 | - RootCert: rootCert, 134 | - ClientCert: clientCert, 135 | - Key: Key, 136 | + RootCert: rootCert, 137 | + ClientCert: clientCert, 138 | + Key: Key, 139 | + AcceptAnyALPN: true, 140 | }, 141 | }). 142 | WithConfig(echo.Config{ 143 | @@ -165,9 +166,10 @@ func SetupApps(ctx resource.Context, apps *EchoDeployments) error { 144 | }, 145 | }, 146 | TLSSettings: &common.TLSSettings{ 147 | - RootCert: rootCert, 148 | - ClientCert: clientCert, 149 | - Key: Key, 150 | + RootCert: rootCert, 151 | + ClientCert: clientCert, 152 | + Key: Key, 153 | + AcceptAnyALPN: true, 154 | }, 155 | }). 156 | WithConfig(echo.Config{ 157 | 
@@ -190,9 +192,10 @@ func SetupApps(ctx resource.Context, apps *EchoDeployments) error { 158 | }, 159 | }, 160 | TLSSettings: &common.TLSSettings{ 161 | - RootCert: rootCertAlt, 162 | - ClientCert: clientCertAlt, 163 | - Key: keyAlt, 164 | + RootCert: rootCertAlt, 165 | + ClientCert: clientCertAlt, 166 | + Key: keyAlt, 167 | + AcceptAnyALPN: true, 168 | }, 169 | }). 170 | WithConfig(echo.Config{ 171 | -- 172 | 2.21.1 (Apple Git-122.3) 173 | 174 | -------------------------------------------------------------------------------- /tetrateci/create_istio_release.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -o errexit 4 | set -o pipefail 5 | set -x 6 | 7 | BASEDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )" 8 | 9 | sudo rm -rf /usr/local/go 10 | 11 | source ${BASEDIR}/tetrateci/setup_go.sh 12 | 13 | 14 | 15 | ## Set up release-builder 16 | 17 | # BOM is needed for generating bill of materials, required by Istio since 1.13, https://github.com/istio/release-builder/pull/893 18 | # go install sigs.k8s.io/bom/cmd/bom@v0.2.2 19 | # sudo cp /home/runner/go/bin/bom /usr/local/bin/ 20 | 21 | sudo gem install fpm 22 | sudo apt-get install go-bindata -y 23 | export BRANCH=release-${REL_BRANCH_VER} 24 | cd .. 25 | rm -rf release-builder 26 | git clone https://github.com/istio/release-builder --branch ${BRANCH} 27 | 28 | 29 | # HACK : the github runner runs provides 14 GB free space. (https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources). 30 | # Temporary thing, we should be moving to a custom runner instead. 
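# ---------------------------------------------------------------------------
# Build, verify and publish the Istio release artifacts.
#
# This part of the script reads BASEDIR (set at the top of the script) and the
# environment variables TAG, HUB, TEST and GOLANG_VERSION. GOLANG_VERSION is
# not assigned in this part; presumably setup_go.sh exports it — verify.
# It runs with errexit/pipefail/xtrace enabled by the script header.
# ---------------------------------------------------------------------------

echo "Deleting /usr/share/dotnet, /opt/ghc, /usr/local/share/boost to reclaim space"
for i in /usr/share/dotnet /opt/ghc /usr/local/share/boost; do echo deleting folder $i; [ -d $i ] && rm -rf "$i" ; done
echo "Deletion complete"

# HACK : This is needed during istio build for istiod to serve version command
export ISTIO_VERSION=$TAG

# We are not using a docker container to build the istioctl binary and images, so we make it explicit
export BUILD_WITH_CONTAINER=0

# HACK : For FIPS change the distroless base image to include glibc
# We would use the same distroless base image as istio-proxy for pilot and operator
# HACK : change envoy/wasm base URL to point to FIPS compliant one
if [[ ${TAG} =~ "fips" ]]; then
  PROXY_DISTROLESS_BASE=$(grep 'as distroless' ${BASEDIR}/pilot/docker/Dockerfile.proxyv2)
  # Escape '/' so the base-image line can be used as a sed replacement
  PROXY_DISTROLESS_BASE_ESCAPED=$(sed 's/\//\\\//g' <<< ${PROXY_DISTROLESS_BASE})
  sed -i "s/.*as distroless/${PROXY_DISTROLESS_BASE_ESCAPED}/" ${BASEDIR}/operator/docker/Dockerfile.operator
  export ISTIO_ENVOY_BASE_URL=https://storage.googleapis.com/getistio-build/proxy-fips
fi


if [[ "$(uname -m)" = "aarch64" ]]; then
  # Point every Dockerfile at the ARM image registry ...
  sed -i 's/gcr\.io\/istio-release/gcr\.io\/tetrate-istio-arm/' $(find ${BASEDIR} | grep Dockerfile)
  # ... except the iptables base image, which is switched back to istio-release
  # and pinned to a fixed digest.
  sed -i 's/gcr\.io\/tetrate-istio-arm\/iptables@sha256:[0-9a-f]*/gcr\.io\/istio-release\/iptables@sha256:8efeb55ddf08f2f513d303b8f0ff42c9f08f355de2f4124e641d209d11a6af91/' ${BASEDIR}/pilot/docker/Dockerfile.proxyv2
  export ISTIO_ENVOY_BASE_URL=https://storage.googleapis.com/getistio-build/proxy-arm
  export BASE_VERSION=1602e34d9524a2a312907aab276bcd7100da52df # 1.12

fi




# HACK : default manifest from release builder is modified
echo "Generating the manifests"
# we are generating the different yamls for both the archive & docker image builds which are saved to release-builder folder
# NOTE(review): pyyaml is installed unpinned inside a release build; pinning a
# version (and hash) would make the manifest generator run against a known package.
python3 -m pip install pyyaml --user
${BASEDIR}/tetrateci/gen_release_manifest.py ${BASEDIR}/../release-builder/example/manifest.yaml ${BASEDIR}/../release-builder/

# if length $TEST is zero we are making a RELEASE. It should have both images and archives
# The test flag is to check whether we are building images for testing or release
# in case of release we build the istioctl too which we don't need in case of testing.
echo "TEST flag is '${TEST:-}'"

echo "Getting into release builder"
cd release-builder

if [[ "$(uname -m)" = "aarch64" ]]; then
  sed -i 's/linux_amd64/linux_arm64/' pkg/model/model.go
fi

echo "Copying istio directory"
cp -r ../istio .
# export IMAGE_VERSION=$(curl https://raw.githubusercontent.com/istio/test-infra/master/prow/config/jobs/release-builder.yaml | grep "image: gcr.io" | head -n 1 | cut -d: -f3)
# make shell TODO: https://github.com/tetratelabs/getistio/issues/82

# "Enabling CGO for FIPS build via CGO_ENABLED=1"
echo "Enabling CGO for FIPS build via CGO_ENABLED=1 to istio/common/scripts/gobuild.sh"

if [[ ${TAG} =~ "fips" ]]; then
  echo "Checking if the upstream file is not changed"
  # Refuse to patch gobuild.sh if the line we rewrite is no longer there.
  if ! grep -q 'CGO_ENABLED=${CGO_ENABLED:-0}' istio/common/scripts/gobuild.sh;then exit 1;fi
  text="if [[ "\${GOARCH}" == "amd64" ]]; then export CGO_ENABLED=1; else export CGO_ENABLED=0; fi"
  sed -i 's/export CGO_ENABLED=${CGO_ENABLED:-0}/'"$text"'/g' istio/common/scripts/gobuild.sh
fi

# Generalizing TAG variable exporting option to incorporate ARM build.We need amd64 and arm64 suffix in docker images to create multi-arch images.Not needed for tetrate and tetratefips build.
if [[ ${TAG} =~ "multiarch" ]]; then
  if [[ "$(uname -m)" = "aarch64" ]]; then
    export TAG="${TAG}-arm64"
  else
    export TAG="${TAG}-amd64"
  fi
fi

#install rpm-build package
sudo apt-get install rpm -y
# Build Docker Images
sudo rm -rf /tmp/istio-release && mkdir /tmp/istio-release

if [[ ${TAG} =~ "fips" ]]; then
  GOEXPERIMENT=boringcrypto go run main.go build --manifest manifest.docker.yaml
else
  go run main.go build --manifest manifest.docker.yaml
fi
# go run main.go validate --release /tmp/istio-release/out # seems like it fails if not all the targets are generated

# Load the pilot image manually: `docker create` fails when the image is not available locally.
docker load -i /tmp/istio-release/out/docker/pilot.tar.gz

CONTAINER_ID=$(docker create $HUB/pilot:$TAG)
docker cp $CONTAINER_ID:/usr/local/bin/pilot-discovery pilot-bin
# Go version with which the binaries for the docker images were built
BUILD_GO_VERSION=$(go version pilot-bin | cut -f2 -d" ")
echo "Images are built with: go $BUILD_GO_VERSION"

# Abort before publishing if the toolchain recorded in the binary is not the
# expected one. Operands are quoted so an empty value fails the comparison
# cleanly instead of producing a `[` syntax error.
if [ "$BUILD_GO_VERSION" != "go$GOLANG_VERSION" ]; then
  echo "pilot-discovery was built with '$BUILD_GO_VERSION', expected 'go$GOLANG_VERSION'" >&2
  exit 1
fi

# Check if binaries are compiled with boringcrypto.
# This must use [[ ]]: `[` has no `=~` operator, so the previous single-bracket
# test always failed and this verification never ran for FIPS tags.
# Note the check inspects only the third field of `go version pilot-bin`.
if [[ ${TAG} =~ "fips" ]]; then
  CHECK_CRYPTO=$(go version pilot-bin| cut -f3 -d" ")
  if [[ $CHECK_CRYPTO != X:boringcrypto ]]; then
    echo "FIPS build requested but pilot-discovery reports '$CHECK_CRYPTO' instead of X:boringcrypto" >&2
    exit 1
  fi
fi

go run main.go publish --release /tmp/istio-release/out --dockerhub $HUB
echo "Cleaning up the istio source artificats...."
sudo rm -rf /tmp/istio-release/sources/

# Archives are built on x86_64 only; other architectures stop after publishing images.
if [[ "$(uname -m)" = "x86_64" ]]; then
  # Drop the "-amd64" suffix added for multiarch image tags before regenerating manifests.
  export TAG="${TAG%-amd64}"
  ${BASEDIR}/tetrateci/gen_release_manifest.py ${BASEDIR}/../release-builder/example/manifest.yaml ${BASEDIR}/../release-builder/
else
  exit 0
fi

# If RELEASE, Build Archives
if [[ -z ${TEST:-} ]]; then
  echo "Building archives..."
  # if FIPS, need to use native go as boringgo as of now can't build archives for different platforms
  if [[ ${TAG} =~ "fips" ]]; then
    sudo rm -rf /usr/local/go
    source ${BASEDIR}/tetrateci/setup_go.sh
    # disabling cgo flag
    sed -i '/then export CGO_ENABLED=1/c\export CGO_ENABLED=0' istio/common/scripts/gobuild.sh
  fi
  echo "Cleaning up older artifacts created in docker build stage ..."
  sudo rm -rf /tmp/istio-release/sources/ && sudo rm -rf /tmp/istio-release/work/
  echo "Prunning docker images to reclaim more space for 1.13.x-fips release"
  for i in `docker images | grep -i app_sidecar | awk {'print $3'} | tail -n +2`; do echo pruning $i; docker rmi $i --force; done
  go run main.go build --manifest manifest.archive.yaml

  # NOTE(review): cloudsmith-cli is installed with --upgrade and no version pin,
  # so the tool that uploads release archives can change between runs.
  python3 -m pip install --upgrade cloudsmith-cli --user
  export PATH=$PATH:/home/runner/.local/bin

  PACKAGES=$(ls /tmp/istio-release/out/ | grep "istio")
  for package in $PACKAGES; do
    echo "Publishing $package"
    cloudsmith push raw tetrate/getistio /tmp/istio-release/out/$package
  done
fi
echo "Cleaning /tmp/istio...."
[ -d "/tmp/istio-release" ] && sudo rm -rf /tmp/istio-release

echo "Done building and pushing the artifacts."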
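# File: .github/workflows/make_release.yml
#
# Manually dispatched release workflow. Jobs defined here: FIPS Envoy proxy
# builds for x64 and ARM64, per-architecture Istio image builds through
# tetrateci/create_istio_release.sh, a Trivy image scan, and multi-arch image
# creation through tetrateci/create_multiarch_images.sh.
#
# NOTE(review): every third-party action below is referenced by a mutable tag
# (@v0/@v1/@v2/@v3) and the Trivy image has no tag or digest. Pinning them to
# full commit SHAs / an image digest would keep a release build from silently
# picking up changed action code.
name: Make a release

on:
  workflow_dispatch:
    inputs:
      tag:
        description: Tag [e.g. 1.7.8-tetrate-v0]
        required: true

jobs:
  build_fips_proxy:
    # Only run this job when the release type equals "fips".
    if: contains(github.event.ref, 'fips')
    name: build fips proxy binary
    timeout-minutes: 840
    runs-on: ['self-hosted','Linux','x64','c5.4xlarge']
    env:
      RELEASE_GCS_PATH: gs://getistio-build/proxy-fips
    steps:
      - name: Get the tag
        id: get_tag
        run: echo ::set-output name=TAG::${GITHUB_REF#refs/tags/}
      - name: Get normalized tag
        id: get_normalized_ver
        run: echo ::set-output name=NORMALIZED_TAG::$(echo $TAG | sed 's/test-//g' | sed 's/-.*//g')
        shell: bash
        env:
          TAG: ${{ steps.get_tag.outputs.TAG }}
      - name: Get minor version
        id: get_minor_ver
        run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+')
        shell: bash
        env:
          TAG: ${{ steps.get_tag.outputs.TAG }}
      - name: Checkout
        uses: actions/checkout@v2
        with:
          repository: "istio/proxy"
          ref: ${{ steps.get_normalized_ver.outputs.NORMALIZED_TAG }}
      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v0
        with:
          project_id: ${{ secrets.GCP_PROJECT_ID }}
          service_account_key: ${{ secrets.GCP_SA_KEY }}
          export_default_credentials: true
      - name: Check if already built
        id: check_already_built
        env:
          REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }}
          TAG: ${{ steps.get_tag.outputs.TAG }}
        # Sets should_build=0 when an artifact for this SHA is already in the
        # bucket, and should_copy=0 for release branches newer than 1.17.
        # NOTE(review): bc compares REL_BRANCH_VER as a decimal number, so a
        # value such as 1.9 would count as greater than 1.17.
        run: |
          SHA=$(echo $TAG | sed 's/test-//g' | sed 's/[0-9].[0-9][0-9].[0-9]-[A-Za-z]*-//g' | sed 's/-.*//g')
          SHOULD_BUILD=1
          SHOULD_COPY=1
          if gsutil ls ${RELEASE_GCS_PATH} | grep "${SHA}[^-]" ; then
            SHOULD_BUILD=0
          fi
          if [ $(bc <<< "$REL_BRANCH_VER > 1.17") -eq 1 ];then
            SHOULD_COPY=0
          fi
          echo ::set-output name=should_build::${SHOULD_BUILD}
          echo ::set-output name=should_copy::${SHOULD_COPY}
      - name: Tweak make recipe
        if: ${{ steps.check_already_built.outputs.should_build == '1' }}
        # 1) remove unnecessary dependency on naive "build" target
        # 2) remove "-p" flag to not push and build container,
        # 3) replace RELEASE_GCS_PATH var with the literal due to docker build.
        # from push_release.
        run: |
          ESCAPED_RELEASE_GCS_PATH=$(printf '%s\n' "$RELEASE_GCS_PATH" | sed -e 's/[\/&]/\\&/g')
          sed -i "s/\-p//g; s/push_release: build/push_release:/g; s/\"\$(RELEASE_GCS_PATH)\"/${ESCAPED_RELEASE_GCS_PATH}/g" Makefile.core.mk
      - name: Tweak release-binary script
        if: ${{ steps.check_already_built.outputs.should_build == '1' }}
        # 1) Setup in-docker auth against gcloud
        # 2) Remove unnecessary debug build
        # 3) Remove unnecessary Wasm build and publish
        # Note that /work is the mount destination of the current home of make command with BUILD_WITH_CONTAINER=1.
        # NOTE(review): this makes the service-account key file reachable at
        # /work/<file> inside the build container; presumably the file sits in
        # the checkout on the self-hosted runner — confirm it is removed once
        # the job ends.
        run: |
          CREDENTIAL_FILE_NAME=$(echo ${GOOGLE_APPLICATION_CREDENTIALS} | awk -F/ '{print $NF}')
          cp scripts/release-binary.sh scripts/release-binary.sh.tmp
          echo gcloud auth activate-service-account --key-file="/work/${CREDENTIAL_FILE_NAME}" > scripts/release-binary.sh
          cat scripts/release-binary.sh.tmp >> scripts/release-binary.sh
          sed -i 's/for config in release release-symbol asan debug/for config in release/g' scripts/release-binary.sh
          sed -i -n '/Build and publish Wasm plugins/q;p' scripts/release-binary.sh
          cat scripts/release-binary.sh

      - name: Add FIPS flag
        if: ${{ steps.check_already_built.outputs.should_build == '1' }}
        run: echo "build --define boringssl=fips" >> .bazelrc

      - name: Build and push
        if: ${{ steps.check_already_built.outputs.should_build == '1' }}
        env:
          BUILD_WITH_CONTAINER: 1
        run: make push_release

      - name: Put CentOS binary
        env:
          REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }}
          TAG: ${{ steps.get_tag.outputs.TAG }}
        # Copy the binary built on Ubuntu to CentOS path - this binary cannot run on CentOS/RHEL 7, but fine with CentOS 8.
        # The point is that we cannot build FIPS binary directly on CentOS 7 due to the constraints described in the BoringCrypto certification.
        run: |
          SHA=$(echo $TAG | sed 's/test-//g' | sed 's/[0-9].[0-9][0-9].[0-9]-[A-Za-z]*-//g' | sed 's/-.*//g')
          gsutil cp ${RELEASE_GCS_PATH}/envoy-alpha-${SHA}.tar.gz ${RELEASE_GCS_PATH}/envoy-centos-alpha-${SHA}.tar.gz

      - name: Put Wasm binary
        if: ${{ steps.check_already_built.outputs.should_build == '1' && steps.check_already_built.outputs.should_copy == '1' }}
        # Copy the built Wasm binary in the upstream to the bucket - Wasm is nothing to do with FIPS stuff.
        env:
          UPSTREAM_GCSP_PATH: gs://istio-build/proxy
          REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }}
          TAG: ${{ steps.get_tag.outputs.TAG }}
        run: |
          SHA1=$(git rev-parse --verify HEAD)
          SHA=$(echo $TAG | sed 's/test-//g' | sed 's/[0-9].[0-9][0-9].[0-9]-[A-Za-z]*-//g' | sed 's/-.*//g')
          gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA1}.compiled.wasm" "${RELEASE_GCS_PATH}/metadata_exchange-${SHA}.compiled.wasm"
          gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA1}.compiled.wasm.sha256" "${RELEASE_GCS_PATH}/metadata_exchange-${SHA}.compiled.wasm.sha256"
          gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA1}.wasm" "${RELEASE_GCS_PATH}/metadata_exchange-${SHA}.wasm"
          gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA1}.wasm.sha256" "${RELEASE_GCS_PATH}/metadata_exchange-${SHA}.wasm.sha256"
          gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA1}.compiled.wasm" "${RELEASE_GCS_PATH}/stats-${SHA}.compiled.wasm"
          gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA1}.compiled.wasm.sha256" "${RELEASE_GCS_PATH}/stats-${SHA}.compiled.wasm.sha256"
          gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA1}.wasm" "${RELEASE_GCS_PATH}/stats-${SHA}.wasm"
          gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA1}.wasm.sha256" "${RELEASE_GCS_PATH}/stats-${SHA}.wasm.sha256"

  build_fips_arm_proxy:
    if: contains(github.event.ref, 'fips')
    name: build ARM proxy binary
    timeout-minutes: 1440 # 24 hours
    runs-on: ['self-hosted','Linux','ARM64','arm64-32']
    env:
      RELEASE_GCS_PATH: gs://getistio-build/proxy-fips
      ARCH_SUFFIX: arm64
    steps:
      # Added: the steps below read steps.get_tag.outputs.TAG, but this job had
      # no step with id get_tag, so TAG (and the checkout ref derived from it)
      # was empty. Same step as in build_fips_proxy.
      - name: Get the tag
        id: get_tag
        run: echo ::set-output name=TAG::${GITHUB_REF#refs/tags/}
      - name: Get normalized tag
        id: get_normalized_ver
        run: echo ::set-output name=NORMALIZED_TAG::$(echo $TAG | sed 's/test-//g' | sed 's/-.*//g')
        shell: bash
        env:
          TAG: ${{ steps.get_tag.outputs.TAG }}
      - name: Get minor version
        id: get_minor_ver
        run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+')
        shell: bash
        env:
          TAG: ${{ steps.get_tag.outputs.TAG }}
      - name: Checkout
        uses: actions/checkout@v2
        with:
          repository: "istio/proxy"
          ref: ${{ steps.get_normalized_ver.outputs.NORMALIZED_TAG }}
      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v0
        with:
          project_id: ${{ secrets.GCP_PROJECT_ID }}
          service_account_key: ${{ secrets.GCP_SA_KEY }}
          export_default_credentials: true
      - name: Check if already built
        id: check_already_built
        env:
          REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }}
          TAG: ${{ steps.get_tag.outputs.TAG }}
        run: |
          SHA=$(echo $TAG | sed 's/test-//g' | sed 's/[0-9].[0-9][0-9].[0-9]-[A-Za-z]*-//g' | sed 's/-.*//g')
          SHOULD_BUILD=1
          if gsutil ls ${RELEASE_GCS_PATH} | grep "${SHA}[^-]" ; then
            SHOULD_BUILD=0
          fi
          echo ::set-output name=should_build::${SHOULD_BUILD}
      - name: Tweak make recipe
        if: ${{ steps.check_already_built.outputs.should_build == '1' }}
        # 1) remove unnecessary dependency on naive "build" target
        # 2) remove "-p" flag to not push and build container,
        # 3) replace RELEASE_GCS_PATH var with the literal due to docker build.
        # from push_release.
        run: |
          ESCAPED_RELEASE_GCS_PATH=$(printf '%s\n' "$RELEASE_GCS_PATH" | sed -e 's/[\/&]/\\&/g')
          sed -i "s/\-p//g; s/push_release: build/push_release:/g; s/\"\$(RELEASE_GCS_PATH)\"/${ESCAPED_RELEASE_GCS_PATH}/g" Makefile.core.mk
      - name: Tweak release-binary script
        if: ${{ steps.check_already_built.outputs.should_build == '1' }}
        # 1) Setup in-docker auth against gcloud
        # 2) Remove unnecessary debug build
        # 3) Remove unnecessary Wasm build and publish
        # Note that /work is the mount destination of the current home of make command with BUILD_WITH_CONTAINER=1.
        run: |
          CREDENTIAL_FILE_NAME=$(echo ${GOOGLE_APPLICATION_CREDENTIALS} | awk -F/ '{print $NF}')
          cp scripts/release-binary.sh scripts/release-binary.sh.tmp
          echo gcloud auth activate-service-account --key-file="/work/${CREDENTIAL_FILE_NAME}" > scripts/release-binary.sh
          cat scripts/release-binary.sh.tmp >> scripts/release-binary.sh
          sed -i 's/release release\-symbol debug/release release\-symbol/' scripts/release-binary.sh
          sed -i '/if \[\[ "${BUILD_ENVOY_BINARY_ONLY}" !/, +6d' scripts/release-binary.sh
          sed -i -n '/Build and publish Wasm plugins/q;p' scripts/release-binary.sh
          cat scripts/release-binary.sh
      - name: Add FIPS flag
        if: ${{ steps.check_already_built.outputs.should_build == '1' }}
        run: echo "build --define boringssl=fips" >> .bazelrc
      - name: Build and push
        if: ${{ steps.check_already_built.outputs.should_build == '1' }}
        env:
          BUILD_ENVOY_BINARY_ONLY: 1
          BUILD_WITH_CONTAINER: 1
        run: make push_release

  create-images-arm64:
    name: create-images-arm64
    runs-on: ["self-hosted", "arm64"]
    env:
      TARGETARCH: arm64
      DOCKER_ARCHITECTURES: linux/arm64
      HUB: ${{ secrets.CLOUDSMITH_HUB }}
    # NOTE(review): this read `needs: [build_arm_proxy]`, a job id that is not
    # defined in this workflow. build_fips_arm_proxy is the assumed intent —
    # confirm.
    needs: [build_fips_arm_proxy]
    # 'if' condition causes this job to run even if some of the dependent jobs
    # have been skipped, e.g. `build_fips_arm_proxy` on a non-FIPS ref. The
    # status functions are needed for that; a bare contains() would skip this
    # job whenever the dependency is skipped.
    # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful
    if: ${{ !cancelled() && !failure() && contains(github.event.ref, 'multiarch') }}

    steps:
      - name: Checkout to choosen tag
        uses: actions/checkout@v2
        with:
          ref: ${{ github.event.inputs.tag }}
          fetch-depth: 0

      - name: Login to CloudSmith
        uses: docker/login-action@v1
        with:
          registry: ${{ env.HUB }}
          username: ${{ secrets.CLOUDSMITH_USER }}
          password: ${{ secrets.CLOUDSMITH_API_KEY }}

      - name: Get Registry
        id: get_registry
        run: |
          [[ ${HUB} == *.* ]] && REGISTRY=$(echo ${HUB} | cut -d/ -f1)
          echo REGISTRY=${REGISTRY}
          echo REGISTRY=${REGISTRY} >> $GITHUB_ENV

      - name: Get the tag
        id: get_tag
        run: echo ::set-output name=TAG::${GITHUB_REF/refs\/tags\/test-/}
        shell: bash

      - name: Get minor version
        id: get_minor_ver
        run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+')
        shell: bash
        env:
          TAG: ${{ github.event.inputs.tag }}

      - name: build and push images
        run: bash ./tetrateci/create_istio_release.sh
        env:
          CLOUDSMITH_USER: ${{ secrets.CLOUDSMITH_USER }}
          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
          TAG: ${{ github.event.inputs.tag }}
          REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }}

  create-images-amd64:
    name: create-images-amd64
    runs-on: ['self-hosted','Linux','x64','c5.4xlarge']
    needs: [build_fips_proxy]
    # 'if' condition causes this job to run even if some of the dependent jobs
    # have been skipped, e.g. `build_fips_proxy`.
    # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful
    if: ${{ !cancelled() && !failure() }}
    env:
      HUB: ${{ secrets.CLOUDSMITH_HUB }}

    steps:
      - name: Checkout to choosen tag
        uses: actions/checkout@v2
        with:
          ref: ${{ github.event.inputs.tag }}
          fetch-depth: 0

      - name: Login to CloudSmith
        uses: docker/login-action@v1
        with:
          registry: ${{ env.HUB }}
          username: ${{ secrets.CLOUDSMITH_USER }}
          password: ${{ secrets.CLOUDSMITH_API_KEY }}

      - name: Get Registry
        id: get_registry
        run: |
          [[ ${HUB} == *.* ]] && REGISTRY=$(echo ${HUB} | cut -d/ -f1)
          echo REGISTRY=${REGISTRY}
          echo REGISTRY=${REGISTRY} >> $GITHUB_ENV

      - name: Get minor version
        id: get_minor_ver
        run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+')
        shell: bash
        env:
          TAG: ${{ github.event.inputs.tag }}

      - name: build and push images
        run: bash ./tetrateci/create_istio_release.sh
        env:
          CLOUDSMITH_USER: ${{ secrets.CLOUDSMITH_USER }}
          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
          TAG: ${{ github.event.inputs.tag }}
          REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }}

  Scan:
    name: Scanner
    runs-on: ubuntu-20.04
    needs: [create-images-amd64]
    if: ${{ !cancelled() && !failure() }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Get minor version
        id: get_minor_ver
        run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+')
        shell: bash
        env:
          # Was steps.get_tag.outputs.TAG, but this job has no get_tag step;
          # use the dispatch input like the image-build jobs do.
          TAG: ${{ github.event.inputs.tag }}
      - name: List docker images
        run: bash ./tetrateci/images.sh && pwd
        env:
          TAG: ${{ github.event.inputs.tag }}
      # NOTE(review): `--exit-code 0` means findings never fail this step, and
      # no other job lists Scan in `needs`, so HIGH/CRITICAL results are
      # written to SARIF but do not gate the release. The step name says
      # CRITICAL while the severity filter is HIGH,CRITICAL.
      - name: Scan images for CRITICAL vulnerabilities
        uses: docker://ghcr.io/aquasecurity/trivy
        with:
          entrypoint: /bin/sh
          args: -c "trivy image --clear-cache; for img in $(cat list.txt); do trivy image --exit-code 0 --severity HIGH,CRITICAL --no-progress --quiet --format sarif $img >> $img.sarif ;done "
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: containers.istio.tetratelabs.com

  create-multiarch-images:
    name: create-multiarch-images
    runs-on: ubuntu-latest
    needs: [create-images-amd64, create-images-arm64]
    # Runs only for refs containing 'multiarch'.
    # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful
    if: "contains(github.event.ref, 'multiarch')"
    env:
      HUB: ${{ secrets.CLOUDSMITH_HUB }}
    steps:
      - name: Checkout to choosen tag
        uses: actions/checkout@v2
        with:
          ref: ${{ github.event.inputs.tag }}
          fetch-depth: 0

      - name: Login to CloudSmith
        uses: docker/login-action@v1
        with:
          registry: ${{ env.HUB }}
          username: ${{ secrets.CLOUDSMITH_USER }}
          password: ${{ secrets.CLOUDSMITH_API_KEY }}

      - name: Get Registry
        id: get_registry
        run: |
          [[ ${HUB} == *.* ]] && REGISTRY=$(echo ${HUB} | cut -d/ -f1)
          echo REGISTRY=${REGISTRY}
          echo REGISTRY=${REGISTRY} >> $GITHUB_ENV

      - name: Get minor version
        id: get_minor_ver
        run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+')
        shell: bash
        env:
          TAG: ${{ github.event.inputs.tag }}

      - name: build and push images
        run: bash ./tetrateci/create_multiarch_images.sh
        env:
          CLOUDSMITH_USER: ${{ secrets.CLOUDSMITH_USER }}
          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
          TAG: ${{ github.event.inputs.tag }}
          REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }}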