Automator: merge upstream changes to openshift-service-mesh/istio@master #537
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* add release-note for warmup aggression change * Update releasenotes/notes/align-warmup-aggression.yaml Co-authored-by: Faseela K <[email protected]> --------- Co-authored-by: Faseela K <[email protected]>
…8292) * prevent httproute status conflict with multi-revisions Signed-off-by: Lucas Copi <[email protected]> * add tagwatcher for status to all route types Signed-off-by: Lucas Copi <[email protected]> * add integration test and release note Signed-off-by: Lucas Copi <[email protected]> * lint Signed-off-by: Lucas Copi <[email protected]> * create new revision checker Signed-off-by: Lucas Copi <[email protected]> * check match revision in register status, not in the status collection handler Signed-off-by: Lucas Copi <[email protected]> * lint Signed-off-by: Lucas Copi <[email protected]> * fix goroutine leak Signed-off-by: Lucas Copi <[email protected]> --------- Signed-off-by: Lucas Copi <[email protected]>
…ntry (#58242) * tests: add integration tests for BackendTLSPolicy applied to ServiceEntry Signed-off-by: Jacek Ewertowski <[email protected]> * Add a test case for BackendTLSPolicy with HTTPRoute Signed-off-by: Jacek Ewertowski <[email protected]> --------- Signed-off-by: Jacek Ewertowski <[email protected]>
https://storage.googleapis.com/istio-prow/logs/integ-assertion_istio_postsubmit/1991626385549955072/artifacts/ambient-1000a77ac823425cb81d309/_suite_context/istio-state-882031679/primary-0/istiod-66599dbf4b-knz5h_discovery.previous.log I believe this is because waypoint has different config from gateways ``` if (cb.sidecarProxy() || cb.proxyType == model.Waypoint) && isAutoProtocol { // Use downstream protocol. If the incoming traffic use HTTP 1.1, the // upstream cluster will use HTTP 1.1, if incoming traffic use HTTP2, // the upstream cluster will use HTTP2. cb.setUseDownstreamProtocol(cluster) } ``` so we need to take this into account
* bump go-control-plane * bump
Signed-off-by: xin.li <[email protected]>
openshift-service-mesh-bot
force-pushed
the
none-master-merge_upstream_istio_master-6253864e
branch
from
47dd415 to
4227de3
Compare
* Add timeout and headers support to Zipkin tracing provider This change adds two new optional fields to the ZipkinTracingProvider in MeshConfig: - `timeout`: Configures the HTTP request timeout when sending spans to the Zipkin collector, providing better control over trace export reliability and preventing indefinite waits. - `headers`: Allows including custom HTTP headers in requests to the Zipkin collector for authentication, authorization, and custom metadata use cases. Headers support both direct values and environment variable references for secure credential management. Implementation details: - When timeout or headers are configured, Istio uses Envoy's modern HttpService configuration with full URI support - When neither is configured, Istio uses legacy Envoy fields for backward compatibility - Added comprehensive test coverage for all configuration modes - Updated API documentation with usage examples * Add timeout and headers support to Zipkin tracing provider This change adds two new optional fields to the ZipkinTracingProvider in MeshConfig: - `timeout`: Configures the HTTP request timeout when sending spans to the Zipkin collector, providing better control over trace export reliability and preventing indefinite waits. - `headers`: Allows including custom HTTP headers in requests to the Zipkin collector for authentication, authorization, and custom metadata use cases. Headers support both direct values and environment variable references for secure credential management. Implementation details: - When timeout or headers are configured, Istio uses Envoy's modern HttpService configuration with full URI support - When neither is configured, Istio uses legacy Envoy fields for backward compatibility - Added comprehensive test coverage for all configuration modes - Updated API documentation with usage examples * This change adds two new optional fields to the ZipkinTracingProvider in MeshConfig: - `timeout`: Configures the HTTP request timeout when sending spans to the Zipkin collector, providing better control over trace export reliability and preventing indefinite waits. - `headers`: Allows including custom HTTP headers in requests to the Zipkin collector for authentication, authorization, and custom metadata use cases. Headers support both direct values and environment variable references for secure credential management. Implementation details: - When timeout or headers are configured, Istio uses Envoy's modern HttpService configuration with full URI support - When neither is configured, Istio uses legacy Envoy fields for backward compatibility - Added comprehensive test coverage for all configuration modes - Updated API documentation with usage examples * This change adds two new optional fields to the ZipkinTracingProvider in MeshConfig: - `timeout`: Configures the HTTP request timeout when sending spans to the Zipkin collector, providing better control over trace export reliability and preventing indefinite waits. - `headers`: Allows including custom HTTP headers in requests to the Zipkin collector for authentication, authorization, and custom metadata use cases. Headers support both direct values and environment variable references for secure credential management. Implementation details: - When timeout or headers are configured, Istio uses Envoy's modern HttpService configuration with full URI support - When neither is configured, Istio uses legacy Envoy fields for backward compatibility - Added comprehensive test coverage for all configuration modes - Updated API documentation with usage examples * This change adds two new optional fields to the ZipkinTracingProvider in MeshConfig: - `timeout`: Configures the HTTP request timeout when sending spans to the Zipkin collector, providing better control over trace export reliability and preventing indefinite waits. - `headers`: Allows including custom HTTP headers in requests to the Zipkin collector for authentication, authorization, and custom metadata use cases. Headers support both direct values and environment variable references for secure credential management. Implementation details: - When timeout or headers are configured, Istio uses Envoy's modern HttpService configuration with full URI support - When neither is configured, Istio uses legacy Envoy fields for backward compatibility - Added comprehensive test coverage for all configuration modes - Updated API documentation with usage examples * This change adds two new optional fields to the ZipkinTracingProvider in MeshConfig: - `timeout`: Configures the HTTP request timeout when sending spans to the Zipkin collector, providing better control over trace export reliability and preventing indefinite waits. - `headers`: Allows including custom HTTP headers in requests to the Zipkin collector for authentication, authorization, and custom metadata use cases. Headers support both direct values and environment variable references for secure credential management. Implementation details: - When timeout or headers are configured, Istio uses Envoy's modern HttpService configuration with full URI support - When neither is configured, Istio uses legacy Envoy fields for backward compatibility - Added comprehensive test coverage for all configuration modes - Updated API documentation with usage examples * This change adds two new optional fields to the ZipkinTracingProvider in MeshConfig: - `timeout`: Configures the HTTP request timeout when sending spans to the Zipkin collector, providing better control over trace export reliability and preventing indefinite waits. - `headers`: Allows including custom HTTP headers in requests to the Zipkin collector for authentication, authorization, and custom metadata use cases. Headers support both direct values and environment variable references for secure credential management. Implementation details: - When timeout or headers are configured, Istio uses Envoy's modern HttpService configuration with full URI support - When neither is configured, Istio uses legacy Envoy fields for backward compatibility - Added comprehensive test coverage for all configuration modes - Updated API documentation with usage examples * This change adds two new optional fields to the ZipkinTracingProvider in MeshConfig: - `timeout`: Configures the HTTP request timeout when sending spans to the Zipkin collector, providing better control over trace export reliability and preventing indefinite waits. - `headers`: Allows including custom HTTP headers in requests to the Zipkin collector for authentication, authorization, and custom metadata use cases. Headers support both direct values and environment variable references for secure credential management. Implementation details: - When timeout or headers are configured, Istio uses Envoy's modern HttpService configuration with full URI support - When neither is configured, Istio uses legacy Envoy fields for backward compatibility - Added comprehensive test coverage for all configuration modes - Updated API documentation with usage examples * This change adds two new optional fields to the ZipkinTracingProvider in MeshConfig: - `timeout`: Configures the HTTP request timeout when sending spans to the Zipkin collector, providing better control over trace export reliability and preventing indefinite waits. - `headers`: Allows including custom HTTP headers in requests to the Zipkin collector for authentication, authorization, and custom metadata use cases. Headers support both direct values and environment variable references for secure credential management. Implementation details: - When timeout or headers are configured, Istio uses Envoy's modern HttpService configuration with full URI support - When neither is configured, Istio uses legacy Envoy fields for backward compatibility - Added comprehensive test coverage for all configuration modes - Updated API documentation with usage examples * This change adds two new optional fields to the ZipkinTracingProvider in MeshConfig: - `timeout`: Configures the HTTP request timeout when sending spans to the Zipkin collector, providing better control over trace export reliability and preventing indefinite waits. - `headers`: Allows including custom HTTP headers in requests to the Zipkin collector for authentication, authorization, and custom metadata use cases. Headers support both direct values and environment variable references for secure credential management. Implementation details: - When timeout or headers are configured, Istio uses Envoy's modern HttpService configuration with full URI support - When neither is configured, Istio uses legacy Envoy fields for backward compatibility - Added comprehensive test coverage for all configuration modes - Updated API documentation with usage examples * Fixing the linitng issues * Making the http service available to all proxies from 1.29
* Fix kubelet detection on MicroK8s with nftables backend When Ambient mode is used with the nftables backend, this PR fixes kubelet UID detection so that it works in MicroK8s, where kubelet runs inside the unified “kubelite” daemon rather than as a standalone process. Fixes: istio/istio#58185 Signed-off-by: Sridhar Gaddam <[email protected]> * Add release notes Signed-off-by: Sridhar Gaddam <[email protected]> --------- Signed-off-by: Sridhar Gaddam <[email protected]>
openshift-service-mesh-bot
force-pushed
the
none-master-merge_upstream_istio_master-6253864e
branch
from
4227de3 to
67a0c0e
Compare
* Update GIE CRDs to include support for >1 targetPorts I planned on updating to v1.1.0 but ran into dependency issues. Now pointing to the commit that loosened restrictions on number of targetPorts. * Add support for multiple targetPorts in InferencePool This adds support for multiple targetPorts in an InferencePool by adding all targetPorts to the shadow service, and then making sure that only a single cluster is created for the dummy port (54321), allowing the EPP to loadbalance across all endpoints. * Add release note * Add integration test and EPP mock Co-Authored-By: Claude <[email protected]> --------- Co-authored-by: Claude <[email protected]>
…395) Followup to #58238
* Fix racy test Signed-off-by: Keith Mattix II <[email protected]> * Address comments Signed-off-by: Keith Mattix II <[email protected]> --------- Signed-off-by: Keith Mattix II <[email protected]>
Signed-off-by: vicerace <[email protected]>
This breaks things like a PEM cert in a configmap
* impl formatter custom tag * e2e and release notes * update * encode query param * update query * update test
Starting from Openshift 4.19 (1.32), GW API comes pre-installed and should not be deployed. But GatewayAPIInferenceExtension should be deployed on Openshift in any condition. Adding condition to make sure GatewayAPIInferenceExtension CRDs are being deployed during the test execution. Signed-off-by: Maxim Babushkin <[email protected]>
… have multiple IPs (#58398) * nds: fix missing nametable entries for pods with multiple IP families * add note * update note * use namespacedname type * use local map instead of output map when checking if remote is skippable
Signed-off-by: xin.li <[email protected]>
openshift-service-mesh-bot
force-pushed
the
none-master-merge_upstream_istio_master-6253864e
branch
from
c82455e to
a9e2da3
Compare
Contributor
|
/test istio-integration-pilot |
Contributor
|
Two ambient tests were added and are using an experimental GW API, which could not be installed in OCP 4.19 and above. |
Contributor
|
/test istio-integration-sail-pilot |
1 similar comment
Contributor
|
/test istio-integration-sail-pilot |
Contributor
|
/test istio-integration-sail-ambient |
Contributor
|
/test istio-integration-ambient |
1 similar comment
Contributor
|
/test istio-integration-ambient |
* krt: aggregate Join events for conflicting keys * fix race in test * fmt * fix goroutine leak in backend policies and add handler cleanup * better respect unchecked overlap flag * typo * relnote
Contributor
|
/test istio-integration-ambient |
When an existing Istio Ambient deployment using the iptables backend is upgraded to the nftables backend, IstioCNI shouldn’t switch to nftables silently. Doing so leaves stale iptables rules/IPsets on the host. If this happens along with reconcileIptablesOnStartup setting, the pod network namespaces end up with both nftables rules and the old iptables rules. In both cases, the stale iptables rules can cause issues until the node is rebooted. This PR updates the IstioCNI initialization code to detect any iptables artifacts on the host. If it finds them, it overrides the nftables setting, keeps using the iptables backend, and logs a message telling users to reboot the node to complete the migration. This allows safe upgrades with no pod disruption in Ambient mode. After a reboot, the old iptables artifacts are cleared and pods come up with clean namespaces, completing the migration automatically. Fixes: istio/istio#58353 Signed-off-by: Sridhar Gaddam <[email protected]>
openshift-service-mesh-bot
force-pushed
the
none-master-merge_upstream_istio_master-6253864e
branch
from
a9e2da3 to
0ae1b0e
Compare
* fix proxy version check for built-in formatters Signed-off-by: Rama Chavali <[email protected]> * remove proxy version Signed-off-by: Rama Chavali <[email protected]> * lint Signed-off-by: Rama Chavali <[email protected]> --------- Signed-off-by: Rama Chavali <[email protected]>
openshift-service-mesh-bot
force-pushed
the
none-master-merge_upstream_istio_master-6253864e
branch
from
0ae1b0e to
ee8517d
Compare
Signed-off-by: xin.li <[email protected]>
It appears that TestServerSideLB is flaky in multi-network setup. I think there are two contributing factors for that: 1. With two clusters we have twice as many backends to hit, so the same 10 attempts may not always be enough 2. Specifically when waypoints are involved, we may be affected by istio/istio#58039, though after running the test locally, it does not seem critical. Aside from that, I also cleaned up some of the skips that were added when we just started running ambient integration tests in multi-cluster environment. As things stand now there are just three known reasons why we should skip a test in ambient multi-cluster: 1. When in test workload behind a sidecar proxy tries to talk to a workload behind ztunnel (but not other way around) - the fix for that is tracked in istio/istio#57878, but given that interoperability between ambient and sidecar is not officially supported, it's ok to skip those tests. 2. We skip TestServiceDynamicEnroll because it's flaky in general and running it in single cluster mode as well as in multi-cluster mode just increases the chances of hitting a flake for somewhat unclear benefits at the moment; there is a ticket open to fix the test - istio/istio#58228. 3. We skip TestTrafficSplit at the moment because it relies on subsetting and we lose that information when we cross network boundary; it's debatable if we want to support this feature at all in multi-cluster, but for now we track it in istio/istio#58140. All other tests should be running and passing in ambient multi-cluster mode. Fixes #58020 Fixes #58080 Fixes #56228 Signed-off-by: Mikhail Krinkin <[email protected]>
* Add missing permission for watching remote configmaps Signed-off-by: Jacek Ewertowski <[email protected]> * Implement watching remote trust domain Signed-off-by: Jacek Ewertowski <[email protected]> * Add a release note Signed-off-by: Jacek Ewertowski <[email protected]> * Implement restricted mesh watcher Signed-off-by: Jacek Ewertowski <[email protected]> * Make TestWatcher an impl of RestrictedConfigWatcher Signed-off-by: Jacek Ewertowski <[email protected]> --------- Signed-off-by: Jacek Ewertowski <[email protected]>
Contributor
|
The test failure in telemetry test suite more complicated. I've created the following fix, but still need to work on it. |
* upstream/master: (54 commits) update min k8s version (#58485) Automator: update ztunnel@master in istio/istio@master (#58480) pilot: watch meshConfig in remote clusters (#58455) Fix ambient multi-cluster integration tests (#58466) Automator: update common-files@master in istio/istio@master (#58495) improve the istioctl waypoint status describe and example (#58482) fix proxy version check for built-in formatters (#58469) Support safe migration from iptables to nftables in Ambient (#58354) krt: aggregate Join events for conflicting keys (#58324) Automator: update proxy@master in istio/istio@master (#58458) addons: Bump addons version (#58443) add indication for the requests count (#58454) `istioctl`: Display proxy cert serial numbers with trailing zeros (#58449) nds: fix missing IP addresses in headless nametable entries when pods have multiple IPs (#58398) Adapt TestInferencePoolMultipleTargetPorts test to Openshift (#58448) Add istiod_remote_cluster_sync_status metric (#58384) Automator: update proxy@master in istio/istio@master (#58446) Automator: update istio/client-go@master dependency in istio/istio@master (#58421) Automator: update proxy@master in istio/istio@master (#58439) Automator: update proxy@master in istio/istio@master (#58437) ...
openshift-service-mesh-bot
force-pushed
the
none-master-merge_upstream_istio_master-6253864e
branch
from
ee8517d to
b98e155
Compare
|
@openshift-service-mesh-bot: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Generated by Automator - 2025-12-05T05:03:33+00:00