Merge branch 'release-1.1' into master-merge-again

AmitKumarDas · May 14, 2019 · aa554e7 · aa554e7
2 parents c2d324a + 04850e1
commit aa554e7
Show file tree

Hide file tree

Showing 51 changed files with 681 additions and 371 deletions.
diff --git a/install/kubernetes/helm/istio/charts/certmanager/values.yaml b/install/kubernetes/helm/istio/charts/certmanager/values.yaml
@@ -27,5 +27,5 @@ nodeSelector: {}
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
 # “security” and value “S1”.
-podAntiAffinityLabelSelector: {}
-podAntiAffinityTermLabelSelector: {}
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
diff --git a/install/kubernetes/helm/istio/charts/galley/templates/deployment.yaml b/install/kubernetes/helm/istio/charts/galley/templates/deployment.yaml
@@ -53,6 +53,7 @@ spec:
           - --livenessProbePath=/healthliveness
           - --readinessProbePath=/healthready
           - --readinessProbeInterval=1s
+          - --deployment-namespace={{ .Release.Namespace }}
 {{- if $.Values.global.controlPlaneSecurityEnabled}}
           - --insecure=false
 {{- else }}

diff --git a/install/kubernetes/helm/istio/charts/galley/values.yaml b/install/kubernetes/helm/istio/charts/galley/values.yaml
@@ -24,5 +24,5 @@ nodeSelector: {}
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
 # “security” and value “S1”.
-podAntiAffinityLabelSelector: {}
-podAntiAffinityTermLabelSelector: {}
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
diff --git a/install/kubernetes/helm/istio/charts/gateways/templates/_affinity.tpl b/install/kubernetes/helm/istio/charts/gateways/templates/_affinity.tpl
@@ -62,7 +62,7 @@
         matchExpressions:
         - key: {{ $item.key }}
           operator: {{ $item.operator }}
-          {{- if $item.value }}
+          {{- if $item.values }}
           values:
           {{- $vals := split "," $item.values }}
           {{- range $i, $v := $vals }}
@@ -88,6 +88,5 @@
             {{- end }}
             {{- end }}
         topologyKey: {{ $item.topologyKey }}
-      weight: 100
     {{- end }}
 {{- end }}
diff --git a/install/kubernetes/helm/istio/charts/gateways/values.yaml b/install/kubernetes/helm/istio/charts/gateways/values.yaml
@@ -133,8 +133,8 @@ istio-ingressgateway:
   # This pod anti-affinity rule says that the pod requires not to be scheduled
   # onto a node if that node is already running a pod with label having key
   # “security” and value “S1”.
-  podAntiAffinityLabelSelector: {}
-  podAntiAffinityTermLabelSelector: {}
+  podAntiAffinityLabelSelector: []
+  podAntiAffinityTermLabelSelector: []
 
 istio-egressgateway:
   enabled: false
@@ -208,8 +208,8 @@ istio-egressgateway:
   # This pod anti-affinity rule says that the pod requires not to be scheduled
   # onto a node if that node is already running a pod with label having key
   # “security” and value “S1”.
-  podAntiAffinityLabelSelector: {}
-  podAntiAffinityTermLabelSelector: {}
+  podAntiAffinityLabelSelector: []
+  podAntiAffinityTermLabelSelector: []
 
 # Mesh ILB gateway creates a gateway of type InternalLoadBalancer,
 # for mesh expansion. It exposes the mtls ports for Pilot,CA as well

diff --git a/install/kubernetes/helm/istio/charts/grafana/values.yaml b/install/kubernetes/helm/istio/charts/grafana/values.yaml
@@ -47,8 +47,8 @@ nodeSelector: {}
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
 # “security” and value “S1”.
-podAntiAffinityLabelSelector: {}
-podAntiAffinityTermLabelSelector: {}
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
 
 contextPath: /grafana
 service:

diff --git a/install/kubernetes/helm/istio/charts/istiocoredns/values.yaml b/install/kubernetes/helm/istio/charts/istiocoredns/values.yaml
@@ -28,5 +28,5 @@ nodeSelector: {}
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
 # “security” and value “S1”.
-podAntiAffinityLabelSelector: {}
-podAntiAffinityTermLabelSelector: {}
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
diff --git a/install/kubernetes/helm/istio/charts/kiali/values.yaml b/install/kubernetes/helm/istio/charts/kiali/values.yaml
@@ -26,8 +26,8 @@ nodeSelector: {}
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
 # “security” and value “S1”.
-podAntiAffinityLabelSelector: {}
-podAntiAffinityTermLabelSelector: {}
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
 
 ingress:
   enabled: false

diff --git a/install/kubernetes/helm/istio/charts/mixer/values.yaml b/install/kubernetes/helm/istio/charts/mixer/values.yaml
@@ -66,8 +66,8 @@ nodeSelector: {}
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
 # “security” and value “S1”.
-podAntiAffinityLabelSelector: {}
-podAntiAffinityTermLabelSelector: {}
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
 
 adapters:
   kubernetesenv:

diff --git a/install/kubernetes/helm/istio/charts/nodeagent/values.yaml b/install/kubernetes/helm/istio/charts/nodeagent/values.yaml
@@ -30,5 +30,5 @@ nodeSelector: {}
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
 # “security” and value “S1”.
-podAntiAffinityLabelSelector: {}
-podAntiAffinityTermLabelSelector: {}
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
diff --git a/install/kubernetes/helm/istio/charts/pilot/values.yaml b/install/kubernetes/helm/istio/charts/pilot/values.yaml
@@ -40,8 +40,8 @@ nodeSelector: {}
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
 # “security” and value “S1”.
-podAntiAffinityLabelSelector: {}
-podAntiAffinityTermLabelSelector: {}
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
 
 # The following is used to limit how long a sidecar can be connected
 # to a pilot. It balances out load across pilot instances at the cost of

diff --git a/install/kubernetes/helm/istio/charts/prometheus/templates/deployment.yaml b/install/kubernetes/helm/istio/charts/prometheus/templates/deployment.yaml
@@ -27,16 +27,6 @@ spec:
       serviceAccountName: prometheus
 {{- if .Values.global.priorityClassName }}
       priorityClassName: "{{ .Values.global.priorityClassName }}"
-{{- end }}
-{{- if .Values.security.enabled }}
-      initContainers:
-      - name: prom-init
-        image: "busybox:1.30.1"
-        command: ['sh', '-c', 'counter=0; until [ "$counter" -ge 30 ]; do if [ -f /etc/istio-certs/key.pem ]; then exit 0; else echo waiting for istio certs && sleep 1 && counter=$((counter+1)); fi; done; exit 1;']
-        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
-        volumeMounts:
-          - mountPath: /etc/istio-certs
-            name: istio-certs
 {{- end }}
       containers:
         - name: prometheus
@@ -74,7 +64,9 @@ spec:
       - name: istio-certs
         secret:
           defaultMode: 420
+{{- if not .Values.security.enabled }}
           optional: true
+{{- end }}
           secretName: istio.default
       affinity:
       {{- include "nodeaffinity" . | indent 6 }}

diff --git a/install/kubernetes/helm/istio/charts/prometheus/values.yaml b/install/kubernetes/helm/istio/charts/prometheus/values.yaml
@@ -26,8 +26,8 @@ nodeSelector: {}
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
 # “security” and value “S1”.
-podAntiAffinityLabelSelector: {}
-podAntiAffinityTermLabelSelector: {}
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
 
 # Controls the frequency of prometheus scraping
 scrapeInterval: 15s

diff --git a/install/kubernetes/helm/istio/charts/security/templates/deployment.yaml b/install/kubernetes/helm/istio/charts/security/templates/deployment.yaml
@@ -11,7 +11,7 @@ metadata:
     release: {{ .Release.Name }}
     istio: citadel
 spec:
-  replicas: {{ .Values.replicaCount }}
+  replicas: 1
   selector:
     matchLabels:
       istio: citadel

diff --git a/install/kubernetes/helm/istio/charts/security/values.yaml b/install/kubernetes/helm/istio/charts/security/values.yaml
@@ -2,7 +2,6 @@
 # security configuration
 #
 enabled: true
-replicaCount: 1
 image: citadel
 selfSigned: true # indicate if self-signed CA is used.
 createMeshPolicy: true
@@ -26,5 +25,5 @@ nodeSelector: {}
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
 # “security” and value “S1”.
-podAntiAffinityLabelSelector: {}
-podAntiAffinityTermLabelSelector: {}
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
diff --git a/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/values.yaml b/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/values.yaml
@@ -25,8 +25,8 @@ nodeSelector: {}
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
 # “security” and value “S1”.
-podAntiAffinityLabelSelector: {}
-podAntiAffinityTermLabelSelector: {}
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
 
 # If true, webhook or istioctl injector will rewrite PodSpec for liveness
 # health check to redirect request to sidecar. This makes liveness check work

diff --git a/install/kubernetes/helm/istio/charts/tracing/values.yaml b/install/kubernetes/helm/istio/charts/tracing/values.yaml
@@ -24,8 +24,8 @@ nodeSelector: {}
 # This pod anti-affinity rule says that the pod requires not to be scheduled
 # onto a node if that node is already running a pod with label having key
 # “security” and value “S1”.
-podAntiAffinityLabelSelector: {}
-podAntiAffinityTermLabelSelector: {}
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
 
 jaeger:
   hub: docker.io/jaegertracing

diff --git a/install/kubernetes/helm/istio/templates/_affinity.tpl b/install/kubernetes/helm/istio/templates/_affinity.tpl
@@ -62,7 +62,7 @@
         matchExpressions:
         - key: {{ $item.key }}
           operator: {{ $item.operator }}
-          {{- if $item.value }}
+          {{- if $item.values }}
           values:
           {{- $vals := split "," $item.values }}
           {{- range $i, $v := $vals }}
@@ -88,6 +88,5 @@
             {{- end }}
             {{- end }}
         topologyKey: {{ $item.topologyKey }}
-      weight: 100
     {{- end }}
 {{- end }}
diff --git a/pilot/cmd/pilot-agent/main.go b/pilot/cmd/pilot-agent/main.go
@@ -79,12 +79,6 @@ var (
 	concurrency                int
 	templateFile               string
 	disableInternalTelemetry   bool
-	tlsServerCertChain         string
-	tlsServerKey               string
-	tlsServerRootCert          string
-	tlsClientCertChain         string
-	tlsClientKey               string
-	tlsClientRootCert          string
 	tlsCertsToWatch            []string
 	loggingOptions             = log.DefaultOptions()
 
@@ -159,30 +153,9 @@ var (
 			role.TrustDomain = spiffe.GetTrustDomain()
 			log.Infof("Proxy role: %#v", role)
 
-			// Add cert paths as node metadata only if they differ from defaults
-			if tlsServerCertChain != model.DefaultCertChain {
-				role.Metadata[model.NodeMetadataTLSServerCertChain] = tlsServerCertChain
-			}
-			if tlsServerKey != model.DefaultKey {
-				role.Metadata[model.NodeMetadataTLSServerKey] = tlsServerKey
-			}
-			if tlsServerRootCert != model.DefaultRootCert {
-				role.Metadata[model.NodeMetadataTLSServerRootCert] = tlsServerRootCert
-			}
-
-			if tlsClientCertChain != model.DefaultCertChain {
-				role.Metadata[model.NodeMetadataTLSClientCertChain] = tlsClientCertChain
-			}
-			if tlsClientKey != model.DefaultKey {
-				role.Metadata[model.NodeMetadataTLSClientKey] = tlsClientKey
-			}
-			if tlsClientRootCert != model.DefaultRootCert {
-				role.Metadata[model.NodeMetadataTLSClientRootCert] = tlsClientRootCert
-			}
-
 			tlsCertsToWatch = []string{
 				tlsServerCertChain, tlsServerKey, tlsServerRootCert,
-				tlsClientCertChain, tlsClientKey, tlsClientCertChain,
+				tlsClientCertChain, tlsClientKey, tlsClientRootCert,
 			}
 
 			// dedupe cert paths so we don't set up 2 watchers for the same file:
@@ -567,22 +540,6 @@ func init() {
 	proxyCmd.PersistentFlags().BoolVar(&controlPlaneBootstrap, "controlPlaneBootstrap", true,
 		"Process bootstrap provided via templateFile to be used by control plane components.")
 
-	// server certs
-	proxyCmd.PersistentFlags().StringVar(&tlsServerCertChain, "tlsServerCertChain",
-		model.DefaultCertChain, "Absolute path to server cert-chain file used for istio mTLS")
-	proxyCmd.PersistentFlags().StringVar(&tlsServerKey, "tlsServerKey",
-		model.DefaultKey, "Absolute path to server private key file used for istio mTLS")
-	proxyCmd.PersistentFlags().StringVar(&tlsServerRootCert, "tlsServerRootCert",
-		model.DefaultRootCert, "Absolute path to server root cert file used for istio mTLS")
-
-	// client certs
-	proxyCmd.PersistentFlags().StringVar(&tlsClientCertChain, "tlsClientCertChain",
-		model.DefaultCertChain, "Absolute path to client cert-chain file used for istio mTLS")
-	proxyCmd.PersistentFlags().StringVar(&tlsClientKey, "tlsSClientKey",
-		model.DefaultKey, "Absolute path to client key file used for istio mTLS")
-	proxyCmd.PersistentFlags().StringVar(&tlsClientRootCert, "tlsClientRootCert",
-		model.DefaultRootCert, "Absolute path to client root cert file used for istio mTLS")
-
 	// Attach the Istio logging options to the command.
 	loggingOptions.AttachCobraFlags(rootCmd)
 

diff --git a/pilot/cmd/pilot-agent/model.go b/pilot/cmd/pilot-agent/model.go
@@ -0,0 +1,31 @@
+// Copyright 2019 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"istio.io/istio/pilot/pkg/model"
+	"istio.io/istio/pkg/bootstrap"
+	"istio.io/pkg/env"
+)
+
+var (
+	tlsServerCertChain = env.RegisterStringVar(bootstrap.IstioMetaPrefix+model.NodeMetadataTLSServerCertChain, model.DefaultCertChain, "").Get()
+	tlsServerKey       = env.RegisterStringVar(bootstrap.IstioMetaPrefix+model.NodeMetadataTLSServerKey, model.DefaultKey, "").Get()
+	tlsServerRootCert  = env.RegisterStringVar(bootstrap.IstioMetaPrefix+model.NodeMetadataTLSServerRootCert, model.DefaultRootCert, "").Get()
+
+	tlsClientCertChain = env.RegisterStringVar(bootstrap.IstioMetaPrefix+model.NodeMetadataTLSClientCertChain, model.DefaultCertChain, "").Get()
+	tlsClientKey       = env.RegisterStringVar(bootstrap.IstioMetaPrefix+model.NodeMetadataTLSClientKey, model.DefaultKey, "").Get()
+	tlsClientRootCert  = env.RegisterStringVar(bootstrap.IstioMetaPrefix+model.NodeMetadataTLSClientRootCert, model.DefaultRootCert, "").Get()
+)
diff --git a/pilot/pkg/bootstrap/server.go b/pilot/pkg/bootstrap/server.go
@@ -435,7 +435,8 @@ func (s *Server) initMeshNetworks(args *PilotArgs) error { //nolint: unparam
 		return nil
 	}
 	log.Infof("mesh networks configuration %s", spew.Sdump(meshNetworks))
-	util.ResolveHostsInNetworksConfig(s.meshNetworks)
+	util.ResolveHostsInNetworksConfig(meshNetworks)
+	log.Infof("mesh networks configuration post-resolution %s", spew.Sdump(meshNetworks))
 	s.meshNetworks = meshNetworks
 
 	// Watch the networks config file for changes and reload if it got modified
@@ -448,7 +449,8 @@ func (s *Server) initMeshNetworks(args *PilotArgs) error { //nolint: unparam
 		}
 		if !reflect.DeepEqual(meshNetworks, s.meshNetworks) {
 			log.Infof("mesh networks configuration file updated to: %s", spew.Sdump(meshNetworks))
-			util.ResolveHostsInNetworksConfig(s.meshNetworks)
+			util.ResolveHostsInNetworksConfig(meshNetworks)
+			log.Infof("mesh networks configuration post-resolution %s", spew.Sdump(meshNetworks))
 			s.meshNetworks = meshNetworks
 			if s.kubeRegistry != nil {
 				s.kubeRegistry.InitNetworkLookup(meshNetworks)

diff --git a/pilot/pkg/model/context.go b/pilot/pkg/model/context.go
@@ -606,6 +606,10 @@ const (
 	// NodeMetadataPolicyCheckMaxRetryWaitTime for max time to wait between retries
 	// In duration format. If not set, this will be 1000ms.
 	NodeMetadataPolicyCheckMaxRetryWaitTime = "policy.istio.io/checkMaxRetryWaitTime"
+
+	// NodeMetadataIdleTimeout specifies the idle timeout for the proxy, in duration format (10s).
+	// If not set, no timeout is set.
+	NodeMetadataIdleTimeout = "IDLE_TIMEOUT"
 )
 
 var (