* update release note for external authz
* address comment
* Update content/en/news/releases/1.12.x/announcing-1.12/change-notes/index.md
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
* build an archive of v1.11 in master
* update data/versions.yml and archive index page
* advance master to release-1.13
* ANother script update
* go get remaing istio repos to satisfy linter
* Temporarily fix link broken by istio/api #2148
* Temporarily disable istioctl analyze test.
* Fix in attribute "name" on "metadata".
Missing tab in attribute "name" at section "Define the external authorizer" in ServiceEntry example.
* command make gen
Co-authored-by: Igor Agueme <igoragueme@outlook.com>
* build an archive of v1.10 in master
* update data/versions.yml and archive index page
* advance master to release-1.12
* Update istio test reference to pick up 1.12 in istioctl messages
* Fix lint and IMAGE_VERSION
* MOre changes for lint
* Use correct IMAGE_VERSION
* Skip virtual machines test - Release Blocker issue created
* Flag experimental pages with dagger
* Use dagger symbol in title
* Dagger in navigation titles for experimental status
* Experimental asterisk note
* Asterisk with space
* Spacing between title and asterisk
* Flag experimental and alpha status
* build an archive of v1.9 in master
* update data/versions.yml and archive index page
* advance master to release-1.11
* Update the istio test reference to master
* Remove failing deny test
* Remove another test
* Remove a third test
* update security doc with evaluation order, common patterns, shoter task names and some small updates
* update
* update
* add link
* update
* update
* fix lint
* Apply suggestions from code review
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
* update
* Apply suggestions from code review
Co-authored-by: John Howard <howardjohn@google.com>
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
Co-authored-by: John Howard <howardjohn@google.com>
* Improve the plug-in cert task.
* Small fix.
* Update content/en/docs/tasks/security/cert-management/plugin-ca-cert/index.md
Co-authored-by: Sven Mawson <sven@google.com>
* Describe the recommendation of using hierarchical CA.
* Small fix.
* Apply suggestions from code review
Co-authored-by: Sven Mawson <sven@google.com>
* Apply suggestions from code review
Co-authored-by: Sven Mawson <sven@google.com>
Co-authored-by: Sven Mawson <sven@google.com>
* Silence curl command
* Update more files with -sS (adding S to show errors)
* Over-agressive on the -S and causing some tests to fail.
* Remove more curl -S flags
* Use experimental as feature stage
Pre-alpha/Development are deprecated in favor of Experimental (see
https://github.com/istio/community/pull/495). Update docs to reference
this phase.
* Add DNS proxying to experimental phase
* Do not mix alpha and experimental
* DNS Proxying is Alpha in 1.9; add to feature status page
* Fix virtual machine install doc based on review
* Fix linting issue
* update proxy protocol EnvoyFilter to be consistent
Make the proxy protocol EnvoyFilter identical to the one in
docs/ops/configuration/traffic-management/network-topologies/
* fix arch mistake
* update authz docs for remote.ip
remote.ip has been added as an Authorization Condition and the Ingress
Gateway Authorization task has been updated to include it.
* fix relative link to network topologies
* add more verification and use tabs
* remove mixer reference and put LB table below tabset
* move INGRESS_HOST info to top, add LB decision-making table
* clean up bash commands
* Update test reference to 1.8.0-alpha.2
* Fix access-log test for new behavior
* Update to remove deprecated parameter
* More updates for deprecated (already removed) values
* Enable test, disable failing tests (#8405) open for fix.
* Review comment
* Remove extraneous old-td
This required some other changes WRT verification:
- Change __cmp_like to allow for not accepting <pending> for an IP address.
- Change __verify_with_retry to use a timeout rathan than number of retries. This is a more intuitive interface and aligns with the way we do retries in istio/istio. I also got rid of exponential backoff and allow both the timeout and delay between retries to be configured.
* Update test reference
* Test framework changes
* Another required change
* Update Tag to 1.8
* Pick istio/istio commit that actually exists
* Disable ISTIO_META_DNS_CAPTURE
* Add --skip-confirmation to istioctl installl commands
* Increase test timeout. First pass at fixes.
* Update to later istio/istio that fixes DNS and minor fixes
* test fixes
* Pick up go.mod `replace` changes from #8118
* Fix istioctl-analayze and mirror
* Fix mtls-migration test
* Update istio to include commit to fix egress
* Re-enable verify with fix
* Update istio/istio ref for egress fix
* Fix tasks/security/authorization/authz-td-migration - remove ns
* Shorten wait timeout so tests complete in under an hr
* Let tests continue after wait timeout
* Fix --skip-confirmation to -y and use yes | in tests
* revert yes | to echo y |
* Additional echo y fix
* Code review comments
* Change verify from same to contains as k8s 1.19 has extra warning lines.
* add note about istio protocol detection
* fix accidental replace
* fix extra dot in filename
* path fixes
* add note about how to field authz in effect
* fix typos and add a note on the claims
* undo file rename
* Update content/en/docs/ops/common-problems/security-issues/index.md
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* Update content/en/docs/ops/common-problems/security-issues/index.md
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* Apply suggestions from code review
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* build an archive of v1.6 in master
* update data/versions.yml and archive index page
* advance master to release-1.8
* Missing `make snips` in script
* Update istio/istio ref and reenable tests
* Update istio/istio reference
* Update istioctl build to have version for images
* Fix lint and pull a newer istio/istio
* Disable egress tests
* add an example task to test
* main test function: save progress
* a working example: routing request
* improve log info and error handling
* introduce makefile
* run each test as a subtest; remove common setup from test.sh
* add another test.sh: fault-injection
* improve error handling
* check test environment
* add two more test.sh files
* fix make command for istio setup
* update two test.sh files from upstream
* add comments and update README.md
* update test.sh files from upstream
* support multiple test names
* update README
* update README.md for new framework
* remove documentation of migration steps
* undo format changes
* change separation line to '# @cleanup'
* move go code and makefile from content/ to tests/
* change package name
* make for loop more readable
* change the set of auto-sourced scripts
* add docs for all functions
* approach to deal with folders with the same name
* minor fixes to ensure everything still runs
* fix make gen error
* add a TIMEOUT argument
* make sure util/debug.sh works with new framework
* make lint-go happy
* [BIG CHANGE] allow different istio setup configs
* make linters happy
* make linters happier
* changed wording and function orders
* make error return as the 2nd argument
* add TODOs
* Update content/en/docs/tasks/traffic-management/traffic-shifting/test.sh
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* Update tests/README.md
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* Update tests/README.md
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* Update tests/README.md
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* Update tests/README.md
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* Update tests/README.md
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* Update tests/README.md
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* only test english docs
* Update tests/README.md
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* allow test.sh as suffix
* move adding setup configs to tests/setup
* recommend full paths
* Update tests/README.md
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* require full test paths
* converting old tests to new tests: traffic-management and misc
* converting old tests to new tests: security
* remove old tests
* Update content/en/docs/tasks/security/cert-management/dns-cert/test.sh
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* simplify setup configs
* Update content/en/docs/tasks/security/authentication/authn-policy/test.sh
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* Update content/en/docs/tasks/security/authentication/mtls-migration/test.sh
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* Update content/en/docs/tasks/security/authorization/authz-http/test.sh
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* do not let istioctl prompt y/n
* Update content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/test.sh
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* Update content/en/docs/tasks/traffic-management/ingress/secure-ingress/test.sh
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* Update content/en/docs/tasks/security/cert-management/plugin-ca-cert/test.sh
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* simplify stuff
* rename dns-cert test.sh to test_broken.sh
* fix dns-cert doc and test
* remove egress=disabled
* fix test
* Update content/en/docs/tasks/observability/logs/access-log/test.sh
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* Update content/en/docs/tasks/security/authentication/authn-policy/test.sh
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* authn-policy: Point users to Istio installation guide.
Have users install Istio through the installation guide instead of
explicitly instructing them to run "istioctl manifest apply" in the
task. This will make it easier to automate the task later.
* authn-policy: Make steps and expected response clear for testing.
* Add authn-policy user guide test.
* snip.py: Replace github file token with release-specific URL.
* verify.sh: Show the expected output as well as the actual output.
* snip.py: Update the githubfile regex to not include email addresses.
When generating snip scripts, pairs of "@" signs indicate a link to
GitHub repo content. However, JWT attribute values contained pairs of
email addresses such as:
`testing@secure.istio.io/testing@secure.istio.io`
which would be treated as an email address and mangled. This commit
rewrites the regex to not match on email addresses.
* Add authz-jwt user guide test.
* Update test framework to use 1.6.0-beta.0
* Go back to copies from env var
* Add more test targets, fix mtls test (new PA added)
* Update to use Istio SHA from go.mod (convert to long SHA)
* Try and remove TAG from prow
* Debug TAG not being set
* Fix paralization issue
* Remove some extra output
* Review comments
Reverted the actual mirror test script, because mirror test seems to have some subtle failure when running with what seems to be the exact same commands via snips. Will investigate further in followup PR. Merging this one to get the generator changes.
The pod of tcp-echo which is asked its podIP is in `foo` namespace, so the `kubectl get` should specify the namespace as `foo`.
Co-authored-by: Koki Tomoshige <36136133+tomocy@users.noreply.github.com>
* User guide tests for DNS certificate management
- Add user guide tests for DNS certificate management
- Remove user guide's dependency on jq
* Use _verify_contains function
* User guide tests and remove manual steps for plugging in CA cert
- Add user guide tests for plugging in CA cert
- Remove the manual steps in the user guide of plugging in CA cert
to make it easier for an user to try the guide.
* Fix SC2046 lint error and the trafficmanagement test errors
* Update doc test README
* add sh
* tweaks
* formatting
* format
* fix comment
* wording
* convert mtls migration task
* Update tests/README.md
Co-Authored-By: Eric Van Norman <ericvn@us.ibm.com>
* Update tests/README.md
Co-Authored-By: Eric Van Norman <ericvn@us.ibm.com>
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
* add a tcpdump verification for mtls
* add period
* move to the migration doc.
* lint fixing
* address cmt.
* Apply suggestions from code review
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
* authz: add task for IP whitelist/blacklist on ingress gateway
* allow list and deny list
* Small grammar adjustments
* address comments
* Update content/en/docs/tasks/security/authorization/authz-ingress/index.md
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* Update content/en/docs/tasks/security/authorization/authz-ingress/index.md
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
* Update content/en/docs/tasks/security/authorization/authz-ingress/index.md
Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
Co-authored-by: Adam Miller <1402860+adammil2000@users.noreply.github.com>
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
Yangmin Zhu
Eric Van Norman
Istio Automation
Sungyun Hur
Jianfei Hu
craigbox
Steve Zhang
Brian Avery
ChristinaMak
Shamsher Ansari
mrshengzyzy
John Howard
lei-tang
davidhauck
Oliver Liu
jacob-delgado
Frank Budinsky
Kyle Evans
Lin Sun
shankgan
Nathan Mittler
imgbot[bot]
Upo
Hongyi Zhang
Navraj Singh Chhina
Justin Pettit
jacob-delgado
Mitch Connors
Istio Automation
John Pape
tigran-a
Diem Vu
Jimmy Chen