From 90987fca376fa5148760f538443fb632cf8c116f Mon Sep 17 00:00:00 2001 
From: Costin Manolache Date: Tue, 2 Jan 2018 13:22:40 -0800 Subject: [PATCH] Polish on the build (#2331) * Increase timeout, try again e2e * Update cron job * Attempt to fix resolv.conf * Fix order for resolv.conf * Use KUBECONFIG env variable instead of linked file * Use only fast linters * Fix linters and lint/licence warnings * Fix build - goimports doesn't seem to like this * Revert goimports * fmt.sh * More attempts for e2e, test fix * Default linked * Move pilot no-auth to the new style, seems more reliable * One more e2e attempt * Fix test parsing * Continue to use random ns for e2e * Improve parsing of ginko (why are we using it ? Consistency...) * Fix gopath for e2e * Fmt (Goland needs to be set to use the right import order * Try the mixer e2e * It appears kubedns service was missing in 0.24 * Timeout, try with simple (most test were passing) * Woot, e2e passing ! * yaml error * Use better names, run all e2e even if first fails * Initial version of the .deb creation * Fix building the .deb using the container * Allow version customization and match the original names * Run nightly on the current PR * Remove empty makefile * Fix lint errors * Fix typo * Fix bad merge --- .circleci/Dockerfile | 28 ++- .circleci/Makefile | 17 +- .circleci/config.yml | 113 +++++++---- DEV-CONVENTIONS.md | 2 +- Makefile | 49 +++++ bin/check_license.sh | 2 +- bin/fmt.sh | 2 +- bin/linters.sh | 11 +- bin/pre-commit | 6 +- lintconfig_base.json | 4 +- mixer/pkg/perf/config.go | 2 +- mixer/pkg/perf/settings.go | 1 + mixer/pkg/tracing/tracing.go | 2 +- .../tools/codegen/cmd/mixgeninventory/main.go | 2 +- .../cloudfoundry/cloudfoundry_suite_test.go | 2 + pilot/platform/cloudfoundry/config.go | 2 +- pilot/test/integration/driver.go | 7 +- pilot/test/integration/egress_rules.go | 1 + pilot/test/integration/routing.go | 1 + pilot/test/integration/routingToEgress.go | 1 + pkg/log/config.go | 1 - tests/e2e/framework/kubernetes.go | 3 +- tests/istio.mk | 9 +- tests/k8s/helper.go | 15 ++ 
tools/deb/envoy.json | 77 ++++++++ tools/deb/istio-iptables.sh | 181 ++++++++++++++++++ tools/deb/istio-start.sh | 71 +++++++ tools/deb/istio.service | 12 ++ tools/deb/postinst.sh | 43 +++++ tools/deb/sidecar.env | 53 +++++ 30 files changed, 648 insertions(+), 72 deletions(-) create mode 100644 tools/deb/envoy.json create mode 100755 tools/deb/istio-iptables.sh create mode 100755 tools/deb/istio-start.sh create mode 100644 tools/deb/istio.service create mode 100755 tools/deb/postinst.sh create mode 100644 tools/deb/sidecar.env diff --git a/.circleci/Dockerfile b/.circleci/Dockerfile index 1ea304108ef..9cabdc35cd0 100644 --- a/.circleci/Dockerfile +++ b/.circleci/Dockerfile @@ -1,5 +1,16 @@ FROM circleci/golang:1.9 +# The base circleci image runs as user 'circleci'(3434), with sudo capabilities. +# Based on Debian9. Go installed in /usr/local/go + +# Env: +# GOLANG_VERSION +# GPATH=/go + +# Workdir: /go + +# Also installed docker, docker-compose, dockerize, jq + RUN go get github.com/coreos/etcd/cmd/etcd ARG K8S_VER=v1.7.4 @@ -10,6 +21,7 @@ RUN mkdir -p /tmp/apiserver && \ wget https://storage.googleapis.com/kubernetes-release/release/v1.7.4/bin/linux/amd64/kube-apiserver && \ chmod +x /tmp/apiserver/kube-apiserver +# TODO: generate and checkin the test apiserver and istio-ca keys RUN cd /tmp && \ curl -L -O https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz && \ tar xzf easy-rsa.tar.gz && \ 
@@ -23,9 +35,21 @@ RUN cd /tmp && \ cd /tmp && \ rm -rf /tmp/easy-rsa-master/ - RUN go get -u github.com/golang/dep/cmd/dep ADD start-test-server.sh /tmp/apiserver/start-test-server.sh -ENTRYPOINT ["/tmp/apiserver/start-test-server.sh"] \ No newline at end of file +# Tool used to convert 'go test' to junit, for integration with CI dashboard +RUN go get github.com/jstemmer/go-junit-report + +# Install fpm tool +RUN sudo apt-get -qqy install ruby ruby-dev rubygems build-essential && \ + sudo gem install --no-ri --no-rdoc fpm + +# Include minikube and kubectl in the image +RUN curl -Lo /tmp/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.7.4/bin/linux/amd64/kubectl && \ + chmod +x /tmp/kubectl && sudo mv /tmp/kubectl /usr/local/bin/ + +RUN curl -Lo /tmp/minikube https://storage.googleapis.com/minikube/releases/v0.22.3/minikube-linux-amd64 &&\ + chmod +x /tmp/minikube && sudo mv /tmp/minikube /usr/local/bin/ + diff --git a/.circleci/Makefile b/.circleci/Makefile index d068fef4e61..9e0bc0fb772 100644 --- a/.circleci/Makefile +++ b/.circleci/Makefile @@ -1,21 +1,20 @@ # Builder version -VERSION ?= go1.9-k8s1.7.4 -PROJECT ?= istio -HUB ?= +CI_VERSION ?= go1.9-k8s1.7.4 +CI_HUB ?= istio -image: - docker build -t ${HUB}${PROJECT}/ci:$(VERSION) -f Dockerfile . +ci.image: + docker build -t ${CI_HUB}/ci:$(CI_VERSION) -f Dockerfile . -push: - docker push "${HUB}${PROJECT}/ci:$(VERSION)" +ci.push: + docker push "${CI_HUB}/ci:$(CI_VERSION)" -run: +ci.run: docker run --rm -u $(shell id -u) -it \ -v ${GOPATH}:${GOPATH} \ -w ${PWD} \ -e USER=${USER} \ --entrypoint /bin/bash \ - ${HUB}${PROJECT}/ci:$(VERSION) + ${CI_HUB}/ci:$(CI_VERSION) .PHONY: image push \ No newline at end of file diff --git a/.circleci/config.yml b/.circleci/config.yml index 44b52f52f7e..0c8fd6db92e 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
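Review bot: The two `curl -Lo` steps at the end of this hunk install kubectl and minikube into /usr/local/bin without verifying the download, and without `-f` an HTTP error page would be saved as the binary. Pin a SHA-256 per release and check it before the `chmod`/`mv`; the same unverified download is repeated in the "Start minikube" step of .circleci/config.yml. The kubectl URL also hard-codes v1.7.4 although the stage already declares `ARG K8S_VER`. The fpm step runs `apt-get install` with no `apt-get update` in the same layer and installs an unpinned `fpm` gem. The checksum ARGs below are deliberately left without values, to be filled from the published release checksums.

```dockerfile
# Placeholders: pass or set the published SHA-256 of each pinned release.
ARG KUBECTL_SHA256
ARG MINIKUBE_VER=v0.22.3
ARG MINIKUBE_SHA256

# Include minikube and kubectl in the image
RUN curl -fsSLo /tmp/kubectl https://storage.googleapis.com/kubernetes-release/release/${K8S_VER}/bin/linux/amd64/kubectl && \
    echo "${KUBECTL_SHA256}  /tmp/kubectl" | sha256sum -c - && \
    chmod +x /tmp/kubectl && sudo mv /tmp/kubectl /usr/local/bin/

RUN curl -fsSLo /tmp/minikube https://storage.googleapis.com/minikube/releases/${MINIKUBE_VER}/minikube-linux-amd64 && \
    echo "${MINIKUBE_SHA256}  /tmp/minikube" | sha256sum -c - && \
    chmod +x /tmp/minikube && sudo mv /tmp/minikube /usr/local/bin/
```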
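Review bot: The `.PHONY: image push` line at the bottom of the .circleci/Makefile hunk is unchanged although the targets are now `ci.image`, `ci.push` and `ci.run`, so none of the renamed targets is declared phony. It should read `.PHONY: ci.image ci.push ci.run`. `ci.run` bind-mounts the whole `${GOPATH}` read-write into the container, so a one-line comment such as `# local debugging only: mounts the host GOPATH read-write` above the target would make that intent explicit.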
@@ -28,6 +28,7 @@ jobs: environment: - KUBECONFIG: /go/out/minikube.conf - TEST_ENV: minikube-none + - GOPATH: /go steps: - type: shell name: Initialize Working Directory @@ -36,10 +37,13 @@ jobs: sudo mkdir -p /go/src/istio.io/istio sudo chown -R circleci /go - checkout - - run: curl -Lo kubectl https://storage.googleapis.com/kubernetes-release/release/v1.7.4/bin/linux/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin/ - - run: curl -Lo minikube https://storage.googleapis.com/minikube/releases/v0.24.1/minikube-linux-amd64 && chmod +x minikube && sudo mv minikube /usr/local/bin/ + - attach_workspace: + at: /go - run: + name: "Start minikube" command: | + curl -Lo kubectl https://storage.googleapis.com/kubernetes-release/release/v1.7.4/bin/linux/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin/ + curl -Lo minikube https://storage.googleapis.com/minikube/releases/v0.22.3/minikube-linux-amd64 && chmod +x minikube && sudo mv minikube /usr/local/bin/ mkdir -p /go/out mkdir /home/circleci/logs sudo -E minikube start \ @@ -52,7 +56,9 @@ jobs: - restore_cache: keys: - dep-cache-{{ checksum "Gopkg.toml" }}-{{ checksum "WORKSPACE" }} + - run: make docker - run: + name: "Wait for minikube" command: | kubectl cluster-info set -ne 
@@ -63,12 +69,25 @@ jobs: fi sleep 2 done + kubectl get svc --all-namespaces + + - run: docker images - run: - command: | - make docker - # Show created images - docker images - make e2e_simple + timeout: 20m + command: | + make e2e_simple E2E_ARGS="--skip_delete -use_local_cluster -cluster_wide -alsologtostderr -test.v -v 2 --istioctl ${GOPATH}/bin/istioctl" + - run: + timeout: 20m + # Run the test even if previous failed + when: always + command: | + make e2e_mixer E2E_ARGS="--skip_delete -use_local_cluster -cluster_wide -alsologtostderr -test.v -v 2 --istioctl ${GOPATH}/bin/istioctl" + - run: + timeout: 20m + when: always + command: | + make e2e_bookinfo E2E_ARGS="--skip_delete -use_local_cluster -cluster_wide -alsologtostderr -test.v -v 2 --istioctl ${GOPATH}/bin/istioctl" + - store_artifacts: path: /home/circleci/logs path: /tmp @@ -123,6 +142,12 @@ jobs: pilot-integration-noauth: <<: *integrationDefaults + environment: + - GOPATH: /go + - KUBECONFIG: /go/out/minikube.conf + - TEST_ENV: minikube-none + - HUB: docker.io/dnerepo + - TAG: dontpush steps: - type: shell name: Initialize Working Directory 
@@ -130,31 +155,35 @@ jobs: command: | sudo mkdir -p /go/src/istio.io/istio sudo chown -R circleci /go + sudo chown -R circleci /usr/local/go - checkout - run: curl -Lo kubectl https://storage.googleapis.com/kubernetes-release/release/v1.7.4/bin/linux/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin/ - run: curl -Lo minikube https://storage.googleapis.com/minikube/releases/v0.22.3/minikube-linux-amd64 && chmod +x minikube && sudo mv minikube /usr/local/bin/ - run: command: | + mkdir -p /go/out + mkdir /home/circleci/logs sudo -E minikube start \ - --extra-config=apiserver.Admission.PluginNames="Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,GenericAdmissionWebhook,ResourceQuota" \ - --kubernetes-version=v1.7.5 --vm-driver=none - - run: sudo -E minikube update-context - - run: bin/install-go.sh + --extra-config=apiserver.Admission.PluginNames="Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,GenericAdmissionWebhook,ResourceQuota" \ + --kubernetes-version=v1.7.5 --vm-driver=none + sudo chown -R $USER $KUBECONFIG + sudo chown -R $USER $HOME/.minikube - restore_cache: keys: - dep-cache-{{ checksum "Gopkg.toml" }}-{{ checksum "WORKSPACE" }} - - run: - command: | - cd /go/src/istio.io/istio - if [ ! -d vendor ]; then - dep ensure - fi - run: cd pilot; bin/gocompile-and-push-images.sh -hub $HUB -tag $TAG -build-only - - run: mkdir /home/circleci/logs - run: go build -i ./pilot/test/integration - - run: JSONPATH='{range .items[*]}{@.metadata.name}:{range @.status.conditions[*]}{@.type}={@.status};{end}{end}'; until sudo kubectl get nodes -o jsonpath="$JSONPATH" 2>&1 | grep -q "Ready=True"; do sleep 1; done - - run: sudo -E kubectl cluster-info - - run: make kubelink + - run: + command: | + set -ne + kubectl cluster-info + for i in {1..150}; do # timeout for 5 minutes + kubectl get po &> /dev/null + if [ $? 
-ne 1 ]; then + break + fi + sleep 2 + done - run: ./integration --logtostderr -hub $HUB -tag $TAG -mixer=false -auth=disable -errorlogsdir=/home/circleci/logs -use-initializer - store_artifacts: path: /home/circleci/logs @@ -243,7 +272,7 @@ jobs: - store_artifacts: path: /go/bin - gotest: + test: <<: *defaults resource_class: xlarge steps: @@ -253,11 +282,17 @@ jobs: - dep-cache-{{ checksum "Gopkg.toml" }}-{{ checksum "WORKSPACE" }} - run: command: | - make localTestEnv go-test KUBECONFIG=/go/src/istio.io/istio/.circleci/config + mkdir -p /go/out/tests + go get github.com/jstemmer/go-junit-report + trap "go-junit-report /go/out/tests/go-test-report.xml" EXIT + make localTestEnv go-test KUBECONFIG=/go/src/istio.io/istio/.circleci/config T=-v | tee /go/out/tests/go-test-report.out - store_artifacts: path: /go/bin + path: /go/out + - store_test_results: + path: /go/out/tests - gobuild: + build: <<: *defaults resource_class: xlarge steps: @@ -271,6 +306,11 @@ jobs: make go-build - store_artifacts: path: /go/bin + - persist_to_workspace: + root: /go + paths: + - pkg + - bin lint: <<: *integrationDefaults @@ -287,11 +327,9 @@ jobs: keys: - dep-cache-{{ checksum "Gopkg.toml" }}-{{ checksum "WORKSPACE" }} - run: + no_output_timeout: 900 command: | - cd /go/src/istio.io/istio - SKIP_INIT=1 bin/linters.sh - - store_artifacts: - path: /go/bin + make lint docker-push: <<: *defaults @@ -301,7 +339,8 @@ jobs: - restore_cache: keys: - dep-cache-{{ checksum "Gopkg.toml" }}-{{ checksum "WORKSPACE" }} - - setup_remote_docker + - setup_remote_docker: + docker_layer_caching: true - run: command: | if [ ! -z "${DOCKER_USER}" ] ; then @@ -317,7 +356,6 @@ jobs: resource_class: xlarge steps: - checkout - - restore_cache: - restore_cache: keys: - dep-cache-{{ checksum "Gopkg.toml" }}-{{ checksum "WORKSPACE" }} @@ -341,7 +379,7 @@ workflows: filters: branches: only: - - gobuild + - master jobs: - dependencies # Build 
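Review bot: The wait step added to pilot-integration-noauth begins with `set -ne`, and in a non-interactive bash `-n` is noexec, so `kubectl cluster-info` and the whole polling loop are parsed but never run and the step passes without waiting for the API server. Use `set -e` alone or drop the line; note that under `-e` a failing `kubectl get po` would end the step before `$?` is inspected, so `if kubectl get po &> /dev/null; then break; fi` is the safer form. The test `[ $? -ne 1 ]` also treats every exit status other than 1 as ready. The same `set -ne` appears as context in the e2e job's "Wait for minikube" step. This hunk also adds `sudo chown -R circleci /usr/local/go`, which leaves the Go toolchain writable by the build user and deserves a comment saying why it is needed.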
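Review bot: In the `test` job, `store_artifacts` ends up with two `path:` keys in one mapping (`/go/bin` and the added `/go/out`); a YAML mapping cannot hold a key twice, so at best one directory is uploaded. Use one `- store_artifacts:` step per directory. The job also runs `go get github.com/jstemmer/go-junit-report` at build time, fetching an unpinned head that the CI Dockerfile in this patch already installs. The `trap` command as shown here passes the XML path as a plain argument; go-junit-report reads stdin and writes stdout, so confirm the input and output redirections are present in the real file.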
@@ -369,21 +407,24 @@ workflows: all: jobs: - dependencies - - gobuild: + - build: requires: - dependencies - - gotest: + - e2e: + requires: + - build + - test: requires: - dependencies - codecov: requires: - - gotest + - build - lint: requires: - dependencies - pilot-integration-noauth: requires: - - gotest + - test - pilot-integration-auth: requires: - - gotest + - test diff --git a/DEV-CONVENTIONS.md b/DEV-CONVENTIONS.md index d54d077d1e2..ea54d6cd034 100644 --- a/DEV-CONVENTIONS.md +++ b/DEV-CONVENTIONS.md @@ -127,6 +127,6 @@ the [adapter logger interface](https://godoc.org/istio.io/istio/mixer/pkg/adapte - Third-party code - - Go code for normal third-party dependencies is managed by the [Bazel](http://bazel.build) build system. + - Go code for normal third-party dependencies is managed by the Go [Dep](https://github.com/golang/dep). - Third-party code must carry licenses. This includes modified third-party code and excerpts. diff --git a/Makefile b/Makefile index 6ff6bbd4a0e..bebb4c99dec 100644 --- a/Makefile +++ b/Makefile @@ -18,6 +18,9 @@ ISTIO_GO := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) SHELL := /bin/bash +# Current version, updated after a release. +VERSION ?= "0.5.0" + # Make sure GOPATH is set based on the executing Makefile and workspace. Will override # GOPATH from the env. export GOPATH= $(shell cd ../../..; pwd) @@ -111,6 +114,12 @@ depend.vendor: vendor vendor: dep ensure -update +lint: + SKIP_INIT=1 bin/linters.sh + +# Target run by the pre-commit script, to automate formatting and lint +# If pre-commit script is not used, please run this manually. +pre-commit: fmt lint #----------------------------------------------------------------------------- # Target: precommit @@ -305,6 +314,7 @@ show.%: ; $(info $* $(H) $($*)) # Target: artifacts and distribution #----------------------------------------------------------------------------- + ${OUT}/dist/Gopkg.lock: mkdir -p ${OUT}/dist cp Gopkg.lock ${OUT}/dist/ 
@@ -314,6 +324,45 @@ dist-bin: ${OUT}/dist/Gopkg.lock dist: dist-bin +include .circleci/Makefile + +.PHONY: docker.sidecar.deb sidecar.deb + +# Make the deb image using the CI/CD image and docker. +docker.sidecar.deb: + (cd ${TOP}; docker run --rm -u $(shell id -u) -it \ + -v ${GOPATH}:${GOPATH} \ + -w ${PWD} \ + -e USER=${USER} \ + --entrypoint /usr/bin/make ${CI_HUB}/ci:${CI_VERSION} \ + sidecar.deb ) + + +# Create the 'sidecar' deb, including envoy and istio agents and configs. +# This target uses a locally installed 'fpm' - use 'docker.sidecar.deb' to use +# the builder image. +# TODO: consistent layout, possibly /opt/istio-VER/... +sidecar.deb: + fpm -s dir -t deb -n istio-sidecar --version ${VERSION} --iteration 1 -C ${GOPATH} -f \ + --url http://istio.io \ + --license Apache \ + --vendor istio.io \ + --maintainer istio@istio.io \ + --after-install tools/deb/postinst.sh \ + --config-files /var/lib/istio/envoy/sidecar.env \ + --config-files /var/lib/istio/envoy/envoy.json \ + --description "Istio" \ + src/istio.io/istio/tools/deb/istio-start.sh=/usr/local/bin/istio-start.sh \ + src/istio.io/istio/tools/deb/istio-iptables.sh=/usr/local/bin/istio-iptables/sh \ + src/istio.io/istio/tools/deb/istio.service=/lib/systemd/system/istio.service \ + src/istio.io/istio/security/tools/deb/istio-auth-node-agent.service=/lib/systemd/system/istio-auth-node-agent.service \ + bin/envoy=/usr/local/bin/envoy \ + bin/pilot-agent=/usr/local/bin/pilot-agent \ + bin/node_agent=/usr/local/istio/bin/node_agent \ + src/istio.io/istio/tools/deb/sidecar.env=/var/lib/istio/envoy/sidecar.env \ + src/istio.io/istio/tools/deb/envoy.json=/var/lib/istio/envoy/envoy.json + + #----------------------------------------------------------------------------- # Target: e2e tests #----------------------------------------------------------------------------- diff --git a/bin/check_license.sh b/bin/check_license.sh index a9056942c16..c586e47a4a3 100755 --- a/bin/check_license.sh 
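Review bot: In the `sidecar.deb` file map, `src/istio.io/istio/tools/deb/istio-iptables.sh=/usr/local/bin/istio-iptables/sh` has a `/` where a `.` is meant, so the package would install the script as a file named `sh` inside a directory `istio-iptables`. tools/deb/istio-start.sh in this patch calls `${ISTIO_BIN_BASE}/istio-iptables.sh` under `set -e`, so the service would fail to start on an installed package. The destination should be `/usr/local/bin/istio-iptables.sh`. Separately, `docker.sidecar.deb` passes `-it` to `docker run`, which fails when no TTY is attached, as in CI; and `--url http://istio.io` could use https.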
+++ b/bin/check_license.sh @@ -4,7 +4,7 @@ ROOTDIR=$SCRIPTPATH/.. cd $ROOTDIR ret=0 -for fn in $(find ${ROOTDIR} -name '*.go'); do +for fn in $(find ${ROOTDIR} -name '*.go' | grep -v vendor); do if [[ $fn == *.pb.go ]];then continue fi diff --git a/bin/fmt.sh b/bin/fmt.sh index 2dac83eb119..413a8770b77 100755 --- a/bin/fmt.sh +++ b/bin/fmt.sh @@ -8,7 +8,7 @@ SCRIPTPATH=$( cd "$(dirname "$0")" ; pwd -P ) ROOTDIR=$SCRIPTPATH/.. cd $ROOTDIR -export GOPATH=$(cd $ROOTDIR/../..; pwd) +export GOPATH=$(cd $ROOTDIR/../../..; pwd) export PATH=$GOPATH/bin:$PATH if which goimports; then diff --git a/bin/linters.sh b/bin/linters.sh index 2b8a458db39..ee03b6bb6be 100755 --- a/bin/linters.sh +++ b/bin/linters.sh @@ -11,7 +11,11 @@ if [[ -z $SKIP_INIT ]];then bin/init.sh fi -echo 'Running linters .... in advisory mode' +echo 'Checking licences' +bin/check_license.sh +echo 'licences OK' + +echo 'Running linters ....' #TODO: after the new generation script is in, make sure we generate the exclude docker run\ @@ -19,11 +23,8 @@ docker run\ -w /go/src/istio.io/istio\ gcr.io/mukai-istio/linter:bbcfb47f85643d4f5a7b1c092280d33ffd214c10\ --config=./lintconfig_base.json \ - ./... + -s vendor --fast ./... echo 'linters OK' -echo 'Checking licences' -bin/check_license.sh -echo 'licences OK' diff --git a/bin/pre-commit b/bin/pre-commit index 149c84f0efa..ec6d7aa7833 100755 --- a/bin/pre-commit +++ b/bin/pre-commit @@ -37,9 +37,5 @@ BRANCH_NAME=$(git branch | grep '*' | sed 's/* //') if [ $BRANCH_NAME != '(no branch)' ]; then cd $ROOT - #echo "updating autogen files..." - #bin/regenerate_files.py - - echo "formatting..." - bin/fmt.sh + make pre-commit fi diff --git a/lintconfig_base.json b/lintconfig_base.json index b9f7c18cf0f..4caac07788f 100644 --- a/lintconfig_base.json +++ b/lintconfig_base.json @@ -26,7 +26,7 @@ "vetshadow" ], "severity": { - "aligncheck": "error", + "aligncheck": "warn", "deadcode": "error", "errcheck": "error", "gas": "error", 
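Review bot: `grep -v vendor` in the check_license.sh loop drops every path that contains the string vendor anywhere, not only the top-level vendor tree, so a first-party package or file with vendor in its name silently skips the licence check. Prune the directory in find instead: `for fn in $(find "${ROOTDIR}" -path "${ROOTDIR}/vendor" -prune -o -name '*.go' -print); do`. The loop body lies outside the hunk.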
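Review bot: The `-s vendor --fast` added to the linter invocation in bin/linters.sh narrows the gate to the fast linters, but nothing in the script or in lintconfig_base.json says which linters configured with severity error stop running as a result. Add a comment above the `docker run` naming the linters that `--fast` drops and where, if anywhere, they still run, for example `# --fast skips the slow type-checking linters; they run in <job name>`. Whether a failing `bin/check_license.sh`, now run first, stops the script depends on a `set -e` that is not visible in this hunk.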
@@ -47,7 +47,9 @@ }, "exclude": [ "vendor", + "../vendor", ".pb.go", + "mock_*", "mixer/adapter/doc.go", "mixer/pkg/config/proto/combined.go", ".*.gen.go", diff --git a/mixer/pkg/perf/config.go b/mixer/pkg/perf/config.go index 833214d5d40..d6b91d5251e 100644 --- a/mixer/pkg/perf/config.go +++ b/mixer/pkg/perf/config.go @@ -14,8 +14,8 @@ package perf -// TODO: We should ideally combine this file with pkg/server/Args. Unfortunately, pkg/serverArgs is not serializable. // Config is the Mixer server configuration to use during perf tests. +// TODO: We should ideally combine this file with pkg/server/Args. Unfortunately, pkg/serverArgs is not serializable. type Config struct { Global string `json:"global"` Service string `json:"rpcServer"` diff --git a/mixer/pkg/perf/settings.go b/mixer/pkg/perf/settings.go index 6314960997e..3c792052c99 100644 --- a/mixer/pkg/perf/settings.go +++ b/mixer/pkg/perf/settings.go @@ -19,6 +19,7 @@ import ( "istio.io/istio/mixer/pkg/template" ) +// RunMode configures the run mode for the perf. type RunMode int const ( diff --git a/mixer/pkg/tracing/tracing.go b/mixer/pkg/tracing/tracing.go index d3b5f3d581c..0ba12872500 100644 --- a/mixer/pkg/tracing/tracing.go +++ b/mixer/pkg/tracing/tracing.go @@ -26,8 +26,8 @@ import ( jaeger "github.com/uber/jaeger-client-go" "github.com/uber/jaeger-client-go/transport" "github.com/uber/jaeger-client-go/transport/zipkin" - "go.uber.org/zap" + ilog "istio.io/istio/pkg/log" ) diff --git a/mixer/tools/codegen/cmd/mixgeninventory/main.go b/mixer/tools/codegen/cmd/mixgeninventory/main.go index 06d145c5f02..71c9708004b 100644 --- a/mixer/tools/codegen/cmd/mixgeninventory/main.go +++ b/mixer/tools/codegen/cmd/mixgeninventory/main.go @@ -21,7 +21,7 @@ import ( "strings" "github.com/spf13/cobra" - "gopkg.in/yaml.v2" + yaml "gopkg.in/yaml.v2" "istio.io/istio/mixer/tools/codegen/pkg/inventory" ) 
diff --git a/pilot/platform/cloudfoundry/cloudfoundry_suite_test.go b/pilot/platform/cloudfoundry/cloudfoundry_suite_test.go index 5c88e158937..d0fb4dc3682 100644 --- a/pilot/platform/cloudfoundry/cloudfoundry_suite_test.go +++ b/pilot/platform/cloudfoundry/cloudfoundry_suite_test.go @@ -15,6 +15,7 @@ package cloudfoundry_test import ( + "fmt" "testing" . "github.com/onsi/ginkgo" @@ -24,4 +25,5 @@ import ( func TestCloudFoundry(t *testing.T) { RegisterFailHandler(Fail) RunSpecs(t, "Cloud Foundry Suite") + fmt.Print("\n\n") } diff --git a/pilot/platform/cloudfoundry/config.go b/pilot/platform/cloudfoundry/config.go index f87a7dd4bd8..2e1dd8cca70 100644 --- a/pilot/platform/cloudfoundry/config.go +++ b/pilot/platform/cloudfoundry/config.go @@ -22,7 +22,7 @@ import ( "io/ioutil" "time" - "gopkg.in/validator.v2" + validator "gopkg.in/validator.v2" yaml "gopkg.in/yaml.v2" ) diff --git a/pilot/test/integration/driver.go b/pilot/test/integration/driver.go index 4b5f2c25224..f595a01cac8 100644 --- a/pilot/test/integration/driver.go +++ b/pilot/test/integration/driver.go @@ -29,6 +29,7 @@ import ( "time" "github.com/davecgh/go-spew/spew" + "github.com/golang/glog" // TODO(nmittler): Remove this _ "github.com/golang/glog" "github.com/golang/sync/errgroup" @@ -84,7 +85,7 @@ func init() { flag.BoolVar(&verbose, "verbose", false, "Debug level noise from proxies") flag.BoolVar(¶ms.checkLogs, "logs", true, "Validate pod logs (expensive in long-running tests)") - flag.StringVar(&kubeconfig, "kubeconfig", "pilot/platform/kube/config", + flag.StringVar(&kubeconfig, "kubeconfig", os.Getenv("KUBECONFIG"), "kube config file (missing or empty file makes the test use in-cluster kube config instead)") flag.IntVar(&count, "count", 1, "Number of times to run the tests after deploying") flag.StringVar(&authmode, "auth", "both", "Enable / disable auth, or test both.") 
@@ -144,6 +145,10 @@ func main() { return } + if len(kubeconfig) == 0 { + kubeconfig = "pilot/platform/kube/config" + glog.Info("Using linked in kube config. Set KUBECONFIG env before running the test.") + } var err error _, client, err = kube.CreateInterface(kubeconfig) if err != nil { diff --git a/pilot/test/integration/egress_rules.go b/pilot/test/integration/egress_rules.go index a5f13f700f6..aec1d7038dd 100644 --- a/pilot/test/integration/egress_rules.go +++ b/pilot/test/integration/egress_rules.go @@ -24,6 +24,7 @@ import ( // TODO(nmittler): Remove this _ "github.com/golang/glog" multierror "github.com/hashicorp/go-multierror" + "istio.io/istio/pkg/log" ) diff --git a/pilot/test/integration/routing.go b/pilot/test/integration/routing.go index 22eb9754567..a10d695d6be 100644 --- a/pilot/test/integration/routing.go +++ b/pilot/test/integration/routing.go @@ -26,6 +26,7 @@ import ( // TODO(nmittler): Remove this _ "github.com/golang/glog" multierror "github.com/hashicorp/go-multierror" + "istio.io/istio/pkg/log" ) diff --git a/pilot/test/integration/routingToEgress.go b/pilot/test/integration/routingToEgress.go index 62cc6f69dea..6e67ce40199 100644 --- a/pilot/test/integration/routingToEgress.go +++ b/pilot/test/integration/routingToEgress.go @@ -24,6 +24,7 @@ import ( // TODO(nmittler): Remove this _ "github.com/golang/glog" multierror "github.com/hashicorp/go-multierror" + "istio.io/istio/pkg/log" ) diff --git a/pkg/log/config.go b/pkg/log/config.go index 9e0c32a5a29..bf88a489c99 100644 --- a/pkg/log/config.go +++ b/pkg/log/config.go @@ -53,7 +53,6 @@ package log import ( "github.com/natefinch/lumberjack" - "go.uber.org/zap" "go.uber.org/zap/zapcore" "go.uber.org/zap/zapgrpc" diff --git a/tests/e2e/framework/kubernetes.go b/tests/e2e/framework/kubernetes.go index 90155a53b32..96fe6c6b9aa 100644 --- a/tests/e2e/framework/kubernetes.go +++ b/tests/e2e/framework/kubernetes.go 
@@ -54,6 +54,7 @@ var ( authEnable = flag.Bool("auth_enable", false, "Enable auth") localCluster = flag.Bool("use_local_cluster", false, "Whether the cluster is local or not") skipSetup = flag.Bool("skip_setup", false, "Skip namespace creation and istio cluster setup") + skipDelete = flag.Bool("skip_delete", false, "Skip namespace deletion, for ephemeral machines and to debug after test") initializerFile = flag.String("initializer_file", istioInitializerFile, "Initializer yaml file") clusterWide = flag.Bool("cluster_wide", false, "Run cluster wide tests") @@ -147,7 +148,7 @@ func (k *KubeInfo) Setup() error { func (k *KubeInfo) Teardown() error { log.Info("Cleaning up kubeInfo") - if *skipSetup { + if *skipSetup || *skipCleanup { return nil } diff --git a/tests/istio.mk b/tests/istio.mk index ccd25e13c67..79f5a06aa88 100644 --- a/tests/istio.mk +++ b/tests/istio.mk @@ -1,5 +1,4 @@ # Test-specific targets, included from top Makefile - ifeq (${TEST_ENV},minikube) # In minikube env we don't need to push the images to dockerhub or gcr, it is all local, 
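Review bot: `Teardown` tests `*skipCleanup`, but the flag this patch adds to the `var` block is `skipDelete`, and no `skipCleanup` is declared in the lines shown. Unless that name exists elsewhere in the file this does not compile; if it does exist, `--skip_delete` (which the CircleCI e2e steps pass) is parsed but has no effect on teardown. The condition should be `if *skipSetup || *skipDelete {`. Teardown's body continues outside the hunk.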
@@ -58,15 +57,17 @@ e2e: istioctl # Simple e2e test using fortio, approx 2 min e2e_simple: istioctl - echo "=== E2E testing with ${TAG} and ${HUB}" + @echo "=== E2E testing with ${TAG} and ${HUB}" go test -v ${TEST_ARGS:-} ./tests/e2e/tests/simple -args ${E2E_ARGS} --mixer_tag ${TAG} --pilot_tag ${TAG} --ca_tag ${TAG} \ --mixer_hub ${HUB} --pilot_hub ${HUB} --ca_hub ${HUB} e2e_mixer: istioctl - go test -v ${TEST_ARGS:-} ./tests/e2e/tests/mixer -args ${E2E_ARGS} + go test -v ${TEST_ARGS:-} ./tests/e2e/tests/mixer -args ${E2E_ARGS} --mixer_tag ${TAG} --pilot_tag ${TAG} --ca_tag ${TAG} \ + --mixer_hub ${HUB} --pilot_hub ${HUB} --ca_hub ${HUB} e2e_bookinfo: istioctl - go test -v ${TEST_ARGS:-} ./tests/e2e/tests/bookinfo -args ${E2E_ARGS} + go test -v ${TEST_ARGS:-} ./tests/e2e/tests/bookinfo -args ${E2E_ARGS} --mixer_tag ${TAG} --pilot_tag ${TAG} --ca_tag ${TAG} \ + --mixer_hub ${HUB} --pilot_hub ${HUB} --ca_hub ${HUB} e2e_all: e2e_simple e2e_mixer e2e_bookinfo diff --git a/tests/k8s/helper.go b/tests/k8s/helper.go index d15ed1e0d79..702cc8fb027 100644 --- a/tests/k8s/helper.go +++ b/tests/k8s/helper.go @@ -1,3 +1,18 @@ +// Copyright 2017 Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package k8s provides helpers for testing k8s package k8s import ( diff --git a/tools/deb/envoy.json b/tools/deb/envoy.json new file mode 100644 index 00000000000..e9d3ee6b465 --- /dev/null +++ b/tools/deb/envoy.json 
@@ -0,0 +1,77 @@ +{ + "listeners": [ + ], + "lds": { + "cluster": "lds", + "refresh_delay_ms": 10000 + }, + "admin": { + "access_log_path": "/dev/null", + "address": "tcp://0.0.0.0:15000" + }, + "cluster_manager": { + "clusters": [ + { + "name": "rds", + "connect_timeout_ms": 1000, + "type": "strict_dns", + "lb_type": "round_robin", + "hosts": [ + { + "url": "tcp://istio-pilot:15003" + } + ] + }, + { + "name": "lds", + "connect_timeout_ms": 1000, + "type": "strict_dns", + "lb_type": "round_robin", + "hosts": [ + { + "url": "tcp://istio-pilot:15003" + } + ] + }, + { + "name": "local8000", + "connect_timeout_ms": 5000, + "type": "strict_dns", + "lb_type": "round_robin", + "hosts": [ + { + "url": "tcp://localhost:8000" + } + ] + } + ], + "sds": { + "cluster": { + "name": "sds", + "connect_timeout_ms": 1000, + "type": "strict_dns", + "lb_type": "round_robin", + "hosts": [ + { + "url": "tcp://istio-pilot:15003" + } + ] + }, + "refresh_delay_ms": 10000 + }, + "cds": { + "cluster": { + "name": "cds", + "connect_timeout_ms": 1000, + "type": "strict_dns", + "lb_type": "round_robin", + "hosts": [ + { + "url": "tcp://istio-pilot:15003" + } + ] + }, + "refresh_delay_ms": 10000 + } + } +} diff --git a/tools/deb/istio-iptables.sh b/tools/deb/istio-iptables.sh new file mode 100755 index 00000000000..2d96f5b5323 --- /dev/null +++ b/tools/deb/istio-iptables.sh 
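Review bot: The `admin` block binds Envoy's admin listener to `tcp://0.0.0.0:15000`, which on a VM install exposes the unauthenticated admin endpoint (stats and cluster dumps, log-level changes, shutdown) on every interface. Nothing in tools/deb/istio-iptables.sh restricts that port. Bind it to loopback, `"address": "tcp://127.0.0.1:15000"`, and let operators who need remote access tunnel to it. The four pilot clusters use plain `tcp://istio-pilot:15003` with no TLS settings; since istio-start.sh describes this config as debugging-only, the package description should say so too.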
@@ -0,0 +1,181 @@ +#!/bin/bash +# +# Copyright 2017 Istio Authors. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ +# +# Initialization script responsible for setting up port forwarding for Istio sidecar. + +# Based on pilot/docker/prepare_proxy.sh - but instead of capturing all traffic, only capture +# configured ranges. +# Compared to the K8S docker sidecar: +# - use config files - manual or pushed by an config system. +# - fine grain control over what inbound ports are captured +# - more control over what outbound traffic is captured +# - can be run multiple times, will cleanup previous rules +# - the "clean" option will remove all rules it previously added. + +# After more testing, the goal is to replace and unify the script in K8S - by generating +# the sidecar image using the .deb file created by proxy. + +function usage() { + echo "${0} -p PORT -u UID [-h]" + echo '' + echo ' -p: Specify the envoy port to which redirect all TCP traffic (default $ENVOY_PORT = 150001)' + echo ' -u: Specify the UID of the user for which the redirection is not' + echo ' applied. 
Typically, this is the UID of the proxy container (default to uid of $ENVOY_USER, uid of istio_proxy, or 1337)' + echo ' -i: Comma separated list of IP ranges in CIDR form to redirect to envoy (optional)' + echo '' + echo 'Using environment variables in $ISTIO_SIDECAR_CONFIG (default: /var/lib/istio/envoy/sidecar.env)' +} + +set -o nounset +set -o pipefail +IFS=, + +# The cluster env can be used for common cluster settings, pushed to all VMs in the cluster. +# This allows separating per-machine settings (the list of inbound ports, local path overrides) from cluster wide +# settings (CIDR range) +ISTIO_CLUSTER_CONFIG=${ISTIO_CLUSTER_CONFIG:-/var/lib/istio/envoy/cluster.env} +if [ -r ${ISTIO_CLUSTER_CONFIG} ]; then + . ${ISTIO_CLUSTER_CONFIG} +fi + +ISTIO_SIDECAR_CONFIG=${ISTIO_SIDECAR_CONFIG:-/var/lib/istio/envoy/sidecar.env} +if [ -r ${ISTIO_SIDECAR_CONFIG} ]; then + . ${ISTIO_SIDECAR_CONFIG} +fi + +# TODO: load all files from a directory, similar with ufw, to make it easier for automated install scripts +# Ideally we should generate ufw (and similar) configs as well, in case user already has an iptables solution. + +IP_RANGES_INCLUDE=${ISTIO_SERVICE_CIDR:-} + +while getopts ":p:u:e:i:h" opt; do + case ${opt} in + p) + ENVOY_PORT=${OPTARG} + ;; + u) + ENVOY_UID=${OPTARG} + ;; + i) + IP_RANGES_INCLUDE=${OPTARG} + ;; + h) + usage + exit 0 + ;; + \?) + echo "Invalid option: -$OPTARG" >&2 + usage + exit 1 + ;; + esac +done + + +# TODO: more flexibility - maybe a whitelist of users to be captured for output instead of +# a blacklist. +if [ -z "${ENVOY_UID:-}" ]; then + # Default to the UID of ENVOY_USER and root + ENVOY_UID=$(id -u ${ENVOY_USER:-istio-proxy}) + if [ $? -ne 0 ]; then + echo "Invalid istio user $ENVOY_UID $ENVOY_USER" + exit 1 + fi + # If ENVOY_UID is not explicitly defined (as it would be in k8s env), we add root to the list, + # for ca agent. + ENVOY_UID=${ENVOY_UID},0 +fi + +# Remove the old chains, to generate new configs. 
+iptables -t nat -D PREROUTING -p tcp -j ISTIO_INBOUND 2>/dev/null +iptables -t nat -D OUTPUT -p tcp -j ISTIO_OUTPUT 2>/dev/null + +# Flush and delete the istio chains +iptables -t nat -F ISTIO_OUTPUT 2>/dev/null +iptables -t nat -X ISTIO_OUTPUT 2>/dev/null +iptables -t nat -F ISTIO_INBOUND 2>/dev/null +iptables -t nat -X ISTIO_INBOUND 2>/dev/null +iptables -t nat -F ISTIO_REDIRECT 2>/dev/null +iptables -t nat -X ISTIO_REDIRECT 2>/dev/null + +if [ "${1:-}" = "clean" ]; then + # Only cleanup, don't add new rules. + exit 0 +fi + +# Create a new chain for redirecting inbound traffic to the common Envoy port. +# In the ISTIO_INBOUND and ISTIO_OUTBOUND chains, '-j RETURN' bypasses Envoy +# and '-j ISTIO_REDIRECT' redirects to Envoy. +iptables -t nat -N ISTIO_REDIRECT +iptables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-port ${ENVOY_PORT:-15001} + +# Handling of inbound ports. Traffic will be redirected to Envoy, which will process and forward +# to the local service. If not set, no inbound port will be intercepted by istio iptables. +if [ -n "${ISTIO_INBOUND_PORTS:-}" ]; then + iptables -t nat -N ISTIO_INBOUND + iptables -t nat -A PREROUTING -p tcp -j ISTIO_INBOUND + + # Makes sure SSH is not redirectred + iptables -t nat -A ISTIO_INBOUND -p tcp --dport 22 -j RETURN + + if [ "${ISTIO_INBOUND_PORTS:-}" == "*" ]; then + for port in ${ISTIO_LOCAL_EXCLUDE_PORTS:-}; do + iptables -t nat -A ISTIO_INBOUND -p tcp --dport ${port} -j RETURN + done + iptables -t nat -A ISTIO_INBOUND -p tcp -j ISTIO_REDIRECT + else + for port in ${ISTIO_INBOUND_PORTS}; do + iptables -t nat -A ISTIO_INBOUND -p tcp --dport ${port} -j ISTIO_REDIRECT + done + fi +fi + +# TODO: change the default behavior to not intercept any output - user may use http_proxy or another +# iptables wrapper (like ufw). Current default is similar with 0.1 + +# Create a new chain for selectively redirecting outbound packets to Envoy. 
+iptables -t nat -N ISTIO_OUTPUT + +# Jump to the ISTIO_OUTPUT chain from OUTPUT chain for all tcp traffic. +iptables -t nat -A OUTPUT -p tcp -j ISTIO_OUTPUT + +# Redirect app calls to back itself via Envoy when using the service VIP or endpoint +# address, e.g. appN => Envoy (client) => Envoy (server) => appN. +iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -j ISTIO_REDIRECT + +for uid in ${ENVOY_UID}; do + # Avoid infinite loops. Don't redirect Envoy traffic directly back to + # Envoy for non-loopback traffic. + iptables -t nat -A ISTIO_OUTPUT -m owner --uid-owner ${uid} -j RETURN +done + +# Skip redirection for Envoy-aware applications and +# container-to-container traffic both of which explicitly use +# localhost. +iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN + +IFS=, +if [ -n "${IP_RANGES_INCLUDE:-}" ]; then + for cidr in ${IP_RANGES_INCLUDE}; do + iptables -t nat -A ISTIO_OUTPUT -d ${cidr} -j ISTIO_REDIRECT + done + iptables -t nat -A ISTIO_OUTPUT -j RETURN +else + iptables -t nat -A ISTIO_OUTPUT -j ISTIO_REDIRECT +fi + diff --git a/tools/deb/istio-start.sh b/tools/deb/istio-start.sh new file mode 100755 index 00000000000..bda61cec234 --- /dev/null +++ b/tools/deb/istio-start.sh 
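Review bot: None of the iptables calls after the cleanup block is checked, and the script sets `nounset` and `pipefail` but not `errexit`, so a failing `-N` or `-A` (bad port or CIDR in sidecar.env, missing kernel module) still ends with exit 0 and a partial rule set, after which istio-start.sh starts the proxy with traffic only partly captured. Add `set -o errexit` directly after the `clean` early exit, which leaves the deliberately silenced deletes above it unaffected. `usage` states the default port as 150001 and the default user as istio_proxy while the code uses 15001 and istio-proxy, and getopts accepts `-e` with no matching case. The "Invalid istio user" message expands `$ENVOY_USER`, which aborts under `nounset` when that variable is unset; use `${ENVOY_USER:-istio-proxy}` there. Only IPv4 rules are installed, so a comment stating that IPv6 traffic is not redirected would help operators.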
@@ -0,0 +1,71 @@
+#!/bin/bash
+#
+# Copyright 2017 Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+#
+# Script to configure and start the Istio sidecar.
+
+set -e
+
+# Load optional config variables
+ISTIO_SIDECAR_CONFIG=${ISTIO_SIDECAR_CONFIG:-/var/lib/istio/envoy/sidecar.env}
+if [[ -r ${ISTIO_SIDECAR_CONFIG} ]]; then
+ . $ISTIO_SIDECAR_CONFIG
+fi
+
+# Load config variables ISTIO_SYSTEM_NAMESPACE, CONTROL_PLANE_AUTH_POLICY
+ISTIO_CLUSTER_CONFIG=${ISTIO_CLUSTER_CONFIG:-/var/lib/istio/envoy/cluster.env}
+if [[ -r ${ISTIO_CLUSTER_CONFIG} ]]; then
+ . $ISTIO_CLUSTER_CONFIG
+fi
+
+# Set defaults
+ISTIO_BIN_BASE=${ISTIO_BIN_BASE:-/usr/local/bin}
+ISTIO_LOG_DIR=${ISTIO_LOG_DIR:-/var/log/istio}
+ISTIO_CFG=${ISTIO_CFG:-/var/lib/istio}
+NS=${ISTIO_NAMESPACE:-default}
+SVC=${ISTIO_SERVICE:-rawvm}
+ISTIO_SYSTEM_NAMESPACE=${ISTIO_SYSTEM_NAMESPACE:-istio-system}
+ISTIO_PILOT_PORT=${ISTIO_PILOT_PORT:-15003}
+CONTROL_PLANE_AUTH_POLICY=${CONTROL_PLANE_AUTH_POLICY:-MUTUAL_TLS}
+
+
+if [ -z "${ISTIO_SVC_IP:-}" ]; then
+ ISTIO_SVC_IP=$(hostname --ip-address)
+fi
+
+if [ -z "${POD_NAME:-}" ]; then
+ POD_NAME=$(hostname -s)
+fi
+
+# Init option will only initialize iptables. Can be used
+if [[ ${1-} == "init" || ${1-} == "-p" ]] ; then
+ # Update iptables, based on current config. This is for backward compatibility with the init image mode.
+ # The sidecar image can replace the k8s init image, to avoid downloading 2 different images.
+ ${ISTIO_BIN_BASE}/istio-iptables.sh "${@}"
+ exit 0
+fi
+
+# Update iptables, based on config file
+${ISTIO_BIN_BASE}/istio-iptables.sh
+
+if [ -f ${ISTIO_BIN_BASE}/pilot-agent ]; then
+ exec su -s /bin/bash -c "INSTANCE_IP=${ISTIO_SVC_IP} POD_NAME=${POD_NAME} POD_NAMESPACE=${NS} exec ${ISTIO_BIN_BASE}/pilot-agent proxy --serviceCluster $SVC --discoveryAddress istio-pilot.${ISTIO_SYSTEM_NAMESPACE}:${ISTIO_PILOT_PORT} --controlPlaneAuthPolicy $CONTROL_PLANE_AUTH_POLICY 2> ${ISTIO_LOG_DIR}/istio.err.log > ${ISTIO_LOG_DIR}/istio.log" istio-proxy
+else
+ ENVOY_CFG=${ENVOY_CFG:-${ISTIO_CFG}/envoy/envoy.json}
+ # Run envoy directly - agent not installed. This should be used only for debugging/testing standalone envoy
+ exec su -s /bin/bash -c "exec ${ISTIO_BIN_BASE}/envoy -c $ENVOY_CFG --restart-epoch 0 --drain-time-s 2 --parent-shutdown-time-s 3 --service-cluster $SVC --service-node 'sidecar~${ISTIO_SVC_IP}~${POD_NAME}.${NS}.svc.cluster.local~${NS}.svc.cluster.local' $ISTIO_DEBUG >${ISTIO_LOG_DIR}/istio.log" istio-proxy
+fi
diff --git a/tools/deb/istio.service b/tools/deb/istio.service
new file mode 100644
index 00000000000..fd4d29e17ad
--- /dev/null
+++ b/tools/deb/istio.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=istio-sidecar: The Istio sidecar
+Documentation=http://istio.io/
+
+[Service]
+ExecStart=/usr/local/bin/istio-start.sh
+Restart=always
+StartLimitInterval=0
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
diff --git a/tools/deb/postinst.sh b/tools/deb/postinst.sh
new file mode 100755
index 00000000000..da3c2fdb3c7
--- /dev/null
+++ b/tools/deb/postinst.sh
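Review bot: The `. $ISTIO_SIDECAR_CONFIG` and `. $ISTIO_CLUSTER_CONFIG` lines in istio-start.sh source files from /var/lib/istio/envoy while the script is still privileged (the unit in this patch sets no `User=`, and the script goes on to run istio-iptables.sh and `su`), yet postinst.sh in the same patch chowns /var/lib/istio/envoy to istio-proxy. Anything running as the service account can therefore replace sidecar.env or cluster.env in that directory and have its contents executed with the start script's privileges on the next restart. Keep the sourced files in a root-owned directory, or leave /var/lib/istio/envoy owned by root and hand istio-proxy only the paths Envoy must write, and quote the path: `. "$ISTIO_SIDECAR_CONFIG"`. The same values are later interpolated unquoted into the two `su -c "..."` command strings, so they need to be root-trusted input throughout.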
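Review bot: Nothing in istio.service removes the NAT redirect rules that istio-start.sh installs before it execs the proxy, so after a stop, and during every `RestartSec=10` gap, TCP traffic is still redirected to the Envoy port with nothing listening on it. If that fail-closed behaviour is intended, state it in a comment in the unit so operators do not mistake it for an outage. If it is not, istio-iptables.sh already has a `clean` mode and `ExecStopPost=/usr/local/bin/istio-iptables.sh clean` would call it; that path assumes the default ISTIO_BIN_BASE.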
@@ -0,0 +1,43 @@
+#!/bin/bash
+#
+# Copyright 2017 Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+set -e
+
+action="$1"
+oldversion="$2"
+
+umask 022
+
+if ! getent passwd istio-proxy >/dev/null; then
+ addgroup --system istio-proxy
+ adduser --system --group --home /var/lib/istio istio-proxy
+fi
+
+if [ ! -e /etc/istio ]; then
+ # Backward compat.
+ ln -s /var/lib/istio /etc/istio
+fi
+
+mkdir -p /var/lib/istio/envoy
+mkdir -p /var/lib/istio/proxy
+mkdir -p /var/lib/istio/config
+mkdir -p /var/log/istio
+
+touch /var/lib/istio/config/mesh
+
+chown istio-proxy.istio-proxy /var/lib/istio/envoy /var/lib/istio/config /var/log/istio /var/lib/istio/config/mesh /var/lib/istio/proxy
+
diff --git a/tools/deb/sidecar.env b/tools/deb/sidecar.env
new file mode 100644
index 00000000000..72d728ded61
--- /dev/null
+++ b/tools/deb/sidecar.env
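Review bot: The final `chown istio-proxy.istio-proxy …` in postinst.sh uses the dot separator, which chown accepts only for compatibility and which is ambiguous when a user name contains a dot; write `chown istio-proxy:istio-proxy …` instead. `action` and `oldversion` are assigned from `$1` and `$2` but never read, so the body runs the same way for every maintainer-script invocation. Either drop the two assignments or add a comment saying which invocations are expected to run the body.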
@@ -0,0 +1,53 @@
+# Environment variables used to configure istio startup
+
+# Comma separated list of CIDRs used for services. If set, iptables will be run to allow istio
+# sidecar to intercept outbound calls to configured addresses. If not set, outbound istio sidecar
+# will not be used via iptables.
+# ISTIO_SERVICE_CIDR=
+
+# Name of the service exposed by the machine.
+# ISTIO_SERVICE=myservice
+
+# Comma separated list of local ports that will use Istio sidecar for inbound services.
+# If set, iptables rules will be configured to intercept inbound traffic and redirect to sidecar.
+# If not set, no rules will be enabled
+# ISTIO_INBOUND_PORTS=
+
+# List of ports to exclude from inbound interception, if ISTIO_INBOUND_PORTS is set to *
+# Port 22 is automatically excluded
+# ISTIO_INBOUND_EXCLUDE_PORTS=
+
+# Namespace of the cluster.
+# ISTIO_NAMESPACE=default
+
+# Specify the IP address used in endpoints. If not set, 'hostname --ip-address' will be used.
+# Needed if the host has multiple IP.
+# ISTIO_SVC_IP=
+
+
+
+# Fine tunning - useful if installing/building binaries instead of using the .deb file, or running
+# multiple instances.
+
+# Port used by Envoy. Defaults to 15001, used in the autogenerated config
+# ENVOY_PORT=15001
+
+# User running Envoy. For testing you can use a regular user ID - however running iptables requires
+# root or netadmin capability. The debian file creates user istio.
+# ENVOY_USER=istio-proxy
+
+# Uncomment to enable debugging
+# ISTIO_DEBUG="-l debug"
+
+# Directory for stdout redirection. The redirection is required because envoy attempts to open
+# /dev/stdout - must be a real file. Will be used for access logs. Additional config for logsaver
+# needs to be made, envoy reopens the file on SIGUSR1
+# ISTIO_LOG_DIR=/var/log/istio
+
+# Installation directory for istio binaries, customize in case you're using a binary.
+# This is likely to change - current path matches the docker layout in 0.1
+# ISTIO_BIN_BASE=/usr/local/bin
+
+# Location of istio configs.
+# ISTIO_CFG=/var/lib/istio
+
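Review bot: Several settings documented in sidecar.env do not match what the scripts in this patch read, so an operator who follows the file gets a different interception scope and no error. The file offers `# ISTIO_INBOUND_EXCLUDE_PORTS=`, but the visible part of istio-iptables.sh loops over `ISTIO_LOCAL_EXCLUDE_PORTS`; the documented line should be `# ISTIO_LOCAL_EXCLUDE_PORTS=` unless the script maps the name in its earlier part, which is not shown here. The ISTIO_SERVICE_CIDR comment says that when unset the outbound sidecar "will not be used via iptables", whereas the `else` branch of the `IP_RANGES_INCLUDE` check appends `-j ISTIO_REDIRECT` for all outbound TCP. ISTIO_INBOUND_PORTS is described as comma separated, yet the `for port in ${ISTIO_INBOUND_PORTS}` loop runs before `IFS=,` is set, which suggests a space-separated list is what actually works. The ENVOY_USER comment says the package creates user `istio`, while postinst.sh creates `istio-proxy`.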