louiscryan
diff --git a/‎.circleci/config.yml‎
Lines changed: 3 additions & 3 deletions b/‎.circleci/config.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.codecov.yml‎
Lines changed: 2 additions & 0 deletions b/‎.codecov.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎codecov.skip‎
Lines changed: 0 additions & 1 deletion b/‎codecov.skip‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎galley/pkg/crd/validation/endpoint.go‎
Lines changed: 21 additions & 12 deletions b/‎galley/pkg/crd/validation/endpoint.go‎
Lines changed: 21 additions & 12 deletions
diff --git a/‎galley/pkg/crd/validation/validation.go‎
Lines changed: 1 addition & 1 deletion b/‎galley/pkg/crd/validation/validation.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎install/kubernetes/helm/istio-remote/templates/sidecar-injector-configmap.yaml‎
Lines changed: 4 additions & 3 deletions b/‎install/kubernetes/helm/istio-remote/templates/sidecar-injector-configmap.yaml‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎install/kubernetes/helm/istio-remote/values.yaml‎
Lines changed: 2 additions & 1 deletion b/‎install/kubernetes/helm/istio-remote/values.yaml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎install/kubernetes/helm/istio/templates/configmap.yaml‎
Lines changed: 9 additions & 1 deletion b/‎install/kubernetes/helm/istio/templates/configmap.yaml‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎install/kubernetes/helm/istio/templates/sidecar-injector-configmap.yaml‎
Lines changed: 4 additions & 3 deletions b/‎install/kubernetes/helm/istio/templates/sidecar-injector-configmap.yaml‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎install/kubernetes/helm/istio/values.yaml‎
Lines changed: 3 additions & 1 deletion b/‎install/kubernetes/helm/istio/values.yaml‎
Lines changed: 3 additions & 1 deletion
@@ -236,7 +236,7 @@ jobs:
               # Should only happen when re-running a job, and the workspace is gone
               time make build test-bins
             fi
-            make docker.all generate_yaml
+            make docker.all generate_e2e_test_yaml
       - run: bin/testEnvRootMinikube.sh wait
       - run: docker images
       - run:
@@ -272,7 +272,7 @@ jobs:
               # Should only happen when re-running a job, and the workspace is gone
               time make build test-bins
             fi
-            make docker.all generate_yaml
+            make docker.all generate_e2e_test_yaml
       - run: bin/testEnvRootMinikube.sh wait
       - run: docker images
       - run:
@@ -485,7 +485,7 @@ jobs:
               export PATH=$GOPATH/bin:$PATH
               make localTestEnv
               set -o pipefail
-              make test.integration T=-v | tee -a /go/out/tests/build-log.txt
+              make test.integration.local T=-v | tee -a /go/out/tests/build-log.txt
         - <<: *recordZeroExitCodeIfTestPassed
         - <<: *recordNonzeroExitCodeIfTestFailed
         - <<: *markJobFinishesOnGCS
 
@@ -3,6 +3,8 @@ coverage:
   round: up
   range: 60..99
   ignore:
+    - "mixer/test"
+    - "mixer/template"
     - "**/*.pb.go" # Auto-generated proto files
     - "tests/" # Test infrastructure coverage does not affect core coverage
     - "**/test/*.go"
 
@@ -4,7 +4,6 @@ istio.io/istio/mixer/pkg/mockapi
 istio.io/istio/mixer/pkg/perf
 istio.io/istio/mixer/pkg/runtime/testing
 istio.io/istio/mixer/template/sample
-istio.io/istio/mixer/test
 istio.io/istio/mixer/tools/codegen
 istio.io/istio/pilot/test
 istio.io/istio/pkg/mcp/testing
 
@@ -39,7 +39,10 @@ func endpointReady(store cache.KeyGetter, queue workqueue.RateLimitingInterface,
 	if err != nil || !exists {
 		return endpointCheckNotReady
 	}
-	endpoints := item.(*v1.Endpoints)
+	endpoints, ok := item.(*v1.Endpoints)
+	if !ok {
+		return endpointCheckNotReady
+	}
 	if len(endpoints.Subsets) == 0 {
 		scope.Warnf("%s/%v endpoint not ready: no subsets", namespace, name)
 		return endpointCheckNotReady
@@ -65,9 +68,6 @@ func (wh *Webhook) waitForEndpointReady(stopCh <-chan struct{}) (shutdown bool)
 		}
 	}()
 
-	controllerStopCh := make(chan struct{})
-	defer close(controllerStopCh)
-
 	queue := workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter())
 	defer queue.ShutDown()
 
@@ -97,21 +97,30 @@ func (wh *Webhook) waitForEndpointReady(stopCh <-chan struct{}) (shutdown bool)
 			},
 		},
 	)
-	go controller.Run(stopCh)
+
+	controllerStopCh := make(chan struct{})
+	defer close(controllerStopCh)
+	go controller.Run(controllerStopCh)
 
 	if !cache.WaitForCacheSync(stopCh, controller.HasSynced) {
+		scope.Errorf("wait for cache sync failed")
 		return true
 	}
 
 	for {
-		ready := endpointReady(store, queue, wh.deploymentAndServiceNamespace, wh.serviceName)
-		switch ready {
-		case endpointCheckShutdown:
+		select {
+		case <-stopCh:
 			return true
-		case endpointCheckReady:
-			return false
-		case endpointCheckNotReady:
-			// continue waiting for endpoint to be ready
+		default:
+			ready := endpointReady(store, queue, wh.deploymentAndServiceNamespace, wh.serviceName)
+			switch ready {
+			case endpointCheckShutdown:
+				return true
+			case endpointCheckReady:
+				return false
+			case endpointCheckNotReady:
+				// continue waiting for endpoint to be ready
+			}
 		}
 	}
 }
@@ -70,7 +70,7 @@ func createMixerValidator() store.BackendValidator {
 func webhookHTTPSHandlerReady(client httpClient, vc *WebhookParameters) error {
 	readinessURL := &url.URL{
 		Scheme: "https",
-		Host:   fmt.Sprintf("localhost:%v", vc.Port),
+		Host:   fmt.Sprintf("127.0.0.1:%v", vc.Port),
 		Path:   httpsHandlerReadyPath,
 	}
 
 
@@ -13,6 +13,7 @@ metadata:
 data:
   config: |-
     policy: {{ .Values.global.proxy.autoInject }}
+    rewriteAppHTTPProbe: {{ .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe }}
     template: |-
 {{- if or (not .Values.istio_cni.enabled) .Values.global.proxy.enableCoreDump }}
       initContainers:
@@ -170,7 +171,7 @@ data:
             - NET_ADMIN
           runAsGroup: 1337
           {{ "[[ else -]]" }}
-          {{ if and .Values.global.sds.enabled .Values.global.sds.enableTokenMount }}
+          {{ if and .Values.global.sds.enabled .Values.global.sds.useTrustworthyJwt }}
           runAsGroup: 1337
           {{- end }}
           runAsUser: 1337
@@ -194,7 +195,7 @@ data:
         {{- if .Values.global.sds.enabled }}
         - mountPath: /var/run/sds
           name: sds-uds-path
-        {{- if .Values.global.sds.enableTokenMount }}
+        {{- if .Values.global.sds.useTrustworthyJwt }}
         - mountPath: /var/run/secrets/tokens
           name: istio-token
         {{- end }}
@@ -204,7 +205,7 @@ data:
       - name: sds-uds-path
         hostPath:
           path: /var/run/sds
-      {{- if .Values.global.sds.enableTokenMount }}
+      {{- if .Values.global.sds.useTrustworthyJwt }}
       - name: istio-token
         projected:
           sources:
 
@@ -258,7 +258,8 @@ global:
   sds:
     enabled: false
     udsPath: ""
-    enableTokenMount: false
+    useTrustworthyJwt: false
+    useNormalJwt: false
 
   # Sets an identifier for the remote network to be used for Split Horizon EDS. The network will be sent
   # to the Pilot when connected by the sidecar and will affect the results returned in EDS requests.
 
@@ -60,7 +60,15 @@ data:
     # If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount 
     # for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which 
     # will be used to generate key/cert eventually. This isn't supported for non-k8s case.
-    enableSdsTokenMount: {{ .Values.global.sds.enableTokenMount }}
+    enableSdsTokenMount: {{ .Values.global.sds.useTrustworthyJwt }}
+
+    # This flag is used by secret discovery service(SDS). 
+    # If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' 
+    # (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) 
+    # and pass to sds server, which will be used to request key/cert eventually. 
+    # this flag is ignored if enableSdsTokenMount is set.
+    # This isn't supported for non-k8s case.
+    sdsUseK8sSaJwt: {{ .Values.global.sds.useNormalJwt }}
 
     # The trust domain corresponds to the trust root of a system.
     # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
 
@@ -14,6 +14,7 @@ data:
   config: |-
     policy: {{ .Values.global.proxy.autoInject }}
     template: |-
+      rewriteAppHTTPProbe: {{ .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe }}
 {{- if or (not .Values.istio_cni.enabled) .Values.global.proxy.enableCoreDump }}
       initContainers:
 {{- if not .Values.istio_cni.enabled }}
@@ -202,7 +203,7 @@ data:
             - NET_ADMIN
           runAsGroup: 1337
           {{ "[[ else -]]" }}
-          {{ if and .Values.global.sds.enabled .Values.global.sds.enableTokenMount }}
+          {{ if and .Values.global.sds.enabled .Values.global.sds.useTrustworthyJwt }}
           runAsGroup: 1337
           {{- end }}
           runAsUser: 1337
@@ -226,7 +227,7 @@ data:
         {{- if .Values.global.sds.enabled }}
         - mountPath: /var/run/sds
           name: sds-uds-path
-        {{- if .Values.global.sds.enableTokenMount }}
+        {{- if .Values.global.sds.useTrustworthyJwt }}
         - mountPath: /var/run/secrets/tokens
           name: istio-token
         {{- end }}
@@ -241,7 +242,7 @@ data:
       - name: sds-uds-path
         hostPath:
           path: /var/run/sds
-      {{- if .Values.global.sds.enableTokenMount }}
+      {{- if .Values.global.sds.useTrustworthyJwt }}
       - name: istio-token
         projected:
           sources:
 
@@ -11,6 +11,7 @@ gateways:
 #
 sidecarInjectorWebhook:
   enabled: true
+  rewriteAppHTTPProbe: false
 
 #
 # galley configuration, refer to charts/galley/values.yaml
@@ -348,7 +349,8 @@ global:
     # distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
     enabled: false
     udsPath: ""
-    enableTokenMount: false
+    useTrustworthyJwt: false
+    useNormalJwt: false
 
   # Configure the mesh networks to be used by the Split Horizon EDS.
   #
Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ func createMixerValidator() store.BackendValidator {`
`70`	`70`	`func webhookHTTPSHandlerReady(client httpClient, vc *WebhookParameters) error {`
`71`	`71`	`readinessURL := &url.URL{`
`72`	`72`	`Scheme: "https",`
`73`		`- Host: fmt.Sprintf("localhost:%v", vc.Port),`
	`73`	`+ Host: fmt.Sprintf("127.0.0.1:%v", vc.Port),`
`74`	`74`	`Path: httpsHandlerReadyPath,`
`75`	`75`	`}`
`76`	`76`
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ gateways:`
`11`	`11`	`#`
`12`	`12`	`sidecarInjectorWebhook:`
`13`	`13`	`enabled: true`
	`14`	`+ rewriteAppHTTPProbe: false`
`14`	`15`
`15`	`16`	`#`
`16`	`17`	`# galley configuration, refer to charts/galley/values.yaml`
`@@ -348,7 +349,8 @@ global:`
`348`	`349`	`# distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.`
`349`	`350`	`enabled: false`
`350`	`351`	`udsPath: ""`
`351`		`- enableTokenMount: false`
	`352`	`+ useTrustworthyJwt: false`
	`353`	`+ useNormalJwt: false`
`352`	`354`
`353`	`355`	`# Configure the mesh networks to be used by the Split Horizon EDS.`
`354`	`356`	`#`