tetratelabs · psbrar99 · Oct 23, 2023 · Oct 23, 2023 · Oct 23, 2023
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,22 @@
+# Configures Depdendabot to PR go security updates only
+
+version: 2
+updates:
+  # Go configuration for master branch
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    # Limit number of open PRs to 0 so that we only get security updates
+    # See https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates
+    open-pull-requests-limit: 0
+  # Go configuration for release-1.18 branch
+  - package-ecosystem: "gomod"
+    target-branch: "release-1.18"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    # Limit number of open PRs to 0 so that we only get security updates
+    # See https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates
+    open-pull-requests-limit: 0
+
diff --git a/.github/workflows/make_release.yml b/.github/workflows/make_release.yml
diff --git a/tetrateci/1.18/test/skip.d/eks b/tetrateci/1.18/test/skip.d/eks
@@ -21,12 +21,30 @@
 # ```
 #
 # indicates that tests for the package `<pkg>` should not be run at all.
-istio.io/istio/tests/integration/telemetry/stackdriver=*
-istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
-istio.io/istio/tests/integration/telemetry/api=TestAccessLogsMode
-istio.io/istio/tests/integration/pilot=TestGatewayConformance TestIngress/status TestGateway
+
+
 istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt
 istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification
-istio.io/istio/tests/integration/security=TestReachability/global_no_peer_authn TestReachability/migration_tls_mutual TestReachability/migration_no_tls TestReachability/mtls_strict
 istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/pilot=TestGatewayConformance TestTunnelingOutboundTraffic
+istio.io/istio/tests/integration/security=TestAuthz_Namespace TestAuthz_DenyNamespace TestAuthz_NotNamespace TestAuthz_NotMethod TestAuthz_NotPort TestAuthz_DenyPlaintext TestAuthz_Conditions TestAuthz_PathNormalization TestAuthz_CustomServer TestMutualTlsOrigination TestRequestAuthentication TestIngressRequestAuthentication TestNormalization TestPassThroughFilterChain TestReachability    
 istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/telemetry=*
+istio.io/istio/tests/integration/telemetry/api=*
+istio.io/istio/tests/integration/telemetry/common=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/nullvm=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/wasm=*
+istio.io/istio/tests/integration/telemetry/policy=*
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/api=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
+istio.io/istio/tests/integration/telemetry/tracing=*
+istio.io/istio/tests/integration/telemetry/tracing/otelcollector=*
+istio.io/istio/tests/integration/telemetry/tracing/zipkin=*
+
+
+
+
+
+
diff --git a/tetrateci/1.18/test/skip.d/eks-arm64 b/tetrateci/1.18/test/skip.d/eks-arm64
@@ -21,11 +21,22 @@
 # ```
 #
 # indicates that tests for the package `<pkg>` should not be run at all.
-istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification
-istio.io/istio/tests/integration/pilot=TestGatewayConformance
 istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt
+istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification
 istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/pilot=TestGatewayConformance TestTunnelingOutboundTraffic
+istio.io/istio/tests/integration/security=TestAuthz_Namespace TestAuthz_DenyNamespace TestAuthz_NotNamespace TestAuthz_NotMethod TestAuthz_NotPort TestAuthz_DenyPlaintext TestAuthz_Conditions TestAuthz_PathNormalization TestAuthz_CustomServer TestMutualTlsOrigination TestRequestAuthentication TestIngressRequestAuthentication TestNormalization TestPassThroughFilterChain TestReachability    
 istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/telemetry=*
+istio.io/istio/tests/integration/telemetry/api=*
+istio.io/istio/tests/integration/telemetry/common=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/nullvm=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/wasm=*
+istio.io/istio/tests/integration/telemetry/policy=*
 istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/api=*
 istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
-istio.io/istio/tests/integration/telemetry_envoyfilter_nullvm=TestDashboard
+istio.io/istio/tests/integration/telemetry/tracing=*
+istio.io/istio/tests/integration/telemetry/tracing/otelcollector=*
+istio.io/istio/tests/integration/telemetry/tracing/zipkin=*
diff --git a/tetrateci/1.18/test/skip.d/gke b/tetrateci/1.18/test/skip.d/gke
@@ -22,16 +22,22 @@
 #
 # indicates that tests for the package `<pkg>` should not be run at all.
 
-istio.io/istio/tests/integration/pilot=TestGateway TestIngress TestDescribe TestTraffic TestGatewayConformance TestTunnelingOutboundTraffic
-istio.io/istio/tests/integration/pilot/revisioncmd=*
-istio.io/istio/tests/integration/helm=*
+istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt
+istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification
 istio.io/istio/tests/integration/helm/upgrade=*
-istio.io/istio/tests/integration/security=TestReachability/beta-mtls-off TestAuthz_EgressGateway TestReachability/global_no_peer_authn/http
+istio.io/istio/tests/integration/pilot=TestGatewayConformance TestTunnelingOutboundTraffic
+istio.io/istio/tests/integration/security=TestAuthz_Namespace TestAuthz_DenyNamespace TestAuthz_NotNamespace TestAuthz_NotMethod TestAuthz_NotPort TestAuthz_DenyPlaintext TestAuthz_Conditions TestAuthz_PathNormalization TestAuthz_CustomServer TestMutualTlsOrigination TestRequestAuthentication TestIngressRequestAuthentication TestNormalization TestPassThroughFilterChain TestReachability    
 istio.io/istio/tests/integration/security/sds_ingress/quic=*
-istio.io/istio/tests/integration/security/mtls_first_party_jwt=*
-istio.io/istio/tests/integration/security/https_jwt=TestJWTHTTPS/jwt-authn/a/to_b/valid-token-forward-remote-jwks
-istio.io/istio/tests/integration/security/filebased_tls_origination=TestEgressGatewayTls
-istio.io/istio/tests/integration/telemetry/outboundtrafficpolicy=*
-istio.io/istio/tests/integration/telemetry/stats/prometheus/nullvm=*
-istio.io/istio/tests/integration/telemetry/stats/prometheus/wasm=*
+istio.io/istio/tests/integration/telemetry=*
+istio.io/istio/tests/integration/telemetry/api=*
+istio.io/istio/tests/integration/telemetry/common=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/nullvm=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/wasm=*
+istio.io/istio/tests/integration/telemetry/policy=*
 istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/api=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
+istio.io/istio/tests/integration/telemetry/tracing=*
+istio.io/istio/tests/integration/telemetry/tracing/otelcollector=*
+istio.io/istio/tests/integration/telemetry/tracing/zipkin=*
diff --git a/tetrateci/1.19/test/skip.d/eks b/tetrateci/1.19/test/skip.d/eks
@@ -0,0 +1,52 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# <pkg>=<test1> <test2> <test3> ...
+# ```
+#
+# where
+# 1. <pkg>   - is a name of a package with Istio e2e tests, e.g.
+#              `istio.io/istio/tests/integration/pilot`
+# 2. <testN> - is a regexp that matches unit tests to skip, e.g.
+#              'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+#              Each `<testN>` value will be translated into the
+#              `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# <pkg>=*
+# ```
+#
+# indicates that tests for the package `<pkg>` should not be run at all.
+
+
+istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt
+istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/pilot=TestGatewayConformance TestTunnelingOutboundTraffic TestGateway TestIngress
+istio.io/istio/tests/integration/security=TestAuthz_Namespace TestAuthz_DenyNamespace TestAuthz_NotHost TestAuthz_NotNamespace TestAuthz_NotMethod TestAuthz_NotPort TestAuthz_DenyPlaintext TestAuthz_Conditions TestAuthz_PathNormalization TestAuthz_CustomServer TestMutualTlsOrigination TestRequestAuthentication TestIngressRequestAuthentication TestNormalization TestPassThroughFilterChain TestReachability
+istio.io/istio/tests/integration/security/sds_ingress=*
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/telemetry=*
+istio.io/istio/tests/integration/telemetry/api=*
+istio.io/istio/tests/integration/telemetry/common=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/nullvm=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/wasm=*
+istio.io/istio/tests/integration/telemetry/policy=*
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/api=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
+istio.io/istio/tests/integration/telemetry/tracing=*
+istio.io/istio/tests/integration/telemetry/tracing/otelcollector=*
+istio.io/istio/tests/integration/telemetry/tracing/zipkin=*
+
+
+
+
+
+
+
diff --git a/tetrateci/1.19/test/skip.d/eks-arm64 b/tetrateci/1.19/test/skip.d/eks-arm64
@@ -0,0 +1,43 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# <pkg>=<test1> <test2> <test3> ...
+# ```
+#
+# where
+# 1. <pkg>   - is a name of a package with Istio e2e tests, e.g.
+#              `istio.io/istio/tests/integration/pilot`
+# 2. <testN> - is a regexp that matches unit tests to skip, e.g.
+#              'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+#              Each `<testN>` value will be translated into the
+#              `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# <pkg>=*
+# ```
+#
+# indicates that tests for the package `<pkg>` should not be run at all.
+istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt
+istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/pilot=TestGatewayConformance TestTunnelingOutboundTraffic TestGateway TestIngress TestDescribe
+istio.io/istio/tests/integration/security=TestAuthz_Namespace TestAuthz_DenyNamespace TestAuthz_NotHost TestAuthz_NotNamespace TestAuthz_NotMethod TestAuthz_NotPort TestAuthz_DenyPlaintext TestAuthz_Conditions TestAuthz_PathNormalization TestAuthz_CustomServer TestMutualTlsOrigination TestRequestAuthentication TestIngressRequestAuthentication TestNormalization TestPassThroughFilterChain TestReachability
+istio.io/istio/tests/integration/security/sds_ingress=*
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/telemetry=*
+istio.io/istio/tests/integration/telemetry/api=*
+istio.io/istio/tests/integration/telemetry/common=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/nullvm=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/wasm=*
+istio.io/istio/tests/integration/telemetry/policy=*
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/api=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
+istio.io/istio/tests/integration/telemetry/tracing=*
+istio.io/istio/tests/integration/telemetry/tracing/otelcollector=*
+istio.io/istio/tests/integration/telemetry/tracing/zipkin=*
diff --git a/tetrateci/1.19/test/skip.d/gke b/tetrateci/1.19/test/skip.d/gke
@@ -0,0 +1,44 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# <pkg>=<test1> <test2> <test3> ...
+# ```
+#
+# where
+# 1. <pkg>   - is a name of a package with Istio e2e tests, e.g.
+#              `istio.io/istio/tests/integration/pilot`
+# 2. <testN> - is a regexp that matches unit tests to skip, e.g.
+#              'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+#              Each `<testN>` value will be translated into the
+#              `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# <pkg>=*
+# ```
+#
+# indicates that tests for the package `<pkg>` should not be run at all.
+
+istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt
+istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/pilot=TestGatewayConformance TestTunnelingOutboundTraffic TestGateway TestIngress TestRevisionCommand TestDescribe
+istio.io/istio/tests/integration/security=TestAuthz_Namespace TestAuthz_DenyNamespace TestAuthz_NotHost TestAuthz_NotNamespace TestAuthz_NotMethod TestAuthz_NotPort TestAuthz_DenyPlaintext TestAuthz_Conditions TestAuthz_PathNormalization TestAuthz_CustomServer TestAuthz_EgressGateway TestMutualTlsOrigination TestRequestAuthentication TestIngressRequestAuthentication TestNormalization TestPassThroughFilterChain TestReachability
+istio.io/istio/tests/integration/security/sds_ingress=*  
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/telemetry=*
+istio.io/istio/tests/integration/telemetry/api=*
+istio.io/istio/tests/integration/telemetry/common=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/nullvm=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/wasm=*
+istio.io/istio/tests/integration/telemetry/policy=*
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/api=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
+istio.io/istio/tests/integration/telemetry/tracing=*
+istio.io/istio/tests/integration/telemetry/tracing/otelcollector=*
+istio.io/istio/tests/integration/telemetry/tracing/zipkin=*
diff --git a/tetrateci/create_gke_cluster.sh b/tetrateci/create_gke_cluster.sh
@@ -8,7 +8,7 @@ set -o pipefail
 SHA8=$(git rev-parse --short $GITHUB_SHA)
 SUFFIX=$(sed 's/\.//g' <<< $K8S_VERSION)
 CLUSTER_NAME="test-istio-$SHA8-$SUFFIX"
+export USE_GKE_GCLOUD_AUTH_PLUGIN=True
+gcloud components install gke-gcloud-auth-plugin
 gcloud container clusters create $CLUSTER_NAME --machine-type "n1-standard-4" --num-nodes 3 --region=us-central1-c --enable-network-policy --cluster-version $K8S_VERSION --release-channel "$CHAN"
-gcloud config set container/use_client_certificate False
 gcloud container clusters get-credentials $CLUSTER_NAME --region us-central1-c
-kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user="$(gcloud config get-value core/account)"
diff --git a/tetrateci/create_istio_release.sh b/tetrateci/create_istio_release.sh
@@ -44,9 +44,12 @@ export BUILD_WITH_CONTAINER=0
 if [[ ${TAG} =~ "fips" ]]; then
 	PROXY_DISTROLESS_BASE=$(grep 'as distroless' ${BASEDIR}/pilot/docker/Dockerfile.proxyv2)
 	# Escape '/'
-	PROXY_DISTROLESS_BASE_ESCAPED=$(sed 's/\//\\\//g' <<< ${PROXY_DISTROLESS_BASE})
-	sed -i "s/.*as distroless/${PROXY_DISTROLESS_BASE_ESCAPED}/" ${BASEDIR}/operator/docker/Dockerfile.operator
-        export ISTIO_ENVOY_BASE_URL=https://storage.googleapis.com/getistio-build/proxy-fips
+  PROXY_DISTROLESS_BASE_ESCAPED=$(sed 's/\//\\\//g' <<< ${PROXY_DISTROLESS_BASE})
+  cat ${BASEDIR}/docker/Dockerfile.distroless
+  sed -i "s/.*as distroless/${PROXY_DISTROLESS_BASE_ESCAPED}/" ${BASEDIR}/operator/docker/Dockerfile.operator
+  sed "s/.*as distroless/FROM gcr.io\/distroless\/static-debian11@sha256:7198a357ff3a8ef750b041324873960cf2153c11cc50abb9d8d5f8bb089f6b4e as distroless_source/" ${BASEDIR}/docker/Dockerfile.distroless
+  export ISTIO_ENVOY_BASE_URL=https://storage.googleapis.com/getistio-build/proxy-fips
+  cat ${BASEDIR}/docker/Dockerfile.distroless
 fi
 
 
@@ -133,6 +136,10 @@ if [ ${TAG} =~ "fips" ]; then
 fi
 
 go run main.go publish --release /tmp/istio-release/out --dockerhub $HUB
+
+
+
+
 echo "Cleaning up the istio source artificats...."
 sudo rm -rf /tmp/istio-release/sources/
 
@@ -145,13 +152,25 @@ fi
 
 # If RELEASE, Build Archives
 if [[ -z ${TEST:-} ]]; then
+
+    # IMAGES=(install-cni
+    # proxyv2
+    # operator
+    # istioctl
+    # pilot)
+
+    # IMAGE_SUFFIXES=("" "-debug" "-distroless")
+
+    # for image in "${IMAGES[@]}"; do
+    #   for suffix in "${IMAGE_SUFFIXES[@]}"; do
+    #     DIGEST=$(crane digest $HUB/${image}:${TAG}${suffix})
+    #     cosign sign -y --identity-token=$(gcloud auth print-identity-token --audiences=sigstore --include-email --impersonate-service-account [email protected]) $HUB/${image}@$DIGEST
+    #   done
+    # done
     echo "Building archives..."
     # if FIPS, need to use native go as boringgo as of now can't build archives for different platforms
     if [[ ${TAG} =~ "fips" ]]; then
-        sudo rm -rf /usr/local/go
-        source ${BASEDIR}/tetrateci/setup_go.sh
-        #disabling cgo flag
-        sed -i '/then export CGO_ENABLED=1/c\export CGO_ENABLED=0' istio/common/scripts/gobuild.sh
+      exit 0      
     fi
     echo "Cleaning up older artifacts created in docker build stage ..."
     sudo rm -rf /tmp/istio-release/sources/ && sudo rm -rf /tmp/istio-release/work/
@@ -169,6 +188,6 @@ if [[ -z ${TEST:-} ]]; then
     done
 fi
 echo "Cleaning /tmp/istio...."
-[ -d "/tmp/istio-release" ] && sudo rm -rf /tmp/istio-release
+#[ -d "/tmp/istio-release" ] && sudo rm -rf /tmp/istio-release
 
 echo "Done building and pushing the artifacts."
diff --git a/tetrateci/fips.md b/tetrateci/fips.md
@@ -37,10 +37,10 @@ go version istioctl
 go version install-cni 
 ```
 
-- For Istio minor version <1.15
-  The Go version should include `b` to indicate BoringSSL, `go1.16.9b7` 
-- For Istio minor version >1.15
-  The Go version should indicate X:boringcrypto as cryptolibrary, `pilot-discovery: go1.19.1 X:boringcrypto`
+For Istio minor version <1.15
+The Go version should include `b` to indicate BoringSSL, `go1.16.9b7` 
+For Istio minor version >1.15
+The Go version should indicate X:boringcrypto as cryptolibrary, `pilot-discovery: go1.19.1 X:boringcrypto`
 
 
 Verify Envoy is using BoringSSL FIPS:

diff --git a/tetrateci/images.sh b/tetrateci/images.sh
@@ -6,20 +6,18 @@ set -o pipefail
 
 BASEDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
 
-mkdir containers.istio.tetratelabs.com
 
-IMAGES=(app
-install-cni
-istioctl
-pilot
-proxyv2)
 
+IMAGES=(install-cni
+proxyv2
+operator
+pilot)
 
 IMAGE_SUFFIXES=("debug" "distroless")
 
 for image in "${IMAGES[@]}"; do
   for suffix in "${IMAGE_SUFFIXES[@]}"; do
-    echo containers.istio.tetratelabs.com/${image}:${TAG}-${suffix} >> list.txt
-    cat list.txt
+    DIGEST=$(crane digest $HUB/${image}:${TAG}-${suffix})
+    cosign sign -y --identity-token=$(gcloud auth print-identity-token --audiences=sigstore --include-email --impersonate-service-account [email protected]) $HUB/${image}@$DIGEST
   done
 done