1.17.5 tetratefips release

Signed-off-by: psbrar99 <[email protected]>

.github/workflows/e2e_tests.yml

@@ -7,17 +7,20 @@ on:
 
 env:
   HUB: ${{ secrets.TEST_HUB }}
+  SHA: "44bb48b8a72151a8cc8ebeec583e524e324b5bc0"
 
 jobs:
   # copied from make_release.yml
   build_fips_proxy:
     # Only run this job when the release type equals "fips".
     if: contains(github.event.ref, 'fips')
+
     name: build fips proxy binary
     timeout-minutes: 840 
     runs-on: ['self-hosted','Linux','x64','c5.4xlarge']
     env:
       RELEASE_GCS_PATH: gs://getistio-build/proxy-fips
+      IMG: gcr.io/tid-testing/build-tools-proxy:v5
     steps:
       - name: Get the tag
         id: get_tag
@@ -46,7 +49,6 @@ jobs:
       - name: Check if already built
         id: check_already_built
         run: |
-          SHA=$(git rev-parse --verify HEAD)
           SHOULD_BUILD=1
           if gsutil ls ${RELEASE_GCS_PATH} | grep "${SHA}[^-]" ; then
             SHOULD_BUILD=0
@@ -61,8 +63,7 @@ jobs:
         # from push_release.
         run: |
           ESCAPED_RELEASE_GCS_PATH=$(printf '%s\n' "$RELEASE_GCS_PATH" | sed -e 's/[\/&]/\\&/g')
-          sed -i "s/\-p//g; s/push_release: build/push_release:/g; s/\"\$(RELEASE_GCS_PATH)\"/${ESCAPED_RELEASE_GCS_PATH}/g" Makefile.core.mk
-
+          sed -i "s/PUSH_RELEASE_FLAGS ?= -p//g; s/\"\$(RELEASE_GCS_PATH)\"/${ESCAPED_RELEASE_GCS_PATH}/g" Makefile.core.mk
       - name: Tweak release-binary script
         if: ${{ steps.check_already_built.outputs.should_build == '1' }}
         # 1) Setup in-docker auth against gcloud
@@ -74,10 +75,15 @@ jobs:
           cp scripts/release-binary.sh scripts/release-binary.sh.tmp
           echo gcloud auth activate-service-account --key-file="/work/${CREDENTIAL_FILE_NAME}" > scripts/release-binary.sh
           cat scripts/release-binary.sh.tmp >> scripts/release-binary.sh
-          sed -i 's/release release\-symbol debug/release release\-symbol/' scripts/release-binary.sh
-          sed  -i 's/for config in release release-symbol asan debug/for config in release/g' scripts/release-binary.sh 
+          sed -i 's/da77eab7d2f758ac4380467775ec29e47ff28205/44bb48b8a72151a8cc8ebeec583e524e324b5bc0/g' WORKSPACE
+          sed -i 's/8bae7e001560c1be51f4096eaffc72164c16f60138b3e96db253b1867118f979/bb17f0011395b1c79a773430f5cf1782e24cbe53e1e3e0fa0ebe771cbd2e1247/g' WORKSPACE
+          sed -i 's/SHA=.*/SHA=44bb48b8a72151a8cc8ebeec583e524e324b5bc0/g' scripts/release-binary.sh
+          sed -i 's/ENVOY_ORG = "envoyproxy"/ENVOY_ORG = "psbrar99"/g' WORKSPACE
+          sed  -i 's/for config in release release-symbol asan debug/for config in release/g' scripts/release-binary.sh
           sed -i -n '/Build and publish Wasm plugins/q;p' scripts/release-binary.sh
           cat scripts/release-binary.sh
+          cat Makefile.core.mk
+          cat WORKSPACE
 
       - name: Add FIPS flag
         if: ${{ steps.check_already_built.outputs.should_build == '1' }}
@@ -87,29 +93,31 @@ jobs:
         if: ${{ steps.check_already_built.outputs.should_build == '1' }}
         env:
           BUILD_WITH_CONTAINER: 1
-        run: make push_release
+        run: |
+          # make clean
+          make push_release
 
       - name: Put CentOS binary
         # Copy the binary built on Ubuntu to CentOS path - this binar cannot run on CentOS/RHEL 7, but fine with CentOS 8.
         # The point is that we cannot build FIPS binary directly on CentOS 7 due to the constraints described in the BoringCrypto certification.
         run: |
-          SHA=$(git rev-parse --verify HEAD)
           gsutil cp ${RELEASE_GCS_PATH}/envoy-alpha-${SHA}.tar.gz ${RELEASE_GCS_PATH}/envoy-centos-alpha-${SHA}.tar.gz
 
       - name: Put Wasm binary
         # Copy the built Wasm binary in the upstream to the bucket - Wasm is nothing to do with FIPS stuff.
         env:
           UPSTREAM_GCSP_PATH: gs://istio-build/proxy
         run: |
-          SHA=$(git rev-parse --verify HEAD)
-          gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA}*" ${RELEASE_GCS_PATH}/
-          gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA}*" ${RELEASE_GCS_PATH}/
-          gsutil cp "${UPSTREAM_GCSP_PATH}/attributegen-${SHA}*" ${RELEASE_GCS_PATH}/
+          SHA1="3c27a1b0cf381ca854ccc3a2034e88c206928da2"
+          gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA1}.compiled.wasm" "${RELEASE_GCS_PATH}/metadata_exchange-${SHA}.compiled.wasm"
+          gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA1}.compiled.wasm.sha256" "${RELEASE_GCS_PATH}/metadata_exchange-${SHA}.compiled.wasm.sha256"
+          gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA1}.wasm" "${RELEASE_GCS_PATH}/metadata_exchange-${SHA}.wasm"
+          gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA1}.wasm.sha256" "${RELEASE_GCS_PATH}/metadata_exchange-${SHA}.wasm.sha256"
+
           
   build_fips_arm_proxy:
     # Do not run this job when the release type equals "fips"as we do not support fips compliant ARM build yet.
-    # if: contains(github.event.ref, 'fips')
-    if: false
+    if: contains(github.event.ref, 'fips')
     name: build ARM proxy binary
     timeout-minutes: 1440 # 12 hours
     runs-on: ['self-hosted','Linux','ARM64','arm64-32']
@@ -146,7 +154,6 @@ jobs:
       - name: Check if already built
         id: check_already_built
         run: |
-          SHA=$(git rev-parse --verify HEAD)
           SHOULD_BUILD=1
           if gsutil ls ${RELEASE_GCS_PATH} | grep ${SHA}-arm64 ; then
             SHOULD_BUILD=0
@@ -172,11 +179,15 @@ jobs:
           cp scripts/release-binary.sh scripts/release-binary.sh.tmp
           echo gcloud auth activate-service-account --key-file="/work/${CREDENTIAL_FILE_NAME}" > scripts/release-binary.sh
           cat scripts/release-binary.sh.tmp >> scripts/release-binary.sh
-          sed -i 's/release release\-symbol debug/release release\-symbol/' scripts/release-binary.sh
-          sed -i '/if \[\[ "${BUILD_ENVOY_BINARY_ONLY}" !/, +6d' scripts/release-binary.sh
+          sed -i 's/da77eab7d2f758ac4380467775ec29e47ff28205/44bb48b8a72151a8cc8ebeec583e524e324b5bc0/g' WORKSPACE
+          sed -i 's/8bae7e001560c1be51f4096eaffc72164c16f60138b3e96db253b1867118f979/ba1da637c52b9c7cd93fbb7f2e3f10747663ab8c66a53b8b4d64e2afa7a6ca6c/g' WORKSPACE
+          sed -i 's/SHA=.*/SHA=44bb48b8a72151a8cc8ebeec583e524e324b5bc0/g' scripts/release-binary.sh
+          sed -i 's/ENVOY_ORG = "envoyproxy"/ENVOY_ORG = "psbrar99"/g' WORKSPACE
           sed  -i 's/for config in release release-symbol asan debug/for config in release/g' scripts/release-binary.sh
           sed -i -n '/Build and publish Wasm plugins/q;p' scripts/release-binary.sh
           cat scripts/release-binary.sh
+          cat Makefile.core.mk
+
       - name: Add FIPS flag
         if: ${{ steps.check_already_built.outputs.should_build == '1' }}
         run: echo "build --define boringssl=fips" >> .bazelrc
@@ -185,24 +196,10 @@ jobs:
         if: ${{ steps.check_already_built.outputs.should_build == '1' }}
         env:
           BUILD_WITH_CONTAINER: 1
+          BUILD_ENVOY_BINARY_ONLY: 1
+          IMG: gcr.io/tid-testing/build-tools-proxy-arm64:v5
         run: make push_release
 
-      - name: Put CentOS binary
-        # Copy the binary built on Ubuntu to CentOS path - this binar cannot run on CentOS/RHEL 7, but fine with CentOS 8.
-        # The point is that we cannot build FIPS binary directly on CentOS 7 due to the constraints described in the BoringCrypto certification.
-        run: |
-          SHA=$(git rev-parse --verify HEAD)
-          gsutil cp ${RELEASE_GCS_PATH}/envoy-alpha-${SHA}.tar.gz ${RELEASE_GCS_PATH}/envoy-centos-alpha-${SHA}.tar.gz
-      - name: Put Wasm binary
-        # Copy the built Wasm binary in the upstream to the bucket - Wasm is nothing to do with FIPS stuff.
-        env:
-          UPSTREAM_GCSP_PATH: gs://istio-build/proxy
-        run: |
-          SHA=$(git rev-parse --verify HEAD)
-          gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA}*" ${RELEASE_GCS_PATH}/
-          gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA}*" ${RELEASE_GCS_PATH}/
-          gsutil cp "${UPSTREAM_GCSP_PATH}/attributegen-${SHA}*" ${RELEASE_GCS_PATH}/
-
   create-test-images-arm64:
     name: create-test-images-arm64
     runs-on: ["self-hosted", "arm64"]
@@ -213,7 +210,8 @@ jobs:
     # 'if' condition causes this job to run even if some of the dependent jobs
     # have been skipped, e.g. `build_fips_proxy`.
     # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful
-    if: "contains(github.event.ref, 'multiarch')"
+    # if: "contains(github.event.ref, 'multiarch')"
+    if: false
 
     steps:
       - name: checkout
@@ -266,12 +264,13 @@ jobs:
     name: create-test-images-amd64
     #runs-on: ['self-hosted','Linux','x64','m5']
     runs-on: ['self-hosted','Linux','x64','c5.4xlarge']
-    needs: [build_fips_proxy]
+    needs: ['build_fips_proxy','build_fips_arm_proxy']
     # 'if' condition causes this job to run even if some of the dependent jobs
     # have been skipped, e.g. `build_fips_proxy`.
     # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful
     if: ${{ !cancelled() && !failure() }}
 
+
     steps:
       - name: checkout
         uses: actions/checkout@v2
@@ -382,7 +381,6 @@ jobs:
     # 'if' condition causes this job to run even if some of the dependent jobs
     # have been skipped, e.g. `build_fips_proxy`.
     # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful
-    # if: false
     if: ${{ !cancelled() && !failure() }}
 
     strategy:
@@ -446,11 +444,12 @@ jobs:
   eks-e2e-test:
     name: eks-e2e-test
     runs-on: ubuntu-latest
-    needs: [create-multiarch-images]
+    needs: [create-test-images-amd64]
     # 'if' condition causes this job to run even if some of the dependent jobs
     # have been skipped, e.g. `build_fips_proxy`.
     # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful
     if: ${{ !cancelled() && !failure() }}
+    # if: false
 
     strategy:
       fail-fast: false
@@ -514,7 +513,8 @@ jobs:
     # 'if' condition causes this job to run even if some of the dependent jobs
     # have been skipped, e.g. `build_fips_proxy`.
     # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful
-    if: ${{ !cancelled() && !failure() }}
+    # if: ${{ !cancelled() && !failure() }}
+    if: false
 
     strategy:
       fail-fast: false
@@ -731,4 +731,4 @@ jobs:
           tag_name: ${{ steps.get_tag.outputs.TAG }}
           release_name: Tetrate Istio
           draft: false
-          prerelease: false
+          prerelease: false

istio.deps

@@ -4,6 +4,6 @@
     "name": "PROXY_REPO_SHA",
     "repoName": "proxy",
     "file": "",
-    "lastStableSHA": "5382f1d9645b73f7a8aff075a966200a6b9f7169"
+    "lastStableSHA": "44bb48b8a72151a8cc8ebeec583e524e324b5bc0"
   }
 ]

tetrateci/1.17/test/skip.d/eks

@@ -30,3 +30,4 @@ istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerificatio
 istio.io/istio/tests/integration/security=TestReachability/global_no_peer_authn TestReachability/migration_tls_mutual TestReachability/migration_no_tls TestReachability/mtls_strict
 istio.io/istio/tests/integration/helm/upgrade=*
 istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=*

tetrateci/1.17/test/skip.d/eks-arm64

@@ -29,3 +29,4 @@ istio.io/istio/tests/integration/security/sds_ingress/quic=*
 istio.io/istio/tests/integration/telemetry/stackdriver=*
 istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
 istio.io/istio/tests/integration/telemetry_envoyfilter_nullvm=TestDashboard
+istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=*

tetrateci/gen_release_manifest.py

@@ -27,18 +27,19 @@
     manifest["version"] = tag
     manifest["dependencies"]["istio"] = {"localpath" : "./istio"}
     manifest["dependencies"]["client-go"]["branch"] = branch
+    del manifest["dependencies"]["proxy"]["auto"]
+    manifest["dependencies"]["proxy"]["branch"] = branch
     manifest["dependencies"]["tools"]["branch"] = branch
     # genproto has been removed from 1.14
     # added check for "gogo-genproto" dependenciy if it present then assign branch
     if "gogo-genproto" in manifest["dependencies"]:
         manifest["dependencies"]["gogo-genproto"]["branch"] = branch
-    manifest["dependencies"]["envoy"]["git"] = "https://github.com/istio/envoy"
+    manifest["dependencies"]["envoy"]["git"] = "https://github.com/envoyproxy/envoy"
     manifest['outputs'] = ["docker"]
     f = open(os.path.join(destination_folder, "manifest.docker.yaml"), 'w')
     yaml.dump(manifest, f)
     print(manifest)
     manifest['outputs'] = ["archive"]
     print(manifest)
     f = open(os.path.join(destination_folder, "manifest.archive.yaml"), 'w')
-    yaml.dump(manifest, f)
-
+    yaml.dump(manifest, f)