diff --git a/.github/workflows/e2e_tests.yml b/.github/workflows/e2e_tests.yml index 52e432e59542..6602e6394840 100644 --- a/.github/workflows/e2e_tests.yml +++ b/.github/workflows/e2e_tests.yml @@ -7,17 +7,20 @@ on: env: HUB: ${{ secrets.TEST_HUB }} + SHA: "44bb48b8a72151a8cc8ebeec583e524e324b5bc0" jobs: # copied from make_release.yml build_fips_proxy: # Only run this job when the release type equals "fips". if: contains(github.event.ref, 'fips') + name: build fips proxy binary timeout-minutes: 840 runs-on: ['self-hosted','Linux','x64','c5.4xlarge'] env: RELEASE_GCS_PATH: gs://getistio-build/proxy-fips + IMG: gcr.io/tid-testing/build-tools-proxy:v5 steps: - name: Get the tag id: get_tag @@ -46,7 +49,6 @@ jobs: - name: Check if already built id: check_already_built run: | - SHA=$(git rev-parse --verify HEAD) SHOULD_BUILD=1 if gsutil ls ${RELEASE_GCS_PATH} | grep "${SHA}[^-]" ; then SHOULD_BUILD=0 @@ -61,8 +63,7 @@ jobs: # from push_release. run: | ESCAPED_RELEASE_GCS_PATH=$(printf '%s\n' "$RELEASE_GCS_PATH" | sed -e 's/[\/&]/\\&/g') - sed -i "s/\-p//g; s/push_release: build/push_release:/g; s/\"\$(RELEASE_GCS_PATH)\"/${ESCAPED_RELEASE_GCS_PATH}/g" Makefile.core.mk - + sed -i "s/PUSH_RELEASE_FLAGS ?= -p//g; s/\"\$(RELEASE_GCS_PATH)\"/${ESCAPED_RELEASE_GCS_PATH}/g" Makefile.core.mk - name: Tweak release-binary script if: ${{ steps.check_already_built.outputs.should_build == '1' }} # 1) Setup in-docker auth against gcloud 
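Review bot: The build image added in this hunk is referenced by a mutable tag, `IMG: gcr.io/tid-testing/build-tools-proxy:v5`, and the later `build_fips_arm_proxy` hunk does the same with `IMG: gcr.io/tid-testing/build-tools-proxy-arm64:v5`. Anyone who can push to that registry path can change what `v5` resolves to, and the toolchain in that image produces the binary that is uploaded to `RELEASE_GCS_PATH`. Pinning by digest, `IMG: gcr.io/tid-testing/build-tools-proxy@sha256:<digest of the reviewed v5 image>`, keeps that build input fixed. The new workflow-level `SHA` is also repeated as a literal in the `sed` commands further down and in `istio.deps`, so a bump has to touch several places; those commands could use the variable instead, with double-quoted sed expressions.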
@@ -74,10 +75,15 @@ jobs: cp scripts/release-binary.sh scripts/release-binary.sh.tmp echo gcloud auth activate-service-account --key-file="/work/${CREDENTIAL_FILE_NAME}" > scripts/release-binary.sh cat scripts/release-binary.sh.tmp >> scripts/release-binary.sh - sed -i 's/release release\-symbol debug/release release\-symbol/' scripts/release-binary.sh - sed -i 's/for config in release release-symbol asan debug/for config in release/g' scripts/release-binary.sh + sed -i 's/da77eab7d2f758ac4380467775ec29e47ff28205/44bb48b8a72151a8cc8ebeec583e524e324b5bc0/g' WORKSPACE + sed -i 's/8bae7e001560c1be51f4096eaffc72164c16f60138b3e96db253b1867118f979/bb17f0011395b1c79a773430f5cf1782e24cbe53e1e3e0fa0ebe771cbd2e1247/g' WORKSPACE + sed -i 's/SHA=.*/SHA=44bb48b8a72151a8cc8ebeec583e524e324b5bc0/g' scripts/release-binary.sh + sed -i 's/ENVOY_ORG = "envoyproxy"/ENVOY_ORG = "psbrar99"/g' WORKSPACE + sed -i 's/for config in release release-symbol asan debug/for config in release/g' scripts/release-binary.sh sed -i -n '/Build and publish Wasm plugins/q;p' scripts/release-binary.sh cat scripts/release-binary.sh + cat Makefile.core.mk + cat WORKSPACE - name: Add FIPS flag if: ${{ steps.check_already_built.outputs.should_build == '1' }} @@ -87,13 +93,14 @@ jobs: if: ${{ steps.check_already_built.outputs.should_build == '1' }} env: BUILD_WITH_CONTAINER: 1 - run: make push_release + run: | + # make clean + make push_release - name: Put CentOS binary # Copy the binary built on Ubuntu to CentOS path - this binar cannot run on CentOS/RHEL 7, but fine with CentOS 8. # The point is that we cannot build FIPS binary directly on CentOS 7 due to the constraints described in the BoringCrypto certification. run: | - SHA=$(git rev-parse --verify HEAD) gsutil cp ${RELEASE_GCS_PATH}/envoy-alpha-${SHA}.tar.gz ${RELEASE_GCS_PATH}/envoy-centos-alpha-${SHA}.tar.gz - name: Put Wasm binary 
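Review bot: The Envoy source for the release binary is switched to a fork by rewriting `ENVOY_ORG = "envoyproxy"` to `"psbrar99"` in `WORKSPACE`, and that name looks like a personal account rather than an organisation-controlled repository. The substituted sha256 does pin the archive contents, but the commit stays fetchable only while that account keeps it, and nothing in the workflow records why the fork is trusted; mirroring the commit into an org-owned repository would be a safer source. Each `sed -i` also exits 0 when its pattern is absent, so a changed `WORKSPACE` would keep the original Envoy pin while artifacts are still named after `${SHA}`; a guard such as `grep -q "${SHA}" WORKSPACE || exit 1` after the substitutions would catch that. `s/SHA=.*/…/g` is unanchored and rewrites every line containing `SHA=`, so anchoring it to the intended assignment (for example `s/^SHA=.*/…/`) is probably what is meant. The same edits appear in the `build_fips_arm_proxy` hunk.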
@@ -101,15 +108,16 @@ jobs: env: UPSTREAM_GCSP_PATH: gs://istio-build/proxy run: | - SHA=$(git rev-parse --verify HEAD) - gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA}*" ${RELEASE_GCS_PATH}/ - gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA}*" ${RELEASE_GCS_PATH}/ - gsutil cp "${UPSTREAM_GCSP_PATH}/attributegen-${SHA}*" ${RELEASE_GCS_PATH}/ + SHA1="3c27a1b0cf381ca854ccc3a2034e88c206928da2" + gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA1}.compiled.wasm" "${RELEASE_GCS_PATH}/metadata_exchange-${SHA}.compiled.wasm" + gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA1}.compiled.wasm.sha256" "${RELEASE_GCS_PATH}/metadata_exchange-${SHA}.compiled.wasm.sha256" + gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA1}.wasm" "${RELEASE_GCS_PATH}/metadata_exchange-${SHA}.wasm" + gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA1}.wasm.sha256" "${RELEASE_GCS_PATH}/metadata_exchange-${SHA}.wasm.sha256" + build_fips_arm_proxy: # Do not run this job when the release type equals "fips"as we do not support fips compliant ARM build yet. - # if: contains(github.event.ref, 'fips') - if: false + if: contains(github.event.ref, 'fips') name: build ARM proxy binary timeout-minutes: 1440 # 12 hours runs-on: ['self-hosted','Linux','ARM64','arm64-32'] @@ -146,7 +154,6 @@ jobs: - name: Check if already built id: check_already_built run: | - SHA=$(git rev-parse --verify HEAD) SHOULD_BUILD=1 if gsutil ls ${RELEASE_GCS_PATH} | grep ${SHA}-arm64 ; then SHOULD_BUILD=0 
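Review bot: The Wasm objects built upstream at `3c27a1b0cf381ca854ccc3a2034e88c206928da2` are republished under the `${SHA}` name, so anything that resolves Wasm plugins by proxy SHA receives binaries from a different commit with no record of the substitution. Renaming `SHA1` (which reads like a hash algorithm) to something like `UPSTREAM_WASM_SHA` and adding a comment such as `# Wasm is not rebuilt for the fork; reuse upstream artifacts from this commit` would make that explicit. The `.sha256` sidecars are copied under new names as well; if they embed the original file name, a `sha256sum -c` against the renamed object would fail, so that is worth checking. The comment above `build_fips_arm_proxy` still says the job must not run for "fips" releases, which now contradicts `if: contains(github.event.ref, 'fips')`.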
@@ -172,11 +179,15 @@ jobs: cp scripts/release-binary.sh scripts/release-binary.sh.tmp echo gcloud auth activate-service-account --key-file="/work/${CREDENTIAL_FILE_NAME}" > scripts/release-binary.sh cat scripts/release-binary.sh.tmp >> scripts/release-binary.sh - sed -i 's/release release\-symbol debug/release release\-symbol/' scripts/release-binary.sh - sed -i '/if \[\[ "${BUILD_ENVOY_BINARY_ONLY}" !/, +6d' scripts/release-binary.sh + sed -i 's/da77eab7d2f758ac4380467775ec29e47ff28205/44bb48b8a72151a8cc8ebeec583e524e324b5bc0/g' WORKSPACE + sed -i 's/8bae7e001560c1be51f4096eaffc72164c16f60138b3e96db253b1867118f979/ba1da637c52b9c7cd93fbb7f2e3f10747663ab8c66a53b8b4d64e2afa7a6ca6c/g' WORKSPACE + sed -i 's/SHA=.*/SHA=44bb48b8a72151a8cc8ebeec583e524e324b5bc0/g' scripts/release-binary.sh + sed -i 's/ENVOY_ORG = "envoyproxy"/ENVOY_ORG = "psbrar99"/g' WORKSPACE sed -i 's/for config in release release-symbol asan debug/for config in release/g' scripts/release-binary.sh sed -i -n '/Build and publish Wasm plugins/q;p' scripts/release-binary.sh cat scripts/release-binary.sh + cat Makefile.core.mk + - name: Add FIPS flag if: ${{ steps.check_already_built.outputs.should_build == '1' }} run: echo "build --define boringssl=fips" >> .bazelrc 
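Review bot: The sha256 substituted into `WORKSPACE` here, `ba1da637c52b9c7cd93fbb7f2e3f10747663ab8c66a53b8b4d64e2afa7a6ca6c`, differs from the one the amd64 job substitutes, `bb17f0011395b1c79a773430f5cf1782e24cbe53e1e3e0fa0ebe771cbd2e1247`, although both jobs set the same commit `44bb48b8a72151a8cc8ebeec583e524e324b5bc0` and the same `ENVOY_ORG`. If `WORKSPACE` fetches one source archive for that commit, as the shared search value `8bae7e00…` suggests, only one digest can match; the other job would then fail the fetch, or its digest was computed over different bytes. It is worth confirming which digest is correct and using a single value in both jobs. This job also omits the `cat WORKSPACE` that the amd64 job adds, so the patched pin is not visible in its log.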
@@ -185,24 +196,10 @@ jobs: if: ${{ steps.check_already_built.outputs.should_build == '1' }} env: BUILD_WITH_CONTAINER: 1 + BUILD_ENVOY_BINARY_ONLY: 1 + IMG: gcr.io/tid-testing/build-tools-proxy-arm64:v5 run: make push_release - - name: Put CentOS binary - # Copy the binary built on Ubuntu to CentOS path - this binar cannot run on CentOS/RHEL 7, but fine with CentOS 8. - # The point is that we cannot build FIPS binary directly on CentOS 7 due to the constraints described in the BoringCrypto certification. - run: | - SHA=$(git rev-parse --verify HEAD) - gsutil cp ${RELEASE_GCS_PATH}/envoy-alpha-${SHA}.tar.gz ${RELEASE_GCS_PATH}/envoy-centos-alpha-${SHA}.tar.gz - - name: Put Wasm binary - # Copy the built Wasm binary in the upstream to the bucket - Wasm is nothing to do with FIPS stuff. - env: - UPSTREAM_GCSP_PATH: gs://istio-build/proxy - run: | - SHA=$(git rev-parse --verify HEAD) - gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA}*" ${RELEASE_GCS_PATH}/ - gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA}*" ${RELEASE_GCS_PATH}/ - gsutil cp "${UPSTREAM_GCSP_PATH}/attributegen-${SHA}*" ${RELEASE_GCS_PATH}/ - create-test-images-arm64: name: create-test-images-arm64 runs-on: ["self-hosted", "arm64"] @@ -213,7 +210,8 @@ jobs: # 'if' condition causes this job to run even if some of the dependent jobs # have been skipped, e.g. `build_fips_proxy`. # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful - if: "contains(github.event.ref, 'multiarch')" + # if: "contains(github.event.ref, 'multiarch')" + if: false steps: - name: checkout 
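Review bot: `create-test-images-arm64` is switched off with `if: false` while its real condition is kept as a comment, and the hunk at `@@ -514,7 +513,8 @@` does the same to another job; `eks-e2e-test` also gains a stray `# if: false`. Nothing states why these jobs are disabled or when they should be re-enabled, which makes it easy for reduced test coverage to persist unnoticed. A one-line reason above each, e.g. `# disabled: <reason / tracking issue>`, or deleting the dead condition, would make the intent reviewable.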
@@ -266,12 +264,13 @@ jobs: name: create-test-images-amd64 #runs-on: ['self-hosted','Linux','x64','m5'] runs-on: ['self-hosted','Linux','x64','c5.4xlarge'] - needs: [build_fips_proxy] + needs: ['build_fips_proxy','build_fips_arm_proxy'] # 'if' condition causes this job to run even if some of the dependent jobs # have been skipped, e.g. `build_fips_proxy`. # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful if: ${{ !cancelled() && !failure() }} + steps: - name: checkout uses: actions/checkout@v2 @@ -382,7 +381,6 @@ jobs: # 'if' condition causes this job to run even if some of the dependent jobs # have been skipped, e.g. `build_fips_proxy`. # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful - # if: false if: ${{ !cancelled() && !failure() }} strategy: @@ -446,11 +444,12 @@ jobs: eks-e2e-test: name: eks-e2e-test runs-on: ubuntu-latest - needs: [create-multiarch-images] + needs: [create-test-images-amd64] # 'if' condition causes this job to run even if some of the dependent jobs # have been skipped, e.g. `build_fips_proxy`. # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful if: ${{ !cancelled() && !failure() }} + # if: false strategy: fail-fast: false @@ -514,7 +513,8 @@ jobs: # 'if' condition causes this job to run even if some of the dependent jobs # have been skipped, e.g. `build_fips_proxy`. # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful - if: ${{ !cancelled() && !failure() }} + # if: ${{ !cancelled() && !failure() }} + if: false strategy: fail-fast: false 
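Review bot: Adding `build_fips_arm_proxy` to `needs` makes `create-test-images-amd64` wait for the ARM build and, because of `if: ${{ !cancelled() && !failure() }}`, skips it whenever that build fails. The existing comment above the condition still names only `build_fips_proxy`. If the amd64 images are not meant to depend on the ARM binary, keep `needs: [build_fips_proxy]`; otherwise the comment should mention both jobs. The job body continues outside the hunk.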
@@ -731,4 +731,4 @@ jobs: tag_name: ${{ steps.get_tag.outputs.TAG }} release_name: Tetrate Istio draft: false - prerelease: false + prerelease: false \ No newline at end of file diff --git a/istio.deps b/istio.deps index 66bd58a81440..d7bdd2bcaf2a 100644 --- a/istio.deps +++ b/istio.deps @@ -4,6 +4,6 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "5382f1d9645b73f7a8aff075a966200a6b9f7169" + "lastStableSHA": "44bb48b8a72151a8cc8ebeec583e524e324b5bc0" } ] diff --git a/tetrateci/1.17/test/skip.d/eks b/tetrateci/1.17/test/skip.d/eks index d94ed36c1f77..05f1120d28de 100644 --- a/tetrateci/1.17/test/skip.d/eks +++ b/tetrateci/1.17/test/skip.d/eks @@ -30,3 +30,4 @@ istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerificatio istio.io/istio/tests/integration/security=TestReachability/global_no_peer_authn TestReachability/migration_tls_mutual TestReachability/migration_no_tls TestReachability/mtls_strict istio.io/istio/tests/integration/helm/upgrade=* istio.io/istio/tests/integration/security/sds_ingress/quic=* +istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=* diff --git a/tetrateci/1.17/test/skip.d/eks-arm64 b/tetrateci/1.17/test/skip.d/eks-arm64 index eab40ca7e49e..18d5f8c98dbf 100644 --- a/tetrateci/1.17/test/skip.d/eks-arm64 +++ b/tetrateci/1.17/test/skip.d/eks-arm64 @@ -29,3 +29,4 @@ istio.io/istio/tests/integration/security/sds_ingress/quic=* istio.io/istio/tests/integration/telemetry/stackdriver=* istio.io/istio/tests/integration/telemetry/stackdriver/vm=* istio.io/istio/tests/integration/telemetry_envoyfilter_nullvm=TestDashboard +istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=* diff --git a/tetrateci/gen_release_manifest.py b/tetrateci/gen_release_manifest.py index 5263ff6029f3..421dfe1393d9 100755 --- a/tetrateci/gen_release_manifest.py +++ b/tetrateci/gen_release_manifest.py 
@@ -27,12 +27,14 @@ manifest["version"] = tag manifest["dependencies"]["istio"] = {"localpath" : "./istio"} manifest["dependencies"]["client-go"]["branch"] = branch + del manifest["dependencies"]["proxy"]["auto"] + manifest["dependencies"]["proxy"]["branch"] = branch manifest["dependencies"]["tools"]["branch"] = branch # genproto has been removed from 1.14 # added check for "gogo-genproto" dependenciy if it present then assign branch if "gogo-genproto" in manifest["dependencies"]: manifest["dependencies"]["gogo-genproto"]["branch"] = branch - manifest["dependencies"]["envoy"]["git"] = "https://github.com/istio/envoy" + manifest["dependencies"]["envoy"]["git"] = "https://github.com/envoyproxy/envoy" manifest['outputs'] = ["docker"] f = open(os.path.join(destination_folder, "manifest.docker.yaml"), 'w') yaml.dump(manifest, f) @@ -40,5 +42,4 @@ manifest['outputs'] = ["archive"] print(manifest) f = open(os.path.join(destination_folder, "manifest.archive.yaml"), 'w') - yaml.dump(manifest, f) - + yaml.dump(manifest, f) \ No newline at end of file
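Review bot: `del manifest["dependencies"]["proxy"]["auto"]` raises `KeyError` when the loaded manifest has no `auto` entry for proxy, which would abort manifest generation; `manifest["dependencies"]["proxy"].pop("auto", None)` removes the key when present and does nothing otherwise. The neighbouring `gogo-genproto` lines already guard against a missing key, so this would be consistent with them. Separately, the envoy dependency is now recorded as `https://github.com/envoyproxy/envoy`, while the workflow in this commit builds the proxy with `ENVOY_ORG` rewritten to `psbrar99`; if the manifest is meant to describe the Envoy source that ships, the two disagree. The surrounding script starts and ends outside the hunk.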