diff --git a/.gitattributes b/.gitattributes
index 297d227c811a..eea5a1ec8659 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -8,3 +8,4 @@
*.gen.yaml linguist-generated=true
*.gen.json linguist-generated=true
*_pb2.py linguist-generated=true
+go.sum merge=union
diff --git a/common/.commonfiles.sha b/common/.commonfiles.sha
index e41057a75651..8280a8797987 100644
--- a/common/.commonfiles.sha
+++ b/common/.commonfiles.sha
@@ -1 +1 @@
-78d4a03042d695220b4ade5c17f071898d466b58
+d40d1b75c481bb08a4e5de631c26a4352d7039fd
diff --git a/content/en/about/faq/security/verify-mtls-encryption.md b/content/en/about/faq/security/verify-mtls-encryption.md
index 1ae4d107dfe2..abc027ca232b 100644
--- a/content/en/about/faq/security/verify-mtls-encryption.md
+++ b/content/en/about/faq/security/verify-mtls-encryption.md
@@ -3,4 +3,4 @@ title: How can I verify that traffic is using mutual TLS encryption?
weight: 25
---
-If you installed Istio with `values.global.proxy.privileged=true`, you can use `tcpdump` to determine encryption status. Also in Kubernetes 1.23 and later, as an alternative to installing Istio as privileged, you can use `kubectl debug` to run `tcpdump` in an [ephemeral container](https://kubernetes.io/docs/tasks/debug-application-cluster/debug-running-pod/#ephemeral-container). See [Istio mutual TLS migration](/docs/tasks/security/authentication/mtls-migration) for instructions.
+If you installed Istio with `values.global.proxy.privileged=true`, you can use `tcpdump` to determine encryption status. Also in Kubernetes 1.23 and later, as an alternative to installing Istio as privileged, you can use `kubectl debug` to run `tcpdump` in an [ephemeral container](https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#ephemeral-container). See [Istio mutual TLS migration](/docs/tasks/security/authentication/mtls-migration) for instructions.
\ No newline at end of file
diff --git a/content/en/docs/ops/configuration/telemetry/monitoring-multicluster-prometheus/index.md b/content/en/docs/ops/configuration/telemetry/monitoring-multicluster-prometheus/index.md
index bae6279ddee8..d9b74665f0c2 100644
--- a/content/en/docs/ops/configuration/telemetry/monitoring-multicluster-prometheus/index.md
+++ b/content/en/docs/ops/configuration/telemetry/monitoring-multicluster-prometheus/index.md
@@ -81,8 +81,7 @@ scrape_configs:
params:
'match[]':
- - '{job="pilot"}'
- - '{job="envoy-stats"}'
+ - '{job="kubernetes-pods"}'
static_configs:
- targets:
@@ -136,8 +135,7 @@ scrape_configs:
params:
'match[]':
- - '{job="pilot"}'
- - '{job="envoy-stats"}'
+ - '{job="kubernetes-pods"}'
static_configs:
- targets:
diff --git a/content/en/docs/reference/commands/install-cni/index.html b/content/en/docs/reference/commands/install-cni/index.html
index d879820e2054..75b7386708b9 100644
--- a/content/en/docs/reference/commands/install-cni/index.html
+++ b/content/en/docs/reference/commands/install-cni/index.html
@@ -682,6 +682,12 @@
Environment variables
Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT.
+
ENABLE_AUTO_SNI
+
Boolean
+
false
+
If enabled, automatically set SNI when `DestinationRules` do not specify the same
Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT.
+
ENABLE_AUTO_SNI
+
Boolean
+
false
+
If enabled, automatically set SNI when `DestinationRules` do not specify the same
Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT.
+
ENABLE_AUTO_SNI
+
Boolean
+
false
+
If enabled, automatically set SNI when `DestinationRules` do not specify the same
Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT.
+
ENABLE_AUTO_SNI
+
Boolean
+
false
+
If enabled, automatically set SNI when `DestinationRules` do not specify the same
Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT.
+
ENABLE_AUTO_SNI
+
Boolean
+
false
+
If enabled, automatically set SNI when `DestinationRules` do not specify the same
+
+
ENABLE_CA_SERVER
Boolean
true
diff --git a/content/en/docs/releases/security-vulnerabilities/index.md b/content/en/docs/releases/security-vulnerabilities/index.md
index aadf1073878a..36291a90f022 100644
--- a/content/en/docs/releases/security-vulnerabilities/index.md
+++ b/content/en/docs/releases/security-vulnerabilities/index.md
@@ -42,6 +42,7 @@ Don't send a vulnerability report if:
- You need help tuning Istio components for security.
- You need help applying security related updates.
- Your issue is not security related.
+- Your issue is related to base image dependencies (see [Base Images](#base-images))
## Evaluation
@@ -87,3 +88,18 @@ branches.
As much as possible this announcement will be actionable, and include any mitigating steps customers can take prior to
upgrading to a fixed version. The recommended target time for these announcements is 16:00 UTC from Monday to Thursday.
This means the announcement will be seen morning Pacific, early evening Europe, and late evening Asia.
+
+## Base Images
+
+Istio offers two sets of docker images, based on `ubuntu` (default) and based on `distroless` (see [Harden Docker Container Images](/docs/ops/configuration/security/harden-docker-images/)).
+These base images occasionally have CVEs.
+The Istio security team has automated scanning to ensure base images are kept free of CVEs.
+
+When CVEs are detected in our images, new images are automatically built and used for all future builds.
+Additionally, the security team analyzes the vulnerabilities to see if they are exploitable in Istio directly.
+In most cases, these vulnerabilities may be present in packages within the base image, but are not exploitable in the way Istio uses them.
+For these cases, new releases will not typically be released just to resolve these CVEs, and the fixes will be included in the next regularly scheduled release.
+
+As a result, base image CVEs should not be [reported](#reporting-a-vulnerability) unless there is evidence it may be exploitable within Istio.
+
+The [`distroless`](/docs/ops/configuration/security/harden-docker-images/) base images are strongly encouraged if reducing base image CVEs is important to you.
diff --git a/content/en/docs/setup/additional-setup/gateway/index.md b/content/en/docs/setup/additional-setup/gateway/index.md
index d62d8bcf84bc..d421a50c5669 100644
--- a/content/en/docs/setup/additional-setup/gateway/index.md
+++ b/content/en/docs/setup/additional-setup/gateway/index.md
@@ -4,7 +4,7 @@ description: Install and customize Istio Gateways.
weight: 40
keywords: [install,gateway,kubernetes]
owner: istio/wg-environments-maintainers
-test: no
+test: yes
---
Along with creating a service mesh, Istio allows you to manage [gateways](/docs/concepts/traffic-management/#gateways),
@@ -291,9 +291,9 @@ spec:
When this deployment is created, you will then have two versions of the gateway, both selected by the same Service:
{{< text bash >}}
-$ kubectl get endpoints -o "custom-columns=NAME:.metadata.name,PODS:.subsets[*].addresses[*].targetRef.name"
+$ kubectl get endpoints -n istio-ingress -o "custom-columns=NAME:.metadata.name,PODS:.subsets[*].addresses[*].targetRef.name"
NAME PODS
-istio-ingressgateway istio-ingressgateway-788854c955-8gv96,istio-ingressgateway-canary-b78944cbd-mq2qf
+istio-ingressgateway istio-ingressgateway-...,istio-ingressgateway-canary-...
{{< /text >}}
{{< image width="50%" link="canary-upgrade.svg" caption="Canary upgrade in progress" >}}
diff --git a/content/en/docs/setup/additional-setup/gateway/snips.sh b/content/en/docs/setup/additional-setup/gateway/snips.sh
new file mode 100644
index 000000000000..26e4b13d4697
--- /dev/null
+++ b/content/en/docs/setup/additional-setup/gateway/snips.sh
@@ -0,0 +1,167 @@
+#!/bin/bash
+# shellcheck disable=SC2034,SC2153,SC2155,SC2164
+
+# Copyright Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+####################################################################################################
+# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
+# docs/setup/additional-setup/gateway/index.md
+####################################################################################################
+
+! read -r -d '' snip_deploying_a_gateway_1 <<\ENDSNIP
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+ name: ingress
+spec:
+ profile: empty # Do not install CRDs or the control plane
+ components:
+ ingressGateways:
+ - name: ingressgateway
+ namespace: istio-ingress
+ enabled: true
+ label:
+ # Set a unique label for the gateway. This is required to ensure Gateways
+ # can select this workload
+ istio: ingressgateway
+ values:
+ gateways:
+ istio-ingressgateway:
+ # Enable gateway injection
+ injectionTemplate: gateway
+ENDSNIP
+
+snip_deploying_a_gateway_2() {
+kubectl create namespace istio-ingress
+istioctl install -f ingress.yaml
+}
+
+snip_deploying_a_gateway_3() {
+kubectl create namespace istio-ingress
+helm install istio-ingress istio/gateway -n istio-ingress
+}
+
+! read -r -d '' snip_deploying_a_gateway_4 <<\ENDSNIP
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-ingressgateway
+ namespace: istio-ingress
+spec:
+ type: LoadBalancer
+ selector:
+ istio: ingressgateway
+ ports:
+ - port: 80
+ name: http
+ - port: 443
+ name: https
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: istio-ingressgateway
+ namespace: istio-ingress
+spec:
+ selector:
+ matchLabels:
+ istio: ingressgateway
+ template:
+ metadata:
+ annotations:
+ # Select the gateway injection template (rather than the default sidecar template)
+ inject.istio.io/templates: gateway
+ labels:
+ # Set a unique label for the gateway. This is required to ensure Gateways can select this workload
+ istio: ingressgateway
+ # Enable gateway injection. If connecting to a revisioned control plane, replace with "istio.io/rev: revision-name"
+ sidecar.istio.io/inject: "true"
+ spec:
+ containers:
+ - name: istio-proxy
+ image: auto # The image will automatically update each time the pod starts.
+---
+# Set up roles to allow reading credentials for TLS
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istio-ingressgateway-sds
+ namespace: istio-ingress
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istio-ingressgateway-sds
+ namespace: istio-ingress
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istio-ingressgateway-sds
+subjects:
+- kind: ServiceAccount
+ name: default
+ENDSNIP
+
+snip_deploying_a_gateway_5() {
+kubectl create namespace istio-ingress
+kubectl apply -f ingress.yaml
+}
+
+! read -r -d '' snip_gateway_selectors_1 <<\ENDSNIP
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: gateway
+spec:
+ selector:
+ istio: ingressgateway
+...
+ENDSNIP
+
+! read -r -d '' snip_canary_upgrade_advanced_1 <<\ENDSNIP
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: istio-ingressgateway-canary
+ namespace: istio-ingress
+spec:
+ selector:
+ matchLabels:
+ istio: ingressgateway
+ template:
+ metadata:
+ annotations:
+ inject.istio.io/templates: gateway
+ labels:
+ istio: ingressgateway
+ istio.io/rev: canary # Set to the control plane revision you want to deploy
+ spec:
+ containers:
+ - name: istio-proxy
+ image: auto
+ENDSNIP
+
+snip_canary_upgrade_advanced_2() {
+kubectl get endpoints -n istio-ingress -o "custom-columns=NAME:.metadata.name,PODS:.subsets[*].addresses[*].targetRef.name"
+}
+
+! read -r -d '' snip_canary_upgrade_advanced_2_out <<\ENDSNIP
+NAME PODS
+istio-ingressgateway istio-ingressgateway-...,istio-ingressgateway-canary-...
+ENDSNIP
diff --git a/content/en/docs/setup/additional-setup/gateway/test.sh b/content/en/docs/setup/additional-setup/gateway/test.sh
new file mode 100644
index 000000000000..f2b4d675230a
--- /dev/null
+++ b/content/en/docs/setup/additional-setup/gateway/test.sh
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+set -u
+
+set -o pipefail
+
+# @setup profile=none
+function rebuild() {
+ istioctl x uninstall --purge --skip-confirmation
+ kubectl delete namespace istio-ingress
+ istioctl install --skip-confirmation --set profile=minimal
+}
+
+istioctl install --skip-confirmation --set profile=minimal
+_wait_for_deployment istio-system istiod
+
+# shellcheck disable=SC2154
+cat <ingress.yaml
+$snip_deploying_a_gateway_1
+EOF
+
+echo y | snip_deploying_a_gateway_2
+_wait_for_deployment istio-ingress ingressgateway
+
+rebuild
+_rewrite_helm_repo snip_deploying_a_gateway_3
+_wait_for_deployment istio-ingress istio-ingress
+
+rebuild
+# shellcheck disable=SC2154
+cat <ingress.yaml
+$snip_deploying_a_gateway_4
+EOF
+snip_deploying_a_gateway_5
+_wait_for_deployment istio-ingress istio-ingressgateway
+
+istioctl install --skip-confirmation --set profile=minimal --set revision=canary
+_wait_for_deployment istio-system istiod-canary
+
+# shellcheck disable=SC2154
+cat <}}
+ $ cat < ./istio.yaml
+ apiVersion: install.istio.io/v1alpha1
+ kind: IstioOperator
+ spec:
+ meshConfig:
+ meshMTLS:
+ minProtocolVersion: TLSV1_3
+ EOF
+ $ istioctl install -f ./istio.yaml
+ {{< /text >}}
+
+## Check the TLS configuration of Istio workloads
+
+After configuring the minimum TLS version of Istio workloads,
+you can verify that the minimum TLS version was configured and works as expected.
+
+* Deploy two workloads: `httpbin` and `sleep`. Deploy these into a single namespace,
+ for example `foo`. Both workloads run with an Envoy proxy in front of each.
+
+ {{< text bash >}}
+ $ kubectl create ns foo
+ $ kubectl apply -f <(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@) -n foo
+ $ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@) -n foo
+ {{< /text >}}
+
+* Verify that `sleep` successfully communicates with `httpbin` using this command:
+
+ {{< text bash >}}
+ $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl http://httpbin.foo:8000/ip -sS -o /dev/null -w "%{http_code}\n"
+ 200
+ {{< /text >}}
+
+{{< warning >}}
+If you don’t see the expected output, retry after a few seconds.
+Caching and propagation can cause a delay.
+{{< /warning >}}
+
+In the example, the minimum TLS version was configured to be 1.3.
+To check that TLS 1.3 is allowed, you can run the following command:
+
+ {{< text bash >}}
+ $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c istio-proxy -n foo -- openssl s_client -alpn istio -tls1_3 -connect httpbin.foo:8000 | grep "TLSv1.3"
+ {{< /text >}}
+
+The text output should include:
+
+ {{< text plain >}}
+ TLSv1.3
+ {{< /text >}}
+
+To check that TLS 1.2 is not allowed, you can run the following command:
+
+ {{< text bash >}}
+ $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c istio-proxy -n foo -- openssl s_client -alpn istio -tls1_2 -connect httpbin.foo:8000 | grep "Cipher is (NONE)"
+ {{< /text >}}
+
+The text output should include:
+
+ {{< text plain >}}
+ Cipher is (NONE)
+ {{< /text >}}
+
+## Cleanup
+
+* To remove the `foo` and `istio-system` namespaces:
+
+ {{< text bash >}}
+ $ kubectl delete ns foo istio-system
+ {{< /text >}}
\ No newline at end of file
diff --git a/content/en/docs/tasks/security/tls-configuration/workload-min-tls-version/snips.sh b/content/en/docs/tasks/security/tls-configuration/workload-min-tls-version/snips.sh
new file mode 100644
index 000000000000..5f495ed7b96b
--- /dev/null
+++ b/content/en/docs/tasks/security/tls-configuration/workload-min-tls-version/snips.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+# shellcheck disable=SC2034,SC2153,SC2155,SC2164
+
+# Copyright Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+####################################################################################################
+# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
+# docs/tasks/security/tls-configuration/workload-min-tls-version/index.md
+####################################################################################################
+
+snip_configuration_of_minimum_tls_version_for_istio_workloads_1() {
+cat < ./istio.yaml
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ meshConfig:
+ meshMTLS:
+ minProtocolVersion: TLSV1_3
+EOF
+istioctl install -f ./istio.yaml
+}
+
+snip_check_the_tls_configuration_of_istio_workloads_1() {
+kubectl create ns foo
+kubectl apply -f <(istioctl kube-inject -f samples/httpbin/httpbin.yaml) -n foo
+kubectl apply -f <(istioctl kube-inject -f samples/sleep/sleep.yaml) -n foo
+}
+
+snip_check_the_tls_configuration_of_istio_workloads_2() {
+kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl http://httpbin.foo:8000/ip -sS -o /dev/null -w "%{http_code}\n"
+}
+
+! read -r -d '' snip_check_the_tls_configuration_of_istio_workloads_2_out <<\ENDSNIP
+200
+ENDSNIP
+
+snip_check_the_tls_configuration_of_istio_workloads_3() {
+kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c istio-proxy -n foo -- openssl s_client -alpn istio -tls1_3 -connect httpbin.foo:8000 | grep "TLSv1.3"
+}
+
+! read -r -d '' snip_check_the_tls_configuration_of_istio_workloads_4 <<\ENDSNIP
+TLSv1.3
+ENDSNIP
+
+snip_check_the_tls_configuration_of_istio_workloads_5() {
+kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c istio-proxy -n foo -- openssl s_client -alpn istio -tls1_2 -connect httpbin.foo:8000 | grep "Cipher is (NONE)"
+}
+
+! read -r -d '' snip_check_the_tls_configuration_of_istio_workloads_6 <<\ENDSNIP
+Cipher is (NONE)
+ENDSNIP
+
+snip_cleanup_1() {
+kubectl delete ns foo istio-system
+}
diff --git a/content/en/docs/tasks/security/tls-configuration/workload-min-tls-version/test.sh b/content/en/docs/tasks/security/tls-configuration/workload-min-tls-version/test.sh
new file mode 100644
index 000000000000..3ec49b6c04a2
--- /dev/null
+++ b/content/en/docs/tasks/security/tls-configuration/workload-min-tls-version/test.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1090,SC2154
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# shellcheck disable=SC2001
+
+set -e
+set -u
+set -o pipefail
+
+# @setup profile=none
+
+export VERIFY_TIMEOUT=300
+
+echo y | snip_configuration_of_minimum_tls_version_for_istio_workloads_1
+_wait_for_deployment istio-system istiod
+
+snip_check_the_tls_configuration_of_istio_workloads_1
+_wait_for_deployment foo httpbin
+_wait_for_deployment foo sleep
+
+# Send request from sleep to httpbin
+_verify_contains snip_check_the_tls_configuration_of_istio_workloads_2 "$snip_check_the_tls_configuration_of_istio_workloads_2_out"
+
+_verify_contains snip_check_the_tls_configuration_of_istio_workloads_3 "$snip_check_the_tls_configuration_of_istio_workloads_4"
+
+_verify_contains snip_check_the_tls_configuration_of_istio_workloads_5 "$snip_check_the_tls_configuration_of_istio_workloads_6"
+
+# @cleanup
+snip_cleanup_1
\ No newline at end of file
diff --git a/content/zh/blog/2021/direct-upgrade/index.md b/content/zh/blog/2021/direct-upgrade/index.md
new file mode 100644
index 000000000000..505d51aa69f0
--- /dev/null
+++ b/content/zh/blog/2021/direct-upgrade/index.md
@@ -0,0 +1,63 @@
+---
+title: "宣布支持 1.8 到 1.10 的直接升级"
+description: "迈向更顺畅的升级过程。"
+publishdate: 2021-05-24
+attribution: "Mitch Connors (Google), Sam Naser (Google)"
+keywords: [更新,Istio,补丁]
+---
+
+随着 Service Mesh 技术从尖端转向稳定的基础架构,许多用户表示有兴趣减少升级他们的 Service Mesh 的频率,因为验证新的小版本可能需要很多时间。对于跟不上新版本的用户来说,升级尤其困难,因为 Istio 不支持跨多个小版本的升级。要升级 `1.6.x` 到 `1.8.x`,用户首先必须升级到 `1.7.x` 然后再到 `1.8.x`。
+
+随着 Istio 1.10 的发布,我们宣布支持 Istio Alpha 级别的升级将直接从 `1.8.x` 升级到 `1.10.x`,而不升级到 `1.9.x`。我们希望这将减轻运行 Istio 的运营负担,与我们 2021 年改善 Day 2 Operations 的主题保持一致。
+
+## 从 1.8 升级到 1.10
+
+对于直接升级,我们建议使用金丝雀升级方法,以便在将工作负载切换到新版本之前验证控制平面功能。我们还将在本指南中使用[修订标签](/zh/blog/2021/revision-tags/),这是对 1.10 中引入的金丝雀升级的改进,因此用户在升级时不必更改命名空间上的标签。
+
+首先,使用版本 `1.10` 或更高版本的 `istioctl`,创建一个版本标签 `stable` ,指向现有的 `1.8` 版本。从现在开始,让我们假设这个修订版本叫做 `1-8-5`:
+
+{{< text bash >}}
+$ istioctl x revision tag set stable --revision 1-8-5
+{{< /text >}}
+
+如果您的 1.8 安装没有相关的修订,我们可以使用以下命令创建此修订标记:
+
+{{< text bash >}}
+$ istioctl x revision tag set stable --revision default
+{{< /text >}}
+
+现在,重新用 `istio.io/rev=stable` 标签标记以前标记为 `istio-injection=enabled` 或者 `istio.io/rev=` 的名称空间。下载 Istio 1.10.0 版本并安装带有修订版的新控制平面:
+
+{{< text bash >}}
+$ istioctl install --revision 1-10-0 -y
+{{< /text >}}
+
+现在评估 `1.10` 版本是否正确出现并且是健康的。一旦对新版本的稳定性感到满意,您可以将版本标签设置为新版本:
+
+{{< text bash >}}
+$ istioctl x revision tag set stable --revision 1-10-0 --overwrite
+{{< /text >}}
+
+验证修订标签 `stable` 是否指向新的修订:
+
+{{< text bash >}}
+$ istioctl x revision tag list
+TAG REVISION NAMESPACES
+stable 1-10-0 ...
+{{< /text >}}
+
+一旦准备好将现有工作负载转移到新的 1.10 版本,就必须重新启动工作负载,以便 sidecar 代理使用新的控制平面。我们可逐个遍历名空间,并将工作负载滚动到新版本:
+
+{{< text bash >}}
+$ kubectl rollout restart deployments -n …
+{{< /text >}}
+
+在将工作负载转移到新的 Istio 版本后,注意到了一个问题吗?没问题!因为您用的是金丝雀升级,旧的控制平面仍在运行,我们可以切换回去。
+
+{{< text bash >}}
+$ istioctl x revision tag set prod --revision 1-8-5
+{{< /text >}}
+
+然后在触发另一次部署后,您的工作负载将返回到旧版本。
+
+我们期待听到您关于直接升级的体验,并期待在未来改进和扩展此功能。
diff --git a/content/zh/docs/concepts/_index.md b/content/zh/docs/concepts/_index.md
index 9217b3c4ff0b..24594b491227 100644
--- a/content/zh/docs/concepts/_index.md
+++ b/content/zh/docs/concepts/_index.md
@@ -2,6 +2,5 @@
title: 概念
description: 一些概念,理解它们有助于您更好地了解 Istio 系统的不同部分及其使用的抽象。
weight: 10
-icon: concepts
-test: n/a
+test: table-of-contents
---
diff --git a/content/zh/docs/concepts/traffic-management/index.md b/content/zh/docs/concepts/traffic-management/index.md
index 1652fa150e12..12594b252987 100644
--- a/content/zh/docs/concepts/traffic-management/index.md
+++ b/content/zh/docs/concepts/traffic-management/index.md
@@ -471,6 +471,10 @@ spec:
在配置了网络,包括故障恢复策略之后,可以使用 Istio 的故障注入机制来为整个应用程序测试故障恢复能力。故障注入是一种将错误引入系统以确保系统能够承受并从错误条件中恢复的测试方法。使用故障注入特别有用,能确保故障恢复策略不至于不兼容或者太严格,这会导致关键服务不可用。
+{{< warning >}}
+目前,故障注入配置不能与同一个虚拟服务上的重试或超时配置相结合,请参见[流量管理问题](/zh/docs/ops/common-problems/network-issues/#virtual-service-with-fault-injection-and-retry-timeout-policies-not-working-as-expected)。
+{{< /warning >}}
+
与其他错误注入机制(如延迟数据包或在网络层杀掉 Pod)不同,Istio 允许在应用层注入错误。这使您可以注入更多相关的故障,例如 HTTP 错误码,以获得更多相关的结果。
您可以注入两种故障,它们都使用[虚拟服务](#virtual-services)配置:
diff --git a/content/zh/docs/ops/configuration/telemetry/monitoring-multicluster-prometheus/index.md b/content/zh/docs/ops/configuration/telemetry/monitoring-multicluster-prometheus/index.md
index 0c29d0975030..47f4c0130aa8 100644
--- a/content/zh/docs/ops/configuration/telemetry/monitoring-multicluster-prometheus/index.md
+++ b/content/zh/docs/ops/configuration/telemetry/monitoring-multicluster-prometheus/index.md
@@ -71,8 +71,7 @@ scrape_configs:
params:
'match[]':
- - '{job="pilot"}'
- - '{job="envoy-stats"}'
+ - '{job="kubernetes-pods"}'
static_configs:
- targets:
@@ -121,8 +120,7 @@ scrape_configs:
params:
'match[]':
- - '{job="pilot"}'
- - '{job="envoy-stats"}'
+ - '{job="kubernetes-pods}'
static_configs:
- targets:
diff --git a/content/zh/docs/releases/security-vulnerabilities/index.md b/content/zh/docs/releases/security-vulnerabilities/index.md
index c795c7958844..caf973c402ea 100644
--- a/content/zh/docs/releases/security-vulnerabilities/index.md
+++ b/content/zh/docs/releases/security-vulnerabilities/index.md
@@ -37,6 +37,7 @@ test: n/a
- 您需要帮助调整 Istio 组件的安全性。
- 您需要使用安全更新相关的帮助。
- 您的问题与安全性无关。
+- 您的问题与基本映像依赖关系有关(查看 [基础镜像](#base-images))
## 评估{#evaluation}
@@ -72,3 +73,9 @@ Istio 项目维护了一个邮件列表,用于在私下及早的公开安全
- Slack 上的 [#announcements](https://istio.slack.com/messages/CFXS256EQ/) 频道
该公告将尽可能包含客户在升级到固定版本之前能够采取的任何缓解措施,这些公告的建议发布时间是 UTC 时间星期一至四的 16:00。这意味着该公告将在太平洋时间的早上、欧洲傍晚和亚洲傍晚发布。
+
+## 基础镜像{#base-images}
+
+Istio 提供了两组基于 `ubuntu` 和基于 `distroless` 的默认 docker 镜像,更多详情请查阅([Harden Docker Container Images](/zh/docs/ops/configuration/security/harden-docker-images/))。
+这些镜像中偶尔会存在一些新发现的 CVE 安全漏洞。
+Istio 安全团队会对这些镜像进行自动扫描,以确保基础镜像中没有已知的 CVE 安全漏洞。
\ No newline at end of file
diff --git a/content/zh/events/banners/istio-has-applied-to-join-the-cncf.md b/content/zh/events/banners/istio-has-applied-to-join-the-cncf.md
new file mode 100644
index 000000000000..2c1c37d9ad30
--- /dev/null
+++ b/content/zh/events/banners/istio-has-applied-to-join-the-cncf.md
@@ -0,0 +1,8 @@
+---
+title: Istio has applied to join the CNCF
+period_start: 2022-04-24
+period_end: 2022-04-29
+max_impressions: 12
+---
+
+Istio 已申请加入 CNCF,或者[立即参加 IstioCon](https://events.istio.io/istiocon-2022/)。
\ No newline at end of file
diff --git a/content/zh/news/releases/1.12.x/announcing-1.12/_index.md b/content/zh/news/releases/1.12.x/announcing-1.12/_index.md
new file mode 100644
index 000000000000..8065a272fc5c
--- /dev/null
+++ b/content/zh/news/releases/1.12.x/announcing-1.12/_index.md
@@ -0,0 +1,79 @@
+---
+title: Istio 1.12 公告
+linktitle: 1.12
+subtitle: 重大更新
+description: Istio 1.12 发布公告。
+publishdate: 2021-11-18
+release: 1.12.0
+skip_list: true
+aliases:
+ - /zh/news/announcing-1.12
+ - /zh/news/announcing-1.12.0
+---
+
+我们很高兴地宣布 Istio 1.12 的发布!
+
+{{< relnote >}}
+
+这是 2021 年的最后一个版本。我们要感谢整个 Istio 社区,特别是来自 Red Hat 的发行经理 [Daniel Grimm](https://github.com/dgn) 和来自 Aspen Mesh 的 [Kenan O'Neal](https://github.com/Kmoneal),感谢他们帮助我们发布了 1.12.0。
+
+{{< tip >}}
+Istio 1.12.0 在 Kubernetes `1.19` 到 `1.22` 版本上得到了官方支持。
+{{< /tip >}}
+
+以下是该版本的一些亮点:
+
+## WebAssembly API{#WebAssembly-API}
+
+[WebAssembly](/zh/docs/concepts/wasm/) 一直是一个重要的项目,已经开发了 [3 年多](/zh/blog/2020/wasm-announce/),通过允许用户在运行时动态加载自定义扩展,为 Istio 带来高级的可扩展性。
+然而,到目前为止,配置 WebAssembly 插件还处于实验阶段,并且很难使用。
+
+在 Istio 1.12 中,我们增加了一流的 API 来配置 WebAssembly 插件,从而改善了这种体验:[WasmPlugin](/zh/docs/reference/config/proxy_extensions/wasm-plugin/)。
+
+使用 `WasmPlugin`,您可以很容易地将自定义插件部署到单个代理,甚至整个网格。
+
+该 API 目前处于 alpha 阶段并在不断发展。感谢[您的反馈](/zh/get-involved/)!
+
+## Telemetry API{#Telemetry-API}
+
+在 Istio 1.11 中,我们引入了一个全新的 [`Telemetry` API](/zh/docs/reference/config/telemetry/),带来了一个标准化的 API,用于在 Istio 中配置跟踪、日志记录和指标。
+
+在 1.12 中,我们继续朝这个方向努力,扩展了对 API 配置指标和访问日志记录的支持。
+
+要开始,请查看以下文档:
+
+* [Telemetry API 概述](/zh/docs/tasks/observability/telemetry/)
+* [追踪](/zh/docs/tasks/observability/distributed-tracing/)
+* [指标](/zh/docs/tasks/observability/metrics/)
+* [访问日志](/zh/docs/tasks/observability/logs/access-log/)
+
+该 API 目前处于 alpha 阶段并在不断发展。感谢[您的反馈](/zh/get-involved/)!
+
+## Helm 支持{#helm-support}
+
+Istio 1.12 对我们的 [Helm 安装支持](/zh/docs/setup/install/helm/)进行了许多改进,并为该功能在未来升级到测试版铺平了道路。
+
+一个官方的 Helm 库已经发布,以进一步简化加载流程,适应了[最流行的 GitHub 特性请求](https://github.com/istio/istio/issues/7505)之一。
+查看新的[入门](/zh/docs/setup/install/helm/#prerequisites)说明以获取更多信息。
+
+这些图表也可以在 [ArtifactHub](https://artifacthub.io/packages/search?org=istio) 上找到。
+
+此外,还发布了新的精制的 [`gateway` chart](https://artifacthub.io/packages/helm/istio-official/gateway) 图表。
+这个 chart 取代了旧的 `istio-ingressgateway` 和 `istio-egressgateway` charts,极大地简化了网关的管理,并遵循 Helm 的最佳实践。请访问网关注入页面,了解迁移到 helm chart 的说明。
+
+## Kubernetes Gateway API{#Kubernetes-Gateway-API}
+
+Istio 已经完全支持 `v1alpha2` 版本的 [Kubernetes Gateway API](http://gateway-api.org/)。
+该 API 的目的是统一 Istio、Kubernetes `Ingress` 和其他代理使用的各种 API 集,以定义一个强大的、可扩展的 API 来配置流量路由。
+
+虽然 API 还没有针对生产工作负载,但 API 和 Istio 的实现正在迅速发展。
+要试用它,请查看 [Kubernetes Gateway API](/zh/docs/tasks/traffic-management/ingress/gateway-api/) 文档。
+
+## 还有很多很多{#and-much-much-more}
+
+* Default Retry Policies 已经被添加到 [Mesh Config](/zh/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig),允许用户在单个位置配置默认的重试策略,而不是在每个 VirtualService 中重复配置。
+* 一个新的 `failoverPriority` 配置已经添加到[Locality Load Balancing 配置](/zh/docs/reference/config/networking/destination-rule/#LocalityLoadBalancerSetting)中,允许自定义 Pod 的优先级。例如,同一网络中的 Pod 可以被赋予额外的优先级。
+* 添加了新的配置使[安全 TLS 发起更简单](/zh/docs/ops/best-practices/security/#configure-tls-verification-in-destination-rule-when-using-tls-origination)。
+* 如果您错过了:已经为 [gRPC 原生 "Proxyless" Service Mesh](/zh/blog/2021/proxyless-grpc/) 添加了初始支持。
+* [添加了](https://github.com/istio/istio/wiki/Experimental-QUIC-and-HTTP-3-support-in-Istio-gateways)对 HTTP/3 Gateway 的额实验性支持。
+* 有关更改的完整列表,请参阅 [Change Notes](/zh/news/releases/1.12.x/announcing-1.12/change-notes/)。
diff --git a/data/companies.yml b/data/companies.yml
index 0512b9b54d24..b9b410ce4332 100644
--- a/data/companies.yml
+++ b/data/companies.yml
@@ -457,6 +457,9 @@ users:
- name: "Spotify"
logo: "/logos/spotify.svg"
url: "https://www.spotify.com/"
+ - name: "Statsig"
+ logo: "/logos/statsig.svg"
+ url: "https://www.statsig.com/"
- name: "Stilingue"
logo: "/logos/stilingue.svg"
url: "https://stilingue.com.br"
diff --git a/go.mod b/go.mod
index a84e4f4e229c..a2587383dadf 100644
--- a/go.mod
+++ b/go.mod
@@ -11,8 +11,8 @@ replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.5
require (
github.com/golang/sync v0.0.0-20180314180146-1d60e4601c6f
github.com/pmezard/go-difflib v1.0.0
- istio.io/istio v0.0.0-20220422184250-d315965155f4
- istio.io/pkg v0.0.0-20220422005710-7533399e2655
+ istio.io/istio v0.0.0-20220429194846-53aa699f7ad9
+ istio.io/pkg v0.0.0-20220426123005-aba87f29dab6
k8s.io/apimachinery v0.23.5
k8s.io/client-go v0.23.5
)
@@ -55,7 +55,7 @@ require (
github.com/docker/distribution v2.8.1+incompatible // indirect
github.com/docker/docker v20.10.12+incompatible // indirect
github.com/docker/docker-credential-helpers v0.6.4 // indirect
- github.com/envoyproxy/go-control-plane v0.10.2-0.20220420171917-689c2bccf0ec // indirect
+ github.com/envoyproxy/go-control-plane v0.10.2-0.20220428052930-ec95b9f870a8 // indirect
github.com/envoyproxy/protoc-gen-validate v0.6.7 // indirect
github.com/evanphx/json-patch v4.12.0+incompatible // indirect
github.com/evanphx/json-patch/v5 v5.6.0 // indirect
@@ -204,8 +204,8 @@ require (
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
helm.sh/helm/v3 v3.8.2 // indirect
- istio.io/api v0.0.0-20220422171451-c26918059821 // indirect
- istio.io/client-go v1.12.0-alpha.5.0.20220422172151-983ac5efbd0b // indirect
+ istio.io/api v0.0.0-20220426122505-56c53d9fe8c5 // indirect
+ istio.io/client-go v1.12.0-alpha.5.0.20220426123505-18c671f36061 // indirect
k8s.io/api v0.23.5 // indirect
k8s.io/apiextensions-apiserver v0.23.5 // indirect
k8s.io/cli-runtime v0.23.5 // indirect
@@ -215,7 +215,7 @@ require (
k8s.io/kubectl v0.23.5 // indirect
k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
sigs.k8s.io/controller-runtime v0.11.2 // indirect
- sigs.k8s.io/gateway-api v0.4.1-0.20220411164207-d6bbc338d351 // indirect
+ sigs.k8s.io/gateway-api v0.4.1-0.20220419214231-03f50b47814e // indirect
sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
sigs.k8s.io/kustomize/api v0.10.1 // indirect
sigs.k8s.io/kustomize/kyaml v0.13.0 // indirect
diff --git a/go.sum b/go.sum
index 548fdec8ca1b..de7713691369 100644
--- a/go.sum
+++ b/go.sum
@@ -623,8 +623,8 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.m
github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
github.com/envoyproxy/go-control-plane v0.10.1/go.mod h1:AY7fTTXNdv/aJ2O5jwpxAPOWUZ7hQAEvzN5Pf27BkQQ=
-github.com/envoyproxy/go-control-plane v0.10.2-0.20220420171917-689c2bccf0ec h1:np2MDgE07uAw/Z/0N5bPLVRzlPd8aAHng6cNKQUhxu0=
-github.com/envoyproxy/go-control-plane v0.10.2-0.20220420171917-689c2bccf0ec/go.mod h1:fJJn/j26vwOu972OllsvAgJJM//w9BV6Fxbg2LuVd34=
+github.com/envoyproxy/go-control-plane v0.10.2-0.20220428052930-ec95b9f870a8 h1:ZqKqxZ7mtvDKhP9H9eqQpbX2VwSiN7HKCU4SHqOPjM0=
+github.com/envoyproxy/go-control-plane v0.10.2-0.20220428052930-ec95b9f870a8/go.mod h1:fJJn/j26vwOu972OllsvAgJJM//w9BV6Fxbg2LuVd34=
github.com/envoyproxy/protoc-gen-validate v0.0.14/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
github.com/envoyproxy/protoc-gen-validate v0.6.2/go.mod h1:2t7qjJNvHPx8IjnBOzl9E9/baC+qXE/TeeyBRzgJDws=
@@ -2904,14 +2904,14 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
honnef.co/go/tools v0.0.1-2020.1.5/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
honnef.co/go/tools v0.2.1/go.mod h1:lPVVZ2BS5TfnjLyizF7o7hv7j9/L+8cZY2hLyjP9cGY=
-istio.io/api v0.0.0-20220422171451-c26918059821 h1:JG8lpe9IYL44UunbqdrYnTnZ/+xsBrP//JaM21wyG7E=
-istio.io/api v0.0.0-20220422171451-c26918059821/go.mod h1:qGm6l1okCpLqVKyXSfYjB+UXXgpE/LCggALuK25cSFY=
-istio.io/client-go v1.12.0-alpha.5.0.20220422172151-983ac5efbd0b h1:cwBAFo9e2jhHYwX4dFpexc6E2AveVSNWRPJPIsMuVRY=
-istio.io/client-go v1.12.0-alpha.5.0.20220422172151-983ac5efbd0b/go.mod h1:5pTd0Szh95h6FJCfPEWF9Fi/czyS4Y1J8ry3lHU95RU=
-istio.io/istio v0.0.0-20220422184250-d315965155f4 h1:0q233dVMzhzIqQ3kkJP/QDNKiLqYbz6QByJolqiMSjQ=
-istio.io/istio v0.0.0-20220422184250-d315965155f4/go.mod h1:H+AFs55ZCXIEZF9HRjZBVNN+JQk1odfM8N2jjrqjHjw=
-istio.io/pkg v0.0.0-20220422005710-7533399e2655 h1:Phikti+a0oa03NA2ZYJkCV9dHUpLeuKMv5loxdFhfZw=
-istio.io/pkg v0.0.0-20220422005710-7533399e2655/go.mod h1:kcBYN5TiyGFM2bs4b7K81j+YeDZ4JrINP+brV9ehZe0=
+istio.io/api v0.0.0-20220426122505-56c53d9fe8c5 h1:jnCjFoosOPcVVgtUKHiCwjMenUgHAgTE/m4qNzEn8t0=
+istio.io/api v0.0.0-20220426122505-56c53d9fe8c5/go.mod h1:qGm6l1okCpLqVKyXSfYjB+UXXgpE/LCggALuK25cSFY=
+istio.io/client-go v1.12.0-alpha.5.0.20220426123505-18c671f36061 h1:giM89Xq3+zpENum4vHpXAhrt7wMc3n49K59gNUna8lA=
+istio.io/client-go v1.12.0-alpha.5.0.20220426123505-18c671f36061/go.mod h1:uebNBYUGN8Y51vJ7yAH0YM9Z83LIIhpMg0FOVbuEvBw=
+istio.io/istio v0.0.0-20220429194846-53aa699f7ad9 h1:ET24y3c3vOVxWKYbSHRjBoLpMKHVs3C51MXngAiNv10=
+istio.io/istio v0.0.0-20220429194846-53aa699f7ad9/go.mod h1:5rCW+rOsxWnD0VfsgyCwFwd4mSq6KXTU5am+P1rRL6k=
+istio.io/pkg v0.0.0-20220426123005-aba87f29dab6 h1:4QSeo79CuEe4cjCpXsfFenHKzAKaQXtnUY5Gd5jWdCs=
+istio.io/pkg v0.0.0-20220426123005-aba87f29dab6/go.mod h1:kcBYN5TiyGFM2bs4b7K81j+YeDZ4JrINP+brV9ehZe0=
k8s.io/api v0.0.0-20180904230853-4e7be11eab3f/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j7jUFS00AXQi6QMi99vA=
k8s.io/api v0.17.4/go.mod h1:5qxx6vjmwUVG2nHQTKGlLts8Tbok8PzHl4vHtVFuZCA=
k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78=
@@ -3082,8 +3082,8 @@ sigs.k8s.io/controller-runtime v0.11.2 h1:H5GTxQl0Mc9UjRJhORusqfJCIjBO8UtUxGggCw
sigs.k8s.io/controller-runtime v0.11.2/go.mod h1:P6QCzrEjLaZGqHsfd+os7JQ+WFZhvB8MRFsn4dWF7O4=
sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WGJhdVChfvI=
sigs.k8s.io/controller-tools v0.7.0/go.mod h1:bpBAo0VcSDDLuWt47evLhMLPxRPxMDInTEH/YbdeMK0=
-sigs.k8s.io/gateway-api v0.4.1-0.20220411164207-d6bbc338d351 h1:4F7lwe6YevlYObT2HRPr1G4y63hb+NLyI2pxICJ3BoA=
-sigs.k8s.io/gateway-api v0.4.1-0.20220411164207-d6bbc338d351/go.mod h1:Gj2je/oOS/22fEU/U4xJ/nRH0wuQ3/kcfJUmLqtqXV4=
+sigs.k8s.io/gateway-api v0.4.1-0.20220419214231-03f50b47814e h1:PQOYjMWqURIPBmIEHw9OQAbtNb1DnwAVwAj/TC9l+24=
+sigs.k8s.io/gateway-api v0.4.1-0.20220419214231-03f50b47814e/go.mod h1:Gj2je/oOS/22fEU/U4xJ/nRH0wuQ3/kcfJUmLqtqXV4=
sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 h1:fD1pz4yfdADVNfFmcP2aBEtudwUQ1AlLnRBALr33v3s=
sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs=
sigs.k8s.io/kind v0.8.1/go.mod h1:oNKTxUVPYkV9lWzY6CVMNluVq8cBsyq+UgPJdvA3uu4=
diff --git a/src/sass/base/_constants.scss b/src/sass/base/_constants.scss
index f0ccb19cba4d..a7590edc69c9 100644
--- a/src/sass/base/_constants.scss
+++ b/src/sass/base/_constants.scss
@@ -32,7 +32,7 @@ $floating-button-z: 15;
$glossary-letter-z: 10;
$toolbar-button-z: 1;
$promotion-z: 1;
-$footer-z: 2;
+$footer-z: 0;
// various manifest constants
$border-radius: 4px;
diff --git a/static/logos/statsig.svg b/static/logos/statsig.svg
new file mode 100644
index 000000000000..dab30224ede6
--- /dev/null
+++ b/static/logos/statsig.svg
@@ -0,0 +1,4 @@
+
diff --git a/tests/util/helpers.sh b/tests/util/helpers.sh
index c86f81ebec31..0252a512e009 100644
--- a/tests/util/helpers.sh
+++ b/tests/util/helpers.sh
@@ -112,3 +112,16 @@ _wait_for_istio() {
_urlencode() {
python3 -c "import urllib.parse; print(urllib.parse.quote('''$1'''))"
}
+
+# Invokes bash make to rewrite a snippet to avoid installing from a real helm repository, and instead uses
+# local files
+# usage: _rewrite_helm_repo
+# shellcheck disable=SC2001
+_rewrite_helm_repo() {
+ # get function definition: https://stackoverflow.com/a/6916952/374797
+ cmd="$(type "${1:?snip}" | sed '1,3d;$d')"
+ cmd="$(echo "${cmd}" | sed 's|istio/base|manifests/charts/base|')"
+ cmd="$(echo "${cmd}" | sed 's|istio/istiod|manifests/charts/istio-control/istio-discovery|')"
+ cmd="$(echo "${cmd}" | sed 's|istio/gateway|manifests/charts/gateway|')"
+ eval "${cmd} --set global.tag=${ISTIO_IMAGE_VERSION=SHOULD_BE_SET}.${ISTIO_LONG_SHA=latest}"
+}
\ No newline at end of file