qudongfang

happy flow

All issues were found during the Checks&Tests. No bad changes were rolled out.

flowchart TD
    A[stage 0/PR] --> B[github actions/localstack];
    B -- Yes --> C[stage 1 rollout];
    B -- No  --> D[block PR merge];

qudongfang

for c in $(kubectx | grep -v gov | grep -v dev); do
    echo $c;
    kubectx $c

    kubectl delete deployments istiod -n istio-system
    kubectl delete hpa istiod -n istio-system
    kubectl delete pdb istiod -n istio-system
    kubectl delete svc istiod -n istio-system  --wait=false
    kubectl delete cm -n istio-system istio
done

qudongfang

for c in $(kubectx | grep -v gov | grep -v dev); do
    echo $c;
    kubectx $c
    
    kubectl -n istio-system patch iop istio-control-plane --type=json --patch='[ { "op": "remove", "path": "/metadata/finalizers" } ]'

    istioctl tag set default --revision 1-20-5 --overwrite

    kubectl -n flux-system --wait=false delete kustomization/istio-operator-bootstrap

qudongfang

AKS kubectl API traffic flow

graph TD;
    kubectl --> lb-b-mgmt[kube-1-eastus2-azure-cloud-dev.k8s-api.corp.mongodb.com];
    lb-b-mgmt[kube-1-eastus2-azure-cloud-dev.k8s-api.corp.mongodb.com] --> proxy-headless.kubectl.eastus2.azure.cloud-dev.svc.cluster.local:8080;
    proxy-headless.kubectl.eastus2.azure.cloud-dev.svc.cluster.local:8080 --> proxy_pods[socat pods running in namespace kubectl]
   proxy_pods[socat pods running in namespace kubectl] --> kubernetes.default.svc.cluster.local:443

qudongfang

RELEASE=1.19

git clone https://github.com/istio/proxy.git

cd proxy

git checkout ${RELEASE}

# make your changes to the source code

qudongfang

RELEASE=1.19

git clone https://github.com/istio/proxy.git

cd proxy

git checkout ${RELEASE}

# make your changes to the source code

qudongfang

ARG RELEASE=1.19.6
ARG SIDECAR=envoy

FROM gcr.io/istio-release/proxyv2:${RELEASE}

# Install Envoy.
COPY ./${SIDECAR} /usr/local/bin/${SIDECAR}
RUN chmod 0755 /usr/local/bin/${SIDECAR}

qudongfang

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: add-x-cluster-client-ip-header
  namespace: istio-system
spec:
  configPatches:
  - applyTo: ROUTE_CONFIGURATION
    match:
      context: SIDECAR_INBOUND

qudongfang

### Keybase proof

I hereby claim:

  * I am qudongfang on github.
  * I am dongfang (https://keybase.io/dongfang) on keybase.
  * I have a public key ASCIfbaHj0EKcHrmiqSGB73Gqyvht1fuIy71ES9_YD_b0Qo

To claim this, I am signing this object:

qudongfang

import sun.misc.Unsafe;

import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;

public class Foo {
    private boolean flag = true;

    public boolean getFlag() {