Kubernetes Ingress Test + fixes (#7662)

* Kubernetes Ingress Test + fixes * cleanup * fix circuit-breaking test * fix lint * remove -it
2020-07-06 10:54:35 -04:00 · 2020-07-06 10:54:35 -04:00 · 412f03105c
parent 0fd97d3817
commit 412f03105c
26 changed files with 258 additions and 139 deletions
--- a/content/en/docs/examples/bookinfo/index.md
+++ b/content/en/docs/examples/bookinfo/index.md
@ -137,7 +137,7 @@ If you use GKE, please ensure your cluster has at least 4 standard GKE nodes. If
    example from `ratings`:

    {{< text bash >}}
-    $ kubectl exec -it "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl productpage:9080/productpage | grep -o "<title>.*</title>"
+    $ kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl productpage:9080/productpage | grep -o "<title>.*</title>"
    <title>Simple Bookstore App</title>
    {{< /text >}}

--- a/content/en/docs/examples/bookinfo/snips.sh
+++ b/content/en/docs/examples/bookinfo/snips.sh
@ -60,7 +60,7 @@ reviews-v3-1813607990-8ch52      2/2       Running   0          6m
 ENDSNIP

 snip_start_the_application_services_6() {
-kubectl exec -it "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl productpage:9080/productpage | grep -o "<title>.*</title>"
+kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl productpage:9080/productpage | grep -o "<title>.*</title>"
 }

 ! read -r -d '' snip_start_the_application_services_6_out <<\ENDSNIP
--- a/content/en/docs/tasks/observability/logs/access-log/index.md
+++ b/content/en/docs/tasks/observability/logs/access-log/index.md
@ -68,7 +68,6 @@ All three of these parameters may also be configured via [install options](https
          |       ;/
          \_     _/
            `"""`
-    ...
    {{< /text >}}

 1.  Check `sleep`'s log:
--- a/content/en/docs/tasks/observability/logs/access-log/snips.sh
+++ b/content/en/docs/tasks/observability/logs/access-log/snips.sh
@ -51,7 +51,6 @@ kubectl exec "$SOURCE_POD" -c sleep -- curl -v httpbin:8000/status/418
      |       ;/
      \_     _/
        `"""`
-...
 ENDSNIP

 snip_test_the_access_log_2() {
--- a/content/en/docs/tasks/observability/logs/access-log/test.sh
+++ b/content/en/docs/tasks/observability/logs/access-log/test.sh
@ -42,8 +42,7 @@ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath='{.items[0].metadat
 startup_httpbin_sample

 # Make curl request to httpbin
-#TODO _verify_elided snip_test_the_access_log_1 "$snip_test_the_access_log_1_out"
-_verify_contains snip_test_the_access_log_1 "-=[ teapot ]=-"
+_verify_elided snip_test_the_access_log_1 "$snip_test_the_access_log_1_out"

 # Check the logs
 _verify_contains snip_test_the_access_log_2 "outbound|8000||httpbin.default.svc.cluster.local"
--- a/content/en/docs/tasks/security/authentication/mtls-migration/index.md
+++ b/content/en/docs/tasks/security/authentication/mtls-migration/index.md
@ -116,7 +116,7 @@ If you installed Istio with `values.global.proxy.privileged=true`, you can use `
 traffic is encrypted or not.

 {{< text bash >}}
-$ kubectl exec -nfoo "$(kubectl get pod -nfoo -lapp=httpbin -ojsonpath={.items..metadata.name})" -c istio-proxy -it -- sudo tcpdump dst port 80  -A
+$ kubectl exec -nfoo "$(kubectl get pod -nfoo -lapp=httpbin -ojsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port 80  -A
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
 {{< /text >}}
--- a/content/en/docs/tasks/security/authentication/mtls-migration/snips.sh
+++ b/content/en/docs/tasks/security/authentication/mtls-migration/snips.sh
@ -90,7 +90,7 @@ sleep.legacy to httpbin.bar: 200
 ENDSNIP

 snip_lock_down_to_mutual_tls_by_namespace_3() {
-kubectl exec -nfoo "$(kubectl get pod -nfoo -lapp=httpbin -ojsonpath={.items..metadata.name})" -c istio-proxy -it -- sudo tcpdump dst port 80  -A
+kubectl exec -nfoo "$(kubectl get pod -nfoo -lapp=httpbin -ojsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port 80  -A
 }

 ! read -r -d '' snip_lock_down_to_mutual_tls_by_namespace_3_out <<\ENDSNIP
--- a/content/en/docs/tasks/traffic-management/circuit-breaking/index.md
+++ b/content/en/docs/tasks/traffic-management/circuit-breaking/index.md
@ -107,8 +107,8 @@ governed by Istio.
 Pass in `-curl` to indicate that you just want to make one call:

    {{< text bash >}}
-    $ FORTIO_POD=$(kubectl get pods -lapp=fortio -o 'jsonpath={.items[0].metadata.name}')
-    $ kubectl exec -it "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -curl http://httpbin:8000/get
+    $ export FORTIO_POD=$(kubectl get pods -lapp=fortio -o 'jsonpath={.items[0].metadata.name}')
+    $ kubectl exec "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -curl http://httpbin:8000/get
    HTTP/1.1 200 OK
    server: envoy
    date: Tue, 25 Feb 2020 20:25:52 GMT
@ -148,7 +148,7 @@ one connection and request concurrently, you should see some failures when the
 (`-n 20`):

    {{< text bash >}}
-    $ kubectl exec -it "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -c 2 -qps 0 -n 20 -loglevel Warning http://httpbin:8000/get
+    $ kubectl exec "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -c 2 -qps 0 -n 20 -loglevel Warning http://httpbin:8000/get
    20:33:46 I logger.go:97> Log level is now 3 Warning (was 2 Info)
    Fortio 1.3.1 running at 0 queries per second, 6->6 procs, for 20 calls: http://httpbin:8000/get
    Starting at max qps with 2 thread(s) [gomax 6] for exactly 20 calls (10 per thread + 0)
@ -193,7 +193,7 @@ one connection and request concurrently, you should see some failures when the
 1. Bring the number of concurrent connections up to 3:

    {{< text bash >}}
-    $ kubectl exec -it "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -c 3 -qps 0 -n 30 -loglevel Warning http://httpbin:8000/get
+    $ kubectl exec "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -c 3 -qps 0 -n 30 -loglevel Warning http://httpbin:8000/get
    20:32:30 I logger.go:97> Log level is now 3 Warning (was 2 Info)
    Fortio 1.3.1 running at 0 queries per second, 6->6 procs, for 30 calls: http://httpbin:8000/get
    Starting at max qps with 3 thread(s) [gomax 6] for exactly 30 calls (10 per thread + 0)
--- a/content/en/docs/tasks/traffic-management/circuit-breaking/snips.sh
+++ b/content/en/docs/tasks/traffic-management/circuit-breaking/snips.sh
@ -76,8 +76,8 @@ kubectl apply -f <(istioctl kube-inject -f samples/httpbin/sample-client/fortio-
 }

 snip_adding_a_client_3() {
-FORTIO_POD=$(kubectl get pods -lapp=fortio -o 'jsonpath={.items[0].metadata.name}')
-kubectl exec -it "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -curl http://httpbin:8000/get
+export FORTIO_POD=$(kubectl get pods -lapp=fortio -o 'jsonpath={.items[0].metadata.name}')
+kubectl exec "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -curl http://httpbin:8000/get
 }

 ! read -r -d '' snip_adding_a_client_3_out <<\ENDSNIP
@ -108,7 +108,7 @@ x-envoy-upstream-service-time: 36
 ENDSNIP

 snip_tripping_the_circuit_breaker_1() {
-kubectl exec -it "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -c 2 -qps 0 -n 20 -loglevel Warning http://httpbin:8000/get
+kubectl exec "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -c 2 -qps 0 -n 20 -loglevel Warning http://httpbin:8000/get
 }

 ! read -r -d '' snip_tripping_the_circuit_breaker_1_out <<\ENDSNIP
@ -151,7 +151,7 @@ Code 503 : 3 (15.0 %)
 ENDSNIP

 snip_tripping_the_circuit_breaker_3() {
-kubectl exec -it "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -c 3 -qps 0 -n 30 -loglevel Warning http://httpbin:8000/get
+kubectl exec "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -c 3 -qps 0 -n 30 -loglevel Warning http://httpbin:8000/get
 }

 ! read -r -d '' snip_tripping_the_circuit_breaker_3_out <<\ENDSNIP
--- a/content/en/docs/tasks/traffic-management/circuit-breaking/test.sh
+++ b/content/en/docs/tasks/traffic-management/circuit-breaking/test.sh
@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# shellcheck disable=SC1090,SC2154
+# shellcheck disable=SC1090,SC2154,SC2155

 # Copyright 2020 Istio Authors
 #
@ -42,7 +42,7 @@ snip_adding_a_client_1
 _wait_for_deployment default fortio-deploy

 # Make one call to httpbin
-_verify_contains snip_adding_a_client_3 "HTTP/1.1 200 OK"
+_verify_first_line snip_adding_a_client_3 "$snip_adding_a_client_3_out"

 # FIXME / TODO: These tests previously relied on checking that the
 # percentage of 200 and 503 responses fell within a given range. That
@ -54,6 +54,9 @@ _verify_contains snip_adding_a_client_3 "HTTP/1.1 200 OK"
 #  Temporary fix: https://github.com/istio/istio.io/pull/7043
 #          Issue: https://github.com/istio/istio.io/issues/7074

+# TODO: FORTIO_POD is set in snip_adding_a_client_3. Why is it not still set?
+export FORTIO_POD=$(kubectl get pods -lapp=fortio -o 'jsonpath={.items[0].metadata.name}')
+
 # Make requests with 2 connections
 _verify_lines snip_tripping_the_circuit_breaker_1 "
 + Code 200 :
@ -67,12 +70,12 @@ _verify_lines snip_tripping_the_circuit_breaker_3 "
 "

 # Query the istio-proxy stats
-expected="cluster.outbound|8000||httpbin.istio-io-circuitbreaker.svc.cluster.local.circuit_breakers.default.rq_pending_open: ...
-cluster.outbound|8000||httpbin.istio-io-circuitbreaker.svc.cluster.local.circuit_breakers.high.rq_pending_open: ...
-cluster.outbound|8000||httpbin.istio-io-circuitbreaker.svc.cluster.local.upstream_rq_pending_active: ...
-cluster.outbound|8000||httpbin.istio-io-circuitbreaker.svc.cluster.local.upstream_rq_pending_failure_eject: ...
-cluster.outbound|8000||httpbin.istio-io-circuitbreaker.svc.cluster.local.upstream_rq_pending_overflow: ...
-cluster.outbound|8000||httpbin.istio-io-circuitbreaker.svc.cluster.local.upstream_rq_pending_total: ..."
+expected="cluster.outbound|8000||httpbin.default.svc.cluster.local.circuit_breakers.default.rq_pending_open: ...
+cluster.outbound|8000||httpbin.default.svc.cluster.local.circuit_breakers.high.rq_pending_open: ...
+cluster.outbound|8000||httpbin.default.svc.cluster.local.upstream_rq_pending_active: ...
+cluster.outbound|8000||httpbin.default.svc.cluster.local.upstream_rq_pending_failure_eject: ...
+cluster.outbound|8000||httpbin.default.svc.cluster.local.upstream_rq_pending_overflow: ...
+cluster.outbound|8000||httpbin.default.svc.cluster.local.upstream_rq_pending_total: ..."
 _verify_like snip_tripping_the_circuit_breaker_5 "$expected"

 # @cleanup
--- a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md
+++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md
@ -619,7 +619,7 @@ to hold the configuration of the NGINX server:
 1.  Verify that the key and the certificate are successfully loaded in the `istio-egressgateway` pod:

    {{< text bash >}}
-    $ kubectl exec -it -n istio-system "$(kubectl -n istio-system get pods -l istio=egressgateway -o jsonpath='{.items[0].metadata.name}')" -- ls -al /etc/istio/nginx-client-certs /etc/istio/nginx-ca-certs
+    $ kubectl exec -n istio-system "$(kubectl -n istio-system get pods -l istio=egressgateway -o jsonpath='{.items[0].metadata.name}')" -- ls -al /etc/istio/nginx-client-certs /etc/istio/nginx-ca-certs
    {{< /text >}}

    `tls.crt` and `tls.key` should exist in `/etc/istio/nginx-client-certs`, while `ca-chain.cert.pem` in
--- a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/mtls_test.sh
+++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/mtls_test.sh
@ -86,7 +86,7 @@ _wait_for_istio virtualservice default direct-nginx-through-egress-gateway
 _wait_for_istio destinationrule default originate-mtls-for-nginx

 # TODO: Verify HTTP connection to nginx
-# _verify_contains snip_configure_mutual_tls_origination_for_egress_traffic_3 "Welcome to nginx!"
+#_verify_elided snip_configure_mutual_tls_origination_for_egress_traffic_3 "$snip_configure_mutual_tls_origination_for_egress_traffic_3_out"

 #TODO: verify request is actually being routed through egress gateway

--- a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/snips.sh
+++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/snips.sh
@ -494,7 +494,7 @@ kubectl -n istio-system patch --type=json deploy istio-egressgateway -p "$(cat g
 }

 snip_redeploy_the_egress_gateway_with_the_client_certificates_4() {
-kubectl exec -it -n istio-system "$(kubectl -n istio-system get pods -l istio=egressgateway -o jsonpath='{.items[0].metadata.name}')" -- ls -al /etc/istio/nginx-client-certs /etc/istio/nginx-ca-certs
+kubectl exec -n istio-system "$(kubectl -n istio-system get pods -l istio=egressgateway -o jsonpath='{.items[0].metadata.name}')" -- ls -al /etc/istio/nginx-client-certs /etc/istio/nginx-ca-certs
 }

 snip_configure_mutual_tls_origination_for_egress_traffic_1() {
--- a/content/en/docs/tasks/traffic-management/ingress/ingress-control/index.md
+++ b/content/en/docs/tasks/traffic-management/ingress/ingress-control/index.md
@ -200,13 +200,8 @@ Let's see how you can configure a `Gateway` on port 80 for HTTP traffic.
    {{< text bash >}}
    $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/status/200"
    HTTP/1.1 200 OK
-    server: envoy
-    date: Mon, 29 Jan 2018 04:45:49 GMT
-    content-type: text/html; charset=utf-8
-    access-control-allow-origin: *
-    access-control-allow-credentials: true
-    content-length: 0
-    x-envoy-upstream-service-time: 48
+    server: istio-envoy
+    ...
    {{< /text >}}

    Note that you use the `-H` flag to set the _Host_ HTTP header to
@ -218,9 +213,7 @@ Let's see how you can configure a `Gateway` on port 80 for HTTP traffic.
    {{< text bash >}}
    $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/headers"
    HTTP/1.1 404 Not Found
-    date: Mon, 29 Jan 2018 04:45:49 GMT
-    server: envoy
-    content-length: 0
+    ...
    {{< /text >}}

 ## Accessing ingress services using a browser
--- a/content/en/docs/tasks/traffic-management/ingress/ingress-control/snips.sh
+++ b/content/en/docs/tasks/traffic-management/ingress/ingress-control/snips.sh
@ -117,13 +117,8 @@ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/status

 ! read -r -d '' snip_configuring_ingress_using_an_istio_gateway_3_out <<\ENDSNIP
 HTTP/1.1 200 OK
-server: envoy
-date: Mon, 29 Jan 2018 04:45:49 GMT
-content-type: text/html; charset=utf-8
-access-control-allow-origin: *
-access-control-allow-credentials: true
-content-length: 0
-x-envoy-upstream-service-time: 48
+server: istio-envoy
+...
 ENDSNIP

 snip_configuring_ingress_using_an_istio_gateway_4() {
@ -132,9 +127,7 @@ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/header

 ! read -r -d '' snip_configuring_ingress_using_an_istio_gateway_4_out <<\ENDSNIP
 HTTP/1.1 404 Not Found
-date: Mon, 29 Jan 2018 04:45:49 GMT
-server: envoy
-content-length: 0
+...
 ENDSNIP

 snip_accessing_ingress_services_using_a_browser_1() {
--- a/content/en/docs/tasks/traffic-management/ingress/ingress-control/test.sh
+++ b/content/en/docs/tasks/traffic-management/ingress/ingress-control/test.sh
@ -50,12 +50,10 @@ _wait_for_istio gateway default httpbin-gateway
 _wait_for_istio virtualservice default httpbin

 # access the httpbin service
-#_verify_first_line snip_configuring_ingress_using_an_istio_gateway_3 "$snip_configuring_ingress_using_an_istio_gateway_3_out"
-_verify_contains snip_configuring_ingress_using_an_istio_gateway_3 "HTTP/1.1 200 OK"
+_verify_elided snip_configuring_ingress_using_an_istio_gateway_3 "$snip_configuring_ingress_using_an_istio_gateway_3_out"

 # access the httpbin service
-#_verify_first_line snip_configuring_ingress_using_an_istio_gateway_4 "$snip_configuring_ingress_using_an_istio_gateway_4_out"
-_verify_contains snip_configuring_ingress_using_an_istio_gateway_4 "HTTP/1.1 404 Not Found"
+_verify_elided snip_configuring_ingress_using_an_istio_gateway_4 "$snip_configuring_ingress_using_an_istio_gateway_4_out"

 # configure for web browser
 snip_accessing_ingress_services_using_a_browser_1
--- a/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md
+++ b/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md
@ -136,7 +136,7 @@ to hold the configuration of the NGINX server:
    printed correctly, i.e., `common name (CN)` is equal to `nginx.example.com`.

    {{< text bash >}}
-    $ kubectl exec -it "$(kubectl get pod  -l run=my-nginx -o jsonpath={.items..metadata.name})" -c istio-proxy -- curl -v -k --resolve nginx.example.com:443:127.0.0.1 https://nginx.example.com
+    $ kubectl exec "$(kubectl get pod  -l run=my-nginx -o jsonpath={.items..metadata.name})" -c istio-proxy -- curl -v -k --resolve nginx.example.com:443:127.0.0.1 https://nginx.example.com
    ...
    SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
    ALPN, server accepted to use http/1.1
--- a/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/snips.sh
+++ b/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/snips.sh
@ -115,7 +115,7 @@ EOF
 }

 snip_deploy_an_nginx_server_5() {
-kubectl exec -it "$(kubectl get pod  -l run=my-nginx -o jsonpath={.items..metadata.name})" -c istio-proxy -- curl -v -k --resolve nginx.example.com:443:127.0.0.1 https://nginx.example.com
+kubectl exec "$(kubectl get pod  -l run=my-nginx -o jsonpath={.items..metadata.name})" -c istio-proxy -- curl -v -k --resolve nginx.example.com:443:127.0.0.1 https://nginx.example.com
 }

 ! read -r -d '' snip_deploy_an_nginx_server_5_out <<\ENDSNIP
--- a/content/en/docs/tasks/traffic-management/ingress/kubernetes-ingress/index.md
+++ b/content/en/docs/tasks/traffic-management/ingress/kubernetes-ingress/index.md
@ -3,7 +3,7 @@ title: Ingress (Kubernetes)
 description: Describes how to configure a Kubernetes Ingress object to expose a service outside of the service mesh.
 weight: 15
 keywords: [traffic-management,ingress]
-test: no
+test: yes
 ---

 This task describes how to configure Istio to expose a service outside of the service mesh cluster, using the Kubernetes [Ingress Resource](https://kubernetes.io/docs/concepts/services-networking/ingress/).
@ -22,7 +22,7 @@ A [Kubernetes Ingress Resources](https://kubernetes.io/docs/concepts/services-ne

 Let's see how you can configure a `Ingress` on port 80 for HTTP traffic.

-1.  Create an Istio `Gateway`:
+1.  Create an `Ingress` resource:

    {{< text bash >}}
    $ kubectl apply -f - <<EOF
@ -49,15 +49,10 @@ Let's see how you can configure a `Ingress` on port 80 for HTTP traffic.
 1.  Access the _httpbin_ service using _curl_:

    {{< text bash >}}
-    $ curl -I -HHost:httpbin.example.com http://$INGRESS_HOST:$INGRESS_PORT/status/200
+    $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/status/200"
    HTTP/1.1 200 OK
-    server: envoy
-    date: Mon, 29 Jan 2018 04:45:49 GMT
-    content-type: text/html; charset=utf-8
-    access-control-allow-origin: *
-    access-control-allow-credentials: true
-    content-length: 0
-    x-envoy-upstream-service-time: 48
+    server: istio-envoy
+    ...
    {{< /text >}}

    Note that you use the `-H` flag to set the _Host_ HTTP header to
@ -67,11 +62,9 @@ Let's see how you can configure a `Ingress` on port 80 for HTTP traffic.
 1.  Access any other URL that has not been explicitly exposed. You should see an HTTP 404 error:

    {{< text bash >}}
-    $ curl -I -HHost:httpbin.example.com http://$INGRESS_HOST:$INGRESS_PORT/headers
+    $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/headers"
    HTTP/1.1 404 Not Found
-    date: Mon, 29 Jan 2018 04:45:49 GMT
-    server: envoy
-    content-length: 0
+    ...
    {{< /text >}}

 ## Next Steps
@ -104,7 +97,15 @@ metadata:
  name: ingress
 spec:
  ingressClassName: istio
-  ...
+  rules:
+  - host: httpbin.example.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          serviceName: httpbin
+          servicePort: 8000
 {{< /text >}}

 ## Cleanup
--- a/content/en/docs/tasks/traffic-management/ingress/kubernetes-ingress/snips.sh
+++ b/content/en/docs/tasks/traffic-management/ingress/kubernetes-ingress/snips.sh
@ -0,0 +1,90 @@
+#!/bin/bash
+# shellcheck disable=SC2034,SC2153,SC2155,SC2164
+
+# Copyright Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+####################################################################################################
+# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
+#          docs/tasks/traffic-management/ingress/kubernetes-ingress/index.md
+####################################################################################################
+
+snip_configuring_ingress_using_an_ingress_resource_1() {
+kubectl apply -f - <<EOF
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+    kubernetes.io/ingress.class: istio
+  name: ingress
+spec:
+  rules:
+  - host: httpbin.example.com
+    http:
+      paths:
+      - path: /status/*
+        backend:
+          serviceName: httpbin
+          servicePort: 8000
+EOF
+}
+
+snip_configuring_ingress_using_an_ingress_resource_2() {
+curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/status/200"
+}
+
+! read -r -d '' snip_configuring_ingress_using_an_ingress_resource_2_out <<\ENDSNIP
+HTTP/1.1 200 OK
+server: istio-envoy
+...
+ENDSNIP
+
+snip_configuring_ingress_using_an_ingress_resource_3() {
+curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/headers"
+}
+
+! read -r -d '' snip_configuring_ingress_using_an_ingress_resource_3_out <<\ENDSNIP
+HTTP/1.1 404 Not Found
+...
+ENDSNIP
+
+! read -r -d '' snip_specifying_ingressclass_1 <<\ENDSNIP
+apiVersion: networking.k8s.io/v1beta1
+kind: IngressClass
+metadata:
+  name: istio
+spec:
+  controller: istio.io/ingress-controller
+---
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: ingress
+spec:
+  ingressClassName: istio
+  rules:
+  - host: httpbin.example.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          serviceName: httpbin
+          servicePort: 8000
+ENDSNIP
+
+snip_cleanup_1() {
+kubectl delete ingress ingress
+kubectl delete --ignore-not-found=true -f samples/httpbin/httpbin.yaml
+}
--- a/content/en/docs/tasks/traffic-management/ingress/kubernetes-ingress/test.sh
+++ b/content/en/docs/tasks/traffic-management/ingress/kubernetes-ingress/test.sh
@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1090,SC2154
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+set -u
+set -o pipefail
+
+source "tests/util/samples.sh"
+
+# @setup profile=default
+
+kubectl label namespace default istio-injection=enabled --overwrite
+
+# start the httpbin sample
+startup_httpbin_sample
+
+# export the INGRESS_ environment variables
+_set_ingress_environment_variables
+
+# create the Ingress resource
+snip_configuring_ingress_using_an_ingress_resource_1
+
+# access exposed httpbin URL
+_verify_elided snip_configuring_ingress_using_an_ingress_resource_2 "$snip_configuring_ingress_using_an_ingress_resource_2_out"
+
+# Access other URL
+_verify_elided snip_configuring_ingress_using_an_ingress_resource_3 "$snip_configuring_ingress_using_an_ingress_resource_3_out"
+
+# Test IngressClass and pathType
+kubectl apply -f - <<< "$snip_specifying_ingressclass_1"
+
+get_headers() {
+curl -s -H "Foo: bar" -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/headers"
+}
+_verify_contains get_headers '"Foo": "bar"'
+
+# @cleanup
+
+set +e # ignore cleanup errors
+snip_cleanup_1
--- a/content/en/docs/tasks/traffic-management/ingress/secure-ingress/test.sh
+++ b/content/en/docs/tasks/traffic-management/ingress/secure-ingress/test.sh
@ -61,10 +61,7 @@ snip_configure_a_tls_ingress_gateway_for_a_single_host_6
 # TODO: wait for the secret change to propagate

 # verifying new httpbin credentials
-_verify_lines snip_configure_a_tls_ingress_gateway_for_a_single_host_7 "
-+ HTTP/2 418
-+ -=[ teapot ]=-
-"
+_verify_elided snip_configure_a_tls_ingress_gateway_for_a_single_host_7 "$snip_configure_a_tls_ingress_gateway_for_a_single_host_7_out"

 # verifying old httpbin credentials no longer work
 _verify_failure snip_configure_a_tls_ingress_gateway_for_a_single_host_8
@ -91,10 +88,7 @@ _wait_for_istio virtualservice default helloworld-v1

 _verify_contains snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7 "$snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7_out"

-_verify_lines snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8 "
-+ HTTP/2 418
-+ -=[ teapot ]=-
-"
+_verify_elided snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8 "$snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8_out"

 snip_configure_a_mutual_tls_ingress_gateway_1

@ -107,10 +101,7 @@ _verify_failure snip_configure_a_mutual_tls_ingress_gateway_3

 snip_configure_a_mutual_tls_ingress_gateway_4

-_verify_lines snip_configure_a_mutual_tls_ingress_gateway_5 "
-+ HTTP/2 418
-+ -=[ teapot ]=-
-"
+_verify_elided snip_configure_a_mutual_tls_ingress_gateway_5 "$snip_configure_a_mutual_tls_ingress_gateway_5_out"

 # @cleanup
 set +e # ignore cleanup errors
--- a/scripts/snip.py
+++ b/scripts/snip.py
@ -54,6 +54,7 @@ HEADER = """#!/bin/bash
 startsnip = re.compile(r"^(\s*){{< text (syntax=)?\"?(\w+)\"? .*>}}$")
 snippetid = re.compile(r"snip_id=(\w+)")
 githubfile = re.compile(r"^([^@]*)(?<![A-Za-z0-9])@([\w\.\-_/]+)@([^@]*)$")
+execit = re.compile(r"^(.*kubectl exec.*) -it (.*)$")
 heredoc = re.compile(r"<<\s*\\?EOF")
 sectionhead = re.compile(r"^##+ (.*)$")
 invalidchar = re.compile(r"[^0-9a-zA-Z_]")
@ -142,6 +143,9 @@ with open(markdown, 'rt', encoding='utf-8') as mdfile:
                    match = githubfile.match(line)
                    if match:
                        line = match.group(1) + match.group(2) + match.group(3)
+                    match = execit.match(line)
+                    if match:
+                        print("    WARNING: -it should be removed from kubectl exec of .md line: " + str(linenum))
                    if heredoc.search(line):
                        multiline_cmd = True
                current_snip["script"].append(line)
--- a/tests/util/verify.sh
+++ b/tests/util/verify.sh
@ -24,7 +24,7 @@ __err_exit() {

 # Returns 0 if $out and $expected are the same.  Otherwise, returns 1.
 __cmp_same() {
-    local out=$1
+    local out="${1//$'\r'}"
    local expected=$2

    if [[ "$out" != "$expected" ]]; then
@ -36,7 +36,7 @@ __cmp_same() {

 # Returns 0 if $out contains the substring $expected.  Otherwise, returns 1.
 __cmp_contains() {
-    local out=$1
+    local out="${1//$'\r'}"
    local expected=$2

    if [[ "$out" != *"$expected"* ]]; then
@ -49,7 +49,7 @@ __cmp_contains() {
 # Returns 0 if $out does not contain the substring $expected.  Otherwise,
 # returns 1.
 __cmp_not_contains() {
-    local out=$1
+    local out="${1//$'\r'}"
    local expected=$2

    if [[ "$out" == *"$expected"* ]]; then
@ -62,7 +62,7 @@ __cmp_not_contains() {
 # Returns 0 if $out contains the lines in $expected where "..." on a line
 # matches one or more lines containing any text.  Otherwise, returns 1.
 __cmp_elided() {
-    local out=$1
+    local out="${1//$'\r'}"
    local expected=$2

    local contains=""
@ -88,18 +88,13 @@ __cmp_elided() {

 # Returns 0 if the first line of $out matches the first line in $expected.
 # Otherwise, returns 1.
-# TODO ???? flaky behavior, doesn't seem to work as expected
 __cmp_first_line() {
    local out=$1
    local expected=$2

-    # TODO ???? the following seem to leave a trailing \n in some cases and then the following check fails
-    IFS=$'\n' read -r out_first_line <<< "$out"
+    IFS=$'\n\r' read -r out_first_line <<< "$out"
    IFS=$'\n' read -r expected_first_line <<< "$expected"
-    echo "out first line: \"$out_first_line\""
-    echo "expected first line: \"$expected_first_line\""

-    # TODO ???? following fails because one or the other might have a \n at the end of the string, when the other does not
    if [[ "$out_first_line" != "$expected_first_line" ]]; then
        return 1
    fi
@ -117,7 +112,7 @@ __cmp_first_line() {
 #        - expected ... is a wildcard token, matches anything
 # Otherwise, returns 1.
 __cmp_like() {
-    local out=$1
+    local out="${1//$'\r'}"
    local expected=$2

    if [[ "$out" != "$expected" ]]; then