Automated test case for "istioctl analyze" (#7781)

* Initial automated test for ops/diagnostic-tools/istioctl-analyze/ * Automated test for analyzer * Lint * Incorporate PR comments * Lint * Use less 'elided' and simplify user steps * Script clean up * Clean-up * Restore partial @, restore part of sample output
2020-07-27 18:45:56 -04:00 · 2020-07-27 18:45:56 -04:00 · 4d65bd2507
parent 01585ce123
commit 4d65bd2507
3 changed files with 258 additions and 41 deletions
--- a/content/en/docs/ops/diagnostic-tools/istioctl-analyze/index.md
+++ b/content/en/docs/ops/diagnostic-tools/istioctl-analyze/index.md
@ -4,7 +4,7 @@ description: Shows you how to use istioctl analyze to identify potential issues
 weight: 40
 keywords: [istioctl, debugging, kubernetes]
 owner: istio/wg-user-experience-maintainers
-test: no
+test: yes
 ---

 `istioctl analyze` is a diagnostic tool that can detect potential issues with your
@ -16,7 +16,7 @@ apply changes to a cluster.

 You can analyze your current live Kubernetes cluster by running:

-{{< text bash >}}
+{{< text syntax=bash snip_id=analyze_all_namespaces >}}
 $ istioctl analyze --all-namespaces
 {{< /text >}}

@ -24,27 +24,41 @@ And that’s it! It’ll give you any recommendations that apply.

 For example, if you forgot to enable Istio injection (a very common issue), you would get the following warning:

-{{< text plain >}}
-Warn [IST0102](Namespace default) The namespace is not enabled for Istio injection. Run 'kubectl label namespace default istio-injection=enabled' to enable it, or 'kubectl label namespace default istio-injection=disabled' to explicitly mark it as not needing injection
+{{< text syntax=plain snip_id=analyze_all_namespace_sample_response >}}
+Warn [IST0102] (Namespace default) The namespace is not enabled for Istio injection. Run 'kubectl label namespace default istio-injection=enabled' to enable it, or 'kubectl label namespace default istio-injection=disabled' to explicitly mark it as not needing injection
+{{< /text >}}
+
+Fix the issue:
+
+{{< text syntax=bash snip_id=fix_default_namespace >}}
+$ kubectl label namespace default istio-injection=enabled
+{{< /text >}}
+
+Then try again:
+
+{{< text syntax=bash snip_id=try_with_fixed_namespace >}}
+$ istioctl analyze --namespace default
+✔ No validation issues found when analyzing namespace: default.
 {{< /text >}}

 ## Analyzing live clusters, local files, or both

 Analyze the current live cluster, simulating the effect of applying additional yaml files like `bookinfo-gateway.yaml` and `destination-rule-all.yaml` in the `samples/bookinfo/networking` directory:

-{{< text bash >}}
-$ istioctl analyze @samples/bookinfo/networking/bookinfo-gateway.yaml@ @samples/bookinfo/networking/destination-rule-all.yaml@
+{{< text syntax=bash snip_id=analyze_sample_destrule >}}
+$ istioctl analyze @samples/bookinfo/networking/bookinfo-gateway.yaml@ samples/bookinfo/networking/destination-rule-all.yaml
+Error [IST0101] (VirtualService bookinfo.default samples/bookinfo/networking/bookinfo-gateway.yaml:16) Referenced host not found: "productpage"
 {{< /text >}}

 Analyze the entire `networking` folder:

-{{< text bash >}}
-$ istioctl analyze samples/bookinfo/networking/
+{{< text syntax=bash snip_id=analyze_networking_directory >}}
+$ istioctl analyze @samples/bookinfo/networking/@
 {{< /text >}}

 Analyze all yaml files in the `networking` folder:

-{{< text bash >}}
+{{< text syntax=bash snip_id=analyze_all_networking_yaml >}}
 $ istioctl analyze samples/bookinfo/networking/*.yaml
 {{< /text >}}

@ -54,7 +68,7 @@ Typically, this is used to analyze the entire set of configuration files that ar

 Analyze all yaml files in the `networking` folder:

-{{< text bash >}}
+{{< text syntax=bash snip_id=analyze_all_networking_yaml_no_kube >}}
 $ istioctl analyze --use-kube=false samples/bookinfo/networking/*.yaml
 {{< /text >}}

@ -71,33 +85,18 @@ This analysis uses the same logic and error messages as when using `istioctl ana

 For example. if you have a misconfigured gateway on your "ratings" virtual service, running `kubectl get virtualservice ratings` would give you something like:

-{{< text yaml >}}
-apiVersion: networking.istio.io/v1alpha3
+{{< text syntax=yaml snip_id=vs_yaml_with_status >}}
+apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
-metadata:
-  annotations:
-    kubectl.kubernetes.io/last-applied-configuration: |
-      {"apiVersion":"networking.istio.io/v1alpha3","kind":"VirtualService","metadata":{"annotations":{},"name":"ratings","namespace":"default"},"spec":{"hosts":["ratings"],"http":[{"route":[{"destination":{"host":"ratings","subset":"v1"}}]}]}}
-  creationTimestamp: "2019-09-04T17:31:46Z"
-  generation: 11
-  name: ratings
-  namespace: default
-  resourceVersion: "12760039"
-  selfLink: /apis/networking.istio.io/v1alpha3/namespaces/default/virtualservices/ratings
-  uid: dec86702-cf39-11e9-b803-42010a8a014a
+...
 spec:
  gateways:
  - bogus-gateway
-  hosts:
-  - ratings
-  http:
-  - route:
-    - destination:
-        host: ratings
-        subset: v1
+...
 status:
  validationMessages:
  - code: IST0101
+    documentation_url: https://istio.io/docs/reference/config/analysis/IST0101?ref=status-controller
    level: Error
    message: 'Referenced gateway not found: "bogus-gateway"'
 {{< /text >}}
@ -110,7 +109,7 @@ status:

 You can enable this feature with:

-{{< text bash >}}
+{{< text syntax=bash snip_id=install_with_custom_config_analysis >}}
 $ istioctl install --set values.global.istiod.enableAnalysis=true
 {{< /text >}}

@ -118,23 +117,21 @@ $ istioctl install --set values.global.istiod.enableAnalysis=true

 Sometimes you might find it useful to hide or ignore analyzer messages in certain cases. For example, imagine a situation where a message is emitted about a resource you don't have permissions to update:

-{{< text bash >}}
-$ istioctl analyze -k --all-namespaces
+{{< text syntax=bash snip_id=analyze_k_frod >}}
+$ istioctl analyze -k --namespace frod
 Warn [IST0102] (Namespace frod) The namespace is not enabled for Istio injection. Run 'kubectl label namespace frod istio-injection=enabled' to enable it, or 'kubectl label namespace frod istio-injection=disabled' to explicitly mark it as not needing injection
-Error: Analyzers found issues.
-See https://istio.io/docs/reference/config/analysis for more information about causes and resolutions.
 {{< /text >}}

 Because you don't have permissions to update the namespace, you cannot resolve the message by annotating the namespace. Instead, you can direct `istioctl analyze` to suppress the above message on the resource:

-{{< text bash >}}
-$ istioctl analyze -k --all-namespaces --suppress "IST0102=Namespace frod"
-✔ No validation issues found.
+{{< text syntax=bash snip_id=analyze_suppress0102 >}}
+$ istioctl analyze -k --namespace frod --suppress "IST0102=Namespace frod"
+✔ No validation issues found when analyzing namespace: frod.
 {{< /text >}}

 The syntax used for suppression is the same syntax used throughout `istioctl` when referring to resources: `<kind> <name>.<namespace>`, or just `<kind> <name>` for cluster-scoped resources like `Namespace`. If you want to suppress multiple objects, you can either repeat the `--suppress` argument or use wildcards:

-{{< text bash >}}
+{{< text syntax=bash snip_id=analyze_suppress_frod_0107_baz >}}
 $ # Suppress code IST0102 on namespace frod and IST0107 on all pods in namespace baz
 $ istioctl analyze -k --all-namespaces --suppress "IST0102=Namespace frod" --suppress "IST0107=Pod *.baz"
 {{< /text >}}
@ -143,13 +140,13 @@ $ istioctl analyze -k --all-namespaces --suppress "IST0102=Namespace frod" --sup

 You can also ignore specific analyzer messages using an annotation on the resource. For example, to ignore code IST0107 (`MisplacedAnnotation`) on resource `deployment/my-deployment`:

-{{< text bash >}}
+{{< text syntax=bash snip_id=annotate_for_deployment_suppression >}}
 $ kubectl annotate deployment my-deployment galley.istio.io/analyze-suppress=IST0107
 {{< /text >}}

 To ignore multiple codes for a resource, separate each code with a comma:

-{{< text bash >}}
+{{< text syntax=bash snip_id=annotate_for_deployment_suppression_107 >}}
 $ kubectl annotate deployment my-deployment galley.istio.io/analyze-suppress=IST0107,IST0002
 {{< /text >}}

--- a/content/en/docs/ops/diagnostic-tools/istioctl-analyze/snips.sh
+++ b/content/en/docs/ops/diagnostic-tools/istioctl-analyze/snips.sh
@ -0,0 +1,110 @@
+#!/bin/bash
+# shellcheck disable=SC2034,SC2153,SC2155,SC2164
+
+# Copyright Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+####################################################################################################
+# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
+#          docs/ops/diagnostic-tools/istioctl-analyze/index.md
+####################################################################################################
+
+snip_analyze_all_namespaces() {
+istioctl analyze --all-namespaces
+}
+
+! read -r -d '' snip_analyze_all_namespace_sample_response <<\ENDSNIP
+Warn [IST0102] (Namespace default) The namespace is not enabled for Istio injection. Run 'kubectl label namespace default istio-injection=enabled' to enable it, or 'kubectl label namespace default istio-injection=disabled' to explicitly mark it as not needing injection
+ENDSNIP
+
+snip_fix_default_namespace() {
+kubectl label namespace default istio-injection=enabled
+}
+
+snip_try_with_fixed_namespace() {
+istioctl analyze --namespace default
+}
+
+! read -r -d '' snip_try_with_fixed_namespace_out <<\ENDSNIP
+✔ No validation issues found when analyzing namespace: default.
+ENDSNIP
+
+snip_analyze_sample_destrule() {
+istioctl analyze samples/bookinfo/networking/bookinfo-gateway.yaml samples/bookinfo/networking/destination-rule-all.yaml
+}
+
+! read -r -d '' snip_analyze_sample_destrule_out <<\ENDSNIP
+Error [IST0101] (VirtualService bookinfo.default samples/bookinfo/networking/bookinfo-gateway.yaml:16) Referenced host not found: "productpage"
+ENDSNIP
+
+snip_analyze_networking_directory() {
+istioctl analyze samples/bookinfo/networking/
+}
+
+snip_analyze_all_networking_yaml() {
+istioctl analyze samples/bookinfo/networking/*.yaml
+}
+
+snip_analyze_all_networking_yaml_no_kube() {
+istioctl analyze --use-kube=false samples/bookinfo/networking/*.yaml
+}
+
+! read -r -d '' snip_vs_yaml_with_status <<\ENDSNIP
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+...
+spec:
+  gateways:
+  - bogus-gateway
+...
+status:
+  validationMessages:
+  - code: IST0101
+    documentation_url: https://istio.io/docs/reference/config/analysis/IST0101?ref=status-controller
+    level: Error
+    message: 'Referenced gateway not found: "bogus-gateway"'
+ENDSNIP
+
+snip_install_with_custom_config_analysis() {
+istioctl install --set values.global.istiod.enableAnalysis=true
+}
+
+snip_analyze_k_frod() {
+istioctl analyze -k --namespace frod
+}
+
+! read -r -d '' snip_analyze_k_frod_out <<\ENDSNIP
+Warn [IST0102] (Namespace frod) The namespace is not enabled for Istio injection. Run 'kubectl label namespace frod istio-injection=enabled' to enable it, or 'kubectl label namespace frod istio-injection=disabled' to explicitly mark it as not needing injection
+ENDSNIP
+
+snip_analyze_suppress0102() {
+istioctl analyze -k --namespace frod --suppress "IST0102=Namespace frod"
+}
+
+! read -r -d '' snip_analyze_suppress0102_out <<\ENDSNIP
+✔ No validation issues found when analyzing namespace: frod.
+ENDSNIP
+
+snip_analyze_suppress_frod_0107_baz() {
+# Suppress code IST0102 on namespace frod and IST0107 on all pods in namespace baz
+istioctl analyze -k --all-namespaces --suppress "IST0102=Namespace frod" --suppress "IST0107=Pod *.baz"
+}
+
+snip_annotate_for_deployment_suppression() {
+kubectl annotate deployment my-deployment galley.istio.io/analyze-suppress=IST0107
+}
+
+snip_annotate_for_deployment_suppression_107() {
+kubectl annotate deployment my-deployment galley.istio.io/analyze-suppress=IST0107,IST0002
+}
--- a/content/en/docs/ops/diagnostic-tools/istioctl-analyze/test.sh
+++ b/content/en/docs/ops/diagnostic-tools/istioctl-analyze/test.sh
@ -0,0 +1,110 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1090,SC2154
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e  # Exit on failure
+set -u  # Unset is an error
+# There is no need to echo, output appears in ops_diagnostic-tools_istioctl-analyze_test_debug.txt
+set -o pipefail
+
+# This script doesn't need a control plane initially and will install Istio when needed
+# @setup profile=none
+
+# The test harness labels the default namespace.  Remove that label
+# so the output matches the expect output on a fresh K8s cluster.
+kubectl label namespace default istio-injection- || true
+
+echo '*** istioctl-analyze step 1 ***'
+_verify_contains snip_analyze_all_namespaces "$snip_analyze_all_namespace_sample_response"
+
+echo '*** istioctl-analyze step 2 ***'
+snip_fix_default_namespace
+_verify_same snip_try_with_fixed_namespace "$snip_try_with_fixed_namespace_out"
+
+echo '*** istioctl-analyze step 3 ***'
+_verify_contains snip_analyze_sample_destrule "$snip_analyze_sample_destrule_out"
+
+# There are multiple DestinationRules, some are valid for the VirtualService, some lack subsets 
+echo '*** istioctl-analyze step ***'
+snip_analyze_networking_directory || true
+
+echo '*** istioctl-analyze step 5 ***'
+snip_analyze_all_networking_yaml
+
+echo '*** istioctl-analyze step 6 ***'
+snip_analyze_all_networking_yaml_no_kube
+
+echo '*** istioctl-analyze step 7 ***'
+istioctl analyze --help
+
+echo '*** istioctl-analyze step 8 ***'
+snip_install_with_custom_config_analysis
+_wait_for_deployment istio-system istiod
+
+echo '*** istioctl-analyze step 9 ***'
+set +e  # Don't exit on failure
+kubectl apply -f - <<EOF
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: ratings
+  namespace: default
+spec:
+  gateways:
+  - bogus-gateway
+  hosts:
+  - ratings
+  http:
+  - route:
+    - destination:
+        host: ratings
+EOF
+set -e  # Exit on failure
+
+echo '*** istioctl-analyze step 10 ***'
+get_ratings_virtual_service() {
+kubectl get vs ratings -o yaml
+}
+_verify_elided get_ratings_virtual_service "$snip_vs_yaml_with_status"
+
+echo '*** istioctl-analyze step 11 ***'
+kubectl create ns frod
+_verify_contains snip_analyze_k_frod "$snip_analyze_k_frod_out"
+
+echo '*** istioctl-analyze step 12 ***'
+_verify_same snip_analyze_suppress0102 "$snip_analyze_suppress0102_out"
+
+echo '*** istioctl-analyze step 13 ***'
+_verify_lines snip_analyze_suppress_frod_0107_baz "- Warn [IST0102] (Namespace frod) The namespace is not enabled for Istio injection. Run 'kubectl label namespace frod istio-injection=enabled' to enable it, or 'kubectl label namespace frod istio-injection=disabled' to explicitly mark it as not needing injection"
+
+echo '*** istioctl-analyze step 14 ***'
+kubectl create deployment my-deployment --image=docker.io/kennethreitz/httpbin
+snip_annotate_for_deployment_suppression
+
+echo '*** istioctl-analyze step 15 ***'
+kubectl annotate deployment my-deployment galley.istio.io/analyze-suppress-
+snip_annotate_for_deployment_suppression_107
+
+# @cleanup
+set +e # ignore cleanup errors
+kubectl label namespace default istio-injection-
+kubectl delete ns frod
+kubectl delete deployment my-deployment
+kubectl delete vs ratings
+# Delete the Istio this test installed
+kubectl delete ValidatingWebhookConfiguration istiod-istio-system
+kubectl get mutatingwebhookconfigurations -o custom-columns=NAME:.metadata.name --no-headers | xargs kubectl delete mutatingwebhookconfigurations
+kubectl delete ns istio-system