Network topology automated test (#9096)

* Cleanup make snips issues

* Fix snippets

* Add test for network topologies page

* Check output; but don't be too strict

gateway_url works differently under metallb than it does on a provisioned k8s cluster

* Try verify_likes

* Fix unit test

* Get the automated test to work with verify_like

* Fix snippet

* Fix test failures

* Use verify like instead of contains

* gateways work differently on kind than elsewhere

content/en/docs/ops/configuration/traffic-management/network-topologies/index.md

@@ -4,7 +4,7 @@ description: How to configure gateway network topology (experimental).
 weight: 60
 keywords: [traffic-management,ingress,gateway]
 owner: istio/wg-networking-maintainers
-test: no
+test: yes
 ---
 
 ## Forwarding external client attributes (IP address, certificate info) to destination workloads
@@ -35,7 +35,7 @@ For more information on `X-Forwarded-For`, see the IETF's [RFC](https://tools.ie
 Configuration of XFF and XFCC headers can be set globally for all gateway workloads via `MeshConfig` or per gateway using
 a pod annotation. For example, to configure globally during install or upgrade when using an `IstioOperator` custom resource:
 
-{{< text yaml >}}
+{{< text syntax=yaml snip_id=none >}}
 spec:
   meshConfig:
     defaultConfig:
@@ -47,7 +47,7 @@ spec:
 You can also configure both of these settings by adding the `proxy.istio.io/config` annotation to the Pod spec
 of your Istio ingress gateway.
 
-{{< text yaml >}}
+{{< text syntax=yaml snip_id=none >}}
 ...
   metadata:
     annotations:
@@ -76,7 +76,7 @@ to understand how `X-Forwarded-For` headers and trusted client addresses are det
 
 1. Run the following command to create a file named `topology.yaml` with `numTrustedProxies` set to `2` and install Istio:
 
-    {{< text bash >}}
+    {{< text syntax=bash snip_id=install_num_trusted_proxies_two >}}
     $ cat <<EOF > topology.yaml
     apiVersion: install.istio.io/v1alpha1
     kind: IstioOperator
@@ -95,57 +95,72 @@ to understand how `X-Forwarded-For` headers and trusted client addresses are det
 
 1. Create an `httpbin` namespace:
 
-    {{< text bash >}}
+    {{< text syntax=bash snip_id=create_httpbin_namespace >}}
     $ kubectl create namespace httpbin
     namespace/httpbin created
     {{< /text >}}
 
 1. Set the `istio-injection` label to `enabled` for sidecar injection:
 
-    {{< text bash >}}
+    {{< text syntax=bash snip_id=label_httpbin_namespace >}}
     $ kubectl label --overwrite namespace httpbin istio-injection=enabled
     namespace/httpbin labeled
     {{< /text >}}
 
 1. Deploy `httpbin` in the `httpbin` namespace:
 
-    {{< text bash >}}
+    {{< text syntax=bash snip_id=apply_httpbin >}}
     $ kubectl apply -n httpbin -f samples/httpbin/httpbin.yaml
     {{< /text >}}
 
 1. Deploy a gateway associated with `httpbin`:
 
-    {{< text bash >}}
+    {{< text syntax=bash snip_id=deploy_httpbin_gateway >}}
     $ kubectl apply -n httpbin -f samples/httpbin/httpbin-gateway.yaml
     {{< /text >}}
 
 1. Set a local `GATEWAY_URL` environmental variable based on your Istio ingress gateway's IP address:
 
-    {{< text bash >}}
+    {{< text syntax=bash snip_id=export_gateway_url >}}
     $ export GATEWAY_URL=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
     {{< /text >}}
 
 1. Run the following `curl` command to simulate a request with proxy addresses in the `X-Forwarded-For` header:
 
-    {{< text bash >}}
-    $ curl -H 'X-Forwarded-For: 56.5.6.7, 72.9.5.6, 98.1.2.3' $GATEWAY_URL/get?show_env=true
+    {{< text syntax=bash snip_id=curl_xff_headers >}}
+    $ curl -s -H 'X-Forwarded-For: 56.5.6.7, 72.9.5.6, 98.1.2.3' "$GATEWAY_URL"/get?show_env=true
     {
-      "args": {
-        "show_env": "true"
-      },
+    "args": {
+      "show_env": "true"
+    },
       "headers": {
-        ...
-        "X-Envoy-External-Address": "72.9.5.6",
-        ...
-        "X-Forwarded-For": "56.5.6.7, 72.9.5.6, 98.1.2.3, <YOUR GATEWAY IP>",
-        ...
-      },
-      ...
+      "Accept": ...
+      "Host": ...
+      "User-Agent": ...
+      "X-B3-Parentspanid": ...
+      "X-B3-Sampled": ...
+      "X-B3-Spanid": ...
+      "X-B3-Traceid": ...
+      "X-Envoy-Attempt-Count": ...
+      "X-Envoy-External-Address": "72.9.5.6",
+      "X-Forwarded-Client-Cert": ...
+      "X-Forwarded-For": "56.5.6.7, 72.9.5.6, 98.1.2.3,10.244.0.1",
+      "X-Forwarded-Proto": ...
+      "X-Request-Id": ...
+    },
+      "origin": "56.5.6.7, 72.9.5.6, 98.1.2.3,10.244.0.1",
+      "url": ...
     }
     {{< /text >}}
 
-The above output shows the request headers that the `httpbin` workload received. When the Istio gateway received this request, it set the `X-Envoy-External-Address` header to the second to last (`numTrustedProxies: 2`) address in the `X-Forwarded-For` header from your curl command. Additionally, the gateway appends its own IP to the
-`X-Forwarded-For` header before forwarding it to the httpbin workload.
+{{< tip >}}
+In the above example `$GATEWAY_URL` resolved to 10.244.0.1. This will not be the case in your environment.
+{{< /tip >}}
+
+The above output shows the request headers that the `httpbin` workload received. When the Istio gateway received this
+request, it set the `X-Envoy-External-Address` header to the second to last (`numTrustedProxies: 2`) address in the
+`X-Forwarded-For` header from your curl command. Additionally, the gateway appends its own IP to the `X-Forwarded-For`
+header before forwarding it to the httpbin workload.
 
 ### Configuring X-Forwarded-Client-Cert Headers
 
@@ -160,7 +175,7 @@ sanitize/append/forward the XFCC header before proxying the request.
 
 To configure how XFCC headers are handled, set `forwardClientCertDetails` in your `IstioOperator`
 
-{{< text yaml >}}
+{{< text syntax=yaml snip_id=none >}}
 apiVersion: install.istio.io/v1alpha1
 kind: IstioOperator
 spec:
@@ -190,7 +205,7 @@ The [PROXY protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
 
 If your external load balancer is configured to use the PROXY protocol, the Istio gateway must also be configured to accept the PROXY protocol. Enabling this requires adding the [Envoy Proxy Protocol filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listener_filters/proxy_protocol) using an `EnvoyFilter` applied on the gateway workload. For example:
 
-{{< text yaml >}}
+{{< text syntax=yaml snip_id=none >}}
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:

content/en/docs/ops/configuration/traffic-management/network-topologies/snips.sh

@@ -0,0 +1,91 @@
+#!/bin/bash
+# shellcheck disable=SC2034,SC2153,SC2155,SC2164
+
+# Copyright Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+####################################################################################################
+# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
+#          docs/ops/configuration/traffic-management/network-topologies/index.md
+####################################################################################################
+
+snip_install_num_trusted_proxies_two() {
+cat <<EOF > topology.yaml
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+  meshConfig:
+    defaultConfig:
+      gatewayTopology:
+        numTrustedProxies: 2
+EOF
+istioctl install -f topology.yaml
+}
+
+snip_create_httpbin_namespace() {
+kubectl create namespace httpbin
+}
+
+! read -r -d '' snip_create_httpbin_namespace_out <<\ENDSNIP
+namespace/httpbin created
+ENDSNIP
+
+snip_label_httpbin_namespace() {
+kubectl label --overwrite namespace httpbin istio-injection=enabled
+}
+
+! read -r -d '' snip_label_httpbin_namespace_out <<\ENDSNIP
+namespace/httpbin labeled
+ENDSNIP
+
+snip_apply_httpbin() {
+kubectl apply -n httpbin -f samples/httpbin/httpbin.yaml
+}
+
+snip_deploy_httpbin_gateway() {
+kubectl apply -n httpbin -f samples/httpbin/httpbin-gateway.yaml
+}
+
+snip_export_gateway_url() {
+export GATEWAY_URL=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+}
+
+snip_curl_xff_headers() {
+curl -s -H 'X-Forwarded-For: 56.5.6.7, 72.9.5.6, 98.1.2.3' "$GATEWAY_URL"/get?show_env=true
+}
+
+! read -r -d '' snip_curl_xff_headers_out <<\ENDSNIP
+{
+"args": {
+  "show_env": "true"
+},
+  "headers": {
+  "Accept": ...
+  "Host": ...
+  "User-Agent": ...
+  "X-B3-Parentspanid": ...
+  "X-B3-Sampled": ...
+  "X-B3-Spanid": ...
+  "X-B3-Traceid": ...
+  "X-Envoy-Attempt-Count": ...
+  "X-Envoy-External-Address": "72.9.5.6",
+  "X-Forwarded-Client-Cert": ...
+  "X-Forwarded-For": "56.5.6.7, 72.9.5.6, 98.1.2.3,10.244.0.1",
+  "X-Forwarded-Proto": ...
+  "X-Request-Id": ...
+},
+  "origin": "56.5.6.7, 72.9.5.6, 98.1.2.3,10.244.0.1",
+  "url": ...
+}
+ENDSNIP

content/en/docs/ops/configuration/traffic-management/network-topologies/test.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1090,SC2154
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+set -u
+set -o pipefail
+
+# ingressgateway is necessary, but we need to do a custom install
+# @setup profile=none
+
+echo '*** install Istio with numTrustedProxies set to 2 ***'
+echo y | snip_install_num_trusted_proxies_two
+
+_wait_for_deployment istio-system istiod
+_wait_for_deployment istio-system istio-ingressgateway
+
+echo '*** apply httpbin ***'
+snip_create_httpbin_namespace
+snip_label_httpbin_namespace
+snip_apply_httpbin
+_wait_for_deployment httpbin httpbin
+
+echo '*** apply httpbin gateway ***'
+snip_deploy_httpbin_gateway
+
+# wait for for the rules to propagate
+_wait_for_istio gateway httpbin httpbin-gateway
+_wait_for_istio virtualservice httpbin httpbin
+
+snip_export_gateway_url
+echo "*** GATEWAY_URL = $GATEWAY_URL ***"
+
+_verify_like snip_curl_xff_headers "$snip_curl_xff_headers_out"
+
+# @cleanup
+kubectl delete -f samples/httpbin/httpbin-gateway.yaml
+kubectl delete -f samples/httpbin/httpbin.yaml
+kubectl delete ns httpbin
+
+# Delete the Istio this test installed
+echo y | istioctl x uninstall --revision "default"
+kubectl delete ns istio-system

topology.yaml

@@ -0,0 +1,7 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+  meshConfig:
+    defaultConfig:
+      gatewayTopology:
+        numTrustedProxies: 2