Cleanup secure ingress test (#7313)

* Cleanup secure ingress test

* fix lint

* remove curl version check
Frank Budinsky 2020-05-14 10:20:37 -04:00 committed by GitHub
parent 0dcdd6fddb
commit 93b889af63
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 171 additions and 339 deletions


@ -1,26 +0,0 @@
#!/usr/bin/env bash
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -u
source ${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh
snip_cleanup_1
# Keep the files around for debugging.
# snip_cleanup_2
snip_cleanup_3


@ -1,48 +0,0 @@
#!/usr/bin/env bash
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
set -u
set -o pipefail
source ${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh
snip_configure_a_mutual_tls_ingress_gateway_1
snip_configure_a_mutual_tls_ingress_gateway_2
# Wait for the change to propagate
sleep 5s
export SECURE_INGRESS_PORT={{ .secureIngressPortCommand }}
export INGRESS_HOST={{ .ingressHostCommand }}
# The next command is expected to fail, but don't error the script.
set +e
set +o pipefail
out=$(snip_configure_a_mutual_tls_ingress_gateway_3 2>&1)
_verify_not_contains "$out" "HTTP/2 418" "snip_configure_a_mutual_tls_ingress_gateway_3"
# Restore error handling
set -e
set -o pipefail
snip_configure_a_mutual_tls_ingress_gateway_4
out=$(snip_configure_a_mutual_tls_ingress_gateway_5 2>&1)
_verify_contains "$out" "HTTP/2 418" "snip_configure_a_mutual_tls_ingress_gateway_5"
_verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_mutual_tls_ingress_gateway_5"


@ -1,48 +0,0 @@
#!/usr/bin/env bash
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
set -u
set -o pipefail
source ${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh
snip_configure_a_tls_ingress_gateway_for_multiple_hosts_1
snip_configure_a_tls_ingress_gateway_for_multiple_hosts_2
snip_configure_a_tls_ingress_gateway_for_multiple_hosts_3
snip_configure_a_tls_ingress_gateway_for_multiple_hosts_4
snip_configure_a_tls_ingress_gateway_for_multiple_hosts_5
snip_configure_a_tls_ingress_gateway_for_multiple_hosts_6
echo "Waiting for helloworldv1 deployment to start"
kubectl wait --for=condition=available deployment --all --timeout=60s
kubectl wait --for=condition=Ready pod --all --timeout=60s
export SECURE_INGRESS_PORT={{ .secureIngressPortCommand }}
export INGRESS_HOST={{ .ingressHostCommand }}
out=$(snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7 2>&1)
_verify_contains "$out" "$snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7_out" "snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7"
out=$(snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8 2>&1)
_verify_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8"
_verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8"


@ -1,115 +0,0 @@
#!/usr/bin/env bash
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
set -u
set -o pipefail
source ${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh
echo "Deploying httpbin"
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
name: httpbin
labels:
app: httpbin
spec:
ports:
- name: http
port: 8000
selector:
app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: httpbin
spec:
replicas: 1
selector:
matchLabels:
app: httpbin
version: v1
template:
metadata:
labels:
app: httpbin
version: v1
spec:
containers:
- image: docker.io/citizenstig/httpbin
imagePullPolicy: IfNotPresent
name: httpbin
ports:
- containerPort: 8000
EOF
echo "Creating httpbin gateway secrets"
snip_configure_a_tls_ingress_gateway_for_a_single_host_1
echo "Deploying httpbin gateway"
snip_configure_a_tls_ingress_gateway_for_a_single_host_2
echo "Deploying httpbin virtual service"
snip_configure_a_tls_ingress_gateway_for_a_single_host_3
echo "Waiting for httpbin deployment to start"
kubectl wait --for=condition=available deployment --all --timeout=60s
kubectl wait --for=condition=Ready pod --all --timeout=60s
echo "Verifying httpbin deployment"
export SECURE_INGRESS_PORT={{ .secureIngressPortCommand }}
export INGRESS_HOST={{ .ingressHostCommand }}
out=$(snip_configure_a_tls_ingress_gateway_for_a_single_host_4 2>&1)
_verify_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_a_single_host_4"
_verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_tls_ingress_gateway_for_a_single_host_4"
echo "Deleting httpbin secret and re-creating"
snip_configure_a_tls_ingress_gateway_for_a_single_host_5
snip_configure_a_tls_ingress_gateway_for_a_single_host_6
# Wait for the change to propagate
sleep 5s
echo "Verifying new httpbin credentials"
out=$(snip_configure_a_tls_ingress_gateway_for_a_single_host_7 2>&1)
_verify_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_a_single_host_7"
_verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_tls_ingress_gateway_for_a_single_host_7"
# The next command is expected to fail, but don't error the script.
set +e
set +o pipefail
echo "Verifying old httpbin credentials no longer work"
out=$(snip_configure_a_tls_ingress_gateway_for_a_single_host_8 2>&1)
_verify_not_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_a_single_host_8"
# Restore error handling
set -e
set -o pipefail


@ -1,25 +0,0 @@
#!/usr/bin/env bash
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
set -u
set -o pipefail
source ${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh
snip_generate_client_and_server_certificates_and_keys_1
snip_generate_client_and_server_certificates_and_keys_2


@ -0,0 +1,122 @@
#!/usr/bin/env bash
# shellcheck disable=SC1090,SC2154
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
set -u
set -o pipefail
source "${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh"
source "${REPO_ROOT}/tests/util/samples.sh"
kubectl label namespace default istio-injection=enabled --overwrite
# start the httpbin sample
startup_httpbin_sample
# export the INGRESS_ environment variables
sample_set_ingress_environment_variables
snip_generate_client_and_server_certificates_and_keys_1
snip_generate_client_and_server_certificates_and_keys_2
# creating httpbin gateway secrets
snip_configure_a_tls_ingress_gateway_for_a_single_host_1
# deploying httpbin gateway
snip_configure_a_tls_ingress_gateway_for_a_single_host_2
# deploying httpbin virtual service
snip_configure_a_tls_ingress_gateway_for_a_single_host_3
# waiting for httpbin deployment to start
sample_wait_for_deployment default httpbin
# verifying httpbin deployment
out=$(snip_configure_a_tls_ingress_gateway_for_a_single_host_4 2>&1)
_verify_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_a_single_host_4"
_verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_tls_ingress_gateway_for_a_single_host_4"
# deleting httpbin secret and re-creating
snip_configure_a_tls_ingress_gateway_for_a_single_host_5
snip_configure_a_tls_ingress_gateway_for_a_single_host_6
# wait for the change to propagate
sleep 5s
# verifying new httpbin credentials
out=$(snip_configure_a_tls_ingress_gateway_for_a_single_host_7 2>&1)
_verify_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_a_single_host_7"
_verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_tls_ingress_gateway_for_a_single_host_7"
# The next command is expected to fail, but don't error the script.
set +e
# verifying old httpbin credentials no longer work
out=$(snip_configure_a_tls_ingress_gateway_for_a_single_host_8 2>&1)
_verify_not_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_a_single_host_8"
# Restore error handling
set -e
snip_configure_a_tls_ingress_gateway_for_multiple_hosts_1
# start helloworld-v1 sample
snip_configure_a_tls_ingress_gateway_for_multiple_hosts_2
# waiting for helloworldv1 deployment to start
sample_wait_for_deployment default helloworld-v1
snip_configure_a_tls_ingress_gateway_for_multiple_hosts_3
snip_configure_a_tls_ingress_gateway_for_multiple_hosts_4
snip_configure_a_tls_ingress_gateway_for_multiple_hosts_5
snip_configure_a_tls_ingress_gateway_for_multiple_hosts_6
# waiting for configuration to propagate
sleep 5s # TODO: call proper wait utility (e.g., istioctl wait)
out=$(snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7 2>&1)
_verify_contains "$out" "$snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7_out" "snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7"
out=$(snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8 2>&1)
_verify_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8"
_verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8"
snip_configure_a_mutual_tls_ingress_gateway_1
snip_configure_a_mutual_tls_ingress_gateway_2
# wait for the change to propagate
sleep 5s
# The next command is expected to fail, but don't error the script.
set +e
out=$(snip_configure_a_mutual_tls_ingress_gateway_3 2>&1)
_verify_not_contains "$out" "HTTP/2 418" "snip_configure_a_mutual_tls_ingress_gateway_3"
# Restore error handling
set -e
snip_configure_a_mutual_tls_ingress_gateway_4
out=$(snip_configure_a_mutual_tls_ingress_gateway_5 2>&1)
_verify_contains "$out" "HTTP/2 418" "snip_configure_a_mutual_tls_ingress_gateway_5"
_verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_mutual_tls_ingress_gateway_5"
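Review bot: The two negative checks, `_verify_not_contains "$out" "HTTP/2 418"` after `snip_configure_a_tls_ingress_gateway_for_a_single_host_8` and after `snip_configure_a_mutual_tls_ingress_gateway_3`, run under `set +e` and only assert that the success status is absent, so they pass on any failure at all. An unreachable gateway or a failed name lookup satisfies them just as well as a refused handshake, which means the test does not actually show that the old server credentials or a client without a certificate were rejected by TLS. Each should be paired with a positive assertion on the error the docs page shows for that step, e.g. `_verify_contains "$out" "<expected TLS error text from the docs snippet>" "snip_configure_a_mutual_tls_ingress_gateway_3"` (placeholder, the expected text is not visible on this page). The fixed `sleep 5s` before each negative check carries the TODO only at the multiple-hosts step; the same comment applies to the other two.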


@ -1,76 +0,0 @@
// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package ingress
import (
"testing"
"github.com/Masterminds/semver"
"istio.io/istio/pkg/test/framework"
"istio.io/istio/pkg/test/framework/components/environment/kube"
"istio.io/istio/pkg/test/util/curl"
"istio.io/istio.io/pkg/test/istioio"
)
const (
secureIngressPortCommand = `$(kubectl -n istio-system \
get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')`
ingressHostCommand = `$(kubectl -n istio-system \
get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')`
minikubeSecureIngressPortCommand = `$(kubectl -n istio-system \
get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')`
minikubeIngressHostCommand = `$(kubectl -n istio-system \
get pod -l istio=ingressgateway -o jsonpath='{.items[0].status.hostIP}')`
)
// https://preliminary.istio.io/docs/tasks/traffic-management/ingress/secure-ingress-sds/
func TestSecureIngressSDS(t *testing.T) {
// Check the version of curl. This test requires the --retry-connrefused arg.
curl.RequireMinVersionOrFail(t, semver.MustParse("7.52.0"))
framework.
NewTest(t).
Run(func(ctx framework.TestContext) {
istioio.NewBuilder("traffic_management__ingress__secure_gateways_sds").
Add(script(ctx, "generate_certs_and_keys.txt")).
Add(script(ctx, "configure_tls_ingress_single_host.txt")).
Add(script(ctx, "configure_tls_ingress_multiple_hosts.txt")).
Add(script(ctx, "configure_mtls_ingress.txt")).
Defer(script(ctx, "cleanup.txt")).
BuildAndRun(ctx)
})
}
func script(ctx framework.TestContext, filename string) istioio.Script {
// Determine the commands to use for ingress host/port.
e := ctx.Environment().(*kube.Environment)
runtimeSecureIngressPortCommand := secureIngressPortCommand
runtimeIngressHostCommand := ingressHostCommand
if e.Settings().Minikube {
runtimeSecureIngressPortCommand = minikubeSecureIngressPortCommand
runtimeIngressHostCommand = minikubeIngressHostCommand
}
return istioio.Script{
Input: istioio.Evaluate(istioio.Path("scripts/"+filename), map[string]interface{}{
"password": "password",
"curlOptions": "--retry 10 --retry-connrefused --retry-delay 5 ",
"secureIngressPortCommand": runtimeSecureIngressPortCommand,
"ingressHostCommand": runtimeIngressHostCommand,
}),
}
}


@ -0,0 +1,44 @@
// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package ingress
import (
"testing"
"istio.io/istio/pkg/test/framework"
"istio.io/istio.io/pkg/test/istioio"
)
func TestSecureIngress(t *testing.T) {
framework.
NewTest(t).
Run(istioio.NewBuilder("tasks__traffic_management__secure_ingress").
Add(istioio.Script{
Input: istioio.Path("scripts/secure_ingress.sh"),
}).
Defer(istioio.Script{
Input: istioio.Inline{
FileName: "cleanup.sh",
Value: `
set +e # ignore cleanup errors
source ${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh
snip_cleanup_1
snip_cleanup_2
snip_cleanup_3`,
},
}).
Build())
}
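Review bot: The inline `cleanup.sh` in the `Defer` step sources `${REPO_ROOT}/.../snips.sh` unquoted and after `set +e`, so if the source fails every `snip_cleanup_*` call fails as an unknown command and nothing is reported. The removed cleanup script's comment suggests `snip_cleanup_2` is the step that removes the generated files, so a silent no-op here presumably leaves the test's private keys on disk and its TLS secrets in the cluster for whatever runs next. I would quote the path as the new `secure_ingress.sh` does and make a failed load visible: `source "${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh" || echo "cleanup: could not load snips.sh" >&2`. A short comment above `Value:` saying that cleanup errors are ignored on purpose, but a failed `source` is not, would also help.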


@ -73,10 +73,14 @@ sample_set_ingress_environment_variables() {
fi
}
# TODO: should we have functions for these?
# kubectl wait --for=condition=available deployment --all --timeout=60s
# kubectl wait --for=condition=Ready pod --all --timeout=60s
# Wait for rollout of named deployment
# usage: sample_wait_for_deployment <namespace> <deployment name>
sample_wait_for_deployment() {
local namespace="$1"
local namespace="$1"
local name="$2"
if ! kubectl -n "$namespace" rollout status deployment "$name" --timeout 5m; then
echo "Failed rollout of deployment $name in namespace $namespace"