diff --git a/tests/trafficmanagement/ingress/scripts/cleanup.txt b/tests/trafficmanagement/ingress/scripts/cleanup.txt
deleted file mode 100644
index 970c421948..0000000000
--- a/tests/trafficmanagement/ingress/scripts/cleanup.txt
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -u
-
-source ${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh
-
-snip_cleanup_1
-
-# Keep the files around for debugging.
-# snip_cleanup_2
-
-snip_cleanup_3
diff --git a/tests/trafficmanagement/ingress/scripts/configure_mtls_ingress.txt b/tests/trafficmanagement/ingress/scripts/configure_mtls_ingress.txt
deleted file mode 100644
index 95eeab5abe..0000000000
--- a/tests/trafficmanagement/ingress/scripts/configure_mtls_ingress.txt
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -e
-set -u
-set -o pipefail
-
-source ${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh
-
-snip_configure_a_mutual_tls_ingress_gateway_1
-
-snip_configure_a_mutual_tls_ingress_gateway_2
-
-# Wait for the change to propagate
-sleep 5s
-
-export SECURE_INGRESS_PORT={{ .secureIngressPortCommand }}
-export INGRESS_HOST={{ .ingressHostCommand }}
-
-# The next command is expected to fail, but don't error the script.
-set +e
-set +o pipefail
-
-out=$(snip_configure_a_mutual_tls_ingress_gateway_3 2>&1)
-_verify_not_contains "$out" "HTTP/2 418" "snip_configure_a_mutual_tls_ingress_gateway_3"
-
-# Restore error handling
-set -e
-set -o pipefail
-
-snip_configure_a_mutual_tls_ingress_gateway_4
-
-out=$(snip_configure_a_mutual_tls_ingress_gateway_5 2>&1)
-_verify_contains "$out" "HTTP/2 418" "snip_configure_a_mutual_tls_ingress_gateway_5"
-_verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_mutual_tls_ingress_gateway_5"
diff --git a/tests/trafficmanagement/ingress/scripts/configure_tls_ingress_multiple_hosts.txt b/tests/trafficmanagement/ingress/scripts/configure_tls_ingress_multiple_hosts.txt
deleted file mode 100644
index 03fe0debc9..0000000000
--- a/tests/trafficmanagement/ingress/scripts/configure_tls_ingress_multiple_hosts.txt
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -e
-set -u
-set -o pipefail
-
-source ${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh
-
-snip_configure_a_tls_ingress_gateway_for_multiple_hosts_1
-
-snip_configure_a_tls_ingress_gateway_for_multiple_hosts_2
-
-snip_configure_a_tls_ingress_gateway_for_multiple_hosts_3
-
-snip_configure_a_tls_ingress_gateway_for_multiple_hosts_4
-
-snip_configure_a_tls_ingress_gateway_for_multiple_hosts_5
-
-snip_configure_a_tls_ingress_gateway_for_multiple_hosts_6
-
-echo "Waiting for helloworldv1 deployment to start"
-
-kubectl wait --for=condition=available deployment --all --timeout=60s
-kubectl wait --for=condition=Ready pod --all --timeout=60s
-
-export SECURE_INGRESS_PORT={{ .secureIngressPortCommand }}
-export INGRESS_HOST={{ .ingressHostCommand }}
-
-out=$(snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7 2>&1)
-_verify_contains "$out" "$snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7_out" "snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7"
-
-out=$(snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8 2>&1)
-_verify_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8"
-_verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8"
diff --git a/tests/trafficmanagement/ingress/scripts/configure_tls_ingress_single_host.txt b/tests/trafficmanagement/ingress/scripts/configure_tls_ingress_single_host.txt
deleted file mode 100644
index 984463a48d..0000000000
--- a/tests/trafficmanagement/ingress/scripts/configure_tls_ingress_single_host.txt
+++ /dev/null
@@ -1,115 +0,0 @@ -#!/usr/bin/env bash - -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -e -set -u -set -o pipefail - -source ${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh - -echo "Deploying httpbin" - -cat <&1) -_verify_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_a_single_host_4" -_verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_tls_ingress_gateway_for_a_single_host_4" - -echo "Deleting httpbin secret and re-creating" - -snip_configure_a_tls_ingress_gateway_for_a_single_host_5 - -snip_configure_a_tls_ingress_gateway_for_a_single_host_6 - -# Wait for the change to propagate -sleep 5s - -echo "Verifying new httpbin credentials" - -out=$(snip_configure_a_tls_ingress_gateway_for_a_single_host_7 2>&1) -_verify_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_a_single_host_7" -_verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_tls_ingress_gateway_for_a_single_host_7" - -# The next command is expected to fail, but don't error the script. -set +e -set +o pipefail - -echo "Verifying old httpbin credentials no longer work" - -out=$(snip_configure_a_tls_ingress_gateway_for_a_single_host_8 2>&1) -_verify_not_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_a_single_host_8" - -# Restore error handling -set -e -set -o pipefail 
diff --git a/tests/trafficmanagement/ingress/scripts/generate_certs_and_keys.txt b/tests/trafficmanagement/ingress/scripts/generate_certs_and_keys.txt
deleted file mode 100644
index f134e45c60..0000000000
--- a/tests/trafficmanagement/ingress/scripts/generate_certs_and_keys.txt
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -e
-set -u
-set -o pipefail
-
-source ${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh
-
-snip_generate_client_and_server_certificates_and_keys_1
-
-snip_generate_client_and_server_certificates_and_keys_2
diff --git a/tests/trafficmanagement/ingress/scripts/secure_ingress.sh b/tests/trafficmanagement/ingress/scripts/secure_ingress.sh
new file mode 100644
index 0000000000..f8b5a40781
--- /dev/null
+++ b/tests/trafficmanagement/ingress/scripts/secure_ingress.sh
@@ -0,0 +1,122 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1090,SC2154
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+set -u
+set -o pipefail
+
+source "${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh"
+source "${REPO_ROOT}/tests/util/samples.sh"
+
+kubectl label namespace default istio-injection=enabled --overwrite
+
+# start the httpbin sample
+startup_httpbin_sample
+
+# export the INGRESS_ environment variables
+sample_set_ingress_environment_variables
+
+snip_generate_client_and_server_certificates_and_keys_1
+
+snip_generate_client_and_server_certificates_and_keys_2
+
+# creating httpbin gateway secrets
+snip_configure_a_tls_ingress_gateway_for_a_single_host_1
+
+# deploying httpbin gateway
+snip_configure_a_tls_ingress_gateway_for_a_single_host_2
+
+# deploying httpbin virtual service
+snip_configure_a_tls_ingress_gateway_for_a_single_host_3
+
+# waiting for httpbin deployment to start
+sample_wait_for_deployment default httpbin
+
+# verifying httpbin deployment
+out=$(snip_configure_a_tls_ingress_gateway_for_a_single_host_4 2>&1)
+_verify_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_a_single_host_4"
+_verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_tls_ingress_gateway_for_a_single_host_4"
+
+# deleting httpbin secret and re-creating
+snip_configure_a_tls_ingress_gateway_for_a_single_host_5
+snip_configure_a_tls_ingress_gateway_for_a_single_host_6
+
+# wait for the change to propagate
+sleep 5s
+
+# verifying new httpbin credentials
+out=$(snip_configure_a_tls_ingress_gateway_for_a_single_host_7 2>&1)
+_verify_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_a_single_host_7"
+_verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_tls_ingress_gateway_for_a_single_host_7"
+
+# The next command is expected to fail, but don't error the script.
+set +e
+
+# verifying old httpbin credentials no longer work
+out=$(snip_configure_a_tls_ingress_gateway_for_a_single_host_8 2>&1)
+_verify_not_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_a_single_host_8"
+
+# Restore error handling
+set -e
+
+snip_configure_a_tls_ingress_gateway_for_multiple_hosts_1
+
+# start helloworld-v1 sample
+snip_configure_a_tls_ingress_gateway_for_multiple_hosts_2
+
+# waiting for helloworldv1 deployment to start
+sample_wait_for_deployment default helloworld-v1
+
+snip_configure_a_tls_ingress_gateway_for_multiple_hosts_3
+
+snip_configure_a_tls_ingress_gateway_for_multiple_hosts_4
+
+snip_configure_a_tls_ingress_gateway_for_multiple_hosts_5
+
+snip_configure_a_tls_ingress_gateway_for_multiple_hosts_6
+
+# waiting for configuration to propagate
+sleep 5s # TODO: call proper wait utility (e.g., istioctl wait)
+
+out=$(snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7 2>&1)
+_verify_contains "$out" "$snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7_out" "snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7"
+
+out=$(snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8 2>&1)
+_verify_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8"
+_verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8"
+
+snip_configure_a_mutual_tls_ingress_gateway_1
+
+snip_configure_a_mutual_tls_ingress_gateway_2
+
+# wait for the change to propagate
+sleep 5s
+
+# The next command is expected to fail, but don't error the script.
+set +e
+
+out=$(snip_configure_a_mutual_tls_ingress_gateway_3 2>&1)
+_verify_not_contains "$out" "HTTP/2 418" "snip_configure_a_mutual_tls_ingress_gateway_3"
+
+# Restore error handling
+set -e
+
+snip_configure_a_mutual_tls_ingress_gateway_4
+
+out=$(snip_configure_a_mutual_tls_ingress_gateway_5 2>&1)
+_verify_contains "$out" "HTTP/2 418" "snip_configure_a_mutual_tls_ingress_gateway_5"
+_verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_mutual_tls_ingress_gateway_5"
diff --git a/tests/trafficmanagement/ingress/secure_ingress_sds_test.go b/tests/trafficmanagement/ingress/secure_ingress_sds_test.go
deleted file mode 100644
index e3a32344a7..0000000000
--- a/tests/trafficmanagement/ingress/secure_ingress_sds_test.go
+++ /dev/null
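Review bot: In secure_ingress.sh both negative checks (`snip_configure_a_tls_ingress_gateway_for_a_single_host_8` and `snip_configure_a_mutual_tls_ingress_gateway_3`) run `_verify_not_contains` while errexit is still off, and they pass on any output that lacks `HTTP/2 418`, so a request that never reached the gateway is counted as proof that the old credentials or the certificate-less client were rejected. `_verify_not_contains` is defined outside this diff; if it signals a mismatch through its return status rather than by exiting, `set +e` would hide that as well. Limit the tolerance to the capture itself, e.g. `out=$(snip_configure_a_mutual_tls_ingress_gateway_3 2>&1) || true`, and drop the `set +e`/`set -e` pair. Then add a positive assertion on the failure, `_verify_contains "$out" "<expected TLS error text>" "snip_configure_a_mutual_tls_ingress_gateway_3"`, so the test checks the rejection rather than the absence of a success.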
@@ -1,76 +0,0 @@
-// Copyright Istio Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package ingress
-
-import (
- "testing"
-
- "github.com/Masterminds/semver"
-
- "istio.io/istio/pkg/test/framework"
- "istio.io/istio/pkg/test/framework/components/environment/kube"
- "istio.io/istio/pkg/test/util/curl"
-
- "istio.io/istio.io/pkg/test/istioio"
-)
-
-const (
- secureIngressPortCommand = `$(kubectl -n istio-system \
-get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')`
- ingressHostCommand = `$(kubectl -n istio-system \
-get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')`
- minikubeSecureIngressPortCommand = `$(kubectl -n istio-system \
-get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')`
- minikubeIngressHostCommand = `$(kubectl -n istio-system \
-get pod -l istio=ingressgateway -o jsonpath='{.items[0].status.hostIP}')`
-)
-
-// https://preliminary.istio.io/docs/tasks/traffic-management/ingress/secure-ingress-sds/
-func TestSecureIngressSDS(t *testing.T) {
- // Check the version of curl. This test requires the --retry-connrefused arg.
- curl.RequireMinVersionOrFail(t, semver.MustParse("7.52.0"))
-
- framework.
- NewTest(t).
- Run(func(ctx framework.TestContext) {
- istioio.NewBuilder("traffic_management__ingress__secure_gateways_sds").
- Add(script(ctx, "generate_certs_and_keys.txt")).
- Add(script(ctx, "configure_tls_ingress_single_host.txt")).
- Add(script(ctx, "configure_tls_ingress_multiple_hosts.txt")).
- Add(script(ctx, "configure_mtls_ingress.txt")).
- Defer(script(ctx, "cleanup.txt")).
- BuildAndRun(ctx)
- })
-}
-
-func script(ctx framework.TestContext, filename string) istioio.Script {
- // Determine the commands to use for ingress host/port.
- e := ctx.Environment().(*kube.Environment)
- runtimeSecureIngressPortCommand := secureIngressPortCommand
- runtimeIngressHostCommand := ingressHostCommand
- if e.Settings().Minikube {
- runtimeSecureIngressPortCommand = minikubeSecureIngressPortCommand
- runtimeIngressHostCommand = minikubeIngressHostCommand
- }
-
- return istioio.Script{
- Input: istioio.Evaluate(istioio.Path("scripts/"+filename), map[string]interface{}{
- "password": "password",
- "curlOptions": "--retry 10 --retry-connrefused --retry-delay 5 ",
- "secureIngressPortCommand": runtimeSecureIngressPortCommand,
- "ingressHostCommand": runtimeIngressHostCommand,
- }),
- }
-}
diff --git a/tests/trafficmanagement/ingress/secure_ingress_test.go b/tests/trafficmanagement/ingress/secure_ingress_test.go
new file mode 100644
index 0000000000..0c93c25faf
--- /dev/null
+++ b/tests/trafficmanagement/ingress/secure_ingress_test.go
@@ -0,0 +1,44 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ingress
+
+import (
+ "testing"
+
+ "istio.io/istio/pkg/test/framework"
+
+ "istio.io/istio.io/pkg/test/istioio"
+)
+
+func TestSecureIngress(t *testing.T) {
+ framework.
+ NewTest(t).
+ Run(istioio.NewBuilder("tasks__traffic_management__secure_ingress").
+ Add(istioio.Script{
+ Input: istioio.Path("scripts/secure_ingress.sh"),
+ }).
+ Defer(istioio.Script{
+ Input: istioio.Inline{
+ FileName: "cleanup.sh",
+ Value: `
+set +e # ignore cleanup errors
+source ${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh
+snip_cleanup_1
+snip_cleanup_2
+snip_cleanup_3`,
+ },
+ }).
+ Build())
+}
diff --git a/tests/util/samples.sh b/tests/util/samples.sh
index f2012eac5e..c567ccdb87 100644
--- a/tests/util/samples.sh
+++ b/tests/util/samples.sh
@@ -73,10 +73,14 @@ sample_set_ingress_environment_variables() { fi } +# TODO: should we have functions for these? +# kubectl wait --for=condition=available deployment --all --timeout=60s +# kubectl wait --for=condition=Ready pod --all --timeout=60s + # Wait for rollout of named deployment # usage: sample_wait_for_deployment sample_wait_for_deployment() { - local namespace="$1" + local namespace="$1" local name="$2" if ! kubectl -n "$namespace" rollout status deployment "$name" --timeout 5m; then echo "Failed rollout of deployment $name in namespace $namespace"
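Review bot: In secure_ingress_test.go the deferred `cleanup.sh` turns errexit off before it sources snips.sh, and the path is unquoted with no guard on `REPO_ROOT`. If the variable is unset or the file is missing, the three `snip_cleanup_*` calls fail as unknown commands and nothing reports it. Whatever the task created then stays behind; judging by the snippet names in secure_ingress.sh that includes the gateway credential secrets and the generated key files, though snips.sh itself is not part of this diff. Make the source step strict and relax errors only afterwards: `source "${REPO_ROOT:?}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh" || exit 1` followed by `set +e # ignore cleanup errors`. A one-line doc comment on `TestSecureIngress` naming the docs task it covers would also replace the URL comment that the deleted test carried.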