Cleanup secure ingress test (#7313)

* Cleanup secure ingress test * fix lint * remove curl version check
2020-05-14 10:20:37 -04:00 · 2020-05-14 10:20:37 -04:00 · 93b889af63
parent 0dcdd6fddb
commit 93b889af63
9 changed files with 171 additions and 339 deletions
--- a/tests/trafficmanagement/ingress/scripts/cleanup.txt
+++ b/tests/trafficmanagement/ingress/scripts/cleanup.txt
@ -1,26 +0,0 @@
 #!/usr/bin/env bash
 # Copyright Istio Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #    http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 set -u
 source ${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh
 snip_cleanup_1
 # Keep the files around for debugging.
 # snip_cleanup_2
 snip_cleanup_3
--- a/tests/trafficmanagement/ingress/scripts/configure_mtls_ingress.txt
+++ b/tests/trafficmanagement/ingress/scripts/configure_mtls_ingress.txt
@ -1,48 +0,0 @@
 #!/usr/bin/env bash
 # Copyright Istio Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #    http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 set -e
 set -u
 set -o pipefail
 source ${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh
 snip_configure_a_mutual_tls_ingress_gateway_1
 snip_configure_a_mutual_tls_ingress_gateway_2
 # Wait for the change to propagate
 sleep 5s
 export SECURE_INGRESS_PORT={{ .secureIngressPortCommand }}
 export INGRESS_HOST={{ .ingressHostCommand }}
 # The next command is expected to fail, but don't error the script.
 set +e
 set +o pipefail
 out=$(snip_configure_a_mutual_tls_ingress_gateway_3 2>&1)
 _verify_not_contains "$out" "HTTP/2 418" "snip_configure_a_mutual_tls_ingress_gateway_3"
 # Restore error handling
 set -e
 set -o pipefail
 snip_configure_a_mutual_tls_ingress_gateway_4
 out=$(snip_configure_a_mutual_tls_ingress_gateway_5 2>&1)
 _verify_contains "$out" "HTTP/2 418" "snip_configure_a_mutual_tls_ingress_gateway_5"
 _verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_mutual_tls_ingress_gateway_5"
--- a/tests/trafficmanagement/ingress/scripts/configure_tls_ingress_multiple_hosts.txt
+++ b/tests/trafficmanagement/ingress/scripts/configure_tls_ingress_multiple_hosts.txt
@ -1,48 +0,0 @@
 #!/usr/bin/env bash
 # Copyright Istio Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #    http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 set -e
 set -u
 set -o pipefail
 source ${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh
 snip_configure_a_tls_ingress_gateway_for_multiple_hosts_1
 snip_configure_a_tls_ingress_gateway_for_multiple_hosts_2
 snip_configure_a_tls_ingress_gateway_for_multiple_hosts_3
 snip_configure_a_tls_ingress_gateway_for_multiple_hosts_4
 snip_configure_a_tls_ingress_gateway_for_multiple_hosts_5
 snip_configure_a_tls_ingress_gateway_for_multiple_hosts_6
 echo "Waiting for helloworldv1 deployment to start"
 kubectl wait --for=condition=available deployment --all --timeout=60s
 kubectl wait --for=condition=Ready pod --all --timeout=60s
 export SECURE_INGRESS_PORT={{ .secureIngressPortCommand }}
 export INGRESS_HOST={{ .ingressHostCommand }}
 out=$(snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7 2>&1)
 _verify_contains "$out" "$snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7_out" "snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7"
 out=$(snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8 2>&1)
 _verify_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8"
 _verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8"
--- a/tests/trafficmanagement/ingress/scripts/configure_tls_ingress_single_host.txt
+++ b/tests/trafficmanagement/ingress/scripts/configure_tls_ingress_single_host.txt
@ -1,115 +0,0 @@
 #!/usr/bin/env bash
 # Copyright Istio Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #    http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 set -e
 set -u
 set -o pipefail
 source ${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh
 echo "Deploying httpbin"
 cat <<EOF | kubectl apply -f -
 apiVersion: v1
 kind: Service
 metadata:
  name: httpbin
  labels:
    app: httpbin
 spec:
  ports:
  - name: http
    port: 8000
  selector:
    app: httpbin
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: httpbin
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      containers:
      - image: docker.io/citizenstig/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 8000
 EOF
 echo "Creating httpbin gateway secrets"
 snip_configure_a_tls_ingress_gateway_for_a_single_host_1
 echo "Deploying httpbin gateway"
 snip_configure_a_tls_ingress_gateway_for_a_single_host_2
 echo "Deploying httpbin virtual service"
 snip_configure_a_tls_ingress_gateway_for_a_single_host_3
 echo "Waiting for httpbin deployment to start"
 kubectl wait --for=condition=available deployment --all --timeout=60s
 kubectl wait --for=condition=Ready pod --all --timeout=60s
 echo "Verifying httpbin deployment"
 export SECURE_INGRESS_PORT={{ .secureIngressPortCommand }}
 export INGRESS_HOST={{ .ingressHostCommand }}
 out=$(snip_configure_a_tls_ingress_gateway_for_a_single_host_4 2>&1)
 _verify_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_a_single_host_4"
 _verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_tls_ingress_gateway_for_a_single_host_4"
 echo "Deleting httpbin secret and re-creating"
 snip_configure_a_tls_ingress_gateway_for_a_single_host_5
 snip_configure_a_tls_ingress_gateway_for_a_single_host_6
 # Wait for the change to propagate
 sleep 5s
 echo "Verifying new httpbin credentials"
 out=$(snip_configure_a_tls_ingress_gateway_for_a_single_host_7 2>&1)
 _verify_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_a_single_host_7"
 _verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_tls_ingress_gateway_for_a_single_host_7"
 # The next command is expected to fail, but don't error the script.
 set +e
 set +o pipefail
 echo "Verifying old httpbin credentials no longer work"
 out=$(snip_configure_a_tls_ingress_gateway_for_a_single_host_8 2>&1)
 _verify_not_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_a_single_host_8"
 # Restore error handling
 set -e
 set -o pipefail
--- a/tests/trafficmanagement/ingress/scripts/generate_certs_and_keys.txt
+++ b/tests/trafficmanagement/ingress/scripts/generate_certs_and_keys.txt
@ -1,25 +0,0 @@
 #!/usr/bin/env bash
 # Copyright Istio Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #    http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 set -e
 set -u
 set -o pipefail
 source ${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh
 snip_generate_client_and_server_certificates_and_keys_1
 snip_generate_client_and_server_certificates_and_keys_2
--- a/tests/trafficmanagement/ingress/scripts/secure_ingress.sh
+++ b/tests/trafficmanagement/ingress/scripts/secure_ingress.sh
@ -0,0 +1,122 @@
 #!/usr/bin/env bash
 # shellcheck disable=SC1090,SC2154
 # Copyright Istio Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #    http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 set -e
 set -u
 set -o pipefail
 source "${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh"
 source "${REPO_ROOT}/tests/util/samples.sh"
 kubectl label namespace default istio-injection=enabled --overwrite
 # start the httpbin sample
 startup_httpbin_sample
 # export the INGRESS_ environment variables
 sample_set_ingress_environment_variables
 snip_generate_client_and_server_certificates_and_keys_1
 snip_generate_client_and_server_certificates_and_keys_2
 # creating httpbin gateway secrets
 snip_configure_a_tls_ingress_gateway_for_a_single_host_1
 # deploying httpbin gateway
 snip_configure_a_tls_ingress_gateway_for_a_single_host_2
 # deploying httpbin virtual service
 snip_configure_a_tls_ingress_gateway_for_a_single_host_3
 # waiting for httpbin deployment to start
 sample_wait_for_deployment default httpbin
 # verifying httpbin deployment
 out=$(snip_configure_a_tls_ingress_gateway_for_a_single_host_4 2>&1)
 _verify_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_a_single_host_4"
 _verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_tls_ingress_gateway_for_a_single_host_4"
 # deleting httpbin secret and re-creating
 snip_configure_a_tls_ingress_gateway_for_a_single_host_5
 snip_configure_a_tls_ingress_gateway_for_a_single_host_6
 # wait for the change to propagate
 sleep 5s
 # verifying new httpbin credentials
 out=$(snip_configure_a_tls_ingress_gateway_for_a_single_host_7 2>&1)
 _verify_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_a_single_host_7"
 _verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_tls_ingress_gateway_for_a_single_host_7"
 # The next command is expected to fail, but don't error the script.
 set +e
 # verifying old httpbin credentials no longer work
 out=$(snip_configure_a_tls_ingress_gateway_for_a_single_host_8 2>&1)
 _verify_not_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_a_single_host_8"
 # Restore error handling
 set -e
 snip_configure_a_tls_ingress_gateway_for_multiple_hosts_1
 # start helloworld-v1 sample
 snip_configure_a_tls_ingress_gateway_for_multiple_hosts_2
 # waiting for helloworldv1 deployment to start
 sample_wait_for_deployment default helloworld-v1
 snip_configure_a_tls_ingress_gateway_for_multiple_hosts_3
 snip_configure_a_tls_ingress_gateway_for_multiple_hosts_4
 snip_configure_a_tls_ingress_gateway_for_multiple_hosts_5
 snip_configure_a_tls_ingress_gateway_for_multiple_hosts_6
 # waiting for configuration to propagate
 sleep 5s # TODO: call proper wait utility (e.g., istioctl wait)
 out=$(snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7 2>&1)
 _verify_contains "$out" "$snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7_out" "snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7"
 out=$(snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8 2>&1)
 _verify_contains "$out" "HTTP/2 418" "snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8"
 _verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8"
 snip_configure_a_mutual_tls_ingress_gateway_1
 snip_configure_a_mutual_tls_ingress_gateway_2
 # wait for the change to propagate
 sleep 5s
 # The next command is expected to fail, but don't error the script.
 set +e
 out=$(snip_configure_a_mutual_tls_ingress_gateway_3 2>&1)
 _verify_not_contains "$out" "HTTP/2 418" "snip_configure_a_mutual_tls_ingress_gateway_3"
 # Restore error handling
 set -e
 snip_configure_a_mutual_tls_ingress_gateway_4
 out=$(snip_configure_a_mutual_tls_ingress_gateway_5 2>&1)
 _verify_contains "$out" "HTTP/2 418" "snip_configure_a_mutual_tls_ingress_gateway_5"
 _verify_contains "$out" "-=[ teapot ]=-" "snip_configure_a_mutual_tls_ingress_gateway_5"
--- a/tests/trafficmanagement/ingress/secure_ingress_sds_test.go
+++ b/tests/trafficmanagement/ingress/secure_ingress_sds_test.go
@ -1,76 +0,0 @@
 // Copyright Istio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package ingress
 import (
 	"testing"
 	"github.com/Masterminds/semver"
 	"istio.io/istio/pkg/test/framework"
 	"istio.io/istio/pkg/test/framework/components/environment/kube"
 	"istio.io/istio/pkg/test/util/curl"
 	"istio.io/istio.io/pkg/test/istioio"
 )
 const (
 	secureIngressPortCommand = `$(kubectl -n istio-system \
 get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')`
 	ingressHostCommand = `$(kubectl -n istio-system \
 get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')`
 	minikubeSecureIngressPortCommand = `$(kubectl -n istio-system \
 get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')`
 	minikubeIngressHostCommand = `$(kubectl -n istio-system \
 get pod -l istio=ingressgateway -o jsonpath='{.items[0].status.hostIP}')`
 )
 // https://preliminary.istio.io/docs/tasks/traffic-management/ingress/secure-ingress-sds/
 func TestSecureIngressSDS(t *testing.T) {
 	// Check the version of curl. This test requires the --retry-connrefused arg.
 	curl.RequireMinVersionOrFail(t, semver.MustParse("7.52.0"))
 	framework.
 		NewTest(t).
 		Run(func(ctx framework.TestContext) {
 			istioio.NewBuilder("traffic_management__ingress__secure_gateways_sds").
 				Add(script(ctx, "generate_certs_and_keys.txt")).
 				Add(script(ctx, "configure_tls_ingress_single_host.txt")).
 				Add(script(ctx, "configure_tls_ingress_multiple_hosts.txt")).
 				Add(script(ctx, "configure_mtls_ingress.txt")).
 				Defer(script(ctx, "cleanup.txt")).
 				BuildAndRun(ctx)
 		})
 }
 func script(ctx framework.TestContext, filename string) istioio.Script {
 	// Determine the commands to use for ingress host/port.
 	e := ctx.Environment().(*kube.Environment)
 	runtimeSecureIngressPortCommand := secureIngressPortCommand
 	runtimeIngressHostCommand := ingressHostCommand
 	if e.Settings().Minikube {
 		runtimeSecureIngressPortCommand = minikubeSecureIngressPortCommand
 		runtimeIngressHostCommand = minikubeIngressHostCommand
 	}
 	return istioio.Script{
 		Input: istioio.Evaluate(istioio.Path("scripts/"+filename), map[string]interface{}{
 			"password":                 "password",
 			"curlOptions":              "--retry 10 --retry-connrefused --retry-delay 5 ",
 			"secureIngressPortCommand": runtimeSecureIngressPortCommand,
 			"ingressHostCommand":       runtimeIngressHostCommand,
 		}),
 	}
 }
--- a/tests/trafficmanagement/ingress/secure_ingress_test.go
+++ b/tests/trafficmanagement/ingress/secure_ingress_test.go
@ -0,0 +1,44 @@
 // Copyright Istio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package ingress
 import (
 	"testing"
 	"istio.io/istio/pkg/test/framework"
 	"istio.io/istio.io/pkg/test/istioio"
 )
 func TestSecureIngress(t *testing.T) {
 	framework.
 		NewTest(t).
 		Run(istioio.NewBuilder("tasks__traffic_management__secure_ingress").
 			Add(istioio.Script{
 				Input: istioio.Path("scripts/secure_ingress.sh"),
 			}).
 			Defer(istioio.Script{
 				Input: istioio.Inline{
 					FileName: "cleanup.sh",
 					Value: `
 set +e # ignore cleanup errors
 source ${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh
 snip_cleanup_1
 snip_cleanup_2
 snip_cleanup_3`,
 				},
 			}).
 			Build())
 }
--- a/tests/util/samples.sh
+++ b/tests/util/samples.sh
@ -73,10 +73,14 @@ sample_set_ingress_environment_variables() {
    fi
 }
 # TODO: should we have functions for these?
 #   kubectl wait --for=condition=available deployment --all --timeout=60s
 #   kubectl wait --for=condition=Ready pod --all --timeout=60s
 # Wait for rollout of named deployment
 # usage: sample_wait_for_deployment <namespace> <deployment name>
 sample_wait_for_deployment() {
-	local namespace="$1"
+    local namespace="$1"
    local name="$2"
    if ! kubectl -n "$namespace" rollout status deployment "$name" --timeout 5m; then
        echo "Failed rollout of deployment $name in namespace $namespace"