istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Cleanup remaining tests (#7389) 

* Cleanup bookinfo test

* fix test name

* convert txt to sh files

* combine scripts

* lint

* txt2sh

* remove trailing spaces

* fault_injection script

* remove WaitForPods

* wait sleep
This commit is contained in:
Frank Budinsky 2020-05-25 15:18:50 -04:00 committed by GitHub
parent 4e0103110d
commit a0c11bc65a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
24 changed files with 180 additions and 319 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
tests/configuration/health_check_test.go
View File

@ -28,19 +28,17 @@ func TestHealthCheck(t *testing.T) {
NewTest(t).
Run(istioio.NewBuilder("ops__configuration__mesh__app_health_check").
Add(istioio.Script{
Input: istioio.Path("scripts/liveness_and_readiness_probes_with_command.txt"),
}).
Add(istioio.Script{
Input: istioio.Path("scripts/liveness_and_readiness_probes_with_http_globally.txt"),
}).
Add(istioio.Script{
Input: istioio.Path("scripts/liveness_and_readiness_probes_with_http_annotations.txt"),
}).
Add(istioio.Script{
Input: istioio.Path("scripts/liveness_and_readiness_probes_with_http_separate_port.txt"),
Input: istioio.Path("scripts/liveness_and_readiness_probes.sh"),
}).
Defer(istioio.Script{
Input: istioio.Path("scripts/cleanup.txt"),
Input: istioio.Inline{
FileName: "cleanup.sh",
Value: `
set +e # ignore cleanup errors
source ${REPO_ROOT}/content/en/docs/ops/configuration/mesh/app-health-check/snips.sh
snip_cleanup_1
kubectl delete ns health-annotate`,
},
}).
Build())
}

25
tests/configuration/scripts/cleanup.txt
View File

@ -1,25 +0,0 @@
#!/usr/bin/env bash
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
set -u
set -o pipefail
source ${REPO_ROOT}/content/en/docs/ops/configuration/mesh/app-health-check/snips.sh
snip_cleanup_1
kubectl delete ns health-annotate

69
tests/configuration/scripts/liveness_and_readiness_probes.sh Normal file
View File

@ -0,0 +1,69 @@
#!/usr/bin/env bash
# shellcheck disable=SC1090,SC2154
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
set -u
set -o pipefail
source "${REPO_ROOT}/content/en/docs/ops/configuration/mesh/app-health-check/snips.sh"
snip_liveness_and_readiness_probes_with_command_option_1
snip_liveness_and_readiness_probes_with_command_option_2
snip_liveness_and_readiness_probes_with_command_option_3
snip_liveness_and_readiness_probes_with_command_option_4
kubectl -n istio-io-health rollout status deployment liveness --timeout 60s
_run_and_verify_like snip_liveness_and_readiness_probes_with_command_option_5 "$snip_liveness_and_readiness_probes_with_command_option_5_out"
kubectl -n istio-io-health delete -f samples/health-check/liveness-command.yaml
snip_enable_globally_via_install_option_1
snip_redeploy_the_liveness_health_check_app_1
kubectl -n istio-same-port rollout status deployment liveness-http --timeout 60s
_run_and_verify_like snip_redeploy_the_liveness_health_check_app_2 "$snip_redeploy_the_liveness_health_check_app_2_out"
kubectl -n istio-same-port delete -f samples/health-check/liveness-http-same-port.yaml
kubectl get cm istio-sidecar-injector -n istio-system -o yaml | sed -e 's/"rewriteAppHTTPProbe": true/"rewriteAppHTTPProbe": false/' | kubectl apply -f -
kubectl create ns health-annotate
echo "$snip_use_annotations_on_pod_1" | kubectl -n health-annotate apply -f -
kubectl -n health-annotate rollout status deployment liveness-http --timeout 30s
out=$(kubectl -n health-annotate get pod 2>&1)
expected="NAME READY STATUS RESTARTS AGE
liveness-http-975595bb6-5b2z7c 1/1 Running 0 1m"
_verify_like "$out" "$expected" "verify_health-annotate_pod"
kubectl -n health-annotate delete deploy/liveness-http
snip_separate_port_1
kubectl -n istio-sep-port rollout status deployment liveness-http --timeout 60s
_run_and_verify_like snip_separate_port_2 "$snip_separate_port_2_out"
kubectl -n istio-sep-port delete -f samples/health-check/liveness-http.yaml

36
tests/configuration/scripts/liveness_and_readiness_probes_with_command.txt
View File

@ -1,36 +0,0 @@
#!/usr/bin/env bash
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
set -u
set -o pipefail
source ${REPO_ROOT}/content/en/docs/ops/configuration/mesh/app-health-check/snips.sh
snip_liveness_and_readiness_probes_with_command_option_1
snip_liveness_and_readiness_probes_with_command_option_2
snip_liveness_and_readiness_probes_with_command_option_3
snip_liveness_and_readiness_probes_with_command_option_4
kubectl -n istio-io-health rollout status deployment liveness --timeout 60s
out=$(snip_liveness_and_readiness_probes_with_command_option_5 2>&1)
_verify_like "$out" "$snip_liveness_and_readiness_probes_with_command_option_5_out" "snip_liveness_and_readiness_probes_with_command_option_5"
kubectl -n istio-io-health delete -f samples/health-check/liveness-command.yaml

34
tests/configuration/scripts/liveness_and_readiness_probes_with_http_annotations.txt
View File

@ -1,34 +0,0 @@
#!/usr/bin/env bash
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
set -u
set -o pipefail
source ${REPO_ROOT}/content/en/docs/ops/configuration/mesh/app-health-check/snips.sh
kubectl create ns health-annotate
echo "$snip_use_annotations_on_pod_1" | kubectl -n health-annotate apply -f -
kubectl -n health-annotate rollout status deployment liveness-http --timeout 30s
out=$(kubectl -n health-annotate get pod 2>&1)
expected="NAME READY STATUS RESTARTS AGE
liveness-http-975595bb6-5b2z7c 1/1 Running 0 1m"
_verify_like "$out" "$expected" "verify_health-annotate_pod"
kubectl -n health-annotate delete deploy/liveness-http

34
tests/configuration/scripts/liveness_and_readiness_probes_with_http_globally.txt
View File

@ -1,34 +0,0 @@
#!/usr/bin/env bash
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
set -u
set -o pipefail
source ${REPO_ROOT}/content/en/docs/ops/configuration/mesh/app-health-check/snips.sh
snip_enable_globally_via_install_option_1
snip_redeploy_the_liveness_health_check_app_1
kubectl -n istio-same-port rollout status deployment liveness-http --timeout 60s
out=$(snip_redeploy_the_liveness_health_check_app_2 2>&1)
_verify_like "$out" "$snip_redeploy_the_liveness_health_check_app_2_out" "snip_redeploy_the_liveness_health_check_app_2"
kubectl -n istio-same-port delete -f samples/health-check/liveness-http-same-port.yaml
kubectl get cm istio-sidecar-injector -n istio-system -o yaml | sed -e 's/"rewriteAppHTTPProbe": true/"rewriteAppHTTPProbe": false/' | kubectl apply -f -

30
tests/configuration/scripts/liveness_and_readiness_probes_with_http_separate_port.txt
View File

@ -1,30 +0,0 @@
#!/usr/bin/env bash
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
set -u
set -o pipefail
source ${REPO_ROOT}/content/en/docs/ops/configuration/mesh/app-health-check/snips.sh
snip_separate_port_1
kubectl -n istio-sep-port rollout status deployment liveness-http --timeout 60s
out=$(snip_separate_port_2 2>&1)
_verify_like "$out" "$snip_separate_port_2_out" "snip_separate_port_2"
kubectl -n istio-sep-port delete -f samples/health-check/liveness-http.yaml

36
tests/examples/bookinfo_test.go
View File

@ -18,52 +18,24 @@ import (
"testing"
"istio.io/istio/pkg/test/framework"
"istio.io/istio/pkg/test/framework/components/environment/kube"
"istio.io/istio.io/pkg/test/istioio"
)
const (
ingressPortCommand = `$(kubectl -n istio-system \
get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')`
ingressHostCommand = `$(kubectl -n istio-system \
get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')`
minikubeIngressPortCommand = `$(kubectl -n istio-system \
get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')`
minikubeIngressHostCommand = `$(kubectl -n istio-system \
get pod -l istio=ingressgateway -o jsonpath='{.items[0].status.hostIP}')`
)
//https://istio.io/docs/examples/bookinfo/
//https://github.com/istio/istio.io/blob/master/content/en/docs/examples/bookinfo/index.md
func TestBookinfo(t *testing.T) {
framework.
NewTest(t).
Run(istioio.NewBuilder("examples__bookinfo").
Add(istioio.Script{
Input: istioio.InputSelectorFunc(func(ctx istioio.Context) istioio.Input {
e := ctx.Environment().(*kube.Environment)
portCommand := ingressPortCommand
hostCommand := ingressHostCommand
if e.Settings().Minikube {
portCommand = minikubeIngressPortCommand
hostCommand = minikubeIngressHostCommand
}
return istioio.Evaluate(
istioio.Path("scripts/bookinfo.txt"),
map[string]interface{}{
"ingressPortCommand": portCommand,
"ingressHostCommand": hostCommand,
},
).SelectInput(ctx)
}),
Input: istioio.Path("scripts/bookinfo.sh"),
}).
Defer(istioio.Script{
Input: istioio.Inline{
FileName: "cleanup.sh",
Value: `
kubectl delete -n default -f samples/bookinfo/platform/kube/bookinfo.yaml || true
kubectl delete -n default -f samples/bookinfo/networking/bookinfo-gateway.yaml || true`,
set +e # ignore cleanup errors
source ${REPO_ROOT}/content/en/docs/examples/bookinfo/snips.sh
snip_cleanup_1`,
},
}).
Build())

8
tests/examples/scripts/bookinfo.txt → tests/examples/scripts/bookinfo.sh
View File

@ -1,4 +1,5 @@
#!/usr/bin/env bash
# shellcheck disable=SC1090,SC2154
# Copyright Istio Authors
#
@ -18,7 +19,8 @@ set -e
set -u
set -o pipefail
source ${REPO_ROOT}/content/en/docs/examples/bookinfo/snips.sh
source "${REPO_ROOT}/content/en/docs/examples/bookinfo/snips.sh"
source "${REPO_ROOT}/tests/util/samples.sh"
# remove the injection label to prevent the following command from failing
kubectl label namespace default istio-injection-
@ -43,8 +45,8 @@ _run_and_verify_like snip_determine_the_ingress_ip_and_port_2 "$snip_determine_t
# give it some time to propagate
sleep 5
export INGRESS_HOST={{ .ingressHostCommand }}
export INGRESS_PORT={{ .ingressPortCommand }}
# export the INGRESS_ environment variables
sample_set_ingress_environment_variables
snip_determine_the_ingress_ip_and_port_3

10
tests/security/authz_deny/authz_deny_test.go
View File

@ -28,15 +28,6 @@ func TestAuthzDeny(t *testing.T) {
framework.
NewTest(t).
Run(istioio.NewBuilder("tasks__security___authz_deny").
Add(istioio.Script{
Input: istioio.Inline{
FileName: "create_ns_foo_with_httpbin_sleep.sh",
Value: `
source ${REPO_ROOT}/content/en/docs/tasks/security/authorization/authz-deny/snips.sh
snip_before_you_begin_1`,
},
}).
Add(istioio.MultiPodWait("foo")).
Add(istioio.Script{
Input: istioio.Path("scripts/authz_deny.sh"),
}).
@ -46,6 +37,7 @@ snip_before_you_begin_1`,
Input: istioio.Inline{
FileName: "cleanup.sh",
Value: `
set +e # ignore cleanup errors
source ${REPO_ROOT}/content/en/docs/tasks/security/authorization/authz-deny/snips.sh
snip_clean_up_1`,
},

22
tests/security/authz_deny/scripts/authz_deny.sh
View File

@ -20,27 +20,31 @@ set -u
set -o pipefail
source "${REPO_ROOT}/content/en/docs/tasks/security/authorization/authz-deny/snips.sh"
source "${REPO_ROOT}/tests/util/samples.sh"
max_attempts=5
snip_before_you_begin_1
_run_and_verify_same snip_before_you_begin_2 "$snip_before_you_begin_2_out" $max_attempts
sample_wait_for_deployment foo httpbin
sample_wait_for_deployment foo sleep
_run_and_verify_same snip_before_you_begin_2 "$snip_before_you_begin_2_out"
snip_explicitly_deny_a_request_1
_run_and_verify_same snip_explicitly_deny_a_request_2 "$snip_explicitly_deny_a_request_2_out" $max_attempts
_run_and_verify_same snip_explicitly_deny_a_request_2 "$snip_explicitly_deny_a_request_2_out"
_run_and_verify_same snip_explicitly_deny_a_request_3 "$snip_explicitly_deny_a_request_3_out" $max_attempts
_run_and_verify_same snip_explicitly_deny_a_request_3 "$snip_explicitly_deny_a_request_3_out"
snip_explicitly_deny_a_request_4
_run_and_verify_same snip_explicitly_deny_a_request_5 "$snip_explicitly_deny_a_request_5_out" $max_attempts
_run_and_verify_same snip_explicitly_deny_a_request_5 "$snip_explicitly_deny_a_request_5_out"
_run_and_verify_same snip_explicitly_deny_a_request_6 "$snip_explicitly_deny_a_request_6_out" $max_attempts
_run_and_verify_same snip_explicitly_deny_a_request_6 "$snip_explicitly_deny_a_request_6_out"
snip_explicitly_deny_a_request_7
_run_and_verify_same snip_explicitly_deny_a_request_8 "$snip_explicitly_deny_a_request_8_out" $max_attempts
_run_and_verify_same snip_explicitly_deny_a_request_8 "$snip_explicitly_deny_a_request_8_out"
_run_and_verify_same snip_explicitly_deny_a_request_9 "$snip_explicitly_deny_a_request_9_out" $max_attempts
_run_and_verify_same snip_explicitly_deny_a_request_9 "$snip_explicitly_deny_a_request_9_out"
_run_and_verify_same snip_explicitly_deny_a_request_10 "$snip_explicitly_deny_a_request_10_out" $max_attempts
_run_and_verify_same snip_explicitly_deny_a_request_10 "$snip_explicitly_deny_a_request_10_out"

15
tests/security/authz_http_test.go
View File

@ -29,20 +29,21 @@ func TestAuthorizationForHTTPServices(t *testing.T) {
NewTest(t).
Run(istioio.NewBuilder("tasks__security__authorization_for_http_services").
Add(istioio.Script{
Input: istioio.Path("scripts/authz_http.txt"),
Input: istioio.Path("scripts/authz_http.sh"),
}).
// Remaining cleanup (undocumented).
Defer(istioio.Script{
Input: istioio.Inline{
FileName: "cleanup.sh",
Value: `
set +e # ignore cleanup errors
source ${REPO_ROOT}/content/en/docs/tasks/security/authorization/authz-http/snips.sh
source ${REPO_ROOT}/tests/util/samples.sh
snip_clean_up_1
kubectl delete -f samples/bookinfo/platform/kube/bookinfo.yaml || true
kubectl delete -f samples/bookinfo/networking/bookinfo-gateway.yaml || true
kubectl delete -f samples/bookinfo/networking/destination-rule-all.yaml || true
kubectl delete -f samples/bookinfo/networking/virtual-service-reviews-v3.yaml || true
kubectl delete -f samples/sleep/sleep.yaml || true`,
# remaining cleanup (undocumented).
cleanup_bookinfo_sample
cleanup_sleep_sample
kubectl delete -f samples/bookinfo/networking/virtual-service-reviews-v3.yaml
`,
},
}).Build())
}

10
tests/security/authz_jwt/authz_jwt_test.go
View File

@ -28,15 +28,6 @@ func TestAuthzJWT(t *testing.T) {
framework.
NewTest(t).
Run(istioio.NewBuilder("tasks__security___authz_jwt").
Add(istioio.Script{
Input: istioio.Inline{
FileName: "create_ns_foo_with_httpbin_sleep.sh",
Value: `
source ${REPO_ROOT}/content/en/docs/tasks/security/authorization/authz-jwt/snips.sh
snip_before_you_begin_1`,
},
}).
Add(istioio.MultiPodWait("foo")).
Add(istioio.Script{
Input: istioio.Path("scripts/authz_jwt.sh"),
}).
@ -46,6 +37,7 @@ snip_before_you_begin_1`,
Input: istioio.Inline{
FileName: "cleanup.sh",
Value: `
set +e # ignore cleanup errors
source ${REPO_ROOT}/content/en/docs/tasks/security/authorization/authz-jwt/snips.sh
snip_clean_up_1`,
},

26
tests/security/authz_jwt/scripts/authz_jwt.sh
View File

@ -20,6 +20,12 @@ set -u
set -o pipefail
source "${REPO_ROOT}/content/en/docs/tasks/security/authorization/authz-jwt/snips.sh"
source "${REPO_ROOT}/tests/util/samples.sh"
snip_before_you_begin_1
sample_wait_for_deployment foo httpbin
sample_wait_for_deployment foo sleep
# Pull the Istio branch from the docs configuration file.
ISTIO_BRANCH=$(yq r "${REPO_ROOT}"/data/args.yml 'source_branch_name')
@ -30,35 +36,33 @@ TOKEN_GROUP_URL="https://raw.githubusercontent.com/istio/istio/${ISTIO_BRANCH}/s
export TOKEN
export TOKEN_GROUP
max_attempts=5
_run_and_verify_same snip_before_you_begin_2 "$snip_before_you_begin_2_out" $max_attempts
_run_and_verify_same snip_before_you_begin_2 "$snip_before_you_begin_2_out"
snip_allow_requests_with_valid_jwt_and_listtyped_claims_1
_run_and_verify_same snip_allow_requests_with_valid_jwt_and_listtyped_claims_2 "$snip_allow_requests_with_valid_jwt_and_listtyped_claims_2_out" $max_attempts
_run_and_verify_same snip_allow_requests_with_valid_jwt_and_listtyped_claims_2 "$snip_allow_requests_with_valid_jwt_and_listtyped_claims_2_out"
_run_and_verify_same snip_allow_requests_with_valid_jwt_and_listtyped_claims_3 "$snip_allow_requests_with_valid_jwt_and_listtyped_claims_3_out" $max_attempts
_run_and_verify_same snip_allow_requests_with_valid_jwt_and_listtyped_claims_3 "$snip_allow_requests_with_valid_jwt_and_listtyped_claims_3_out"
snip_allow_requests_with_valid_jwt_and_listtyped_claims_4
_run_and_verify_same snip_allow_requests_with_valid_jwt_and_listtyped_claims_5 "$snip_allow_requests_with_valid_jwt_and_listtyped_claims_5_out" $max_attempts
_run_and_verify_same snip_allow_requests_with_valid_jwt_and_listtyped_claims_5 "$snip_allow_requests_with_valid_jwt_and_listtyped_claims_5_out"
# The previous step stored the JWT in TOKEN, and it's needed in the next step.
TOKEN=$(curl "${TOKEN_URL}" -s)
_run_and_verify_same snip_allow_requests_with_valid_jwt_and_listtyped_claims_6 "$snip_allow_requests_with_valid_jwt_and_listtyped_claims_6_out" $max_attempts
_run_and_verify_same snip_allow_requests_with_valid_jwt_and_listtyped_claims_6 "$snip_allow_requests_with_valid_jwt_and_listtyped_claims_6_out"
_run_and_verify_same snip_allow_requests_with_valid_jwt_and_listtyped_claims_7 "$snip_allow_requests_with_valid_jwt_and_listtyped_claims_7_out" $max_attempts
_run_and_verify_same snip_allow_requests_with_valid_jwt_and_listtyped_claims_7 "$snip_allow_requests_with_valid_jwt_and_listtyped_claims_7_out"
snip_allow_requests_with_valid_jwt_and_listtyped_claims_8
_run_and_verify_same snip_allow_requests_with_valid_jwt_and_listtyped_claims_9 "$snip_allow_requests_with_valid_jwt_and_listtyped_claims_9_out" $max_attempts
_run_and_verify_same snip_allow_requests_with_valid_jwt_and_listtyped_claims_9 "$snip_allow_requests_with_valid_jwt_and_listtyped_claims_9_out"
# The previous step stored the JWT group in TOKEN_GROUP, and it's needed in
# the next step.
TOKEN_GROUP=$(curl "${TOKEN_GROUP_URL}" -s)
_run_and_verify_same snip_allow_requests_with_valid_jwt_and_listtyped_claims_10 "$snip_allow_requests_with_valid_jwt_and_listtyped_claims_10_out" $max_attempts
_run_and_verify_same snip_allow_requests_with_valid_jwt_and_listtyped_claims_10 "$snip_allow_requests_with_valid_jwt_and_listtyped_claims_10_out"
_run_and_verify_same snip_allow_requests_with_valid_jwt_and_listtyped_claims_11 "$snip_allow_requests_with_valid_jwt_and_listtyped_claims_11_out" $max_attempts
_run_and_verify_same snip_allow_requests_with_valid_jwt_and_listtyped_claims_11 "$snip_allow_requests_with_valid_jwt_and_listtyped_claims_11_out"

12
tests/security/authz_tcp/authz_tcp_test.go
View File

@ -29,16 +29,7 @@ func TestAuthzTCP(t *testing.T) {
NewTest(t).
Run(istioio.NewBuilder("tasks__security___authz_tcp").
Add(istioio.Script{
Input: istioio.Inline{
FileName: "create_ns_foo_with_tcpecho_sleep.sh",
Value: `
source ${REPO_ROOT}/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh
snip_before_you_begin_1`,
},
}).
Add(istioio.MultiPodWait("foo")).
Add(istioio.Script{
Input: istioio.Path("scripts/authz_tcp.txt"),
Input: istioio.Path("scripts/authz_tcp.sh"),
}).
// Cleanup.
@ -46,6 +37,7 @@ snip_before_you_begin_1`,
Input: istioio.Inline{
FileName: "cleanup.sh",
Value: `
set +e # ignore cleanup errors
source ${REPO_ROOT}/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh
snip_clean_up_1`,
},

14
tests/security/authz_tcp/scripts/authz_tcp.txt → tests/security/authz_tcp/scripts/authz_tcp.sh
View File

@ -1,4 +1,5 @@
#!/usr/bin/env bash
# shellcheck disable=SC1090,SC2154
# Copyright Istio Authors
#
@ -18,9 +19,16 @@ set -e
set -u
set -o pipefail
source ${REPO_ROOT}/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh
source "${REPO_ROOT}/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh"
source "${REPO_ROOT}/tests/util/samples.sh"
export TCP_ECHO_IP=$(kubectl get pod $(kubectl get pod -l app=tcp-echo -n foo -o jsonpath={.items..metadata.name}) -n foo -o jsonpath={.status.podIP})
snip_before_you_begin_1
sample_wait_for_deployment foo tcp-echo
sample_wait_for_deployment foo sleep
# shellcheck disable=SC2155
export TCP_ECHO_IP=$(kubectl get pod "$(kubectl get pod -l app=tcp-echo -n foo -o jsonpath={.items..metadata.name})" -n foo -o "jsonpath={.status.podIP}")
# When strict-mode mTLS is enabled, only ports defined as a service are
# protected by mTLS. As part of this test, we connect to port 9002, which was
@ -28,7 +36,7 @@ export TCP_ECHO_IP=$(kubectl get pod $(kubectl get pod -l app=tcp-echo -n foo -o
#
# To make this test reliable, we remove any peer authentication that may have
# stuck around from a previous test.
kubectl delete peerauthentication --all-namespaces --all
#kubectl delete peerauthentication --all-namespaces --all
_run_and_verify_same snip_before_you_begin_2 "$snip_before_you_begin_2_out"

3
tests/security/dns_cert/dns_cert_test.go
View File

@ -29,13 +29,14 @@ func TestDNSCert(t *testing.T) {
NewTest(t).
Run(istioio.NewBuilder("tasks__security___dns_cert").
Add(istioio.Script{
Input: istioio.Path("scripts/dns_cert.txt"),
Input: istioio.Path("scripts/dns_cert.sh"),
}).
// Cleanup.
Defer(istioio.Script{
Input: istioio.Inline{
FileName: "cleanup.sh",
Value: `
set +e # ignore cleanup errors
source ${REPO_ROOT}/content/en/docs/tasks/security/cert-management/dns-cert/snips.sh
snip_cleanup_1`,
},

5
tests/security/dns_cert/scripts/dns_cert.txt → tests/security/dns_cert/scripts/dns_cert.sh
View File

@ -1,4 +1,5 @@
#!/usr/bin/env bash
# shellcheck disable=SC1090,SC2154
# Copyright Istio Authors
#
@ -14,11 +15,13 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# shellcheck disable=SC2001
set -e
set -u
set -o pipefail
source ${REPO_ROOT}/content/en/docs/tasks/security/cert-management/dns-cert/snips.sh
source "${REPO_ROOT}/content/en/docs/tasks/security/cert-management/dns-cert/snips.sh"
out=$(snip_check_the_provisioning_of_dns_certificates_1 2>&1)
# Remove trailing spaces

20
tests/security/mtls_migration_test.go
View File

@ -30,25 +30,7 @@ func TestMutualTLSMigration(t *testing.T) {
NewTest(t).
Run(istioio.NewBuilder("tasks__security__mututal_tls_migration").
Add(istioio.Script{
Input: istioio.Inline{
FileName: "create_ns_foo_bar_legacy.sh",
Value: `
set -e
set -u
set -o pipefail
source ${REPO_ROOT}/content/en/docs/tasks/security/authentication/mtls-migration/snips.sh
# create_ns_foo_bar_legacy
snip_set_up_the_cluster_1
snip_set_up_the_cluster_2`,
},
}).
// Wait for pods to start.
Add(istioio.MultiPodWait("foo"),
istioio.MultiPodWait("bar"),
istioio.MultiPodWait("legacy")).
Add(istioio.Script{
Input: istioio.Path("scripts/mtls_migration.txt"),
Input: istioio.Path("scripts/mtls_migration.sh"),
}).
// Cleanup.
Defer(istioio.Script{

18
tests/security/plugin_ca_cert/plugin_ca_cert_test.go
View File

@ -30,28 +30,14 @@ func TestPluginCACert(t *testing.T) {
NewTest(t).
Run(istioio.NewBuilder("tasks__security___plugin_ca_cert").
Add(istioio.Script{
Input: istioio.Inline{
FileName: "create_ns_foo_with_httpbin_sleep.sh",
Value: `
set -e
set -u
set -o pipefail
source ${REPO_ROOT}/content/en/docs/tasks/security/cert-management/plugin-ca-cert/snips.sh
# create_ns_foo_with_httpbin_sleep
snip_deploying_example_services_1
snip_deploying_example_services_2`,
},
}).
// Wait for pods to start.
Add(istioio.MultiPodWait("foo")).
Add(istioio.Script{
Input: istioio.Path("scripts/plugin_ca_cert.txt"),
Input: istioio.Path("scripts/plugin_ca_cert.sh"),
}).
// Cleanup.
Defer(istioio.Script{
Input: istioio.Inline{
FileName: "cleanup.sh",
Value: `
set +e # ignore cleanup errors
source ${REPO_ROOT}/content/en/docs/tasks/security/cert-management/plugin-ca-cert/snips.sh
snip_cleanup_1`,
},

11
tests/security/plugin_ca_cert/scripts/plugin_ca_cert.txt → tests/security/plugin_ca_cert/scripts/plugin_ca_cert.sh
View File

@ -1,4 +1,5 @@
#!/usr/bin/env bash
# shellcheck disable=SC1090,SC2154
# Copyright Istio Authors
#
@ -18,7 +19,15 @@ set -e
set -u
set -o pipefail
source ${REPO_ROOT}/content/en/docs/tasks/security/cert-management/plugin-ca-cert/snips.sh
source "${REPO_ROOT}/content/en/docs/tasks/security/cert-management/plugin-ca-cert/snips.sh"
source "${REPO_ROOT}/tests/util/samples.sh"
# create_ns_foo_with_httpbin_sleep
snip_deploying_example_services_1
snip_deploying_example_services_2
sample_wait_for_deployment foo httpbin
sample_wait_for_deployment foo sleep
# Disable errors, since the next command is expected to return an error.
set +e

25
tests/security/scripts/authz_http.txt → tests/security/scripts/authz_http.sh
View File

@ -1,4 +1,5 @@
#!/usr/bin/env bash
# shellcheck disable=SC1090,SC2154
# Copyright Istio Authors
#
@ -18,7 +19,8 @@ set -e
set -u
set -o pipefail
source ${REPO_ROOT}/content/en/docs/tasks/security/authorization/authz-http/snips.sh
source "${REPO_ROOT}/content/en/docs/tasks/security/authorization/authz-http/snips.sh"
source "${REPO_ROOT}/tests/util/samples.sh"
REPEAT=${REPEAT:-100}
THRESHOLD=${THRESHOLD:-1}
@ -75,31 +77,22 @@ function verify {
fi
done
echo -e "want code ${wantCode} and text: $(printf "%s, " "${wantText[@]}")\ngot: ${lastResponse}\n"
return 1
}
kubectl label namespace default istio-injection=enabled || true
kubectl label namespace default istio-injection=enabled --overwrite
startup_sleep_sample # needed for sending test requests with curl
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
kubectl apply -f samples/bookinfo/networking/destination-rule-all.yaml
# launch the bookinfo app
startup_bookinfo_sample
# TODO: Using reviews-v3 in this test. Should update the doc to do so as well, to make sure ratings request
# are configured when it demonstrates denial of access to the ratings service.
kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-v3.yaml
kubectl apply -f samples/sleep/sleep.yaml
# Wait for the deployments to roll out.
for deploy in "productpage-v1" "details-v1" "ratings-v1" "reviews-v1" "reviews-v2" "reviews-v3" "sleep"; do
if ! kubectl rollout status deployment "$deploy" --timeout 5m
then
echo "$deploy deployment rollout status check failed"
exit 1
fi
done
#istioctl experimental wait --for=distribution VirtualService reviews.default
sleep 5s
snip_configure_access_control_for_workloads_using_http_traffic_1

14
tests/security/scripts/mtls_migration.txt → tests/security/scripts/mtls_migration.sh
View File

@ -1,4 +1,5 @@
#!/usr/bin/env bash
# shellcheck disable=SC1090,SC2154
# Copyright Istio Authors
#
@ -18,7 +19,18 @@ set -e
set -u
set -o pipefail
source ${REPO_ROOT}/content/en/docs/tasks/security/authentication/mtls-migration/snips.sh
source "${REPO_ROOT}/content/en/docs/tasks/security/authentication/mtls-migration/snips.sh"
source "${REPO_ROOT}/tests/util/samples.sh"
# create_ns_foo_bar_legacy
snip_set_up_the_cluster_1
snip_set_up_the_cluster_2
sample_wait_for_deployment foo httpbin
sample_wait_for_deployment foo sleep
sample_wait_for_deployment bar httpbin
sample_wait_for_deployment bar sleep
sample_wait_for_deployment legacy sleep
# curl_foo_bar_legacy
_run_and_verify_same snip_set_up_the_cluster_3 "$snip_set_up_the_cluster_3_out"

2
tests/trafficmanagement/fault_injection_test.go
View File

@ -27,7 +27,7 @@ func TestFaultInjection(t *testing.T) {
NewTest(t).
Run(istioio.NewBuilder("tasks__traffic_management__fault_injection").
Add(istioio.Script{
Input: istioio.Path("scripts/request_routing.sh"),
Input: istioio.Path("scripts/fault_injection.sh"),
}).
Defer(istioio.Script{
Input: istioio.Inline{