gateway-api: enable mutual tls test (#12156)

* gateway-api: enable mutual tls test

* verify_failure should retry

* fix

content/en/docs/tasks/traffic-management/ingress/ingress-control/index.md

@@ -24,7 +24,7 @@ This task describes how to configure Istio to expose a service outside of the se
 
     {{< tip >}}
     If you are going to use the `Gateway API` instructions, you can install Istio using the `minimal`
-    profile, because you will not need the `istio-ingressgateway`, which is otherwise installed
+    profile because you will not need the `istio-ingressgateway` which is otherwise installed
     by default:
 
     {{< text bash >}}

content/en/docs/tasks/traffic-management/ingress/secure-ingress/test.sh

@@ -110,12 +110,9 @@ else
     _wait_for_istio gateway default mygateway
 fi
 
-if [ "$GATEWAY_API" != "true" ]; then 
-    _verify_failure snip_configure_a_mutual_tls_ingress_gateway_4
+_verify_failure snip_configure_a_mutual_tls_ingress_gateway_4
 
-    _verify_elided snip_configure_a_mutual_tls_ingress_gateway_5 "$snip_configure_a_mutual_tls_ingress_gateway_5_out"
-fi
-# TODO ^^^ Mutual tls is currently not working with gateway API. Remove above guard when fixed.
+_verify_elided snip_configure_a_mutual_tls_ingress_gateway_5 "$snip_configure_a_mutual_tls_ingress_gateway_5_out"
 
 # @cleanup
 if [ "$GATEWAY_API" != "true" ]; then

tests/util/verify.sh

@@ -251,6 +251,17 @@ __cmp_lines() {
     return 0
 }
 
+# Returns 0 if the command failed to execute.  Otherwise, returns 1.
+__cmp_failure() {
+    local funcret=$3
+
+    if [[ "$funcret" -eq 0 ]]; then
+        return 1
+    fi
+
+    return 0
+}
+
 # Verify the output of $func is the same as $expected.  If they are not the same,
 # retry every second, up to 2 minutes by default. The delay between retries as
 # well as the timeout can be configured by setting the VERIFY_DELAY and
@@ -262,7 +273,7 @@ __cmp_lines() {
 # $1: output comparison function (required).
 # $2: function to be executed periodically (required).
 # $3: expected output (required).
-# $5: fail on error. If a non-empty string, will restore the failure status upon error.
+# $4: fail on error. If a non-empty string, will restore the failure status upon error.
 __verify_with_retry() {
     local cmp_func=$1
     local func=$2
@@ -296,7 +307,7 @@ __verify_with_retry() {
         # shellcheck disable=SC2001
         out=$(sed 's/[[:space:]]*$//g' <<< "$out")
 
-        $cmp_func "$out" "$expected"
+        $cmp_func "$out" "$expected" "$funcret"
         local cmpret="$?"
 
         if [[ "$cmpret" -eq 0 ]]; then
@@ -362,7 +373,7 @@ _verify_not_contains() {
     local expected=$2
     # __cmp_not_contains will return true even if func fails. Pass failonerr arg
     # to tell __verify_with_retry to fail in this case instead.
-    __verify_with_retry __cmp_not_contains "$func" "$expected" 1 "true"
+    __verify_with_retry __cmp_not_contains "$func" "$expected" "true"
 }
 
 # Runs $func and compares the output with $expected.  If the output does not
@@ -448,19 +459,5 @@ _verify_lines() {
 # for testing commands that demonstrate configurations that are expected to fail.
 _verify_failure() {
     local func=$1
-    local errexit_state
-
-    errexit_state="$(shopt -po errexit || true)"
-    set +e
-
-    # Run the command.
-    out=$($func 2>&1)
-    local funcret="$?"
-
-    # Restore the "errexit" state.
-    eval "$errexit_state"
-
-    if [[ "$funcret" -eq 0 ]]; then
-        __err_exit "$func" "$out" "NON-ZERO COMMAND EXIT STATUS"
-    fi
-}
+    __verify_with_retry __cmp_failure "$func" "NON-ZERO COMMAND EXIT STATUS"
+}