Backport 1.17: Remove Istio trust domain (#9749)
* Remove Istio trust domain (#9713) * add trust domain * changelog * tests * fix test name * add to workflow * Adding changelog file to new location * Deleting changelog file from old location * rebalance tests, fix helm * update workflow with numbers for loadbalancing between e2e test clusters * pr feedback * update gateway proxies to be disabled for k8s gateway e2e tests * cleanup istio install, remove old trust domain tests * fix merge * minimal ci change * fix test name * fix glooctl test helm chart * fix istio edge gw manifest * fix configmap template * Adding changelog file to new location * Deleting changelog file from old location * missing gatewayProxy * t.Error * Adding changelog file to new location * Deleting changelog file from old location --------- Co-authored-by: changelog-bot <changelog-bot> Co-authored-by: soloio-bulldozer[bot] <48420018+soloio-bulldozer[bot]@users.noreply.github.com> * move changelog --------- Co-authored-by: soloio-bulldozer[bot] <48420018+soloio-bulldozer[bot]@users.noreply.github.com> Co-authored-by: Jacob Bohanon <[email protected]>
1 parent
cb2b470
commit 3067c26
Showing
24 changed files
with
359 additions
and
30 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
changelog: | ||
- type: NON_USER_FACING | ||
issueLink: https://github.com/solo-io/solo-projects/issues/6472 | ||
resolvesIssue: false | ||
description: | | ||
Remove ---trust-domain arg for Istio agent proxy. Envoy no longer runs by default and this is not used by the | ||
istio-proxy for the CSR request. |
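--- a/test/kubernetes/e2e/tests/manifests/istio-revision-helm.yaml
+++ b/test/kubernetes/e2e/tests/manifests/istio-revision-helm.yaml
@@ -0,0 +1,48 @@
+global:
+# Set up gloo with istio integration enabled (through `enableIstioSidecarOnGateway`)
+istioIntegration:
+enableIstioSidecarOnGateway: true
+disableAutoinjection: true # We do not want Gloo components to be included in the mesh
+istioSDS:
+enabled: true
+glooMtls:
+istioProxy:
+image:
+repository: proxyv2
+registry: docker.io/istio
+tag: 1.22.0 # This tag has to match the version of Istio being used in the test
+podSecurityStandards:
+container:
+enableRestrictedContainerDefaults: true
+gloo:
+logLevel: info
+disableLeaderElection: true
+deployment:
+# We have limited GitHub action resources which can cause containers to not create
+# therefore we lessen the cpu resource requests values from the default (500m) to 100m.
+resources:
+requests:
+cpu: 100m
+memory: 256Mi
+gatewayProxies:
+gatewayProxy:
+istioDiscoveryAddress: istiod-1-22-1.istio-system.svc:15012 # this needs to be set for Istio integration to work with revisions
+podTemplate:
+resources:
+requests:
+cpu: 100m
+memory: 256Mi
+healthyPanicThreshold: 0
+
+# These values are recommended production values and are not expected to impact tested behavior for the Istio suite
+settings:
+invalidConfigPolicy:
+replaceInvalidRoutes: true
+invalidRouteResponseCode: 404
+invalidRouteResponseBody: Gloo Gateway has invalid configuration.
+gateway:
+persistProxySpec: true
+logLevel: info
+validation:
+allowWarnings: true
+alwaysAcceptResources: false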
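Review bot: The proxy image is pinned to `tag: 1.22.0` with a comment that it has to match the Istio version under test, yet `istioDiscoveryAddress` points at `istiod-1-22-1.istio-system.svc:15012`, which reads like a 1.22.1 revision. If the installer (not visible on this page) deploys 1.22.1, the sidecar and the control plane are skewed and the comment is no longer true; if the revision label is only a name, the comment should say so. I would add `# keep in sync with the revision installed by InstallRevisionedIstio` on the discovery address line and align the tag with whatever that helper installs. The same hard-coded address appears in istio-revision-k8s-gateway.yaml, so a revision bump has to touch both manifests and the installer together.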
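--- a/test/kubernetes/e2e/tests/manifests/istio-revision-k8s-gateway.yaml
+++ b/test/kubernetes/e2e/tests/manifests/istio-revision-k8s-gateway.yaml
@@ -0,0 +1,51 @@
+global:
+# Set up gloo with istio integration enabled
+istioIntegration:
+enabled: true
+enableAutoMtls: false # Automtls is disabled in this test setup
+image:
+pullPolicy: IfNotPresent
+# Note: glooRbac.namespaced settings are not supported with Gloo Gateway https://github.com/solo-io/solo-projects/issues/6064
+# Gateway API fundamentally expects HTTPRoutes and Gateways in any namespace and cross-namespace references to be supported
+# Currently we are explicitly disabled namespaced roles for Gloo Gateway tests, but this can be left unset.
+glooRbac:
+namespaced: false
+settings:
+# Gloo Gateway requires access to namespaces outside of the install namespace to watch and create Gateway resources
+# singleNamespace=false must be set for namespace watch to work correctly. See: https://github.com/solo-io/solo-projects/issues/6058
+singleNamespace: false
+create: true
+invalidConfigPolicy:
+replaceInvalidRoutes: true
+invalidRouteResponseCode: 404
+invalidRouteResponseBody: Gloo Gateway has invalid configuration.
+gateway:
+persistProxySpec: false
+logLevel: info
+validation:
+allowWarnings: true
+alwaysAcceptResources: false
+# skipping delete validation due to flakes per https://github.com/solo-io/solo-projects/issues/6272
+webhook:
+skipDeleteValidationResources:
+- upstreams
+kubeGateway:
+# This is the field that enables the K8s Gateway Integration in Gloo Gateway
+enabled: true
+gatewayParameters:
+glooGateway:
+istio:
+istioProxyContainer:
+istioDiscoveryAddress: istiod-1-22-1.istio-system.svc:15012 # this needs to be set for Istio integration to work with revisions
+gloo:
+logLevel: info
+disableLeaderElection: true
+deployment:
+replicas: 1
+livenessProbeEnabled: true
+gatewayProxies:
+gatewayProxy:
+disabled: true
+# Disable discovery, not recommended for production
+discovery:
+enabled: false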
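Review bot: The comment on `enableAutoMtls: false # Automtls is disabled in this test setup` restates the value without giving the reason, and the reason matters in a commit that removes the trust-domain argument. With auto mTLS off, this installation presumably does not exercise the workload-certificate path, so it would not catch a regression there. I would say why it is off and where mTLS is covered, for example `# auto mTLS is off here; the mTLS path is covered by <suite name>`. The `skipDeleteValidationResources` entry cites the flake issue but not that it relaxes the validation webhook, so a short `# test-only workaround, do not copy into production values` would help anyone reusing this file as a template.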
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,76 @@ | ||
package tests_test | ||
|
||
import ( | ||
"context" | ||
"log" | ||
"path/filepath" | ||
"testing" | ||
"time" | ||
|
||
"github.com/solo-io/gloo/test/kubernetes/e2e" | ||
. "github.com/solo-io/gloo/test/kubernetes/e2e/tests" | ||
"github.com/solo-io/gloo/test/kubernetes/testutils/gloogateway" | ||
"github.com/solo-io/gloo/test/kubernetes/testutils/helper" | ||
|
||
"github.com/solo-io/skv2/codegen/util" | ||
) | ||
|
||
// TestRevisionIstioRegression is the function which executes a series of tests against a given installation where | ||
// the k8s Gateway controller is disabled and the deprecated Istio integration values are used to check for regressions | ||
func TestRevisionIstioRegression(t *testing.T) { | ||
ctx := context.Background() | ||
testInstallation := e2e.CreateTestInstallation( | ||
t, | ||
&gloogateway.Context{ | ||
InstallNamespace: "istio-rev-regression-test", | ||
ValuesManifestFile: filepath.Join(util.MustGetThisDir(), "manifests", "istio-revision-helm.yaml"), | ||
}, | ||
) | ||
|
||
testHelper := e2e.MustTestHelper(ctx, testInstallation) | ||
|
||
err := testInstallation.AddIstioctl(ctx) | ||
if err != nil { | ||
log.Printf("failed to add istioctl: %v\n", err) | ||
// immediately stop if Istio installation fails | ||
t.Error() | ||
} | ||
|
||
// We register the cleanup function _before_ we actually perform the installation. | ||
// This allows us to uninstall Gloo Gateway, in case the original installation only completed partially | ||
t.Cleanup(func() { | ||
if t.Failed() { | ||
testInstallation.PreFailHandler(ctx) | ||
|
||
// Generate istioctl bug report | ||
testInstallation.CreateIstioBugReport(ctx) | ||
} | ||
|
||
testInstallation.UninstallGlooGateway(ctx, func(ctx context.Context) error { | ||
return testHelper.UninstallGlooAll() | ||
}) | ||
|
||
// Uninstall Istio | ||
err = testInstallation.UninstallIstio() | ||
if err != nil { | ||
log.Printf("failed to uninstall: %v\n", err) | ||
// immediately stop if Istio installation fails | ||
t.Error() | ||
} | ||
}) | ||
|
||
// Install Istio before Gloo Gateway to make sure istiod is present before istio-proxy | ||
err = testInstallation.InstallRevisionedIstio(ctx) | ||
if err != nil { | ||
log.Printf("failed to install: %v\n", err) | ||
// immediately stop if Istio installation fails | ||
t.Error() | ||
} | ||
|
||
// Install Gloo Gateway with only Edge APIs enabled | ||
testInstallation.InstallGlooGateway(ctx, func(ctx context.Context) error { | ||
return testHelper.InstallGloo(ctx, 5*time.Minute, helper.WithExtraArgs("--values", testInstallation.Metadata.ValuesManifestFile)) | ||
}) | ||
|
||
RevisionIstioEdgeGatewaySuiteRunner().Run(ctx, t, testInstallation) | ||
} |
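Review bot: The three `t.Error()` calls sit under the comment `// immediately stop if Istio installation fails`, but `t.Error` only marks the test as failed and lets it continue, so a failed `AddIstioctl` or `InstallRevisionedIstio` still goes on to install Gloo Gateway and run the suite against a cluster without a working istiod. For the two setup steps, `t.Fatalf("failed to install revisioned Istio: %v", err)` stops the test, still runs the registered cleanup, and puts the error in the test's own output rather than the process-wide `log`. Inside `t.Cleanup` the copied comment does not fit an uninstall; there `t.Errorf("failed to uninstall Istio: %v", err)` is the appropriate call, and `if err := testInstallation.UninstallIstio(); err != nil {` avoids assigning to the outer `err` captured by the closure.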