Add additional tests for ingress recipes.

* Add ingress-cloudarmor test.
* Add ingress-custom-default-backend test.
* Add ingress-https test.
* Add ingress-nginx test.

ingress/single-cluster/ingress-cloudarmor/cleanup.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+source ./test.conf
+test_name="ingress-cloudarmor"
+suffix=$(get_hash "${test_name}")
+context=$(kubectl config view -o json | jq -r ".contexts[] | select(.name | test(\"-${suffix}\")).name")
+
+resource_yaml="ingress/single-cluster/ingress-cloudarmor/cloudarmor-ingress.yaml"
+policy_name="allow-my-ip"
+
+kubectl --context "${context}" delete -f "${resource_yaml}" -n "${test_name}" || true
+kubectl --context "${context}" delete namespace "${test_name}" || true
+wait_for_glbc_deletion "cloudarmor-test" "${test_name}"
+
+sed -i'.bak' "s/${policy_name}/\$POLICY_NAME/g" "${resource_yaml}"
+rm -f "${resource_yaml}".bak
+gcloud compute security-policies delete "${policy_name}" --quiet || true
+
+cleanup_gke_basic "${test_name}" "${zone}" "${subnet_region}"

ingress/single-cluster/ingress-cloudarmor/run-test.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+source ./test.conf
+test_name="ingress-cloudarmor"
+suffix=$(get_hash "${test_name}")
+context=$(kubectl config view -o json | jq -r ".contexts[] | select(.name | test(\"-${suffix}\")).name")
+
+vip=$(wait_for_ingress_ip "cloudarmor-test" "${test_name}" "${context}")
+echo "Load balancer IP is ${vip}"
+
+check_http_status "${vip}/whereami" 200
+check_http_status "${vip}" 404
+check_http_status "${vip}/whereami" 502 "" "${test_name}" "${zone}"
+check_http_status "${vip}" 404 "" "${test_name}" "${zone}"

ingress/single-cluster/ingress-cloudarmor/setup.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+source ./test.conf
+test_name="ingress-cloudarmor"
+setup_gke_basic "${test_name}" "${zone}" "${subnet_region}"
+suffix=$(get_hash "${test_name}")
+context=$(kubectl config view -o json | jq -r ".contexts[] | select(.name | test(\"-${suffix}\")).name")
+
+resource_yaml="ingress/single-cluster/ingress-cloudarmor/cloudarmor-ingress.yaml"
+kubectl --context "${context}" create namespace "${test_name}"
+
+currentIP=$(curl -s ifconfig.me)
+policy_name="allow-my-ip"
+gcloud compute security-policies create "${policy_name}"
+gcloud compute security-policies rules update 2147483647  --security-policy "${policy_name}" --action "deny-502" # Update the default policy(2147483647 is the priority value for default rule).
+gcloud compute security-policies rules create 1000 --security-policy "${policy_name}" --src-ip-ranges "${currentIP}" --action "allow"
+sed -i'.bak' "s/\$POLICY_NAME/${policy_name}/g" "${resource_yaml}"
+
+kubectl --context "${context}" apply -f "${resource_yaml}" -n "${test_name}"

ingress/single-cluster/ingress-custom-default-backend/cleanup.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+source ./test.conf
+test_name="ingress-custom-default-backend"
+suffix=$(get_hash "${test_name}")
+context=$(kubectl config view -o json | jq -r ".contexts[] | select(.name | test(\"-${suffix}\")).name")
+
+resource_yaml="ingress/single-cluster/ingress-custom-default-backend/ingress-custom-default-backend.yaml"
+
+kubectl --context "${context}" delete -f "${resource_yaml}" -n "${test_name}" || true
+kubectl --context "${context}" delete namespace "${test_name}" || true
+wait_for_glbc_deletion "foo-internal" "${test_name}"
+
+cleanup_gke_basic "${test_name}" "${zone}" "${subnet_region}"

ingress/single-cluster/ingress-custom-default-backend/run-test.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+source ./test.conf
+test_name="ingress-custom-default-backend"
+suffix=$(get_hash "${test_name}")
+context=$(kubectl config view -o json | jq -r ".contexts[] | select(.name | test(\"-${suffix}\")).name")
+
+vip=$(wait_for_ingress_ip "foo-internal" "${test_name}" "${context}")
+echo "Load balancer IP is ${vip}"
+
+check_http_status "${vip}/foo" 200 "" "${test_name}" "${zone}"
+check_http_status "${vip}/bar" 200 "" "${test_name}" "${zone}"

ingress/single-cluster/ingress-custom-default-backend/setup.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+source ./test.conf
+test_name="ingress-custom-default-backend"
+setup_gke_basic "${test_name}" "${zone}" "${subnet_region}"
+setup_ilb "${test_name}" "${subnet_region}"
+suffix=$(get_hash "${test_name}")
+context=$(kubectl config view -o json | jq -r ".contexts[] | select(.name | test(\"-${suffix}\")).name")
+
+resource_yaml="ingress/single-cluster/ingress-custom-default-backend/ingress-custom-default-backend.yaml"
+kubectl --context "${context}" create namespace "${test_name}"
+
+kubectl --context "${context}" apply -f "${resource_yaml}" -n "${test_name}"

ingress/single-cluster/ingress-https/cleanup.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+source ./test.conf
+test_name="ingress-https"
+suffix=$(get_hash "${test_name}")
+context=$(kubectl config view -o json | jq -r ".contexts[] | select(.name | test(\"-${suffix}\")).name")
+
+resource_yaml="ingress/single-cluster/ingress-https/secure-ingress.yaml"
+
+kubectl --context "${context}" delete -f "${resource_yaml}" -n "${test_name}" || true
+kubectl --context "${context}" delete namespace "${test_name}" || true
+wait_for_glbc_deletion "secure-ingress" "${test_name}"
+
+sed -i'.bak' "s/${https_record1}/foo.\${DOMAIN}.com/g" "${resource_yaml}"
+sed -i'.bak' "s/${https_record2}/bar.\${DOMAIN}.com/g" "${resource_yaml}"
+rm -f "${resource_yaml}".bak
+gcloud compute ssl-policies delete gke-ingress-ssl-policy --quiet || true
+gcloud compute addresses delete --global gke-foobar-public-ip --quiet || true
+gcloud dns --project="${dns_project}" record-sets delete "${https_record1}" --zone="${dns_zone}" --type="A" || true
+gcloud dns --project="${dns_project}" record-sets delete "${https_record2}" --zone="${dns_zone}" --type="A" || true
+
+cleanup_gke_basic "${test_name}" "${zone}" "${subnet_region}"

ingress/single-cluster/ingress-https/run-test.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+source ./test.conf
+test_name="ingress-https"
+suffix=$(get_hash "${test_name}")
+context=$(kubectl config view -o json | jq -r ".contexts[] | select(.name | test(\"-${suffix}\")).name")
+
+vip=$(wait_for_ingress_ip "secure-ingress" "${test_name}" "${context}")
+echo "Load balancer IP is ${vip}"
+
+wait_for_managed_cert "foobar-certificate" "ingress-https" "${context}"
+
+check_http_status "https://${https_record1}" 200
+check_http_status "https://${https_record2}" 200
+check_http_status "http://${https_record1}" 301
+check_http_status "http://${https_record2}" 301

ingress/single-cluster/ingress-https/setup.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+source ./test.conf
+test_name="ingress-https"
+setup_gke_basic "${test_name}" "${zone}" "${subnet_region}"
+suffix=$(get_hash "${test_name}")
+context=$(kubectl config view -o json | jq -r ".contexts[] | select(.name | test(\"-${suffix}\")).name")
+
+resource_yaml="ingress/single-cluster/ingress-https/secure-ingress.yaml"
+kubectl --context "${context}" create namespace "${test_name}"
+
+static_ip_name=gke-foobar-public-ip
+gcloud compute addresses create --global "${static_ip_name}"
+static_ip=$(gcloud compute addresses describe --global "${static_ip_name}" --format="value(address)")
+gcloud compute ssl-policies create gke-ingress-ssl-policy --profile MODERN --min-tls-version 1.2
+
+gcloud dns --project="${dns_project}" record-sets create "${https_record1}" --zone="${dns_zone}" --type="A" --ttl="14400" --rrdatas="${static_ip}"
+gcloud dns --project="${dns_project}" record-sets create "${https_record2}" --zone="${dns_zone}" --type="A" --ttl="14400" --rrdatas="${static_ip}"
+
+sed -i'.bak' "s/foo.\${DOMAIN}.com/${https_record1}/g" "${resource_yaml}"
+sed -i'.bak' "s/bar.\${DOMAIN}.com/${https_record2}/g" "${resource_yaml}"
+kubectl --context "${context}" apply -f "${resource_yaml}" -n "${test_name}"

ingress/single-cluster/ingress-nginx/README.md

@@ -19,10 +19,12 @@ GKE allows customers to deploy their own Ingress Controllers instead of the stan
 - 1.16.5-gke.1 and later.
 
 
+## Note
+NGINX is not one of the GKE offering, this is just an exmaple of using custom controller.
 
 ### Networking Manifests
 
-In this example an internal Ingress resource matches for HTTP traffic with `foo.example.com`  for path `/foo`  and sends it to the `foo` Service at port 8080. A public IP address is automatically provisioned by the Ngnix controller which listens for traffic on port 8080. The Ingress resource below shows that there is one host match. Any traffic which does not match this is sent to the default backend to provide 404 responses.
+In this example an external Ingress resource matches for HTTP traffic with `foo.example.com`  for path `/foo`  and sends it to the `foo` Service at port 8080. A public IP address is automatically provisioned by the Ngnix controller which listens for traffic on port 8080. The Ingress resource below shows that there is one host match. Any traffic which does not match this is sent to the default backend to provide 404 responses.
 
 
 ```yaml

ingress/single-cluster/ingress-nginx/cleanup.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+source ./test.conf
+test_name="ingress-nginx"
+suffix=$(get_hash "${test_name}")
+context=$(kubectl config view -o json | jq -r ".contexts[] | select(.name | test(\"-${suffix}\")).name")
+
+resource_yaml="ingress/single-cluster/ingress-nginx/ingress-nginx.yaml"
+
+kubectl --context "${context}" delete -f "${resource_yaml}" -n "${test_name}" || true
+
+kubectl --context "${context}" delete -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/cloud/deploy.yaml || true
+kubectl --context "${context}" delete clusterrolebinding cluster-admin-binding || true
+
+kubectl --context "${context}" delete namespace "${test_name}" || true
+wait_for_glbc_deletion "foo-external" "${test_name}"
+
+cleanup_gke_basic "${test_name}" "${zone}" "${subnet_region}"