From ecda9894f348f901bcfdc39cb9b544b8a254f425 Mon Sep 17 00:00:00 2001
From: David Cheung
Date: Wed, 18 Oct 2023 20:08:57 +0000
Subject: [PATCH] Add test for ingress-asm. * Add test for ingress-asm. Since asm requires a different cluster configuration, we will not use setup_gke_basic.
---
.../cleanup.sh | 64 +++++++++++
.../run-test.sh | 37 +++++++
.../ingress-asm-multi-backendconfig/setup.sh | 104 ++++++++++++++++++
3 files changed, 205 insertions(+)
create mode 100755 ingress/single-cluster/ingress-asm-multi-backendconfig/cleanup.sh
create mode 100755 ingress/single-cluster/ingress-asm-multi-backendconfig/run-test.sh
create mode 100755 ingress/single-cluster/ingress-asm-multi-backendconfig/setup.sh
diff --git a/ingress/single-cluster/ingress-asm-multi-backendconfig/cleanup.sh b/ingress/single-cluster/ingress-asm-multi-backendconfig/cleanup.sh
new file mode 100755
index 00000000..9516d880
--- /dev/null
+++ b/ingress/single-cluster/ingress-asm-multi-backendconfig/cleanup.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+source ./test/test.conf
+test_name="ingress-asm-multi-backendconfig"
+suffix=$(get_hash "${test_name}")
+project=$( gcloud config get-value project 2>&1 | head -n 1 )
+context=$(kubectl config view -o json | jq -r ".contexts[] | select(.name | test(\"-${suffix}\")).name" || true)
+
+if [[ ! -z "${context}" ]]; then
+ ingress_name="cloudarmor-test"
+ fr=$(get_forwarding_rule "${ingress_name}" "${test_name}" "${context}")
+ thp=$(get_target_http_proxy "${ingress_name}" "${test_name}" "${context}")
+ thsp=$(get_target_https_proxy "${ingress_name}" "${test_name}" "${context}")
+ um=$(get_url_map "${ingress_name}" "${test_name}" "${context}")
+ backends=$(get_backends "${ingress_name}" "${test_name}" "${context}")
+ negs=$(get_negs "${context}")
+
+ kubectl --context "${context}" delete \
+ -n "${test_name}" \
+ -f ingress/single-cluster/ingress-asm-multi-backendconfig/backend-services.yaml \
+ -f ingress/single-cluster/ingress-asm-multi-backendconfig/istio-ingressgateway-service.yaml \
+ -f ingress/single-cluster/ingress-asm-multi-backendconfig/asm/samples/gateways/istio-ingressgateway/serviceaccount.yaml \
+ -f ingress/single-cluster/ingress-asm-multi-backendconfig/asm/samples/gateways/istio-ingressgateway/role.yaml \
+ -f ingress/single-cluster/ingress-asm-multi-backendconfig/asm/samples/gateways/istio-ingressgateway/deployment.yaml
+
+ kubectl --context "${context}" label namespace "${test_name}" istio-injection- || true
+ kubectl --context "${context}" delete secret my-cert my-secret -n "${test_name}" || true
+ wait_for_glbc_deletion "${fr}" "${thp}" "${thsp}" "${um}" "${backends}" "${negs}"
+ kubectl --context "${context}" delete namespace "${test_name}" || true
+fi
+
+brand=$(get_or_create_oauth_brand)
+result=( $(get_oauth_client "${brand}" "${test_name}") )
+oauth_client_name="${result[0]}"
+gcloud iap oauth-clients delete "${oauth_client_name}" --brand="${brand}" --quiet || true
+
+rm -rf key.pem \
+ certificate.pem \
+ ingress/single-cluster/ingress-asm-multi-backendconfig/asm \
+ ingress/single-cluster/ingress-asm-multi-backendconfig/asmcli \
+ istio-1.19.3/
+
+# We can still use this cleanup since the cluster is created with the same naming schema.
+cleanup_gke_basic "${test_name}" "${zone}" "${subnet_region}"
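Review bot: In cleanup.sh the multi-file `kubectl --context "${context}" delete ... -f ...` is the one teardown step without `|| true`, so under `set -o errexit` a missing `asm/samples/...` manifest (for example when setup.sh stopped before `asmcli` ran) aborts the script before the OAuth client, `key.pem` and the cluster itself are removed. Ending that command with `deployment.yaml || true`, as the neighbouring deletes do, lets the rest of the cleanup run. Separately, `set -o xtrace` is active while `result=( $(get_oauth_client ...) )` is expanded; setup.sh reads `result[2]` as the client secret, so the trace presumably writes it to the job log here and again at setup.sh's `--from-literal=client_secret="${secret}"`. Bracketing those statements with `set +o xtrace` and `set -o xtrace` would keep the secret out of the logs.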
diff --git a/ingress/single-cluster/ingress-asm-multi-backendconfig/run-test.sh b/ingress/single-cluster/ingress-asm-multi-backendconfig/run-test.sh
new file mode 100755
index 00000000..ea01ca2a
--- /dev/null
+++ b/ingress/single-cluster/ingress-asm-multi-backendconfig/run-test.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+source ./test/test.conf
+test_name="ingress-asm-multi-backendconfig"
+suffix=$(get_hash "${test_name}")
+context=$(kubectl config view -o json | jq -r ".contexts[] | select(.name | test(\"-${suffix}\")).name")
+
+if [[ -z "${context}" ]]; then
+ exit 1
+fi
+
+vip=$(wait_for_ingress_ip "ingressgateway" "${test_name}" "${context}")
+check_http_status "${vip}" 404
+
+kubectl --context "${context}" apply -f ingress/single-cluster/ingress-asm-multi-backendconfig/backend-services.yaml -n "${test_name}"
+check_http_status "${vip}" 200 "host: foo.example.com"
+check_http_status "${vip}" 302 "host: bar.example.com"
diff --git a/ingress/single-cluster/ingress-asm-multi-backendconfig/setup.sh b/ingress/single-cluster/ingress-asm-multi-backendconfig/setup.sh
new file mode 100755
index 00000000..bcf8aa2b
--- /dev/null
+++ b/ingress/single-cluster/ingress-asm-multi-backendconfig/setup.sh
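Review bot: run-test.sh exits with status 1 and no diagnostic beyond the xtrace output when no kube context matches the suffix, so a failed run does not say that setup was skipped or failed; a line such as `echo "no kube context matching -${suffix}; run setup.sh first" >&2` before `exit 1` would make that explicit (setup.sh has the same silent exit). The expected codes 404, 200 and 302 are also asserted without explanation. A short comment above each `check_http_status` call stating why that code is expected, for instance that the 302 on `bar.example.com` is presumably the unauthenticated IAP redirect, would make a future failure easier to triage.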
@@ -0,0 +1,104 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+source ./test/test.conf
+test_name="ingress-asm-multi-backendconfig"
+suffix=$(get_hash "${test_name}")
+
+project=$( gcloud config get-value project 2>&1 | head -n 1 )
+resource_name="gke-net-recipes-${suffix}"
+network="${resource_name}"
+subnet="${resource_name}"
+instance="${resource_name}"
+cluster="${resource_name}"
+gcloud compute networks create "${network}" --subnet-mode="custom"
+gcloud compute networks subnets create "${subnet}" \
+ --network="${network}" \
+ --region="${subnet_region}" \
+ --range="10.1.2.0/24"
+gcloud compute instances create "${instance}" \
+ --zone="${zone}" \
+ --network="${network}" \
+ --subnet="${subnet}" \
+ --image-family="debian-11" \
+ --image-project="debian-cloud" \
+ --tags="allow-ssh"
+gcloud container clusters create "${cluster}" \
+ --zone="${zone}" \
+ --enable-ip-alias \
+ --machine-type="e2-standard-4" \
+ --workload-pool="${project}.svc.id.goog" \
+ --release-channel rapid \
+ --network="${network}" \
+ --subnetwork="${subnet}"
+gcloud container clusters get-credentials "${cluster}" --zone="${zone}"
+context=$(kubectl config view -o json | jq -r ".contexts[] | select(.name | test(\"-${suffix}\")).name")
+
+if [[ -z "${context}" ]]; then
+ exit 1
+fi
+
+kubectl --context "${context}" create namespace "${test_name}"
+
+curl -L https://istio.io/downloadIstio | sh -
+export PATH=$PWD/istio-1.19.3/bin:$PATH
+istioctl install --set profile=demo -y
+
+asmcli="ingress/single-cluster/ingress-asm-multi-backendconfig/asmcli"
+curl https://storage.googleapis.com/csm-artifacts/asm/asmcli_1.18 > "${asmcli}"
+chmod +x "${asmcli}"
+
+# Answer y during installation.
+echo "y" | ./"${asmcli}" install \
+ --project_id "${project}" \
+ --cluster_location us-west1-a \
+ --cluster_name "${cluster}" \
+ --enable_all \
+ --output_dir "ingress/single-cluster/ingress-asm-multi-backendconfig/asm"
+
+brand=$(get_or_create_oauth_brand)
+result=( $(get_oauth_client "${brand}" "${test_name}") )
+client_id="${result[1]}"
+secret="${result[2]}"
+
+kubectl --context "${context}" create secret generic my-secret \
+ --from-literal=client_id="${client_id}" \
+ --from-literal=client_secret="${secret}" \
+ -n "${test_name}"
+
+openssl req -newkey rsa:2048 -nodes \
+ -keyout key.pem -x509 \
+ -days 365 -out certificate.pem \
+ -subj "/CN=foo.example.com" \
+ -addext "subjectAltName=DNS:foo.example.com,DNS:bar.example.com"
+kubectl --context "${context}" create secret tls my-cert \
+ --key=key.pem \
+ --cert=certificate.pem \
+ -n "${test_name}"
+
+kubectl --context "${context}" label namespace "${test_name}" istio-injection=enabled --overwrite
+kubectl --context "${context}" apply \
+ -n "${test_name}" \
+ -f ingress/single-cluster/ingress-asm-multi-backendconfig/asm/samples/gateways/istio-ingressgateway/serviceaccount.yaml \
+ -f ingress/single-cluster/ingress-asm-multi-backendconfig/asm/samples/gateways/istio-ingressgateway/role.yaml \
+ -f ingress/single-cluster/ingress-asm-multi-backendconfig/asm/samples/gateways/istio-ingressgateway/deployment.yaml \
+ -f ingress/single-cluster/ingress-asm-multi-backendconfig/istio-ingressgateway-service.yaml
\ No newline at end of file
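Review bot: Both installers in setup.sh are downloaded and executed without a version pin or an integrity check. `curl -L https://istio.io/downloadIstio | sh -` takes whatever release the script currently defaults to while the next line hard-codes `istio-1.19.3/bin`, and the `asmcli_1.18` fetch uses plain `curl`, which exits 0 on an HTTP error, so an error body would be made executable and run. Pinning the first as `curl -fsSL https://istio.io/downloadIstio | ISTIO_VERSION=1.19.3 sh -`, and fetching the second with `curl --fail --silent --show-error` followed by a comparison against a checksum recorded in the repo before `chmod +x`, would close both gaps. `--cluster_location us-west1-a` is also hard-coded although the cluster is created with `--zone="${zone}"`; `--cluster_location "${zone}"` keeps the two consistent if test.conf changes.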