internal encryption e2e tests #14092
Conversation
knative-prow
bot
added
do-not-merge/work-in-progress
knative-prow
bot
added
area/autoscale
area/networking
area/test-and-release
KauzClay
force-pushed
the
ck-internal-encryption-e2e-tests
branch
from
a6ca6fa
to
ed90501
Compare
knative-prow
bot
added
size/XL
KauzClay
force-pushed
the
ck-internal-encryption-e2e-tests
branch
5 times, most recently
from
c0c3824
to
a99da3c
Compare
knative-prow
bot
added
size/L
KauzClay
force-pushed
the
ck-internal-encryption-e2e-tests
branch
from
a99da3c
to
f83b492
Compare
Codecov ReportAll modified lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #14092 +/- ##
==========================================
+ Coverage 86.04% 86.10% +0.06%
==========================================
Files 196 196
Lines 14880 14887 +7
==========================================
+ Hits 12803 12818 +15
+ Misses 1764 1759 -5
+ Partials 313 310 -3
☔ View full report in Codecov by Sentry. |
KauzClay
force-pushed
the
ck-internal-encryption-e2e-tests
branch
from
f83b492
to
380eb72
Compare
|
@evankanderson this is an attempt at the idea you shared during a past Security WG meeting. |
knative-prow
bot
added
size/XL
KauzClay
force-pushed
the
ck-internal-encryption-e2e-tests
branch
2 times, most recently
from
73c1f11
to
db3ca6f
Compare
| if isTLS { | ||
| pkgmetrics.Record(reporterCtx, tlsConnectionCountM.M(1)) | ||
| } |
There was a problem hiding this comment.
Rather than reporting a second metric, how about adding a tag to the existing metric, ala:
securityMode := // get security mode from context
reporterCtx, _ := tag.New(reporterCtx, tag.Upsert(SecurityMode, securityMode))That will also provide a tag which you can use to check the mutual-TLS mode when it's implemented, and doesn't need to expose an extra metric.
There was a problem hiding this comment.
ah cool, I didn't know about tags. That makes sense, this will be easier to expand when the rest of the trust levels are implemented.
I'll make a first attempt at this where I pass the trustmode into the MetricHandler creation, instead of pulling it from Context.
As far as I understand, the activator doesn't have a watcher for the config-network configmap, so I don't think you can pull it from the context. And I'm less confident about changing that right now.
There was a problem hiding this comment.
ah, now it does have that ability, so I can probably pull from context now: #13694
nevermind, that is about certs, not the configuration itself
pkg/activator/handler/metrics.go
Outdated
| Description: "The number of requests that the Activator handles with TLS", | ||
| Measure: tlsConnectionCountM, | ||
| Aggregation: view.Count(), | ||
| TagKeys: []tag.Key{metrics.PodKey, metrics.ContainerKey, metrics.ResponseCodeKey, metrics.ResponseCodeClassKey}, |
There was a problem hiding this comment.
If you take my tagging suggestion, You'd need to add the SecurityMode to requestCountM. I'd add it to responseTimeInMsecM as well (and maybe requestConcurrencyM), to allow comparing request latency for TLS and non-TLS if we decide to do that some day.
| source $(dirname $0)/e2e-common.sh | ||
|
|
||
| function setup_internal_encryption_env_variables() { | ||
| export TLS_TEST_NAMESPACE="tls" | ||
|
|
||
| local INGRESS_NAMESPACE=${GATEWAY_NAMESPACE_OVERRIDE} | ||
| if [[ -z "${GATEWAY_NAMESPACE_OVERRIDE}" ]]; then | ||
| INGRESS_NAMESPACE="istio-system" | ||
| fi | ||
| local INGRESS_SERVICE=${GATEWAY_OVERRIDE} | ||
| if [[ -z "${GATEWAY_OVERRIDE}" ]]; then | ||
| INGRESS_SERVICE="istio-ingressgateway" | ||
| fi | ||
| local IP=$(kubectl get svc -n ${INGRESS_NAMESPACE} ${INGRESS_SERVICE} -o jsonpath="{.status.loadBalancer.ingress[0].ip}") | ||
| export INTERNAL_ENCRYPTION_TEST_INGRESS_IP=${IP} | ||
| } | ||
|
|
||
| function setup_internal_encryption() { | ||
| toggle_feature dataplane-trust enabled config-network | ||
|
|
||
| sleep 5 | ||
|
|
||
| # with the current implementation, Activator is always in the request path, and needs to be restarted after configuring dataplane-trust | ||
| kubectl -n ${SYSTEM_NAMESPACE} delete pod -l app=activator | ||
| } | ||
|
|
||
| function cleanup_internal_encryption() { | ||
| toggle_feature dataplane-trust disabled config-network | ||
|
|
||
| sleep 5 | ||
|
|
||
| # with the current implementation, Activator is always in the request path, and needs to be restarted after configuring dataplane-trust | ||
| kubectl -n ${SYSTEM_NAMESPACE} delete pod -l app=activator | ||
| } | ||
|
|
||
| # Script entry point. | ||
| initialize "$@" --skip-istio-addon --min-nodes=4 --max-nodes=4 --enable-ha --cluster-version=1.25 | ||
|
|
||
| # Run the tests | ||
| header "Running tests" | ||
|
|
||
| failed=0 | ||
|
|
||
| # Currently only Contour and Kourier implement the alpha features. | ||
| alpha="" | ||
| if [[ "${INGRESS_CLASS}" == "contour.ingress.networking.knative.dev" || "${INGRESS_CLASS}" == "kourier.ingress.networking.knative.dev" ]]; then | ||
| alpha="--enable-alpha" | ||
| fi | ||
|
|
||
| INTERNAL_ENCRYPTION_TEST_OPTIONS="${INTERNAL_ENCRYPTION_TEST_OPTIONS:-${alpha} --enable-beta}" | ||
|
|
||
| # Auto TLS E2E tests mutate the cluster and must be ran separately | ||
| # because they need auto-tls and cert-manager specific configurations | ||
| subheader "Setup internal encryption" | ||
| setup_internal_encryption | ||
| add_trap "cleanup_internal_encryption" EXIT SIGKILL SIGTERM SIGQUIT |
There was a problem hiding this comment.
Eeep... any way this could be less shell, or have a little block explaining why it's shell?
There was a problem hiding this comment.
(Maybe "see the README" is sufficient...)
There was a problem hiding this comment.
ah yeah, this part was one I wasn't so sure on. I was under the impression you needed a script like this if you needed to change a config on the test cluster (like setting dataplane-trust), so I just tried to base things on the auto-tls tests.
But I'll be honest, I don't completely understand how that script ties into the rest of the tooling so that the tests actually run.
There was a problem hiding this comment.
okay, I got a little clarification, and I think I can move the core behavior here into the e2e-tests.sh file, and get rid of the file itself.
|
|
||
| In order to test Internal Encryption, this test looks at `tls_connection_count` metrics from the Activator and QueueProxy. | ||
|
|
||
| The `metricsreader` test image [here](../../test_images/metricsreader/README.md) was created for this purpose. Given the PodIPs of the Activator and the Knative Service pod (i.e. the QueueProxy), it will make requests to each respective `/metrics` endpoint, pull out the `*_tls_connection_count` metric, and respond with the value. |
There was a problem hiding this comment.
Can metricsreader find the pods using label queries and/or DNS queries (if the services are headless services -- I don't know if / how that would perturb the rest of Knative, though.)
There was a problem hiding this comment.
Hmm I'm not sure I'm following. Are you suggesting that the metricsreader image itself gets the IPs, rather than gathering that info as part of the test code?
Right now, I have the test getting that info, since it seemed easier to test and make sure everything was up and ready. My initial intention was to make the metricsreader image do as little as possible.
KauzClay
force-pushed
the
ck-internal-encryption-e2e-tests
branch
from
432196e
to
b443b09
Compare
* also only run for Contour and Kourier right now
* was having some bash issues with properly interpretting the patch
* we have switched to system-internal-tls
|
/test kourier-stable |
KauzClay
force-pushed
the
ck-internal-encryption-e2e-tests
branch
from
3f255b2
to
bf69494
Compare
|
/retest |
|
/test kourier-stable |
|
/lgtm Thank you 🎉 |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: KauzClay, nak3 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
knative-prow
bot
added
the
approved
|
/retest |
Fixes #14367
Proposed Changes
Release Note