From 704a275c5f3ba2af9af0d16316c218fe4731318c Mon Sep 17 00:00:00 2001 From: Shriram Rajagopalan Date: Tue, 3 Jul 2018 17:33:35 -0700 Subject: [PATCH] Cherry picking bug fixes from master into release-1.0 (#6834) * fix bug so that destination.service.** attributes are collected (#6801) * remove unnecessary generated attributes finding. (#6785) * modify docker template files for proxyv2 (#6790) * Long-running testing improvements (#6800) * Add values for config map settings, including access log. More docs. * Updates and improvements for the stress-testing configs. * Add values for config map settings, including access log. (#6797) * Add values for config map settings, including access log. More docs. * Updates and improvements for the stress-testing configs. * Address review comments * Merged wrong files * Add the setup helm file - this change now depend on the previous PR. * Sync with remote, remove accidentally added files. * Another accidental file * SNI routing from sidecar to gateway with virtual services (#6402) * quick sni matching 1st pass with no refactoring of existing code * use shriram's api sha * quick pass at using tls block * add some validation * copyright * fix lint + remove deadcode * rename protocol tcp_tls -> tls * update back to istio/api master * remove accidentally added test file * add tls block to gateway logic * add todos * basic sni wildcard implementation * add tcp, fix problems with rbac, matching * better tcp + tls validation * address code review comments * remove out of date comment * update comments * fix compile error * use tcp proxy in tcp routing * add tcp routing e2e test * add forgotten vs config file + update description of test * Comments, bug fixes Signed-off-by: Shriram Rajagopalan * cleanup gateway tcp test Signed-off-by: Shriram Rajagopalan * moving networking test yamls Signed-off-by: Shriram Rajagopalan * tcp/tls tests Signed-off-by: Shriram Rajagopalan * yaml fixes 
Signed-off-by: Shriram Rajagopalan * fix file switcheroo * port matches Signed-off-by: Shriram Rajagopalan * fix authN plugin overwriting TLS context Signed-off-by: Shriram Rajagopalan * more tests - route via egress gateway Signed-off-by: Shriram Rajagopalan * yaml fixes Signed-off-by: Shriram Rajagopalan * initialize prom variables Signed-off-by: Shriram Rajagopalan * split tests Signed-off-by: Shriram Rajagopalan * final test fix hopefully Signed-off-by: Shriram Rajagopalan * revert gateway tweaks 
Signed-off-by: Shriram Rajagopalan --- install/consul/templates/istio.yaml.tmpl | 2 + install/eureka/templates/istio.yaml.tmpl | 2 + .../templates/sidecar-injector-configmap.yaml | 2 +- .../kubernetes/helm/istio-remote/values.yaml | 4 +- .../helm/istio/templates/configmap.yaml | 20 +-- .../templates/sidecar-injector-configmap.yaml | 2 +- install/kubernetes/helm/istio/values.yaml | 36 +++- mixer/template/sample/template.gen.go | 2 +- mixer/template/template.gen.go | 2 +- .../test/spyAdapter/template/template.gen.go | 2 +- .../template/bootstrapTemplate.go | 2 +- .../testdata/template.gen.go.golden | 2 +- pilot/pkg/model/service.go | 16 +- pilot/pkg/model/validation.go | 112 +++++++++++-- pilot/pkg/networking/core/v1alpha3/gateway.go | 1 - .../pkg/networking/core/v1alpha3/listener.go | 83 ++++++---- .../networking/core/v1alpha3/networkfilter.go | 4 +- pilot/pkg/networking/core/v1alpha3/tls.go | 155 ++++++++++++++++++ .../networking/plugin/authn/authentication.go | 7 +- pilot/pkg/networking/plugin/plugin.go | 2 +- pilot/test/client/client.go | 8 + tests/e2e/tests/pilot/authn_policy_test.go | 6 +- tests/e2e/tests/pilot/egressgateway_test.go | 53 +++++- tests/e2e/tests/pilot/externalservice_test.go | 14 +- tests/e2e/tests/pilot/ingressgateway_test.go | 137 +++++++++------- tests/e2e/tests/pilot/routing_test.go | 38 ++++- .../v1alpha3/destination-rule-c.yaml | 0 .../v1alpha3/disable-mtls-egressgateway.yaml | 0 .../v1alpha3/egressgateway.yaml | 9 +- .../v1alpha3/envoyfilter-c.yaml | 0 .../v1alpha3/ingressgateway.yaml | 6 + ...-503test-destinationrule-c-add-subset.yaml | 0 ...-503test-destinationrule-c-del-subset.yaml | 0 .../rule-503test-destinationrule-c.yaml | 0 .../rule-503test-update-virtualservice.yaml | 4 +- .../v1alpha3/rule-503test-virtualservice.yaml | 4 +- .../v1alpha3/rule-content-route.yaml | 0 .../rule-default-route-append-headers.yaml | 0 .../rule-default-route-cors-policy.yaml | 0 .../v1alpha3/rule-default-route-mirrored.yaml | 0 
.../v1alpha3/rule-default-route.yaml | 0 .../v1alpha3/rule-fault-injection.yaml | 0 .../v1alpha3/rule-ingressgateway.yaml | 29 ++++ .../v1alpha3/rule-redirect-injection.yaml | 0 .../v1alpha3/rule-regex-route.yaml | 0 .../rule-route-via-egressgateway.yaml | 24 +++ .../v1alpha3/rule-websocket-route.yaml | 0 .../v1alpha3/rule-weighted-route.yaml | 0 .../v1alpha3/service-entry-bookinfo.yaml} | 0 .../v1alpha3/service-entry-google.yaml | 12 ++ .../v1alpha3/serviceentry-httpbin.yaml | 0 .../v1alpha3/serviceentry-nghttp2.yaml | 0 .../serviceentry-tcp-wikipedia-cidr.yaml | 0 .../serviceentry-tcp-wikipedia-sni.yaml | 0 .../serviceentry-wildcard-httpbin.yaml | 0 .../v1alpha3/virtualservice-route-tcp-a.yaml | 30 ++++ .../testdata/v1alpha3/gateway-tcp-a.yaml | 18 -- .../rule-force-a-through-ingress-gateway.yaml | 19 --- .../testdata/v1alpha3/rule-gateway-a.yaml | 16 -- .../v1alpha3/rule-ingressgateway.yaml | 17 -- tests/helm/iperf3-noistio.yaml | 58 +++++++ tests/helm/setup.sh | 44 +++-- tests/helm/templates/fortio-080.yaml | 60 +++++++ tests/helm/templates/fortio-10rc1.yaml | 61 +++++++ tests/helm/templates/fortio-cli.yaml | 119 +++++++++++++- ...{fortio-alpha1.yaml => fortio-master.yaml} | 30 +++- tests/helm/templates/fortio-noistio.yaml | 91 +++------- tests/helm/templates/fortio-tls.yaml | 34 +++- tests/helm/templates/gateway.yaml | 103 ++---------- tests/helm/templates/iperf3-tls.yaml | 109 ++++++++++++ tests/helm/templates/iperf3.yaml | 109 ++---------- tests/helm/templates/virtual_service.yaml | 20 +-- tests/helm/values.yaml | 2 +- 73 files changed, 1201 insertions(+), 541 deletions(-) create mode 100644 pilot/pkg/networking/core/v1alpha3/tls.go rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/destination-rule-c.yaml (100%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/disable-mtls-egressgateway.yaml (100%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/egressgateway.yaml (76%) rename tests/e2e/tests/pilot/testdata/{ => 
networking}/v1alpha3/envoyfilter-c.yaml (100%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/ingressgateway.yaml (90%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/rule-503test-destinationrule-c-add-subset.yaml (100%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/rule-503test-destinationrule-c-del-subset.yaml (100%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/rule-503test-destinationrule-c.yaml (100%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/rule-503test-update-virtualservice.yaml (91%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/rule-503test-virtualservice.yaml (91%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/rule-content-route.yaml (100%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/rule-default-route-append-headers.yaml (100%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/rule-default-route-cors-policy.yaml (100%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/rule-default-route-mirrored.yaml (100%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/rule-default-route.yaml (100%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/rule-fault-injection.yaml (100%) create mode 100644 tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-ingressgateway.yaml rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/rule-redirect-injection.yaml (100%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/rule-regex-route.yaml (100%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/rule-route-via-egressgateway.yaml (65%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/rule-websocket-route.yaml (100%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/rule-weighted-route.yaml (100%) rename tests/e2e/tests/pilot/testdata/{v1alpha3/service-entry.yaml => 
networking/v1alpha3/service-entry-bookinfo.yaml} (100%) create mode 100644 tests/e2e/tests/pilot/testdata/networking/v1alpha3/service-entry-google.yaml rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/serviceentry-httpbin.yaml (100%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/serviceentry-nghttp2.yaml (100%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/serviceentry-tcp-wikipedia-cidr.yaml (100%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/serviceentry-tcp-wikipedia-sni.yaml (100%) rename tests/e2e/tests/pilot/testdata/{ => networking}/v1alpha3/serviceentry-wildcard-httpbin.yaml (100%) create mode 100644 tests/e2e/tests/pilot/testdata/networking/v1alpha3/virtualservice-route-tcp-a.yaml delete mode 100644 tests/e2e/tests/pilot/testdata/v1alpha3/gateway-tcp-a.yaml delete mode 100644 tests/e2e/tests/pilot/testdata/v1alpha3/rule-force-a-through-ingress-gateway.yaml delete mode 100644 tests/e2e/tests/pilot/testdata/v1alpha3/rule-gateway-a.yaml delete mode 100644 tests/e2e/tests/pilot/testdata/v1alpha3/rule-ingressgateway.yaml create mode 100644 tests/helm/iperf3-noistio.yaml create mode 100644 tests/helm/templates/fortio-080.yaml create mode 100644 tests/helm/templates/fortio-10rc1.yaml rename tests/helm/templates/{fortio-alpha1.yaml => fortio-master.yaml} (60%) create mode 100644 tests/helm/templates/iperf3-tls.yaml diff --git a/install/consul/templates/istio.yaml.tmpl b/install/consul/templates/istio.yaml.tmpl index e9a4d546ffdb..4c1227975739 100644 --- a/install/consul/templates/istio.yaml.tmpl +++ b/install/consul/templates/istio.yaml.tmpl @@ -57,6 +57,8 @@ services: aliases: - istio-pilot expose: + - "15003" + - "15005" - "15007" ports: - "8081:15007" diff --git a/install/eureka/templates/istio.yaml.tmpl b/install/eureka/templates/istio.yaml.tmpl index 0cb978d32eb1..f72432f5bc0d 100644 --- a/install/eureka/templates/istio.yaml.tmpl +++ b/install/eureka/templates/istio.yaml.tmpl 
@@ -39,6 +39,8 @@ services: istio-pilot: image: {PILOT_HUB}/pilot:{PILOT_TAG} expose: + - "15003" + - "15005" - "15007" ports: - "8081:15007" diff --git a/install/kubernetes/helm/istio-remote/templates/sidecar-injector-configmap.yaml b/install/kubernetes/helm/istio-remote/templates/sidecar-injector-configmap.yaml index 9b931e03e82b..4cbf015bcc47 100644 --- a/install/kubernetes/helm/istio-remote/templates/sidecar-injector-configmap.yaml +++ b/install/kubernetes/helm/istio-remote/templates/sidecar-injector-configmap.yaml @@ -11,7 +11,7 @@ metadata: istio: sidecar-injector data: config: |- - policy: {{ .Values.global.proxy.policy }} + policy: {{ .Values.global.proxy.autoInject }} template: |- initContainers: - name: istio-init diff --git a/install/kubernetes/helm/istio-remote/values.yaml b/install/kubernetes/helm/istio-remote/values.yaml index 59a33def0ffb..33c3cc6d5c53 100644 --- a/install/kubernetes/helm/istio-remote/values.yaml +++ b/install/kubernetes/helm/istio-remote/values.yaml @@ -37,7 +37,9 @@ global: # Redirect only selected ports: --includeInboundPorts="80,8080" includeInboundPorts: "*" excludeInboundPorts: "" - policy: enabled + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument # would be :). diff --git a/install/kubernetes/helm/istio/templates/configmap.yaml b/install/kubernetes/helm/istio/templates/configmap.yaml index 3bbd8b0d7be2..e6d93d186eb5 100644 --- a/install/kubernetes/helm/istio/templates/configmap.yaml +++ b/install/kubernetes/helm/istio/templates/configmap.yaml 
@@ -12,25 +12,21 @@ data: mesh: |- # Set the following variable to true to disable policy checks by the Mixer. # Note that metrics will still be reported to the Mixer. - disablePolicyChecks: false + disablePolicyChecks: {{ .Values.global.disablePolicyChecks }} + # Set enableTracing to false to disable request tracing. - enableTracing: true + enableTracing: {{ .Values.global.enableTracing }} + # Set accessLogFile to empty string to disable access log. - accessLogFile: "/dev/stdout" + accessLogFile: "{{ .Values.global.proxy.accessLogFile }}" # # To disable the mixer completely (including metrics), comment out # the following lines + # Deprecated: mixer is using EDS mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.cluster.local:15004 mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local:15004 # This is the ingress service name, update if you used a different name ingressService: istio-ingress - # - # Along with discoveryRefreshDelay, this setting determines how - # frequently should Envoy fetch and update its internal configuration - # from istio Pilot. Lower refresh delay results in higher CPU - # utilization and potential performance loss in exchange for faster - # convergence. Tweak this value according to your setup. - rdsRefreshDelay: {{ .Values.global.refreshInterval }} # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. @@ -41,10 +37,6 @@ data: # defaultConfig: - # NOTE: If you change any values in this section, make sure to make - # the same changes in start up args in istio-ingress pods. - # See rdsRefreshDelay for explanation about this setting. - discoveryRefreshDelay: {{ .Values.global.refreshInterval }} # # TCP connection timeout between Envoy & the application, and between Envoys. connectTimeout: 10s 
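Review bot: The new comment `# Deprecated: mixer is using EDS` above `mixerCheckServer` sits directly under the "comment out the following lines to disable the mixer" text, so it reads as if the two mixer server settings are themselves deprecated, and it does not say what was deprecated or what EDS replaces. Name the subject, e.g. `# Deprecated: mixerCheckServer/mixerReportServer are no longer used for discovery; mixer endpoints are resolved via EDS` — or, if it actually refers to the removed `rdsRefreshDelay`, drop the line. Removing the `rdsRefreshDelay`/`discoveryRefreshDelay` lines also leaves `global.refreshInterval` unreferenced by this template; if no other template reads it, it should be removed from values.yaml as well, otherwise operators keep tuning a knob that does nothing.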
diff --git a/install/kubernetes/helm/istio/templates/sidecar-injector-configmap.yaml b/install/kubernetes/helm/istio/templates/sidecar-injector-configmap.yaml index a9f0a6d7c5e2..b7ae5370fec9 100644 --- a/install/kubernetes/helm/istio/templates/sidecar-injector-configmap.yaml +++ b/install/kubernetes/helm/istio/templates/sidecar-injector-configmap.yaml @@ -11,7 +11,7 @@ metadata: istio: sidecar-injector data: config: |- - policy: {{ .Values.global.proxy.policy }} + policy: {{ .Values.global.proxy.autoInject }} template: |- initContainers: - name: istio-init diff --git a/install/kubernetes/helm/istio/values.yaml b/install/kubernetes/helm/istio/values.yaml index dca76d832291..2e3f2ff2be41 100644 --- a/install/kubernetes/helm/istio/values.yaml +++ b/install/kubernetes/helm/istio/values.yaml @@ -8,19 +8,20 @@ global: # Default repository for Istio images. # Releases are published to docker hub under 'istio' project. # Daily builds from prow are on gcr.io, and nightly builds from circle on - # docker.io/istionightly - hub: docker.io/istio + hub: docker.io/istionightly # Default tag for Istio images. - # Should track latest released version in the branch. - tag: 0.8.latest + tag: nightly-master + proxy: image: proxyv2 - # istio-sidecar-injector configmap stores configuration for sidecar injection. - # This config map is used by istioctl kube-inject and the injector webhook. + # Configures the access log for each sidecar. Setting it to an empty string will + # disable access log for sidecar. + accessLogFile: "/dev/stdout" + + # If set, newly injected sidecars will have core dumps enabled. enableCoreDump: false - replicaCount: 1 # istio egress capture whitelist # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly 
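Review bot: The `policy:` line now reads `global.proxy.autoInject` instead of `global.proxy.policy` with no fallback, so an operator whose override file still sets `global.proxy.policy: disabled` (presumably the opt-out value) has that override silently ignored after upgrade and injection reverts to the chart default `autoInject: enabled`. Because this silently re-enables sidecar injection for a deliberate opt-out, fail the render instead: `{{- if .Values.global.proxy.policy }}{{ fail "global.proxy.policy was renamed to global.proxy.autoInject" }}{{- end }}` above the `config:` block (sprig's `fail` should be available in the Helm 2 versions this chart targets, as far as I can tell). The istio-remote chart's copy of this template gets the same rename in this commit and needs the same guard.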
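Review bot: A plain `helm install` from release-1.0 will now pull moving nightly builds from a different Docker Hub namespace, because the `hub:`/`tag:` defaults change from `docker.io/istio` / `0.8.latest` to `docker.io/istionightly` / `nightly-master`, while the comment two lines above still says releases are published under the `istio` project. A tag that is re-pushed daily cannot be pinned or reproduced, which is what a release branch is for; this looks like master-only state that came along with the cherry-pick, and the release hub/tag should be restored here with nightly values left to the test charts under tests/helm. If nightly really is the intended default for this branch, say so in the comment, e.g. `# NOTE: defaults to nightly master images; set hub/tag to a release for production.`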
@@ -37,7 +38,9 @@ global: # Redirect only selected ports: --includeInboundPorts="80,8080" includeInboundPorts: "*" excludeInboundPorts: "" - policy: enabled + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument # would be :). @@ -64,6 +67,13 @@ global: # propagated, not recommended for tests. controlPlaneSecurityEnabled: false + # disablePolicyChecks disables mixer policy checks. + # Will set the value with same name in istio config map - pilot needs to be restarted to take effect. + disablePolicyChecks: false + + # EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect. + enableTracing: true + # Default mtls policy. If true, mtls between services will be enabled by default. mtls: # Default setting for service-to-service mtls. Can be set explicitly using @@ -151,7 +161,15 @@ gateways: istio: ingressgateway replicaCount: 1 autoscaleMin: 1 - autoscaleMax: 1 + autoscaleMax: 5 + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + #requests: + # cpu: 1800m + # memory: 256Mi + loadBalancerIP: "" serviceAnnotations: {} type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be diff --git a/mixer/template/sample/template.gen.go b/mixer/template/sample/template.gen.go index 8ea962c76181..82790ebf367a 100644 --- a/mixer/template/sample/template.gen.go +++ b/mixer/template/sample/template.gen.go @@ -436,7 +436,7 @@ var ( outBag := newWrapperAttrBag( func(name string) (value interface{}, found bool) { field := strings.TrimPrefix(name, fullOutName) - if len(field) != len(name) && out.WasSet(field) { + if len(field) != len(name) { switch field { case "int64Primitive": diff --git a/mixer/template/template.gen.go b/mixer/template/template.gen.go index 7f227917c9a3..9654b68a9a60 100644 --- a/mixer/template/template.gen.go +++ b/mixer/template/template.gen.go 
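Review bot: The comment above `autoInject: enabled` says only that it controls the injector's 'policy'; it does not mention that the key was renamed from `policy` or which values are accepted, so a reader of this file cannot tell that an existing `global.proxy.policy` override is now a no-op. Suggest `# Sidecar injection policy (renamed from global.proxy.policy; the old key is ignored).` with a second line listing the accepted values — presumably `enabled` and `disabled`, worth confirming against the injector. The istio-remote values.yaml in this commit carries the same one-line comment and should be updated identically.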
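Review bot: The commented example under the new `resources: {}` for the ingress gateway is internally inconsistent: it shows `requests.cpu: 1800m` against `limits.cpu: 100m`, and Kubernetes rejects a pod whose request exceeds its limit, so anyone uncommenting it as written gets an invalid Deployment. `#requests:` is also missing the space the other commented lines use, so it will not line up when uncommented. Put the smaller values under `requests` and the larger under `limits` (or make them equal), e.g. `# requests:` / `#   cpu: 100m` / `#   memory: 128Mi`.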
@@ -327,7 +327,7 @@ var ( outBag := newWrapperAttrBag( func(name string) (value interface{}, found bool) { field := strings.TrimPrefix(name, fullOutName) - if len(field) != len(name) && out.WasSet(field) { + if len(field) != len(name) { switch field { case "source_pod_ip": diff --git a/mixer/test/spyAdapter/template/template.gen.go b/mixer/test/spyAdapter/template/template.gen.go index 60d10761dbbc..d71cef51fd2a 100644 --- a/mixer/test/spyAdapter/template/template.gen.go +++ b/mixer/test/spyAdapter/template/template.gen.go @@ -236,7 +236,7 @@ var ( outBag := newWrapperAttrBag( func(name string) (value interface{}, found bool) { field := strings.TrimPrefix(name, fullOutName) - if len(field) != len(name) && out.WasSet(field) { + if len(field) != len(name) { switch field { case "int64Primitive": diff --git a/mixer/tools/codegen/pkg/bootstrapgen/template/bootstrapTemplate.go b/mixer/tools/codegen/pkg/bootstrapgen/template/bootstrapTemplate.go index 5c419f98b0aa..5f5d03b2d664 100644 --- a/mixer/tools/codegen/pkg/bootstrapgen/template/bootstrapTemplate.go +++ b/mixer/tools/codegen/pkg/bootstrapgen/template/bootstrapTemplate.go @@ -338,7 +338,7 @@ var ( outBag := newWrapperAttrBag( func(name string) (value interface{}, found bool) { field := strings.TrimPrefix(name, fullOutName) - if len(field) != len(name) && out.WasSet(field) { + if len(field) != len(name) { switch field { {{range .OutputTemplateMessage.Fields}} case "{{.ProtoName}}": diff --git a/mixer/tools/codegen/pkg/bootstrapgen/testdata/template.gen.go.golden b/mixer/tools/codegen/pkg/bootstrapgen/testdata/template.gen.go.golden index 7e17d6e90619..1b69a8962a43 100644 --- a/mixer/tools/codegen/pkg/bootstrapgen/testdata/template.gen.go.golden +++ b/mixer/tools/codegen/pkg/bootstrapgen/testdata/template.gen.go.golden 
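Review bot: Dropping `out.WasSet(field)` from the `if len(field) != len(name)` condition in the generated output-attribute bag means a field the adapter never populated is no longer reported as absent; if the `case` arms that follow (the rest of the switch lies outside the hunk) return the field with `found` true, every consumer of an output template now receives the Go zero value — `""`, `0`, `false` — as if the adapter had set it. That is evidently the intended fix for the `destination.service.*` attributes named in the commit message, but because this is the code-generation template it changes every generated template (the `template.gen.go` files and the golden file in this commit are regenerated from it), and any attribute expression or policy rule that relied on an unset output being absent will now see a zero value. State the contract on this line so the next person does not re-add the guard, e.g. `// Output fields are always reported; an unset field yields its zero value rather than being absent.`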
@@ -464,7 +464,7 @@ var ( outBag := newWrapperAttrBag( func(name string) (value interface{}, found bool) { field := strings.TrimPrefix(name, fullOutName) - if len(field) != len(name) && out.WasSet(field) { + if len(field) != len(name) { switch field { case "int64Primitive": diff --git a/pilot/pkg/model/service.go b/pilot/pkg/model/service.go index 7464323d0f4e..218c33685027 100644 --- a/pilot/pkg/model/service.go +++ b/pilot/pkg/model/service.go @@ -143,9 +143,9 @@ const ( // ProtocolTCP declares the the port uses TCP. // This is the default protocol for a service port. ProtocolTCP Protocol = "TCP" - // ProtocolTCPTLS declares that the port carries TLS traffic on top of TCP - // TLS traffic is assumed to contain SNI as part of the handshake - ProtocolTCPTLS Protocol = "TCP_TLS" + // ProtocolTLS declares that the port carries TLS traffic. + // TLS traffic is assumed to contain SNI as part of the handshake. + ProtocolTLS Protocol = "TLS" // ProtocolUDP declares that the port uses UDP. // Note that UDP protocol is not currently supported by the proxy. ProtocolUDP Protocol = "UDP" @@ -204,8 +204,8 @@ func ParseProtocol(s string) Protocol { return ProtocolHTTP2 case "https": return ProtocolHTTPS - case "tcp_tls": - return ProtocolTCPTLS + case "tls": + return ProtocolTLS case "mongo": return ProtocolMongo case "redis": @@ -238,7 +238,7 @@ func (p Protocol) IsHTTP() bool { // IsTCP is true for protocols that use TCP as transport protocol func (p Protocol) IsTCP() bool { switch p { - case ProtocolTCP, ProtocolHTTPS, ProtocolTCPTLS, ProtocolMongo, ProtocolRedis: + case ProtocolTCP, ProtocolHTTPS, ProtocolTLS, ProtocolMongo, ProtocolRedis: return true default: return false @@ -248,7 +248,7 @@ func (p Protocol) IsTCP() bool { // IsTLS is true for protocols on top of TLS (e.g. HTTPS) func (p Protocol) IsTLS() bool { switch p { - case ProtocolHTTPS, ProtocolTCPTLS: + case ProtocolHTTPS, ProtocolTLS: return true default: return false 
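Review bot: `ParseProtocol` now maps only `tls` and no longer recognises `tcp_tls`, so a port whose protocol was written with the old name in an existing ServiceEntry or Service falls through to the default branch (outside the hunk) instead of becoming `ProtocolTLS`, and because `IsTLS()` in the later hunk drives SNI handling, such a port silently loses it. For a release branch this deserves either a compatibility alias with a deprecation comment, `case "tcp_tls", "tls": return ProtocolTLS`, or an explicit note in the constant's doc comment that `TCP_TLS` was never part of a shipped release and is not accepted.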
@@ -539,7 +539,7 @@ func (h Hostnames) Swap(i, j int) { h[i], h[j] = h[j], h[i] } -// SubsetOf is true if the tag has identical values for the keys +// SubsetOf is true if the label has identical values for the keys func (l Labels) SubsetOf(that Labels) bool { for k, v := range l { if that[k] != v { diff --git a/pilot/pkg/model/validation.go b/pilot/pkg/model/validation.go index 82015336c644..b7ed3bc1a162 100644 --- a/pilot/pkg/model/validation.go +++ b/pilot/pkg/model/validation.go 
@@ -1958,14 +1958,81 @@ func ValidateVirtualService(name, namespace string, msg proto.Message) (errs err } } - if len(virtualService.Http) == 0 && len(virtualService.Tcp) == 0 { - errs = appendErrors(errs, fmt.Errorf("http or tcp must be provided in virtual service")) + if len(virtualService.Http) == 0 && len(virtualService.Tcp) == 0 && len(virtualService.Tls) == 0 { + errs = appendErrors(errs, errors.New("http, tcp or tls must be provided in virtual service")) } for _, httpRoute := range virtualService.Http { errs = appendErrors(errs, validateHTTPRoute(httpRoute)) } - // TODO: validate TCP + for _, tlsRoute := range virtualService.Tls { + errs = appendErrors(errs, validateTLSRoute(tlsRoute)) + } + for _, tcpRoute := range virtualService.Tcp { + errs = appendErrors(errs, validateTCPRoute(tcpRoute)) + } + + return +} + +func validateTLSRoute(tls *networking.TLSRoute) (errs error) { + if tls == nil { + return nil + } + + if len(tls.Match) == 0 { + errs = appendErrors(errs, errors.New("TLS route must have at least one match condition")) + } + for _, match := range tls.Match { + errs = appendErrors(errs, validateTLSMatch(match)) + } + if len(tls.Route) != 1 { + errs = appendErrors(errs, errors.New("TLS route must have exactly one destination")) + } + errs = appendErrors(errs, validateDestinationWeights(tls.Route)) + return +} + +func validateTLSMatch(match *networking.TLSMatchAttributes) (errs error) { + if len(match.SniHosts) == 0 { + errs = appendErrors(errs, fmt.Errorf("TLS match must have at least one SNI host")) + } + if match.DestinationSubnet != "" { + errs = appendErrors(errs, ValidateIPv4Subnet(match.DestinationSubnet)) + } + if match.Port != 0 { + errs = appendErrors(errs, ValidatePort(int(match.Port))) + } + errs = appendErrors(errs, Labels(match.SourceLabels).Validate()) + errs = appendErrors(errs, validateGatewayNames(match.Gateways)) + return +} + +func validateTCPRoute(tcp *networking.TCPRoute) (errs error) { + if tcp == nil { + return nil + } + for _, 
match := range tcp.Match { + errs = appendErrors(errs, validateTCPMatch(match)) + } + if len(tcp.Route) != 1 { + errs = appendErrors(errs, errors.New("TLS route must have exactly one destination")) + } + errs = appendErrors(errs, validateDestinationWeights(tcp.Route)) + return +} +func validateTCPMatch(match *networking.L4MatchAttributes) (errs error) { + if match.DestinationSubnet != "" { + errs = appendErrors(errs, ValidateIPv4Subnet(match.DestinationSubnet)) + } + if match.SourceSubnet != "" { + errs = appendErrors(errs, ValidateIPv4Subnet(match.SourceSubnet)) + } + if match.Port != 0 { + errs = appendErrors(errs, ValidatePort(int(match.Port))) + } + errs = appendErrors(errs, Labels(match.SourceLabels).Validate()) + errs = appendErrors(errs, validateGatewayNames(match.Gateways)) return } 
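Review bot: In `validateTCPRoute` the destination-count error reads `TLS route must have exactly one destination` — copied from `validateTLSRoute` — and should be `TCP route must have exactly one destination`, otherwise a user with a bad TCP route is sent to the wrong section of their VirtualService. In `validateTLSMatch`, `SniHosts` is only checked for being non-empty; each entry ends up verbatim in the listener's `ServerNames` match (see the listener.go hunk in this commit), and a bare `*` there produces a filter chain with no SNI match at all, so every entry should be validated as a hostname or wildcard hostname the way the file validates other host fields. The `fmt.Errorf` call in that function has no format verbs and can be `errors.New` like its neighbours.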
@@ -2013,29 +2080,46 @@ func validateHTTPRoute(http *networking.HTTPRoute) (errs error) { errs = appendErrors(errs, ValidateHTTPHeaderName(name)) } - // TODO: validate match.Port + if match.Port != 0 { + errs = appendErrors(errs, ValidatePort(int(match.Port))) + } errs = appendErrors(errs, Labels(match.SourceLabels).Validate()) + errs = appendErrors(errs, validateGatewayNames(match.Gateways)) } errs = appendErrors(errs, validateDestination(http.Mirror)) errs = appendErrors(errs, validateHTTPRedirect(http.Redirect)) errs = appendErrors(errs, validateHTTPRetry(http.Retries)) errs = appendErrors(errs, validateHTTPRewrite(http.Rewrite)) + errs = appendErrors(errs, validateDestinationWeights(http.Route)) + if http.Timeout != nil { + errs = appendErrors(errs, ValidateDurationGogo(http.Timeout)) + } + + return +} + +func validateGatewayNames(gateways []string) (errs error) { + for _, gateway := range gateways { + if err := ValidateFQDN(gateway); err != nil { + errs = appendErrors(errs, err) + } + } + return +} + +func validateDestinationWeights(weights []*networking.DestinationWeight) (errs error) { var totalWeight int32 - for _, route := range http.Route { - if route.Destination == nil { + for _, weight := range weights { + if weight.Destination == nil { errs = multierror.Append(errs, errors.New("destination is required")) } - errs = appendErrors(errs, validateDestination(route.Destination)) - errs = appendErrors(errs, ValidatePercent(route.Weight)) - totalWeight += route.Weight + errs = appendErrors(errs, validateDestination(weight.Destination)) + errs = appendErrors(errs, ValidatePercent(weight.Weight)) + totalWeight += weight.Weight } - if len(http.Route) > 1 && totalWeight > 100 { + if len(weights) > 1 && totalWeight > 100 { errs = appendErrors(errs, fmt.Errorf("total destination weight %v > 100", totalWeight)) } - if http.Timeout != nil { - errs = appendErrors(errs, ValidateDurationGogo(http.Timeout)) - } - return } 
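Review bot: `validateGatewayNames` applies `ValidateFQDN` to every entry of `match.Gateways`, but the reserved mesh gateway name (`model.IstioMeshGateway`, which the listener.go hunk uses to select sidecar-scoped virtual services) is also a legitimate entry; unless `ValidateFQDN` accepts a single label, any route explicitly scoped to the mesh gateway is now rejected at admission. Special-case it, `if gateway == IstioMeshGateway { continue }`, and add a test in both directions. In `validateDestinationWeights` the `> 100` check only fires when there are several destinations, so weights summing to less than 100 still pass; that is pre-existing, but now that HTTP, TCP and TLS routes all share the helper a comment should say whether under-100 sums are intentional.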
diff --git a/pilot/pkg/networking/core/v1alpha3/gateway.go b/pilot/pkg/networking/core/v1alpha3/gateway.go index ac106ce6c3bc..db4b2aa6e38e 100644 --- a/pilot/pkg/networking/core/v1alpha3/gateway.go +++ b/pilot/pkg/networking/core/v1alpha3/gateway.go @@ -346,7 +346,6 @@ func (configgen *ConfigGeneratorImpl) buildGatewayInboundHTTPRouteConfig( log.Debugf("omitting virtual service %q because its hosts don't match gateways %v server %d", v.Name, gateways, port) continue } - routes, err := istio_route.BuildHTTPRoutesForVirtualService(v, svcs, port, nil, gateways, env.IstioConfigStore) if err != nil { log.Debugf("omitting routes for service %v due to error: %v", v, err) diff --git a/pilot/pkg/networking/core/v1alpha3/listener.go b/pilot/pkg/networking/core/v1alpha3/listener.go index 887034271d81..b38b818bd45f 100644 --- a/pilot/pkg/networking/core/v1alpha3/listener.go +++ b/pilot/pkg/networking/core/v1alpha3/listener.go @@ -20,6 +20,7 @@ import ( "os" "reflect" "sort" + "strings" xdsapi "github.com/envoyproxy/go-control-plane/envoy/api/v2" "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth" @@ -74,11 +75,16 @@ var ( Name: "pilot_invalid_out_listeners", Help: "Number of invalid outbound listeners.", }) + filterChainsConflict = prometheus.NewGauge(prometheus.GaugeOpts{ + Name: "pilot_conf_filter_chains", + Help: "Number of conflicting filter chains.", + }) ) func init() { prometheus.MustRegister(conflictingOutbound) prometheus.MustRegister(invalidOutboundListeners) + prometheus.MustRegister(filterChainsConflict) } // ListenersALPNProtocols denotes the the list of ALPN protocols that the listener 
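Review bot: `filterChainsConflict` is registered as a `prometheus.Gauge` but its only use, in the filter-chain trimming loop added later in this file, calls `Add(1)` and nothing resets it, so the value grows for the lifetime of the process and cannot be compared between builds. Either declare it with `prometheus.NewCounter` so scrapers can apply `rate()`, or keep the gauge and `Set` it to the number of duplicates found in the current build. The name `pilot_conf_filter_chains` also reads as "config filter chains"; `pilot_conflicting_filter_chains` would match the help text.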
@@ -347,6 +353,14 @@ func (configgen *ConfigGeneratorImpl) buildSidecarInboundListeners(env model.Env func (configgen *ConfigGeneratorImpl) buildSidecarOutboundListeners(env model.Environment, node model.Proxy, proxyInstances []*model.ServiceInstance, services []*model.Service) []*xdsapi.Listener { + var proxyLabels model.LabelsCollection + for _, w := range proxyInstances { + proxyLabels = append(proxyLabels, w.Labels) + } + + meshGateway := map[string]bool{model.IstioMeshGateway: true} + configs := env.VirtualServices(meshGateway) + var tcpListeners, httpListeners []*xdsapi.Listener var currentListener *xdsapi.Listener listenerTypeMap := make(map[string]model.Protocol) @@ -386,12 +400,6 @@ func (configgen *ConfigGeneratorImpl) buildSidecarOutboundListeners(env model.En operation := http_conn.EGRESS useRemoteAddress := false - if node.Type == model.Router { - // if this is in Router mode, then use ingress style trace operation, and remote address settings - useRemoteAddress = true - operation = http_conn.INGRESS - } - listenerOpts.protocol = servicePort.Protocol listenerOpts.filterChainOpts = []*filterChainOpts{{ httpOpts: &httpListenerOpts{ 
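Review bot: Removing the `node.Type == model.Router` branch leaves `useRemoteAddress := false` and `operation := http_conn.EGRESS` as locals that are never reassigned, and — if a Router proxy can still reach `buildSidecarOutboundListeners`, which this hunk does not show — its outbound HTTP listeners now lose `useRemoteAddress`, changing how the client address and X-Forwarded-For are treated on gateway traffic, while their spans are tagged EGRESS. If gateway listeners are now built only in gateway.go, say so where the branch was, e.g. `// Router (gateway) listeners are built in gateway.go; this path is sidecar-only.`, and fold the two constants into the `httpListenerOpts` literal; otherwise the branch should come back. `buildSidecarOutboundListeners` begins in the previous hunk's context and continues past this one.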
@@ -411,27 +419,18 @@ func (configgen *ConfigGeneratorImpl) buildSidecarOutboundListeners(env model.En listenerMapKey = fmt.Sprintf("%s:%d", listenAddress, servicePort.Port) var exists bool if currentListener, exists = listenerMap[listenerMapKey]; exists { - // Check if this is HTTPS port collision for external service. If so, we can use SNI to differentiate - // Internal TCP services will never hit this issue because they are bound by specific IP_port, while - // external service listeners are typically bound to 0.0.0.0 - if !listenerTypeMap[listenerMapKey].IsTCP() || !servicePort.Protocol.IsTLS() || !service.MeshExternal { + // Check for port collisions between TCP/TLS and HTTP. + // If configured correctly, TCP/TLS ports may not collide. + // We'll need to do additional work to find out if there is a collision within TCP/TLS. + if !listenerTypeMap[listenerMapKey].IsTCP() { conflictingOutbound.Add(1) log.Warnf("buildSidecarOutboundListeners: listener conflict (%v current and new %v) on %s, destination:%s, current Listener: (%s %v)", servicePort.Protocol, listenerTypeMap[listenerMapKey], listenerMapKey, clusterName, currentListener.Name, currentListener) continue } } - filterChainOption := &filterChainOpts{ - networkFilters: buildOutboundNetworkFilters(clusterName, addresses, servicePort), - } - // Set SNI hosts for External services only. It may or may not work for internal services. - // TODO (@rshriram): We need an explicit option to enable/disable SNI for a given service - if servicePort.Protocol.IsTLS() && service.MeshExternal { - filterChainOption.sniHosts = []string{service.Hostname.String()} - } - - listenerOpts.filterChainOpts = []*filterChainOpts{filterChainOption} + listenerOpts.filterChainOpts = buildOutboundTCPFilterChainOpts(env, configs, addresses, service, servicePort, proxyLabels, meshGateway) default: // UDP or other protocols: no need to log, it's too noisy continue 
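Review bot: The new comment `// If configured correctly, TCP/TLS ports may not collide.` is ambiguous — "may not" reads as permission — and the next line defers the collision check without saying where it now happens. Suggest `// TCP/TLS services sharing an address:port are merged into one listener with one filter chain each; duplicate filter-chain matches are dropped after all listeners are built.` Note that with the old `!servicePort.Protocol.IsTLS() || !service.MeshExternal` conditions gone, two plain-TCP services colliding on the same wildcard address:port are no longer rejected or counted here; unless `buildOutboundTCPFilterChainOpts` (in the new tls.go, not in view) gives them distinct matches, both chains get the empty key and only the first survives the later trim, so the second service's traffic silently goes to the first cluster. This hunk is in the middle of `buildSidecarOutboundListeners`, which begins and ends outside it.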
@@ -506,7 +505,39 @@ func (configgen *ConfigGeneratorImpl) buildSidecarOutboundListeners(env model.En } } - return append(tcpListeners, httpListeners...) + listeners := append(tcpListeners, httpListeners...) + + // trim conflicting filter chains + // If there are two headless services on the same port, this loop will + // detect it and remove one of the listeners. This is fine because headless + // services (resolution NONE) are typically established with original dst clusters + // So, even though there is only one listener shared across two headless services, + // traffic will continue to go to the requested destination. The only problem here + // is that stats will end up being attributed to the incorrect service. + for _, l := range listeners { + filterChainMatches := make(map[string]bool) + + trimmedFilterChains := make([]listener.FilterChain, 0, len(l.FilterChains)) + for _, filterChain := range l.FilterChains { + key := "" // for filter chains without matches or SNI domains + if filterChain.FilterChainMatch != nil { + sniDomains := make([]string, len(filterChain.FilterChainMatch.ServerNames)) + copy(sniDomains, filterChain.FilterChainMatch.ServerNames) + sort.Strings(sniDomains) + key = strings.Join(sniDomains, ",") // sni domains is the only thing set in FilterChainMatch right now + } + if !filterChainMatches[key] { + trimmedFilterChains = append(trimmedFilterChains, filterChain) + filterChainMatches[key] = true + } else { + log.Warnf("omitting filterchain with duplicate filterchainmatch: %v", key) + filterChainsConflict.Add(1) + } + } + l.FilterChains = trimmedFilterChains + } + + return listeners } // buildSidecarInboundMgmtListeners creates inbound TCP only listeners for the management ports on 
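Review bot: The dedup key in the new trimming loop is built only from `FilterChainMatch.ServerNames`, on the strength of the inline comment that SNI domains are "the only thing set in FilterChainMatch right now"; nothing enforces that, so the first change that also sets a destination port, prefix range or transport protocol will make distinct chains collide on the key and be dropped with only a warning, sending that traffic to whichever chain came first. Key on the whole match instead — sort `ServerNames` as now and then use the generated `String()` of the match, or hash all of its fields — and make the warning name the listener that lost a chain: `log.Warnf("listener %s: omitting filter chain with duplicate match %q", l.Name, key)`. The explanatory comment covers only the headless/original-destination case; for two ordinary services on one port the dropped chain means one service's traffic reaches the other's cluster, which is a routing and isolation problem rather than the mis-attributed stats the comment describes, and that should be stated. `buildSidecarOutboundListeners` starts outside this hunk.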
@@ -533,7 +564,7 @@ func buildSidecarInboundMgmtListeners(managementPorts model.PortList, management for _, mPort := range managementPorts { switch mPort.Protocol { case model.ProtocolHTTP, model.ProtocolHTTP2, model.ProtocolGRPC, model.ProtocolTCP, - model.ProtocolHTTPS, model.ProtocolTCPTLS, model.ProtocolMongo, model.ProtocolRedis: + model.ProtocolHTTPS, model.ProtocolTLS, model.ProtocolMongo, model.ProtocolRedis: instance := &model.ServiceInstance{ Endpoint: model.NetworkEndpoint{ @@ -640,12 +671,6 @@ func buildHTTPConnectionManager(env model.Environment, httpOpts *httpListenerOpt connectionManager.RouteSpecifier = &http_conn.HttpConnectionManager_RouteConfig{RouteConfig: httpOpts.routeConfig} } - if connectionManager.RouteSpecifier == nil { - connectionManager.RouteSpecifier = &http_conn.HttpConnectionManager_RouteConfig{ - RouteConfig: httpOpts.routeConfig, - } - } - if env.Mesh.AccessLogFile != "" { fl := &fileaccesslog.FileAccessLog{ Path: env.Mesh.AccessLogFile, @@ -702,7 +727,7 @@ func buildListener(opts buildListenerOpts) *xdsapi.Listener { } } if !fullWildcardFound { - match.SniDomains = chain.sniHosts + match.ServerNames = chain.sniHosts } } if reflect.DeepEqual(*match, listener.FilterChainMatch{}) { diff --git a/pilot/pkg/networking/core/v1alpha3/networkfilter.go b/pilot/pkg/networking/core/v1alpha3/networkfilter.go index cf210d519498..297bd5c91be6 100644 --- a/pilot/pkg/networking/core/v1alpha3/networkfilter.go +++ b/pilot/pkg/networking/core/v1alpha3/networkfilter.go @@ -47,7 +47,7 @@ func buildInboundNetworkFilters(instance *model.ServiceInstance) []listener.Filt } } -func buildDeprecatedTCPProxyFilter(clusterName string, addresses []string, port *model.Port) (*listener.Filter, error) { +func buildDeprecatedTCPProxyFilter(clusterName string, addresses []string) (*listener.Filter, error) { route := &DeprecatedTCPRoute{ Cluster: clusterName, } 
@@ -112,7 +112,7 @@ func buildOutboundNetworkFilters(clusterName string, addresses []string, port *m var tcpFilter *listener.Filter var err error if len(addresses) > 0 { - if tcpFilter, err = buildDeprecatedTCPProxyFilter(clusterName, addresses, port); err != nil { + if tcpFilter, err = buildDeprecatedTCPProxyFilter(clusterName, addresses); err != nil { return nil } } else { diff --git a/pilot/pkg/networking/core/v1alpha3/tls.go b/pilot/pkg/networking/core/v1alpha3/tls.go new file mode 100644 index 000000000000..d116ad468c8c --- /dev/null +++ b/pilot/pkg/networking/core/v1alpha3/tls.go 
@@ -0,0 +1,155 @@ +// Copyright 2017 Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package v1alpha3 + +import ( + "istio.io/api/networking/v1alpha3" + "istio.io/istio/pilot/pkg/model" + istio_route "istio.io/istio/pilot/pkg/networking/core/v1alpha3/route" + "istio.io/istio/pkg/log" +) + +// Match by source labels, the listener port where traffic comes in, the gateway on which the rule is being +// bound, etc. All these can be checked statically, since we are generating the configuration for a proxy +// with predefined labels, on a specific port. +func matchTLS(match *v1alpha3.TLSMatchAttributes, proxyLabels model.LabelsCollection, gateways map[string]bool, port int) bool { + if match == nil { + return true + } + + gatewayMatch := len(match.Gateways) == 0 + for _, gateway := range match.Gateways { + gatewayMatch = gatewayMatch || gateways[gateway] + } + + labelMatch := proxyLabels.IsSupersetOf(model.Labels(match.SourceLabels)) + + portMatch := match.Port == 0 || match.Port == uint32(port) + + return gatewayMatch && labelMatch && portMatch +} + +// Match by source labels, the listener port where traffic comes in, the gateway on which the rule is being +// bound, etc. All these can be checked statically, since we are generating the configuration for a proxy +// with predefined labels, on a specific port. 
+func matchTCP(match *v1alpha3.L4MatchAttributes, proxyLabels model.LabelsCollection, gateways map[string]bool, port int) bool { + if match == nil { + return true + } + + gatewayMatch := len(match.Gateways) == 0 + for _, gateway := range match.Gateways { + gatewayMatch = gatewayMatch || gateways[gateway] + } + + labelMatch := proxyLabels.IsSupersetOf(model.Labels(match.SourceLabels)) + + portMatch := match.Port == 0 || match.Port == uint32(port) + + return gatewayMatch && labelMatch && portMatch +} + +// Select the virtual service pertaining to the service being processed. +func getVirtualServiceForHost(host model.Hostname, configs []model.Config) *v1alpha3.VirtualService { + for _, config := range configs { + virtualService := config.Spec.(*v1alpha3.VirtualService) + for _, vsHost := range virtualService.Hosts { + if model.Hostname(vsHost).Matches(host) { + return virtualService + } + } + } + return nil +} + +func buildOutboundTCPFilterChainOpts(env model.Environment, configs []model.Config, addresses []string, + service *model.Service, listenPort *model.Port, proxyLabels model.LabelsCollection, gateways map[string]bool) []*filterChainOpts { + + out := make([]*filterChainOpts, 0) + defaultRouteAdded := false + virtualService := getVirtualServiceForHost(service.Hostname, configs) + // Ports marked as TLS will have SNI routing if and only if they have an accompanying + // virtual service for the same host, and the said virtual service has a TLS route block. + // Otherwise we treat ports marked as TLS as opaque TCP services, subject to same port + // collision handling. + if virtualService != nil { + // TODO: Make SNI compatible with RBAC. Deprecated tcp route configs are incompatible with SNI. + // RBAC requires deprecated tcp route configs, so RBAC is incompatible with SNI. 
+ for _, tls := range virtualService.Tls { + // since we don't support weighted destinations yet there can only be exactly 1 destination + dest := tls.Route[0].Destination + destSvc, err := env.GetService(model.Hostname(dest.Host)) + if err != nil { + log.Debugf("failed to retrieve service for destination %q: %v", service.Hostname, err) + continue + } + clusterName := istio_route.GetDestinationCluster(dest, destSvc, listenPort.Port) + for _, match := range tls.Match { + if matchTLS(match, proxyLabels, gateways, listenPort.Port) { + out = append(out, &filterChainOpts{ + sniHosts: match.SniHosts, + // Do not add addresses here. Since we do filter chain match based on SNI + // and have multiple filter chains on a wildcard listener, each with + // a SNI match + networkFilters: buildOutboundNetworkFilters(clusterName, addresses, listenPort), + }) + } + } + } + + // very basic TCP (no L4 matching) + // break as soon as we add one network filter with no SNI match. + // This is the terminating condition in the filter chain match list + // TODO: rbac + TcpLoop: + for _, tcp := range virtualService.Tcp { + // since we don't support weighted destinations yet there can only be exactly 1 destination + dest := tcp.Route[0].Destination + destSvc, err := env.GetService(model.Hostname(dest.Host)) + if err != nil { + log.Debugf("failed to retrieve service for destination %q: %v", service.Hostname, err) + continue + } + clusterName := istio_route.GetDestinationCluster(dest, destSvc, listenPort.Port) + if len(tcp.Match) == 0 { // implicit match + out = append(out, &filterChainOpts{ + networkFilters: buildOutboundNetworkFilters(clusterName, addresses, listenPort), + }) + defaultRouteAdded = true + break TcpLoop + } + for _, match := range tcp.Match { + // In future, when we add proper support for src/dst IP matching in listener, + // we won't break out of the loop here. 
+ if matchTCP(match, proxyLabels, gateways, listenPort.Port) { + out = append(out, &filterChainOpts{ + networkFilters: buildOutboundNetworkFilters(clusterName, addresses, listenPort), + }) + break TcpLoop + } + } + } + } + + // Add a default TCP route + if !defaultRouteAdded { + clusterName := model.BuildSubsetKey(model.TrafficDirectionOutbound, "", service.Hostname, int(listenPort.Port)) + out = append(out, &filterChainOpts{ + networkFilters: buildOutboundNetworkFilters(clusterName, addresses, listenPort), + }) + } + + return out +} diff --git a/pilot/pkg/networking/plugin/authn/authentication.go b/pilot/pkg/networking/plugin/authn/authentication.go index 0d8b5c7d1924..2fc11e9ea47a 100644 --- a/pilot/pkg/networking/plugin/authn/authentication.go +++ b/pilot/pkg/networking/plugin/authn/authentication.go @@ -342,8 +342,11 @@ func buildFilter(in *plugin.InputParams, mutable *plugin.MutableObjects) error { return fmt.Errorf("expected same number of filter chains in listener (%d) and mutable (%d)", len(mutable.Listener.FilterChains), len(mutable.FilterChains)) } for i := range mutable.Listener.FilterChains { - chain := &mutable.Listener.FilterChains[i] - chain.TlsContext = buildListenerTLSContext(authnPolicy, chain.FilterChainMatch, in.Node.Type) + if in.Node.Type == model.Sidecar { + // Add TLS context only for sidecars. Not for gateways that already have TLS context + chain := &mutable.Listener.FilterChains[i] + chain.TlsContext = buildListenerTLSContext(authnPolicy, chain.FilterChainMatch, in.Node.Type) + } if in.ListenerProtocol == plugin.ListenerProtocolHTTP { // Adding Jwt filter and authn filter, if needed. if filter := BuildJwtFilter(authnPolicy); filter != nil { diff --git a/pilot/pkg/networking/plugin/plugin.go b/pilot/pkg/networking/plugin/plugin.go index 6cd8f321ba83..644a4a8ab2f3 100644 --- a/pilot/pkg/networking/plugin/plugin.go +++ b/pilot/pkg/networking/plugin/plugin.go 
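Review bot: Both `log.Debugf("failed to retrieve service for destination %q: %v", service.Hostname, err)` calls in `buildOutboundTCPFilterChainOpts` log the wrong host: the lookup that failed was for `dest.Host`, while `service.Hostname` is the service being processed, so the message should read `log.Debugf("failed to retrieve service for destination %q: %v", dest.Host, err)`. `tls.Route[0].Destination` and `tcp.Route[0].Destination` index without a length check, and `getVirtualServiceForHost` does an unchecked `config.Spec.(*v1alpha3.VirtualService)` assertion; if validation does not already reject an empty `route`, or `configs` is not pre-filtered to VirtualServices, one bad config object panics Pilot during generation, so `if len(tls.Route) == 0 { continue }` (and the tcp twin) plus a comment on the `configs` contract are cheap insurance. The unconditional default chain appended at the end means a TLS connection whose SNI matches none of the `sniHosts` is still forwarded to the service's default cluster rather than rejected; if that is intentional it deserves a sentence in the comment block. `matchTLS` and `matchTCP` are byte-identical apart from the match type and could share one helper taking `(gateways []string, sourceLabels map[string]string, port uint32)`.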
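Review bot: The new `in.Node.Type == model.Sidecar` guard keys on node type rather than on whether the chain already carries a TLS context, so the comment `Not for gateways that already have TLS context` is misleading: a gateway server with no `tls` block, or a PASSTHROUGH server that has no Envoy TLS context at all, is skipped too. That is presumably the intent (wrapping a passthrough chain in the authn mTLS context would break it), but it also means an authentication policy that selects a gateway workload is silently ignored here. I would reword the comment to `// Gateways get their TLS settings (including PASSTHROUGH, which has no TLS context) from the Gateway resource; authn-policy TLS applies to sidecars only` and emit a `log.Debugf` when a non-sidecar node has an `authnPolicy` so the no-op is visible. `buildFilter` starts and ends outside this hunk.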
@@ -50,7 +50,7 @@ func ModelProtocolToListenerProtocol(protocol model.Protocol) ListenerProtocol { switch protocol { case model.ProtocolHTTP, model.ProtocolHTTP2, model.ProtocolGRPC: return ListenerProtocolHTTP - case model.ProtocolTCP, model.ProtocolHTTPS, model.ProtocolTCPTLS, + case model.ProtocolTCP, model.ProtocolHTTPS, model.ProtocolTLS, model.ProtocolMongo, model.ProtocolRedis: return ListenerProtocolTCP default: diff --git a/pilot/test/client/client.go b/pilot/test/client/client.go index 1cfb9e5e30e7..b4b7d6a44f60 100644 --- a/pilot/test/client/client.go +++ b/pilot/test/client/client.go @@ -83,6 +83,14 @@ func makeHTTPRequest(client *http.Client) job { log.Printf("[%d] Header=%s:%s\n", i, headerKey, headerVal) } + if strings.HasPrefix(url, "https://") { + // Set SNI value to be same as the request Host + // For use with SNI routing tests + var httpTransport *http.Transport + httpTransport = client.Transport.(*http.Transport) + httpTransport.TLSClientConfig.ServerName = req.Host + } + resp, err := client.Do(req) if err != nil { return err diff --git a/tests/e2e/tests/pilot/authn_policy_test.go b/tests/e2e/tests/pilot/authn_policy_test.go index 7e17842c2515..551049abe625 100644 --- a/tests/e2e/tests/pilot/authn_policy_test.go +++ b/tests/e2e/tests/pilot/authn_policy_test.go @@ -172,9 +172,9 @@ func TestGatewayIngress_AuthN_JWT(t *testing.T) { cfgs := &deployableConfig{ Namespace: tc.Kube.Namespace, YamlFiles: []string{ - "testdata/v1alpha3/ingressgateway.yaml", - maybeAddTLSForDestinationRule(tc, "testdata/v1alpha3/destination-rule-c.yaml"), - "testdata/v1alpha3/rule-ingressgateway.yaml", + "testdata/networking/v1alpha3/ingressgateway.yaml", + maybeAddTLSForDestinationRule(tc, "testdata/networking/v1alpha3/destination-rule-c.yaml"), + "testdata/networking/v1alpha3/rule-ingressgateway.yaml", "testdata/authn/v1alpha1/authn-policy-ingressgateway-jwt.yaml"}, } 
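Review bot: In the new `https://` branch of `makeHTTPRequest`, `client.Transport.(*http.Transport)` is an unchecked type assertion and `httpTransport.TLSClientConfig` is dereferenced with no nil check, so a client built with the default transport (nil `Transport`) or without a `TLSClientConfig` panics the test client instead of failing the request. Guarding it as `if t, ok := client.Transport.(*http.Transport); ok && t.TLSClientConfig != nil { t.TLSClientConfig.ServerName = req.Host }` keeps the intended SNI-equals-Host behaviour without the crash; if `req.Host` can carry a port it should be stripped first, since a host:port is not a valid SNI value. The assignment also mutates the shared transport, which is a data race if several jobs run against one client concurrently, though whether they do is outside this hunk.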
diff --git a/tests/e2e/tests/pilot/egressgateway_test.go b/tests/e2e/tests/pilot/egressgateway_test.go index 25cc0d8d4399..da1772b06ba5 100644 --- a/tests/e2e/tests/pilot/egressgateway_test.go +++ b/tests/e2e/tests/pilot/egressgateway_test.go @@ -29,17 +29,17 @@ import ( // 3.a. Traffic from all sidecars (i.e. mesh gateway) goes to egress gateway svc // 3.b. Traffic from egress gateway goes to actual destination (in our case, its t) // The tests will only check for requests from a->t with host matching ext service -func TestEgressGateway(t *testing.T) { +func TestRouteHTTPViaEgressGateway(t *testing.T) { // In authn enable test, mTLS is enabled globally, which mean all clients will use TLS // to talk to egress-gateway. We need to explicitly specify the TLSMode to DISABLE in the // DestinationRule to the gateway. cfgs := &deployableConfig{ Namespace: tc.Kube.Namespace, YamlFiles: []string{ - "testdata/v1alpha3/disable-mtls-egressgateway.yaml", - "testdata/v1alpha3/egressgateway.yaml", - "testdata/v1alpha3/service-entry.yaml", - "testdata/v1alpha3/rule-route-via-egressgateway.yaml"}, + "testdata/networking/v1alpha3/disable-mtls-egressgateway.yaml", + "testdata/networking/v1alpha3/egressgateway.yaml", + "testdata/networking/v1alpha3/service-entry-bookinfo.yaml", + "testdata/networking/v1alpha3/rule-route-via-egressgateway.yaml"}, kubeconfig: tc.Kube.KubeConfig, } if err := cfgs.Setup(); err != nil { @@ -48,7 +48,7 @@ func TestEgressGateway(t *testing.T) { defer cfgs.Teardown() for cluster := range tc.Kube.Clusters { - runRetriableTest(t, cluster, "RouteViaEgressGateway", defaultRetryBudget, func() error { + runRetriableTest(t, cluster, "RouteHTTPViaEgressGateway", defaultRetryBudget, func() error { // We use an arbitrary IP to ensure that the test fails if networking logic is implemented incorrectly reqURL := fmt.Sprintf("http://1.1.1.1/bookinfo") resp := ClientRequest(cluster, "a", reqURL, 100, "-key Host -val scooby.eu.bookinfo.com") 
@@ -68,3 +68,44 @@ func TestEgressGateway(t *testing.T) { }) } } + +// To route all external traffic to https://www.google.com via Istio Egress gateway +// 1. Add service entries +// 2. Add egress gateway +// 3. Add virtual service for each service entry such that +// 3.a. TLS Traffic from all sidecars (i.e. mesh gateway) goes to egress gateway svc +// 3.b. TLS Traffic from egress gateway goes to actual destination (in our case, its google.com) +func TestRouteSNIViaEgressGateway(t *testing.T) { + // In authn enable test, mTLS is enabled globally, which mean all clients will use TLS + // to talk to egress-gateway. We need to explicitly specify the TLSMode to DISABLE in the + // DestinationRule to the gateway. + cfgs := &deployableConfig{ + Namespace: tc.Kube.Namespace, + YamlFiles: []string{ + "testdata/networking/v1alpha3/disable-mtls-egressgateway.yaml", + "testdata/networking/v1alpha3/egressgateway.yaml", + "testdata/networking/v1alpha3/service-entry-google.yaml", + "testdata/networking/v1alpha3/rule-route-via-egressgateway.yaml"}, + kubeconfig: tc.Kube.KubeConfig, + } + if err := cfgs.Setup(); err != nil { + t.Fatal(err) + } + defer cfgs.Teardown() + + for cluster := range tc.Kube.Clusters { + runRetriableTest(t, cluster, "RouteSNIViaEgressGateway", defaultRetryBudget, func() error { + reqURL := fmt.Sprintf("https://www.google.com") + resp := ClientRequest(cluster, "a", reqURL, 100, "") + count := make(map[string]int) + for _, elt := range resp.Code { + count[elt]++ + } + log.Infof("request counts %v", count) + if count[httpOK] >= 95 { + return nil + } + return errAgain + }) + } +} diff --git a/tests/e2e/tests/pilot/externalservice_test.go b/tests/e2e/tests/pilot/externalservice_test.go index 663be6f4c06e..40e7d87ba610 100644 --- a/tests/e2e/tests/pilot/externalservice_test.go +++ b/tests/e2e/tests/pilot/externalservice_test.go 
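Review bot: `TestRouteSNIViaEgressGateway` only asserts that at least 95 of 100 HTTPS requests to www.google.com returned 200, which does not show that the traffic traversed the egress gateway: if the sidecar routed to google.com directly, or the VirtualService failed to bind, the test still passes. The HTTP variant above pins the path with an arbitrary IP plus a Host header; the equivalent here would be checking the egress gateway's access log or request stats for the www.google.com SNI, or giving the ServiceEntry an address that is only reachable via the gateway. The test also depends on an external site being reachable from CI, which will be flaky, and `fmt.Sprintf("https://www.google.com")` with no arguments can be a plain string literal.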
@@ -36,44 +36,44 @@ func TestServiceEntry(t *testing.T) { }{ { name: "REACHABLE_httpbin.org", - config: "testdata/v1alpha3/serviceentry-httpbin.yaml", + config: "testdata/networking/v1alpha3/serviceentry-httpbin.yaml", url: "http://httpbin.org/headers", shouldBeReachable: true, }, { name: "UNREACHABLE_httpbin.org_443", - config: "testdata/v1alpha3/serviceentry-httpbin.yaml", + config: "testdata/networking/v1alpha3/serviceentry-httpbin.yaml", url: "https://httpbin.org:443/headers", shouldBeReachable: false, }, { name: "REACHABLE_www.httpbin.org", - config: "testdata/v1alpha3/serviceentry-wildcard-httpbin.yaml", + config: "testdata/networking/v1alpha3/serviceentry-wildcard-httpbin.yaml", url: "http://www.httpbin.org/headers", shouldBeReachable: true, }, { name: "UNREACHABLE_httpbin.org", - config: "testdata/v1alpha3/serviceentry-wildcard-httpbin.yaml", + config: "testdata/networking/v1alpha3/serviceentry-wildcard-httpbin.yaml", url: "http://httpbin.org/headers", shouldBeReachable: false, }, { name: "REACHABLE_wikipedia_sni", - config: "testdata/v1alpha3/serviceentry-tcp-wikipedia-sni.yaml", + config: "testdata/networking/v1alpha3/serviceentry-tcp-wikipedia-sni.yaml", url: "https://www.wikipedia.org", shouldBeReachable: true, }, // FIXME: re-enable once we get this working //{ // name: "REACHABLE_wikipedia_range", - // config: "testdata/v1alpha3/serviceentry-tcp-wikipedia-cidr.yaml", + // config: "testdata/networking/v1alpha3/serviceentry-tcp-wikipedia-cidr.yaml", // url: "https://www.wikipedia.org", // shouldBeReachable: true, //}, { name: "UNREACHABLE_cnn", - config: "testdata/v1alpha3/serviceentry-tcp-wikipedia-cidr.yaml", + config: "testdata/networking/v1alpha3/serviceentry-tcp-wikipedia-cidr.yaml", url: "https://cnn.com", shouldBeReachable: false, }, diff --git a/tests/e2e/tests/pilot/ingressgateway_test.go b/tests/e2e/tests/pilot/ingressgateway_test.go index e1ee24877d06..f76f486b2d2c 100644 --- a/tests/e2e/tests/pilot/ingressgateway_test.go 
+++ b/tests/e2e/tests/pilot/ingressgateway_test.go @@ -50,9 +50,9 @@ func TestGateway_HTTPIngress(t *testing.T) { cfgs := &deployableConfig{ Namespace: tc.Kube.Namespace, YamlFiles: []string{ - "testdata/v1alpha3/ingressgateway.yaml", - maybeAddTLSForDestinationRule(tc, "testdata/v1alpha3/destination-rule-c.yaml"), - "testdata/v1alpha3/rule-ingressgateway.yaml"}, + "testdata/networking/v1alpha3/ingressgateway.yaml", + maybeAddTLSForDestinationRule(tc, "testdata/networking/v1alpha3/destination-rule-c.yaml"), + "testdata/networking/v1alpha3/rule-ingressgateway.yaml"}, kubeconfig: tc.Kube.KubeConfig, } if err := cfgs.Setup(); err != nil { @@ -61,7 +61,7 @@ func TestGateway_HTTPIngress(t *testing.T) { defer cfgs.Teardown() for cluster := range tc.Kube.Clusters { - runRetriableTest(t, cluster, "VersionRouting", defaultRetryBudget, func() error { + runRetriableTest(t, cluster, "HTTPIngressGateway", defaultRetryBudget, func() error { reqURL := fmt.Sprintf("http://%s.%s/c", ingressGatewayServiceName, istioNamespace) resp := ClientRequest(cluster, "t", reqURL, 100, "-key Host -val uk.bookinfo.com") count := make(map[string]int) 
@@ -77,45 +77,115 @@ func TestGateway_HTTPIngress(t *testing.T) { } } +func TestGateway_HTTPSIngress(t *testing.T) { + istioNamespace := tc.Kube.IstioSystemNamespace() + ingressGatewayServiceName := tc.Kube.IstioIngressGatewayService() + + // Configure a route from us.bookinfo.com to "c-v2" only + cfgs := &deployableConfig{ + Namespace: tc.Kube.Namespace, + YamlFiles: []string{ + "testdata/networking/v1alpha3/ingressgateway.yaml", + maybeAddTLSForDestinationRule(tc, "testdata/networking/v1alpha3/destination-rule-c.yaml"), + "testdata/networking/v1alpha3/rule-ingressgateway.yaml"}, + kubeconfig: tc.Kube.KubeConfig, + } + if err := cfgs.Setup(); err != nil { + t.Fatal(err) + } + defer cfgs.Teardown() + + for cluster := range tc.Kube.Clusters { + runRetriableTest(t, cluster, "HTTPSIngressGateway", defaultRetryBudget, func() error { + reqURL := fmt.Sprintf("https://%s.%s/c", ingressGatewayServiceName, istioNamespace) + resp := ClientRequest(cluster, "t", reqURL, 100, "-key Host -val uk.bookinfo.com") + count := make(map[string]int) + for _, elt := range resp.Version { + count[elt] = count[elt] + 1 + } + log.Infof("request counts %v", count) + if count["v2"] >= 95 { + return nil + } + return errAgain + }) + } +} + +func TestGateway_TCPIngress(t *testing.T) { + istioNamespace := tc.Kube.IstioSystemNamespace() + ingressGatewayServiceName := tc.Kube.IstioIngressGatewayService() + + // Configure a route from us.bookinfo.com to "c-v2" only + cfgs := &deployableConfig{ + Namespace: tc.Kube.Namespace, + YamlFiles: []string{ + "testdata/networking/v1alpha3/ingressgateway.yaml", + maybeAddTLSForDestinationRule(tc, "testdata/networking/v1alpha3/destination-rule-c.yaml"), + "testdata/networking/v1alpha3/rule-ingressgateway.yaml"}, + kubeconfig: tc.Kube.KubeConfig, + } + if err := cfgs.Setup(); err != nil { + t.Fatal(err) + } + defer cfgs.Teardown() + + for cluster := range tc.Kube.Clusters { + runRetriableTest(t, cluster, "TCPIngressGateway", defaultRetryBudget, func() error { + 
reqURL := fmt.Sprintf("http://%s.%s:31400/c", ingressGatewayServiceName, istioNamespace) + resp := ClientRequest(cluster, "t", reqURL, 100, "-key Host -val uk.bookinfo.com") + count := make(map[string]int) + for _, elt := range resp.Version { + count[elt] = count[elt] + 1 + } + log.Infof("request counts %v", count) + if count["v1"] >= 95 { + return nil + } + return errAgain + }) + } +} + func TestIngressGateway503DuringRuleChange(t *testing.T) { istioNamespace := tc.Kube.IstioSystemNamespace() ingressGatewayServiceName := tc.Kube.IstioIngressGatewayService() gateway := &deployableConfig{ Namespace: tc.Kube.Namespace, - YamlFiles: []string{"testdata/v1alpha3/ingressgateway.yaml"}, + YamlFiles: []string{"testdata/networking/v1alpha3/ingressgateway.yaml"}, kubeconfig: tc.Kube.KubeConfig, } // Add subsets newDestRule := &deployableConfig{ Namespace: tc.Kube.Namespace, - YamlFiles: []string{maybeAddTLSForDestinationRule(tc, "testdata/v1alpha3/rule-503test-destinationrule-c.yaml")}, + YamlFiles: []string{maybeAddTLSForDestinationRule(tc, "testdata/networking/v1alpha3/rule-503test-destinationrule-c.yaml")}, kubeconfig: tc.Kube.KubeConfig, } // route to subsets newVirtService := &deployableConfig{ Namespace: tc.Kube.Namespace, - YamlFiles: []string{"testdata/v1alpha3/rule-503test-virtualservice.yaml"}, + YamlFiles: []string{"testdata/networking/v1alpha3/rule-503test-virtualservice.yaml"}, kubeconfig: tc.Kube.KubeConfig, } addMoreSubsets := &deployableConfig{ Namespace: tc.Kube.Namespace, - YamlFiles: []string{maybeAddTLSForDestinationRule(tc, "testdata/v1alpha3/rule-503test-destinationrule-c-add-subset.yaml")}, + YamlFiles: []string{maybeAddTLSForDestinationRule(tc, "testdata/networking/v1alpha3/rule-503test-destinationrule-c-add-subset.yaml")}, kubeconfig: tc.Kube.KubeConfig, } routeToNewSubsets := &deployableConfig{ Namespace: tc.Kube.Namespace, - YamlFiles: []string{"testdata/v1alpha3/rule-503test-update-virtualservice.yaml"}, + YamlFiles: 
[]string{"testdata/networking/v1alpha3/rule-503test-update-virtualservice.yaml"}, kubeconfig: tc.Kube.KubeConfig, } deleteOldSubsets := &deployableConfig{ Namespace: tc.Kube.Namespace, - YamlFiles: []string{maybeAddTLSForDestinationRule(tc, "testdata/v1alpha3/rule-503test-destinationrule-c-del-subset.yaml")}, + YamlFiles: []string{maybeAddTLSForDestinationRule(tc, "testdata/networking/v1alpha3/rule-503test-destinationrule-c-del-subset.yaml")}, kubeconfig: tc.Kube.KubeConfig, } @@ -193,50 +263,3 @@ cleanup: } } } - -// TODO: rename this file gateway_test.go, merge w/ egress too? At least this test and test above -// use gateway as an "ingress" of sorts. -func TestGateway_TCP(t *testing.T) { - // TODO: use current namespace so test doesn't require --cluster_wide flag - // circle CI always runs with --cluster_wide, and its required for gateway tests atm due to - // gateway resource only being created in istio-system namespace - istioNamespace := tc.Kube.IstioSystemNamespace() - - cfgs := &deployableConfig{ - Namespace: istioNamespace, - YamlFiles: []string{ - "testdata/v1alpha3/rule-force-a-through-ingress-gateway.yaml", - "testdata/v1alpha3/rule-gateway-a.yaml", - "testdata/v1alpha3/gateway-tcp-a.yaml", - }, - kubeconfig: tc.Kube.KubeConfig, - } - if err := cfgs.Setup(); err != nil { - t.Fatal(err) - } - defer cfgs.Teardown() - - cases := []struct { - // empty destination to expect 404 - dst string - url string - }{ - { - dst: "a", - url: fmt.Sprintf("http://%s.%s:%d", "a", istioNamespace, 9090), - }, - } - t.Run("tcp_requests", func(t *testing.T) { - for _, c := range cases { - for cluster := range tc.Kube.Clusters { - runRetriableTest(t, cluster, c.url, defaultRetryBudget, func() error { - resp := ClientRequest(cluster, "b", c.url, 1, "") - if resp.IsHTTPOk() { - return nil - } - return errAgain - }) - } - } - }) -} diff --git a/tests/e2e/tests/pilot/routing_test.go b/tests/e2e/tests/pilot/routing_test.go index 506dd647e57e..bcc08216ec19 100644 
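Review bot: In `TestGateway_TCPIngress` the `-key Host -val uk.bookinfo.com` argument and the `Configure a route from us.bookinfo.com to "c-v2" only` comment are both carried over from the HTTP test and are misleading: on the plain TCP server the Host header is opaque payload that cannot influence routing, and the assertion expects `v1`, not v2. I would drop the header argument and reword the comment to `// Plain TCP on 31400: no host-based routing, the whole port is routed to c-v1`. `TestGateway_HTTPSIngress` copies the same v2 comment (correct there) but says nothing about whether the client verifies the gateway certificate or skips verification, which is not visible here and is worth one sentence. The body of `TestIngressGateway503DuringRuleChange` continues past this hunk.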
--- a/tests/e2e/tests/pilot/routing_test.go +++ b/tests/e2e/tests/pilot/routing_test.go @@ -169,10 +169,34 @@ func TestRoutes(t *testing.T) { expectedCount: map[string]int{"v1": 100, "v2": 0}, operation: "c.istio-system.svc.cluster.local:80/*", }, + { + testName: "a->c[v2=100]", + description: "routing tcp traffic from a to c-v2", + config: "virtualservice-route-tcp-a.yaml", + scheme: "http", + src: "a", + dst: "c:9090", + headerKey: "", + headerVal: "", + expectedCount: map[string]int{"v1": 0, "v2": 100}, + operation: "", + }, + { + testName: "b->c[v1=100]", + description: "routing tcp traffic from b to c-v1", + config: "virtualservice-route-tcp-a.yaml", + scheme: "http", + src: "b", + dst: "c:9090", + headerKey: "", + headerVal: "", + expectedCount: map[string]int{"v1": 100, "v2": 0}, + operation: "", + }, } t.Run("v1alpha3", func(t *testing.T) { - destRule := maybeAddTLSForDestinationRule(tc, "testdata/v1alpha3/destination-rule-c.yaml") + destRule := maybeAddTLSForDestinationRule(tc, "testdata/networking/v1alpha3/destination-rule-c.yaml") cfgs := &deployableConfig{ Namespace: tc.Kube.Namespace, YamlFiles: []string{destRule}, @@ -188,7 +212,7 @@ func TestRoutes(t *testing.T) { for _, c := range cases { // Run each case in a function to scope the configuration's lifecycle. func() { - ruleYaml := fmt.Sprintf("testdata/v1alpha3/%s", c.config) + ruleYaml := fmt.Sprintf("testdata/networking/v1alpha3/%s", c.config) applyRuleFunc(t, ruleYaml) for cluster := range tc.Kube.Clusters { @@ -238,7 +262,7 @@ func TestRoutes(t *testing.T) { } func TestRouteFaultInjection(t *testing.T) { - destRule := maybeAddTLSForDestinationRule(tc, "testdata/v1alpha3/destination-rule-c.yaml") + destRule := maybeAddTLSForDestinationRule(tc, "testdata/networking/v1alpha3/destination-rule-c.yaml") dRule := &deployableConfig{ Namespace: tc.Kube.Namespace, YamlFiles: []string{destRule}, 
@@ -251,7 +275,7 @@ func TestRouteFaultInjection(t *testing.T) { // Setup() or the Teardown() for the final rule. defer dRule.TeardownNoDelay() - ruleYaml := fmt.Sprintf("testdata/v1alpha3/rule-fault-injection.yaml") + ruleYaml := fmt.Sprintf("testdata/networking/v1alpha3/rule-fault-injection.yaml") cfgs := &deployableConfig{ Namespace: tc.Kube.Namespace, YamlFiles: []string{ruleYaml}, @@ -290,7 +314,7 @@ func TestRouteFaultInjection(t *testing.T) { func TestRouteRedirectInjection(t *testing.T) { // Push the rule config. - ruleYaml := fmt.Sprintf("testdata/v1alpha3/rule-redirect-injection.yaml") + ruleYaml := fmt.Sprintf("testdata/networking/v1alpha3/rule-redirect-injection.yaml") cfgs := &deployableConfig{ Namespace: tc.Kube.Namespace, YamlFiles: []string{ruleYaml}, @@ -340,7 +364,7 @@ func TestRouteMirroring(t *testing.T) { t.Skipf("Skipping %s due to incomplete implementation", t.Name()) logs := newAccessLogs() // Push the rule config. - ruleYaml := fmt.Sprintf("testdata/v1alpha3/rule-default-route-mirrored.yaml") + ruleYaml := fmt.Sprintf("testdata/networking/v1alpha3/rule-default-route-mirrored.yaml") cfgs := &deployableConfig{ Namespace: tc.Kube.Namespace, YamlFiles: []string{ruleYaml}, @@ -372,7 +396,7 @@ func TestRouteMirroring(t *testing.T) { func TestEnvoyFilterConfigViaCRD(t *testing.T) { cfgs := &deployableConfig{ Namespace: tc.Kube.Namespace, - YamlFiles: []string{"testdata/v1alpha3/envoyfilter-c.yaml"}, + YamlFiles: []string{"testdata/networking/v1alpha3/envoyfilter-c.yaml"}, kubeconfig: tc.Kube.KubeConfig, } if err := cfgs.Setup(); err != nil { diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/destination-rule-c.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/destination-rule-c.yaml similarity index 100% rename from tests/e2e/tests/pilot/testdata/v1alpha3/destination-rule-c.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/destination-rule-c.yaml 
diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/disable-mtls-egressgateway.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/disable-mtls-egressgateway.yaml similarity index 100% rename from tests/e2e/tests/pilot/testdata/v1alpha3/disable-mtls-egressgateway.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/disable-mtls-egressgateway.yaml diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/egressgateway.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/egressgateway.yaml similarity index 76% rename from tests/e2e/tests/pilot/testdata/v1alpha3/egressgateway.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/egressgateway.yaml index 08fcc98ed772..3cf0480c3b6c 100644 --- a/tests/e2e/tests/pilot/testdata/v1alpha3/egressgateway.yaml +++ b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/egressgateway.yaml @@ -15,4 +15,11 @@ spec: protocol: HTTP hosts: - "*.bookinfo.com" - + - port: + number: 443 + name: sni + protocol: TLS + hosts: + - www.google.com + tls: + mode: PASSTHROUGH diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/envoyfilter-c.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/envoyfilter-c.yaml similarity index 100% rename from tests/e2e/tests/pilot/testdata/v1alpha3/envoyfilter-c.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/envoyfilter-c.yaml diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/ingressgateway.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/ingressgateway.yaml similarity index 90% rename from tests/e2e/tests/pilot/testdata/v1alpha3/ingressgateway.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/ingressgateway.yaml index 82ff4b2d561e..0dd8296aa212 100644 --- a/tests/e2e/tests/pilot/testdata/v1alpha3/ingressgateway.yaml +++ b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/ingressgateway.yaml 
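Review bot: The new `PASSTHROUGH` server on 443 forwards TLS according to the client-presented SNI without terminating it, so the egress gateway can neither verify the upstream certificate nor inspect the stream; the `hosts` list is the only thing bounding what the gateway will proxy, and a VirtualService with `tls.match.sniHosts` bound to this gateway is still needed before anything is routed (the rule file is outside this hunk). A comment stating that would help the next reader: `# PASSTHROUGH: SNI-based forwarding, no TLS termination or upstream cert verification; keep hosts tight`.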
@@ -30,3 +30,9 @@ spec: privateKey: /etc/certs/key.pem caCertificates: /etc/certs/root-cert.pem #mode: MUTUAL # TODO + - port: + number: 31400 + protocol: TCP + name: tcp + hosts: + - uk.bookinfo.com diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-503test-destinationrule-c-add-subset.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-503test-destinationrule-c-add-subset.yaml similarity index 100% rename from tests/e2e/tests/pilot/testdata/v1alpha3/rule-503test-destinationrule-c-add-subset.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-503test-destinationrule-c-add-subset.yaml diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-503test-destinationrule-c-del-subset.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-503test-destinationrule-c-del-subset.yaml similarity index 100% rename from tests/e2e/tests/pilot/testdata/v1alpha3/rule-503test-destinationrule-c-del-subset.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-503test-destinationrule-c-del-subset.yaml diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-503test-destinationrule-c.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-503test-destinationrule-c.yaml similarity index 100% rename from tests/e2e/tests/pilot/testdata/v1alpha3/rule-503test-destinationrule-c.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-503test-destinationrule-c.yaml diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-503test-update-virtualservice.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-503test-update-virtualservice.yaml similarity index 91% rename from tests/e2e/tests/pilot/testdata/v1alpha3/rule-503test-update-virtualservice.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-503test-update-virtualservice.yaml index 544e328e8662..c7100b6af3e9 100644 --- a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-503test-update-virtualservice.yaml 
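Review bot: For the added TCP server on 31400, `hosts: - uk.bookinfo.com` does not constrain clients at all; a raw TCP connection carries no Host header or SNI, so this entry only selects which VirtualServices may bind to the server (the `gateway-bound-route` VirtualService in this change) and every client that reaches the port is forwarded. Because the TLS server just above it appears to use `hosts` as a real wire-level filter, a reader will assume the same here; suggest `# TCP: hosts only scopes VirtualService binding, not the peer — any client reaching 31400 is forwarded`. The `#mode: MUTUAL # TODO` on the 443 server above is still pending in this file.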
+++ b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-503test-update-virtualservice.yaml @@ -8,7 +8,9 @@ spec: gateways: - istio-ingressgateway # pinned to ingress gateway only http: - - route: + - match: + - port: 80 + route: - destination: host: c subset: v3 diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-503test-virtualservice.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-503test-virtualservice.yaml similarity index 91% rename from tests/e2e/tests/pilot/testdata/v1alpha3/rule-503test-virtualservice.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-503test-virtualservice.yaml index 9d1743ee3f90..a763c96e66fb 100644 --- a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-503test-virtualservice.yaml +++ b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-503test-virtualservice.yaml @@ -8,7 +8,9 @@ spec: gateways: - istio-ingressgateway # pinned to ingress gateway only http: - - route: + - match: + - port: 80 + route: - destination: host: c subset: v1 diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-content-route.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-content-route.yaml similarity index 100% rename from tests/e2e/tests/pilot/testdata/v1alpha3/rule-content-route.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-content-route.yaml diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-default-route-append-headers.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-default-route-append-headers.yaml similarity index 100% rename from tests/e2e/tests/pilot/testdata/v1alpha3/rule-default-route-append-headers.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-default-route-append-headers.yaml 
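Review bot: Both 503-test VirtualServices now match only `port: 80`, so if the ingress gateway also serves this host on its 443 server (ingressgateway.yaml in this change terminates TLS there), HTTPS requests to the same host stop matching and would get a 404 instead of the subset routing the test checks. rule-ingressgateway.yaml in the same change lists both `- port: 80` and `- port: 443`; use the same pair here unless the 503 test is deliberately HTTP-only, in which case a one-line comment saying so would stop the next person from "fixing" it.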
diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-default-route-cors-policy.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-default-route-cors-policy.yaml similarity index 100% rename from tests/e2e/tests/pilot/testdata/v1alpha3/rule-default-route-cors-policy.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-default-route-cors-policy.yaml diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-default-route-mirrored.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-default-route-mirrored.yaml similarity index 100% rename from tests/e2e/tests/pilot/testdata/v1alpha3/rule-default-route-mirrored.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-default-route-mirrored.yaml diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-default-route.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-default-route.yaml similarity index 100% rename from tests/e2e/tests/pilot/testdata/v1alpha3/rule-default-route.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-default-route.yaml diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-fault-injection.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-fault-injection.yaml similarity index 100% rename from tests/e2e/tests/pilot/testdata/v1alpha3/rule-fault-injection.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-fault-injection.yaml diff --git a/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-ingressgateway.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-ingressgateway.yaml new file mode 100644 index 000000000000..632e93721809 --- /dev/null +++ b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-ingressgateway.yaml 
@@ -0,0 +1,29 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: gateway-bound-route +spec: + hosts: + - uk.bookinfo.com + gateways: + - istio-ingressgateway # pinned to ingress gateway only + http: + - match: + - port: 80 + - port: 443 + route: + - destination: + host: c + subset: v2 + port: + number: 80 + tcp: + - match: + - port: 31400 + route: + - destination: + host: c + subset: v1 + port: + number: 90 + diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-redirect-injection.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-redirect-injection.yaml similarity index 100% rename from tests/e2e/tests/pilot/testdata/v1alpha3/rule-redirect-injection.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-redirect-injection.yaml diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-regex-route.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-regex-route.yaml similarity index 100% rename from tests/e2e/tests/pilot/testdata/v1alpha3/rule-regex-route.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-regex-route.yaml diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-route-via-egressgateway.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-route-via-egressgateway.yaml similarity index 65% rename from tests/e2e/tests/pilot/testdata/v1alpha3/rule-route-via-egressgateway.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-route-via-egressgateway.yaml index af72d2f1ab3c..dc3ee68d608e 100644 --- a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-route-via-egressgateway.yaml +++ b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-route-via-egressgateway.yaml @@ -5,6 +5,7 @@ metadata: spec: hosts: - "*.bookinfo.com" + - www.google.com gateways: # Pinned to both the sidecars (mesh) and egress gateway - istio-egressgateway 
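Review bot: In rule-ingressgateway.yaml the two `match` entries `- port: 80` and `- port: 443` are separate list items and therefore ORed, whereas conditions inside a single item are ANDed; that is easy to misread, and the `tcp` block right below uses the single-item form. A comment on the list would help: `# two match entries: accept the host on either gateway server (OR)`. The `subset: v1`/`subset: v2` references depend on destination-rule-c.yaml (renamed alongside this file) being applied first, and a missing DestinationRule typically shows up only at run time, so a header comment naming that dependency is worth adding. The file also ends with a blank `+` line that should be dropped.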
@@ -35,3 +36,26 @@ spec: weight: 100 appendHeaders: handled-by-egress-gateway: "true" + tls: + - match: + - gateways: + - mesh + port: 443 + sniHosts: + - www.google.com + route: + - destination: + host: istio-egressgateway.istio-system.svc.cluster.local + port: + number: 443 + - match: + - gateways: + - istio-egressgateway + port: 443 + sniHosts: + - www.google.com + route: + - destination: + host: www.google.com + port: + number: 443 diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-websocket-route.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-websocket-route.yaml similarity index 100% rename from tests/e2e/tests/pilot/testdata/v1alpha3/rule-websocket-route.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-websocket-route.yaml diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-weighted-route.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-weighted-route.yaml similarity index 100% rename from tests/e2e/tests/pilot/testdata/v1alpha3/rule-weighted-route.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/rule-weighted-route.yaml diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/service-entry.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/service-entry-bookinfo.yaml similarity index 100% rename from tests/e2e/tests/pilot/testdata/v1alpha3/service-entry.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/service-entry-bookinfo.yaml diff --git a/tests/e2e/tests/pilot/testdata/networking/v1alpha3/service-entry-google.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/service-entry-google.yaml new file mode 100644 index 000000000000..f187aee1a278 --- /dev/null +++ b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/service-entry-google.yaml 
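Review bot: The new `tls` block forwards the client's own TLS session from the sidecar to `istio-egressgateway.istio-system.svc.cluster.local:443` and on to www.google.com, selected solely by `sniHosts`; nothing in the VirtualService or the PASSTHROUGH gateway validates the upstream certificate, so trust in the endpoint rests entirely on the application doing its own verification. That should be written in the fixture rather than inferred, e.g. `# end-to-end app TLS: no termination at the gateway and no upstream cert check in the mesh; the client must verify www.google.com itself`. Note also that this makes the e2e test depend on the cluster having outbound internet access and on public DNS for www.google.com; in an egress-restricted environment the failure will look like a routing bug.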
@@ -0,0 +1,12 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: service-entry-google
+spec:
+ hosts:
+ - www.google.com
+ ports:
+ - number: 443
+ name: https
+ protocol: TLS
+ resolution: DNS
diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/serviceentry-httpbin.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/serviceentry-httpbin.yaml
similarity index 100%
rename from tests/e2e/tests/pilot/testdata/v1alpha3/serviceentry-httpbin.yaml
rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/serviceentry-httpbin.yaml
diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/serviceentry-nghttp2.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/serviceentry-nghttp2.yaml
similarity index 100%
rename from tests/e2e/tests/pilot/testdata/v1alpha3/serviceentry-nghttp2.yaml
rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/serviceentry-nghttp2.yaml
diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/serviceentry-tcp-wikipedia-cidr.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/serviceentry-tcp-wikipedia-cidr.yaml
similarity index 100%
rename from tests/e2e/tests/pilot/testdata/v1alpha3/serviceentry-tcp-wikipedia-cidr.yaml
rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/serviceentry-tcp-wikipedia-cidr.yaml
diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/serviceentry-tcp-wikipedia-sni.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/serviceentry-tcp-wikipedia-sni.yaml
similarity index 100%
rename from tests/e2e/tests/pilot/testdata/v1alpha3/serviceentry-tcp-wikipedia-sni.yaml
rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/serviceentry-tcp-wikipedia-sni.yaml
diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/serviceentry-wildcard-httpbin.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/serviceentry-wildcard-httpbin.yaml similarity index 100% rename from tests/e2e/tests/pilot/testdata/v1alpha3/serviceentry-wildcard-httpbin.yaml rename to tests/e2e/tests/pilot/testdata/networking/v1alpha3/serviceentry-wildcard-httpbin.yaml diff --git a/tests/e2e/tests/pilot/testdata/networking/v1alpha3/virtualservice-route-tcp-a.yaml b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/virtualservice-route-tcp-a.yaml new file mode 100644 index 000000000000..fdd1600b7dfc --- /dev/null +++ b/tests/e2e/tests/pilot/testdata/networking/v1alpha3/virtualservice-route-tcp-a.yaml @@ -0,0 +1,30 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: default-route + namespace: istio-system +spec: + hosts: + - c + tcp: + - match: + - port: 9090 + source_labels: + app: a + route: + - destination: + host: c + subset: v2 + port: + number: 9090 + weight: 100 + - match: + - port: 90 + - port: 9090 + route: + - destination: + host: c + subset: v1 + port: + number: 90 + weight: 100 diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/gateway-tcp-a.yaml b/tests/e2e/tests/pilot/testdata/v1alpha3/gateway-tcp-a.yaml deleted file mode 100644 index 47b663397ec6..000000000000 --- a/tests/e2e/tests/pilot/testdata/v1alpha3/gateway-tcp-a.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# Routes TCP traffic through the ingressgateway Gateway to service A. -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: gateway-a -spec: - selector: - # DO NOT CHANGE THESE LABELS - # The ingressgateway is defined in install/kubernetes/helm/istio/values.yaml - # with these labels - istio: ingressgateway - servers: - - port: - number: 31400 - protocol: TCP - name: tcp - hosts: - - a.istio-system.svc.cluster.local 
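Review bot: `source_labels` in virtualservice-route-tcp-a.yaml is the proto field name rather than the camelCase form used elsewhere in these fixtures (`sniHosts`, `appendHeaders`, and `sourceSubnet` in the file this replaces); jsonpb accepts both, but mixed styles make the rules harder to grep and tooling that validates against the JSON names may reject it. Prefer `sourceLabels:` here. A one-line comment on the first rule would also help, since the two rules interact: `# a -> c:9090 goes to v2; all other TCP on 90/9090 goes to v1:90`.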
diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-force-a-through-ingress-gateway.yaml b/tests/e2e/tests/pilot/testdata/v1alpha3/rule-force-a-through-ingress-gateway.yaml deleted file mode 100644 index 34add5d857cc..000000000000 --- a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-force-a-through-ingress-gateway.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: force-a-through-ingress-gateway -spec: - hosts: - - a - tcp: - - match: - # only match the TCP port so we don't affect HTTP traffic - - port: 9090 - # TODO: is this always safe for our tests? - sourceSubnet: "10.0.0.0/8" - route: - - destination: - # use the shortname so the test doesn't depend on istio-system namespace - host: istio-ingressgateway - port: - number: 31400 \ No newline at end of file diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-gateway-a.yaml b/tests/e2e/tests/pilot/testdata/v1alpha3/rule-gateway-a.yaml deleted file mode 100644 index 8f786a9dd7d3..000000000000 --- a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-gateway-a.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# Routes TCP traffic through the ingressgateway Gateway to service A. -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: rule-gateway-a -spec: - hosts: - - a.istio-system.svc.cluster.local - gateways: - - gateway-a - tcp: - - route: - - destination: - host: a - port: - number: 90 diff --git a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-ingressgateway.yaml b/tests/e2e/tests/pilot/testdata/v1alpha3/rule-ingressgateway.yaml deleted file mode 100644 index 44dd2d21e35e..000000000000 --- a/tests/e2e/tests/pilot/testdata/v1alpha3/rule-ingressgateway.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: gateway-bound-route -spec: - hosts: - - uk.bookinfo.com - gateways: - - istio-ingressgateway # pinned to ingress gateway only - http: - - route: - - destination: - host: c - subset: v2 - port: - number: 80 - weight: 100 diff --git a/tests/helm/iperf3-noistio.yaml b/tests/helm/iperf3-noistio.yaml new file mode 100644 index 000000000000..22f6912394a2 --- /dev/null +++ b/tests/helm/iperf3-noistio.yaml @@ -0,0 +1,58 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: iperfraw +spec: + hosts: + - "iperf3raw.{{ .Values.domain }}" + gateways: + - istio-gateway + tcp: + - route: + - destination: + host: iperf3-raw.test.svc.cluster.local + port: + number: 5202 +--- +apiVersion: v1 +kind: Service +metadata: + name: iperf3-raw +spec: + ports: + - name: tcp1 + port: 5202 + targetPort: 5202 + selector: + app: iperf3-raw +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: iperf3-raw +spec: + replicas: 1 + template: + metadata: + labels: + app: iperf3-raw + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - image: docker.io/networkstatic/iperf3 + imagePullPolicy: IfNotPresent + name: iperf3-raw + ports: + - containerPort: 5202 + args: + - '-s' + - '-p' + - '5202' + resources: + requests: + cpu: 1000m + memory: "1G" + limits: + cpu: 1000m + memory: "2G" \ No newline at end of file diff --git a/tests/helm/setup.sh b/tests/helm/setup.sh index 260010014ca9..9f8a916637ca 100644 --- a/tests/helm/setup.sh +++ b/tests/helm/setup.sh 
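Review bot: The `iperfraw` VirtualService has a `tcp` route with no `match`, so it attaches to every TCP server of `istio-gateway`, which in this change are 5201 (`tcp-iperf3`) and 5203 (`tcp-iperf-tls`) — there is no 5202 server — and it competes with the iperf VirtualServices in the other templates for the same listeners. Give it an explicit `match: - port: <gateway port>` and add that port to gateway.yaml so the binding is deterministic. Separately, `docker.io/networkstatic/iperf3` is pulled with an implicit `latest` tag from a third-party namespace; for a baseline whose numbers are compared over time, pin it to a digest. This Deployment also uses `extensions/v1beta1` with no `selector` while the sibling templates use `apps/v1beta1`; pick one.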
@@ -8,7 +8,15 @@ function testIstioSystem() { --values tests/helm/values-istio-test.yaml \ --set global.refreshInterval=30s \ --set global.tag=$TAG \ + --set global.proxy.accessLogFile="" \ + --set global.proxy.resources.requests.cpu=1100m \ + --set global.proxy.resources.requests.memory=256Mi \ + --set global.imagePullPolicy=Always \ --set global.hub=$HUB \ + --set gateways.istio-ingressgateway.resources.requests.cpu=1900m \ + --set gateways.istio-ingressgateway.resources.requests.memory=512Mi \ + --set gateways.istio-ingressgateway.resources.limits.cpu=1900m \ + --set gateways.istio-ingressgateway.resources.limits.memory=512Mi \ install/kubernetes/helm/istio | \ kubectl apply -n istio-system -f - popd @@ -20,11 +28,10 @@ function testInstall() { kubectl create ns istio-system testIstioSystem - kubectl -n test apply -f samples/httpbin/httpbin.yaml - kubectl create ns test kubectl label namespace test istio-injection=enabled + kubectl -n test apply -f samples/httpbin/httpbin.yaml kubectl create ns bookinfo kubectl label namespace bookinfo istio-injection=enabled kubectl -n bookinfo apply -f samples/bookinfo/kube/bookinfo.yaml @@ -33,7 +40,8 @@ function testInstall() { # Apply the helm template function testApply() { pushd $TOP/src/istio.io/istio - helm -n test template tests/helm |kubectl -n test apply -f - + helm -n test template \ + tests/helm |kubectl -n test apply -f - popd } 
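Review bot: `--set global.proxy.accessLogFile=""` switches the sidecar access log off cluster-wide; that is a reasonable choice for a throughput test, but it also removes the only per-request record available when a long-running cluster misbehaves, so it deserves an inline comment: `# access log disabled for throughput; re-enable (/dev/stdout) when debugging`. The pre-existing `$TAG` and `$HUB` expansions in this argument list are unquoted; `--set global.tag="$TAG"` and `--set global.hub="$HUB"` avoid word-splitting if either is ever empty or contains spaces. testIstioSystem begins above this hunk.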
@@ -46,17 +54,27 @@ function testCreateDNS() { gcloud dns --project=$DNS_PROJECT record-sets transaction start --zone=$DNS_ZONE - gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress08.$DNS_DOMAIN --name=grafana.v08.$DNS_DOMAIN --ttl=300 --type=CNAME --zone=$DNS_ZONE - gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress08.$DNS_DOMAIN --name=prom.v08.$DNS_DOMAIN --ttl=300 --type=CNAME --zone=$DNS_ZONE - gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress08.$DNS_DOMAIN --name=fortio2.v08.$DNS_DOMAIN --ttl=300 --type=CNAME --zone=$DNS_ZONE - gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress08.$DNS_DOMAIN --name=pilot.v08.$DNS_DOMAIN --ttl=300 --type=CNAME --zone=$DNS_ZONE - gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress08.$DNS_DOMAIN --name=fortio.v08.$DNS_DOMAIN --ttl=300 --type=CNAME --zone=$DNS_ZONE - gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress08.$DNS_DOMAIN --name=fortioraw.v08.$DNS_DOMAIN --ttl=300 --type=CNAME --zone=$DNS_ZONE - gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress08.$DNS_DOMAIN --name=bookinfo.v08.$DNS_DOMAIN --ttl=300 --type=CNAME --zone=$DNS_ZONE - gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress08.$DNS_DOMAIN --name=httpbin.v08.$DNS_DOMAIN --ttl=300 --type=CNAME --zone=$DNS_ZONE - gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress08.$DNS_DOMAIN --name=citadel.v08.$DNS_DOMAIN --ttl=300 --type=CNAME --zone=$DNS_ZONE - gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress08.$DNS_DOMAIN --name=mixer.v08.$DNS_DOMAIN --ttl=300 --type=CNAME --zone=$DNS_ZONE + # gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress10.${DNS_DOMAIN}. --name=grafana.v10.${DNS_DOMAIN}. --ttl=300 --type=CNAME --zone=$DNS_ZONE + gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress10.${DNS_DOMAIN}. --name=prom.v10.${DNS_DOMAIN}. 
--ttl=300 --type=CNAME --zone=$DNS_ZONE + gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress10.${DNS_DOMAIN}. --name=fortio2.v10.${DNS_DOMAIN}. --ttl=300 --type=CNAME --zone=$DNS_ZONE + gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress10.${DNS_DOMAIN}. --name=pilot.v10.${DNS_DOMAIN}. --ttl=300 --type=CNAME --zone=$DNS_ZONE + gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress10.${DNS_DOMAIN}. --name=fortio.v10.${DNS_DOMAIN}. --ttl=300 --type=CNAME --zone=$DNS_ZONE + gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress10.${DNS_DOMAIN}. --name=fortioraw.v10.${DNS_DOMAIN}. --ttl=300 --type=CNAME --zone=$DNS_ZONE + gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress10.${DNS_DOMAIN}. --name=bookinfo.v10.${DNS_DOMAIN}. --ttl=300 --type=CNAME --zone=$DNS_ZONE + gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress10.${DNS_DOMAIN}. --name=httpbin.v10.${DNS_DOMAIN}. --ttl=300 --type=CNAME --zone=$DNS_ZONE + gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress10.${DNS_DOMAIN}. --name=citadel.v10.${DNS_DOMAIN}. --ttl=300 --type=CNAME --zone=$DNS_ZONE + gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress10.${DNS_DOMAIN}. --name=mixer.v10.${DNS_DOMAIN}. --ttl=300 --type=CNAME --zone=$DNS_ZONE gcloud dns --project=$DNS_PROJECT record-sets transaction execute --zone=$DNS_ZONE } +# Run this after adding a new name for ingress testing +function testAddDNS() { + local N=$1 + + gcloud dns --project=$DNS_PROJECT record-sets transaction start --zone=$DNS_ZONE + + gcloud dns --project=$DNS_PROJECT record-sets transaction add ingress10.${DNS_DOMAIN}. --name=${N}.v10.${DNS_DOMAIN}. --ttl=300 --type=CNAME --zone=$DNS_ZONE + + gcloud dns --project=$DNS_PROJECT record-sets transaction execute --zone=$DNS_ZONE +} \ No newline at end of file 
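Review bot: `testAddDNS` builds the record name from `$1` with no check, so calling it with no argument starts a transaction that adds `.v10.${DNS_DOMAIN}.` and executes it; add `[ -n "$N" ] || { echo "usage: testAddDNS <name>" >&2; return 1; }` before the transaction starts, and quote the expansions (`--project="$DNS_PROJECT"`, `--zone="$DNS_ZONE"`). If `transaction add` fails, the transaction appears to be left open for the next call to trip over; consider `|| gcloud dns ... transaction abort --zone="$DNS_ZONE"`. The commented-out grafana line in testCreateDNS is unexplained — either delete it or say why grafana is no longer published. The record list has also drifted from gateway.yaml in this change: `fortioraw` gets a record but is no longer a gateway host, while `fortiotls`, `fortionoistio`, `fortio080`, `fortio10rc1` and `fortiomaster` are gateway hosts with no record here (fine if they are meant to go through testAddDNS, but say so).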
diff --git a/tests/helm/templates/fortio-080.yaml b/tests/helm/templates/fortio-080.yaml new file mode 100644 index 000000000000..5b20a853cbd9 --- /dev/null +++ b/tests/helm/templates/fortio-080.yaml @@ -0,0 +1,60 @@ +# Fortio with 0.8.0 sidecar +apiVersion: v1 +kind: Service +metadata: + name: fortio080 +spec: + ports: + - port: 8080 + name: http-echo + - port: 8079 + name: grpc-ping + selector: + app: fortiov080 +--- +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + name: fortiov080 +spec: + replicas: 1 + template: + metadata: + labels: + app: fortiov080 + version: fortio080 + annotations: + sidecar.istio.io/proxyImage: istio/proxyv2:0.8.0 + spec: + containers: + - name: echosrv + image: istio/fortio:latest + imagePullPolicy: Always + ports: + - containerPort: 8080 + - containerPort: 8079 + args: + - server + resources: + requests: + cpu: 800m + memory: "1G" + limits: + cpu: 1000m + memory: "1G" +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: fortio080 +spec: + hosts: + - "fortio080.{{.Values.domain}}" + gateways: + - istio-gateway + http: + - route: + - destination: + host: fortio080.test.svc.cluster.local + port: + number: 8080 diff --git a/tests/helm/templates/fortio-10rc1.yaml b/tests/helm/templates/fortio-10rc1.yaml new file mode 100644 index 000000000000..3a7a17256a95 --- /dev/null +++ b/tests/helm/templates/fortio-10rc1.yaml 
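Review bot: The server runs `istio/fortio:latest` with `imagePullPolicy: Always`, so every pod restart in this long-running cluster may pull a different fortio build while the sidecar next to it is pinned to `istio/proxyv2:0.8.0`; comparisons across the 0.8.0, 1.0rc1 and master deployments then measure an unknown mix of server and proxy changes. Pin the image by tag or digest (and likewise in the sibling templates), or add `# fortio:latest is intentional; only the proxy version varies between these deployments` if drift is accepted. `apps/v1beta1` Deployments without `spec.selector` rely on the API server inferring it from the template labels; stating it explicitly is cheap and survives the move to apps/v1.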
@@ -0,0 +1,61 @@ +# Fortio with 1.0RC1 sidecar +apiVersion: v1 +kind: Service +metadata: + name: fortio10rc1 +spec: + ports: + - port: 8080 + name: http-echo + - port: 8079 + name: grpc-ping + selector: + app: fortio10rc1 +--- +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + name: fortio10rc1 +spec: + replicas: 1 + template: + metadata: + labels: + app: fortio10rc1 + version: fortio10rc1 + annotations: + sidecar.istio.io/proxyImage: istio/proxyv2:1.0.0-snapshot.0 + spec: + containers: + - name: echosrv + image: istio/fortio:latest + imagePullPolicy: Always + ports: + - containerPort: 8080 + - containerPort: 8079 + args: + - server + resources: + requests: + cpu: 800m + memory: "1G" + limits: + cpu: 1000m + memory: "1G" + +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: fortio10rc1 +spec: + hosts: + - "fortio10rc1.{{.Values.domain}}" + gateways: + - istio-gateway + http: + - route: + - destination: + host: fortio10rc1.test.svc.cluster.local + port: + number: 8080 diff --git a/tests/helm/templates/fortio-cli.yaml b/tests/helm/templates/fortio-cli.yaml index 04ed238cacec..56dfb5270d72 100644 --- a/tests/helm/templates/fortio-cli.yaml +++ b/tests/helm/templates/fortio-cli.yaml 
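Review bot: The header says "Fortio with 1.0RC1 sidecar" but the annotation pins `istio/proxyv2:1.0.0-snapshot.0`; if that snapshot is what was published as RC1 the comment should say so (`# 1.0.0-snapshot.0 is the 1.0 RC1 proxy build`), otherwise the deployment name and labels (`fortio10rc1`) mislabel the results. There is also a stray blank `+` line before the `---` separator.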
@@ -1,13 +1,51 @@ +## Fortio clients generating traffic on different components. +# Generally use the ingress gateway - to capture non-istio service as well. +--- apiVersion: apps/v1beta1 kind: Deployment metadata: - name: fortio-cli1 + name: cli-fortio-tls spec: replicas: 1 template: metadata: labels: - app: fortio-cli1 + app: cli-fortio-tls + version: v1-tls + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - name: echosrv + image: istio/fortio:latest + imagePullPolicy: Always + args: + - load + - -t + - "0" + - -c + - "32" + - -qps + - "1000" + - http://fortiotls.{{ .Values.domain }}/echo?size=5000 + resources: + requests: + cpu: 800m + memory: "1G" + limits: + cpu: 1000m + memory: "1G" +--- +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + name: fortio-cli-raw +spec: + replicas: 1 + template: + metadata: + labels: + app: fortio-cli-raw version: v1 annotations: sidecar.istio.io/inject: "false" @@ -24,7 +62,7 @@ spec: - "32" - -qps - "1000" - - http://fortio2.v08.istio.webinf.info/echo?size=5000 + - http://fortionoistio.{{ .Values.domain }}/echo?size=5000 resources: requests: cpu: 800m @@ -59,7 +97,7 @@ spec: - "32" - -qps - "1000" - - http://fortio.v08.istio.webinf.info/echo?size=5000 + - http://fortiomaster.{{ .Values.domain }}/echo?size=5000 resources: requests: cpu: 800m 
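Review bot: `cli-fortio-tls` drives `http://fortiotls.{{ .Values.domain }}/...`, i.e. cleartext to the ingress gateway; only the gateway-to-service hop is mTLS (via fortio-tls.yaml's DestinationRule), so the client's name suggests more than it measures. A comment on the args would prevent the misreading: `# plaintext to the ingress gateway; mTLS only between the gateway and fortiotls`. All the client containers are also named `echosrv`, copied from the server templates; `name: fortio-load` would match what they do. The new header comment should say which component each client exercises, since the deployments are otherwise identical except for the URL.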
@@ -67,4 +105,75 @@ spec: limits: cpu: 1000m memory: "1G" ---- \ No newline at end of file + +--- +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + name: cli-fortio10rc1 +spec: + replicas: 1 + template: + metadata: + labels: + app: cli-fortio10rc1 + version: cli-fortio10rc1 + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - name: echosrv + image: istio/fortio:latest + imagePullPolicy: Always + args: + - load + - -t + - "0" + - -c + - "32" + - -qps + - "1000" + - http://fortio10rc1.{{ .Values.domain }}/echo?size=5000 + resources: + requests: + cpu: 400m + memory: "1G" + limits: + cpu: 500m + memory: "1G" + +--- +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + name: cli-fortio080 +spec: + replicas: 1 + template: + metadata: + labels: + app: cli-fortio080 + version: cli-fortio080 + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - name: echosrv + image: istio/fortio:latest + imagePullPolicy: Always + args: + - load + - -t + - "0" + - -c + - "32" + - -qps + - "1000" + - http://fortio080.{{ .Values.domain }}/echo?size=5000 + resources: + requests: + cpu: 400m + memory: "1G" + limits: + cpu: 500m + memory: "1G" diff --git a/tests/helm/templates/fortio-alpha1.yaml b/tests/helm/templates/fortio-master.yaml similarity index 60% rename from tests/helm/templates/fortio-alpha1.yaml rename to tests/helm/templates/fortio-master.yaml index e2c238c1461a..d88c4cd0f645 100644 --- a/tests/helm/templates/fortio-alpha1.yaml +++ b/tests/helm/templates/fortio-master.yaml @@ -1,8 +1,8 @@ -# Fortio with alpha1/v1 +# Fortio with latest sidecar apiVersion: v1 kind: Service metadata: - name: alpha1 + name: fortiomaster spec: ports: - port: 8080 
@@ -10,20 +10,21 @@ spec: - port: 8079 name: grpc-ping selector: - app: alpha1 + app: fortiomaster --- apiVersion: apps/v1beta1 kind: Deployment metadata: - name: alpha1 + name: fortiomaster spec: replicas: 1 template: metadata: labels: - app: alpha1 + app: fortiomaster + version: fortiomaster annotations: - sidecar.istio.io/proxyImage: istionightly/proxyv2:nightly-release-0.8 + sidecar.istio.io/proxyImage: istionightly/proxyv2:nightly-master spec: containers: - name: echosrv @@ -41,3 +42,20 @@ spec: limits: cpu: 1000m memory: "1G" + +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: fortiomaster +spec: + hosts: + - "fortiomaster.{{.Values.domain}}" + gateways: + - istio-gateway + http: + - route: + - destination: + host: fortiomaster.test.svc.cluster.local + port: + number: 8080 diff --git a/tests/helm/templates/fortio-noistio.yaml b/tests/helm/templates/fortio-noistio.yaml index 369b58289f53..71fd8ce8fa24 100644 --- a/tests/helm/templates/fortio-noistio.yaml +++ b/tests/helm/templates/fortio-noistio.yaml @@ -1,35 +1,27 @@ # 2 fortio servers, not istio injected (to baseline service-to-service without istio) # 0.8 CPU each. -apiVersion: v1 -kind: Service -metadata: - name: fortio-noistio1 -spec: - ports: - - port: 8080 - name: http-echo - - port: 8079 - name: grpc-ping - selector: - name: fortio-noistio1 ---- -apiVersion: v1 -kind: Service + +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService metadata: - name: fortio-noistio2 + name: fortionoistio spec: - ports: - - port: 8080 - name: http-echo - - port: 8079 - name: grpc-ping - selector: - name: fortio-noistio2 + hosts: + - "fortionoistio.{{.Values.domain}}" + gateways: + - istio-gateway + http: + - route: + - destination: + host: fortionoistio.test.svc.cluster.local + port: + number: 8080 --- + apiVersion: v1 kind: Service metadata: - name: fortio-noistio + name: fortionoistio spec: ports: - port: 8080 
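Review bot: `sidecar.istio.io/proxyImage: istionightly/proxyv2:nightly-master` is a floating tag, and setup.sh in this change sets `global.imagePullPolicy=Always`, so the proxy under test can change on any pod restart without a config change; that is presumably the intent for a "latest sidecar" deployment but should be explicit: `# floating tag: the proxy changes with every nightly; record the image digest with each measurement`. For the fortionoistio rewrite, the Service `selector` switches from `app:` to `name:` (in the next hunk) while the Deployment carries both labels; either works, but the other templates select on `app`, so matching them avoids a surprise later.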
@@ -37,61 +29,20 @@ spec: - port: 8079 name: grpc-ping selector: - app: fortio-noistio ---- -apiVersion: v1 -kind: Service -metadata: - name: fortio-noistio-headless -spec: - clusterIP: None - ports: - - port: 8080 - name: http-echo - - port: 8079 - name: grpc-ping - selector: - app: fortio-noistio ---- -apiVersion: apps/v1beta1 -kind: Deployment -metadata: - name: fortio-noistio1 -spec: - replicas: 1 - template: - metadata: - labels: - app: fortio-noistio - name: fortio-noistio1 - annotations: - sidecar.istio.io/inject: "false" - spec: - containers: - - name: echosrv - image: istio/fortio:latest - imagePullPolicy: Always - args: - - server - resources: - requests: - cpu: 800m - memory: "1G" - limits: - cpu: 1000m - memory: "1G" + name: fortionoistio --- apiVersion: apps/v1beta1 kind: Deployment metadata: - name: fortio-noistio2 + name: fortionoistio spec: replicas: 1 template: metadata: labels: - app: fortio-noistio - name: fortio-noistio2 + app: fortionoistio + name: fortionoistio + version: fortionoistio annotations: sidecar.istio.io/inject: "false" spec: diff --git a/tests/helm/templates/fortio-tls.yaml b/tests/helm/templates/fortio-tls.yaml index d0162cbae1b6..4f7ef952afe0 100644 --- a/tests/helm/templates/fortio-tls.yaml +++ b/tests/helm/templates/fortio-tls.yaml @@ -2,14 +2,14 @@ apiVersion: "authentication.istio.io/v1alpha1" kind: "Policy" metadata: - name: "fortio-mtls" + name: fortiotls spec: peers: - mtls: {} peer_is_optional: true targets: # Must be short name of service - - name: "fortio-tls" + - name: fortiotls # subsets: "v2" ports: # name also supported @@ -19,9 +19,9 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: - name: fortio-tls + name: fortiotls spec: - host: fortio-tls.test.svc.cluster.local + host: fortiotls.test.svc.cluster.local trafficPolicy: tls: # Equivalent with ISTIO_MUTUAL @@ -37,7 +37,7 @@ spec: apiVersion: v1 kind: Service metadata: - name: fortio-tls + name: fortiotls spec: ports: - port: 8080 
@@ -48,12 +48,12 @@ spec: - port: 8079 name: grpc-ping selector: - app: fortio-tls + app: fortiotls --- apiVersion: apps/v1beta1 kind: Deployment metadata: - name: fortio-tls + name: fortiotls spec: replicas: 1 template: @@ -62,7 +62,7 @@ spec: sidecar.istio.io/controlPlaneAuthPolicy: MUTUAL_TLS sidecar.istio.io/discoveryAddress: istio-pilot.istio-system:15005 labels: - app: fortio-tls + app: fortiotls version: tls spec: containers: @@ -80,3 +80,21 @@ spec: limits: cpu: 1000m memory: "1G" + +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: fortiotls +spec: + hosts: + - "fortiotls.{{ .Values.domain }}" + gateways: + - istio-gateway + http: + - route: + - destination: + host: fortiotls.test.svc.cluster.local + port: + number: 8080 diff --git a/tests/helm/templates/gateway.yaml b/tests/helm/templates/gateway.yaml index 07afc9b5300f..70e964298337 100644 --- a/tests/helm/templates/gateway.yaml +++ b/tests/helm/templates/gateway.yaml @@ -3,7 +3,7 @@ apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: - name: istio08-gateway + name: istio-gateway spec: selector: istio: ingressgateway @@ -18,22 +18,26 @@ spec: - "pilot.{{ .Values.domain }}" - "fortio.{{ .Values.domain }}" - "fortio2.{{ .Values.domain }}" - - "fortioraw.{{ .Values.domain }}" + - "fortiotls.{{ .Values.domain }}" + - "fortionoistio.{{ .Values.domain }}" - "bookinfo.{{ .Values.domain }}" - "httpbin.{{ .Values.domain }}" + - "fortio080.{{ .Values.domain }}" + - "fortio10rc1.{{ .Values.domain }}" + - "fortiomaster.{{ .Values.domain }}" + - "fortiocli.{{ .Values.domain }}" - port: - number: 5203 + number: 5201 protocol: TCP - name: tcp-iperf + name: tcp-iperf3 hosts: - "*" - port: - number: 5202 + number: 5203 protocol: TCP - name: tcp-iperfraw + name: tcp-iperf-tls hosts: - "*" - --- apiVersion: networking.istio.io/v1alpha3 
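Review bot: The gateway's HTTP host list now includes `fortiocli.{{ .Values.domain }}`, but no VirtualService for that host appears in this change, and testCreateDNS in setup.sh still publishes `fortioraw`, which this list no longer carries; the host list, the VirtualServices and the DNS records have drifted, and the failure mode is the least visible one (404 from the gateway). Either add the missing VirtualService/record or drop the host. The two TCP servers advertise `hosts: "*"`, so any VirtualService bound to `istio-gateway` with a `tcp:` block and no `match.port` attaches to both 5201 and 5203; a comment such as `# TCP servers: bind VirtualServices with an explicit match.port` would prevent the ambiguity seen in iperf3-noistio.yaml.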
@@ -44,7 +48,7 @@ spec: hosts: - "pilot.{{ .Values.domain }}" gateways: - - istio08-gateway + - istio-gateway http: - route: - destination: @@ -62,7 +66,7 @@ spec: hosts: - "httpbin.{{ .Values.domain }}" gateways: - - istio08-gateway + - istio-gateway http: - route: - destination: @@ -79,7 +83,7 @@ spec: hosts: - "grafana.{{ .Values.domain }}" gateways: - - istio08-gateway + - istio-gateway http: - route: - destination: @@ -98,7 +102,7 @@ spec: hosts: - "prom.{{ .Values.domain }}" gateways: - - istio08-gateway + - istio-gateway http: - route: - destination: @@ -115,7 +119,7 @@ spec: hosts: - "bookinfo.{{ .Values.domain }}" gateways: - - istio08-gateway + - istio-gateway http: - route: - destination: @@ -123,77 +127,4 @@ spec: port: number: 9080 ---- - -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: fortio -spec: - hosts: - - "fortioraw.{{.Values.domain}}" - gateways: - - istio08-gateway - http: - - route: - - destination: - host: fortio-noistio.test.svc.cluster.local - port: - number: 8080 - ---- - -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: fortioistio -spec: - hosts: - - "fortio.{{ .Values.domain }}" - gateways: - - istio08-gateway - http: - - route: - - destination: - host: fortiov1.test.svc.cluster.local - port: - number: 8080 - - ---- - -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: fortio2istio -spec: - hosts: - - "fortio2.{{ .Values.domain }}" - gateways: - - istio08-gateway - http: - - route: - - destination: - host: fortio-tls.test.svc.cluster.local - port: - number: 8080 - ---- - -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: iperf -spec: - hosts: - - "iperf.{{ .Values.domain }}" - gateways: - - istio08-gateway - tcp: - - route: - - destination: - host: iperf3.test.svc.cluster.local - port: - number: 5202 - ---- +--- \ No newline at end of file 
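Review bot: After the removal of the four VirtualServices, gateway.yaml now ends with a lone `---` and no trailing newline (`\ No newline at end of file`), i.e. an empty trailing YAML document after the bookinfo VirtualService's `number: 9080`. Helm and most parsers tolerate it, but yamllint flags the missing final newline, and a stray separator at EOF is an easy place for the next edit to mis-nest; either drop the trailing `---` or end the file with a newline.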
diff --git a/tests/helm/templates/iperf3-tls.yaml b/tests/helm/templates/iperf3-tls.yaml
new file mode 100644
index 000000000000..ba9cae951191
--- /dev/null
+++ b/tests/helm/templates/iperf3-tls.yaml
@@ -0,0 +1,109 @@ + +#apiVersion: networking.istio.io/v1alpha3 +#kind: Gateway +#metadata: +# name: istio-iperf-gateway +#spec: +# selector: +# istio: ingressgateway +# servers: +# - port: +# number: 5203 +# protocol: TCP +# name: tcp-iperf-tls +# hosts: +# - "*" +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: iperf-tls +spec: + hosts: + - "iperf-tls.{{ .Values.domain }}" + gateways: + - istio-gateway + tcp: + - match: + - port: 5203 + route: + - destination: + host: iperf3-tls.test.svc.cluster.local + port: + number: 5203 +--- +apiVersion: v1 +kind: Service +metadata: + name: iperf3-tls +spec: + ports: + - name: tcp + port: 5203 + targetPort: 5203 + selector: + app: iperf3-tls +--- +apiVersion: "authentication.istio.io/v1alpha1" +kind: "Policy" +metadata: + name: iperf3-tls +spec: + peers: + - mtls: {} + peer_is_optional: true + targets: + # Must be short name of service + - name: iperf3-tls + # subsets: "v2" + ports: + # name also supported + # TODO: this should be target port (container) + - number: 5203 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: iperf3tls +spec: + host: iperf3-tls.test.svc.cluster.local + trafficPolicy: + tls: + # Equivalent with ISTIO_MUTUAL + mode: MUTUAL + client_certificate: /etc/certs/cert-chain.pem + private_key: /etc/certs/key.pem + ca_certificates: /etc/certs/root-cert.pem + subject_alt_names: + - spiffe://cluster.local/ns/test/sa/default + + +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: iperf3-tls +spec: + replicas: 1 + template: + metadata: + labels: + app: iperf3-tls + spec: + containers: + - image: docker.io/networkstatic/iperf3 + imagePullPolicy: IfNotPresent + name: iperf3 + ports: + - containerPort: 5203 + args: + - '-s' + - '-p' + - '5203' + resources: + requests: + cpu: 1000m + memory: "1G" + limits: + cpu: 1000m + memory: "2G" 
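Review bot: The new Policy `iperf3-tls` sets `peer_is_optional: true`, which makes the server-side mTLS requirement permissive: the iperf3-tls pod also accepts plaintext peers, so this test demonstrates that the client hop (the `iperf3tls` DestinationRule with `mode: MUTUAL`) presents a certificate, not that the server rejects unauthenticated traffic; if enforcement is the intent drop that line, otherwise record the intent with `# permissive on purpose: the server also accepts plain TCP; only the client hop is exercised`. Indentation is lost in this rendering, so the nesting of `peer_is_optional` is assumed to match the fortio-tls Policy in the same chart. Two smaller points: the DestinationRule is named `iperf3tls` while every other object in the file is `iperf3-tls`, and the file opens with a 15-line commented-out Gateway that duplicates the `tcp-iperf-tls` server already declared in gateway.yaml, which should be deleted or explained. The Deployment also uses `apiVersion: extensions/v1beta1` where the fortio Deployments touched by this commit use `apps/v1beta1`.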
diff --git a/tests/helm/templates/iperf3.yaml b/tests/helm/templates/iperf3.yaml index 2017100d78db..262cbd8f29f5 100644 --- a/tests/helm/templates/iperf3.yaml +++ b/tests/helm/templates/iperf3.yaml @@ -1,15 +1,22 @@ --- -apiVersion: v1 -kind: Service + +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService metadata: - name: iperf3-raw + name: iperf3 spec: - ports: - - name: tcp - port: 5202 - targetPort: 5201 - selector: - app: iperf3-raw + hosts: + - "iperf.{{ .Values.domain }}" + gateways: + - istio-gateway + tcp: + - match: + - port: 5201 + route: + - destination: + host: iperf3.test.svc.cluster.local + port: + number: 5201 --- apiVersion: v1 kind: Service @@ -18,68 +25,14 @@ metadata: spec: ports: - name: tcp - port: 5203 + port: 5201 targetPort: 5201 selector: app: iperf3 ---- -apiVersion: v1 -kind: Service -metadata: - name: iperf3-tls -spec: - ports: - - name: tcp - port: 5204 - targetPort: 5201 - selector: - app: iperf3-tls ---- -apiVersion: "authentication.istio.io/v1alpha1" -kind: Policy -metadata: - name: iperf3-tls -spec: - peers: - - mtls: - peer_is_optional: true - targets: - - name: "iperf3-tls" - ports: - - number: 5201 --- apiVersion: extensions/v1beta1 kind: Deployment -metadata: - name: iperf3-raw -spec: - replicas: 1 - template: - metadata: - labels: - app: iperf3-raw - annotations: - sidecar.istio.io/inject: "false" - spec: - containers: - - image: docker.io/networkstatic/iperf3 - imagePullPolicy: IfNotPresent - name: iperf3-raw - ports: - - containerPort: 5201 - args: - - '-s' - resources: - requests: - cpu: 1000m - memory: "1G" - limits: - cpu: 1000m - memory: "2G" ---- -apiVersion: extensions/v1beta1 -kind: Deployment metadata: name: iperf3 spec: 
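Review bot: The new `iperf3` VirtualService matches only on `port: 5201`, and the gateway server it binds to (`tcp-iperf3`, `hosts: "*"`) is plain TCP, so the `iperf.{{ .Values.domain }}` host entry does not narrow which connections are forwarded: a plain TCP listener carries no hostname, and every connection arriving on 5201 is routed to iperf3.test.svc.cluster.local. That is presumably acceptable for a load-test chart but is not obvious from the file, so a comment on the match would make it explicit: `# port-only match: plain TCP carries no hostname, so all 5201 traffic on the gateway lands here`. The Service change in the next hunk (port 5203 -> 5201) is consistent with this routing.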
@@ -104,31 +57,3 @@ spec: limits: cpu: 1000m memory: "2G" - ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: iperf3-tls -spec: - replicas: 1 - template: - metadata: - labels: - app: iperf3-tls - spec: - containers: - - image: docker.io/networkstatic/iperf3 - imagePullPolicy: IfNotPresent - name: iperf3 - ports: - - containerPort: 5201 - args: - - '-s' - resources: - requests: - cpu: 1000m - memory: "1G" - limits: - cpu: 1000m - memory: "2G" diff --git a/tests/helm/templates/virtual_service.yaml b/tests/helm/templates/virtual_service.yaml index 60c05d8d49fb..1cb5361386cc 100644 --- a/tests/helm/templates/virtual_service.yaml +++ b/tests/helm/templates/virtual_service.yaml @@ -23,7 +23,7 @@ metadata: name: fortiov1 spec: hosts: - - fortio.v08.istio.webinf.info + - fortio.{{ .Values.domain }} - fortiov1.test.svc.cluster.local http: - route: @@ -33,21 +33,3 @@ spec: port: number: 8080 ---- - -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: fortiotls -spec: - hosts: - - fortio2.v08.istio.webinf.info - #- fortio-tls.test.svc.cluster.local - http: - - route: - # service selects multiple deployments, has 2 subsets - - destination: - host: fortiov-tls.test.svc.cluster.local - port: - number: 8080 - diff --git a/tests/helm/values.yaml b/tests/helm/values.yaml index b9db06c6ccd2..e0cbcd2fce3b 100644 --- a/tests/helm/values.yaml +++ b/tests/helm/values.yaml @@ -2,7 +2,7 @@ healthPort: true testHub: docker.io/istionightly testTag: nightly-release-0.8 -domain: v08.istio.webinf.info +domain: v10.istio.webinf.info # Namespace where istio control plane is installed. istioNamespace: istio-system
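Review bot: The new host entry `- fortio.{{ .Values.domain }}` in virtual_service.yaml is a plain scalar, while every other templated host in this commit (gateway.yaml, fortio-tls.yaml, iperf3.yaml) is double-quoted; Helm renders the template before YAML parsing, so it works for the current value, but a domain value starting with a YAML indicator or containing `: ` or ` #` would break the rendered manifest. Quote it to match the rest of the chart: `- "fortio.{{ .Values.domain }}"`. The VirtualService's `http` routes continue outside the hunk.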