security tests refactor (#40209)

* security tests refactor * updated the logic to create custom configs
istio · Aug 5, 2022 · 8ab3d92 · 8ab3d92
1 parent e0b61e2
commit 8ab3d92
Show file tree

Hide file tree

Showing 11 changed files with 384 additions and 334 deletions.
diff --git a/pkg/test/framework/components/echo/common/deployment/echos.go b/pkg/test/framework/components/echo/common/deployment/echos.go
@@ -17,6 +17,7 @@ package deployment
 import (
 	"context"
 	"fmt"
+	"strconv"
 	"strings"
 
 	"github.com/hashicorp/go-multierror"
@@ -63,7 +64,7 @@ type Config struct {
 	//
 	// Custom echo instances will be accessible from the `All` field in the namespace(s) under which they
 	// were created.
-	Custom echo.CustomGetter
+	Configs echo.ConfigGetter
 }
 
 func (c *Config) fillDefaults(ctx resource.Context) error {
@@ -74,22 +75,25 @@ func (c *Config) fillDefaults(ctx resource.Context) error {
 		c.Echos = &Echos{}
 	}
 
+	if c.Configs == nil {
+		defaultConfigs := c.DefaultEchoConfigs(ctx)
+		c.Configs = echo.ConfigFuture(&defaultConfigs)
+	}
+
 	// Verify the namespace for any custom deployments.
-	if c.Custom != nil {
-		for _, custom := range c.Custom.Get() {
-			if custom.Namespace != nil {
-				found := false
-				for _, ns := range c.Namespaces {
-					if custom.Namespace.Name() == ns.Get().Name() {
-						found = true
-						break
-					}
-				}
-				if !found {
-					return fmt.Errorf("custom echo deployment %s uses unconfigured namespace %s",
-						custom.NamespacedName().String(), custom.NamespaceName())
+	for _, config := range c.Configs.Get() {
+		if config.Namespace != nil {
+			found := false
+			for _, ns := range c.Namespaces {
+				if config.Namespace.Name() == ns.Get().Name() {
+					found = true
+					break
 				}
 			}
+			if !found {
+				return fmt.Errorf("custom echo deployment %s uses unconfigured namespace %s",
+					config.NamespacedName().String(), config.NamespaceName())
+			}
 		}
 	}
 
@@ -152,6 +156,125 @@ func (c *Config) fillDefaults(ctx resource.Context) error {
 	return g.Wait()
 }
 
+func (c *Config) DefaultEchoConfigs(t resource.Context) []echo.Config {
+	var defaultConfigs []echo.Config
+
+	a := echo.Config{
+		Service:         ASvc,
+		ServiceAccount:  true,
+		Ports:           ports.All(),
+		Subsets:         []echo.SubsetConfig{{}},
+		Locality:        "region.zone.subzone",
+		IncludeExtAuthz: c.IncludeExtAuthz,
+	}
+
+	b := echo.Config{
+		Service:         BSvc,
+		ServiceAccount:  true,
+		Ports:           ports.All(),
+		Subsets:         []echo.SubsetConfig{{}},
+		IncludeExtAuthz: c.IncludeExtAuthz,
+	}
+
+	cSvc := echo.Config{
+		Service:         CSvc,
+		ServiceAccount:  true,
+		Ports:           ports.All(),
+		Subsets:         []echo.SubsetConfig{{}},
+		IncludeExtAuthz: c.IncludeExtAuthz,
+	}
+
+	headless := echo.Config{
+		Service:         HeadlessSvc,
+		ServiceAccount:  true,
+		Headless:        true,
+		Ports:           ports.Headless(),
+		Subsets:         []echo.SubsetConfig{{}},
+		IncludeExtAuthz: c.IncludeExtAuthz,
+	}
+
+	stateful := echo.Config{
+		Service:         StatefulSetSvc,
+		ServiceAccount:  true,
+		Headless:        true,
+		StatefulSet:     true,
+		Ports:           ports.Headless(),
+		Subsets:         []echo.SubsetConfig{{}},
+		IncludeExtAuthz: c.IncludeExtAuthz,
+	}
+
+	naked := echo.Config{
+		Service:        NakedSvc,
+		ServiceAccount: true,
+		Ports:          ports.All(),
+		Subsets: []echo.SubsetConfig{
+			{
+				Annotations: map[echo.Annotation]*echo.AnnotationValue{
+					echo.SidecarInject: {
+						Value: strconv.FormatBool(false),
+					},
+				},
+			},
+		},
+	}
+
+	tProxy := echo.Config{
+		Service:        TproxySvc,
+		ServiceAccount: true,
+		Ports:          ports.All(),
+		Subsets: []echo.SubsetConfig{{
+			Annotations: echo.NewAnnotations().Set(echo.SidecarInterceptionMode, "TPROXY"),
+		}},
+		IncludeExtAuthz: c.IncludeExtAuthz,
+	}
+
+	vmSvc := echo.Config{
+		Service:         VMSvc,
+		ServiceAccount:  true,
+		Ports:           ports.All(),
+		DeployAsVM:      true,
+		AutoRegisterVM:  true,
+		Subsets:         []echo.SubsetConfig{{}},
+		IncludeExtAuthz: c.IncludeExtAuthz,
+	}
+
+	defaultConfigs = append(defaultConfigs, a, b, cSvc, headless, stateful, naked, tProxy, vmSvc)
+
+	if !skipDeltaXDS(t) {
+		delta := echo.Config{
+			Service:        DeltaSvc,
+			ServiceAccount: true,
+			Ports:          ports.All(),
+			Subsets: []echo.SubsetConfig{{
+				Annotations: echo.NewAnnotations().Set(echo.SidecarProxyConfig, `proxyMetadata:
+ISTIO_DELTA_XDS: "true"`),
+			}},
+		}
+		defaultConfigs = append(defaultConfigs, delta)
+	}
+
+	if !t.Clusters().IsMulticluster() {
+		// TODO when agent handles secure control-plane connection for grpc-less, deploy to "remote" clusters
+		proxylessGRPC := echo.Config{
+			Service:        ProxylessGRPCSvc,
+			ServiceAccount: true,
+			Ports:          ports.All(),
+			Subsets: []echo.SubsetConfig{
+				{
+					Annotations: map[echo.Annotation]*echo.AnnotationValue{
+						echo.SidecarInjectTemplates: {
+							Value: "grpc-agent",
+						},
+					},
+				},
+			},
+		}
+		defaultConfigs = append(defaultConfigs, proxylessGRPC)
+	}
+
+	return defaultConfigs
+}
+
 // View of an Echos deployment.
 type View interface {
 	// Echos returns the underlying Echos deployment for this view.
@@ -237,7 +360,7 @@ func New(ctx resource.Context, cfg Config) (*Echos, error) {
 
 	builder := deployment.New(ctx).WithClusters(ctx.Clusters()...)
 	for _, n := range apps.NS {
-		builder = n.build(ctx, builder, cfg)
+		builder = n.build(builder, cfg)
 	}
 
 	if !cfg.NoExternalNamespace {

diff --git a/pkg/test/framework/components/echo/common/deployment/namespace.go b/pkg/test/framework/components/echo/common/deployment/namespace.go
@@ -16,10 +16,8 @@ package deployment
 
 import (
 	"fmt"
-	"strconv"
 
 	"istio.io/istio/pkg/test/framework/components/echo"
-	"istio.io/istio/pkg/test/framework/components/echo/common/ports"
 	"istio.io/istio/pkg/test/framework/components/echo/deployment"
 	"istio.io/istio/pkg/test/framework/components/echo/match"
 	"istio.io/istio/pkg/test/framework/components/namespace"
@@ -69,131 +67,12 @@ type EchoNamespace struct {
 	All echo.Services
 }
 
-func (n EchoNamespace) build(t resource.Context, b deployment.Builder, cfg Config) deployment.Builder {
-	b = b.WithConfig(echo.Config{
-		Service:         ASvc,
-		Namespace:       n.Namespace,
-		ServiceAccount:  true,
-		Ports:           ports.All(),
-		Subsets:         []echo.SubsetConfig{{}},
-		Locality:        "region.zone.subzone",
-		IncludeExtAuthz: cfg.IncludeExtAuthz,
-	}).
-		WithConfig(echo.Config{
-			Service:         BSvc,
-			Namespace:       n.Namespace,
-			ServiceAccount:  true,
-			Ports:           ports.All(),
-			Subsets:         []echo.SubsetConfig{{}},
-			IncludeExtAuthz: cfg.IncludeExtAuthz,
-		}).
-		WithConfig(echo.Config{
-			Service:         CSvc,
-			Namespace:       n.Namespace,
-			ServiceAccount:  true,
-			Ports:           ports.All(),
-			Subsets:         []echo.SubsetConfig{{}},
-			IncludeExtAuthz: cfg.IncludeExtAuthz,
-		}).
-		WithConfig(echo.Config{
-			Service:         HeadlessSvc,
-			Namespace:       n.Namespace,
-			ServiceAccount:  true,
-			Headless:        true,
-			Ports:           ports.Headless(),
-			Subsets:         []echo.SubsetConfig{{}},
-			IncludeExtAuthz: cfg.IncludeExtAuthz,
-		}).
-		WithConfig(echo.Config{
-			Service:         StatefulSetSvc,
-			Namespace:       n.Namespace,
-			ServiceAccount:  true,
-			Headless:        true,
-			StatefulSet:     true,
-			Ports:           ports.Headless(),
-			Subsets:         []echo.SubsetConfig{{}},
-			IncludeExtAuthz: cfg.IncludeExtAuthz,
-		}).
-		WithConfig(echo.Config{
-			Service:        NakedSvc,
-			Namespace:      n.Namespace,
-			ServiceAccount: true,
-			Ports:          ports.All(),
-			Subsets: []echo.SubsetConfig{
-				{
-					Annotations: map[echo.Annotation]*echo.AnnotationValue{
-						echo.SidecarInject: {
-							Value: strconv.FormatBool(false),
-						},
-					},
-				},
-			},
-		}).
-		WithConfig(echo.Config{
-			Service:        TproxySvc,
-			Namespace:      n.Namespace,
-			ServiceAccount: true,
-			Ports:          ports.All(),
-			Subsets: []echo.SubsetConfig{{
-				Annotations: echo.NewAnnotations().Set(echo.SidecarInterceptionMode, "TPROXY"),
-			}},
-			IncludeExtAuthz: cfg.IncludeExtAuthz,
-		}).
-		WithConfig(echo.Config{
-			Service:         VMSvc,
-			Namespace:       n.Namespace,
-			ServiceAccount:  true,
-			Ports:           ports.All(),
-			DeployAsVM:      true,
-			AutoRegisterVM:  true,
-			Subsets:         []echo.SubsetConfig{{}},
-			IncludeExtAuthz: cfg.IncludeExtAuthz,
-		})
-
-	if !skipDeltaXDS(t) {
-		b = b.
-			WithConfig(echo.Config{
-				Service:        DeltaSvc,
-				Namespace:      n.Namespace,
-				ServiceAccount: true,
-				Ports:          ports.All(),
-				Subsets: []echo.SubsetConfig{{
-					Annotations: echo.NewAnnotations().Set(echo.SidecarProxyConfig, `proxyMetadata:
-  ISTIO_DELTA_XDS: "true"`),
-				}},
-			})
-	}
-
-	if !t.Clusters().IsMulticluster() {
-		b = b.
-			// TODO when agent handles secure control-plane connection for grpc-less, deploy to "remote" clusters
-			WithConfig(echo.Config{
-				Service:        ProxylessGRPCSvc,
-				Namespace:      n.Namespace,
-				ServiceAccount: true,
-				Ports:          ports.All(),
-				Subsets: []echo.SubsetConfig{
-					{
-						Annotations: map[echo.Annotation]*echo.AnnotationValue{
-							echo.SidecarInjectTemplates: {
-								Value: "grpc-agent",
-							},
-						},
-					},
-				},
-			})
-	}
-
-	// Add any custom deployments.
-	if cfg.Custom != nil {
-		for _, custom := range cfg.Custom.Get() {
-			if custom.Namespace == nil {
-				custom.Namespace = n.Namespace
-			}
-			if custom.NamespaceName() == n.Namespace.Name() {
-				b.WithConfig(custom)
-			}
+func (n EchoNamespace) build(b deployment.Builder, cfg Config) deployment.Builder {
+	for _, config := range cfg.Configs.Get() {
+		if config.Namespace == nil {
+			config.Namespace = n.Namespace
 		}
+		b = b.WithConfig(config)
 	}
 
 	return b

diff --git a/pkg/test/framework/components/echo/config.go b/pkg/test/framework/components/echo/config.go
@@ -171,16 +171,16 @@ type Config struct {
 }
 
 // Getter for a custom echo deployment
-type CustomGetter func() []Config
+type ConfigGetter func() []Config
 
 // Get is a utility method that helps in readability of call sites.
-func (g CustomGetter) Get() []Config {
+func (g ConfigGetter) Get() []Config {
 	return g()
 }
 
 // Future creates a Getter for a variable the custom echo deployment that will be set at sometime in the future.
 // This is helpful for configuring a setup chain for a test suite that operates on global variables.
-func CustomFuture(custom *[]Config) CustomGetter {
+func ConfigFuture(custom *[]Config) ConfigGetter {
 	return func() []Config {
 		return *custom
 	}

diff --git a/pkg/test/framework/components/istio/config.go b/pkg/test/framework/components/istio/config.go
@@ -156,6 +156,9 @@ type Config struct {
 
 	// custom deployment for ingress and egress gateway on remote clusters.
 	GatewayValues string
+
+	// Custom deploymeny for east-west gateway
+	EastWestGatewayValues string
 }
 
 func (c *Config) OverridesYAML(s *resource.Settings) string {

diff --git a/pkg/test/framework/components/istio/eastwest.go b/pkg/test/framework/components/istio/eastwest.go
@@ -46,7 +46,7 @@ var (
 )
 
 // deployEastWestGateway will create a separate gateway deployment for cross-cluster discovery or cross-network services.
-func (i *istioImpl) deployEastWestGateway(cluster cluster.Cluster, revision string) error {
+func (i *istioImpl) deployEastWestGateway(cluster cluster.Cluster, revision string, customSettings string) error {
 	// generate istio operator yaml
 	args := []string{
 		"--cluster", cluster.Name(),
@@ -69,10 +69,15 @@ func (i *istioImpl) deployEastWestGateway(cluster cluster.Cluster, revision stri
 
 	// Install the gateway
 	s := i.ctx.Settings()
+	var inFileNames []string
+	inFileNames = append(inFileNames, iopFile)
+	if customSettings != "" {
+		inFileNames = append(inFileNames, customSettings)
+	}
 	if err := i.installer.Install(cluster, installArgs{
 		ComponentName: "eastwestgateway",
 		Revision:      revision,
-		Files:         []string{iopFile},
+		Files:         inFileNames,
 		Set: []string{
 			"hub=" + s.Image.Hub,
 			"tag=" + s.Image.Tag,