Add istio.io docs test for security/authn-policy

pkg/test/istio.io/tasks/security/authn-policy/authn-policy_test.go

@@ -0,0 +1,168 @@
+// Copyright 2019 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+package tests
+
+import (
+	"testing"
+
+	"istio.io/istio/pkg/test/framework"
+	"istio.io/istio/pkg/test/framework/components/environment"
+	"istio.io/istio/pkg/test/framework/components/istio"
+	"istio.io/istio/pkg/test/istio.io/examples"
+)
+
+var (
+	ist istio.Instance
+)
+
+func TestMain(m *testing.M) {
+	framework.NewSuite("authn-policy", m).
+		SetupOnEnv(environment.Kube, istio.Setup(&ist, setupConfig)).
+		RequireEnvironment(environment.Kube).
+		Run()
+}
+
+func setupConfig(cfg *istio.Config) {
+	if cfg == nil {
+		return
+	}
+	// This is redundant, but setting it explicitly to match the docs as it's explicitly required
+	// in the docs.
+	cfg.Values["global.mtls.enabled"] = "false"
+}
+
+// https://preliminary.istio.io/docs/tasks/security/authn-policy/
+// https://github.com/istio/istio.io/blob/master/content/docs/tasks/security/authn-policy/index.md
+func TestAuthnPolicy(t *testing.T) {
+	ex := examples.New(t, "Setup")
+
+	ex.AddScript("", "create-namespaces.sh", examples.TextOutput)
+	ex.AddFile("foo", "samples/httpbin/httpbin.yaml")
+	ex.AddFile("foo", "samples/sleep/sleep.yaml")
+	ex.AddFile("bar", "samples/httpbin/httpbin.yaml")
+	ex.AddFile("bar", "samples/sleep/sleep.yaml")
+	ex.AddFile("legacy", "samples/httpbin/httpbin.yaml")
+	ex.AddFile("legacy", "samples/sleep/sleep.yaml")
+
+	// This is missing from the docs, but it is necessary before continuing.
+	ex.AddScript("", "wait-for-containers.sh", examples.TextOutput)
+	ex.AddScript("", "verify-reachability.sh", examples.TextOutput)
+
+	// TODO: Update the docs to use commands that succeed or fail, to check the authentication
+	//  policies and destination rules, and use the same commands here.
+	ex.Run()
+
+	ex = examples.New(t, "Globally enabling Istio mutual TLS")
+
+	ex.AddScript("", "part1-configure-authentication-meshpolicy.sh", examples.TextOutput)
+	// TODO: Update the docs to add instructions to wait until the policy has been propagated,
+	//  and use the same commands here.
+
+	// TODO: Check the output of the command. Fail if curl doesn't fail.
+	ex.AddScript("", "part1-verify-reachability-from-istio.sh", examples.TextOutput)
+	ex.AddScript("", "part1-configure-destinationrule-default.sh", examples.TextOutput)
+	// TODO: Fail if curl fails.
+	ex.AddScript("", "part1-verify-reachability-from-istio.sh", examples.TextOutput)
+	// TODO: Fail if curl doesn't fail.
+	ex.AddScript("", "part1-verify-reachability-from-non-istio.sh", examples.TextOutput)
+
+	// TODO: Fail if curl doesn't fail.
+	ex.AddScript("", "part1-verify-reachability-to-legacy.sh", examples.TextOutput)
+	ex.AddScript("", "part1-configure-destinationrule-httpbin-legacy.sh", examples.TextOutput)
+	// TODO: Fail if curl fails.
+	ex.AddScript("", "part1-verify-reachability-to-legacy.sh", examples.TextOutput)
+
+	// TODO: Fail if curl doesn't fail.
+	ex.AddScript("", "part1-verify-reachability-to-k8s-api.sh", examples.TextOutput)
+	ex.AddScript("", "part1-configure-destinationrule-api-server.sh", examples.TextOutput)
+	// TODO: Fail if curl fails.
+	ex.AddScript("", "part1-verify-reachability-to-k8s-api.sh", examples.TextOutput)
+
+	ex.AddScript("", "part1-cleanup.sh", examples.TextOutput)
+
+	ex.Run()
+
+	ex = examples.New(t, "Enable mutual TLS per namespace or service")
+
+	ex.AddScript("", "part2-configure-authentication-policy-default.sh", examples.TextOutput)
+	ex.AddScript("", "part2-configure-destinationrule-default.sh", examples.TextOutput)
+	// TODO: Update the docs to add instructions to wait until the policy has been propagated,
+	//  and use the same commands here.
+
+	// TODO: Fail if curl from foo or bar to any other namespace fails.
+	// TODO: Fail if curl from legacy to foo succeeds.
+	ex.AddScript("", "part2-verify-reachability.sh", examples.TextOutput)
+	ex.AddScript("", "part2-configure-authentication-policy-httpbin.sh", examples.TextOutput)
+	ex.AddScript("", "part2-configure-destinationrule-httpbin.sh", examples.TextOutput)
+	// TODO: Fail if curl from foo or bar to any other namespace fails.
+	// TODO: Fail if curl from legacy to foo OR bar succeeds.
+	ex.AddScript("", "part2-verify-reachability.sh", examples.TextOutput)
+
+	ex.AddScript("", "part2-configure-authentication-policy-httpbin-port.sh", examples.TextOutput)
+	ex.AddScript("", "part2-configure-destinationrule-httpbin-port.sh", examples.TextOutput)
+	// TODO: Fail if curl fails.
+	ex.AddScript("", "part2-verify-reachability-to-bar-port-8000.sh", examples.TextOutput)
+
+	ex.AddScript("", "part2-configure-authentication-policy-overwrite-example.sh", examples.TextOutput)
+	ex.AddScript("", "part2-configure-destinationrule-overwrite-example.sh", examples.TextOutput)
+	// TODO: Fail if curl fails.
+	ex.AddScript("", "part2-verify-reachability-to-foo-port-8000.sh", examples.TextOutput)
+
+	ex.AddScript("", "part2-cleanup.sh", examples.TextOutput)
+
+	ex.Run()
+
+	ex = examples.New(t, "End-user authentication")
+
+	ex.AddScript("", "part3-configure-gateway-httpbin.sh", examples.TextOutput)
+	ex.AddScript("", "part3-configure-virtualservice-httpbin.sh", examples.TextOutput)
+	// TODO: Update the docs to add instructions to wait until the gateway is ready,
+	//  and use the same commands here.
+
+	// TODO: Fail if curl fails.
+	ex.AddScript("", "part3-verify-reachability-headers-without-token.sh", examples.TextOutput)
+	ex.AddScript("", "part3-configure-authentication-policy-jwt-example.sh", examples.TextOutput)
+	// TODO: Fail if curl succeeds.
+	ex.AddScript("", "part3-verify-reachability-headers-without-token.sh", examples.TextOutput)
+	// TODO: Fail if curl fails.
+	ex.AddScript("", "part3-verify-reachability-headers-with-token.sh", examples.TextOutput)
+
+	// TODO: Add the test that runs security/tools/jwt/samples/gen-jwt.py against
+	//  security/tools/jwt/samples/key.pem.
+	//  This requires having Python and the jwcrypto library installed locally.
+
+	ex.AddScript("", "part3-configure-authentication-policy-jwt-example-exclude.sh", examples.TextOutput)
+	// TODO: Fail if curl fails.
+	ex.AddScript("", "part3-verify-reachability-useragent-without-token.sh", examples.TextOutput)
+	// TODO: Fail if curl succeeds.
+	ex.AddScript("", "part3-verify-reachability-headers-without-token.sh", examples.TextOutput)
+
+	ex.AddScript("", "part3-configure-authentication-policy-jwt-example-include.sh", examples.TextOutput)
+	// TODO: Fail if curl fails.
+	ex.AddScript("", "part3-verify-reachability-useragent-without-token.sh", examples.TextOutput)
+	// TODO: Fail if curl succeeds.
+	ex.AddScript("", "part3-verify-reachability-ip-without-token.sh", examples.TextOutput)
+	// TODO: Fail if curl fails.
+	ex.AddScript("", "part3-verify-reachability-ip-with-token.sh", examples.TextOutput)
+
+	ex.AddScript("", "part3-configure-authentication-policy-jwt-mtls.sh", examples.TextOutput)
+	ex.AddScript("", "part3-configure-destinationrule-httpbin.sh", examples.TextOutput)
+	// TODO: Fail if curl fails.
+	ex.AddScript("", "part3-verify-reachability-from-istio-with-token.sh", examples.TextOutput)
+	// TODO: Fail if curl succeeds.
+	ex.AddScript("", "part3-verify-reachability-from-non-istio-with-token.sh", examples.TextOutput)
+
+	ex.AddScript("", "part3-cleanup.sh", examples.TextOutput)
+
+	ex.Run()
+}

pkg/test/istio.io/tasks/security/authn-policy/create-namespaces.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+set -e
+kubectl create ns foo
+kubectl create ns bar
+kubectl create ns legacy

pkg/test/istio.io/tasks/security/authn-policy/part1-cleanup.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+kubectl delete meshpolicy default
+kubectl delete destinationrules httpbin-legacy -n legacy
+kubectl delete destinationrules api-server -n istio-system
+kubectl delete destinationrules default -n istio-system

pkg/test/istio.io/tasks/security/authn-policy/part1-configure-authentication-meshpolicy.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+set -e
+kubectl apply -f - <<EOF
+apiVersion: "authentication.istio.io/v1alpha1"
+kind: "MeshPolicy"
+metadata:
+  name: "default"
+spec:
+  peers:
+  - mtls: {}
+EOF

pkg/test/istio.io/tasks/security/authn-policy/part1-configure-destinationrule-api-server.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+kubectl apply -f - <<EOF
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: "api-server"
+ namespace: istio-system
+spec:
+ host: "kubernetes.default.svc.cluster.local"
+ trafficPolicy:
+   tls:
+     mode: DISABLE
+EOF

pkg/test/istio.io/tasks/security/authn-policy/part1-configure-destinationrule-default.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+kubectl apply -f - <<EOF
+apiVersion: "networking.istio.io/v1alpha3"
+kind: "DestinationRule"
+metadata:
+  name: "default"
+  namespace: "istio-system"
+spec:
+  host: "*.local"
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
+EOF

pkg/test/istio.io/tasks/security/authn-policy/part1-configure-destinationrule-httpbin-legacy.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+kubectl apply -f - <<EOF
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: "httpbin-legacy"
+ namespace: "legacy"
+spec:
+ host: "httpbin.legacy.svc.cluster.local"
+ trafficPolicy:
+   tls:
+     mode: DISABLE
+EOF

pkg/test/istio.io/tasks/security/authn-policy/part1-verify-reachability-from-istio.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+for from in "foo" "bar"; do for to in "foo" "bar"; do kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done

pkg/test/istio.io/tasks/security/authn-policy/part1-verify-reachability-from-non-istio.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+for from in "legacy"; do for to in "foo" "bar"; do kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done

pkg/test/istio.io/tasks/security/authn-policy/part1-verify-reachability-to-k8s-api.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+TOKEN=$(kubectl describe secret $(kubectl get secrets | grep default-token | cut -f1 -d ' ' | head -1) | grep -E '^token' | cut -f2 -d':' | tr -d '\t')
+kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- curl https://kubernetes.default/api --header "Authorization: Bearer $TOKEN" --insecure -s -o /dev/null -w "%{http_code}\n"

pkg/test/istio.io/tasks/security/authn-policy/part1-verify-reachability-to-legacy.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+for from in "foo" "bar"; do for to in "legacy"; do kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done

pkg/test/istio.io/tasks/security/authn-policy/part2-cleanup.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+kubectl delete policy default overwrite-example -n foo
+kubectl delete policy httpbin -n bar
+kubectl delete destinationrules default overwrite-example -n foo
+kubectl delete destinationrules httpbin -n bar

pkg/test/istio.io/tasks/security/authn-policy/part2-configure-authentication-policy-default.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+set -e
+kubectl apply -f - <<EOF
+apiVersion: "authentication.istio.io/v1alpha1"
+kind: "Policy"
+metadata:
+  name: "default"
+  namespace: "foo"
+spec:
+  peers:
+  - mtls: {}
+EOF

pkg/test/istio.io/tasks/security/authn-policy/part2-configure-authentication-policy-httpbin-port.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+set -e
+cat <<EOF | kubectl apply -n bar -f -
+apiVersion: "authentication.istio.io/v1alpha1"
+kind: "Policy"
+metadata:
+  name: "httpbin"
+spec:
+  targets:
+  - name: httpbin
+    ports:
+    - number: 1234
+  peers:
+  - mtls: {}
+EOF

pkg/test/istio.io/tasks/security/authn-policy/part2-configure-authentication-policy-httpbin.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+set -e
+cat <<EOF | kubectl apply -n bar -f -
+apiVersion: "authentication.istio.io/v1alpha1"
+kind: "Policy"
+metadata:
+  name: "httpbin"
+spec:
+  targets:
+  - name: httpbin
+  peers:
+  - mtls: {}
+EOF

pkg/test/istio.io/tasks/security/authn-policy/part2-configure-authentication-policy-overwrite-example.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+set -e
+cat <<EOF | kubectl apply -n foo -f -
+apiVersion: "authentication.istio.io/v1alpha1"
+kind: "Policy"
+metadata:
+  name: "overwrite-example"
+spec:
+  targets:
+  - name: httpbin
+EOF

pkg/test/istio.io/tasks/security/authn-policy/part2-configure-destinationrule-default.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+kubectl apply -f - <<EOF
+apiVersion: "networking.istio.io/v1alpha3"
+kind: "DestinationRule"
+metadata:
+  name: "default"
+  namespace: "foo"
+spec:
+  host: "*.foo.svc.cluster.local"
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
+EOF

pkg/test/istio.io/tasks/security/authn-policy/part2-configure-destinationrule-httpbin-port.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+set -e
+cat <<EOF | kubectl apply -n bar -f -
+apiVersion: "networking.istio.io/v1alpha3"
+kind: "DestinationRule"
+metadata:
+  name: "httpbin"
+spec:
+  host: httpbin.bar.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: DISABLE
+    portLevelSettings:
+    - port:
+        number: 1234
+      tls:
+        mode: ISTIO_MUTUAL
+EOF

pkg/test/istio.io/tasks/security/authn-policy/part2-configure-destinationrule-httpbin.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+set -e
+cat <<EOF | kubectl apply -n bar -f -
+apiVersion: "networking.istio.io/v1alpha3"
+kind: "DestinationRule"
+metadata:
+  name: "httpbin"
+spec:
+  host: "httpbin.bar.svc.cluster.local"
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
+EOF

pkg/test/istio.io/tasks/security/authn-policy/part2-configure-destinationrule-overwrite-example.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+set -e
+cat <<EOF | kubectl apply -n foo -f -
+apiVersion: "networking.istio.io/v1alpha3"
+kind: "DestinationRule"
+metadata:
+  name: "overwrite-example"
+spec:
+  host: httpbin.foo.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: DISABLE
+EOF

pkg/test/istio.io/tasks/security/authn-policy/part2-verify-reachability-to-bar-port-8000.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+kubectl exec $(kubectl get pod -l app=sleep -n legacy -o jsonpath={.items..metadata.name}) -c sleep -n legacy -- curl http://httpbin.bar:8000/ip -s -o /dev/null -w "%{http_code}\n"

pkg/test/istio.io/tasks/security/authn-policy/part2-verify-reachability-to-foo-port-8000.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+kubectl exec $(kubectl get pod -l app=sleep -n legacy -o jsonpath={.items..metadata.name}) -c sleep -n legacy -- curl http://httpbin.foo:8000/ip -s -o /dev/null -w "%{http_code}\n"

pkg/test/istio.io/tasks/security/authn-policy/part2-verify-reachability.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done

pkg/test/istio.io/tasks/security/authn-policy/part3-cleanup.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+kubectl -n foo delete policy jwt-example
+kubectl -n foo delete destinationrule httpbin
+kubectl delete ns foo bar legacy