[NET-11187] Nightly openshift basic test (#4424)

* basic test cases

* test fixtures

* working openshift test

* openshift test packages

* update Makefile

* Correct name of added Make target

* Correct import blocking

* Make assertions more robust, clean up code/comments

* Add a PR trigger for acceptance tests

* Use different source for branch name provided to workflow

* Rename PR-triggered workflow

* Use local checkout of Helm chart for installation

* Use workspace from environment

* Add the hashicorp helm repo as part of test setup

We will need to consume the cloned repo chart in the future, but I'm trying to get something working first

* new chart path

* Remove unused code, retry gateway connection, improve logging

* Remove PR trigger for nightly acceptance tests

* move cleanup calls before the error so they'll clean up even if it errrors

* Update acceptance/tests/openshift/main_test.go

* update flags to use config

* readd pr trigger test to validate change

* add license mounting config

* fix cert reference

---------

Co-authored-by: Nathan Coleman <[email protected]>

Makefile

@@ -334,6 +334,11 @@ eks-test-packages: ## eks test packages
 aks-test-packages: ## aks test packages
 	@./control-plane/build-support/scripts/set_test_package_matrix.sh "acceptance/ci-inputs/aks_acceptance_test_packages.yaml"
 
+
+.PHONY: openshift-test-packages
+openshift-test-packages: ## openshift test packages
+	@./control-plane/build-support/scripts/set_test_package_matrix.sh "acceptance/ci-inputs/openshift_acceptance_test_packages.yaml"
+
 .PHONY: go-mod-tidy
 go-mod-tidy: ## Recursively run go mod tidy on all subdirectories
 	@./control-plane/build-support/scripts/mod_tidy.sh

acceptance/ci-inputs/openshift_acceptance_test_packages.yaml

@@ -0,0 +1,5 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# Cloud package is not included in test suite as it is triggered from a non consul-k8s repo and requires HCP credentials
+- {runner: 0, test-packages: "openshift"}

acceptance/framework/config/config.go

@@ -107,6 +107,7 @@ type TestConfig struct {
 	UseGKE          bool
 	UseGKEAutopilot bool
 	UseKind         bool
+	UseOpenshift    bool
 
 	helmChartPath string
 }

acceptance/framework/flags/flags.go

@@ -10,8 +10,9 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/hashicorp/consul-k8s/acceptance/framework/config"
 	"github.com/hashicorp/go-version"
+
+	"github.com/hashicorp/consul-k8s/acceptance/framework/config"
 )
 
 type TestFlags struct {
@@ -57,6 +58,7 @@ type TestFlags struct {
 	flagUseGKE          bool
 	flagUseGKEAutopilot bool
 	flagUseKind         bool
+	flagUseOpenshift    bool
 
 	flagDisablePeering bool
 
@@ -154,6 +156,9 @@ func (t *TestFlags) init() {
 	flag.BoolVar(&t.flagUseKind, "use-kind", false,
 		"If true, the tests will assume they are running against a local kind cluster(s).")
 
+	flag.BoolVar(&t.flagUseOpenshift, "use-openshift", false,
+		"If true, the tests will assume they are running against an openshift cluster(s).")
+
 	flag.BoolVar(&t.flagDisablePeering, "disable-peering", false,
 		"If true, the peering tests will not run.")
 
@@ -246,6 +251,7 @@ func (t *TestFlags) TestConfigFromFlags() *config.TestConfig {
 		UseGKE:             t.flagUseGKE,
 		UseGKEAutopilot:    t.flagUseGKEAutopilot,
 		UseKind:            t.flagUseKind,
+		UseOpenshift:       t.flagUseOpenshift,
 	}
 
 	return c

acceptance/tests/fixtures/cases/openshift/basic/backend.yaml

@@ -0,0 +1,59 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: backend
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: backend
+  namespace: backend
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: backend
+  namespace: backend
+spec:
+  selector:
+    matchLabels:
+      app: backend
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: backend
+      annotations:
+        consul.hashicorp.com/connect-inject: "true"
+    spec:
+      serviceAccountName: backend
+      containers:
+      - name: backend
+        image: nicholasjackson/fake-service:v0.26.0
+        ports:
+        - containerPort: 8080
+        env:
+        - name: LISTEN_ADDR
+          value: "0.0.0.0:8080"
+        - name: NAME
+          value: backend
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: backend
+  namespace: backend
+spec:
+  type: ClusterIP
+  selector:
+    app: backend
+  ports:
+    - port: 8080
+---
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ServiceDefaults
+metadata:
+  name: backend
+  namespace: backend
+spec:
+  protocol: http

acceptance/tests/fixtures/cases/openshift/basic/frontend.yaml

@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: frontend
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: frontend
+  namespace: frontend
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: frontend
+  namespace: frontend
+spec:
+  selector:
+    matchLabels:
+      app: frontend
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: frontend
+      annotations:
+        consul.hashicorp.com/connect-inject: "true"
+    spec:
+      serviceAccountName: frontend
+      containers:
+      - name: frontend
+        image: nicholasjackson/fake-service:v0.26.0
+        ports:
+        - containerPort: 8080
+        env:
+        - name: LISTEN_ADDR
+          value: "0.0.0.0:8080"
+        - name: NAME
+          value: frontend
+        - name: UPSTREAM_URIS
+          value: 'http://backend.backend:8080'
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: frontend
+  namespace: frontend
+spec:
+  type: ClusterIP
+  selector:
+    app: frontend
+  ports:
+    - port: 8080
+---
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ServiceDefaults
+metadata:
+  name: frontend
+  namespace: frontend
+spec:
+  protocol: http

acceptance/tests/fixtures/cases/openshift/basic/gateway.yaml

@@ -0,0 +1,15 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: api-gateway
+  namespace: consul
+spec:
+  gatewayClassName: consul
+  listeners:
+  - name: https
+    protocol: HTTPS
+    port: 443
+    tls:
+      certificateRefs:
+      - name: consul-server-cert
+        namespace: consul

acceptance/tests/fixtures/cases/openshift/basic/intentions.yaml

@@ -0,0 +1,23 @@
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ServiceIntentions
+metadata:
+  name: to-backend-default
+  namespace: default
+spec:
+  destination:
+    name: backend
+  sources:
+    - name: frontend
+      action: allow
+---
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ServiceIntentions
+metadata:
+  name: to-frontend-default
+  namespace: default
+spec:
+  destination:
+    name: frontend
+  sources:
+    - name: api-gateway
+      action: allow

acceptance/tests/fixtures/cases/openshift/basic/route.yaml

@@ -0,0 +1,30 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: frontend-route-default
+  namespace: consul
+spec:
+  parentRefs:
+    - name: api-gateway
+  rules: 
+    - backendRefs:
+      - kind: Service
+        name: frontend
+        namespace: frontend
+        port: 8080
+
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+  name: service-grant
+  namespace: frontend
+spec:
+  from:
+  - group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    namespace: consul
+  to:
+  - group: ""
+    kind: Service
+    name: frontend