[OSSM-6092] Add ROSA env in the SMCP where it was missing + [OSSM-688…

…6] remove hardcoded istio-system (#723) * [OSSM-6092] Add ROSA env in the SMCP where it was missing * [OSSM-6886] Remove hardcoded istio-system
maistra · Aug 7, 2024 · 02058d6 · 02058d6
1 parent 975234f
commit 02058d6
Show file tree

Hide file tree

Showing 14 changed files with 67 additions and 39 deletions.
diff --git a/pkg/tests/ossm/bug_istiopods_test.go b/pkg/tests/ossm/bug_istiopods_test.go
@@ -70,7 +70,7 @@ func TestIstiodPodFailsWithValidationMessages(t *testing.T) {
 		oc.WaitPodRunning(t, istiodPod)
 		retry.UntilSuccessWithOptions(t, retry.Options().MaxAttempts(10), func(t TestHelper) {
 			oc.LogsFromPods(t, meshNamespace, "app=istiod", assert.OutputContains(
-				"successfully acquired lease istio-system/istio-analyze-leader",
+				"successfully acquired lease "+meshNamespace+"/istio-analyze-leader",
 				"Successfully acquired lease for analyzer in istiod pod",
 				"Expected to acquire lease for analyzer in istiod pod, but was not",
 			),

diff --git a/pkg/tests/ossm/operator/clusterwide_mode_test.go b/pkg/tests/ossm/operator/clusterwide_mode_test.go
@@ -187,12 +187,12 @@ func TestClusterWideMode(t *testing.T) {
 			t.LogStep("Check that Rolebindings are not created in the member namespaces")
 			retry.UntilSuccess(t, func(t TestHelper) {
 				oc.Get(t, "member-0", "rolebindings", "",
-					assert.OutputDoesNotContain("istiod-clusterrole-basic-istio-system",
-						"The Rolebings does not contains istiod-clusterrole-basic-istio-system RoleBinding",
-						"The Rolebings contains istiod-clusterrole-basic-istio-system RoleBinding"),
-					assert.OutputDoesNotContain("istiod-gateway-controller-basic-istio-system",
-						"The Rolebings does not contains istiod-gateway-controller-basic-istio-system",
-						"The Rolebings contains istiod-gateway-controller-basic-istio-system"))
+					assert.OutputDoesNotContain("istiod-clusterrole-basic-"+meshNamespace,
+						"The Rolebings does not contains istiod-clusterrole-basic-"+meshNamespace+" RoleBinding",
+						"The Rolebings contains istiod-clusterrole-basic-"+meshNamespace+" RoleBinding"),
+					assert.OutputDoesNotContain("istiod-gateway-controller-basic-"+meshNamespace,
+						"The Rolebings does not contains istiod-gateway-controller-basic-"+meshNamespace,
+						"The Rolebings contains istiod-gateway-controller-basic-"+meshNamespace))
 			})
 		})
 
@@ -510,7 +510,11 @@ spec:
 			oc.ApplyTemplate(t,
 				meshNamespace,
 				clusterWideSMCPWithProfile,
-				map[string]string{"Name": "cluster-wide", "Version": env.GetSMCPVersion().String()})
+				map[string]interface{}{
+					"Name":    "cluster-wide",
+					"Version": env.GetSMCPVersion().String(),
+					"Rosa":    env.IsRosa(),
+				})
 			oc.WaitSMCPReady(t, meshNamespace, "cluster-wide")
 
 			t.LogStep("Check whether SMMR is created automatically")
@@ -688,7 +692,12 @@ metadata:
 spec:
   version: {{ .Version }}
   profiles:
-  - gateway-controller`
+  - gateway-controller
+  {{ if .Rosa }} 
+  security:
+    identity:
+      type: ThirdParty
+  {{ end }}`
 
 	customSMMR = `
 apiVersion: maistra.io/v1

diff --git a/pkg/tests/ossm/prometheus_scoped_scraping_test.go b/pkg/tests/ossm/prometheus_scoped_scraping_test.go
@@ -21,7 +21,7 @@ import (
 	"github.com/maistra/maistra-test-tool/pkg/util/version"
 )
 
-var prometheusPodSelector oc.PodLocatorFunc = pod.MatchingSelector("app=prometheus,maistra-control-plane=istio-system", meshNamespace)
+var prometheusPodSelector oc.PodLocatorFunc = pod.MatchingSelector("app=prometheus,maistra-control-plane="+meshNamespace, meshNamespace)
 
 func TestOperatorCanUpdatePrometheusConfigMap(t *testing.T) {
 	test.NewTest(t).Groups(test.Full, test.ARM).Run(func(t test.TestHelper) {

diff --git a/pkg/tests/ossm/smcp_must_gather_test.go b/pkg/tests/ossm/smcp_must_gather_test.go
@@ -113,19 +113,19 @@ func TestMustGather(t *testing.T) {
 			if env.GetOperatorVersion().LessThan(version.OPERATOR_2_6_0) {
 				assertFilesExist(t,
 					dir,
-					"**/cluster-scoped-resources/rbac.authorization.k8s.io/clusterrolebindings/istiod-internal-basic-istio-system.yaml",
+					"**/cluster-scoped-resources/rbac.authorization.k8s.io/clusterrolebindings/istiod-internal-basic-"+meshNamespace+".yaml",
 					"**/cluster-scoped-resources/admissionregistration.k8s.io/mutatingwebhookconfigurations/openshift-operators.servicemesh-resources.maistra.io.yaml",
-					"**/cluster-scoped-resources/admissionregistration.k8s.io/mutatingwebhookconfigurations/istiod-basic-istio-system.yaml",
+					"**/cluster-scoped-resources/admissionregistration.k8s.io/mutatingwebhookconfigurations/istiod-basic-"+meshNamespace+".yaml",
 					"**/cluster-scoped-resources/admissionregistration.k8s.io/validatingwebhookconfigurations/openshift-operators.servicemesh-resources.maistra.io.yaml",
-					"**/cluster-scoped-resources/admissionregistration.k8s.io/validatingwebhookconfigurations/istio-validator-basic-istio-system.yaml",
-					"**/cluster-scoped-resources/rbac.authorization.k8s.io/clusterroles/istiod-clusterrole-basic-istio-system.yaml")
+					"**/cluster-scoped-resources/admissionregistration.k8s.io/validatingwebhookconfigurations/istio-validator-basic-"+meshNamespace+".yaml",
+					"**/cluster-scoped-resources/rbac.authorization.k8s.io/clusterroles/istiod-clusterrole-basic-"+meshNamespace+".yaml")
 			} else {
 				assertFilesExist(t,
 					dir,
-					"**/cluster-scoped-resources/rbac.authorization.k8s.io/clusterrolebindings/istiod-internal-basic-istio-system.yaml",
-					"**/cluster-scoped-resources/admissionregistration.k8s.io/mutatingwebhookconfigurations/istiod-basic-istio-system.yaml",
-					"**/cluster-scoped-resources/admissionregistration.k8s.io/validatingwebhookconfigurations/istio-validator-basic-istio-system.yaml",
-					"**/cluster-scoped-resources/rbac.authorization.k8s.io/clusterroles/istiod-clusterrole-basic-istio-system.yaml")
+					"**/cluster-scoped-resources/rbac.authorization.k8s.io/clusterrolebindings/istiod-internal-basic-"+meshNamespace+".yaml",
+					"**/cluster-scoped-resources/admissionregistration.k8s.io/mutatingwebhookconfigurations/istiod-basic-"+meshNamespace+".yaml",
+					"**/cluster-scoped-resources/admissionregistration.k8s.io/validatingwebhookconfigurations/istio-validator-basic-"+meshNamespace+".yaml",
+					"**/cluster-scoped-resources/rbac.authorization.k8s.io/clusterroles/istiod-clusterrole-basic-"+meshNamespace+".yaml")
 
 				webhookMap := map[string]string{
 					"smcp.mutation.maistra.io":   "mutatingwebhookconfigurations",
@@ -146,11 +146,11 @@ func TestMustGather(t *testing.T) {
 		})
 
 		t.NewSubTest("resource for namespaces exist").Run(func(t TestHelper) {
-			t.LogStep("verify that resources for namespaces are created including bookinfo and istio-system folders")
+			t.LogStep("verify that resources for namespaces are created including bookinfo and " + meshNamespace + " folders")
 			assertFilesExist(t,
 				dir,
-				"**/namespaces/istio-system/debug-syncz.json",
-				"**/namespaces/istio-system/istio-system.yaml",
+				"**/namespaces/"+meshNamespace+"/debug-syncz.json",
+				"**/namespaces/"+meshNamespace+"/"+meshNamespace+".yaml",
 				"**/namespaces/bookinfo/bookinfo.yaml",
 				"**/namespaces/openshift-operators/openshift-operators.yaml",
 				"**/namespaces/*/rbac.authorization.k8s.io/rolebindings/mesh-users.yaml")

diff --git a/pkg/tests/ossm/smcp_secret_test.go b/pkg/tests/ossm/smcp_secret_test.go
@@ -36,7 +36,7 @@ func TestSMCPSecret(t *testing.T) {
 
 			DeployControlPlane(t)
 
-			output := shell.Execute(t, `oc get secret -n istio-system htpasswd -o json | jq .data.auth | tr -d \" | base64 -d | sed 's/}.*/}REDACTED\n/'`)
+			output := shell.Execute(t, fmt.Sprintf(`oc get secret -n %s htpasswd -o json | jq .data.auth | tr -d \" | base64 -d | sed 's/}.*/}REDACTED\n/'`, meshNamespace))
 			str := "$2a$"
 
 			if strings.Contains(output, str) {

diff --git a/pkg/tests/ossm/smm_test.go b/pkg/tests/ossm/smm_test.go
@@ -123,6 +123,5 @@ metadata:
 spec:
   controlPlaneRef:
     name: basic
-    namespace: istio-system
-  `
+    namespace: ` + meshNamespace
 )
diff --git a/pkg/tests/tasks/extensions/threescale_wasm_plugin_test.go b/pkg/tests/tasks/extensions/threescale_wasm_plugin_test.go
@@ -43,6 +43,7 @@ func TestThreeScaleWasmPlugin(t *testing.T) {
 			"Version":          env.GetSMCPVersion().String(),
 			"Member":           ns.Foo,
 			"ClusterWideProxy": false,
+			"Rosa":             env.IsRosa(),
 		}
 
 		//If there is a cluster-wide proxy in front of OCP, it needs to be set in istio-proxy to be able to download the 3scale plugin from Quay

diff --git a/pkg/tests/tasks/extensions/yaml/mesh.tmpl.yaml b/pkg/tests/tasks/extensions/yaml/mesh.tmpl.yaml
@@ -46,6 +46,11 @@ spec:
             {{ end }}
   tracing:
     type: None
+  {{ if .Rosa }} 
+  security:
+    identity:
+      type: ThirdParty
+  {{ end }}
   version: {{ .Version }}
 ---
 apiVersion: maistra.io/v1

diff --git a/pkg/tests/tasks/injection/yaml/mesh.tmpl.yaml b/pkg/tests/tasks/injection/yaml/mesh.tmpl.yaml
@@ -18,11 +18,11 @@ spec:
           env:
             ENABLE_NATIVE_SIDECARS: "true"
   {{ end }}
+  {{ if .Rosa }}
   security:
-    {{ if .Rosa }}
     identity:
       type: ThirdParty
-    {{ end }}
+  {{ end }}
   tracing:
     type: None
   version: {{ .Version }}

diff --git a/pkg/tests/tasks/observability/custom_prometheus_test.go b/pkg/tests/tasks/observability/custom_prometheus_test.go
@@ -143,7 +143,7 @@ spec:
 
 func createSmcpWithPrometheusExtensionProvider(t test.TestHelper, smcpNs, prometheusNs, additionalSmmrNs string) {
 	t.T().Helper()
-	oc.ApplyString(t, smcpNs, `
+	oc.ApplyTemplate(t, smcpNs, `
 apiVersion: maistra.io/v2
 kind: ServiceMeshControlPlane
 metadata:
@@ -171,9 +171,14 @@ spec:
   security:
     dataPlane:
       mtls: true
+    {{ if .Rosa }}
+    identity:
+      type: ThirdParty
+    {{ end }}
   tracing:
-    type: None`,
-		fmt.Sprintf(`
+    type: None`, map[string]interface{}{"Rosa": env.IsRosa()})
+
+	oc.ApplyString(t, smcpNs, fmt.Sprintf(`
 apiVersion: maistra.io/v1
 kind: ServiceMeshMemberRoll
 metadata:
@@ -182,8 +187,8 @@ spec:
   members:
   - %s
   - %s`,
-			prometheusNs,
-			additionalSmmrNs))
+		prometheusNs,
+		additionalSmmrNs))
 }
 
 func installPrometheus(t test.TestHelper, ns string, permittedNs ...string) {

diff --git a/pkg/tests/tasks/security/certificate/alpn_filter_non_istio_test.go b/pkg/tests/tasks/security/certificate/alpn_filter_non_istio_test.go
@@ -28,7 +28,7 @@ func TestAlpnFilterDisabledForNonIstioMtls(t *testing.T) {
 		ossm.DeployControlPlane(t)
 
 		// We need the cluster IP of the ingress gateway service to override DNS resolution during the connection test
-		ingressGwServIP := oc.DefaultOC.Invoke(t, `oc get service/istio-ingressgateway -o=jsonpath='{.spec.clusterIP}' -n istio-system`)
+		ingressGwServIP := oc.DefaultOC.Invoke(t, `oc get service/istio-ingressgateway -o=jsonpath='{.spec.clusterIP}' -n `+meshNamespace)
 
 		t.Log("Deploying nginx app")
 		app.InstallAndWaitReady(t, app.Nginx(ns.Foo))

diff --git a/pkg/tests/tasks/security/certmanager/plugin_ca_test.go b/pkg/tests/tasks/security/certmanager/plugin_ca_test.go
@@ -47,7 +47,7 @@ func TestPluginCaCert(t *testing.T) {
 
 		t.Cleanup(func() {
 			oc.DeleteFromTemplate(t, meshNamespace, serviceMeshCacertsTmpl, meshValues)
-			oc.DeleteFromString(t, meshNamespace, cacerts)
+			oc.DeleteFromTemplate(t, meshNamespace, cacerts, map[string]interface{}{"MeshNs": meshNamespace})
 			oc.DeleteSecret(t, meshNamespace, "cacerts")
 			oc.RecreateNamespace(t, ns.Foo)
 			certmanageroperator.Uninstall(t)
@@ -59,7 +59,7 @@ func TestPluginCaCert(t *testing.T) {
 		oc.RecreateNamespace(t, meshNamespace)
 
 		t.LogStep("Create intermediate CA certificate for Istio")
-		oc.ApplyString(t, meshNamespace, cacerts)
+		oc.ApplyTemplate(t, meshNamespace, cacerts, map[string]interface{}{"MeshNs": meshNamespace})
 
 		t.LogStep("Deploy SMCP " + smcpVer.String() + " and SMMR")
 		oc.ApplyTemplate(t, meshNamespace, serviceMeshCacertsTmpl, meshValues)

diff --git a/pkg/tests/tasks/security/certmanager/yaml/cacerts/cacerts.yaml b/pkg/tests/tasks/security/certmanager/yaml/cacerts/cacerts.yaml
@@ -2,19 +2,19 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: cacerts
-  namespace: istio-system
+  namespace: {{ .MeshNs }}
 spec:
   secretName: cacerts
   duration: 1440h
   renewBefore: 360h
-  commonName: istiod-basic.istio-system.svc
+  commonName: istiod-basic.{{ .MeshNs }}.svc
   isCA: true
   usages:
   - digital signature
   - key encipherment
   - cert sign
   dnsNames:
-  - istiod-basic.istio-system.svc
+  - istiod-basic.{{ .MeshNs }}.svc
   issuerRef:
     name: root-ca
     kind: ClusterIssuer

diff --git a/pkg/tests/tasks/traffic/ingress/gatewayapi_test.go b/pkg/tests/tasks/traffic/ingress/gatewayapi_test.go
@@ -157,7 +157,11 @@ func TestGatewayApi(t *testing.T) {
 			oc.ApplyTemplate(t,
 				meshNamespace,
 				gatewayControllerProfile,
-				map[string]string{"Name": "basic", "Version": env.GetSMCPVersion().String()})
+				map[string]interface{}{
+					"Name":    "basic",
+					"Version": env.GetSMCPVersion().String(),
+					"Rosa":    env.IsRosa(),
+				})
 			oc.WaitSMCPReady(t, meshNamespace, "basic")
 
 			t.LogStep("delete default SMMR and create custom SMMR")
@@ -197,7 +201,12 @@ metadata:
 spec:
   version: {{ .Version }}
   profiles:
-  - gateway-controller`
+  - gateway-controller
+  {{ if .Rosa }}
+  security:
+    identity:
+      type: ThirdParty
+  {{ end }}`
 
 const createSMMR = `
 apiVersion: maistra.io/v1