From 02058d67a47d90abe398e33f4f500a8daf2408ca Mon Sep 17 00:00:00 2001 From: Matej Kralik Date: Wed, 7 Aug 2024 12:11:53 +0200 Subject: [PATCH] [OSSM-6092] Add ROSA env in the SMCP where it was missing + [OSSM-6886] remove hardcoded istio-system (#723) * [OSSM-6092] Add ROSA env in the SMCP where it was missing * [OSSM-6886] Remove hardcoded istio-system --- pkg/tests/ossm/bug_istiopods_test.go | 2 +- .../ossm/operator/clusterwide_mode_test.go | 25 +++++++++++++------ .../ossm/prometheus_scoped_scraping_test.go | 2 +- pkg/tests/ossm/smcp_must_gather_test.go | 22 ++++++++-------- pkg/tests/ossm/smcp_secret_test.go | 2 +- pkg/tests/ossm/smm_test.go | 3 +-- .../extensions/threescale_wasm_plugin_test.go | 1 + .../tasks/extensions/yaml/mesh.tmpl.yaml | 5 ++++ pkg/tests/tasks/injection/yaml/mesh.tmpl.yaml | 4 +-- .../observability/custom_prometheus_test.go | 15 +++++++---- .../certificate/alpn_filter_non_istio_test.go | 2 +- .../security/certmanager/plugin_ca_test.go | 4 +-- .../certmanager/yaml/cacerts/cacerts.yaml | 6 ++--- .../tasks/traffic/ingress/gatewayapi_test.go | 13 ++++++++-- 14 files changed, 67 insertions(+), 39 deletions(-) diff --git a/pkg/tests/ossm/bug_istiopods_test.go b/pkg/tests/ossm/bug_istiopods_test.go index dd26468d..ca360f3f 100644 --- a/pkg/tests/ossm/bug_istiopods_test.go +++ b/pkg/tests/ossm/bug_istiopods_test.go @@ -70,7 +70,7 @@ func TestIstiodPodFailsWithValidationMessages(t *testing.T) { oc.WaitPodRunning(t, istiodPod) retry.UntilSuccessWithOptions(t, retry.Options().MaxAttempts(10), func(t TestHelper) { oc.LogsFromPods(t, meshNamespace, "app=istiod", assert.OutputContains( - "successfully acquired lease istio-system/istio-analyze-leader", + "successfully acquired lease "+meshNamespace+"/istio-analyze-leader", "Successfully acquired lease for analyzer in istiod pod", "Expected to acquire lease for analyzer in istiod pod, but was not", ), 
diff --git a/pkg/tests/ossm/operator/clusterwide_mode_test.go b/pkg/tests/ossm/operator/clusterwide_mode_test.go index 7c6fae5c..7f0d6e89 100644 --- a/pkg/tests/ossm/operator/clusterwide_mode_test.go +++ b/pkg/tests/ossm/operator/clusterwide_mode_test.go @@ -187,12 +187,12 @@ func TestClusterWideMode(t *testing.T) { t.LogStep("Check that Rolebindings are not created in the member namespaces") retry.UntilSuccess(t, func(t TestHelper) { oc.Get(t, "member-0", "rolebindings", "", - assert.OutputDoesNotContain("istiod-clusterrole-basic-istio-system", - "The Rolebings does not contains istiod-clusterrole-basic-istio-system RoleBinding", - "The Rolebings contains istiod-clusterrole-basic-istio-system RoleBinding"), - assert.OutputDoesNotContain("istiod-gateway-controller-basic-istio-system", - "The Rolebings does not contains istiod-gateway-controller-basic-istio-system", - "The Rolebings contains istiod-gateway-controller-basic-istio-system")) + assert.OutputDoesNotContain("istiod-clusterrole-basic-"+meshNamespace, + "The Rolebings does not contains istiod-clusterrole-basic-"+meshNamespace+" RoleBinding", + "The Rolebings contains istiod-clusterrole-basic-"+meshNamespace+" RoleBinding"), + assert.OutputDoesNotContain("istiod-gateway-controller-basic-"+meshNamespace, + "The Rolebings does not contains istiod-gateway-controller-basic-"+meshNamespace, + "The Rolebings contains istiod-gateway-controller-basic-"+meshNamespace)) }) }) @@ -510,7 +510,11 @@ spec: oc.ApplyTemplate(t, meshNamespace, clusterWideSMCPWithProfile, - map[string]string{"Name": "cluster-wide", "Version": env.GetSMCPVersion().String()}) + map[string]interface{}{ + "Name": "cluster-wide", + "Version": env.GetSMCPVersion().String(), + "Rosa": env.IsRosa(), + }) oc.WaitSMCPReady(t, meshNamespace, "cluster-wide") t.LogStep("Check whether SMMR is created automatically") 
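Review bot: The assertion messages rewritten in the `@@ -187` hunk keep the typos "Rolebings" and "does not contains", and each binding name is now concatenated three times per check. Since these lines are being touched anyway, consider naming the binding once, e.g. `crb := "istiod-clusterrole-basic-" + meshNamespace`, and wording the messages as `"RoleBindings do not contain " + crb` and `"RoleBindings contain " + crb`. The enclosing subtest starts and ends outside the hunk.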
@@ -688,7 +692,12 @@ metadata: spec: version: {{ .Version }} profiles: - - gateway-controller` + - gateway-controller + {{ if .Rosa }} + security: + identity: + type: ThirdParty + {{ end }}` customSMMR = ` apiVersion: maistra.io/v1 diff --git a/pkg/tests/ossm/prometheus_scoped_scraping_test.go b/pkg/tests/ossm/prometheus_scoped_scraping_test.go index f1486eb5..f015fc9b 100644 --- a/pkg/tests/ossm/prometheus_scoped_scraping_test.go +++ b/pkg/tests/ossm/prometheus_scoped_scraping_test.go @@ -21,7 +21,7 @@ import ( "github.com/maistra/maistra-test-tool/pkg/util/version" ) -var prometheusPodSelector oc.PodLocatorFunc = pod.MatchingSelector("app=prometheus,maistra-control-plane=istio-system", meshNamespace) +var prometheusPodSelector oc.PodLocatorFunc = pod.MatchingSelector("app=prometheus,maistra-control-plane="+meshNamespace, meshNamespace) func TestOperatorCanUpdatePrometheusConfigMap(t *testing.T) { test.NewTest(t).Groups(test.Full, test.ARM).Run(func(t test.TestHelper) { diff --git a/pkg/tests/ossm/smcp_must_gather_test.go b/pkg/tests/ossm/smcp_must_gather_test.go index d0b19345..841ec094 100644 --- a/pkg/tests/ossm/smcp_must_gather_test.go +++ b/pkg/tests/ossm/smcp_must_gather_test.go 
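Review bot: The `{{ if .Rosa }}` … `type: ThirdParty` stanza appended to the `gateway-controller` template in the `@@ -688` hunk is the same block this commit also pastes into gatewayapi_test.go, extensions/yaml/mesh.tmpl.yaml and custom_prometheus_test.go, and that injection/yaml/mesh.tmpl.yaml already carried. With five hand-maintained copies, a later SMCP template can omit it again without any test noticing. Consider keeping the stanza in one shared string that each template includes, and add a comment at the values map in the `@@ -510` hunk such as `// ROSA: the SMCP must set spec.security.identity.type=ThirdParty`. As written, the plain `{{ if .Rosa }}` and `{{ end }}` lines leave whitespace-only lines in the rendered YAML; `{{- if .Rosa }}` and `{{- end }}` would trim them.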
@@ -113,19 +113,19 @@ func TestMustGather(t *testing.T) { if env.GetOperatorVersion().LessThan(version.OPERATOR_2_6_0) { assertFilesExist(t, dir, - "**/cluster-scoped-resources/rbac.authorization.k8s.io/clusterrolebindings/istiod-internal-basic-istio-system.yaml", + "**/cluster-scoped-resources/rbac.authorization.k8s.io/clusterrolebindings/istiod-internal-basic-"+meshNamespace+".yaml", "**/cluster-scoped-resources/admissionregistration.k8s.io/mutatingwebhookconfigurations/openshift-operators.servicemesh-resources.maistra.io.yaml", - "**/cluster-scoped-resources/admissionregistration.k8s.io/mutatingwebhookconfigurations/istiod-basic-istio-system.yaml", + "**/cluster-scoped-resources/admissionregistration.k8s.io/mutatingwebhookconfigurations/istiod-basic-"+meshNamespace+".yaml", "**/cluster-scoped-resources/admissionregistration.k8s.io/validatingwebhookconfigurations/openshift-operators.servicemesh-resources.maistra.io.yaml", - "**/cluster-scoped-resources/admissionregistration.k8s.io/validatingwebhookconfigurations/istio-validator-basic-istio-system.yaml", - "**/cluster-scoped-resources/rbac.authorization.k8s.io/clusterroles/istiod-clusterrole-basic-istio-system.yaml") + "**/cluster-scoped-resources/admissionregistration.k8s.io/validatingwebhookconfigurations/istio-validator-basic-"+meshNamespace+".yaml", + "**/cluster-scoped-resources/rbac.authorization.k8s.io/clusterroles/istiod-clusterrole-basic-"+meshNamespace+".yaml") } else { assertFilesExist(t, dir, - "**/cluster-scoped-resources/rbac.authorization.k8s.io/clusterrolebindings/istiod-internal-basic-istio-system.yaml", - "**/cluster-scoped-resources/admissionregistration.k8s.io/mutatingwebhookconfigurations/istiod-basic-istio-system.yaml", - "**/cluster-scoped-resources/admissionregistration.k8s.io/validatingwebhookconfigurations/istio-validator-basic-istio-system.yaml", - "**/cluster-scoped-resources/rbac.authorization.k8s.io/clusterroles/istiod-clusterrole-basic-istio-system.yaml") + 
"**/cluster-scoped-resources/rbac.authorization.k8s.io/clusterrolebindings/istiod-internal-basic-"+meshNamespace+".yaml", + "**/cluster-scoped-resources/admissionregistration.k8s.io/mutatingwebhookconfigurations/istiod-basic-"+meshNamespace+".yaml", + "**/cluster-scoped-resources/admissionregistration.k8s.io/validatingwebhookconfigurations/istio-validator-basic-"+meshNamespace+".yaml", + "**/cluster-scoped-resources/rbac.authorization.k8s.io/clusterroles/istiod-clusterrole-basic-"+meshNamespace+".yaml") webhookMap := map[string]string{ "smcp.mutation.maistra.io": "mutatingwebhookconfigurations", @@ -146,11 +146,11 @@ func TestMustGather(t *testing.T) { }) t.NewSubTest("resource for namespaces exist").Run(func(t TestHelper) { - t.LogStep("verify that resources for namespaces are created including bookinfo and istio-system folders") + t.LogStep("verify that resources for namespaces are created including bookinfo and " + meshNamespace + " folders") assertFilesExist(t, dir, - "**/namespaces/istio-system/debug-syncz.json", - "**/namespaces/istio-system/istio-system.yaml", + "**/namespaces/"+meshNamespace+"/debug-syncz.json", + "**/namespaces/"+meshNamespace+"/"+meshNamespace+".yaml", "**/namespaces/bookinfo/bookinfo.yaml", "**/namespaces/openshift-operators/openshift-operators.yaml", "**/namespaces/*/rbac.authorization.k8s.io/rolebindings/mesh-users.yaml") diff --git a/pkg/tests/ossm/smcp_secret_test.go b/pkg/tests/ossm/smcp_secret_test.go index 8c2a54c9..6148eaee 100644 --- a/pkg/tests/ossm/smcp_secret_test.go +++ b/pkg/tests/ossm/smcp_secret_test.go 
@@ -36,7 +36,7 @@ func TestSMCPSecret(t *testing.T) { DeployControlPlane(t) - output := shell.Execute(t, `oc get secret -n istio-system htpasswd -o json | jq .data.auth | tr -d \" | base64 -d | sed 's/}.*/}REDACTED\n/'`) + output := shell.Execute(t, fmt.Sprintf(`oc get secret -n %s htpasswd -o json | jq .data.auth | tr -d \" | base64 -d | sed 's/}.*/}REDACTED\n/'`, meshNamespace)) str := "$2a$" if strings.Contains(output, str) { diff --git a/pkg/tests/ossm/smm_test.go b/pkg/tests/ossm/smm_test.go index 7e6deb6c..f26aeb69 100644 --- a/pkg/tests/ossm/smm_test.go +++ b/pkg/tests/ossm/smm_test.go @@ -123,6 +123,5 @@ metadata: spec: controlPlaneRef: name: basic - namespace: istio-system - ` + namespace: ` + meshNamespace ) diff --git a/pkg/tests/tasks/extensions/threescale_wasm_plugin_test.go b/pkg/tests/tasks/extensions/threescale_wasm_plugin_test.go index d56cd6af..90b204d3 100644 --- a/pkg/tests/tasks/extensions/threescale_wasm_plugin_test.go +++ b/pkg/tests/tasks/extensions/threescale_wasm_plugin_test.go @@ -43,6 +43,7 @@ func TestThreeScaleWasmPlugin(t *testing.T) { "Version": env.GetSMCPVersion().String(), "Member": ns.Foo, "ClusterWideProxy": false, + "Rosa": env.IsRosa(), } //If there is a cluster-wide proxy in front of OCP, it needs to be set in istio-proxy to be able to download the 3scale plugin from Quay diff --git a/pkg/tests/tasks/extensions/yaml/mesh.tmpl.yaml b/pkg/tests/tasks/extensions/yaml/mesh.tmpl.yaml index e78e9311..56435fe0 100644 --- a/pkg/tests/tasks/extensions/yaml/mesh.tmpl.yaml +++ b/pkg/tests/tasks/extensions/yaml/mesh.tmpl.yaml @@ -46,6 +46,11 @@ spec: {{ end }} tracing: type: None + {{ if .Rosa }} + security: + identity: + type: ThirdParty + {{ end }} version: {{ .Version }} --- apiVersion: maistra.io/v1 diff --git a/pkg/tests/tasks/injection/yaml/mesh.tmpl.yaml b/pkg/tests/tasks/injection/yaml/mesh.tmpl.yaml index aa2823e9..8fecff3b 100644 --- a/pkg/tests/tasks/injection/yaml/mesh.tmpl.yaml 
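Review bot: `meshNamespace` is formatted unquoted into the `oc get secret … | jq … | base64 -d | sed …` pipeline passed to `shell.Execute`, so the command is only as well-formed as wherever that variable is set, which this hunk does not show. If the value can come from the environment, quote it in the command, `oc get secret -n '%s' htpasswd -o json`, or check once at startup that it is a valid namespace name. The same unquoted splice is added in alpn_filter_non_istio_test.go, in the `oc get service/istio-ingressgateway` command passed to `oc.DefaultOC.Invoke`. No import hunk accompanies smcp_secret_test.go, so `fmt` has to be imported there already.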
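Review bot: The `security:` key added under `{{ if .Rosa }}` in extensions/yaml/mesh.tmpl.yaml sits after `tracing:`, and the part of `spec` above line 46 is outside this hunk. If that part already defines `security:` (as the SMCP in custom_prometheus_test.go does for `dataPlane.mtls`), a ROSA run would render two `security:` mappings in the same `spec`. In that case the `identity:` block should be nested under the existing key, as was done in custom_prometheus_test.go.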
+++ b/pkg/tests/tasks/injection/yaml/mesh.tmpl.yaml @@ -18,11 +18,11 @@ spec: env: ENABLE_NATIVE_SIDECARS: "true" {{ end }} + {{ if .Rosa }} security: - {{ if .Rosa }} identity: type: ThirdParty - {{ end }} + {{ end }} tracing: type: None version: {{ .Version }} diff --git a/pkg/tests/tasks/observability/custom_prometheus_test.go b/pkg/tests/tasks/observability/custom_prometheus_test.go index d75bf35f..88330e62 100644 --- a/pkg/tests/tasks/observability/custom_prometheus_test.go +++ b/pkg/tests/tasks/observability/custom_prometheus_test.go @@ -143,7 +143,7 @@ spec: func createSmcpWithPrometheusExtensionProvider(t test.TestHelper, smcpNs, prometheusNs, additionalSmmrNs string) { t.T().Helper() - oc.ApplyString(t, smcpNs, ` + oc.ApplyTemplate(t, smcpNs, ` apiVersion: maistra.io/v2 kind: ServiceMeshControlPlane metadata: @@ -171,9 +171,14 @@ spec: security: dataPlane: mtls: true + {{ if .Rosa }} + identity: + type: ThirdParty + {{ end }} tracing: - type: None`, - fmt.Sprintf(` + type: None`, map[string]interface{}{"Rosa": env.IsRosa()}) + + oc.ApplyString(t, smcpNs, fmt.Sprintf(` apiVersion: maistra.io/v1 kind: ServiceMeshMemberRoll metadata: @@ -182,8 +187,8 @@ spec: members: - %s - %s`, - prometheusNs, - additionalSmmrNs)) + prometheusNs, + additionalSmmrNs)) } func installPrometheus(t test.TestHelper, ns string, permittedNs ...string) { diff --git a/pkg/tests/tasks/security/certificate/alpn_filter_non_istio_test.go b/pkg/tests/tasks/security/certificate/alpn_filter_non_istio_test.go index 7c0cf194..c8a6fd71 100644 --- a/pkg/tests/tasks/security/certificate/alpn_filter_non_istio_test.go +++ b/pkg/tests/tasks/security/certificate/alpn_filter_non_istio_test.go 
@@ -28,7 +28,7 @@ func TestAlpnFilterDisabledForNonIstioMtls(t *testing.T) { ossm.DeployControlPlane(t) // We need the cluster IP of the ingress gateway service to override DNS resolution during the connection test - ingressGwServIP := oc.DefaultOC.Invoke(t, `oc get service/istio-ingressgateway -o=jsonpath='{.spec.clusterIP}' -n istio-system`) + ingressGwServIP := oc.DefaultOC.Invoke(t, `oc get service/istio-ingressgateway -o=jsonpath='{.spec.clusterIP}' -n `+meshNamespace) t.Log("Deploying nginx app") app.InstallAndWaitReady(t, app.Nginx(ns.Foo)) diff --git a/pkg/tests/tasks/security/certmanager/plugin_ca_test.go b/pkg/tests/tasks/security/certmanager/plugin_ca_test.go index 1e02c149..e0107b86 100644 --- a/pkg/tests/tasks/security/certmanager/plugin_ca_test.go +++ b/pkg/tests/tasks/security/certmanager/plugin_ca_test.go @@ -47,7 +47,7 @@ func TestPluginCaCert(t *testing.T) { t.Cleanup(func() { oc.DeleteFromTemplate(t, meshNamespace, serviceMeshCacertsTmpl, meshValues) - oc.DeleteFromString(t, meshNamespace, cacerts) + oc.DeleteFromTemplate(t, meshNamespace, cacerts, map[string]interface{}{"MeshNs": meshNamespace}) oc.DeleteSecret(t, meshNamespace, "cacerts") oc.RecreateNamespace(t, ns.Foo) certmanageroperator.Uninstall(t) @@ -59,7 +59,7 @@ func TestPluginCaCert(t *testing.T) { oc.RecreateNamespace(t, meshNamespace) t.LogStep("Create intermediate CA certificate for Istio") - oc.ApplyString(t, meshNamespace, cacerts) + oc.ApplyTemplate(t, meshNamespace, cacerts, map[string]interface{}{"MeshNs": meshNamespace}) t.LogStep("Deploy SMCP " + smcpVer.String() + " and SMMR") oc.ApplyTemplate(t, meshNamespace, serviceMeshCacertsTmpl, meshValues) diff --git a/pkg/tests/tasks/security/certmanager/yaml/cacerts/cacerts.yaml b/pkg/tests/tasks/security/certmanager/yaml/cacerts/cacerts.yaml index 305f4f12..a1f6b758 100644 --- a/pkg/tests/tasks/security/certmanager/yaml/cacerts/cacerts.yaml +++ b/pkg/tests/tasks/security/certmanager/yaml/cacerts/cacerts.yaml 
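Review bot: The values map `map[string]interface{}{"MeshNs": meshNamespace}` is written out twice in plugin_ca_test.go, once for `oc.DeleteFromTemplate` inside `t.Cleanup` (`@@ -47`) and once for `oc.ApplyTemplate` (`@@ -59`). Cleanup only removes what was created if both calls render the same manifest, so declare the map once before `t.Cleanup`, e.g. `cacertsValues := map[string]interface{}{"MeshNs": meshNamespace}`, and pass it to both. TestPluginCaCert's body starts and ends outside these hunks.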
@@ -2,19 +2,19 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: cacerts - namespace: istio-system + namespace: {{ .MeshNs }} spec: secretName: cacerts duration: 1440h renewBefore: 360h - commonName: istiod-basic.istio-system.svc + commonName: istiod-basic.{{ .MeshNs }}.svc isCA: true usages: - digital signature - key encipherment - cert sign dnsNames: - - istiod-basic.istio-system.svc + - istiod-basic.{{ .MeshNs }}.svc issuerRef: name: root-ca kind: ClusterIssuer diff --git a/pkg/tests/tasks/traffic/ingress/gatewayapi_test.go b/pkg/tests/tasks/traffic/ingress/gatewayapi_test.go index 6b004b81..150643f5 100644 --- a/pkg/tests/tasks/traffic/ingress/gatewayapi_test.go +++ b/pkg/tests/tasks/traffic/ingress/gatewayapi_test.go @@ -157,7 +157,11 @@ func TestGatewayApi(t *testing.T) { oc.ApplyTemplate(t, meshNamespace, gatewayControllerProfile, - map[string]string{"Name": "basic", "Version": env.GetSMCPVersion().String()}) + map[string]interface{}{ + "Name": "basic", + "Version": env.GetSMCPVersion().String(), + "Rosa": env.IsRosa(), + }) oc.WaitSMCPReady(t, meshNamespace, "basic") t.LogStep("delete default SMMR and create custom SMMR") @@ -197,7 +201,12 @@ metadata: spec: version: {{ .Version }} profiles: - - gateway-controller` + - gateway-controller + {{ if .Rosa }} + security: + identity: + type: ThirdParty + {{ end }}` const createSMMR = ` apiVersion: maistra.io/v1
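Review bot: cacerts.yaml now contains `{{ .MeshNs }}` in `metadata.namespace`, `commonName` and `dnsNames`, so it is a Go template rather than a manifest that can be applied as-is, yet it keeps the plain `.yaml` name while the other templated files in this patch are named `mesh.tmpl.yaml`. Renaming it to `cacerts.tmpl.yaml`, and updating wherever the `cacerts` variable loads it (not visible here), would make that clear. A header comment such as `# Go template: MeshNs is the control plane namespace` would also record what the placeholder must be set to.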