diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml index 4339445b5a30..9f5773197221 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -5,25 +5,11 @@ body: attributes: value: | Thanks for taking the time to fill out this bug report! - - type: checkboxes - id: security-check - attributes: - label: Is this the right place to submit this? - description: |- - This is used to report product bugs: - To report a security vulnerability, please visit . - Any crashes are potentially security vulnerabilities and should be treated as such. - To ask questions about how to use Istio, please visit . - options: - - label: "This is not a security vulnerability or a crashing bug" - required: true - - label: "This is not a question about how to use Istio" - required: true - type: textarea id: bug-description attributes: label: Bug Description - description: Tell us what issues you ran into. + description: Tell us what issues you ran into placeholder: Include information about what you tried, what you expected to happen, and what actually happened. The more details, the better! validations: required: true @@ -40,7 +26,7 @@ body: $ kubectl version --short Client Version: v1.0.0 Server Version: v1.0.0 - render: Text + render: prose validations: required: true - type: textarea @@ -48,7 +34,7 @@ body: attributes: label: Additional Information description: | - Please include the output of [`istioctl bug-report`](https://istio.io/help/bugs/#generating-a-cluster-state-archive). + Please include the output of [`istioctl bug-report`](http://istio.io/help/bugs/#generating-a-cluster-state-archive). If you are unable to do so, please ensure you have collected the relevant debugging information manually and attached below; issue without enough information will not be resolvable. - type: checkboxes 
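Review bot: The `istioctl bug-report` link in the Additional Information description (hunk -48,7 +34,7) is downgraded from `https://` to `http://`. Reporters follow that link for instructions on collecting a cluster-state archive, so it should not depend on a plain-HTTP hop that can be altered in transit. Keep the original target, `https://istio.io/help/bugs/#generating-a-cluster-state-archive`.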
@@ -56,7 +42,6 @@ body: attributes: label: Affected product area options: - - label: "Ambient" - label: "Docs" - label: "Installation" - label: "Networking" @@ -70,3 +55,16 @@ body: - label: "Multi Cluster" - label: "Virtual Machine" - label: "Control Plane Revisions" + - type: checkboxes + id: security-check + attributes: + label: Is this the right place to submit this? + description: |- + This is used to report product bugs: + To report a security vulnerability, please visit + To ask questions about how to use Istio, please visit + options: + - label: "This is not a security vulnerability" + required: true + - label: "This is not a question about how to use Istio" + required: true \ No newline at end of file diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md index af408a6350ef..5e16d4942db8 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -11,7 +11,6 @@ about: Suggest an idea to improve Istio **Affected product area (please put an X in all that apply)** -[ ] Ambient [ ] Docs [ ] Installation [ ] Networking diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 0295e43836ee..ed4d3c2f01e6 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -8,9 +8,7 @@ Information about supported Istio versions can be found on the ## Reporting a Vulnerability Instructions for reporting a vulnerability can be found on the -[Istio Security Vulnerabilities] page. The Istio Product Security Working Group receives -vulnerability and security issue reports, and the company affiliation of the members of -the group can be found at [Early Disclosure Membership]. +[Istio Security Vulnerabilities] page. ## Security Bulletins 
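Review bot: The re-added `security-check` block (hunk -70,3 +55,16) drops the sentence `Any crashes are potentially security vulnerabilities and should be treated as such.` and narrows the first option to `"This is not a security vulnerability"`. With that wording a reporter with a crashing bug is no longer steered away from a public issue, and the check now sits at the end of the form, after the details have been typed. Both `please visit` lines also appear to have no link target in this view, so the private reporting channel is not reachable from the form. I would restore the crash sentence and the label `"This is not a security vulnerability or a crashing bug"`, and keep the block at the top of `body`.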
@@ -20,4 +18,3 @@ Information about previous Istio vulnerabilities can be found on the [Support Announcements]: https://istio.io/news/support/ [Istio Security Vulnerabilities]: https://istio.io/about/security-vulnerabilities/ [Security Bulletins]: https://istio.io/news/security/ -[Early Disclosure Membership]: https://github.com/istio/community/blob/master/EARLY-DISCLOSURE.md#membership diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index d42d00f8fe0d..672b0189a846 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -4,7 +4,6 @@ **To help us figure out who should review this PR, please put an X in all the areas that this PR affects.** -- [ ] Ambient - [ ] Configuration Infrastructure - [ ] Docs - [ ] Installation diff --git a/.github/workflows/e2e_tests.yml b/.github/workflows/e2e_tests.yml index 8acbaede38bf..0add376d67a6 100644 --- a/.github/workflows/e2e_tests.yml +++ b/.github/workflows/e2e_tests.yml 
@@ -7,61 +7,54 @@ on: env: HUB: ${{ secrets.TEST_HUB }} + SHA: "dd53c92c6803e5c426359f7fda07fcc166d3701b" jobs: # copied from make_release.yml build_fips_proxy: # Only run this job when the release type equals "fips". if: contains(github.event.ref, 'fips') + name: build fips proxy binary timeout-minutes: 840 runs-on: ['self-hosted','Linux','x64','c5.4xlarge'] env: RELEASE_GCS_PATH: gs://getistio-build/proxy-fips + IMG: gcr.io/tid-testing/build-tools-proxy:v5 steps: - name: Get the tag id: get_tag run: echo ::set-output name=TAG::${GITHUB_REF#refs/tags/} + - name: Get normalized tag - id: get_normalized_ver - run: echo ::set-output name=NORMALIZED_TAG::$(echo $TAG | sed 's/test-//g' | sed 's/-.*//g') - shell: bash - env: - TAG: ${{ steps.get_tag.outputs.TAG }} - - name: Get minor version id: get_minor_ver - run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+') + run: echo ::set-output name=NORMALIZED_TAG::$(echo $TAG | sed 's/test-//g' | sed 's/-.*//g') shell: bash env: TAG: ${{ steps.get_tag.outputs.TAG }} + - name: Checkout uses: actions/checkout@v2 with: repository: "istio/proxy" - ref: ${{ steps.get_normalized_ver.outputs.NORMALIZED_TAG }} + ref: ${{ steps.get_minor_ver.outputs.NORMALIZED_TAG }} + - name: Set up Cloud SDK uses: google-github-actions/setup-gcloud@v0 with: project_id: ${{ secrets.GCP_PROJECT_ID }} service_account_key: ${{ secrets.GCP_SA_KEY }} export_default_credentials: true + - name: Check if already built id: check_already_built - env: - REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} - TAG: ${{ steps.get_tag.outputs.TAG }} run: | - SHA=$(echo $TAG | sed 's/test-//g' | sed 's/[0-9].[0-9][0-9].[0-9]-[A-Za-z]*-//g' | sed 's/-.*//g') SHOULD_BUILD=1 - SHOULD_COPY=1 if gsutil ls ${RELEASE_GCS_PATH} | grep "${SHA}[^-]" ; then SHOULD_BUILD=0 - fi - if [ $(bc <<< "$REL_BRANCH_VER > 1.17") -eq 1 ];then - SHOULD_COPY=0 fi echo ::set-output name=should_build::${SHOULD_BUILD} - echo ::set-output 
name=should_copy::${SHOULD_COPY} + - name: Tweak make recipe if: ${{ steps.check_already_built.outputs.should_build == '1' }} # 1) remove unnecessary dependency on naive "build" target @@ -70,7 +63,7 @@ jobs: # from push_release. run: | ESCAPED_RELEASE_GCS_PATH=$(printf '%s\n' "$RELEASE_GCS_PATH" | sed -e 's/[\/&]/\\&/g') - sed -i "s/\-p//g; s/push_release: build/push_release:/g; s/\"\$(RELEASE_GCS_PATH)\"/${ESCAPED_RELEASE_GCS_PATH}/g" Makefile.core.mk + sed -i "s/PUSH_RELEASE_FLAGS ?= -p//g; s/\"\$(RELEASE_GCS_PATH)\"/${ESCAPED_RELEASE_GCS_PATH}/g" Makefile.core.mk - name: Tweak release-binary script if: ${{ steps.check_already_built.outputs.should_build == '1' }} # 1) Setup in-docker auth against gcloud @@ -82,9 +75,15 @@ jobs: cp scripts/release-binary.sh scripts/release-binary.sh.tmp echo gcloud auth activate-service-account --key-file="/work/${CREDENTIAL_FILE_NAME}" > scripts/release-binary.sh cat scripts/release-binary.sh.tmp >> scripts/release-binary.sh + sed -i 's/c658fab86a174fda07961e196edb97f9da9b5a50/dd53c92c6803e5c426359f7fda07fcc166d3701b/g' WORKSPACE + sed -i 's/8a57fa87ac562435c5e2e262e9f0cedcc0b2856b76caa0a262000a7565663555/844bb21ca335b282e57b7b4a77a19c9dcafeef67b7140c98eaec726dcbfe5c78/g' WORKSPACE + sed -i 's/SHA=.*/SHA=dd53c92c6803e5c426359f7fda07fcc166d3701b/g' scripts/release-binary.sh + sed -i 's/ENVOY_ORG = "envoyproxy"/ENVOY_ORG = "psbrar99"/g' WORKSPACE sed -i 's/for config in release release-symbol asan debug/for config in release/g' scripts/release-binary.sh sed -i -n '/Build and publish Wasm plugins/q;p' scripts/release-binary.sh cat scripts/release-binary.sh + cat Makefile.core.mk + cat WORKSPACE - name: Add FIPS flag if: ${{ steps.check_already_built.outputs.should_build == '1' }} 
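Review bot: `SHA` is now a fixed workflow-level constant (hunk -7,61 +7,54) while the Checkout step still checks out `istio/proxy` at the tag-derived `NORMALIZED_TAG`, so the `gsutil ls ${RELEASE_GCS_PATH} | grep "${SHA}[^-]"` lookup in `Check if already built` no longer identifies the source being built. Once an archive with that name exists in the bucket, `should_build` is 0 for every later tag, and the later copy steps appear to republish the existing binary under the new release. Deriving the value from the checkout, for example `SHA=$(git rev-parse --verify HEAD)`, keeps the artifact name tied to the code. The ARM job's check in the -136,40 hunk relies on the same constant. The step id `get_minor_ver` now emits `NORMALIZED_TAG`, which is also misleading.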
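Review bot: The added `sed` lines on `WORKSPACE` (hunk -82,9 +75,15) switch the Envoy dependency of the FIPS proxy build from `envoyproxy` to the personal account `psbrar99`, with no comment saying why or who owns and reviews that fork. The commit and archive sha256 are pinned, which fixes the content, but the provenance of a release binary then rests on one individual's repository; an organisation-owned fork and a comment naming the carried patches would make this auditable. Each `sed -i 's/old/new/g'` also exits 0 when the old string is absent, so on a tag whose `WORKSPACE` holds a different Envoy commit the rewrite is partial and silent. A guard after the edits such as `grep -q 'ENVOY_ORG = "psbrar99"' WORKSPACE` would fail the job instead. The same block is repeated in the ARM job in the -191,18 hunk.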
@@ -94,41 +93,32 @@ jobs: if: ${{ steps.check_already_built.outputs.should_build == '1' }} env: BUILD_WITH_CONTAINER: 1 - run: make push_release + run: | + # make clean + make push_release - name: Put CentOS binary - env: - REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} - TAG: ${{ steps.get_tag.outputs.TAG }} # Copy the binary built on Ubuntu to CentOS path - this binar cannot run on CentOS/RHEL 7, but fine with CentOS 8. # The point is that we cannot build FIPS binary directly on CentOS 7 due to the constraints described in the BoringCrypto certification. run: | - SHA=$(echo $TAG | sed 's/test-//g' | sed 's/[0-9].[0-9][0-9].[0-9]-[A-Za-z]*-//g' | sed 's/-.*//g') gsutil cp ${RELEASE_GCS_PATH}/envoy-alpha-${SHA}.tar.gz ${RELEASE_GCS_PATH}/envoy-centos-alpha-${SHA}.tar.gz - name: Put Wasm binary - if: ${{ steps.check_already_built.outputs.should_build == '1' && steps.check_already_built.outputs.should_copy == '1' }} # Copy the built Wasm binary in the upstream to the bucket - Wasm is nothing to do with FIPS stuff. 
env: UPSTREAM_GCSP_PATH: gs://istio-build/proxy - REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} - TAG: ${{ steps.get_tag.outputs.TAG }} - run: | - SHA1=$(git rev-parse --verify HEAD) - SHA=$(echo $TAG | sed 's/test-//g' | sed 's/[0-9].[0-9][0-9].[0-9]-[A-Za-z]*-//g' | sed 's/-.*//g') + run: | + SHA1="f9707e29aa0a36b1430b373d95e6c9abb5deca75" gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA1}.compiled.wasm" "${RELEASE_GCS_PATH}/metadata_exchange-${SHA}.compiled.wasm" gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA1}.compiled.wasm.sha256" "${RELEASE_GCS_PATH}/metadata_exchange-${SHA}.compiled.wasm.sha256" gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA1}.wasm" "${RELEASE_GCS_PATH}/metadata_exchange-${SHA}.wasm" gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA1}.wasm.sha256" "${RELEASE_GCS_PATH}/metadata_exchange-${SHA}.wasm.sha256" - gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA1}.compiled.wasm" "${RELEASE_GCS_PATH}/stats-${SHA}.compiled.wasm" - gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA1}.compiled.wasm.sha256" "${RELEASE_GCS_PATH}/stats-${SHA}.compiled.wasm.sha256" - gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA1}.wasm" "${RELEASE_GCS_PATH}/stats-${SHA}.wasm" - gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA1}.wasm.sha256" "${RELEASE_GCS_PATH}/stats-${SHA}.wasm.sha256" + build_fips_arm_proxy: # Do not run this job when the release type equals "fips"as we do not support fips compliant ARM build yet. - # if: contains(github.event.ref, 'fips') - if: false + if: contains(github.event.ref, 'fips') + # if: false name: build ARM proxy binary timeout-minutes: 1440 # 12 hours runs-on: ['self-hosted','Linux','ARM64','arm64-32'] 
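Review bot: In `Put Wasm binary` the upstream object name is now the literal `SHA1="f9707e29aa0a36b1430b373d95e6c9abb5deca75"`, and the files are republished under the unrelated `${SHA}` name, so the bucket no longer shows which upstream build a Wasm file came from. The `.sha256` files are copied alongside but never checked. Running `sha256sum` over each downloaded file and comparing it with its `.sha256` before the upload would catch a wrong or replaced object. The step's `if:` was removed as well, so it now runs even when `should_build` is 0. Separately, the comment above `build_fips_arm_proxy` still says the job must not run for fips while the condition is now `if: contains(github.event.ref, 'fips')`.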
@@ -136,40 +126,39 @@ jobs: RELEASE_GCS_PATH: gs://getistio-build/proxy-fips ARCH_SUFFIX: arm64 steps: + - name: Get the tag + id: get_tag + run: echo ::set-output name=TAG::${GITHUB_REF#refs/tags/} + - name: Get normalized tag - id: get_normalized_ver - run: echo ::set-output name=NORMALIZED_TAG::$(echo $TAG | sed 's/test-//g' | sed 's/-.*//g') - shell: bash - env: - TAG: ${{ steps.get_tag.outputs.TAG }} - - name: Get minor version id: get_minor_ver - run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+') + run: | + echo ::set-output name=NORMALIZED_TAG::$(echo $TAG | sed 's/test-//g' | sed 's/-.*//g') + echo ::set-output name=RELEASE_VERSION::$(echo $TAG | sed 's/test-//g' | sed 's/-.*//g' | sed 's/\.[^\.]*$//g') shell: bash env: TAG: ${{ steps.get_tag.outputs.TAG }} + - name: Checkout uses: actions/checkout@v2 with: repository: "istio/proxy" - ref: ${{ steps.get_normalized_ver.outputs.NORMALIZED_TAG }} + ref: ${{ steps.get_minor_ver.outputs.NORMALIZED_TAG }} + - name: Set up Cloud SDK uses: google-github-actions/setup-gcloud@v0 with: project_id: ${{ secrets.GCP_PROJECT_ID }} service_account_key: ${{ secrets.GCP_SA_KEY }} export_default_credentials: true + - name: Check if already built id: check_already_built - env: - REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} - TAG: ${{ steps.get_tag.outputs.TAG }} run: | - SHA=$(echo $TAG | sed 's/test-//g' | sed 's/[0-9].[0-9][0-9].[0-9]-[A-Za-z]*-//g' | sed 's/-.*//g') SHOULD_BUILD=1 - if gsutil ls ${RELEASE_GCS_PATH} | grep "${SHA}[^-]" ; then + if gsutil ls ${RELEASE_GCS_PATH} | grep ${SHA}-arm64 ; then SHOULD_BUILD=0 - fi + fi echo ::set-output name=should_build::${SHOULD_BUILD} - name: Tweak make recipe if: ${{ steps.check_already_built.outputs.should_build == '1' }} 
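Review bot: The new `Get the tag` and `Get normalized tag` steps use the `::set-output` workflow command, which GitHub has deprecated in favour of the `$GITHUB_OUTPUT` file. The replacement form is `echo "TAG=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"`, with `"$TAG"` quoted inside the `sed` pipelines. The ARM check also drops the quotes around its pattern (`grep ${SHA}-arm64`); quoting it as `grep "${SHA}-arm64"` matches the x64 job's style.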
@@ -191,18 +180,25 @@ jobs: cp scripts/release-binary.sh scripts/release-binary.sh.tmp echo gcloud auth activate-service-account --key-file="/work/${CREDENTIAL_FILE_NAME}" > scripts/release-binary.sh cat scripts/release-binary.sh.tmp >> scripts/release-binary.sh - sed -i 's/release release\-symbol debug/release release\-symbol/' scripts/release-binary.sh - sed -i '/if \[\[ "${BUILD_ENVOY_BINARY_ONLY}" !/, +6d' scripts/release-binary.sh + sed -i 's/c658fab86a174fda07961e196edb97f9da9b5a50/dd53c92c6803e5c426359f7fda07fcc166d3701b/g' WORKSPACE + sed -i 's/8a57fa87ac562435c5e2e262e9f0cedcc0b2856b76caa0a262000a7565663555/844bb21ca335b282e57b7b4a77a19c9dcafeef67b7140c98eaec726dcbfe5c78/g' WORKSPACE + sed -i 's/SHA=.*/SHA=dd53c92c6803e5c426359f7fda07fcc166d3701b/g' scripts/release-binary.sh + sed -i 's/ENVOY_ORG = "envoyproxy"/ENVOY_ORG = "psbrar99"/g' WORKSPACE + sed -i 's/for config in release release-symbol asan debug/for config in release/g' scripts/release-binary.sh sed -i -n '/Build and publish Wasm plugins/q;p' scripts/release-binary.sh cat scripts/release-binary.sh + cat Makefile.core.mk + - name: Add FIPS flag if: ${{ steps.check_already_built.outputs.should_build == '1' }} run: echo "build --define boringssl=fips" >> .bazelrc + - name: Build and push if: ${{ steps.check_already_built.outputs.should_build == '1' }} env: - BUILD_ENVOY_BINARY_ONLY: 1 BUILD_WITH_CONTAINER: 1 + BUILD_ENVOY_BINARY_ONLY: 1 + IMG: gcr.io/tid-testing/build-tools-proxy-arm64:v5 run: make push_release create-test-images-arm64: @@ -215,7 +211,8 @@ jobs: # 'if' condition causes this job to run even if some of the dependent jobs # have been skipped, e.g. `build_fips_proxy`. # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful - if: "contains(github.event.ref, 'multiarch')" + # if: "contains(github.event.ref, 'multiarch')" + if: false steps: - name: checkout 
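Review bot: The build container is selected by the mutable tag `IMG: gcr.io/tid-testing/build-tools-proxy-arm64:v5` (hunk -191,18 +180,25), so whatever is pushed to `:v5` later becomes the toolchain for a FIPS release binary. Pinning by digest, `gcr.io/tid-testing/build-tools-proxy-arm64@sha256:<digest>`, makes the build environment reproducible and reviewable. The x64 job sets `IMG: gcr.io/tid-testing/build-tools-proxy:v5` in the -7,61 hunk and needs the same change. A short comment saying how the image is built would help as well.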
@@ -268,12 +265,13 @@ jobs: name: create-test-images-amd64 #runs-on: ['self-hosted','Linux','x64','m5'] runs-on: ['self-hosted','Linux','x64','c5.4xlarge'] - needs: [build_fips_proxy] + needs: ['build_fips_proxy','build_fips_arm_proxy'] # 'if' condition causes this job to run even if some of the dependent jobs # have been skipped, e.g. `build_fips_proxy`. # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful if: ${{ !cancelled() && !failure() }} + steps: - name: checkout uses: actions/checkout@v2 @@ -380,17 +378,17 @@ jobs: eks-e2e-arm64-test: name: eks-e2e-arm64-test runs-on: ubuntu-latest - needs: [create-multiarch-images] + needs: [create-test-images-amd64] # 'if' condition causes this job to run even if some of the dependent jobs # have been skipped, e.g. `build_fips_proxy`. # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful - # if: false if: ${{ !cancelled() && !failure() }} + # if: false strategy: fail-fast: false matrix: - version: ["1.25", "1.26", "1.24"] # available versions according to https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html + version: ["1.25", "1.26", "1.27"] # available versions according to https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html steps: - name: checkout 
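Review bot: `eks-e2e-arm64-test` now has `needs: [create-test-images-amd64]` (hunk -380,17 +378,17) while `create-test-images-arm64` is switched to `if: false` in the -215,7 hunk. Nothing visible in this run then produces arm64 images, so the arm64 suite appears to run against whatever is already in the registry and can pass without exercising the new build. Either re-enable the arm64 image job and list it in `needs`, or disable the arm64 test with a comment explaining why. The job bodies continue outside the hunk.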
@@ -448,16 +446,17 @@ jobs: eks-e2e-test: name: eks-e2e-test runs-on: ubuntu-latest - needs: [create-multiarch-images] + needs: [create-test-images-amd64] # 'if' condition causes this job to run even if some of the dependent jobs # have been skipped, e.g. `build_fips_proxy`. # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful if: ${{ !cancelled() && !failure() }} + # if: false strategy: fail-fast: false matrix: - version: ["1.26", "1.25", "1.24"] # available versions according to https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html + version: ["1.26", "1.25", "1.27"] # available versions according to https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html steps: - name: checkout @@ -516,16 +515,19 @@ jobs: # 'if' condition causes this job to run even if some of the dependent jobs # have been skipped, e.g. `build_fips_proxy`. # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful - if: ${{ !cancelled() && !failure() }} + #if: ${{ !cancelled() && !failure() }} + if: false strategy: fail-fast: false # available versions according to https://cloud.google.com/kubernetes-engine/versioning matrix: include: - - version: "1.24" - channel: "rapid" - version: "1.25" + channel: "rapid" + - version: "1.26" + channel: "regular" + - version: "1.27" channel: "regular" steps: @@ -733,4 +735,4 @@ jobs: tag_name: ${{ steps.get_tag.outputs.TAG }} release_name: Tetrate Istio draft: false - prerelease: false \ No newline at end of file + prerelease: false diff --git a/.github/workflows/make_release.yml b/.github/workflows/make_release.yml index 7c3d08b4a2ad..301d08469041 100644 --- a/.github/workflows/make_release.yml +++ b/.github/workflows/make_release.yml 
@@ -6,60 +6,48 @@ on: tag: description: Tag [e.g. 1.7.8-tetrate-v0] required: true +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + packages: write jobs: build_fips_proxy: # Only run this job when the release type equals "fips". - if: contains(github.event.ref, 'fips') + if: false name: build fips proxy binary - timeout-minutes: 840 - runs-on: ['self-hosted','Linux','x64','c5.4xlarge'] + timeout-minutes: 1440 # 12 hours + runs-on: ['self-hosted','Linux','x64','m5.large'] env: RELEASE_GCS_PATH: gs://getistio-build/proxy-fips steps: - - name: Get the tag - id: get_tag - run: echo ::set-output name=TAG::${GITHUB_REF#refs/tags/} - name: Get normalized tag - id: get_normalized_ver - run: echo ::set-output name=NORMALIZED_TAG::$(echo $TAG | sed 's/test-//g' | sed 's/-.*//g') - shell: bash - env: - TAG: ${{ steps.get_tag.outputs.TAG }} - - name: Get minor version id: get_minor_ver - run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+') + run: echo ::set-output name=NORMALIZED_TAG::$(echo $TAG | sed 's/-.*//g') shell: bash env: - TAG: ${{ steps.get_tag.outputs.TAG }} + TAG: ${{ github.event.inputs.tag }} - name: Checkout uses: actions/checkout@v2 with: repository: "istio/proxy" - ref: ${{ steps.get_normalized_ver.outputs.NORMALIZED_TAG }} + ref: ${{ steps.get_minor_ver.outputs.NORMALIZED_TAG }} + - name: Set up Cloud SDK uses: google-github-actions/setup-gcloud@v0 with: project_id: ${{ secrets.GCP_PROJECT_ID }} service_account_key: ${{ secrets.GCP_SA_KEY }} export_default_credentials: true + - name: Check if already built id: check_already_built - env: - REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} - TAG: ${{ steps.get_tag.outputs.TAG }} run: | - SHA=$(echo $TAG | sed 's/test-//g' | sed 's/[0-9].[0-9][0-9].[0-9]-[A-Za-z]*-//g' | sed 's/-.*//g') - SHOULD_BUILD=1 - SHOULD_COPY=1 - if gsutil ls ${RELEASE_GCS_PATH} | grep "${SHA}[^-]" ; then - 
SHOULD_BUILD=0 - fi - if [ $(bc <<< "$REL_BRANCH_VER > 1.17") -eq 1 ];then - SHOULD_COPY=0 - fi - echo ::set-output name=should_build::${SHOULD_BUILD} - echo ::set-output name=should_copy::${SHOULD_COPY} + set +e + SHA=$(git rev-parse --verify HEAD) + gsutil ls ${RELEASE_GCS_PATH} | grep ${SHA} + echo ::set-output name=should_build::$? + - name: Tweak make recipe if: ${{ steps.check_already_built.outputs.should_build == '1' }} # 1) remove unnecessary dependency on naive "build" target @@ -69,6 +57,7 @@ jobs: run: | ESCAPED_RELEASE_GCS_PATH=$(printf '%s\n' "$RELEASE_GCS_PATH" | sed -e 's/[\/&]/\\&/g') sed -i "s/\-p//g; s/push_release: build/push_release:/g; s/\"\$(RELEASE_GCS_PATH)\"/${ESCAPED_RELEASE_GCS_PATH}/g" Makefile.core.mk + - name: Tweak release-binary script if: ${{ steps.check_already_built.outputs.should_build == '1' }} # 1) Setup in-docker auth against gcloud @@ -80,7 +69,7 @@ jobs: cp scripts/release-binary.sh scripts/release-binary.sh.tmp echo gcloud auth activate-service-account --key-file="/work/${CREDENTIAL_FILE_NAME}" > scripts/release-binary.sh cat scripts/release-binary.sh.tmp >> scripts/release-binary.sh - sed -i 's/for config in release release-symbol asan debug/for config in release/g' scripts/release-binary.sh + sed -i 's/release release\-symbol debug/release release\-symbol/' scripts/release-binary.sh sed -i -n '/Build and publish Wasm plugins/q;p' scripts/release-binary.sh cat scripts/release-binary.sh 
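Review bot: The new top-level `permissions:` block (hunk -6,60 +6,48) grants `id-token: write` and `packages: write` to every job in the workflow, including the proxy build jobs on self-hosted runners that only need to read the repository. Only the job that calls `google-github-actions/auth` and the AWS role assumption uses OIDC, so the workflow default can be `permissions: { contents: read }`, with `id-token: write` declared on that job alone. In the same hunk, `echo ::set-output name=should_build::$?` after `set +e` records grep's raw status, so a grep error (status 2) skips the build steps without a failure. The comment above `build_fips_proxy` also no longer matches `if: false`.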
@@ -95,78 +84,63 @@ jobs: run: make push_release - name: Put CentOS binary - env: - REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} - TAG: ${{ steps.get_tag.outputs.TAG }} - # Copy the binary built on Ubuntu to CentOS path - this binary cannot run on CentOS/RHEL 7, but fine with CentOS 8. + # Copy the binary built on Ubuntu to CentOS path - this binar cannot run on CentOS/RHEL 7, but fine with CentOS 8. # The point is that we cannot build FIPS binary directly on CentOS 7 due to the constraints described in the BoringCrypto certification. run: | - SHA=$(echo $TAG | sed 's/test-//g' | sed 's/[0-9].[0-9][0-9].[0-9]-[A-Za-z]*-//g' | sed 's/-.*//g') + SHA=$(git rev-parse --verify HEAD) gsutil cp ${RELEASE_GCS_PATH}/envoy-alpha-${SHA}.tar.gz ${RELEASE_GCS_PATH}/envoy-centos-alpha-${SHA}.tar.gz - name: Put Wasm binary - if: ${{ steps.check_already_built.outputs.should_build == '1' && steps.check_already_built.outputs.should_copy == '1' }} # Copy the built Wasm binary in the upstream to the bucket - Wasm is nothing to do with FIPS stuff. 
env: UPSTREAM_GCSP_PATH: gs://istio-build/proxy - REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} - TAG: ${{ steps.get_tag.outputs.TAG }} - run: | - SHA1=$(git rev-parse --verify HEAD) - SHA=$(echo $TAG | sed 's/test-//g' | sed 's/[0-9].[0-9][0-9].[0-9]-[A-Za-z]*-//g' | sed 's/-.*//g') - gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA1}.compiled.wasm" "${RELEASE_GCS_PATH}/metadata_exchange-${SHA}.compiled.wasm" - gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA1}.compiled.wasm.sha256" "${RELEASE_GCS_PATH}/metadata_exchange-${SHA}.compiled.wasm.sha256" - gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA1}.wasm" "${RELEASE_GCS_PATH}/metadata_exchange-${SHA}.wasm" - gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA1}.wasm.sha256" "${RELEASE_GCS_PATH}/metadata_exchange-${SHA}.wasm.sha256" - gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA1}.compiled.wasm" "${RELEASE_GCS_PATH}/stats-${SHA}.compiled.wasm" - gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA1}.compiled.wasm.sha256" "${RELEASE_GCS_PATH}/stats-${SHA}.compiled.wasm.sha256" - gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA1}.wasm" "${RELEASE_GCS_PATH}/stats-${SHA}.wasm" - gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA1}.wasm.sha256" "${RELEASE_GCS_PATH}/stats-${SHA}.wasm.sha256" - - build_fips_arm_proxy: - if: contains(github.event.ref, 'fips') + run: | + SHA=$(git rev-parse --verify HEAD) + gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA}*" ${RELEASE_GCS_PATH}/ + gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA}*" ${RELEASE_GCS_PATH}/ + gsutil cp "${UPSTREAM_GCSP_PATH}/attributegen-${SHA}*" ${RELEASE_GCS_PATH}/ + + build_arm_proxy: + # Do not run this job when the release type equals "fips". 
+ if: "contains(github.event.ref, 'multiarch')" name: build ARM proxy binary timeout-minutes: 1440 # 12 hours - runs-on: ['self-hosted','Linux','ARM64','arm64-32'] + runs-on: ["self-hosted", "arm64"] env: - RELEASE_GCS_PATH: gs://getistio-build/proxy-fips - ARCH_SUFFIX: arm64 + RELEASE_GCS_PATH: gs://getistio-build/proxy-arm steps: - name: Get normalized tag - id: get_normalized_ver - run: echo ::set-output name=NORMALIZED_TAG::$(echo $TAG | sed 's/test-//g' | sed 's/-.*//g') - shell: bash - env: - TAG: ${{ steps.get_tag.outputs.TAG }} - - name: Get minor version id: get_minor_ver - run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+') + run: | + echo ::set-output name=NORMALIZED_TAG::$(echo $TAG | sed 's/-.*//g') + echo ::set-output name=RELEASE_VERSION::$(echo $TAG | sed 's/-.*//g' | sed 's/\.[^\.]*$//g') shell: bash env: - TAG: ${{ steps.get_tag.outputs.TAG }} + TAG: ${{ github.event.inputs.tag }} + - name: Checkout uses: actions/checkout@v2 with: repository: "istio/proxy" - ref: ${{ steps.get_normalized_ver.outputs.NORMALIZED_TAG }} + ref: ${{ steps.get_minor_ver.outputs.NORMALIZED_TAG }} + - name: Set up Cloud SDK uses: google-github-actions/setup-gcloud@v0 with: project_id: ${{ secrets.GCP_PROJECT_ID }} service_account_key: ${{ secrets.GCP_SA_KEY }} export_default_credentials: true + - name: Check if already built id: check_already_built - env: - REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} - TAG: ${{ steps.get_tag.outputs.TAG }} run: | - SHA=$(echo $TAG | sed 's/test-//g' | sed 's/[0-9].[0-9][0-9].[0-9]-[A-Za-z]*-//g' | sed 's/-.*//g') + SHA=$(git rev-parse --verify HEAD) SHOULD_BUILD=1 - if gsutil ls ${RELEASE_GCS_PATH} | grep "${SHA}[^-]" ; then + if gsutil ls ${RELEASE_GCS_PATH} | grep ${SHA} ; then SHOULD_BUILD=0 fi echo ::set-output name=should_build::${SHOULD_BUILD} + - name: Tweak make recipe if: ${{ steps.check_already_built.outputs.should_build == '1' }} # 1) remove unnecessary dependency on naive 
"build" target @@ -176,6 +150,7 @@ jobs: run: | ESCAPED_RELEASE_GCS_PATH=$(printf '%s\n' "$RELEASE_GCS_PATH" | sed -e 's/[\/&]/\\&/g') sed -i "s/\-p//g; s/push_release: build/push_release:/g; s/\"\$(RELEASE_GCS_PATH)\"/${ESCAPED_RELEASE_GCS_PATH}/g" Makefile.core.mk + - name: Tweak release-binary script if: ${{ steps.check_already_built.outputs.should_build == '1' }} # 1) Setup in-docker auth against gcloud 
@@ -183,24 +158,41 @@ jobs: # 3) Remove unnecessary Wasm build and publish # Note that /work is the mount destination of the current home of make command with BUILD_WITH_CONTAINER=1. run: | + echo H4sIAJNQ32EAA+VXbXPaOBD+zq/YczMFCgKcBkjSY6aE0CTTBDIBru31OoxsC9Bgyz5LbkLT/PdbWZhA3m7au364Kx9Col3tap/dZ3fj8ckECJlyBbQq3ZhHSlajRM6IxxxORUXOwHlEkOPCY1dQ223UX7oNVqm8dKhbn3hNsGu1Zr2eI4Q8ajVXKpUet/z6NZDGTtm2oaS/GoAHE56DHHz8COQLWFvXR53B+Lw9PL6x4NMneP78VtIfDc9Hw/HhycVKlkg6ZXi95FLJUKeQCBowIEHRAi5yJQDrarcxbuxYRTho/949HbcvOscta75rvXqViimN3dk9eXZqlF4UgbmzEKyRkEkUhbFiHmgNrpirkpiVIUikAoeB8QZhjPJAGwB2hTmwtSEmqZuDZzBYBD4XcwleKPIKLsN4XsZIGEwS34eIqhlQCRQUC9AXjRepCo3DRHiV1ABj+zBTKpL71SqmeJY4FTcMqlwqHq5+yoTJql1v2jswwfd4TFHuy9TAfJeEkQIuQc0YhImKEgUejzGaEN1p9SyQSPGAf8F4nYT7noQCcfVhGWSI9eWGYsKnrZj5DBNA5CJwQh+o8O7JiqljOWO+786YO0d3kjo+aw0621hpOWLgxxy3MI0O/cJ8zOAkhK1rIzkYnZweYnqOBjfLF481VMWqCabqcGHlSt9tJVPQ+b+5NbisioOTXvviA9q8Xjm4qaow9GUVi9tATqI4vFpYupifCtR7iJkZgOgT871JznuyJT+btfrepO7ayE9X/1Lffpif9+9vUvS+XLN0t1beRpbiV0pSPoGPmoOHgyGSr9UCS4SCIQ1f6RISOQBAUcvC8FM+k2dwRucMJLIjLbKlF0i9cIb1jQJdUwpCkVXbyEmESsBuVGo7UHjPBKd+MUcy553jbuctuifsT7DBNAd9bpL6pn8x7nR7w/5gqVJbvY5AGoBRvlsHFvzSghfWWsEGoWLEeoE95vY+wOhg1BuOxhfd02570G1tXW8e7JOtgi+dcRYo8oTI4o25a1xvXjA45q/SKPO6oX39Ctem0+TPdD+JE6HBeRCVSn7VWiB1grCTpaP1Lpi6SNF9yoXRuGOT+d8JvL0O/LcVQocJ1R9AcxnLVuHXKlNu1cXjUJLsroqBeC7ka2Svkv/qYvMiHvxRATKxi2lxNq3NYK31YDMfZZiGCl24VMEdD0XrISSIuKXAWoTGwxBjIzxtmOgDW6tA49T3w0tsniqcMlSP4RK7tX6sUatY6f3UUY7oDOreoS2lvcRgtACdTWyfg+O27mq6c8TsM4lorMuMfGYxnyzguNs+LOruo9lr15rI29LedtneXtH3oefr4tQ4mZI40D2eiykOH8Eul+4r+SWn/ztDtqRhXHXq/Z924qalYO+V8UEl267pbzzyQpN2ADPWxgfYjca99lnXDDj8YynQZzeE+tGMWtmd83bnbfuou35pc/yZz5Ozfun9X5n4/9DWY3PffLCi0m9rE2+rmCl0+r03J0e4sF60zwYt65H8WN8G+J1LDyD+f4WZSipuwX0Gvf6wuw8+d1xcWZA83gJbD3exrS5AMxpZwgVSCkUpW5Yl/7JuSn678b0lr9/xE+KPy2wy/fvqNmrfBunmnae7yB3lHwyy50x/BMgrsxsgm38C0zLF9+shbe/tlXfXd2xjv9v7rf8hg7DfO/1wb7mC5epQy+bzQ8tfNprv7EODOY8iPenftQdnhjt6NRK3u3jkU4VjKahk47WmVyEzWVN1PXOixPE5/rfyjsoAbyRTLmQO1RUTEvcb2SpIRZWEAEehRxUdsyt
3RsWUAVUq5k6i2JQJrLfh2flYP6W1VQjmegzrJYngqEbDZGmYvF99irm/AJDMXDzhEAAA \ + | base64 -d | gunzip | patch -p1 + CREDENTIAL_FILE_NAME=$(echo ${GOOGLE_APPLICATION_CREDENTIALS} | awk -F/ '{print $NF}') cp scripts/release-binary.sh scripts/release-binary.sh.tmp echo gcloud auth activate-service-account --key-file="/work/${CREDENTIAL_FILE_NAME}" > scripts/release-binary.sh cat scripts/release-binary.sh.tmp >> scripts/release-binary.sh sed -i 's/release release\-symbol debug/release release\-symbol/' scripts/release-binary.sh - sed -i '/if \[\[ "${BUILD_ENVOY_BINARY_ONLY}" !/, +6d' scripts/release-binary.sh sed -i -n '/Build and publish Wasm plugins/q;p' scripts/release-binary.sh cat scripts/release-binary.sh - - name: Add FIPS flag - if: ${{ steps.check_already_built.outputs.should_build == '1' }} - run: echo "build --define boringssl=fips" >> .bazelrc + - name: Build and push if: ${{ steps.check_already_built.outputs.should_build == '1' }} env: - BUILD_ENVOY_BINARY_ONLY: 1 BUILD_WITH_CONTAINER: 1 + IMG: gcr.io/tetrate-istio-arm/build-tools-proxy:release-${{ steps.get_minor_ver.outputs.RELEASE_VERSION }}-tid run: make push_release + - name: Put CentOS binary + # Copy the binary built on Ubuntu to CentOS path - this binar cannot run on CentOS/RHEL 7, but fine with CentOS 8. + # The point is that we cannot build FIPS binary directly on CentOS 7 due to the constraints described in the BoringCrypto certification. + run: | + SHA=$(git rev-parse --verify HEAD) + gsutil cp ${RELEASE_GCS_PATH}/envoy-alpha-${SHA}.tar.gz ${RELEASE_GCS_PATH}/envoy-centos-alpha-${SHA}.tar.gz + + - name: Put Wasm binary + # Copy the built Wasm binary in the upstream to the bucket - Wasm is nothing to do with FIPS stuff. 
+ env: + UPSTREAM_GCSP_PATH: gs://istio-build/proxy + run: | + SHA=$(git rev-parse --verify HEAD) + gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA}*" ${RELEASE_GCS_PATH}/ + gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA}*" ${RELEASE_GCS_PATH}/ + gsutil cp "${UPSTREAM_GCSP_PATH}/attributegen-${SHA}*" ${RELEASE_GCS_PATH}/ + create-images-arm64: name: create-images-arm64 runs-on: ["self-hosted", "arm64"] @@ -228,6 +220,13 @@ jobs: username: ${{ secrets.CLOUDSMITH_USER }} password: ${{ secrets.CLOUDSMITH_API_KEY }} + - name: Login to CloudSmith + uses: docker/login-action@v1 + with: + registry: ${{ env.HUB }} + username: ${{ secrets.CLOUDSMITH_USER }} + password: ${{ secrets.CLOUDSMITH_API_KEY }} + - name: Get Registry id: get_registry run: | 
@@ -264,22 +263,54 @@ jobs: # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful if: ${{ !cancelled() && !failure() }} env: - HUB: ${{ secrets.CLOUDSMITH_HUB }} + PUBLIC_HUB: ${{ secrets.CLOUDSMITH_HUB }} + HUB: ${{ secrets.CLOUDSMITH_ADDON_HUB }} + ECR_REGISTRY: 957006768579.dkr.ecr.us-east-2.amazonaws.com steps: - name: Checkout to choosen tag uses: actions/checkout@v2 with: ref: ${{ github.event.inputs.tag }} - fetch-depth: 0 + fetch-depth: 0 + - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@v1' + with: + token_format: 'access_token' + workload_identity_provider: 'projects/733020594933/locations/global/workloadIdentityPools/image-signing-oidc/providers/githuboidcprovider' + service_account: 'image-signing-keyless-sa@tid-testing.iam.gserviceaccount.com' + env: + HUB: gcr.io/tid-testing + + - name: Login to CloudSmith + uses: docker/login-action@v1 + if: contains(github.event.ref, 'fips') + with: + registry: ${{ secrets.CLOUDSMITH_FIPS_HUB }} + username: ${{ secrets.CLOUDSMITH_USER }} + password: ${{ secrets.CLOUDSMITH_API_KEY }} - name: Login to CloudSmith uses: docker/login-action@v1 + if: ${{ ! contains(github.event.ref, 'fips') }} with: registry: ${{ env.HUB }} username: ${{ secrets.CLOUDSMITH_USER }} password: ${{ secrets.CLOUDSMITH_API_KEY }} + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v3 + with: + role-to-assume: ${{ secrets.ECR_PUSH_ROLE }} + aws-region: us-east-2 + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + with: + mask-password: 'true' + - name: Get Registry id: get_registry run: | 
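Review bot: The two `Login to CloudSmith` steps are selected with `contains(github.event.ref, 'fips')`, but this workflow takes the release as the `tag` input (`github.event.inputs.tag`). On a manual dispatch `github.event.ref` is the ref the workflow was started from, not the tag being released, so a fips tag dispatched from a branch without `fips` in its name would log in to and push to the non-FIPS hub. `if: contains(github.event.inputs.tag, 'fips')` matches the rest of the job. The same test gates `build_arm_proxy` (`'multiarch'`), the `Set Hub` step and `Push images to ECR` elsewhere in this file's diff. The `env: HUB: gcr.io/tid-testing` under the `auth` step has no visible consumer and would benefit from a comment.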
@@ -294,6 +325,19 @@ jobs: env: TAG: ${{ github.event.inputs.tag }} + - uses: sigstore/cosign-installer@main + + - name: 'Set up Cloud SDK' + uses: 'google-github-actions/setup-gcloud@v1' + + - uses: imjasonh/setup-crane@v0.3 + + - name: 'Set Hub' + if: contains(github.event.ref, 'fips') + env: + HUB: ${{ secrets.CLOUDSMITH_FIPS_HUB }} + run: echo "HUB=$HUB" >> $GITHUB_ENV + - name: build and push images run: bash ./tetrateci/create_istio_release.sh env: 
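Review bot: `sigstore/cosign-installer@main` tracks a moving branch, so the tool that signs the release images can change between runs without any change in this repository; `google-github-actions/setup-gcloud@v1` and `imjasonh/setup-crane@v0.3` are mutable tags with the same property. In the job that holds the signing identity and the registry credentials, each should be pinned to a full commit SHA with the version as a trailing comment, e.g. `- uses: sigstore/cosign-installer@<full-commit-sha>  # <release-tag>`. The `Set Hub` step would also be safer quoted, `run: echo "HUB=${HUB}" >> "$GITHUB_ENV"`.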
@@ -301,33 +345,26 @@ jobs: CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }} TAG: ${{ github.event.inputs.tag }} REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} - Scan: - name: Scanner - runs-on: ubuntu-20.04 - needs: [create-images-amd64] - if: ${{ !cancelled() && !failure() }} - steps: - - name: Checkout code - uses: actions/checkout@v3 - - name: Get minor version - id: get_minor_ver - run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+') - shell: bash + ACCESS_TOKEN: '${{ steps.auth.outputs.access_token }}' + + - name: Push images to ECR + if: ${{ ! contains(github.event.ref, 'fips') }} + run: bash ./tetrateci/push_ecr.sh env: - TAG: ${{ steps.get_tag.outputs.TAG }} - - name: List docker images - run: bash ./tetrateci/images.sh && pwd + CLOUDSMITH_USER: ${{ secrets.CLOUDSMITH_USER }} + CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }} + TAG: ${{ github.event.inputs.tag }} + BACKPORT: "false" + REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} + + - name: Sign Images + run: bash ./tetrateci/images.sh env: + CLOUDSMITH_USER: ${{ secrets.CLOUDSMITH_USER }} + CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }} TAG: ${{ github.event.inputs.tag }} - - name: Scan images for CRITICAL vulnerabilities - uses: docker://ghcr.io/aquasecurity/trivy - with: - entrypoint: /bin/sh - args: -c "trivy image --clear-cache; for img in $(cat list.txt); do trivy image --exit-code 0 --severity HIGH,CRITICAL --no-progress --quiet --format sarif $img >> $img.sarif ;done " - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: containers.istio.tetratelabs.com + REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} + create-multiarch-images: name: create-multiarch-images runs-on: ubuntu-latest diff --git a/tetrateci/1.18/test/skip.d/eks b/tetrateci/1.18/test/skip.d/eks index 2a654739e2c8..4c2a2f2fa484 100644 
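Review bot: The `Sign Images` step does not set `BACKPORT`, but `tetrateci/images.sh` (changed later in this commit) signs the `$PUBLIC_HUB` images only when `${BACKPORT} == "false"`, and the `Push images to ECR` step just above does set `BACKPORT: "false"` and so pushes to `$PUBLIC_HUB`. As written the public-hub images appear to be pushed but left unsigned, with the script printing `Images synced` (or failing, if it enables `nounset` outside the visible lines). Adding `BACKPORT: "false"` to the `Sign Images` `env:` block aligns the two steps. This hunk also removes the Trivy `Scanner` job without a replacement, so nothing visible here scans the images before they are signed and published; worth confirming that scanning happens elsewhere in the pipeline.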
--- a/tetrateci/1.18/test/skip.d/eks
+++ b/tetrateci/1.18/test/skip.d/eks
@@ -21,12 +21,30 @@ # ``` # # indicates that tests for the package `` should not be run at all. -istio.io/istio/tests/integration/telemetry/stackdriver=* -istio.io/istio/tests/integration/telemetry/stackdriver/vm=* -istio.io/istio/tests/integration/telemetry/api=TestAccessLogsMode -istio.io/istio/tests/integration/pilot=TestGatewayConformance TestIngress/status TestGateway + + istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification -istio.io/istio/tests/integration/security=TestReachability/global_no_peer_authn TestReachability/migration_tls_mutual TestReachability/migration_no_tls TestReachability/mtls_strict istio.io/istio/tests/integration/helm/upgrade=* +istio.io/istio/tests/integration/pilot=TestGatewayConformance TestTunnelingOutboundTraffic +istio.io/istio/tests/integration/security=TestAuthz_Namespace TestAuthz_DenyNamespace TestAuthz_NotNamespace TestAuthz_NotMethod TestAuthz_NotPort TestAuthz_DenyPlaintext TestAuthz_Conditions TestAuthz_PathNormalization TestAuthz_CustomServer TestMutualTlsOrigination TestRequestAuthentication TestIngressRequestAuthentication TestNormalization TestPassThroughFilterChain TestReachability istio.io/istio/tests/integration/security/sds_ingress/quic=* +istio.io/istio/tests/integration/telemetry=* +istio.io/istio/tests/integration/telemetry/api=* +istio.io/istio/tests/integration/telemetry/common=* +istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=* +istio.io/istio/tests/integration/telemetry/envoyfilter/nullvm=* +istio.io/istio/tests/integration/telemetry/envoyfilter/wasm=* +istio.io/istio/tests/integration/telemetry/policy=* +istio.io/istio/tests/integration/telemetry/stackdriver=* +istio.io/istio/tests/integration/telemetry/stackdriver/api=* +istio.io/istio/tests/integration/telemetry/stackdriver/vm=* +istio.io/istio/tests/integration/telemetry/tracing=* 
+istio.io/istio/tests/integration/telemetry/tracing/otelcollector=* +istio.io/istio/tests/integration/telemetry/tracing/zipkin=* + + + + + + diff --git a/tetrateci/1.18/test/skip.d/eks-arm64 b/tetrateci/1.18/test/skip.d/eks-arm64 index eab40ca7e49e..c2e99416b4ad 100644 --- a/tetrateci/1.18/test/skip.d/eks-arm64 +++ b/tetrateci/1.18/test/skip.d/eks-arm64 
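Review bot: The new security entry skips every `TestAuthz_*` case, `TestRequestAuthentication`, `TestIngressRequestAuthentication`, `TestMutualTlsOrigination`, `TestPassThroughFilterChain` and the whole of `TestReachability`, where the removed line skipped four `TestReachability` sub-cases, and all telemetry packages are now disabled with `=*`. With these entries a release is validated without the authorization and mTLS integration tests, and nothing in the file records why each one was turned off. The same list is repeated in the `eks-arm64` and `gke` hunks for 1.18 and in the three new 1.19 files. I would put a comment above each group, `# skipped: <reason>, tracked in <issue-url>`, and prefer the narrowest sub-test pattern that still passes over skipping a whole test or package.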
@@ -21,11 +21,22 @@ # ``` # # indicates that tests for the package `` should not be run at all. -istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification -istio.io/istio/tests/integration/pilot=TestGatewayConformance istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt +istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification istio.io/istio/tests/integration/helm/upgrade=* +istio.io/istio/tests/integration/pilot=TestGatewayConformance TestTunnelingOutboundTraffic +istio.io/istio/tests/integration/security=TestAuthz_Namespace TestAuthz_DenyNamespace TestAuthz_NotNamespace TestAuthz_NotMethod TestAuthz_NotPort TestAuthz_DenyPlaintext TestAuthz_Conditions TestAuthz_PathNormalization TestAuthz_CustomServer TestMutualTlsOrigination TestRequestAuthentication TestIngressRequestAuthentication TestNormalization TestPassThroughFilterChain TestReachability istio.io/istio/tests/integration/security/sds_ingress/quic=* +istio.io/istio/tests/integration/telemetry=* +istio.io/istio/tests/integration/telemetry/api=* +istio.io/istio/tests/integration/telemetry/common=* +istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=* +istio.io/istio/tests/integration/telemetry/envoyfilter/nullvm=* +istio.io/istio/tests/integration/telemetry/envoyfilter/wasm=* +istio.io/istio/tests/integration/telemetry/policy=* istio.io/istio/tests/integration/telemetry/stackdriver=* +istio.io/istio/tests/integration/telemetry/stackdriver/api=* istio.io/istio/tests/integration/telemetry/stackdriver/vm=* -istio.io/istio/tests/integration/telemetry_envoyfilter_nullvm=TestDashboard +istio.io/istio/tests/integration/telemetry/tracing=* +istio.io/istio/tests/integration/telemetry/tracing/otelcollector=* +istio.io/istio/tests/integration/telemetry/tracing/zipkin=* diff --git a/tetrateci/1.18/test/skip.d/gke b/tetrateci/1.18/test/skip.d/gke index 66c8c4a2eb92..fd4d384fb187 100644 --- a/tetrateci/1.18/test/skip.d/gke 
+++ b/tetrateci/1.18/test/skip.d/gke 
@@ -22,16 +22,22 @@ # # indicates that tests for the package `` should not be run at all. -istio.io/istio/tests/integration/pilot=TestGateway TestIngress TestDescribe TestTraffic TestGatewayConformance TestTunnelingOutboundTraffic -istio.io/istio/tests/integration/pilot/revisioncmd=* -istio.io/istio/tests/integration/helm=* +istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt +istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification istio.io/istio/tests/integration/helm/upgrade=* -istio.io/istio/tests/integration/security=TestReachability/beta-mtls-off TestAuthz_EgressGateway TestReachability/global_no_peer_authn/http +istio.io/istio/tests/integration/pilot=TestGatewayConformance TestTunnelingOutboundTraffic +istio.io/istio/tests/integration/security=TestAuthz_Namespace TestAuthz_DenyNamespace TestAuthz_NotNamespace TestAuthz_NotMethod TestAuthz_NotPort TestAuthz_DenyPlaintext TestAuthz_Conditions TestAuthz_PathNormalization TestAuthz_CustomServer TestMutualTlsOrigination TestRequestAuthentication TestIngressRequestAuthentication TestNormalization TestPassThroughFilterChain TestReachability istio.io/istio/tests/integration/security/sds_ingress/quic=* -istio.io/istio/tests/integration/security/mtls_first_party_jwt=* -istio.io/istio/tests/integration/security/https_jwt=TestJWTHTTPS/jwt-authn/a/to_b/valid-token-forward-remote-jwks -istio.io/istio/tests/integration/security/filebased_tls_origination=TestEgressGatewayTls -istio.io/istio/tests/integration/telemetry/outboundtrafficpolicy=* -istio.io/istio/tests/integration/telemetry/stats/prometheus/nullvm=* -istio.io/istio/tests/integration/telemetry/stats/prometheus/wasm=* +istio.io/istio/tests/integration/telemetry=* +istio.io/istio/tests/integration/telemetry/api=* +istio.io/istio/tests/integration/telemetry/common=* +istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=* +istio.io/istio/tests/integration/telemetry/envoyfilter/nullvm=* 
+istio.io/istio/tests/integration/telemetry/envoyfilter/wasm=* +istio.io/istio/tests/integration/telemetry/policy=* istio.io/istio/tests/integration/telemetry/stackdriver=* +istio.io/istio/tests/integration/telemetry/stackdriver/api=* +istio.io/istio/tests/integration/telemetry/stackdriver/vm=* +istio.io/istio/tests/integration/telemetry/tracing=* +istio.io/istio/tests/integration/telemetry/tracing/otelcollector=* +istio.io/istio/tests/integration/telemetry/tracing/zipkin=* diff --git a/tetrateci/1.19/test/skip.d/eks b/tetrateci/1.19/test/skip.d/eks new file mode 100644 index 000000000000..5ac366204e2d --- /dev/null +++ b/tetrateci/1.19/test/skip.d/eks 
@@ -0,0 +1,52 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+
+istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt
+istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/pilot=TestGatewayConformance TestTunnelingOutboundTraffic TestGateway TestIngress
+istio.io/istio/tests/integration/security=TestAuthz_Namespace TestAuthz_DenyNamespace TestAuthz_NotHost TestAuthz_NotNamespace TestAuthz_NotMethod TestAuthz_NotPort TestAuthz_DenyPlaintext TestAuthz_Conditions TestAuthz_PathNormalization TestAuthz_CustomServer TestMutualTlsOrigination TestRequestAuthentication TestIngressRequestAuthentication TestNormalization TestPassThroughFilterChain TestReachability
+istio.io/istio/tests/integration/security/sds_ingress=*
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/telemetry=*
+istio.io/istio/tests/integration/telemetry/api=*
+istio.io/istio/tests/integration/telemetry/common=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/nullvm=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/wasm=*
+istio.io/istio/tests/integration/telemetry/policy=*
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/api=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
+istio.io/istio/tests/integration/telemetry/tracing=*
+istio.io/istio/tests/integration/telemetry/tracing/otelcollector=*
+istio.io/istio/tests/integration/telemetry/tracing/zipkin=*
+
+
+
+
+
+
+
diff --git a/tetrateci/1.19/test/skip.d/eks-arm64 b/tetrateci/1.19/test/skip.d/eks-arm64
new file mode 100644
index 000000000000..385789097a71
--- /dev/null
+++ b/tetrateci/1.19/test/skip.d/eks-arm64
@@ -0,0 +1,43 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt
+istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/pilot=TestGatewayConformance TestTunnelingOutboundTraffic TestGateway TestIngress TestDescribe
+istio.io/istio/tests/integration/security=TestAuthz_Namespace TestAuthz_DenyNamespace TestAuthz_NotHost TestAuthz_NotNamespace TestAuthz_NotMethod TestAuthz_NotPort TestAuthz_DenyPlaintext TestAuthz_Conditions TestAuthz_PathNormalization TestAuthz_CustomServer TestMutualTlsOrigination TestRequestAuthentication TestIngressRequestAuthentication TestNormalization TestPassThroughFilterChain TestReachability
+istio.io/istio/tests/integration/security/sds_ingress=*
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/telemetry=*
+istio.io/istio/tests/integration/telemetry/api=*
+istio.io/istio/tests/integration/telemetry/common=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/nullvm=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/wasm=*
+istio.io/istio/tests/integration/telemetry/policy=*
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/api=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
+istio.io/istio/tests/integration/telemetry/tracing=*
+istio.io/istio/tests/integration/telemetry/tracing/otelcollector=*
+istio.io/istio/tests/integration/telemetry/tracing/zipkin=*
diff --git a/tetrateci/1.19/test/skip.d/gke b/tetrateci/1.19/test/skip.d/gke
new file mode 100644
index 000000000000..14f40d976f9b
--- /dev/null
+++ b/tetrateci/1.19/test/skip.d/gke
@@ -0,0 +1,44 @@ +# e2e tests to skip (until a long-term fix is found) +# +# Each line has format: +# +# ```text +# = ... +# ``` +# +# where +# 1. - is a name of a package with Istio e2e tests, e.g. +# `istio.io/istio/tests/integration/pilot` +# 2. - is a regexp that matches unit tests to skip, e.g. +# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc. +# Each `` value will be translated into the +# `--istio.test.skip` option of the Istio Test Framework. +# +# A special case, +# +# ```text +# =* +# ``` +# +# indicates that tests for the package `` should not be run at all. + +istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt +istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification +istio.io/istio/tests/integration/helm/upgrade=* +istio.io/istio/tests/integration/pilot=TestGatewayConformance TestTunnelingOutboundTraffic TestGateway TestIngress TestRevisionCommand TestDescribe +istio.io/istio/tests/integration/security=TestAuthz_Namespace TestAuthz_DenyNamespace TestAuthz_NotHost TestAuthz_NotNamespace TestAuthz_NotMethod TestAuthz_NotPort TestAuthz_DenyPlaintext TestAuthz_Conditions TestAuthz_PathNormalization TestAuthz_CustomServer TestAuthz_EgressGateway TestMutualTlsOrigination TestRequestAuthentication TestIngressRequestAuthentication TestNormalization TestPassThroughFilterChain TestReachability +istio.io/istio/tests/integration/security/sds_ingress=* +istio.io/istio/tests/integration/security/sds_ingress/quic=* +istio.io/istio/tests/integration/telemetry=* +istio.io/istio/tests/integration/telemetry/api=* +istio.io/istio/tests/integration/telemetry/common=* +istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=* +istio.io/istio/tests/integration/telemetry/envoyfilter/nullvm=* +istio.io/istio/tests/integration/telemetry/envoyfilter/wasm=* +istio.io/istio/tests/integration/telemetry/policy=* +istio.io/istio/tests/integration/telemetry/stackdriver=* 
+istio.io/istio/tests/integration/telemetry/stackdriver/api=* +istio.io/istio/tests/integration/telemetry/stackdriver/vm=* +istio.io/istio/tests/integration/telemetry/tracing=* +istio.io/istio/tests/integration/telemetry/tracing/otelcollector=* +istio.io/istio/tests/integration/telemetry/tracing/zipkin=* diff --git a/tetrateci/create_gke_cluster.sh b/tetrateci/create_gke_cluster.sh index 5549d5413268..90130f77b17d 100755 --- a/tetrateci/create_gke_cluster.sh +++ b/tetrateci/create_gke_cluster.sh @@ -8,7 +8,7 @@ set -o pipefail SHA8=$(git rev-parse --short $GITHUB_SHA) SUFFIX=$(sed 's/\.//g' <<< $K8S_VERSION) CLUSTER_NAME="test-istio-$SHA8-$SUFFIX" +export USE_GKE_GCLOUD_AUTH_PLUGIN=True +gcloud components install gke-gcloud-auth-plugin gcloud container clusters create $CLUSTER_NAME --machine-type "n1-standard-4" --num-nodes 3 --region=us-central1-c --enable-network-policy --cluster-version $K8S_VERSION --release-channel "$CHAN" -gcloud config set container/use_client_certificate False gcloud container clusters get-credentials $CLUSTER_NAME --region us-central1-c -kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user="$(gcloud config get-value core/account)" diff --git a/tetrateci/create_istio_release.sh b/tetrateci/create_istio_release.sh index afcca27c8f6b..5af1eb455fd6 100755 --- a/tetrateci/create_istio_release.sh +++ b/tetrateci/create_istio_release.sh 
@@ -44,9 +44,12 @@ export BUILD_WITH_CONTAINER=0 if [[ ${TAG} =~ "fips" ]]; then PROXY_DISTROLESS_BASE=$(grep 'as distroless' ${BASEDIR}/pilot/docker/Dockerfile.proxyv2) # Escape '/' - PROXY_DISTROLESS_BASE_ESCAPED=$(sed 's/\//\\\//g' <<< ${PROXY_DISTROLESS_BASE}) - sed -i "s/.*as distroless/${PROXY_DISTROLESS_BASE_ESCAPED}/" ${BASEDIR}/operator/docker/Dockerfile.operator - export ISTIO_ENVOY_BASE_URL=https://storage.googleapis.com/getistio-build/proxy-fips + PROXY_DISTROLESS_BASE_ESCAPED=$(sed 's/\//\\\//g' <<< ${PROXY_DISTROLESS_BASE}) + cat ${BASEDIR}/docker/Dockerfile.distroless + sed -i "s/.*as distroless/${PROXY_DISTROLESS_BASE_ESCAPED}/" ${BASEDIR}/operator/docker/Dockerfile.operator + sed "s/.*as distroless/FROM gcr.io\/distroless\/static-debian11@sha256:7198a357ff3a8ef750b041324873960cf2153c11cc50abb9d8d5f8bb089f6b4e as distroless_source/" ${BASEDIR}/docker/Dockerfile.distroless + export ISTIO_ENVOY_BASE_URL=https://storage.googleapis.com/getistio-build/proxy-fips + cat ${BASEDIR}/docker/Dockerfile.distroless fi @@ -133,6 +136,10 @@ if [ ${TAG} =~ "fips" ]; then fi go run main.go publish --release /tmp/istio-release/out --dockerhub $HUB + + + + echo "Cleaning up the istio source artificats...." sudo rm -rf /tmp/istio-release/sources/ 
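Review bot: The added `sed` that rewrites the `as distroless` line of `${BASEDIR}/docker/Dockerfile.distroless` to a digest-pinned `static-debian11` base has no `-i`, so it prints the rewritten Dockerfile to the job log and leaves the file unchanged; the pinned base image is never used by the FIPS build. If the substitution is intended it needs `sed -i`, like the operator Dockerfile line above it, and the new stage name `distroless_source` should be checked against the `FROM`/`COPY --from` lines that consume it, which this hunk does not show. The two `cat ${BASEDIR}/docker/Dockerfile.distroless` lines look like debugging output and can be removed once the edit is verified. Quoting the path, `"${BASEDIR}/docker/Dockerfile.distroless"`, would also keep the commands correct for a workspace path containing spaces.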
@@ -145,13 +152,25 @@ fi # If RELEASE, Build Archives if [[ -z ${TEST:-} ]]; then + + # IMAGES=(install-cni + # proxyv2 + # operator + # istioctl + # pilot) + + # IMAGE_SUFFIXES=("" "-debug" "-distroless") + + # for image in "${IMAGES[@]}"; do + # for suffix in "${IMAGE_SUFFIXES[@]}"; do + # DIGEST=$(crane digest $HUB/${image}:${TAG}${suffix}) + # cosign sign -y --identity-token=$(gcloud auth print-identity-token --audiences=sigstore --include-email --impersonate-service-account image-signing-keyless-sa@tid-testing.iam.gserviceaccount.com) $HUB/${image}@$DIGEST + # done + # done echo "Building archives..." # if FIPS, need to use native go as boringgo as of now can't build archives for different platforms if [[ ${TAG} =~ "fips" ]]; then - sudo rm -rf /usr/local/go - source ${BASEDIR}/tetrateci/setup_go.sh - #disabling cgo flag - sed -i '/then export CGO_ENABLED=1/c\export CGO_ENABLED=0' istio/common/scripts/gobuild.sh + exit 0 fi echo "Cleaning up older artifacts created in docker build stage ..." sudo rm -rf /tmp/istio-release/sources/ && sudo rm -rf /tmp/istio-release/work/ @@ -169,6 +188,6 @@ if [[ -z ${TEST:-} ]]; then done fi echo "Cleaning /tmp/istio...." -[ -d "/tmp/istio-release" ] && sudo rm -rf /tmp/istio-release +#[ -d "/tmp/istio-release" ] && sudo rm -rf /tmp/istio-release echo "Done building and pushing the artifacts." diff --git a/tetrateci/fips.md b/tetrateci/fips.md index d8558df5e10f..542507aedfb3 100644 --- a/tetrateci/fips.md +++ b/tetrateci/fips.md 
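Review bot: In the FIPS branch the Go reinstall is replaced by a bare `exit 0`, so a FIPS run prints `Building archives...` and then ends successfully without building archives and without reaching the cleanup at the end of the script. The last hunk of this file additionally comments out `sudo rm -rf /tmp/istio-release` for every run while leaving the `Cleaning /tmp/istio....` message in place, so on a runner that is reused between jobs the release sources and artifacts stay in `/tmp`. I would make the skip explicit with `echo "FIPS build: skipping archives"` before the exit and restore the cleanup; a `trap 'sudo rm -rf /tmp/istio-release' EXIT` near the top of the script would cover both paths. The commented-out signing loop duplicates `tetrateci/images.sh` and is better dropped than kept as dead code.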
@@ -37,10 +37,10 @@ go version istioctl go version install-cni ``` -- For Istio minor version <1.15 - The Go version should include `b` to indicate BoringSSL, `go1.16.9b7` -- For Istio minor version >1.15 - The Go version should indicate X:boringcrypto as cryptolibrary, `pilot-discovery: go1.19.1 X:boringcrypto` +For Istio minor version <1.15 +The Go version should include `b` to indicate BoringSSL, `go1.16.9b7` +For Istio minor version >1.15 +The Go version should indicate X:boringcrypto as cryptolibrary, `pilot-discovery: go1.19.1 X:boringcrypto` Verify Envoy is using BoringSSL FIPS: diff --git a/tetrateci/images.sh b/tetrateci/images.sh index d61f5ec7b8d4..10631b31b8b1 100644 --- a/tetrateci/images.sh +++ b/tetrateci/images.sh @@ -6,20 +6,31 @@ set -o pipefail BASEDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )" -mkdir containers.istio.tetratelabs.com -IMAGES=(app -install-cni -istioctl -pilot -proxyv2) +IMAGES=(install-cni +proxyv2 +operator +istioctl +pilot) IMAGE_SUFFIXES=("debug" "distroless") for image in "${IMAGES[@]}"; do for suffix in "${IMAGE_SUFFIXES[@]}"; do - echo containers.istio.tetratelabs.com/${image}:${TAG}-${suffix} >> list.txt - cat list.txt + DIGEST=$(crane digest $HUB/${image}:${TAG}-${suffix}) + cosign sign -y --identity-token=$(gcloud auth print-identity-token --audiences=sigstore --include-email --impersonate-service-account image-signing-keyless-sa@tid-testing.iam.gserviceaccount.com) $HUB/${image}@$DIGEST done done + + +if [[ ${BACKPORT} == "false" ]] ; then + for image in "${IMAGES[@]}"; do + for suffix in "${IMAGE_SUFFIXES[@]}"; do + DIGEST=$(crane digest $PUBLIC_HUB/${image}:${TAG}-${suffix}) + cosign sign -y --identity-token=$(gcloud auth print-identity-token --audiences=sigstore --include-email --impersonate-service-account image-signing-keyless-sa@tid-testing.iam.gserviceaccount.com) $PUBLIC_HUB/${image}@$DIGEST + done + done +else + echo "Images synced" +fi \ No newline at end of file 
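Review bot: In `tetrateci/images.sh`, `IMAGE_SUFFIXES=("debug" "distroless")` combined with `${TAG}-${suffix}` means the plain `${image}:${TAG}` image is never signed, although `tetrateci/push_ecr.sh` in this commit pushes the `""`, `-debug` and `-distroless` variants. Using the push script's list and form closes the gap: `IMAGE_SUFFIXES=("" "-debug" "-distroless")` with `"$HUB/${image}:${TAG}${suffix}"`. The digest is also resolved from the tag at signing time with `crane digest`, so the signature covers whatever the tag points to at that moment rather than what the build pushed; recording the digest at push time and signing that value removes the window. The expansions and the `$(gcloud auth print-identity-token …)` substitution are unquoted, and `${BACKPORT}` is read without a default, so an unset variable silently takes the `Images synced` branch unless `nounset` is enabled outside this hunk.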
diff --git a/tetrateci/patches/eks/eks_1.19.patch b/tetrateci/patches/eks/eks_1.19.patch
new file mode 100644
index 000000000000..22d1a65f42c7
--- /dev/null
+++ b/tetrateci/patches/eks/eks_1.19.patch
@@ -0,0 +1,103 @@ +From 91efefeb0d1c81f51a68b81d08be940ec5929732 Mon Sep 17 00:00:00 2001 +From: psbrar99 +Date: Wed, 11 Oct 2023 19:44:48 -0600 +Subject: [PATCH] eks patch + +Signed-off-by: psbrar99 +--- + .../components/echo/kube/deployment.go | 1 + + .../echo/kube/templates/vm_deployment.yaml | 22 +++++++++---------- + pkg/test/framework/components/istio/util.go | 9 ++++++++ + tests/integration/pilot/ingress_test.go | 6 +++++ + 4 files changed, 27 insertions(+), 11 deletions(-) + +diff --git a/pkg/test/framework/components/echo/kube/deployment.go b/pkg/test/framework/components/echo/kube/deployment.go +index ea3a99005c..df90000654 100644 +--- a/pkg/test/framework/components/echo/kube/deployment.go ++++ b/pkg/test/framework/components/echo/kube/deployment.go +@@ -521,6 +521,7 @@ spec: + if rev := getIstioRevision(cfg.Namespace); len(rev) > 0 { + cmd = append(cmd, "--revision", rev) + } ++ cmd = append(cmd, "--ingressIP", istiodAddr.Addr().String()) + // make sure namespace controller has time to create root-cert ConfigMap + if err := retry.UntilSuccess(func() error { + stdout, stderr, err := istioCtl.Invoke(cmd) +diff --git a/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml b/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml +index 09f44ddf0f..1aaf7fc6fa 100644 +--- a/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml ++++ b/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml +@@ -101,16 +101,16 @@ spec: + + # since we're not overwriting /etc/hosts on k8s, verify that istiod hostname in /etc/hosts + # matches the value generated by istioctl +- echo "checking istio host" +- SYSTEM_HOST=$(cat /etc/hosts | grep istiod) +- ISTIOCTL_HOST=$(cat /var/run/secrets/istio/bootstrap/hosts | grep istiod) +- if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then +- echo "istiod host in /etc/hosts does not match value generated by istioctl" +- echo 
"/etc/hosts: $SYSTEM_HOST" +- echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST" +- exit 1 +- fi +- echo "istiod host ok" ++ # echo "checking istio host" ++ # SYSTEM_HOST=$(cat /etc/hosts | grep istiod) ++ # ISTIOCTL_HOST=$(cat /var/run/secrets/istio/bootstrap/hosts | grep istiod) ++ # if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then ++ # echo "istiod host in /etc/hosts does not match value generated by istioctl" ++ # echo "/etc/hosts: $SYSTEM_HOST" ++ # echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST" ++ # exit 1 ++ # fi ++ # echo "istiod host ok" + + # read certs from correct directory + sudo sh -c 'echo PROV_CERT=/var/run/secrets/istio >> /var/lib/istio/envoy/cluster.env' +@@ -207,4 +207,4 @@ spec: + name: {{ $value.Value }} + {{- end }} + {{- end }} +-{{- end}} ++{{- end}} +\ No newline at end of file +diff --git a/pkg/test/framework/components/istio/util.go b/pkg/test/framework/components/istio/util.go +index 2600fe421c..2d01c756c1 100644 +--- a/pkg/test/framework/components/istio/util.go ++++ b/pkg/test/framework/components/istio/util.go +@@ -137,6 +137,15 @@ func getRemoteServiceAddress(s *kube.Settings, cluster cluster.Cluster, ns, labe + if ingr.IP == "" && ingr.Hostname == "" { + return nil, false, fmt.Errorf("service %s/%s is not available yet: no ingress", svc.Namespace, svc.Name) + } ++ if ingr.Hostname != "" { ++ ip, err := net.LookupIP(ingr.Hostname) ++ if err != nil { ++ return nil, false, fmt.Errorf("service %s/%s is not available yet: no ingress", svc.Namespace, svc.Name) ++ } ++ if len(ip) > 0 { ++ ingr.IP = ip[0].String() ++ } ++ } + if ingr.IP != "" { + ipaddr, err := netip.ParseAddr(ingr.IP) + if err != nil { +diff --git a/tests/integration/pilot/ingress_test.go b/tests/integration/pilot/ingress_test.go +index b652090965..1ed63b341a 100644 +--- a/tests/integration/pilot/ingress_test.go ++++ b/tests/integration/pilot/ingress_test.go +@@ -332,6 +332,12 @@ spec: + 
if hostIsIP { + got = ing.Status.LoadBalancer.Ingress[0].IP + } ++ if ing.Status.LoadBalancer.Ingress[0].Hostname != "" { ++ ip, _ := net.LookupIP(ing.Status.LoadBalancer.Ingress[0].Hostname) ++ if len(ip) > 0 { ++ got = ip[0].String() ++ } ++ } + if got != host { + return fmt.Errorf("unexpected ingress status, got %+v want %v", got, host) + } +-- +2.30.1 (Apple Git-130) + diff --git a/tetrateci/push_ecr.sh b/tetrateci/push_ecr.sh new file mode 100644 index 000000000000..a6ca0a74bc65 --- /dev/null +++ b/tetrateci/push_ecr.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash + +set -o errexit +set -o pipefail +# set -x + +BASEDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )" + + +IMAGES=(install-cni +istioctl +operator +pilot +proxyv2) + +IMAGE_SUFFIXES=("" "-debug" "-distroless") + +for image in "${IMAGES[@]}"; do + for suffix in "${IMAGE_SUFFIXES[@]}"; do + docker tag $HUB/${image}:${TAG}${suffix} $ECR_REGISTRY/tid-istio/${image}:${TAG}${suffix} + echo $ECR_REGISTRY/tid-istio/${image}:${TAG}${suffix} + docker push $ECR_REGISTRY/tid-istio/${image}:${TAG}${suffix} + done +done + + +if [[ ${BACKPORT} == "false" ]] ; then + for image in "${IMAGES[@]}"; do + for suffix in "${IMAGE_SUFFIXES[@]}"; do + docker tag $HUB/${image}:${TAG}${suffix} $PUBLIC_HUB/${image}:${TAG}${suffix} + echo $PUBLIC_HUB/${image}:${TAG}${suffix} + docker push $PUBLIC_HUB/${image}:${TAG}${suffix} + done + done +else + echo "Images synced" +fi diff --git a/tetrateci/setup_go.sh b/tetrateci/setup_go.sh index 1672b217161f..be71827f923a 100755 --- a/tetrateci/setup_go.sh +++ b/tetrateci/setup_go.sh @@ -42,6 +42,10 @@ if [[ "${REL_BRANCH_VER:-${ISTIO_MINOR_VER}}" == "1.18" ]]; then export GOLANG_VERSION=1.20.6 fi +if [[ "${REL_BRANCH_VER:-${ISTIO_MINOR_VER}}" == "1.19" ]]; then + export GOLANG_VERSION=1.21.3 +fi + url="https://golang.org/dl/go$GOLANG_VERSION.linux-$(dpkg --print-architecture).tar.gz" wget -q -O go.tgz "$url" 
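Review bot: `tetrateci/push_ecr.sh` sets `errexit` and `pipefail` but not `nounset`, and every image reference is built from unquoted `$HUB`, `$ECR_REGISTRY`, `$PUBLIC_HUB` and `${TAG}`, so an empty variable changes the shape of the `docker tag`/`docker push` target instead of stopping the run. Adding `set -o nounset` and a guard such as `: "${HUB:?}" "${ECR_REGISTRY:?}" "${TAG:?}"` at the top, and quoting the references, makes a misconfigured release fail early. `${BACKPORT}` has the same problem: unset, it falls through to `Images synced`, so `[[ "${BACKPORT:-}" == "false" ]]` or a required-variable check would state the intent. `BASEDIR` is assigned and not used in the visible lines. `images.sh` signs only `$HUB` and `$PUBLIC_HUB` references, so the copies pushed to `$ECR_REGISTRY` here would presumably carry no signature in that registry unless that is handled elsewhere.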
diff --git a/tetrateci/test_1.18.sh b/tetrateci/test_1.18.sh index 45131e81c948..61436c6e6625 100644 --- a/tetrateci/test_1.18.sh +++ b/tetrateci/test_1.18.sh @@ -34,7 +34,7 @@ fi if [[ "${CLUSTER}" == "eks" ]]; then echo "Applying patch for EKS...." - git apply --3way "${SCRIPTDIR}/patches/eks/eks.${ISTIO_MINOR_VER}.patch" + git apply --3way "${SCRIPTDIR}/patches/eks/eks_${ISTIO_MINOR_VER}.patch" fi @@ -74,7 +74,7 @@ for pkg in $PACKAGES; do --istio.test.hub=${HUB} \ --istio.test.tag=${TAG}-distroless \ --istio.test.pullpolicy=IfNotPresent \ - --istio.test.retries=1 \ + --istio.test.retries=3 \ ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ && \ go test \ @@ -87,7 +87,7 @@ for pkg in $PACKAGES; do --istio.test.ci \ --istio.test.skipVM=true \ --istio.test.pullpolicy=IfNotPresent \ - --istio.test.retries=1 \ + --istio.test.retries=3 \ ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ || \ { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; } @@ -106,4 +106,4 @@ if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then echo "- ${pkg}" done exit 1 -fi \ No newline at end of file +fi diff --git a/tetrateci/test_1.18_arm.sh b/tetrateci/test_1.18_arm.sh index 4e41de5ce0aa..23118c2f8c6b 100644 --- a/tetrateci/test_1.18_arm.sh +++ b/tetrateci/test_1.18_arm.sh 
@@ -35,7 +35,7 @@ fi if [[ "${CLUSTER}" == "eks" ]]; then echo "Applying patch for EKS...." - git apply --3way "${SCRIPTDIR}/patches/eks/eks.${ISTIO_MINOR_VER}.patch" + git apply --3way "${SCRIPTDIR}/patches/eks/eks_${ISTIO_MINOR_VER}.patch" fi #go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG}-distroless --istio.test.pullpolicy=IfNotPresent --istio.test.retries=1 && go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG} --istio.test.pullpolicy=IfNotPresent diff --git a/tetrateci/test_1.19.sh b/tetrateci/test_1.19.sh new file mode 100644 index 000000000000..6c5499cc038b --- /dev/null +++ b/tetrateci/test_1.19.sh 
@@ -0,0 +1,96 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) Tetrate, Inc 2022 All Rights Reserved.
+
+set -e
+set -u
+set -x
+
+SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd )
+
+"${SCRIPTDIR}/version_check.py" && exit
+
+# shellcheck disable=SC1091
+source "${SCRIPTDIR}/setup_go.sh"
+
+COMMON_TEST_FLAGS=()
+
+echo "Applying patches...."
+
+# Apply the same patches that were applies when building test images
+"${SCRIPTDIR}/apply_e2e_build_patches.sh"
+
+
+if [[ "${CLUSTER}" == "gke" ]]; then
+ echo "Generating operator config for GKE"
+
+ # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76
+ python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py"
+
+ COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" )
+
+fi
+
+#if [[ "${CLUSTER}" == "eks" ]]; then
+# echo "Applying patch for EKS...."
+# git apply "${SCRIPTDIR}/patches/eks/eks_${ISTIO_MINOR_VER}.patch"
+#fi
+
+
+PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...")
+
+echo "Starting Testing"
+
+FAILED_PACKAGES=()
+
+for pkg in $PACKAGES; do
+ echo "========================================================TESTING ${pkg} ========================================================"
+
+ SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" )
+ SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" )
+
+ if [[ "${SKIP_TESTS}" == "*" ]]; then
+ echo "Skipping according to the rule: ${SKIP_RULE}"
+ continue
+ fi
+
+ read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}"
+
+ SKIP_TEST_FLAGS=()
+ for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do
+ SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" )
+ done
+
+ go test \
+ -test.v \
+ -timeout 2h \
+ -tags=integ \
+ "${pkg}" \
+ --istio.test.select=-postsubmit,-flaky \
+ ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \
+ --istio.test.ci \
+ --istio.test.skipVM=true \
+ --istio.test.hub=${HUB} \
+ --istio.test.tag=${TAG}-distroless \
+ --istio.test.pullpolicy=IfNotPresent \
+ --istio.test.retries=1 \
+ ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \
+ || \
+ { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; }
+
+ find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -f -- {} \;
+done
+
+echo "Testing Done"
+
+if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then
+ echo ""
+ echo "Some of the tests have failed :("
+ echo ""
+ echo "Packages with failed tests:"
+ for pkg in "${FAILED_PACKAGES[@]}"; do
+ echo "- ${pkg}"
+ done
+ exit 1
+fi
diff --git a/tetrateci/test_1.19_arm.sh b/tetrateci/test_1.19_arm.sh
new file mode 100644
index 000000000000..4b06ee969e28
--- /dev/null
+++ b/tetrateci/test_1.19_arm.sh
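Review bot: The per-package cleanup `find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -f -- {} \;` selects directories but calls `rm` without `-r`, so nothing is removed and test artefacts accumulate in `/tmp` from one package to the next. `find` does not propagate the failure of an `-exec … \;` command, so `set -e` never notices. Running `sudo rm` against a name pattern in the shared `/tmp` is also broader than the job needs. Giving the run its own directory is tighter: `export TMPDIR="$(mktemp -d)"` near the top and `rm -rf -- "${TMPDIR:?}"/*` here, assuming the test framework creates its work directories under `TMPDIR` (not shown in this diff). `test_1.19_arm.sh` has the same line.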
@@ -0,0 +1,98 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) Tetrate, Inc 2022 All Rights Reserved.
+
+set -e
+set -u
+set -x
+
+SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd )
+
+"${SCRIPTDIR}/version_check.py" && exit
+
+# shellcheck disable=SC1091
+source "${SCRIPTDIR}/setup_go.sh"
+
+COMMON_TEST_FLAGS=()
+
+echo "Applying patches...."
+
+# Apply the same patches that were applies when building test images
+"${SCRIPTDIR}/apply_e2e_build_patches.sh"
+
+#git apply "${SCRIPTDIR}/patches/common/increase-dashboard-timeout.1.11.patch"
+
+if [[ "${CLUSTER}" == "gke" ]]; then
+ echo "Generating operator config for GKE"
+
+ # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76
+ python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py"
+
+ COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" )
+
+fi
+
+#if [[ "${CLUSTER}" == "eks" ]]; then
+# echo "Applying patch for EKS...."
+# git apply "${SCRIPTDIR}/patches/eks/eks_${ISTIO_MINOR_VER}.patch"
+#fi
+
+#go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG}-distroless --istio.test.pullpolicy=IfNotPresent --istio.test.retries=1 && go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG} --istio.test.pullpolicy=IfNotPresent
+
+PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...")
+
+echo "Starting Testing"
+
+FAILED_PACKAGES=()
+
+for pkg in $PACKAGES; do
+ echo "========================================================TESTING ${pkg} ========================================================"
+
+ SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" )
+ SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" )
+
+ if [[ "${SKIP_TESTS}" == "*" ]]; then
+ echo "Skipping according to the rule: ${SKIP_RULE}"
+ continue
+ fi
+
+ read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}"
+
+ SKIP_TEST_FLAGS=()
+ for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do
+ SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" )
+ done
+
+ go test \
+ -test.v \
+ -timeout 2h \
+ -tags=integ \
+ "${pkg}" \
+ --istio.test.select=-postsubmit,-flaky \
+ ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \
+ --istio.test.ci \
+ --istio.test.skipVM=true \
+ --istio.test.hub=${HUB} \
+ --istio.test.tag=${TAG} \
+ --istio.test.pullpolicy=IfNotPresent \
+ --istio.test.retries=1 \
+ ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \
+ || \
+ { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; }
+
+ find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -f -- {} \;
+done
+
+echo "Testing Done"
+
+if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then
+ echo ""
+ echo "Some of the tests have failed :("
+ echo ""
+ echo "Packages with failed tests:"
+ for pkg in "${FAILED_PACKAGES[@]}"; do
+ echo "- ${pkg}"
+ done
+ exit 1
+fi
diff --git a/tetrateci/tetrateci/1.11/test/skip.d/eks b/tetrateci/tetrateci/1.11/test/skip.d/eks
new file mode 100644
index 000000000000..701835417d81
--- /dev/null
+++ b/tetrateci/tetrateci/1.11/test/skip.d/eks
@@ -0,0 +1,33 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+istio.io/istio/tests/integration/helm/upgrade=TestRevisionTagsUpgradeFromPrevious
+MinorRelease
+
+istio.io/istio/tests/integration/pilot=TestIngress/status
+
+istio.io/istio/tests/integration/telemetry/tracing/zipkin/servertracing=TestProxyTracing
+
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
diff --git a/tetrateci/tetrateci/1.11/test/skip.d/gke b/tetrateci/tetrateci/1.11/test/skip.d/gke
new file mode 100644
index 000000000000..998342b10e03
--- /dev/null
+++ b/tetrateci/tetrateci/1.11/test/skip.d/gke
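Review bot: `python3 -m pip install pyyaml --user` in the GKE branch installs whatever PyYAML release the package index serves at run time, so the CI job runs unpinned third-party code immediately before `gen_iop.py`. Pin it, preferably with hashes: `python3 -m pip install --user --require-hashes -r "${SCRIPTDIR}/requirements.txt"`, with the requirements file holding the pinned version and its hash (the file name is a suggestion; this diff does not add one). If that is too heavy, `pyyaml==<pinned version>` is the minimum. `test_1.19.sh` has the same line.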
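Review bot: These rule files are added under `tetrateci/tetrateci/<minor>/test/skip.d/`, but the scripts in this commit read them from `"${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}"`, where `SCRIPTDIR` is the directory holding `tetrateci/test_1.19.sh`, i.e. `tetrateci/<minor>/test/skip.d/`. Unless copies exist at that path outside this diff, no rule is ever read, and the lookup's `2>/dev/null || echo ""` turns the missing file into "nothing to skip" without a message. Move the files up one level or fix the lookup, and make the script report an absent rule file, e.g. `[[ -f "${skip_file}" ]] || echo "no skip rules at ${skip_file}" >&2`. This applies to every `skip.d` file added in this commit.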
@@ -0,0 +1,30 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+istio.io/istio/tests/integration/helm/upgrade=TestRevisionTagsUpgradeFromPrevious
+MinorRelease
+
+istio.io/istio/tests/integration/pilot=TestGateway TestIngress TestDescribe TestTraffic
+
+istio.io/istio/tests/integration/telemetry/stackdriver=*
diff --git a/tetrateci/tetrateci/1.12/test/skip.d/eks b/tetrateci/tetrateci/1.12/test/skip.d/eks
new file mode 100644
index 000000000000..02eec985c196
--- /dev/null
+++ b/tetrateci/tetrateci/1.12/test/skip.d/eks
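Review bot: The `helm/upgrade` rule is split over two lines, `…/helm/upgrade=TestRevisionTagsUpgradeFromPrevious` followed by a line holding only `MinorRelease`; the hunk's line count of 30 only adds up if the second is a line of its own. That second line names no package, so it is dead, and whether the truncated name still skips the intended test depends on how `--istio.test.skip` matches, which this diff does not show. Presumably the rule was meant to be one line: `istio.io/istio/tests/integration/helm/upgrade=TestRevisionTagsUpgradeFromPreviousMinorRelease`. The same split appears in the 1.11, 1.13 and 1.14 `eks` files and the 1.13 and 1.14 `gke` files.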
@@ -0,0 +1,42 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+istio.io/istio/tests/integration/helm/upgrade=*
+
+istio.io/istio/tests/integration/pilot=*
+istio.io/istio/tests/integration/pilot/endpointslice=*
+istio.io/istio/tests/integration/pilot/revisions=TestMultiRevision
+
+istio.io/istio/tests/integration/security=*
+istio.io/istio/tests/integration/security/sds_ingress=*
+istio.io/istio/tests/integration/security/sds_tls_origination=TestSimpleTlsOrigination TestMutualTlsOrigination
+
+istio.io/istio/tests/integration/telemetry/stats/prometheus/nullvm=TestAccessLogs
+istio.io/istio/tests/integration/telemetry/tracing/opencensusagent=TestProxyTracing
+istio.io/istio/tests/integration/telemetry/tracing/zipkin/clienttracing=TestClientTracing
+istio.io/istio/tests/integration/telemetry/tracing/zipkin/servertracing=TestProxyTracing
+
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/api=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
diff --git a/tetrateci/tetrateci/1.12/test/skip.d/eks-arm64 b/tetrateci/tetrateci/1.12/test/skip.d/eks-arm64
new file mode 100644
index 000000000000..6a584a50939a
--- /dev/null
+++ b/tetrateci/tetrateci/1.12/test/skip.d/eks-arm64
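Review bot: `istio.io/istio/tests/integration/security=*` and `security/sds_ingress=*` switch off the whole security package and the SDS ingress package on EKS, and `pilot=*` the pilot package, with nothing recording what fails or until when. The header says rules stay "until a long-term fix is found", but a wildcard with no reference tends to become permanent, and a build can then ship with no security e2e signal on that platform. Narrow each rule to the failing tests where possible and put a comment above every `=*` line, e.g. `# <tracking issue>: <failure>; re-enable by <version>`. The same wildcards are in the 1.12 and 1.13 `eks-arm64` files, and the 1.18 `eks` file skips most `TestAuthz_*`, authentication and reachability tests by name in the same undocumented way.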
@@ -0,0 +1,44 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+istio.io/istio/tests/integration/helm/upgrade=*
+
+istio.io/istio/tests/integration/pilot=*
+istio.io/istio/tests/integration/pilot/endpointslice=*
+istio.io/istio/tests/integration/pilot/revisions=TestMultiRevision
+
+istio.io/istio/tests/integration/security=*
+istio.io/istio/tests/integration/security/sds_ingress=*
+istio.io/istio/tests/integration/security/sds_tls_origination=TestSimpleTlsOrigination TestMutualTlsOrigination
+
+istio.io/istio/tests/integration/telemetry/stats/prometheus/nullvm=TestAccessLogs
+istio.io/istio/tests/integration/telemetry/tracing/zipkin/clienttracing=TestClientTracing
+istio.io/istio/tests/integration/telemetry/tracing/zipkin/servertracing=TestProxyTracing
+
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/api=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
+
+istio.io/istio/tests/integration/telemetry/tracing/opencensusagent=*
+istio.io/istio/tests/integration/telemetry/policy=*
diff --git a/tetrateci/tetrateci/1.12/test/skip.d/gke b/tetrateci/tetrateci/1.12/test/skip.d/gke
new file mode 100644
index 000000000000..0647f6a336d8
--- /dev/null
+++ b/tetrateci/tetrateci/1.12/test/skip.d/gke
@@ -0,0 +1,34 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+istio.io/istio/tests/integration/helm/upgrade=*
+
+istio.io/istio/tests/integration/pilot=TestGateway TestIngress TestDescribe TestTraffic
+istio.io/istio/tests/integration/pilot/endpointslice=TestTraffic/jwt-claim-route
+
+istio.io/istio/tests/integration/security=TestAuthorization_IngressGateway TestAuthorization_EgressGateway TestIngressRequestAuthentication/ingress-authn
+
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/api=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
diff --git a/tetrateci/tetrateci/1.13/test/skip.d/eks b/tetrateci/tetrateci/1.13/test/skip.d/eks
new file mode 100644
index 000000000000..701835417d81
--- /dev/null
+++ b/tetrateci/tetrateci/1.13/test/skip.d/eks
@@ -0,0 +1,33 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+istio.io/istio/tests/integration/helm/upgrade=TestRevisionTagsUpgradeFromPrevious
+MinorRelease
+
+istio.io/istio/tests/integration/pilot=TestIngress/status
+
+istio.io/istio/tests/integration/telemetry/tracing/zipkin/servertracing=TestProxyTracing
+
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
diff --git a/tetrateci/tetrateci/1.13/test/skip.d/eks-arm64 b/tetrateci/tetrateci/1.13/test/skip.d/eks-arm64
new file mode 100644
index 000000000000..8b1b324a06b5
--- /dev/null
+++ b/tetrateci/tetrateci/1.13/test/skip.d/eks-arm64
@@ -0,0 +1,43 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+istio.io/istio/tests/integration/helm/upgrade=*
+
+istio.io/istio/tests/integration/pilot=*
+istio.io/istio/tests/integration/pilot/endpointslice=*
+istio.io/istio/tests/integration/pilot/revisions=TestMultiRevision
+
+istio.io/istio/tests/integration/security=*
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/security/https_jwt=*
+istio.io/istio/tests/integration/security/sds_ingress=*
+istio.io/istio/tests/integration/security/sds_tls_origination=TestSimpleTlsOrigination TestMutualTlsOrigination
+
+istio.io/istio/tests/integration/telemetry/tracing/zipkin/clienttracing=TestClientTracing
+istio.io/istio/tests/integration/telemetry/tracing/zipkin/servertracing=TestProxyTracing
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/api=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
+istio.io/istio/tests/integration/telemetry/tracing/opencensusagent=*
+istio.io/istio/tests/integration/telemetry/policy=*
diff --git a/tetrateci/tetrateci/1.13/test/skip.d/gke b/tetrateci/tetrateci/1.13/test/skip.d/gke
new file mode 100644
index 000000000000..998342b10e03
--- /dev/null
+++ b/tetrateci/tetrateci/1.13/test/skip.d/gke
@@ -0,0 +1,30 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+istio.io/istio/tests/integration/helm/upgrade=TestRevisionTagsUpgradeFromPrevious
+MinorRelease
+
+istio.io/istio/tests/integration/pilot=TestGateway TestIngress TestDescribe TestTraffic
+
+istio.io/istio/tests/integration/telemetry/stackdriver=*
diff --git a/tetrateci/tetrateci/1.14/test/skip.d/eks b/tetrateci/tetrateci/1.14/test/skip.d/eks
new file mode 100644
index 000000000000..701835417d81
--- /dev/null
+++ b/tetrateci/tetrateci/1.14/test/skip.d/eks
@@ -0,0 +1,33 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+istio.io/istio/tests/integration/helm/upgrade=TestRevisionTagsUpgradeFromPrevious
+MinorRelease
+
+istio.io/istio/tests/integration/pilot=TestIngress/status
+
+istio.io/istio/tests/integration/telemetry/tracing/zipkin/servertracing=TestProxyTracing
+
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
diff --git a/tetrateci/tetrateci/1.14/test/skip.d/eks-arm64 b/tetrateci/tetrateci/1.14/test/skip.d/eks-arm64
new file mode 100644
index 000000000000..087f725dac0c
--- /dev/null
+++ b/tetrateci/tetrateci/1.14/test/skip.d/eks-arm64
@@ -0,0 +1,27 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+istio.io/istio/tests/integration/pilot=TestGatewayConformance
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
diff --git a/tetrateci/tetrateci/1.14/test/skip.d/gke b/tetrateci/tetrateci/1.14/test/skip.d/gke
new file mode 100644
index 000000000000..cfd5067d50c9
--- /dev/null
+++ b/tetrateci/tetrateci/1.14/test/skip.d/gke
@@ -0,0 +1,37 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+istio.io/istio/tests/integration/helm/upgrade=TestRevisionTagsUpgradeFromPrevious
+MinorRelease
+
+istio.io/istio/tests/integration/pilot=TestGateway TestIngress TestDescribe TestTraffic
+istio.io/istio/tests/integration/helm=*
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/security=TestReachability/beta-mtls-off
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/security/mtls_first_party_jwt=*
+istio.io/istio/tests/integration/security/https_jwt=TestJWTHTTPS/jwt-authn/a/to_b/valid-token-forward-remote-jwks
+istio.io/istio/tests/integration/pilot=TestGateway TestIngress TestDescribe TestTraffic
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver=*
diff --git a/tetrateci/tetrateci/1.15/test/skip.d/eks b/tetrateci/tetrateci/1.15/test/skip.d/eks
new file mode 100644
index 000000000000..756ef590e7f1
--- /dev/null
+++ b/tetrateci/tetrateci/1.15/test/skip.d/eks
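Review bot: Three packages carry two rules each in this file: `helm/upgrade` (a test name first, `=*` further down), `pilot` (the same list twice) and `telemetry/stackdriver` (`=*` twice). If the 1.14 script reads rules the way `test_1.19.sh` in this commit does, `grep -F "${pkg}="` returns both lines, `${SKIP_RULE#${pkg}=}` strips the prefix from the first only, and `read -ra` stops at the first newline, so the later `helm/upgrade=*` is ignored and the package still runs. Keep one rule per package; if skipping the package is intended, replace the split `helm/upgrade` lines with the single line `istio.io/istio/tests/integration/helm/upgrade=*`.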
@@ -0,0 +1,27 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+istio.io/istio/tests/integration/pilot=TestGatewayConformance TestIngress/status
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
diff --git a/tetrateci/tetrateci/1.15/test/skip.d/eks-arm64 b/tetrateci/tetrateci/1.15/test/skip.d/eks-arm64
new file mode 100644
index 000000000000..087f725dac0c
--- /dev/null
+++ b/tetrateci/tetrateci/1.15/test/skip.d/eks-arm64
@@ -0,0 +1,27 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+istio.io/istio/tests/integration/pilot=TestGatewayConformance
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
diff --git a/tetrateci/tetrateci/1.15/test/skip.d/gke b/tetrateci/tetrateci/1.15/test/skip.d/gke
new file mode 100644
index 000000000000..66c8c4a2eb92
--- /dev/null
+++ b/tetrateci/tetrateci/1.15/test/skip.d/gke
@@ -0,0 +1,37 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+istio.io/istio/tests/integration/pilot=TestGateway TestIngress TestDescribe TestTraffic TestGatewayConformance TestTunnelingOutboundTraffic
+istio.io/istio/tests/integration/pilot/revisioncmd=*
+istio.io/istio/tests/integration/helm=*
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/security=TestReachability/beta-mtls-off TestAuthz_EgressGateway TestReachability/global_no_peer_authn/http
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/security/mtls_first_party_jwt=*
+istio.io/istio/tests/integration/security/https_jwt=TestJWTHTTPS/jwt-authn/a/to_b/valid-token-forward-remote-jwks
+istio.io/istio/tests/integration/security/filebased_tls_origination=TestEgressGatewayTls
+istio.io/istio/tests/integration/telemetry/outboundtrafficpolicy=*
+istio.io/istio/tests/integration/telemetry/stats/prometheus/nullvm=*
+istio.io/istio/tests/integration/telemetry/stats/prometheus/wasm=*
+istio.io/istio/tests/integration/telemetry/stackdriver=*
diff --git a/tetrateci/tetrateci/1.16/test/skip.d/eks b/tetrateci/tetrateci/1.16/test/skip.d/eks
new file mode 100644
index 000000000000..40ed004341a6
--- /dev/null
+++ b/tetrateci/tetrateci/1.16/test/skip.d/eks
@@ -0,0 +1,29 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
+istio.io/istio/tests/integration/pilot=TestGatewayConformance TestIngress/status
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
diff --git a/tetrateci/tetrateci/1.16/test/skip.d/eks-arm64 b/tetrateci/tetrateci/1.16/test/skip.d/eks-arm64
new file mode 100644
index 000000000000..2df591d54737
--- /dev/null
+++ b/tetrateci/tetrateci/1.16/test/skip.d/eks-arm64
@@ -0,0 +1,30 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification
+istio.io/istio/tests/integration/pilot=TestGatewayConformance
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
+istio.io/istio/tests/integration/telemetry_envoyfilter_nullvm=TestDashboard
diff --git a/tetrateci/tetrateci/1.16/test/skip.d/gke b/tetrateci/tetrateci/1.16/test/skip.d/gke
new file mode 100644
index 000000000000..66c8c4a2eb92
--- /dev/null
+++ b/tetrateci/tetrateci/1.16/test/skip.d/gke
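Review bot: The last rule names the package `istio.io/istio/tests/integration/telemetry_envoyfilter_nullvm`, which does not look like an import path; the 1.18 `eks` file in this commit spells a similar package `…/telemetry/envoyfilter/nullvm`. Rules are matched against package names that, in the scripts shown in this commit, come from `go list`, so a misspelt path matches nothing and `TestDashboard` keeps running. If the slash form is what was meant, the line should read `istio.io/istio/tests/integration/telemetry/envoyfilter/nullvm=TestDashboard`; otherwise confirm the path against the `go list` output on the 1.16 branch. The 1.17 `eks-arm64` file carries the same line.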
@@ -0,0 +1,37 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+istio.io/istio/tests/integration/pilot=TestGateway TestIngress TestDescribe TestTraffic TestGatewayConformance TestTunnelingOutboundTraffic
+istio.io/istio/tests/integration/pilot/revisioncmd=*
+istio.io/istio/tests/integration/helm=*
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/security=TestReachability/beta-mtls-off TestAuthz_EgressGateway TestReachability/global_no_peer_authn/http
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/security/mtls_first_party_jwt=*
+istio.io/istio/tests/integration/security/https_jwt=TestJWTHTTPS/jwt-authn/a/to_b/valid-token-forward-remote-jwks
+istio.io/istio/tests/integration/security/filebased_tls_origination=TestEgressGatewayTls
+istio.io/istio/tests/integration/telemetry/outboundtrafficpolicy=*
+istio.io/istio/tests/integration/telemetry/stats/prometheus/nullvm=*
+istio.io/istio/tests/integration/telemetry/stats/prometheus/wasm=*
+istio.io/istio/tests/integration/telemetry/stackdriver=*
diff --git a/tetrateci/tetrateci/1.17/test/skip.d/eks b/tetrateci/tetrateci/1.17/test/skip.d/eks
new file mode 100644
index 000000000000..d94ed36c1f77
--- /dev/null
+++ b/tetrateci/tetrateci/1.17/test/skip.d/eks
@@ -0,0 +1,32 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
+istio.io/istio/tests/integration/telemetry/api=TestAccessLogsMode
+istio.io/istio/tests/integration/pilot=TestGatewayConformance TestIngress/status
+istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt
+istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification
+istio.io/istio/tests/integration/security=TestReachability/global_no_peer_authn TestReachability/migration_tls_mutual TestReachability/migration_no_tls TestReachability/mtls_strict
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
diff --git a/tetrateci/tetrateci/1.17/test/skip.d/eks-arm64 b/tetrateci/tetrateci/1.17/test/skip.d/eks-arm64
new file mode 100644
index 000000000000..eab40ca7e49e
--- /dev/null
+++ b/tetrateci/tetrateci/1.17/test/skip.d/eks-arm64
@@ -0,0 +1,31 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification
+istio.io/istio/tests/integration/pilot=TestGatewayConformance
+istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
+istio.io/istio/tests/integration/telemetry_envoyfilter_nullvm=TestDashboard
diff --git a/tetrateci/tetrateci/1.17/test/skip.d/gke b/tetrateci/tetrateci/1.17/test/skip.d/gke
new file mode 100644
index 000000000000..66c8c4a2eb92
--- /dev/null
+++ b/tetrateci/tetrateci/1.17/test/skip.d/gke
@@ -0,0 +1,37 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+istio.io/istio/tests/integration/pilot=TestGateway TestIngress TestDescribe TestTraffic TestGatewayConformance TestTunnelingOutboundTraffic
+istio.io/istio/tests/integration/pilot/revisioncmd=*
+istio.io/istio/tests/integration/helm=*
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/security=TestReachability/beta-mtls-off TestAuthz_EgressGateway TestReachability/global_no_peer_authn/http
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/security/mtls_first_party_jwt=*
+istio.io/istio/tests/integration/security/https_jwt=TestJWTHTTPS/jwt-authn/a/to_b/valid-token-forward-remote-jwks
+istio.io/istio/tests/integration/security/filebased_tls_origination=TestEgressGatewayTls
+istio.io/istio/tests/integration/telemetry/outboundtrafficpolicy=*
+istio.io/istio/tests/integration/telemetry/stats/prometheus/nullvm=*
+istio.io/istio/tests/integration/telemetry/stats/prometheus/wasm=*
+istio.io/istio/tests/integration/telemetry/stackdriver=*
diff --git a/tetrateci/tetrateci/1.18/test/skip.d/eks b/tetrateci/tetrateci/1.18/test/skip.d/eks
new file mode 100644
index 000000000000..4c2a2f2fa484
--- /dev/null
+++ b/tetrateci/tetrateci/1.18/test/skip.d/eks
@@ -0,0 +1,50 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+
+istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt
+istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/pilot=TestGatewayConformance TestTunnelingOutboundTraffic
+istio.io/istio/tests/integration/security=TestAuthz_Namespace TestAuthz_DenyNamespace TestAuthz_NotNamespace TestAuthz_NotMethod TestAuthz_NotPort TestAuthz_DenyPlaintext TestAuthz_Conditions TestAuthz_PathNormalization TestAuthz_CustomServer TestMutualTlsOrigination TestRequestAuthentication TestIngressRequestAuthentication TestNormalization TestPassThroughFilterChain TestReachability
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/telemetry=*
+istio.io/istio/tests/integration/telemetry/api=*
+istio.io/istio/tests/integration/telemetry/common=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/nullvm=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/wasm=*
+istio.io/istio/tests/integration/telemetry/policy=*
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/api=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
+istio.io/istio/tests/integration/telemetry/tracing=*
+istio.io/istio/tests/integration/telemetry/tracing/otelcollector=*
+istio.io/istio/tests/integration/telemetry/tracing/zipkin=*
+
+
+
+
+
+
diff --git a/tetrateci/tetrateci/1.18/test/skip.d/eks-arm64 b/tetrateci/tetrateci/1.18/test/skip.d/eks-arm64
new file mode 100644
index 000000000000..c2e99416b4ad
--- /dev/null
+++ b/tetrateci/tetrateci/1.18/test/skip.d/eks-arm64
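Review bot: The `istio.io/istio/tests/integration/security=` entry in this 1.18 `skip.d/eks` list disables nearly every authorization, request-authentication and mTLS test (`TestAuthz_*`, `TestRequestAuthentication`, `TestMutualTlsOrigination`, `TestReachability`) without saying why or when it will be re-enabled. The same entry recurs in the 1.18 `eks-arm64` and `gke` lists and, with `TestAuthz_NotHost` added, in the three 1.19 lists. The CI description in this commit says a release tag is cut once these e2e tests pass, so the release gate presumably no longer exercises policy enforcement on those platforms. I would put a comment above each such line, e.g. `# security: skipped on <platform> because <reason>; tracked in <issue-link>`, and narrow the names to the failing sub-tests (the header documents the `TestA/case-b` form) where that is possible.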
@@ -0,0 +1,42 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt
+istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/pilot=TestGatewayConformance TestTunnelingOutboundTraffic
+istio.io/istio/tests/integration/security=TestAuthz_Namespace TestAuthz_DenyNamespace TestAuthz_NotNamespace TestAuthz_NotMethod TestAuthz_NotPort TestAuthz_DenyPlaintext TestAuthz_Conditions TestAuthz_PathNormalization TestAuthz_CustomServer TestMutualTlsOrigination TestRequestAuthentication TestIngressRequestAuthentication TestNormalization TestPassThroughFilterChain TestReachability
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/telemetry=*
+istio.io/istio/tests/integration/telemetry/api=*
+istio.io/istio/tests/integration/telemetry/common=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/nullvm=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/wasm=*
+istio.io/istio/tests/integration/telemetry/policy=*
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/api=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
+istio.io/istio/tests/integration/telemetry/tracing=*
+istio.io/istio/tests/integration/telemetry/tracing/otelcollector=*
+istio.io/istio/tests/integration/telemetry/tracing/zipkin=*
diff --git a/tetrateci/tetrateci/1.18/test/skip.d/gke b/tetrateci/tetrateci/1.18/test/skip.d/gke
new file mode 100644
index 000000000000..fd4d384fb187
--- /dev/null
+++ b/tetrateci/tetrateci/1.18/test/skip.d/gke
@@ -0,0 +1,43 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt
+istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/pilot=TestGatewayConformance TestTunnelingOutboundTraffic
+istio.io/istio/tests/integration/security=TestAuthz_Namespace TestAuthz_DenyNamespace TestAuthz_NotNamespace TestAuthz_NotMethod TestAuthz_NotPort TestAuthz_DenyPlaintext TestAuthz_Conditions TestAuthz_PathNormalization TestAuthz_CustomServer TestMutualTlsOrigination TestRequestAuthentication TestIngressRequestAuthentication TestNormalization TestPassThroughFilterChain TestReachability
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/telemetry=*
+istio.io/istio/tests/integration/telemetry/api=*
+istio.io/istio/tests/integration/telemetry/common=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/nullvm=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/wasm=*
+istio.io/istio/tests/integration/telemetry/policy=*
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/api=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
+istio.io/istio/tests/integration/telemetry/tracing=*
+istio.io/istio/tests/integration/telemetry/tracing/otelcollector=*
+istio.io/istio/tests/integration/telemetry/tracing/zipkin=*
diff --git a/tetrateci/tetrateci/1.19/test/skip.d/eks b/tetrateci/tetrateci/1.19/test/skip.d/eks
new file mode 100644
index 000000000000..637ac7d2dff3
--- /dev/null
+++ b/tetrateci/tetrateci/1.19/test/skip.d/eks
@@ -0,0 +1,52 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+
+istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt
+istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/pilot=TestGatewayConformance TestTunnelingOutboundTraffic TestIngress
+istio.io/istio/tests/integration/security=TestAuthz_Namespace TestAuthz_DenyNamespace TestAuthz_NotHost TestAuthz_NotNamespace TestAuthz_NotMethod TestAuthz_NotPort TestAuthz_DenyPlaintext TestAuthz_Conditions TestAuthz_PathNormalization TestAuthz_CustomServer TestMutualTlsOrigination TestRequestAuthentication TestIngressRequestAuthentication TestNormalization TestPassThroughFilterChain TestReachability
+istio.io/istio/tests/integration/security/sds_ingress=*
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/telemetry=*
+istio.io/istio/tests/integration/telemetry/api=*
+istio.io/istio/tests/integration/telemetry/common=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/nullvm=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/wasm=*
+istio.io/istio/tests/integration/telemetry/policy=*
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/api=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
+istio.io/istio/tests/integration/telemetry/tracing=*
+istio.io/istio/tests/integration/telemetry/tracing/otelcollector=*
+istio.io/istio/tests/integration/telemetry/tracing/zipkin=*
+
+
+
+
+
+
+
diff --git a/tetrateci/tetrateci/1.19/test/skip.d/eks-arm64 b/tetrateci/tetrateci/1.19/test/skip.d/eks-arm64
new file mode 100644
index 000000000000..6d85049eb498
--- /dev/null
+++ b/tetrateci/tetrateci/1.19/test/skip.d/eks-arm64
@@ -0,0 +1,43 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt
+istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/pilot=TestGatewayConformance TestTunnelingOutboundTraffic TestIngress
+istio.io/istio/tests/integration/security=TestAuthz_Namespace TestAuthz_DenyNamespace TestAuthz_NotHost TestAuthz_NotNamespace TestAuthz_NotMethod TestAuthz_NotPort TestAuthz_DenyPlaintext TestAuthz_Conditions TestAuthz_PathNormalization TestAuthz_CustomServer TestMutualTlsOrigination TestRequestAuthentication TestIngressRequestAuthentication TestNormalization TestPassThroughFilterChain TestReachability
+istio.io/istio/tests/integration/security/sds_ingress=*
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/telemetry=*
+istio.io/istio/tests/integration/telemetry/api=*
+istio.io/istio/tests/integration/telemetry/common=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/nullvm=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/wasm=*
+istio.io/istio/tests/integration/telemetry/policy=*
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/api=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
+istio.io/istio/tests/integration/telemetry/tracing=*
+istio.io/istio/tests/integration/telemetry/tracing/otelcollector=*
+istio.io/istio/tests/integration/telemetry/tracing/zipkin=*
diff --git a/tetrateci/tetrateci/1.19/test/skip.d/gke b/tetrateci/tetrateci/1.19/test/skip.d/gke
new file mode 100644
index 000000000000..b2532caf8187
--- /dev/null
+++ b/tetrateci/tetrateci/1.19/test/skip.d/gke
@@ -0,0 +1,46 @@
+# e2e tests to skip (until a long-term fix is found)
+#
+# Each line has format:
+#
+# ```text
+# = ...
+# ```
+#
+# where
+# 1. - is a name of a package with Istio e2e tests, e.g.
+# `istio.io/istio/tests/integration/pilot`
+# 2. - is a regexp that matches unit tests to skip, e.g.
+# 'TestA', 'TestA|TestB|TestC', 'TestA/case-b', etc.
+# Each `` value will be translated into the
+# `--istio.test.skip` option of the Istio Test Framework.
+#
+# A special case,
+#
+# ```text
+# =*
+# ```
+#
+# indicates that tests for the package `` should not be run at all.
+
+istio.io/istio/tests/integration/helm=TestDefaultInstall TestInstallWithFirstPartyJwt
+istio.io/istio/tests/integration/operator=TestPostInstallControlPlaneVerification
+istio.io/istio/tests/integration/helm/upgrade=*
+istio.io/istio/tests/integration/pilot/revisioncmd=*
+istio.io/istio/tests/integration/pilot=TestGatewayConformance TestTunnelingOutboundTraffic TestIngress
+istio.io/istio/tests/integration/security=TestAuthz_Namespace TestAuthz_DenyNamespace TestAuthz_NotHost TestAuthz_NotNamespace TestAuthz_NotMethod TestAuthz_NotPort TestAuthz_DenyPlaintext TestAuthz_Conditions TestAuthz_PathNormalization TestAuthz_CustomServer TestMutualTlsOrigination TestRequestAuthentication TestIngressRequestAuthentication TestNormalization TestPassThroughFilterChain TestReachability TestSimpleTlsOrigination
+istio.io/istio/tests/integration/security/sds_ingress=*
+istio.io/istio/tests/integration/security/sds_ingress/quic=*
+istio.io/istio/tests/integration/security/mtls_first_party_jwt=*
+istio.io/istio/tests/integration/telemetry=*
+istio.io/istio/tests/integration/telemetry/api=*
+istio.io/istio/tests/integration/telemetry/common=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/customizemetrics=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/nullvm=*
+istio.io/istio/tests/integration/telemetry/envoyfilter/wasm=*
+istio.io/istio/tests/integration/telemetry/policy=*
+istio.io/istio/tests/integration/telemetry/stackdriver=*
+istio.io/istio/tests/integration/telemetry/stackdriver/api=*
+istio.io/istio/tests/integration/telemetry/stackdriver/vm=*
+istio.io/istio/tests/integration/telemetry/tracing=*
+istio.io/istio/tests/integration/telemetry/tracing/otelcollector=*
+istio.io/istio/tests/integration/telemetry/tracing/zipkin=*
diff --git a/tetrateci/tetrateci/README.md b/tetrateci/tetrateci/README.md
new file mode 100644
index 000000000000..de0cb71b8ffe
--- /dev/null
+++ b/tetrateci/tetrateci/README.md
@@ -0,0 +1,10 @@
+# Tetrate Istio Distro
+
+This doc covers a few aspects of Tetrate Istio Distro.
+
+- [CI Workflow](https://github.com/tetratelabs/istio/blob/tetrate-workflow/tetrateci/docs/ci_workflow.md)
+is a good start to understand the overall TID build process.
+- [FIPS build](https://github.com/tetratelabs/istio/blob/tetrate-workflow/tetrateci/docs/fips.md)
+covers some information about how FIPS version TID is built.
+- [Release Process](https://github.com/tetratelabs/istio/blob/tetrate-workflow/tetrateci/docs/release.md)
+document what a release manager should do to create a release.
diff --git a/tetrateci/tetrateci/apply_e2e_build_patches.sh b/tetrateci/tetrateci/apply_e2e_build_patches.sh
new file mode 100755
index 000000000000..93f77ffd5412
--- /dev/null
+++ b/tetrateci/tetrateci/apply_e2e_build_patches.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) Tetrate, Inc 2021 All Rights Reserved.
+
+#
+# Apply patches to the Istio code base that are necessary to fix e2e tests.
+#
+# E.g., after we bumped version of Go from `1.16` to `1.17`, e2e tests of
+# `Istio 1.11` started failing.
+#
+# To fix e2e tests, we had to backport changes from `Istio 1.12`.
+#
+# However, since required changes affected only test code and test images,
+# we didn't want to include them into the release build.
+#
+
+set -e
+set -u
+set -x
+
+SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+
+while IFS= read -r -d '' patch
+do
+ git apply "${patch}"
+done < <(find "${SCRIPTDIR}/patches/build/e2e/${ISTIO_MINOR_VER}" -type f -name '*.patch' -print0)
diff --git a/tetrateci/tetrateci/ci_workflow.md b/tetrateci/tetrateci/ci_workflow.md
new file mode 100644
index 000000000000..bbf288e9142b
--- /dev/null
+++ b/tetrateci/tetrateci/ci_workflow.md
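Review bot: The patch loop in apply_e2e_build_patches.sh applies files in whatever order `find` returns them, which is not defined, so patches that build on each other can apply on one runner and fail on another. Sorting the stream makes the order reproducible: `done < <(find "${SCRIPTDIR}/patches/build/e2e/${ISTIO_MINOR_VER}" -type f -name '*.patch' -print0 | sort -z)`. Separately, `set -e` does not see a failure inside the `<( … )` process substitution, so a missing directory for the given `ISTIO_MINOR_VER` ends with zero patches applied and exit status 0. A guard before the loop such as `[[ -d "${SCRIPTDIR}/patches/build/e2e/${ISTIO_MINOR_VER}" ]] || exit 1` would make that case explicit, if a missing directory is not meant to be a valid "no patches" state.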
@@ -0,0 +1,26 @@
+## Github Workflows
+### backport_commits.yml
+Creates a backports PR for any commit made to the `tetrate-workflow` branch to any branch which conform those regexes
+- `origin/tetrate-release-[[:digit:]]+.[[:digit:]]+$`
+- `origin/tetratefips-release-[[:digit:]]+.[[:digit:]]+$`
+
+The script is adapted from [here](https://github.com/repo-sync/pull-request). The catch is the script only ports changes if there are on the `tetrateci` or `.github/workflows` folders. Merging with a commit or rebasing is not used to avoid merge conflicts.
+
+### sync_fork.yml
+Runs every midnight and checks if there are any new tag on `istio/istio`, if no new tags are founds the action is done. On the other hand if there are new tags, the script loops through them creating corresponding `test-tetrate-x.y.z-v0` & `test-tetratefips-x.y.z-v0` tags and merging them with `tetrate-release-x.y` & `tetratefips-release-x.y` branches.
+
+Also pushes the archives from `istio/istio` release to the cloudsmith repo.
+
+### e2e_tests.yml
+Runs if there are any tags pushed with `test-` prefix. Utilizes `istio/release-builder` to generate docker images which are to be used for subsequent testing. The one thing to keep in mind it, the same script is used for making the releases and we only differentiate that based on whether the `TEST` environment variable is defined or not.
+
+Subsequent 4 jobs runs the istio integration tests on applicable versions of eks, gke, aks and eksd, though some of them are disable for various reasons for now. All the platforms have corresponding create and cleanup scripts. The `version_check.py` has a matrix of istio versions vs k8s versions which determines which versions we need to get the istio release tested on.
+
+All the minor versions of istio have their own testing scripts, the reason being there are patches which need to be applied before testing so the tests dont fail.
The tests being written for `kind` have some default assumptions which might not be applicable for all the platforms we test on.
+
+After the tests pass, the `test-` prefix is stripped off the current tag and the tree is tagged with the remaining, cutting a release with something similar to `tetrate-x.y.z-vn`.
+
+Then the release builder is again triggered to create the release images and archives with `tetrate-x.y.z-vn` tag but this time without defining the `TEST` environment variable. A fips compliant build is only triggered if the tag contains `fips` in it. The only difference between fips and non fips build is the `Go` we are using. The `create_istio_release.sh` script sets up the environment manually instead if using the docker image is due to some restrictions in the Github Actions, it becomes a bit hard to procure the logs and monitor the whole process.
+
+### make_release.yml
+It is same as the last process of `e2e_tests.yml` but with a manual trigger. Changes made to any of them must be backported to the other one, since they more or less do the same thing.
diff --git a/tetrateci/tetrateci/cleanup_aks_cluster.sh b/tetrateci/tetrateci/cleanup_aks_cluster.sh
new file mode 100755
index 000000000000..cad4b559be87
--- /dev/null
+++ b/tetrateci/tetrateci/cleanup_aks_cluster.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+./tetrateci/version_check.py && exit
+
+set -o errexit
+set -o pipefail
+
+SHA8=$(git rev-parse --short $GITHUB_SHA)
+SUFFIX=$(sed 's/\.//g' <<< $K8S_VERSION)
+CLUSTER_NAME="test-istio-$SHA8-$SUFFIX"
+az aks delete --name $CLUSTER_NAME --resource-group $RESOURCE --yes
diff --git a/tetrateci/tetrateci/cleanup_eks_cluster.sh b/tetrateci/tetrateci/cleanup_eks_cluster.sh
new file mode 100755
index 000000000000..1f2cfea68f80
--- /dev/null
+++ b/tetrateci/tetrateci/cleanup_eks_cluster.sh
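Review bot: cleanup_aks_cluster.sh builds the name of the cluster it deletes from `$GITHUB_SHA`, `$K8S_VERSION` and `$RESOURCE` without `set -o nounset` and without quoting, so an unset or empty variable is not caught before the non-interactive `az aks delete … --yes` runs. With `$RESOURCE` empty, for instance, `--yes` would be parsed as the value of `--resource-group`. I would add `set -o nounset` next to the other two options and quote the expansions, e.g. `az aks delete --name "$CLUSTER_NAME" --resource-group "$RESOURCE" --yes`. The same pattern appears in cleanup_eks_cluster.sh, cleanup_eksd_cluster.sh, cleanup_gke_cluster.sh and in the create_*_cluster.sh scripts of this commit.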
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+./tetrateci/version_check.py && exit
+
+set -o errexit
+set -o pipefail
+
+SHA8=$(git rev-parse --short $GITHUB_SHA)
+SUFFIX=$(sed 's/\.//g' <<< $K8S_VERSION.$TEST_ARCH)
+CLUSTER_NAME="test-istio-$SHA8-$SUFFIX"
+echo "Deleting eks cluster $CLUSTER_NAME"
+eksctl delete cluster --name $CLUSTER_NAME
diff --git a/tetrateci/tetrateci/cleanup_eksd_cluster.sh b/tetrateci/tetrateci/cleanup_eksd_cluster.sh
new file mode 100755
index 000000000000..6ab1a0f0099c
--- /dev/null
+++ b/tetrateci/tetrateci/cleanup_eksd_cluster.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+
+
+BASEDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
+
+if [[ ! -f ~/.aws/config && ! -f ~/.aws/credentials ]]
+then
+ echo "warn: didn't find config and credentials in ~/.aws."
+ echo "checking for environment varibles...."
+ if [[ ! -v AWS_ACCESS_KEY_ID && ! -v AWS_SECRET_ACCESS_KEY ]]
+ then
+ echo "error: neither is aws_access_key_id and aws_secret_access_key is set."
+ exit 2
+ fi
+fi
+
+SHA8=$(git rev-parse --short $GITHUB_SHA)
+SUFFIX=$(sed 's/\.//g' <<< $K8S_VERSION)
+
+## Cluster name has to end with k8s.local
+CLUSTER_NAME="test-istio-$SHA8-$SUFFIX.k8s.local"
+
+cd $BASEDIR/../eks-distro/development/kops
+
+export KOPS_STATE_STORE=s3://${S3_BUCKET}
+export KOPS_CLUSTER_NAME=${CLUSTER_NAME}
+
+
+#Wait for the cluster to be created
+./delete_cluster.sh
+
diff --git a/tetrateci/tetrateci/cleanup_gke_cluster.sh b/tetrateci/tetrateci/cleanup_gke_cluster.sh
new file mode 100755
index 000000000000..2fc7e2d87d37
--- /dev/null
+++ b/tetrateci/tetrateci/cleanup_gke_cluster.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+./tetrateci/version_check.py && exit
+
+set -o errexit
+set -o pipefail
+
+SHA8=$(git rev-parse --short $GITHUB_SHA)
+SUFFIX=$(sed 's/\.//g' <<< $K8S_VERSION)
+CLUSTER_NAME="test-istio-$SHA8-$SUFFIX"
+gcloud container clusters delete $CLUSTER_NAME --region us-central1-c --quiet
diff --git a/tetrateci/tetrateci/create_aks_cluster.sh b/tetrateci/tetrateci/create_aks_cluster.sh
new file mode 100755
index 000000000000..2c28afcd613e
--- /dev/null
+++ b/tetrateci/tetrateci/create_aks_cluster.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+./tetrateci/version_check.py && exit
+
+set -o errexit
+set -o pipefail
+
+SHA8=$(git rev-parse --short $GITHUB_SHA)
+SUFFIX=$(sed 's/\.//g' <<< $K8S_VERSION)
+CLUSTER_NAME="test-istio-$SHA8-$SUFFIX"
+
+echo "Fetching location of the resource"
+location=$(az group show -g $RESOURCE | jq '.location')
+
+echo "Fetching available kubernetes patch version for $K8S_VERSION"
+version=$(az aks get-versions -l $location | jq '.orchestrators[] | .orchestratorVersion' | grep $K8S_VERSION | tail -n 1 | tr -d '"')
+
+echo "Kubernetes version selected: $version"
+
+az aks create --resource-group $RESOURCE --name $CLUSTER_NAME --node-count 3 --generate-ssh-keys --kubernetes-version $version -s standard_ds3_v2 --network-plugin azure
+az aks get-credentials --resource-group $RESOURCE --name $CLUSTER_NAME
diff --git a/tetrateci/tetrateci/create_eks_cluster.sh b/tetrateci/tetrateci/create_eks_cluster.sh
new file mode 100755
index 000000000000..5cfe80b02584
--- /dev/null
+++ b/tetrateci/tetrateci/create_eks_cluster.sh
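Review bot: In create_aks_cluster.sh the version lookup `grep $K8S_VERSION` is an unanchored regular expression in which `.` matches any character, so a value such as `1.2` also matches `1.20` or `1.21` and `tail -n 1` may then select a different minor version than the one requested. A fixed-string match on the minor plus its trailing dot is stricter: `grep -F "\"${K8S_VERSION}."` (the jq output still carries the opening quote at that point). In the same hunk `jq '.location'` keeps the JSON quotes in `$location`, which are then passed literally to `az aks get-versions -l`; `jq -r '.location'` avoids relying on how az treats them.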
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+./tetrateci/version_check.py && exit
+
+set -o errexit
+set -o pipefail
+
+if [[ ! -f ~/.aws/config && ! -f ~/.aws/credentials ]]
+then
+ echo "warn: didn't find config and credentials in ~/.aws."
+ echo "checking for environment varibles...."
+ if [[ ! -v AWS_ACCESS_KEY_ID && ! -v AWS_SECRET_ACCESS_KEY ]]
+ then
+ echo "error: neither is aws_access_key_id and aws_secret_access_key is set."
+ exit 2
+ fi
+fi
+
+if ! command -v eksctl &> /dev/null
+then
+ echo "warn: eksctl is not found in the \$path. downloading eksctl"
+ curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
+ sudo mv /tmp/eksctl /usr/local/bin
+fi
+
+SHA8=$(git rev-parse --short $GITHUB_SHA)
+SUFFIX=$(sed 's/\.//g' <<< $K8S_VERSION.$TEST_ARCH)
+CLUSTER_NAME="test-istio-$SHA8-$SUFFIX"
+NODE_TYPE="m6a.4xlarge"
+if [[ "${TEST_ARCH}" = "arm64" ]]; then
+ NODE_TYPE="m6g.4xlarge"
+fi
+
+echo "creating a eks cluster with \"$CLUSTER_NAME\" name..."
+eksctl create cluster --name $CLUSTER_NAME --version $K8S_VERSION --nodes 3 --node-type $NODE_TYPE --tags tetrate:owner=psb,tetrate:purpose=development,tetrate:team=eng:tid,tetrate:customer=internal,tetrate:lifespan=ongoing
+
diff --git a/tetrateci/tetrateci/create_eksd_cluster.sh b/tetrateci/tetrateci/create_eksd_cluster.sh
new file mode 100755
index 000000000000..350725d5d9d4
--- /dev/null
+++ b/tetrateci/tetrateci/create_eksd_cluster.sh
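Review bot: The eksctl bootstrap in create_eks_cluster.sh pipes the `releases/latest` tarball straight from `curl` into `tar` and moves the result into `/usr/local/bin` with sudo, with no version pin and no integrity check, in a job that by the preceding lines holds AWS credentials. Whatever that URL serves at run time is executed with those credentials, and `curl --silent` without `--fail` also hides an HTTP error page from the pipeline. I would pin a reviewed release and verify its SHA-256 before unpacking, as sketched below; the version and digest are placeholders to be filled from the release's published checksums. The asset name is also fixed to `amd64` although the script supports `TEST_ARCH=arm64`, which is only correct if the runner itself is always amd64.

```shell
if ! command -v eksctl &> /dev/null
then
    # … unchanged: warning message …
    EKSCTL_VERSION="<pinned-eksctl-release-tag>"      # placeholder: a reviewed release tag
    EKSCTL_SHA256="<sha256-of-the-pinned-tarball>"    # placeholder: from the release's checksum file
    EKSCTL_TARBALL="eksctl_$(uname -s)_amd64.tar.gz"
    curl --fail --silent --show-error --location \
        --output "/tmp/${EKSCTL_TARBALL}" \
        "https://github.com/weaveworks/eksctl/releases/download/${EKSCTL_VERSION}/${EKSCTL_TARBALL}"
    echo "${EKSCTL_SHA256}  /tmp/${EKSCTL_TARBALL}" | sha256sum --check -
    tar -xzf "/tmp/${EKSCTL_TARBALL}" -C /tmp
    # … unchanged: sudo mv into /usr/local/bin, fi …
```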
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+
+BASEDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
+
+if [[ ! -f ~/.aws/config && ! -f ~/.aws/credentials ]]
+then
+ echo "warn: didn't find config and credentials in ~/.aws."
+ echo "checking for environment varibles...."
+ if [[ ! -v AWS_ACCESS_KEY_ID && ! -v AWS_SECRET_ACCESS_KEY ]]
+ then
+ echo "error: neither is aws_access_key_id and aws_secret_access_key is set."
+ exit 2
+ fi
+fi
+
+SHA8=$(git rev-parse --short $GITHUB_SHA)
+SUFFIX=$(sed 's/\.//g' <<< $K8S_VERSION)
+
+## Cluster name has to end with k8s.local
+CLUSTER_NAME="test-istio-$SHA8-$SUFFIX.k8s.local"
+
+cd $BASEDIR/..
+git clone https://github.com/aws/eks-distro.git
+cd eks-distro/development/kops
+
+export KOPS_STATE_STORE=s3://${S3_BUCKET}
+export KOPS_CLUSTER_NAME=${CLUSTER_NAME}
+
+cp $BASEDIR/tetrateci/eks-d.tpl .
+
+# possible versions: 1-18, 1-19
+export RELEASE_BRANCH=$(sed 's/\./-/g' <<< $K8S_VERSION)
+
+echo "creating a eksd cluster with \"$CLUSTER_NAME\" name..."
+./run_cluster.sh
+
+#Wait for the cluster to be created
+./cluster_wait.sh
+
+cd $BASEDIR
diff --git a/tetrateci/tetrateci/create_gke_cluster.sh b/tetrateci/tetrateci/create_gke_cluster.sh
new file mode 100755
index 000000000000..90130f77b17d
--- /dev/null
+++ b/tetrateci/tetrateci/create_gke_cluster.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+./tetrateci/version_check.py && exit
+
+set -o errexit
+set -o pipefail
+
+SHA8=$(git rev-parse --short $GITHUB_SHA)
+SUFFIX=$(sed 's/\.//g' <<< $K8S_VERSION)
+CLUSTER_NAME="test-istio-$SHA8-$SUFFIX"
+export USE_GKE_GCLOUD_AUTH_PLUGIN=True
+gcloud components install gke-gcloud-auth-plugin
+gcloud container clusters create $CLUSTER_NAME --machine-type "n1-standard-4" --num-nodes 3 --region=us-central1-c --enable-network-policy --cluster-version $K8S_VERSION --release-channel "$CHAN"
+gcloud container clusters get-credentials $CLUSTER_NAME --region us-central1-c
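Review bot: create_eksd_cluster.sh clones `https://github.com/aws/eks-distro.git` at whatever its default branch points to and then runs `./run_cluster.sh` and `./cluster_wait.sh` from that checkout with the AWS credentials checked earlier in the script, so the code executed can change between CI runs without any change in this repository. Pinning the checkout to a reviewed commit keeps the run reproducible and makes upstream changes an explicit update: after the clone, add `git -C eks-distro checkout --detach "<reviewed-commit-sha>"` (placeholder for the commit you have reviewed). cleanup_eksd_cluster.sh runs `./delete_cluster.sh` from the same checkout and benefits from the same pin.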
diff --git a/tetrateci/tetrateci/create_istio_release.sh b/tetrateci/tetrateci/create_istio_release.sh
new file mode 100755
index 000000000000..2dab89afea9d
--- /dev/null
+++ b/tetrateci/tetrateci/create_istio_release.sh
@@ -0,0 +1,174 @@ +#!/usr/bin/env bash + +set -o errexit +set -o pipefail +set -x + +BASEDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )" + +sudo rm -rf /usr/local/go + +source ${BASEDIR}/tetrateci/setup_go.sh + + + +## Set up release-builder + +# BOM is needed for generating bill of materials, required by Istio since 1.13, https://github.com/istio/release-builder/pull/893 +# go install sigs.k8s.io/bom/cmd/bom@v0.2.2 +# sudo cp /home/runner/go/bin/bom /usr/local/bin/ + +sudo gem install fpm +sudo apt-get install go-bindata -y +export BRANCH=release-${REL_BRANCH_VER} +cd .. +rm -rf release-builder +git clone https://github.com/istio/release-builder --branch ${BRANCH} + + +# HACK : the github runner runs provides 14 GB free space. (https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources). +# Temporary thing, we should be moving to a custom runner instead. +echo "Deleting /usr/share/dotnet, /opt/ghc, /usr/local/share/boost to reclaim space" +for i in /usr/share/dotnet /opt/ghc /usr/local/share/boost; do echo deleting folder $i; [ -d $i ] && rm -rf "$i" ; done +echo "Deletion complete" + +# HACK : This is needed during istio build for istiod to serve version command +export ISTIO_VERSION=$TAG + +# We are not using a docker container to build the istioctl binary and images, so we make it explicit +export BUILD_WITH_CONTAINER=0 + +# HACK : For FIPS change the distroless base image to include glibc +# We would use the same distroless base image as istio-proxy for pilot and operator +# HACK : change envoy/wasm base URL to point to FIPS compliant one +if [[ ${TAG} =~ "fips" ]]; then + PROXY_DISTROLESS_BASE=$(grep 'as distroless' ${BASEDIR}/pilot/docker/Dockerfile.proxyv2) + # Escape '/' + PROXY_DISTROLESS_BASE_ESCAPED=$(sed 's/\//\\\//g' <<< ${PROXY_DISTROLESS_BASE}) + sed -i "s/.*as distroless/${PROXY_DISTROLESS_BASE_ESCAPED}/" ${BASEDIR}/operator/docker/Dockerfile.operator + export 
ISTIO_ENVOY_BASE_URL=https://storage.googleapis.com/getistio-build/proxy-fips +fi + + +if [[ "$(uname -m)" = "aarch64" ]]; then + sed -i 's/gcr\.io\/istio-release/gcr\.io\/tetrate-istio-arm/' $(find ${BASEDIR} | grep Dockerfile) + sed -i 's/gcr\.io\/tetrate-istio-arm\/iptables@sha256:[0-9a-f]*/gcr\.io\/istio-release\/iptables@sha256:8efeb55ddf08f2f513d303b8f0ff42c9f08f355de2f4124e641d209d11a6af91/' ${BASEDIR}/pilot/docker/Dockerfile.proxyv2 + export ISTIO_ENVOY_BASE_URL=https://storage.googleapis.com/getistio-build/proxy-arm + export BASE_VERSION=1602e34d9524a2a312907aab276bcd7100da52df # 1.12 + +fi + + + + +# HACK : default manifest from release builder is modified +echo "Generating the manifests" +# we are generating the different yamls for both the archive & docker image builds which are saved to release-builder folder +python3 -m pip install pyyaml --user +${BASEDIR}/tetrateci/gen_release_manifest.py ${BASEDIR}/../release-builder/example/manifest.yaml ${BASEDIR}/../release-builder/ + +# if length $TEST is zero we are making a RELEASE. It should have both images and archives +# The test flag is to check whether we are building images for testing or release +# in case of release we build the istioctl too which we don't need in case of testing. +echo "TEST flag is '${TEST:-}'" + +echo "Getting into release builder" +cd release-builder + +if [[ "$(uname -m)" = "aarch64" ]]; then + sed -i 's/linux_amd64/linux_arm64/' pkg/model/model.go +fi + +echo "Copying istio directory" +cp -r ../istio . +# export IMAGE_VERSION=$(curl https://raw.githubusercontent.com/istio/test-infra/master/prow/config/jobs/release-builder.yaml | grep "image: gcr.io" | head -n 1 | cut -d: -f3) +# make shell TODO: https://github.com/tetratelabs/getistio/issues/82 + +# "Enabling CGO for FIPS build via CGO_ENABLED=1" +echo "Enabling CGO for FIPS build via CGO_ENABLED=1 to istio/common/scripts/gobuild.sh" + +if [[ ${TAG} =~ "fips" ]]; then + echo "Checking if the upstream file is not changed" + if ! 
grep -q 'CGO_ENABLED=${CGO_ENABLED:-0}' istio/common/scripts/gobuild.sh;then exit 1;fi + text="if [[ "\${GOARCH}" == "amd64" ]]; then export CGO_ENABLED=1; else export CGO_ENABLED=0; fi" + sed -i 's/export CGO_ENABLED=${CGO_ENABLED:-0}/'"$text"'/g' istio/common/scripts/gobuild.sh +fi + +# Generalizing TAG variable exporting option to incorporate ARM build.We need amd64 and arm64 suffix in docker images to create multi-arch images.Not needed for tetrate and tetratefips build. +if [[ ${TAG} =~ "multiarch" ]]; then + if [[ "$(uname -m)" = "aarch64" ]]; then + export TAG="${TAG}-arm64" + else + export TAG="${TAG}-amd64" + fi +fi + +#install rpm-build package +sudo apt-get install rpm -y +# Build Docker Images +sudo rm -rf /tmp/istio-release && mkdir /tmp/istio-release + +if [[ ${TAG} =~ "fips" ]]; then + GOEXPERIMENT=boringcrypto go run main.go build --manifest manifest.docker.yaml +else + go run main.go build --manifest manifest.docker.yaml +fi +# go run main.go validate --release /tmp/istio-release/out # seems like it fails if not all the targets are generated + +#loading pilot image manually since docker container create command is failing due to unavailbilty of pilot image locally +docker load -i /tmp/istio-release/out/docker/pilot.tar.gz + +CONTAINER_ID=$(docker create $HUB/pilot:$TAG) +docker cp $CONTAINER_ID:/usr/local/bin/pilot-discovery pilot-bin +# go version with which the binaries for the docker images wi +BUILD_GO_VERSION=$(go version pilot-bin | cut -f2 -d" ") +echo "Images are built with: go $BUILD_GO_VERSION" + +[ $BUILD_GO_VERSION == go$GOLANG_VERSION ] || exit 1 + +# Check if binaries are compiled with boringcrypto +if [ ${TAG} =~ "fips" ]; then + CHECK_CRYPTO=$(go version pilot-bin| cut -f3 -d" ") + [[ $CHECK_CRYPTO == X:boringcrypto ]] || exit 1 +fi + +go run main.go publish --release /tmp/istio-release/out --dockerhub $HUB +echo "Cleaning up the istio source artificats...." 
+sudo rm -rf /tmp/istio-release/sources/ + +if [[ "$(uname -m)" = "x86_64" ]]; then + export TAG="${TAG%-amd64}" + ${BASEDIR}/tetrateci/gen_release_manifest.py ${BASEDIR}/../release-builder/example/manifest.yaml ${BASEDIR}/../release-builder/ +else + exit 0 +fi + +# If RELEASE, Build Archives +if [[ -z ${TEST:-} ]]; then + echo "Building archives..." + # if FIPS, need to use native go as boringgo as of now can't build archives for different platforms + if [[ ${TAG} =~ "fips" ]]; then + sudo rm -rf /usr/local/go + source ${BASEDIR}/tetrateci/setup_go.sh + #disabling cgo flag + sed -i '/then export CGO_ENABLED=1/c\export CGO_ENABLED=0' istio/common/scripts/gobuild.sh + fi + echo "Cleaning up older artifacts created in docker build stage ..." + sudo rm -rf /tmp/istio-release/sources/ && sudo rm -rf /tmp/istio-release/work/ + echo "Prunning docker images to reclaim more space for 1.13.x-fips release" + for i in `docker images | grep -i app_sidecar | awk {'print $3'} | tail -n +2`; do echo pruning $i; docker rmi $i --force; done + go run main.go build --manifest manifest.archive.yaml + + python3 -m pip install --upgrade cloudsmith-cli --user + export PATH=$PATH:/home/runner/.local/bin + + PACKAGES=$(ls /tmp/istio-release/out/ | grep "istio") + for package in $PACKAGES; do + echo "Publishing $package" + cloudsmith push raw tetrate/getistio /tmp/istio-release/out/$package + done +fi +echo "Cleaning /tmp/istio...." +#[ -d "/tmp/istio-release" ] && sudo rm -rf /tmp/istio-release + +echo "Done building and pushing the artifacts." diff --git a/tetrateci/tetrateci/create_multiarch_images.sh b/tetrateci/tetrateci/create_multiarch_images.sh new file mode 100755 index 000000000000..e6e154c59b63 --- /dev/null +++ b/tetrateci/tetrateci/create_multiarch_images.sh 
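Review bot: The boringcrypto verification in create_istio_release.sh is guarded by `if [ ${TAG} =~ "fips" ]; then`, and the single-bracket `[` builtin has no `=~` operator, so the test itself fails with an error status. Because the failure happens in an `if` condition, `errexit` does not stop the script and the `X:boringcrypto` assertion on `pilot-bin` is never evaluated, which means a FIPS-tagged build can be published without the check this block is meant to enforce. The guard should use the same form as the other FIPS branches in this hunk: `if [[ ${TAG} =~ "fips" ]]; then`. Quoting the operands of the earlier version comparison, `[ "$BUILD_GO_VERSION" == "go$GOLANG_VERSION" ] || exit 1`, would likewise keep an empty value from turning into a syntax error rather than a clean mismatch.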
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+# set -x
+
+BASEDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
+
+IMAGES=(app
+app_sidecar_centos_7
+app_sidecar_centos_8
+app_sidecar_debian_10
+app_sidecar_debian_9
+app_sidecar_ubuntu_bionic
+app_sidecar_ubuntu_focal
+app_sidecar_ubuntu_xenial
+install-cni
+istioctl
+operator
+pilot
+proxyv2)
+
+IMAGE_SUFFIXES=("" "-debug" "-distroless")
+
+for image in "${IMAGES[@]}"; do
+ for suffix in "${IMAGE_SUFFIXES[@]}"; do
+ AMD64_IMAGE=$HUB/${image}:${TAG}-amd64${suffix}
+ ARM64_IMAGE=$HUB/${image}:${TAG}-arm64${suffix}
+ MULTIARCH_IMAGE=$HUB/${image}:${TAG}${suffix}
+
+ if docker manifest inspect ${AMD64_IMAGE} &> /dev/null && docker manifest inspect ${ARM64_IMAGE} &> /dev/null; then
+ docker manifest create ${MULTIARCH_IMAGE} --amend ${AMD64_IMAGE} --amend ${ARM64_IMAGE}
+ docker manifest push ${MULTIARCH_IMAGE}
+ fi
+ done
+done
diff --git a/tetrateci/tetrateci/docs/ci_workflow.md b/tetrateci/tetrateci/docs/ci_workflow.md
new file mode 100644
index 000000000000..bbf288e9142b
--- /dev/null
+++ b/tetrateci/tetrateci/docs/ci_workflow.md
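Review bot: The `if docker manifest inspect ... &> /dev/null && ...` guard in the inner loop skips an image silently when either per-arch tag cannot be inspected, so a registry authentication failure or a missing arm64 push ends with exit 0 and no multi-arch manifest for that name. Make the skip visible with an else branch such as `else echo "skipping ${MULTIARCH_IMAGE}: per-arch image not found" >&2`, and consider failing the job for images that are expected in both architectures. The script sets `errexit` and `pipefail` but not `nounset`, and `$HUB`, `${TAG}` and the image references are expanded unquoted, so an empty `HUB` or `TAG` yields malformed references rather than an early error; `: "${HUB:?}" "${TAG:?}"` near the top would stop that. images.sh in this commit reads `${TAG}` the same way.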
@@ -0,0 +1,26 @@ +## Github Workflows +### backport_commits.yml +Creates a backports PR for any commit made to the `tetrate-workflow` branch to any branch which conform those regexes +- `origin/tetrate-release-[[:digit:]]+.[[:digit:]]+$` +- `origin/tetratefips-release-[[:digit:]]+.[[:digit:]]+$` + +The script is adapted from [here](https://github.com/repo-sync/pull-request). The catch is the script only ports changes if there are on the `tetrateci` or `.github/workflows` folders. Merging with a commit or rebasing is not used to avoid merge conflicts. + +### sync_fork.yml +Runs every midnight and checks if there are any new tag on `istio/istio`, if no new tags are founds the action is done. On the other hand if there are new tags, the script loops through them creating corresponding `test-tetrate-x.y.z-v0` & `test-tetratefips-x.y.z-v0` tags and merging them with `tetrate-release-x.y` & `tetratefips-release-x.y` branches. + +Also pushes the archives from `istio/istio` release to the cloudsmith repo. + +### e2e_tests.yml +Runs if there are any tags pushed with `test-` prefix. Utilizes `istio/release-builder` to generate docker images which are to be used for subsequent testing. The one thing to keep in mind it, the same script is used for making the releases and we only differentiate that based on whether the `TEST` environment variable is defined or not. + +Subsequent 4 jobs runs the istio integration tests on applicable versions of eks, gke, aks and eksd, though some of them are disable for various reasons for now. All the platforms have corresponding create and cleanup scripts. The `version_check.py` has a matrix of istio versions vs k8s versions which determines which versions we need to get the istio release tested on. + +All the minor versions of istio have their own testing scripts, the reason being there are patches which need to be applied before testing so the tests dont fail. 
The tests being written for `kind` have some default assumptions which might not be applicable for all the platforms we test on. + +After the tests pass, the `test-` prefix is stripped off the current tag and the tree is tagged with the remaining, cutting a release with something similar to `tetrate-x.y.z-vn`. + +Then the release builder is again triggered to create the release images and archives with `tetrate-x.y.z-vn` tag but this time without defining the `TEST` environment variable. A fips compliant build is only triggered if the tag contains `fips` in it. The only difference between fips and non fips build is the `Go` we are using. The `create_istio_release.sh` script sets up the environment manually instead if using the docker image is due to some restrictions in the Github Actions, it becomes a bit hard to procure the logs and monitor the whole process. + +### make_release.yml +It is same as the last process of `e2e_tests.yml` but with a manual trigger. Changes made to any of them must be backported to the other one, since they more or less do the same thing. diff --git a/tetrateci/tetrateci/docs/credentials.md b/tetrateci/tetrateci/docs/credentials.md new file mode 100644 index 000000000000..4de990a244e6 --- /dev/null +++ b/tetrateci/tetrateci/docs/credentials.md 
@@ -0,0 +1,18 @@
+## Setting up the CI/CD system
+
+###### Required Creds
+1. AWS_ACCESS_KEY_ID
+2. AWS_REGION
+3. AWS_SECRET_ACCESS_KEY
+4. AZURE_CREDENTIALS : [Note](https://github.com/Azure/login#configure-deployment-credentials)
+5. AZURE_RESOURCE : [ Note : The azure resource name corresponding to the creds ]
+6. BINTRAY_API_KEY
+7. BINTRAY_ARCHIVE_API : [ Note : The archive API url, example - https://api.bintray.com/content/hellozee/istio-archives/istio ]
+8. BINTRAY_USER
+9. DEPLOY_HUB : [ Note : Link to the docker registry where final images would be pushed ]
+10. GCP_PROJECT_ID
+11. GCP_SA_KEY
+12. GETISTIO_PUSH_KEY : [ Note : DEPLOY KEY that can push to the repo ]
+13. TEST_HUB : [ Note : Link to docker registry for pushing test images ]
+14. TEST_HUB_PASS
+15. TEST_HUB_USER
diff --git a/tetrateci/tetrateci/docs/fips.md b/tetrateci/tetrateci/docs/fips.md
new file mode 100644
index 000000000000..a10dbf6eb75a
--- /dev/null
+++ b/tetrateci/tetrateci/docs/fips.md
@@ -0,0 +1,105 @@ +## Introduction + +Google's BoringCrypto [module][1] is used for [FIPS-compliant Istio builds][2]. BoringCrypto is a core module of the +BoringSSL library and has been tested by CMVP to be [FIPS validated][3]. Both the Istio control plane and data plane +are built with these modules. The quickest way to get started with FIPS Istio is to use the +[Tetrate Istio Distribution][4]. + +## FIPS Build Process and Verification + +### Istio Control Plane FIPS Build Process + +This [doc](https://gokulchandrapr.medium.com/go-crypto-and-kubernetes-fips-140-2-fedramp-compliance-66d852ccccd2) +provides a good introduction on what's necessary to build a FIPS compliant go binaries by using boring crypto. + +Roughy speaking, we need to: + +1. Use boringcrypto version Golang toolset. In TID, we set up golang binaries differently, see [setup_boring_go.sh](https://github.com/tetratelabs/istio/blob/f7d03be560753dc71d4c764dceb06f961c4fcdbd/tetrateci/setup_boring_go.sh#L25). +1. Configure `CGO_ENABLED=1` when invoking `go build`. Istio uses a wrapper `gobuild.sh` script to build all Go binaries. +In TID, we ensure the `CGO_ENABLED=1` is patched to this script. For example, in [tetratefips-release-1.9](https://github.com/tetratelabs/istio/blob/tetratefips-release-1.9/common/scripts/gobuild.sh#L53). + TODO(psbrar99): provide link on other releases when we updated from 1.10 and beyond. +1. Optionally, some tutorial may suggest to verify the FIPS compliant build via `go tool nm ./out/linux_amd64/pilot-discovery | grep 'boringcrypto.*'`. + For now, when you run this against TID go binaries, you may not see the symbols, because currently Istio(TID as well) strips off + the symbols by providing [`-ldflags '-extldflags -static -s -w'`](https://github.com/tetratelabs/istio/blob/tetratefips-release-1.9/Makefile.core.mk#L270). + TODO(incfly): consider whether to retain the symbols this as part of the final build. 
+ +### Istio Data Plane Build Process + +Istio dataplane, namely the sidecar proxy binaries, are built under FIPS compliant boringssl implementation. +Per [envoyproxy document](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2), +envoy must be built with `--define boringssl=fips` bazel option. + +TID does set that in the release pipeline, see [Add FIPS flags](https://github.com/tetratelabs/istio/blob/d0d39e76abd8c9293f5095bafc93f94808149c4d/.github/workflows/make_release.yml#L75) in our CI configuration. + + +### Verify Cipher Suite + +Istio could serve TLS in gateway or sidecar. + +1. Gateway, you can choose which Cipher suite to use via [Gateway.Tls]() configuration. +1. Sidecar mTLS, Istio configures a few [Cipher suite](https://github.com/istio/istio/pull/27500/files#diff-d125e7f730d1cbb88e68de5b3899a279868936baeaf2be780be5f052708a71c1R138). + +In either case, you can use the following command to figure out what's being used on both gateway and sidecar TLS. + +```sh +istioctl proxy-config all -ojson | grep -i "cipherSuites" -A10 + "cipherSuites": [ + "ECDHE-ECDSA-AES256-GCM-SHA384", + "ECDHE-RSA-AES256-GCM-SHA384", + "ECDHE-ECDSA-AES128-GCM-SHA256", + "ECDHE-RSA-AES128-GCM-SHA256", + "AES256-GCM-SHA384", + "AES128-GCM-SHA256" + ] + }, + "tlsCertificateSdsSecretConfigs": [ +``` + +### Verify Golang Version Used for Build + +The easiest way to verify the Go version is with Docker. First, create the containers from the [CloudSmith][5] images. +```shell +HUB=containers.istio.tetratelabs.com +TAG=1.11.4-tetratefips-v0 +PILOT_CONTAINER_ID=$(docker create $HUB/pilot:$TAG) +PROXY_CONTAINER_ID=$(docker create $HUB/proxyv2:$TAG) +OPERATOR_CONTAINER_ID=$(docker create $HUB/operator:$TAG) +ISTIOCTL_CONTAINER_ID=$(docker create $HUB/istioctl:$TAG) +CNI_CONTAINER_ID=$(docker create $HUB/install-cni:$TAG) +``` + +Copy the binaries from the containers to your local machine. 
+```shell +docker cp $PILOT_CONTAINER_ID:/usr/local/bin/pilot-discovery pilot-discovery +docker cp $PROXY_CONTAINER_ID:/usr/local/bin/pilot-agent pilot-agent +docker cp $PROXY_CONTAINER_ID:/usr/local/bin/envoy envoy +docker cp $OPERATOR_CONTAINER_ID:/usr/local/bin/operator operator +docker cp $ISTIOCTL_CONTAINER_ID:/usr/local/bin/istioctl istioctl +docker cp $CNI_CONTAINER_ID:/usr/local/bin/install-cni install-cni +``` + +Verify the Go version used by the binaries. +```shell +go version pilot-discovery | cut -f2 -d" " +go version pilot-agent | cut -f2 -d" " +go version operator | cut -f2 -d" " +go version istioctl | cut -f2 -d" " +go version install-cni | cut -f2 -d" " +``` +The Go version should include `b` to indicate BoringSSL, `go1.16.9b7` for example. + +Verify Envoy is using BoringSSL FIPS: +```shell +envoy --version | cut -f4 -d" " +``` + +The version should include `BoringSSL-FIPS`, for example: +```shell +ed148b62dfb0dc79adc8c8573ced4806883389c0/1.19.2-dev/Modified/RELEASE/BoringSSL-FIPS +``` + +[1]: https://go.googlesource.com/go/+/dev.boringcrypto/README.boringcrypto.md +[2]: https://go-boringcrypto.storage.googleapis.com +[3]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3678 +[4]: https://istio.tetratelabs.io/ +[5]: https://cloudsmith.io/~tetrate/repos/getistio-containers/packages/ diff --git a/tetrateci/tetrateci/docs/release.md b/tetrateci/tetrateci/docs/release.md new file mode 100644 index 000000000000..be590518c86b --- /dev/null +++ b/tetrateci/tetrateci/docs/release.md @@ -0,0 +1,3 @@ +# Release Process + +TODO(psbrar99): explain the process. diff --git a/tetrateci/tetrateci/eks-d.tpl b/tetrateci/tetrateci/eks-d.tpl new file mode 100644 index 000000000000..5bacbb487d73 --- /dev/null +++ b/tetrateci/tetrateci/eks-d.tpl 
@@ -0,0 +1,153 @@ +apiVersion: kops.k8s.io/v1alpha2 +kind: Cluster +metadata: + name: {{ .clusterName }} +spec: + api: + loadBalancer: + class: Classic + type: Public + authorization: + rbac: {} + channel: stable + cloudProvider: aws + configBase: {{ .configBase }} + containerRuntime: docker + etcdClusters: + - cpuRequest: 200m + etcdMembers: + - instanceGroup: control-plane-{{.awsRegion}}a + name: a + memoryRequest: 100Mi + name: main + - cpuRequest: 100m + etcdMembers: + - instanceGroup: control-plane-{{.awsRegion}}a + name: a + memoryRequest: 100Mi + name: events + iam: + allowContainerRegistry: true + legacy: false + kubernetesApiAccess: + - 0.0.0.0/0 + kubernetesVersion: {{ .kubernetesVersion }} + masterPublicName: api.{{ .clusterName }} + networkCIDR: 172.20.0.0/16 + networking: + amazonvpc: {} + nonMasqueradeCIDR: 100.64.0.0/10 + sshAccess: + - 0.0.0.0/0 + subnets: + - cidr: 172.20.32.0/19 + name: {{.awsRegion}}a + type: Public + zone: {{.awsRegion}}a + - cidr: 172.20.64.0/19 + name: {{.awsRegion}}b + type: Public + zone: {{.awsRegion}}b + - cidr: 172.20.96.0/19 + name: {{.awsRegion}}c + type: Public + zone: {{.awsRegion}}c + topology: + dns: + type: Public + masters: public + nodes: public + kubeAPIServer: + apiAudiences: + - api + - istio-ca + serviceAccountIssuer: kubernetes.default.svc + image: {{ .kube_apiserver.repository }}:{{ .kube_apiserver.tag }} + kubeControllerManager: + image: {{ .kube_controller_manager.repository }}:{{ .kube_controller_manager.tag }} + kubeScheduler: + image: {{ .kube_scheduler.repository }}:{{ .kube_scheduler.tag }} + kubeProxy: + image: {{ .kube_proxy.repository }}:{{ .kube_proxy.tag }} + # Metrics Server will be supported with kops 1.19 + metricsServer: + enabled: true + image: {{ .metrics_server.repository }}:{{ .metrics_server.tag }} + authentication: + aws: + image: {{ .awsiamauth.repository }}:{{ .awsiamauth.tag }} + kubeDNS: + provider: CoreDNS + coreDNSImage: {{ .coredns.repository }}:{{ .coredns.tag }} + 
externalCoreFile: | + .:53 { + errors + health { + lameduck 5s + } + kubernetes cluster.local. in-addr.arpa ip6.arpa { + pods insecure + #upstream + fallthrough in-addr.arpa ip6.arpa + } + prometheus :9153 + forward . /etc/resolv.conf + loop + cache 30 + loadbalance + reload + } + masterKubelet: + podInfraContainerImage: {{ .pause.repository }}:{{ .pause.tag }} + # kubelet might already be defined, append the following config + kubelet: + podInfraContainerImage: {{ .pause.repository }}:{{ .pause.tag }} + anonymousAuth: false + +--- + +apiVersion: kops.k8s.io/v1alpha2 +kind: InstanceGroup +metadata: + labels: + kops.k8s.io/cluster: {{.clusterName}} + name: control-plane-{{.awsRegion}}a +spec: + {{- if .controlPlaneInstanceProfileArn }} + iam: + profile: {{ .controlPlaneInstanceProfileArn }} + {{- end }} + image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20201026 + machineType: t3.medium + maxSize: 1 + minSize: 1 + nodeLabels: + kops.k8s.io/instancegroup: control-plane-{{.awsRegion}}a + role: Master + subnets: + - {{.awsRegion}}a + +--- + +apiVersion: kops.k8s.io/v1alpha2 +kind: InstanceGroup +metadata: + labels: + kops.k8s.io/cluster: {{.clusterName}} + name: nodes +spec: + {{- if .nodeInstanceProfileArn }} + iam: + profile: {{ .nodeInstanceProfileArn }} + {{- end }} + image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20201026 + machineType: t3.medium + maxSize: 3 + minSize: 3 + nodeLabels: + kops.k8s.io/instancegroup: nodes + role: Node + subnets: + - {{.awsRegion}}a + - {{.awsRegion}}b + - {{.awsRegion}}c diff --git a/tetrateci/tetrateci/fetch_all_tags.sh b/tetrateci/tetrateci/fetch_all_tags.sh new file mode 100755 index 000000000000..b3d5e49b08bf --- /dev/null +++ b/tetrateci/tetrateci/fetch_all_tags.sh 
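Review bot: `sshAccess` and `kubernetesApiAccess` in the Cluster spec are both `0.0.0.0/0`, and every subnet and the topology are `Public`, so the SSH and Kubernetes API ports of the test cluster accept connections from any address for as long as the cluster exists. The allowed source range can be a template value like the other fields, for example a list entry `- "{{ .adminCidr }}"` under each key (that variable name is illustrative; the template does not define it today), or `sshAccess` can be dropped if the pipeline never logs in to the nodes. The embedded Corefile also uses `pods insecure`, which answers pod records without checking that the pod exists; `pods verified` is the stricter setting if pod records are needed at all.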
@@ -0,0 +1,60 @@ +#!/usr/bin/env bash +set -o errexit +set -o pipefail +# we first fetch all the tags from origin and then from upstream +# the tag should be in form of number.number.number +git remote add upstream https://github.com/istio/istio +git fetch --tags origin +git tag -l | grep -E "^[0-9]+.[0-9]+.[0-9]+$" > /tmp/oldtags +git fetch --tags upstream +git tag -l | grep -E "^[0-9]+.[0-9]+.[0-9]+$" > /tmp/newtags + +echo "print oldtags" +cat /tmp/oldtags +echo "print newtags" +cat /tmp/newtags + +# then compare the list and pick the ones unique to the second list +tags=$(comm -13 /tmp/oldtags /tmp/newtags) +echo "===================" +echo "New istio tags to be created $tags" +echo "===================" + +git config user.name github-actions +git config user.email github-actions@github.com + +for tag in $tags; do + # the branch names are suffixed with the first 2 numbers in the version + branch=$( echo $tag | cut -d. -f1,2 ) + if [[ ! $(git rev-parse --verify --quiet origin/tetrate-release-$branch) ]]; then + # create the tetrate release branch if it doesn't exist with the workflows + git checkout -b tetrate-release-$branch origin/tetrate-workflow + git merge $tag --no-edit --allow-unrelated-histories -X theirs + git tag test-$tag-tetrate-v0 + else + git checkout -b tetrate-release-$branch origin/tetrate-release-$branch + git merge $tag --no-edit --allow-unrelated-histories -X theirs + git tag test-$tag-tetrate-v0 + fi + + git push origin tetrate-release-$branch --tags + + # Now for FIPS + if [[ ! 
$(git rev-parse --verify --quiet origin/tetratefips-release-$branch) ]]; then + git checkout -b tetratefips-release-$branch origin/tetrate-workflow + git merge $tag --no-edit --allow-unrelated-histories -X theirs + # no tag created since we need to backport the corresponding patch for fips compliant build manually + else + git checkout -b tetratefips-release-$branch origin/tetratefips-release-$branch + git merge $tag --no-edit --allow-unrelated-histories -X theirs + git tag test-$tag-tetratefips-v0 + fi + + git push origin tetratefips-release-$branch --tags + + export TAG=$tag + ./tetrateci/upload_upstream_release.sh +done + +# finally push all the tags +git push --tags origin diff --git a/tetrateci/tetrateci/fips.md b/tetrateci/tetrateci/fips.md new file mode 100644 index 000000000000..542507aedfb3 --- /dev/null +++ b/tetrateci/tetrateci/fips.md 
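Review bot: The tag filter `grep -E "^[0-9]+.[0-9]+.[0-9]+$"` leaves the dots unescaped, so `.` matches any character and the "number.number.number" form promised by the comment above it is not what is enforced; every tag that passes is then merged with `-X theirs`, tagged `test-...` and pushed to origin. Escape the dots on both the oldtags and newtags lines: `grep -E '^[0-9]+\.[0-9]+\.[0-9]+$'`. The pushes use `--tags`, which sends every tag fetched from upstream and not only the filtered ones, so if only the selected releases are meant to reach origin the new tag names should be pushed explicitly. `git remote add upstream` also aborts the script under `errexit` when the remote already exists, and `$tag` and `$branch` are better quoted where they are passed to git.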
@@ -0,0 +1,60 @@ +## Introduction + +Google's BoringCrypto [module][1] is used for [FIPS-compliant Istio builds][2]. BoringCrypto is a core module of the +BoringSSL library and has been tested by CMVP to be [FIPS validated][3]. Both the Istio control plane and data plane +are built with these modules. The quickest way to get started with FIPS Istio is to use the +[Tetrate Istio Distribution][4]. + +## FIPS Verification + +The easiest way to verify the Go version is with Docker. First, create the containers from the [CloudSmith][5] images. +```shell +HUB=containers.istio.tetratelabs.com +TAG=1.11.4-tetratefips-v0 +PILOT_CONTAINER_ID=$(docker create $HUB/pilot:$TAG) +PROXY_CONTAINER_ID=$(docker create $HUB/proxyv2:$TAG) +OPERATOR_CONTAINER_ID=$(docker create $HUB/operator:$TAG) +ISTIOCTL_CONTAINER_ID=$(docker create $HUB/istioctl:$TAG) +CNI_CONTAINER_ID=$(docker create $HUB/install-cni:$TAG) +``` + +Copy the binaries from the containers to your local machine. +```shell +docker cp $PILOT_CONTAINER_ID:/usr/local/bin/pilot-discovery pilot-discovery +docker cp $PROXY_CONTAINER_ID:/usr/local/bin/pilot-agent pilot-agent +docker cp $PROXY_CONTAINER_ID:/usr/local/bin/envoy envoy +docker cp $OPERATOR_CONTAINER_ID:/usr/local/bin/operator operator +docker cp $ISTIOCTL_CONTAINER_ID:/usr/local/bin/istioctl istioctl +docker cp $CNI_CONTAINER_ID:/usr/local/bin/install-cni install-cni +``` + +Verify the Go version used by the binaries. 
+```shell +go version pilot-discovery +go version pilot-agent +go version operator +go version istioctl +go version install-cni +``` + +For Istio minor version <1.15 +The Go version should include `b` to indicate BoringSSL, `go1.16.9b7` +For Istio minor version >1.15 +The Go version should indicate X:boringcrypto as cryptolibrary, `pilot-discovery: go1.19.1 X:boringcrypto` + + +Verify Envoy is using BoringSSL FIPS: +```shell +envoy --version | cut -f4 -d" " +``` + +The version should include `BoringSSL-FIPS`, for example: +```shell +ed148b62dfb0dc79adc8c8573ced4806883389c0/1.19.2-dev/Modified/RELEASE/BoringSSL-FIPS +``` + +[1]: https://go.googlesource.com/go/+/dev.boringcrypto/README.boringcrypto.md +[2]: https://go-boringcrypto.storage.googleapis.com +[3]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3678 +[4]: https://istio.tetratelabs.io/ +[5]: https://cloudsmith.io/~tetrate/repos/getistio-containers/packages/ diff --git a/tetrateci/tetrateci/gen_iop.py b/tetrateci/tetrateci/gen_iop.py new file mode 100755 index 000000000000..ab6364c51c54 --- /dev/null +++ b/tetrateci/tetrateci/gen_iop.py @@ -0,0 +1,14 @@ +#!/usr/bin/python + +import yaml + +extra = {'cni' : {'cniBinDir' : '/home/kubernetes/bin', 'excludeNamespaces' : ['istio-system', 'kube-system']}} + +with open(r'./tests/integration/iop-integration-test-defaults.yaml') as file : + iop_config = yaml.load(file, Loader=yaml.FullLoader) + if "values" not in iop_config['spec']: + iop_config['spec'] = dict(values=extra) + else: + iop_config['spec']['values'].update(extra) + f = open(r'./tetrateci/iop-gke-integration.yml', 'w') + yaml.dump(iop_config, f) diff --git a/tetrateci/tetrateci/gen_release_manifest.py b/tetrateci/tetrateci/gen_release_manifest.py new file mode 100755 index 000000000000..421dfe1393d9 --- /dev/null +++ b/tetrateci/tetrateci/gen_release_manifest.py 
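Review bot: `yaml.load(file, Loader=yaml.FullLoader)` in gen_iop.py reads what is a plain configuration mapping, and `yaml.safe_load(file)` is sufficient for that while refusing Python-specific tags. That matters here because `tests/integration/iop-integration-test-defaults.yaml` appears to come from the upstream tree that the sync job merges automatically. gen_release_manifest.py in this commit loads its source manifest the same way and can take the same one-line change, `manifest = yaml.safe_load(file)`. The output file opened with `f = open(r'./tetrateci/iop-gke-integration.yml', 'w')` is never closed; writing it inside `with open(...) as f:` makes the flush explicit.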
@@ -0,0 +1,45 @@
+#!/usr/bin/python3
+
+import yaml, sys, os
+
+if len(sys.argv) != 3:
+ print("Usage ./gen_release_manifest.py source_yaml distination_folder")
+ exit(1)
+
+print("Reading arguments")
+source_yaml = sys.argv[1]
+destination_folder = sys.argv[2]
+
+print("Reading environment variables")
+hub = os.environ.get("HUB")
+tag = os.environ.get("TAG")
+branch = os.environ.get("BRANCH")
+
+print("HUB: ", hub)
+print("TAG: ", tag)
+print("BRANCH: ", branch)
+
+with open(source_yaml, "r") as file :
+ print("Loading source yaml: ", source_yaml)
+ manifest = yaml.load(file, Loader=yaml.FullLoader)
+ manifest["ignoreVulnerability"] = False
+ manifest["docker"] = hub
+ manifest["version"] = tag
+ manifest["dependencies"]["istio"] = {"localpath" : "./istio"}
+ manifest["dependencies"]["client-go"]["branch"] = branch
+ del manifest["dependencies"]["proxy"]["auto"]
+ manifest["dependencies"]["proxy"]["branch"] = branch
+ manifest["dependencies"]["tools"]["branch"] = branch
+ # genproto has been removed from 1.14
+ # added check for "gogo-genproto" dependenciy if it present then assign branch
+ if "gogo-genproto" in manifest["dependencies"]:
+ manifest["dependencies"]["gogo-genproto"]["branch"] = branch
+ manifest["dependencies"]["envoy"]["git"] = "https://github.com/envoyproxy/envoy"
+ manifest['outputs'] = ["docker"]
+ f = open(os.path.join(destination_folder, "manifest.docker.yaml"), 'w')
+ yaml.dump(manifest, f)
+ print(manifest)
+ manifest['outputs'] = ["archive"]
+ print(manifest)
+ f = open(os.path.join(destination_folder, "manifest.archive.yaml"), 'w')
+ yaml.dump(manifest, f)
\ No newline at end of file
diff --git a/tetrateci/tetrateci/images.sh b/tetrateci/tetrateci/images.sh
new file mode 100644
index 000000000000..d61f5ec7b8d4
--- /dev/null
+++ b/tetrateci/tetrateci/images.sh
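Review bot: `hub`, `tag` and `branch` are read with `os.environ.get(...)` and written into the manifest unchecked, so a missing `HUB`, `TAG` or `BRANCH` becomes `null` for `docker`, `version` or the dependency branches instead of stopping the release job. Read them with `os.environ["HUB"]` (likewise for the other two) or exit with a message when any of them is empty. Both output files are opened with a bare `open(...)` and never closed; a `with` block for each guarantees that manifest.docker.yaml and manifest.archive.yaml are fully written before release-builder reads them.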
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+# set -x
+
+BASEDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
+
+mkdir containers.istio.tetratelabs.com
+
+IMAGES=(app
+install-cni
+istioctl
+pilot
+proxyv2)
+
+
+IMAGE_SUFFIXES=("debug" "distroless")
+
+for image in "${IMAGES[@]}"; do
+ for suffix in "${IMAGE_SUFFIXES[@]}"; do
+ echo containers.istio.tetratelabs.com/${image}:${TAG}-${suffix} >> list.txt
+ cat list.txt
+ done
+done
diff --git a/tetrateci/tetrateci/iop-gke-integration.yml b/tetrateci/tetrateci/iop-gke-integration.yml
new file mode 100644
index 000000000000..dc67026e68fb
--- /dev/null
+++ b/tetrateci/tetrateci/iop-gke-integration.yml
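Review bot: `mkdir containers.istio.tetratelabs.com` runs under `errexit` without `-p`, so a second run in the same working directory stops at that line, and nothing in this script writes into the directory. Use `mkdir -p`, or drop the line if the directory is only needed by a later step. `list.txt` is appended to with `>>` and printed with `cat` on every iteration; truncating it once before the loops (`: > list.txt`) and printing it once after them keeps a rerun from leaving duplicate image references in the list.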
@@ -0,0 +1,75 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +metadata: + name: install +spec: + meshConfig: + accessLogFile: "/dev/stdout" + defaultConfig: + proxyMetadata: + ISTIO_META_DNS_CAPTURE: "true" + components: + ingressGateways: + - name: istio-ingressgateway + enabled: true + k8s: + service: + ports: + ## Default ports + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + ## Extra ports for testing + - port: 15012 + targetPort: 15012 + name: tls-istiod + - port: 15017 + targetPort: 15017 + name: tls-webhook + - port: 31400 + targetPort: 31400 + name: tcp + # Enable the egressgateway for all tests by default. + egressGateways: + - name: istio-egressgateway + enabled: true + values: + cni: + cniBinDir: /home/kubernetes/bin + excludeNamespaces: + - istio-system + - kube-system + global: + externalIstiod: true + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + pilot: + env: + PILOT_ENABLED_SERVICE_APIS: true + ENABLE_ADMIN_ENDPOINTS: true + PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION: true + gateways: + istio-ingressgateway: + autoscaleMax: 1 + resources: + requests: + cpu: 10m + memory: 40Mi + istio-egressgateway: + autoscaleMax: 1 + resources: + requests: + cpu: 10m diff --git a/tetrateci/tetrateci/manifest.yaml.in b/tetrateci/tetrateci/manifest.yaml.in new file mode 100644 index 000000000000..6d944f232bed --- /dev/null +++ b/tetrateci/tetrateci/manifest.yaml.in 
@@ -0,0 +1,46 @@
+version: $TAG
+
+docker: $HUB
+
+directory: /tmp/istio-release
+
+ignoreVulnerability: true
+
+dependencies:
+ istio:
+ localpath: ./istio
+ api:
+ git: https://github.com/istio/api
+ auto: modules
+ proxy:
+ git: https://github.com/istio/proxy
+ auto: deps
+ pkg:
+ git: https://github.com/istio/pkg
+ auto: modules
+ client-go:
+ git: https://github.com/istio/client-go
+ branch: $BRANCH
+ goversionenabled: true
+ gogo-genproto:
+ git: https://github.com/istio/gogo-genproto
+ branch: $BRANCH
+ test-infra:
+ git: https://github.com/istio/test-infra
+ branch: master
+ tools:
+ git: https://github.com/istio/tools
+ branch: $BRANCH
+ envoy:
+ git: https://github.com/envoyproxy/envoy
+ auto: proxy_workspace
+
+dashboards:
+ istio-extension-dashboard: 13277
+ istio-mesh-dashboard: 7639
+ istio-performance-dashboard: 11829
+ istio-service-dashboard: 7636
+ istio-workload-dashboard: 7630
+ pilot-dashboard: 7645
+
+outputs:
diff --git a/tetrateci/tetrateci/patches/build/e2e/1.11/0001-Allow-turning-off-ALPN-in-echo-server-35447.patch b/tetrateci/tetrateci/patches/build/e2e/1.11/0001-Allow-turning-off-ALPN-in-echo-server-35447.patch
new file mode 100644
index 000000000000..4d818afa43f9
--- /dev/null
+++ b/tetrateci/tetrateci/patches/build/e2e/1.11/0001-Allow-turning-off-ALPN-in-echo-server-35447.patch
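Review bot: `ignoreVulnerability: true` is set in this template, while gen_release_manifest.py in the same commit forces `manifest["ignoreVulnerability"] = False` for the manifests it writes, so the two paths disagree on whether a vulnerability finding should stop a build. Assuming release-builder treats the flag as its name suggests, a manifest rendered from this template would let such a build through; set `ignoreVulnerability: false` here, or add a comment saying the template is only used for test builds if that is the case. `test-infra` follows `branch: master` while the other dependencies follow `$BRANCH`, which leaves that input unpinned. `version: $TAG` and `docker: $HUB` are substituted as plain scalars, and quoting them (`version: "$TAG"`) keeps an empty or number-like value from being retyped by the YAML parser.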
@@ -0,0 +1,173 @@ +From a73e4473ebf9f35d15d825077253993f6e770020 Mon Sep 17 00:00:00 2001 +From: John Howard +Date: Mon, 4 Oct 2021 11:06:39 -0700 +Subject: [PATCH] Allow turning off ALPN in echo server (#35447) + +--- + pkg/test/echo/cmd/server/main.go | 3 +++ + pkg/test/echo/common/model.go | 5 +++++ + pkg/test/echo/server/endpoint/http.go | 6 +++++- + pkg/test/echo/server/endpoint/instance.go | 1 + + pkg/test/echo/server/instance.go | 2 ++ + .../components/echo/kube/deployment.go | 3 +++ + .../security/ca_custom_root/main_test.go | 21 +++++++++++-------- + 7 files changed, 31 insertions(+), 10 deletions(-) + +diff --git a/pkg/test/echo/cmd/server/main.go b/pkg/test/echo/cmd/server/main.go +index e32a07dff5..30bc9d7a01 100644 +--- a/pkg/test/echo/cmd/server/main.go ++++ b/pkg/test/echo/cmd/server/main.go +@@ -48,6 +48,7 @@ var ( + crt string + key string + istioVersion string ++ disableALPN bool + + loggingOptions = log.DefaultOptions() + +@@ -123,6 +124,7 @@ var ( + Cluster: cluster, + IstioVersion: istioVersion, + UDSServer: uds, ++ DisableALPN: disableALPN, + }) + + if err := s.Start(); err != nil { +@@ -164,6 +166,7 @@ func init() { + rootCmd.PersistentFlags().StringVar(&crt, "crt", "", "gRPC TLS server-side certificate") + rootCmd.PersistentFlags().StringVar(&key, "key", "", "gRPC TLS server-side key") + rootCmd.PersistentFlags().StringVar(&istioVersion, "istio-version", "", "Istio sidecar version") ++ rootCmd.PersistentFlags().BoolVar(&disableALPN, "disable-alpn", disableALPN, "disable ALPN negotiation") + + loggingOptions.AttachCobraFlags(rootCmd) + +diff --git a/pkg/test/echo/common/model.go b/pkg/test/echo/common/model.go +index 0433f36ef8..2e721ebdd7 100644 +--- a/pkg/test/echo/common/model.go ++++ b/pkg/test/echo/common/model.go +@@ -28,6 +28,11 @@ type TLSSettings struct { + Hostname string + // If set to true, the cert will be provisioned by proxy, and extra cert volume will be mounted. 
+ ProxyProvision bool ++ // AcceptAnyALPN, if true, will make the server accept ANY ALPNs. This comes at the expense of ++ // allowing h2 negotiation and being able to detect the negotiated ALPN (as there is none), because ++ // Golang doesn't like us doing this (https://github.com/golang/go/issues/46310). ++ // This is useful when the server is simulating Envoy which does unconventional things with ALPN. ++ AcceptAnyALPN bool + } + + // Port represents a network port where a service is listening for +diff --git a/pkg/test/echo/server/endpoint/http.go b/pkg/test/echo/server/endpoint/http.go +index 59aa38abd6..2d93d55fa4 100644 +--- a/pkg/test/echo/server/endpoint/http.go ++++ b/pkg/test/echo/server/endpoint/http.go +@@ -86,9 +86,13 @@ func (s *httpInstance) Start(onReady OnReadyFunc) error { + if cerr != nil { + return fmt.Errorf("could not load TLS keys: %v", cerr) + } ++ nextProtos := []string{"h2", "http/1.1", "http/1.0"} ++ if s.DisableALPN { ++ nextProtos = nil ++ } + config := &tls.Config{ + Certificates: []tls.Certificate{cert}, +- NextProtos: []string{"h2", "http/1.1", "http/1.0"}, ++ NextProtos: nextProtos, + GetConfigForClient: func(info *tls.ClientHelloInfo) (*tls.Config, error) { + // There isn't a way to pass through all ALPNs presented by the client down to the + // HTTP server to return in the response. However, for debugging, we can at least log +diff --git a/pkg/test/echo/server/endpoint/instance.go b/pkg/test/echo/server/endpoint/instance.go +index f2ccbf5086..f6a0c7de16 100644 +--- a/pkg/test/echo/server/endpoint/instance.go ++++ b/pkg/test/echo/server/endpoint/instance.go +@@ -40,6 +40,7 @@ type Config struct { + Port *common.Port + ListenerIP string + IstioVersion string ++ DisableALPN bool + } + + // Instance of an endpoint that serves the Echo application on a single port/protocol. 
+diff --git a/pkg/test/echo/server/instance.go b/pkg/test/echo/server/instance.go +index b3040fcea7..ccf0557855 100644 +--- a/pkg/test/echo/server/instance.go ++++ b/pkg/test/echo/server/instance.go +@@ -47,6 +47,7 @@ type Config struct { + Cluster string + Dialer common.Dialer + IstioVersion string ++ DisableALPN bool + } + + func (c Config) String() string { +@@ -164,6 +165,7 @@ func (s *Instance) newEndpoint(port *common.Port, udsServer string) (endpoint.In + TLSKey: s.TLSKey, + Dialer: s.Dialer, + ListenerIP: ip, ++ DisableALPN: s.DisableALPN, + IstioVersion: s.IstioVersion, + }) + } +diff --git a/pkg/test/framework/components/echo/kube/deployment.go b/pkg/test/framework/components/echo/kube/deployment.go +index 667a79fa7c..75079eb210 100644 +--- a/pkg/test/framework/components/echo/kube/deployment.go ++++ b/pkg/test/framework/components/echo/kube/deployment.go +@@ -221,6 +221,9 @@ spec: + {{- if $.TLSSettings }} + - --crt=/etc/certs/custom/cert-chain.pem + - --key=/etc/certs/custom/key.pem ++{{- if $.TLSSettings.AcceptAnyALPN}} ++ - --disable-alpn ++{{- end }} + {{- else }} + - --crt=/cert.crt + - --key=/cert.key +diff --git a/tests/integration/security/ca_custom_root/main_test.go b/tests/integration/security/ca_custom_root/main_test.go +index 095a242184..293bc5c085 100644 +--- a/tests/integration/security/ca_custom_root/main_test.go ++++ b/tests/integration/security/ca_custom_root/main_test.go +@@ -141,9 +141,10 @@ func SetupApps(ctx resource.Context, apps *EchoDeployments) error { + }, + }, + TLSSettings: &common.TLSSettings{ +- RootCert: rootCert, +- ClientCert: clientCert, +- Key: Key, ++ RootCert: rootCert, ++ ClientCert: clientCert, ++ Key: Key, ++ AcceptAnyALPN: true, + }, + }). 
+ WithConfig(echo.Config{ +@@ -165,9 +166,10 @@ func SetupApps(ctx resource.Context, apps *EchoDeployments) error { + }, + }, + TLSSettings: &common.TLSSettings{ +- RootCert: rootCert, +- ClientCert: clientCert, +- Key: Key, ++ RootCert: rootCert, ++ ClientCert: clientCert, ++ Key: Key, ++ AcceptAnyALPN: true, + }, + }). + WithConfig(echo.Config{ +@@ -190,9 +192,10 @@ func SetupApps(ctx resource.Context, apps *EchoDeployments) error { + }, + }, + TLSSettings: &common.TLSSettings{ +- RootCert: rootCertAlt, +- ClientCert: clientCertAlt, +- Key: keyAlt, ++ RootCert: rootCertAlt, ++ ClientCert: clientCertAlt, ++ Key: keyAlt, ++ AcceptAnyALPN: true, + }, + }). + WithConfig(echo.Config{ +-- +2.21.1 (Apple Git-122.3) + diff --git a/tetrateci/tetrateci/patches/build/e2e/1.11/README.md b/tetrateci/tetrateci/patches/build/e2e/1.11/README.md new file mode 100644 index 000000000000..0aeef44acd7e --- /dev/null +++ b/tetrateci/tetrateci/patches/build/e2e/1.11/README.md @@ -0,0 +1,14 @@ +# Patches to Istio 1.11 + +## 0001-Allow-turning-off-ALPN-in-echo-server-35447.patch + +### Why do we need it? + +Integration tests of `Istio 1.11` were relying on certain behaviour +of the HTTPS server from the Go standard library. + +In `Go 1.17`, behaviour of the HTTPS server has changed and tests started failing. + +In `Istio 1.12` they changed integration tests in order to be able to upgrade to `Go 1.17`. + +See https://github.com/istio/istio/pull/35447 diff --git a/tetrateci/tetrateci/patches/common/disable-autoscaling-on-cpu.1.8.patch b/tetrateci/tetrateci/patches/common/disable-autoscaling-on-cpu.1.8.patch new file mode 100644 index 000000000000..112ad1cb6440 --- /dev/null +++ b/tetrateci/tetrateci/patches/common/disable-autoscaling-on-cpu.1.8.patch 
@@ -0,0 +1,13 @@
+diff --git a/manifests/charts/istiocoredns/values.yaml b/manifests/charts/istiocoredns/values.yaml
+index e163cc0e3d..63cac9b587 100644
+--- a/manifests/charts/istiocoredns/values.yaml
++++ b/manifests/charts/istiocoredns/values.yaml
+@@ -3,7 +3,7 @@
+ #
+ istiocoredns:
+ enabled: false
+- autoscaleEnabled: true
++ autoscaleEnabled: false
+ autoscaleMin: 1
+ autoscaleMax: 5
+ replicaCount: 1
diff --git a/tetrateci/tetrateci/patches/common/disable-passthroughfilterchain.1.10.patch b/tetrateci/tetrateci/patches/common/disable-passthroughfilterchain.1.10.patch
new file mode 100644
index 000000000000..779e6ee7c2d4
--- /dev/null
+++ b/tetrateci/tetrateci/patches/common/disable-passthroughfilterchain.1.10.patch
@@ -0,0 +1,12 @@
+diff --git a/tests/integration/security/pass_through_filter_chain_test.go b/tests/integration/security/pass_through_filter_chain_test.go
+index 2c7c0a67ba..df93bf72c9 100644
+--- a/tests/integration/security/pass_through_filter_chain_test.go
++++ b/tests/integration/security/pass_through_filter_chain_test.go
+@@ -33,6 +33,7 @@ import (
+
+ // TestPassThroughFilterChain tests the authN and authZ policy on the pass through filter chain.
+ func TestPassThroughFilterChain(t *testing.T) {
++ t.Skip("https://github.com/istio/istio/issues/32623")
+ framework.
+ NewTest(t).
+ Features("security.filterchain").
diff --git a/tetrateci/tetrateci/patches/common/disable-passthroughfilterchain.1.9.patch b/tetrateci/tetrateci/patches/common/disable-passthroughfilterchain.1.9.patch
new file mode 100644
index 000000000000..779e6ee7c2d4
--- /dev/null
+++ b/tetrateci/tetrateci/patches/common/disable-passthroughfilterchain.1.9.patch
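Review bot: The `t.Skip` added at the top of `TestPassThroughFilterChain` is unconditional, so a build carrying this patch runs no authN/authZ checks on the pass-through filter chain at all, and the skip message is only an issue URL. I would gate the skip on the environment that actually hits the issue, or at least put the reason next to the link, e.g. `t.Skip("<reason>, see https://github.com/istio/istio/issues/32623")`, so the lost security coverage shows up in test output and is easy to revisit. The identical hunk in disable-passthroughfilterchain.1.9.patch has the same gap. The test body continues outside the hunk.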
@@ -0,0 +1,12 @@
+diff --git a/tests/integration/security/pass_through_filter_chain_test.go b/tests/integration/security/pass_through_filter_chain_test.go
+index 2c7c0a67ba..df93bf72c9 100644
+--- a/tests/integration/security/pass_through_filter_chain_test.go
++++ b/tests/integration/security/pass_through_filter_chain_test.go
+@@ -33,6 +33,7 @@ import (
+
+ // TestPassThroughFilterChain tests the authN and authZ policy on the pass through filter chain.
+ func TestPassThroughFilterChain(t *testing.T) {
++ t.Skip("https://github.com/istio/istio/issues/32623")
+ framework.
+ NewTest(t).
+ Features("security.filterchain").
diff --git a/tetrateci/tetrateci/patches/common/disable-vmregistration.1.10.patch b/tetrateci/tetrateci/patches/common/disable-vmregistration.1.10.patch
new file mode 100644
index 000000000000..849ede9a4f93
--- /dev/null
+++ b/tetrateci/tetrateci/patches/common/disable-vmregistration.1.10.patch
@@ -0,0 +1,12 @@
+diff --git a/tests/integration/pilot/vm_test.go b/tests/integration/pilot/vm_test.go
+index 5aa5af8855..6b458503d0 100644
+--- a/tests/integration/pilot/vm_test.go
++++ b/tests/integration/pilot/vm_test.go
+@@ -76,6 +76,7 @@ func TestVmOSPost(t *testing.T) {
+ }
+
+ func TestVMRegistrationLifecycle(t *testing.T) {
++ t.Skip("https://github.com/istio/istio/issues/29100")
+ framework.
+ NewTest(t).
+ RequiresSingleCluster().
diff --git a/tetrateci/tetrateci/patches/common/disable-vmregistration.1.8.patch b/tetrateci/tetrateci/patches/common/disable-vmregistration.1.8.patch
new file mode 100644
index 000000000000..849ede9a4f93
--- /dev/null
+++ b/tetrateci/tetrateci/patches/common/disable-vmregistration.1.8.patch
@@ -0,0 +1,12 @@
+diff --git a/tests/integration/pilot/vm_test.go b/tests/integration/pilot/vm_test.go
+index 5aa5af8855..6b458503d0 100644
+--- a/tests/integration/pilot/vm_test.go
++++ b/tests/integration/pilot/vm_test.go
+@@ -76,6 +76,7 @@ func TestVmOSPost(t *testing.T) {
+ }
+
+ func TestVMRegistrationLifecycle(t *testing.T) {
++ t.Skip("https://github.com/istio/istio/issues/29100")
+ framework.
+ NewTest(t).
+ RequiresSingleCluster().
diff --git a/tetrateci/tetrateci/patches/common/disable-vmregistration.1.9.patch b/tetrateci/tetrateci/patches/common/disable-vmregistration.1.9.patch
new file mode 100644
index 000000000000..849ede9a4f93
--- /dev/null
+++ b/tetrateci/tetrateci/patches/common/disable-vmregistration.1.9.patch
@@ -0,0 +1,12 @@
+diff --git a/tests/integration/pilot/vm_test.go b/tests/integration/pilot/vm_test.go
+index 5aa5af8855..6b458503d0 100644
+--- a/tests/integration/pilot/vm_test.go
++++ b/tests/integration/pilot/vm_test.go
+@@ -76,6 +76,7 @@ func TestVmOSPost(t *testing.T) {
+ }
+
+ func TestVMRegistrationLifecycle(t *testing.T) {
++ t.Skip("https://github.com/istio/istio/issues/29100")
+ framework.
+ NewTest(t).
+ RequiresSingleCluster().
diff --git a/tetrateci/tetrateci/patches/common/enable-arm64.1.12.patch b/tetrateci/tetrateci/patches/common/enable-arm64.1.12.patch
new file mode 100644
index 000000000000..d9e0e4845e18
--- /dev/null
+++ b/tetrateci/tetrateci/patches/common/enable-arm64.1.12.patch
@@ -0,0 +1,24 @@
+diff --git a/manifests/charts/gateways/istio-egress/values.yaml b/manifests/charts/gateways/istio-egress/values.yaml
+index 5562ba5342..0308cbdd8c 100644
+--- a/manifests/charts/gateways/istio-egress/values.yaml
++++ b/manifests/charts/gateways/istio-egress/values.yaml
+@@ -170,6 +170,7 @@ global:
+ # 3 - Most preferred
+ arch:
+ amd64: 2
++ arm64: 2
+ s390x: 2
+ ppc64le: 2
+
+diff --git a/manifests/charts/gateways/istio-ingress/values.yaml b/manifests/charts/gateways/istio-ingress/values.yaml
+index 7be1815185..726aad6f0f 100644
+--- a/manifests/charts/gateways/istio-ingress/values.yaml
++++ b/manifests/charts/gateways/istio-ingress/values.yaml
+@@ -183,6 +183,7 @@ global:
+ # 3 - Most preferred
+ arch:
+ amd64: 2
++ arm64: 2
+ s390x: 2
+ ppc64le: 2
+
diff --git a/tetrateci/tetrateci/patches/common/fix-version-check.1.9.patch b/tetrateci/tetrateci/patches/common/fix-version-check.1.9.patch
new file mode 100644
index 000000000000..4f0e26bba987
--- /dev/null
+++ b/tetrateci/tetrateci/patches/common/fix-version-check.1.9.patch
@@ -0,0 +1,13 @@
+diff --git a/pkg/test/framework/components/cluster/topology.go b/pkg/test/framework/components/cluster/topology.go
+index cb2f02b91c..b5eef8100a 100644
+--- a/pkg/test/framework/components/cluster/topology.go
++++ b/pkg/test/framework/components/cluster/topology.go
+@@ -122,7 +122,7 @@ func (c Topology) MinKubeVersion(major, minor int) bool {
+ if err != nil {
+ return true
+ }
+- serverMinor, err := strconv.Atoi(ver.Minor)
++ serverMinor, err := strconv.Atoi(ver.Minor[:2])
+ if err != nil {
+ return true
+ }
diff --git a/tetrateci/tetrateci/patches/common/increase-dashboard-timeout.1.10.patch b/tetrateci/tetrateci/patches/common/increase-dashboard-timeout.1.10.patch
new file mode 100644
index 000000000000..7250fa0dea97
--- /dev/null
+++ b/tetrateci/tetrateci/patches/common/increase-dashboard-timeout.1.10.patch
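Review bot: `ver.Minor[:2]` panics with a slice-bounds error when the server reports a minor version shorter than two characters (for example `"9"`), and it silently truncates a three-digit minor. If the aim is to drop a trailing `+` from vendor version strings (an assumption, the patch does not say), trimming the suffix is safer: `serverMinor, err := strconv.Atoi(strings.TrimSuffix(ver.Minor, "+"))`. That needs `strings` imported in topology.go, which this hunk does not show. MinKubeVersion starts and ends outside the hunk.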
@@ -0,0 +1,13 @@
+diff --git a/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go b/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go
+index 3f8d8cb32c..d3c7c0fecf 100644
+--- a/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go
++++ b/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go
+@@ -177,7 +177,7 @@ func TestDashboard(t *testing.T) {
+ for _, query := range queries {
+ retry.UntilSuccessOrFail(t, func() error {
+ return checkMetric(cl, p, query, d.excluded)
+- }, retry.Timeout(time.Minute))
++ }, retry.Timeout(5*time.Minute))
+ }
+ }
+ })
diff --git a/tetrateci/tetrateci/patches/common/increase-dashboard-timeout.1.11.patch b/tetrateci/tetrateci/patches/common/increase-dashboard-timeout.1.11.patch
new file mode 100644
index 000000000000..7250fa0dea97
--- /dev/null
+++ b/tetrateci/tetrateci/patches/common/increase-dashboard-timeout.1.11.patch
@@ -0,0 +1,13 @@
+diff --git a/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go b/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go
+index 3f8d8cb32c..d3c7c0fecf 100644
+--- a/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go
++++ b/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go
+@@ -177,7 +177,7 @@ func TestDashboard(t *testing.T) {
+ for _, query := range queries {
+ retry.UntilSuccessOrFail(t, func() error {
+ return checkMetric(cl, p, query, d.excluded)
+- }, retry.Timeout(time.Minute))
++ }, retry.Timeout(5*time.Minute))
+ }
+ }
+ })
diff --git a/tetrateci/tetrateci/patches/common/increase-dashboard-timeout.1.8.patch b/tetrateci/tetrateci/patches/common/increase-dashboard-timeout.1.8.patch
new file mode 100644
index 000000000000..326d67377f50
--- /dev/null
+++ b/tetrateci/tetrateci/patches/common/increase-dashboard-timeout.1.8.patch
@@ -0,0 +1,17 @@
+diff --git a/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go b/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go
+index f93c640be0..3cb5e255ef 100644
+--- a/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go
++++ b/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go
+@@ -163,9 +163,9 @@ func TestDashboard(t *testing.T) {
+ }
+
+ for _, query := range queries {
+- if err := checkMetric(cl, p, query, d.excluded); err != nil {
+- t.Errorf("Check query failed for cluster %s: %v", cl.Name(), err)
+- }
++ retry.UntilSuccessOrFail(t, func() error {
++ return checkMetric(cl, p, query, d.excluded)
++ }, retry.Timeout(5 * time.Minute))
+ }
+ }
+ })
diff --git a/tetrateci/tetrateci/patches/common/increase-dashboard-timeout.1.9.patch b/tetrateci/tetrateci/patches/common/increase-dashboard-timeout.1.9.patch
new file mode 100644
index 000000000000..7250fa0dea97
--- /dev/null
+++ b/tetrateci/tetrateci/patches/common/increase-dashboard-timeout.1.9.patch
@@ -0,0 +1,13 @@
+diff --git a/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go b/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go
+index 3f8d8cb32c..d3c7c0fecf 100644
+--- a/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go
++++ b/tests/integration/telemetry/stats/prometheus/nullvm/dashboard_test.go
+@@ -177,7 +177,7 @@ func TestDashboard(t *testing.T) {
+ for _, query := range queries {
+ retry.UntilSuccessOrFail(t, func() error {
+ return checkMetric(cl, p, query, d.excluded)
+- }, retry.Timeout(time.Minute))
++ }, retry.Timeout(5*time.Minute))
+ }
+ }
+ })
diff --git a/tetrateci/tetrateci/patches/common/increase-sniffing-timeout.1.9.patch b/tetrateci/tetrateci/patches/common/increase-sniffing-timeout.1.9.patch
new file mode 100644
index 000000000000..139a36a18dc6
--- /dev/null
+++ b/tetrateci/tetrateci/patches/common/increase-sniffing-timeout.1.9.patch
@@ -0,0 +1,13 @@
+diff --git a/tests/integration/pilot/common/routing.go b/tests/integration/pilot/common/routing.go
+index 06048f21a8..ff517f1c05 100644
+--- a/tests/integration/pilot/common/routing.go
++++ b/tests/integration/pilot/common/routing.go
+@@ -848,7 +848,7 @@ func protocolSniffingCases() []TrafficTestCase {
+ opts: echo.CallOptions{
+ PortName: call.port,
+ Scheme: call.scheme,
+- Timeout: time.Second * 5,
++ Timeout: time.Second * 30,
+ },
+ validate: func(src echo.Instance, dst echo.Instances) echo.Validator {
+ if call.scheme == scheme.TCP {
diff --git a/tetrateci/tetrateci/patches/common/increase-vm-timeout.1.8.patch b/tetrateci/tetrateci/patches/common/increase-vm-timeout.1.8.patch
new file mode 100644
index 000000000000..81e3aabd1c96
--- /dev/null
+++ b/tetrateci/tetrateci/patches/common/increase-vm-timeout.1.8.patch
@@ -0,0 +1,31 @@
+diff --git a/tests/integration/pilot/vm_test.go b/tests/integration/pilot/vm_test.go
+index 5aa5af8855..8563d7fdb4 100644
+--- a/tests/integration/pilot/vm_test.go
++++ b/tests/integration/pilot/vm_test.go
+@@ -100,7 +100,7 @@ func TestVMRegistrationLifecycle(t *testing.T) {
+ return err
+ }
+ return res.CheckOK()
+- }, retry.Timeout(15*time.Second))
++ }, retry.Timeout(5*time.Minute))
+ })
+ ctx.NewSubTest("reconnect reuses WorkloadEntry").Run(func(ctx framework.TestContext) {
+ // ensure we have two pilot instances, other tests can pass before the second one comes up
+@@ -114,7 +114,7 @@ func TestVMRegistrationLifecycle(t *testing.T) {
+ return errors.New("expected 2 pilots")
+ }
+ return nil
+- }, retry.Timeout(10*time.Second))
++ }, retry.Timeout(5*time.Minute))
+
+ // get the initial workload entry state
+ entries := getWorkloadEntriesOrFail(ctx, autoVM)
+@@ -138,7 +138,7 @@ func TestVMRegistrationLifecycle(t *testing.T) {
+ return errors.New("expected WorkloadEntry to be updated by other pilot")
+ }
+ return nil
+- }, retry.Delay(5*time.Second))
++ }, retry.Delay(5*time.Minute))
+ })
+ ctx.NewSubTest("disconnect deletes WorkloadEntry").Run(func(ctx framework.TestContext) {
+ deployment := fmt.Sprintf("%s-%s", autoVM.Config().Service, "v1")
diff --git a/tetrateci/tetrateci/patches/common/increase-vm-timeout.1.9.patch b/tetrateci/tetrateci/patches/common/increase-vm-timeout.1.9.patch
new file mode 100644
index 000000000000..2909ba89cffe
--- /dev/null
+++ b/tetrateci/tetrateci/patches/common/increase-vm-timeout.1.9.patch
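Review bot: The third change in this patch turns `retry.Delay(5*time.Second)` into `retry.Delay(5*time.Minute)`, and `retry.Delay` sets the pause between attempts, whereas the other two changes raise `retry.Timeout`. If the intent was a longer overall wait, a five-minute pause between polls probably means the check runs once and then sleeps past whatever timeout applies; confirm against the retry package. I would keep the poll interval and add the timeout instead: `}, retry.Delay(5*time.Second), retry.Timeout(5*time.Minute))`. TestVMRegistrationLifecycle extends beyond the hunks shown.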
@@ -0,0 +1,13 @@
+diff --git a/tests/integration/pilot/vm_test.go b/tests/integration/pilot/vm_test.go
+index 5aa5af8855..2cc94751ad 100644
+--- a/tests/integration/pilot/vm_test.go
++++ b/tests/integration/pilot/vm_test.go
+@@ -114,7 +114,7 @@ func TestVMRegistrationLifecycle(t *testing.T) {
+ return errors.New("expected 2 pilots")
+ }
+ return nil
+- }, retry.Timeout(10*time.Second))
++ }, retry.Timeout(5*time.Minute))
+
+ // get the initial workload entry state
+ entries := getWorkloadEntriesOrFail(ctx, autoVM)
diff --git a/tetrateci/tetrateci/patches/common/wait-for-envoy.1.8.patch b/tetrateci/tetrateci/patches/common/wait-for-envoy.1.8.patch
new file mode 100644
index 000000000000..939f090a70cf
--- /dev/null
+++ b/tetrateci/tetrateci/patches/common/wait-for-envoy.1.8.patch
@@ -0,0 +1,53 @@
+diff --git a/tests/integration/telemetry/policy/envoy_ratelimit_test.go b/tests/integration/telemetry/policy/envoy_ratelimit_test.go
+index 368c1ff9ea..8fa191ab08 100644
+--- a/tests/integration/telemetry/policy/envoy_ratelimit_test.go
++++ b/tests/integration/telemetry/policy/envoy_ratelimit_test.go
+@@ -16,6 +16,7 @@
+ package policy
+
+ import (
++ "fmt"
+ "io/ioutil"
+ "testing"
+ "time"
+@@ -31,6 +32,7 @@ import (
+ "istio.io/istio/pkg/test/framework/label"
+ "istio.io/istio/pkg/test/framework/resource"
+ "istio.io/istio/pkg/test/kube"
++ "istio.io/istio/pkg/test/util/retry"
+ "istio.io/istio/pkg/test/util/tmpl"
+ )
+
+@@ -159,12 +161,32 @@ func setupEnvoyFilter(ctx resource.Context) error {
+
+ func sendTrafficAndCheckIfRatelimited(t *testing.T) bool {
+ t.Helper()
++
++ testCall := echo.CallOptions{
++ Target: srv,
++ PortName: "http",
++ Count: 1,
++ }
++
++ retry.UntilSuccessOrFail(t, func() error {
++ t.Logf("Sending a test request to see if envoy is up or not.....")
++ if parsedResponse, err := clt.Call(testCall); err == nil {
++ for _, resp := range parsedResponse {
++ if response.StatusCodeOK != resp.Code {
++ return fmt.Errorf("envoy not ready, wanted 200 got %v", resp.Code)
++ }
++ }
++ }
++ return nil
++ }, retry.Timeout(5*time.Minute))
++
+ t.Logf("Sending 300 requests...")
+ httpOpts := echo.CallOptions{
+ Target: srv,
+ PortName: "http",
+ Count: 300,
+ }
++
+ if parsedResponse, err := clt.Call(httpOpts); err == nil {
+ for _, resp := range parsedResponse {
+ if response.StatusCodeTooManyRequests == resp.Code {
diff --git a/tetrateci/tetrateci/patches/eks/eks_1.15.patch b/tetrateci/tetrateci/patches/eks/eks_1.15.patch
new file mode 100644
index 000000000000..72cffcba51ed
--- /dev/null
+++ b/tetrateci/tetrateci/patches/eks/eks_1.15.patch
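Review bot: The readiness probe added to `sendTrafficAndCheckIfRatelimited` returns `nil` when `clt.Call(testCall)` fails, because the status check sits inside `if ...; err == nil` and the closure then falls through to `return nil`. `retry.UntilSuccessOrFail` therefore treats a failed call as success, and the wait ends before Envoy is reachable. Return the error so the retry keeps polling: `parsedResponse, err := clt.Call(testCall)` followed by `if err != nil { return err }` ahead of the loop. The function continues past the end of the hunk.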
@@ -0,0 +1,125 @@ +From a2e8b635a71ac66273edd6388ba883a0214b9cf8 Mon Sep 17 00:00:00 2001 +From: psbrar99 +Date: Thu, 3 Aug 2023 16:25:50 -0600 +Subject: [PATCH] 1.15 patch + +Signed-off-by: psbrar99 +--- + .../components/echo/kube/deployment.go | 1 + + .../echo/kube/templates/vm_deployment.yaml | 22 +++++++++---------- + pkg/test/framework/components/istio/util.go | 9 ++++++++ + tests/integration/pilot/ingress_test.go | 14 +++++++++++- + 4 files changed, 34 insertions(+), 12 deletions(-) + +diff --git a/pkg/test/framework/components/echo/kube/deployment.go b/pkg/test/framework/components/echo/kube/deployment.go +index dbad3eb0be..9a53ff95dd 100644 +--- a/pkg/test/framework/components/echo/kube/deployment.go ++++ b/pkg/test/framework/components/echo/kube/deployment.go +@@ -515,6 +515,7 @@ spec: + // LoadBalancer may not be supported and the command doesn't have NodePort fallback logic that the tests do + cmd = append(cmd, "--ingressIP", istiodAddr.IP.String()) + } ++ cmd = append(cmd, "--ingressIP", istiodAddr.IP.String()) + if rev := getIstioRevision(cfg.Namespace); len(rev) > 0 { + cmd = append(cmd, "--revision", rev) + } +diff --git a/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml b/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml +index 4343abcd5c..1c61d2c1a5 100644 +--- a/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml ++++ b/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml +@@ -85,16 +85,16 @@ spec: + + # since we're not overwriting /etc/hosts on k8s, verify that istiod hostname in /etc/hosts + # matches the value generated by istioctl +- echo "checking istio host" +- SYSTEM_HOST=$(cat /etc/hosts | grep istiod) +- ISTIOCTL_HOST=$(cat /var/run/secrets/istio/bootstrap/hosts | grep istiod) +- if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then +- echo "istiod host in /etc/hosts does not match value generated by istioctl" +- 
echo "/etc/hosts: $SYSTEM_HOST" +- echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST" +- exit 1 +- fi +- echo "istiod host ok" ++ # echo "checking istio host" ++ # SYSTEM_HOST=$(cat /etc/hosts | grep istiod) ++ # ISTIOCTL_HOST=$(cat /var/run/secrets/istio/bootstrap/hosts | grep istiod) ++ # if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then ++ # echo "istiod host in /etc/hosts does not match value generated by istioctl" ++ # echo "/etc/hosts: $SYSTEM_HOST" ++ # echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST" ++ # exit 1 ++ # fi ++ # echo "istiod host ok" + + # read certs from correct directory + sudo sh -c 'echo PROV_CERT=/var/run/secrets/istio >> /var/lib/istio/envoy/cluster.env' +@@ -173,4 +173,4 @@ spec: + name: {{ $value.Value }} + {{- end }} + {{- end }} +-{{- end}} ++{{- end}} +\ No newline at end of file +diff --git a/pkg/test/framework/components/istio/util.go b/pkg/test/framework/components/istio/util.go +index 18c5502e1d..60198b4f7d 100644 +--- a/pkg/test/framework/components/istio/util.go ++++ b/pkg/test/framework/components/istio/util.go +@@ -132,6 +132,15 @@ func getRemoteServiceAddress(s *kube.Settings, cluster cluster.Cluster, ns, labe + if ingr.IP == "" && ingr.Hostname == "" { + return nil, false, fmt.Errorf("service %s/%s is not available yet: no ingress", svc.Namespace, svc.Name) + } ++ if ingr.Hostname != "" { ++ ip, err := net.LookupIP(ingr.Hostname) ++ if err != nil { ++ return nil, false, fmt.Errorf("service %s/%s is not available yet: no ingress", svc.Namespace, svc.Name) ++ } ++ if len(ip) > 0 { ++ ingr.IP = ip[0].String() ++ } ++ } + if ingr.IP != "" { + return net.TCPAddr{IP: net.ParseIP(ingr.IP), Port: port}, true, nil + } +diff --git a/tests/integration/pilot/ingress_test.go b/tests/integration/pilot/ingress_test.go +index 217da4f89c..9bd5a9287f 100644 +--- a/tests/integration/pilot/ingress_test.go ++++ b/tests/integration/pilot/ingress_test.go +@@ -228,7 
+228,7 @@ spec: + }) + t.NewSubTest("status").Run(func(t framework.TestContext) { + retry.UntilSuccessOrFail(t, func() error { +- gwc, err := t.Clusters().Kube().Default().GatewayAPI().GatewayV1beta1().GatewayClasses().Get(context.Background(), "istio", metav1.GetOptions{}) ++ gwc, err := t.Clusters().Kube().Default().GatewayAPI().GatewayV1alpha2().GatewayClasses().Get(context.Background(), "istio", metav1.GetOptions{}) + if err != nil { + return err + } +@@ -601,6 +601,12 @@ spec: + if hostIsIP { + got = ing.Status.LoadBalancer.Ingress[0].IP + } ++ if ing.Status.LoadBalancer.Ingress[0].Hostname != "" { ++ ip, _ := net.LookupIP(ing.Status.LoadBalancer.Ingress[0].Hostname) ++ if len(ip) > 0 { ++ got = ip[0].String() ++ } ++ } + if got != host { + return fmt.Errorf("unexpected ingress status, got %+v want %v", got, host) + } +@@ -617,6 +623,12 @@ spec: + if hostIsIP { + got = ing.Status.LoadBalancer.Ingress[0].IP + } ++ if ing.Status.LoadBalancer.Ingress[0].Hostname != "" { ++ ip, _ := net.LookupIP(ing.Status.LoadBalancer.Ingress[0].Hostname) ++ if len(ip) > 0 { ++ got = ip[0].String() ++ } ++ } + if got != host { + return fmt.Errorf("unexpected ingress status, got %+v want %v", got, host) + } +-- +2.30.1 (Apple Git-130) + diff --git a/tetrateci/tetrateci/patches/eks/eks_1.16.patch b/tetrateci/tetrateci/patches/eks/eks_1.16.patch new file mode 100644 index 000000000000..88ca540a7a44 --- /dev/null +++ b/tetrateci/tetrateci/patches/eks/eks_1.16.patch 
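Review bot: In deployment.go the added `cmd = append(cmd, "--ingressIP", istiodAddr.IP.String())` runs unconditionally right after the branch that already appends the same flag, so when that branch is taken `--ingressIP` is passed twice, and when it is not, `istiodAddr` is used without the hunk showing that it was populated. If the flag is always wanted, replace the conditional append rather than adding a second one. eks_1.16.patch, eks_1.17.patch and eks_1.18.patch add the same unconditional append after the revision check; the conditional one is presumably just above those hunks. The enclosing function starts and ends outside the hunk.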
@@ -0,0 +1,124 @@ +From db64738688316472d1840c5f0e58fcdf6b7c51d9 Mon Sep 17 00:00:00 2001 +From: psbrar99 +Date: Thu, 3 Aug 2023 13:52:36 -0600 +Subject: [PATCH] 1.16 patch + +Signed-off-by: psbrar99 +--- + .../components/echo/kube/deployment.go | 1 + + .../echo/kube/templates/vm_deployment.yaml | 22 +++++++++---------- + pkg/test/framework/components/istio/util.go | 9 ++++++++ + tests/integration/pilot/ingress_test.go | 13 +++++++++++ + 4 files changed, 34 insertions(+), 11 deletions(-) + +diff --git a/pkg/test/framework/components/echo/kube/deployment.go b/pkg/test/framework/components/echo/kube/deployment.go +index 3eb41c570b..bd9b567b83 100644 +--- a/pkg/test/framework/components/echo/kube/deployment.go ++++ b/pkg/test/framework/components/echo/kube/deployment.go +@@ -521,6 +521,7 @@ spec: + if rev := getIstioRevision(cfg.Namespace); len(rev) > 0 { + cmd = append(cmd, "--revision", rev) + } ++ cmd = append(cmd, "--ingressIP", istiodAddr.Addr().String()) + // make sure namespace controller has time to create root-cert ConfigMap + if err := retry.UntilSuccess(func() error { + stdout, stderr, err := istioCtl.Invoke(cmd) +diff --git a/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml b/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml +index 4343abcd5c..1c61d2c1a5 100644 +--- a/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml ++++ b/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml +@@ -85,16 +85,16 @@ spec: + + # since we're not overwriting /etc/hosts on k8s, verify that istiod hostname in /etc/hosts + # matches the value generated by istioctl +- echo "checking istio host" +- SYSTEM_HOST=$(cat /etc/hosts | grep istiod) +- ISTIOCTL_HOST=$(cat /var/run/secrets/istio/bootstrap/hosts | grep istiod) +- if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then +- echo "istiod host in /etc/hosts does not match value generated by istioctl" +- echo 
"/etc/hosts: $SYSTEM_HOST" +- echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST" +- exit 1 +- fi +- echo "istiod host ok" ++ # echo "checking istio host" ++ # SYSTEM_HOST=$(cat /etc/hosts | grep istiod) ++ # ISTIOCTL_HOST=$(cat /var/run/secrets/istio/bootstrap/hosts | grep istiod) ++ # if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then ++ # echo "istiod host in /etc/hosts does not match value generated by istioctl" ++ # echo "/etc/hosts: $SYSTEM_HOST" ++ # echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST" ++ # exit 1 ++ # fi ++ # echo "istiod host ok" + + # read certs from correct directory + sudo sh -c 'echo PROV_CERT=/var/run/secrets/istio >> /var/lib/istio/envoy/cluster.env' +@@ -173,4 +173,4 @@ spec: + name: {{ $value.Value }} + {{- end }} + {{- end }} +-{{- end}} ++{{- end}} +\ No newline at end of file +diff --git a/pkg/test/framework/components/istio/util.go b/pkg/test/framework/components/istio/util.go +index 2600fe421c..2d01c756c1 100644 +--- a/pkg/test/framework/components/istio/util.go ++++ b/pkg/test/framework/components/istio/util.go +@@ -137,6 +137,15 @@ func getRemoteServiceAddress(s *kube.Settings, cluster cluster.Cluster, ns, labe + if ingr.IP == "" && ingr.Hostname == "" { + return nil, false, fmt.Errorf("service %s/%s is not available yet: no ingress", svc.Namespace, svc.Name) + } ++ if ingr.Hostname != "" { ++ ip, err := net.LookupIP(ingr.Hostname) ++ if err != nil { ++ return nil, false, fmt.Errorf("service %s/%s is not available yet: no ingress", svc.Namespace, svc.Name) ++ } ++ if len(ip) > 0 { ++ ingr.IP = ip[0].String() ++ } ++ } + if ingr.IP != "" { + ipaddr, err := netip.ParseAddr(ingr.IP) + if err != nil { +diff --git a/tests/integration/pilot/ingress_test.go b/tests/integration/pilot/ingress_test.go +index 258dcf8de0..d1cd0601be 100644 +--- a/tests/integration/pilot/ingress_test.go ++++ b/tests/integration/pilot/ingress_test.go +@@ -232,6 +232,7 @@ spec: + 
if err != nil { + return err + } ++ + if s := kstatus.GetCondition(gwc.Status.Conditions, string(k8s.GatewayClassConditionStatusAccepted)).Status; s != metav1.ConditionTrue { + return fmt.Errorf("expected status %q, got %q", metav1.ConditionTrue, s) + } +@@ -601,6 +602,12 @@ spec: + if hostIsIP { + got = ing.Status.LoadBalancer.Ingress[0].IP + } ++ if ing.Status.LoadBalancer.Ingress[0].Hostname != "" { ++ ip, _ := net.LookupIP(ing.Status.LoadBalancer.Ingress[0].Hostname) ++ if len(ip) > 0 { ++ got = ip[0].String() ++ } ++ } + if got != host { + return fmt.Errorf("unexpected ingress status, got %+v want %v", got, host) + } +@@ -617,6 +624,12 @@ spec: + if hostIsIP { + got = ing.Status.LoadBalancer.Ingress[0].IP + } ++ if ing.Status.LoadBalancer.Ingress[0].Hostname != "" { ++ ip, _ := net.LookupIP(ing.Status.LoadBalancer.Ingress[0].Hostname) ++ if len(ip) > 0 { ++ got = ip[0].String() ++ } ++ } + if got != host { + return fmt.Errorf("unexpected ingress status, got %+v want %v", got, host) + } +-- +2.30.1 (Apple Git-130) + diff --git a/tetrateci/tetrateci/patches/eks/eks_1.17.patch b/tetrateci/tetrateci/patches/eks/eks_1.17.patch new file mode 100644 index 000000000000..02aa5e33e918 --- /dev/null +++ b/tetrateci/tetrateci/patches/eks/eks_1.17.patch 
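Review bot: The vm_deployment.yaml change comments out the check that the istiod entry in /etc/hosts matches the one istioctl wrote to /var/run/secrets/istio/bootstrap/hosts, so a VM that resolves istiod to a different address now starts without any error. The comment above the block still says the script verifies this, and no reason for turning it off is recorded. I would delete the dead lines and replace that comment with one stating why the check is off for these builds, or downgrade the `exit 1` to a warning so the mismatch is still logged. The same ten lines are commented out in eks_1.15.patch, eks_1.17.patch and eks_1.18.patch.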
@@ -0,0 +1,124 @@ +From 5de4783fd311442f004213871142e75ec320c135 Mon Sep 17 00:00:00 2001 +From: psbrar99 +Date: Thu, 3 Aug 2023 15:51:42 -0600 +Subject: [PATCH] 1.17 patch + +Signed-off-by: psbrar99 +--- + .../components/echo/kube/deployment.go | 1 + + .../echo/kube/templates/vm_deployment.yaml | 22 +++++++++---------- + pkg/test/framework/components/istio/util.go | 9 ++++++++ + tests/integration/pilot/ingress_test.go | 13 +++++++++++ + 4 files changed, 34 insertions(+), 11 deletions(-) + +diff --git a/pkg/test/framework/components/echo/kube/deployment.go b/pkg/test/framework/components/echo/kube/deployment.go +index 7574ed58c4..6f418d7f17 100644 +--- a/pkg/test/framework/components/echo/kube/deployment.go ++++ b/pkg/test/framework/components/echo/kube/deployment.go +@@ -521,6 +521,7 @@ spec: + if rev := getIstioRevision(cfg.Namespace); len(rev) > 0 { + cmd = append(cmd, "--revision", rev) + } ++ cmd = append(cmd, "--ingressIP", istiodAddr.Addr().String()) + // make sure namespace controller has time to create root-cert ConfigMap + if err := retry.UntilSuccess(func() error { + stdout, stderr, err := istioCtl.Invoke(cmd) +diff --git a/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml b/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml +index 4343abcd5c..1c61d2c1a5 100644 +--- a/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml ++++ b/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml +@@ -85,16 +85,16 @@ spec: + + # since we're not overwriting /etc/hosts on k8s, verify that istiod hostname in /etc/hosts + # matches the value generated by istioctl +- echo "checking istio host" +- SYSTEM_HOST=$(cat /etc/hosts | grep istiod) +- ISTIOCTL_HOST=$(cat /var/run/secrets/istio/bootstrap/hosts | grep istiod) +- if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then +- echo "istiod host in /etc/hosts does not match value generated by istioctl" +- echo 
"/etc/hosts: $SYSTEM_HOST" +- echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST" +- exit 1 +- fi +- echo "istiod host ok" ++ # echo "checking istio host" ++ # SYSTEM_HOST=$(cat /etc/hosts | grep istiod) ++ # ISTIOCTL_HOST=$(cat /var/run/secrets/istio/bootstrap/hosts | grep istiod) ++ # if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then ++ # echo "istiod host in /etc/hosts does not match value generated by istioctl" ++ # echo "/etc/hosts: $SYSTEM_HOST" ++ # echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST" ++ # exit 1 ++ # fi ++ # echo "istiod host ok" + + # read certs from correct directory + sudo sh -c 'echo PROV_CERT=/var/run/secrets/istio >> /var/lib/istio/envoy/cluster.env' +@@ -173,4 +173,4 @@ spec: + name: {{ $value.Value }} + {{- end }} + {{- end }} +-{{- end}} ++{{- end}} +\ No newline at end of file +diff --git a/pkg/test/framework/components/istio/util.go b/pkg/test/framework/components/istio/util.go +index 2600fe421c..2d01c756c1 100644 +--- a/pkg/test/framework/components/istio/util.go ++++ b/pkg/test/framework/components/istio/util.go +@@ -137,6 +137,15 @@ func getRemoteServiceAddress(s *kube.Settings, cluster cluster.Cluster, ns, labe + if ingr.IP == "" && ingr.Hostname == "" { + return nil, false, fmt.Errorf("service %s/%s is not available yet: no ingress", svc.Namespace, svc.Name) + } ++ if ingr.Hostname != "" { ++ ip, err := net.LookupIP(ingr.Hostname) ++ if err != nil { ++ return nil, false, fmt.Errorf("service %s/%s is not available yet: no ingress", svc.Namespace, svc.Name) ++ } ++ if len(ip) > 0 { ++ ingr.IP = ip[0].String() ++ } ++ } + if ingr.IP != "" { + ipaddr, err := netip.ParseAddr(ingr.IP) + if err != nil { +diff --git a/tests/integration/pilot/ingress_test.go b/tests/integration/pilot/ingress_test.go +index 82766cfc3c..6e1ef41f9f 100644 +--- a/tests/integration/pilot/ingress_test.go ++++ b/tests/integration/pilot/ingress_test.go +@@ -232,6 +232,7 @@ spec: + 
if err != nil { + return err + } ++ + if s := kstatus.GetCondition(gwc.Status.Conditions, string(k8s.GatewayClassConditionStatusAccepted)).Status; s != metav1.ConditionTrue { + return fmt.Errorf("expected status %q, got %q", metav1.ConditionTrue, s) + } +@@ -601,6 +602,12 @@ spec: + if hostIsIP { + got = ing.Status.LoadBalancer.Ingress[0].IP + } ++ if ing.Status.LoadBalancer.Ingress[0].Hostname != "" { ++ ip, _ := net.LookupIP(ing.Status.LoadBalancer.Ingress[0].Hostname) ++ if len(ip) > 0 { ++ got = ip[0].String() ++ } ++ } + if got != host { + return fmt.Errorf("unexpected ingress status, got %+v want %v", got, host) + } +@@ -617,6 +624,12 @@ spec: + if hostIsIP { + got = ing.Status.LoadBalancer.Ingress[0].IP + } ++ if ing.Status.LoadBalancer.Ingress[0].Hostname != "" { ++ ip, _ := net.LookupIP(ing.Status.LoadBalancer.Ingress[0].Hostname) ++ if len(ip) > 0 { ++ got = ip[0].String() ++ } ++ } + if got != host { + return fmt.Errorf("unexpected ingress status, got %+v want %v", got, host) + } +-- +2.30.1 (Apple Git-130) + diff --git a/tetrateci/tetrateci/patches/eks/eks_1.18.patch b/tetrateci/tetrateci/patches/eks/eks_1.18.patch new file mode 100644 index 000000000000..b6f27d9abd00 --- /dev/null +++ b/tetrateci/tetrateci/patches/eks/eks_1.18.patch 
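Review bot: Both added blocks in ingress_test.go discard the resolver error (`ip, _ := net.LookupIP(...)`) and then overwrite `got` with `ip[0]` whenever a hostname is present, apparently even when `hostIsIP` is false, so a DNS failure or a multi-record answer changes what the assertion compares without leaving a trace. In util.go the lookup error is replaced by the "no ingress" message, which hides the DNS cause; wrap it instead, e.g. `return nil, false, fmt.Errorf("resolving ingress hostname %s: %w", ingr.Hostname, err)`. `ip[0]` may also be an IPv6 address, so select the address family the test expects. eks_1.15.patch and eks_1.16.patch carry the same code, and the util.go part appears in eks_1.18.patch too.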
@@ -0,0 +1,123 @@ +From 76ba05e0d163dc99389959c9922fd51d89e41f53 Mon Sep 17 00:00:00 2001 +From: psbrar99 +Date: Wed, 2 Aug 2023 15:05:54 -0600 +Subject: [PATCH] patch + +Signed-off-by: psbrar99 +--- + .../components/echo/kube/deployment.go | 1 + + .../echo/kube/templates/vm_deployment.yaml | 22 +++++++++---------- + pkg/test/framework/components/istio/util.go | 9 ++++++++ + tests/integration/pilot/ingress_test.go | 12 +++++----- + 4 files changed, 28 insertions(+), 16 deletions(-) + +diff --git a/pkg/test/framework/components/echo/kube/deployment.go b/pkg/test/framework/components/echo/kube/deployment.go +index a0c723e0e8..0739d0b0bf 100644 +--- a/pkg/test/framework/components/echo/kube/deployment.go ++++ b/pkg/test/framework/components/echo/kube/deployment.go +@@ -522,6 +522,7 @@ spec: + if rev := getIstioRevision(cfg.Namespace); len(rev) > 0 { + cmd = append(cmd, "--revision", rev) + } ++ cmd = append(cmd, "--ingressIP", istiodAddr.Addr().String()) + // make sure namespace controller has time to create root-cert ConfigMap + if err := retry.UntilSuccess(func() error { + stdout, stderr, err := istioCtl.Invoke(cmd) +diff --git a/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml b/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml +index 4343abcd5c..1c61d2c1a5 100644 +--- a/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml ++++ b/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml +@@ -85,16 +85,16 @@ spec: + + # since we're not overwriting /etc/hosts on k8s, verify that istiod hostname in /etc/hosts + # matches the value generated by istioctl +- echo "checking istio host" +- SYSTEM_HOST=$(cat /etc/hosts | grep istiod) +- ISTIOCTL_HOST=$(cat /var/run/secrets/istio/bootstrap/hosts | grep istiod) +- if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then +- echo "istiod host in /etc/hosts does not match value generated by istioctl" +- echo 
"/etc/hosts: $SYSTEM_HOST" +- echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST" +- exit 1 +- fi +- echo "istiod host ok" ++ # echo "checking istio host" ++ # SYSTEM_HOST=$(cat /etc/hosts | grep istiod) ++ # ISTIOCTL_HOST=$(cat /var/run/secrets/istio/bootstrap/hosts | grep istiod) ++ # if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then ++ # echo "istiod host in /etc/hosts does not match value generated by istioctl" ++ # echo "/etc/hosts: $SYSTEM_HOST" ++ # echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST" ++ # exit 1 ++ # fi ++ # echo "istiod host ok" + + # read certs from correct directory + sudo sh -c 'echo PROV_CERT=/var/run/secrets/istio >> /var/lib/istio/envoy/cluster.env' +@@ -173,4 +173,4 @@ spec: + name: {{ $value.Value }} + {{- end }} + {{- end }} +-{{- end}} ++{{- end}} +\ No newline at end of file +diff --git a/pkg/test/framework/components/istio/util.go b/pkg/test/framework/components/istio/util.go +index 2600fe421c..2d01c756c1 100644 +--- a/pkg/test/framework/components/istio/util.go ++++ b/pkg/test/framework/components/istio/util.go +@@ -137,6 +137,15 @@ func getRemoteServiceAddress(s *kube.Settings, cluster cluster.Cluster, ns, labe + if ingr.IP == "" && ingr.Hostname == "" { + return nil, false, fmt.Errorf("service %s/%s is not available yet: no ingress", svc.Namespace, svc.Name) + } ++ if ingr.Hostname != "" { ++ ip, err := net.LookupIP(ingr.Hostname) ++ if err != nil { ++ return nil, false, fmt.Errorf("service %s/%s is not available yet: no ingress", svc.Namespace, svc.Name) ++ } ++ if len(ip) > 0 { ++ ingr.IP = ip[0].String() ++ } ++ } + if ingr.IP != "" { + ipaddr, err := netip.ParseAddr(ingr.IP) + if err != nil { +diff --git a/tests/integration/pilot/ingress_test.go b/tests/integration/pilot/ingress_test.go +index 4f158b96ef..c332e1630e 100644 +--- a/tests/integration/pilot/ingress_test.go ++++ b/tests/integration/pilot/ingress_test.go +@@ -332,6 +332,12 @@ spec: + 
if hostIsIP { + got = ing.Status.LoadBalancer.Ingress[0].IP + } ++ if ing.Status.LoadBalancer.Ingress[0].Hostname != "" { ++ ip, _ := net.LookupIP(ing.Status.LoadBalancer.Ingress[0].Hostname) ++ if len(ip) > 0 { ++ got = ip[0].String() ++ } ++ } + if got != host { + return fmt.Errorf("unexpected ingress status, got %+v want %v", got, host) + } +@@ -441,10 +447,6 @@ func TestCustomGateway(t *testing.T) { + NewTest(t). + Features("traffic.ingress.custom"). + Run(func(t framework.TestContext) { +- inject := false +- if t.Settings().Compatibility { +- inject = true +- } + injectLabel := `sidecar.istio.io/inject: "true"` + if t.Settings().Revisions.Default() != "" { + injectLabel = fmt.Sprintf(`istio.io/rev: "%v"`, t.Settings().Revisions.Default()) +@@ -458,7 +460,7 @@ func TestCustomGateway(t *testing.T) { + } + + t.NewSubTest("minimal").Run(func(t framework.TestContext) { +- gatewayNs := namespace.NewOrFail(t, t, namespace.Config{Prefix: "custom-gateway-minimal", Inject: inject}) ++ gatewayNs := namespace.NewOrFail(t, t, namespace.Config{Prefix: "custom-gateway-minimal"}) + _ = t.ConfigIstio().Eval(gatewayNs.Name(), templateParams, `apiVersion: v1 + kind: Service + metadata: +-- +2.30.1 (Apple Git-130) + diff --git a/tetrateci/tetrateci/patches/eks/eks_1.19.patch b/tetrateci/tetrateci/patches/eks/eks_1.19.patch new file mode 100644 index 000000000000..b6f27d9abd00 --- /dev/null +++ b/tetrateci/tetrateci/patches/eks/eks_1.19.patch 
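Review bot: In the util.go hunk carried by eks_1.18.patch, a failed `net.LookupIP(ingr.Hostname)` is reported with the same "no ingress" text as an unassigned load balancer and the resolver error is dropped, so a DNS failure cannot be told apart from an ingress that is simply not ready; wrap the error instead, e.g. `return nil, false, fmt.Errorf("service %s/%s: resolving ingress hostname %q: %w", svc.Namespace, svc.Name, ingr.Hostname, err)`. The ingress_test.go hunk discards the error entirely (`ip, _ := net.LookupIP(...)`) and leaves `got` unchanged on failure, which then surfaces as an unrelated "unexpected ingress status" mismatch. In vm_deployment.yaml the istiod /etc/hosts consistency check is commented out while the comment above it still says the script verifies it; either delete the block together with that comment or add a line stating why the check is disabled on EKS. eks_1.19.patch is added with the same blob id (b6f27d9abd00), so the same points apply there.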
@@ -0,0 +1,123 @@ +From 76ba05e0d163dc99389959c9922fd51d89e41f53 Mon Sep 17 00:00:00 2001 +From: psbrar99 +Date: Wed, 2 Aug 2023 15:05:54 -0600 +Subject: [PATCH] patch + +Signed-off-by: psbrar99 +--- + .../components/echo/kube/deployment.go | 1 + + .../echo/kube/templates/vm_deployment.yaml | 22 +++++++++---------- + pkg/test/framework/components/istio/util.go | 9 ++++++++ + tests/integration/pilot/ingress_test.go | 12 +++++----- + 4 files changed, 28 insertions(+), 16 deletions(-) + +diff --git a/pkg/test/framework/components/echo/kube/deployment.go b/pkg/test/framework/components/echo/kube/deployment.go +index a0c723e0e8..0739d0b0bf 100644 +--- a/pkg/test/framework/components/echo/kube/deployment.go ++++ b/pkg/test/framework/components/echo/kube/deployment.go +@@ -522,6 +522,7 @@ spec: + if rev := getIstioRevision(cfg.Namespace); len(rev) > 0 { + cmd = append(cmd, "--revision", rev) + } ++ cmd = append(cmd, "--ingressIP", istiodAddr.Addr().String()) + // make sure namespace controller has time to create root-cert ConfigMap + if err := retry.UntilSuccess(func() error { + stdout, stderr, err := istioCtl.Invoke(cmd) +diff --git a/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml b/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml +index 4343abcd5c..1c61d2c1a5 100644 +--- a/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml ++++ b/pkg/test/framework/components/echo/kube/templates/vm_deployment.yaml +@@ -85,16 +85,16 @@ spec: + + # since we're not overwriting /etc/hosts on k8s, verify that istiod hostname in /etc/hosts + # matches the value generated by istioctl +- echo "checking istio host" +- SYSTEM_HOST=$(cat /etc/hosts | grep istiod) +- ISTIOCTL_HOST=$(cat /var/run/secrets/istio/bootstrap/hosts | grep istiod) +- if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then +- echo "istiod host in /etc/hosts does not match value generated by istioctl" +- echo 
"/etc/hosts: $SYSTEM_HOST" +- echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST" +- exit 1 +- fi +- echo "istiod host ok" ++ # echo "checking istio host" ++ # SYSTEM_HOST=$(cat /etc/hosts | grep istiod) ++ # ISTIOCTL_HOST=$(cat /var/run/secrets/istio/bootstrap/hosts | grep istiod) ++ # if [ "$(echo "$SYSTEM_HOST" | tr -d '[:space:]')" != "$(echo "$ISTIOCTL_HOST" | tr -d '[:space:]')" ]; then ++ # echo "istiod host in /etc/hosts does not match value generated by istioctl" ++ # echo "/etc/hosts: $SYSTEM_HOST" ++ # echo "/var/run/secrets/istio/bootstrap/hosts: $ISTIOCTL_HOST" ++ # exit 1 ++ # fi ++ # echo "istiod host ok" + + # read certs from correct directory + sudo sh -c 'echo PROV_CERT=/var/run/secrets/istio >> /var/lib/istio/envoy/cluster.env' +@@ -173,4 +173,4 @@ spec: + name: {{ $value.Value }} + {{- end }} + {{- end }} +-{{- end}} ++{{- end}} +\ No newline at end of file +diff --git a/pkg/test/framework/components/istio/util.go b/pkg/test/framework/components/istio/util.go +index 2600fe421c..2d01c756c1 100644 +--- a/pkg/test/framework/components/istio/util.go ++++ b/pkg/test/framework/components/istio/util.go +@@ -137,6 +137,15 @@ func getRemoteServiceAddress(s *kube.Settings, cluster cluster.Cluster, ns, labe + if ingr.IP == "" && ingr.Hostname == "" { + return nil, false, fmt.Errorf("service %s/%s is not available yet: no ingress", svc.Namespace, svc.Name) + } ++ if ingr.Hostname != "" { ++ ip, err := net.LookupIP(ingr.Hostname) ++ if err != nil { ++ return nil, false, fmt.Errorf("service %s/%s is not available yet: no ingress", svc.Namespace, svc.Name) ++ } ++ if len(ip) > 0 { ++ ingr.IP = ip[0].String() ++ } ++ } + if ingr.IP != "" { + ipaddr, err := netip.ParseAddr(ingr.IP) + if err != nil { +diff --git a/tests/integration/pilot/ingress_test.go b/tests/integration/pilot/ingress_test.go +index 4f158b96ef..c332e1630e 100644 +--- a/tests/integration/pilot/ingress_test.go ++++ b/tests/integration/pilot/ingress_test.go +@@ -332,6 +332,12 @@ spec: + 
if hostIsIP { + got = ing.Status.LoadBalancer.Ingress[0].IP + } ++ if ing.Status.LoadBalancer.Ingress[0].Hostname != "" { ++ ip, _ := net.LookupIP(ing.Status.LoadBalancer.Ingress[0].Hostname) ++ if len(ip) > 0 { ++ got = ip[0].String() ++ } ++ } + if got != host { + return fmt.Errorf("unexpected ingress status, got %+v want %v", got, host) + } +@@ -441,10 +447,6 @@ func TestCustomGateway(t *testing.T) { + NewTest(t). + Features("traffic.ingress.custom"). + Run(func(t framework.TestContext) { +- inject := false +- if t.Settings().Compatibility { +- inject = true +- } + injectLabel := `sidecar.istio.io/inject: "true"` + if t.Settings().Revisions.Default() != "" { + injectLabel = fmt.Sprintf(`istio.io/rev: "%v"`, t.Settings().Revisions.Default()) +@@ -458,7 +460,7 @@ func TestCustomGateway(t *testing.T) { + } + + t.NewSubTest("minimal").Run(func(t framework.TestContext) { +- gatewayNs := namespace.NewOrFail(t, t, namespace.Config{Prefix: "custom-gateway-minimal", Inject: inject}) ++ gatewayNs := namespace.NewOrFail(t, t, namespace.Config{Prefix: "custom-gateway-minimal"}) + _ = t.ConfigIstio().Eval(gatewayNs.Name(), templateParams, `apiVersion: v1 + kind: Service + metadata: +-- +2.30.1 (Apple Git-130) + diff --git a/tetrateci/tetrateci/patches/gke/chiron-gke.patch b/tetrateci/tetrateci/patches/gke/chiron-gke.patch new file mode 100644 index 000000000000..04985f994af5 --- /dev/null +++ b/tetrateci/tetrateci/patches/gke/chiron-gke.patch 
@@ -0,0 +1,24 @@
+diff --git a/security/pkg/pki/util/verify_cert.go b/security/pkg/pki/util/verify_cert.go
+index 517e10ff3f..d2a52e1b52 100644
+--- a/security/pkg/pki/util/verify_cert.go
++++ b/security/pkg/pki/util/verify_cert.go
+@@ -128,13 +128,13 @@ func VerifyCertificate(privPem []byte, certChainPem []byte, rootCertPem []byte,
+ return fmt.Errorf("unexpected value for 'NotAfter' - 'NotBefore': want %v but got %v", ttl, cert.NotAfter.Sub(cert.NotBefore))
+ }
+
+- if eku := sortExtKeyUsage(expectedFields.ExtKeyUsage); !reflect.DeepEqual(eku, sortExtKeyUsage(cert.ExtKeyUsage)) {
+- return fmt.Errorf("unexpected value for 'ExtKeyUsage' field: want %v but got %v", eku, cert.ExtKeyUsage)
+- }
++ // if eku := sortExtKeyUsage(expectedFields.ExtKeyUsage); !reflect.DeepEqual(eku, sortExtKeyUsage(cert.ExtKeyUsage)) {
++ // return fmt.Errorf("unexpected value for 'ExtKeyUsage' field: want %v but got %v", eku, cert.ExtKeyUsage)
++ // }
+
+- if ku := expectedFields.KeyUsage; ku != cert.KeyUsage {
+- return fmt.Errorf("unexpected value for 'KeyUsage' field: want %v but got %v", ku, cert.KeyUsage)
+- }
++ // if ku := expectedFields.KeyUsage; ku != cert.KeyUsage {
++ // return fmt.Errorf("unexpected value for 'KeyUsage' field: want %v but got %v", ku, cert.KeyUsage)
++ // }
+
+ if isCA := expectedFields.IsCA; isCA != cert.IsCA {
+ return fmt.Errorf("unexpected value for 'IsCA' field: want %t but got %t", isCA, cert.IsCA)
diff --git a/tetrateci/tetrateci/port_patches_to_release.sh b/tetrateci/tetrateci/port_patches_to_release.sh
new file mode 100755
index 000000000000..00c61d95c87e
--- /dev/null
+++ b/tetrateci/tetrateci/port_patches_to_release.sh
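Review bot: chiron-gke.patch disables the `ExtKeyUsage` and `KeyUsage` comparisons in `VerifyCertificate` by commenting them out, with no reason given and nothing that limits the change to GKE, so once the patch is applied every caller of this helper stops checking what the certificate is permitted to be used for. If the GKE signer legitimately issues different usages, express the accepted values through `expectedFields` for that environment rather than removing the check, or at minimum replace the dead code with a comment such as `// KeyUsage/ExtKeyUsage not compared on GKE: <reason / issue link>`. If these were the only uses of `reflect` in verify_cert.go the import becomes unused and the package no longer compiles; that cannot be confirmed from here because the function and the import block lie outside the hunk. The test scripts apply this patch to the working tree only when `CLUSTER` is `gke`, and it is worth making sure it can never be applied in a build that produces release artifacts.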
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+set -o errexit
+set -o pipefail
+
+if [[ -z "$GITHUB_TOKEN" ]]; then
+ echo "Undefined GITHUB_TOKEN environment variable."
+ exit 1
+fi
+
+echo "Configuring git"
+
+cat <<- EOF > $HOME/.netrc
+ machine github.com
+ login $GITHUB_ACTOR
+ password $GITHUB_TOKEN
+ machine api.github.com
+ login $GITHUB_ACTOR
+ password $GITHUB_TOKEN
+EOF
+chmod 600 $HOME/.netrc
+
+git config user.name $GITHUB_ACTOR
+git config user.email github-actions@github.com
+
+echo "Fetching target branches"
+
+git fetch --all --verbose
+TARGETS=$(git branch -r| grep -E "origin/tetrate-release-[[:digit:]]+.[[:digit:]]+$" | xargs)
+
+function create_pr_using_temp() {
+ echo "Getting branch name for $1"
+ local branch_name=$(cut -f2 -d"/" <<< $1)
+
+ temp_branch=temp-github-actions-$branch_name
+
+ echo "Creating a temporary branch"
+ git checkout -b $temp_branch $1
+
+ echo "Checking out the changes"
+ git checkout origin/tetrate-workflow -- tetrateci
+ git checkout origin/tetrate-workflow -- .github/workflows
+ git commit -m "Merging tetrate-workflow with $branch_name"
+
+ echo "Pushing temporary branch to origin"
+ git push origin $temp_branch --force
+
+ echo "Creating PR for $branch_name"
+ hub pull-request -b $branch_name -m "AUTO: Backporting patches to $branch_name"
+}
+
+echo "Creating PRs"
+
+for branch in $TARGETS; do
+ create_pr_using_temp $branch
+done
+
+echo "Creating PRs for FIPS branches"
+
+FIPS_TARGETS=$(git branch -r| grep -E "origin/tetratefips-release-[[:digit:]]+.[[:digit:]]+$" | xargs)
+
+for branch in $FIPS_TARGETS; do
+ create_pr_using_temp $branch
+done
diff --git a/tetrateci/tetrateci/setup_go.sh b/tetrateci/tetrateci/setup_go.sh
new file mode 100755
index 000000000000..e78147038746
--- /dev/null
+++ b/tetrateci/tetrateci/setup_go.sh
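Review bot: In port_patches_to_release.sh the token is written to `$HOME/.netrc` under the default umask and only tightened by `chmod 600` afterwards, and the file is never removed, so `GITHUB_TOKEN` remains on disk for every later step that runs on the same runner. Set `umask 077` before the here-document and add `trap 'rm -f "$HOME/.netrc"' EXIT` so the credential file is created private and cleaned up on any exit path. Separately, `$HOME`, `$GITHUB_ACTOR`, `$1`, `$temp_branch` and `$branch_name` are expanded unquoted, and the `.` in both branch regexes is unescaped and therefore matches any character; `[[:digit:]]+\.[[:digit:]]+$` is presumably what is meant.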
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+set -e
+set -u
+
+if $(grep -q "1.7" <<< $TAG); then
+ export GOLANG_VERSION=1.14.12
+fi
+
+if $(grep -q "1.8" <<< $TAG || grep -q "1.9" <<< $TAG); then
+ export GOLANG_VERSION=1.15.7
+fi
+
+if $(grep -q "1.10" <<< $TAG); then
+ export GOLANG_VERSION=1.16.9
+fi
+
+if $(grep -q "1.11" <<< $TAG); then
+ export GOLANG_VERSION=1.17.6
+fi
+
+if $(grep -q "1.12" <<< $TAG) || [[ "${REL_BRANCH_VER:-${ISTIO_MINOR_VER}}" == "1.13" ]]; then
+ export GOLANG_VERSION=1.17.8
+fi
+
+if $(grep -q "1.14" <<< $TAG); then
+ export GOLANG_VERSION=1.18.4
+fi
+
+if $(grep -q "1.15" <<< $TAG); then
+ export GOLANG_VERSION=1.19.2
+fi
+
+if [[ "${REL_BRANCH_VER:-${ISTIO_MINOR_VER}}" == "1.16" ]]; then
+ export GOLANG_VERSION=1.19.5
+fi
+
+if [[ "${REL_BRANCH_VER:-${ISTIO_MINOR_VER}}" == "1.17" ]]; then
+ export GOLANG_VERSION=1.20.2
+fi
+
+if [[ "${REL_BRANCH_VER:-${ISTIO_MINOR_VER}}" == "1.18" ]]; then
+ export GOLANG_VERSION=1.20.6
+fi
+
+if [[ "${REL_BRANCH_VER:-${ISTIO_MINOR_VER}}" == "1.19" ]]; then
+ export GOLANG_VERSION=1.21.1
+fi
+
+url="https://golang.org/dl/go$GOLANG_VERSION.linux-$(dpkg --print-architecture).tar.gz"
+
+wget -q -O go.tgz "$url"
+
+sudo tar -C /usr/local -xzf go.tgz
+rm go.tgz
+
+export GOROOT=/usr/local/go
+export PATH="$GOROOT/bin:$PATH"
+
+echo "Go installed"
+go version
diff --git a/tetrateci/tetrateci/test_1.10.sh b/tetrateci/tetrateci/test_1.10.sh
new file mode 100755
index 000000000000..8778ec86bd8c
--- /dev/null
+++ b/tetrateci/tetrateci/test_1.10.sh
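Review bot: setup_go.sh downloads the Go toolchain tarball and unpacks it into /usr/local as root with no integrity check, so whatever the download endpoint returns becomes the compiler for everything built afterwards. Keep a SHA-256 next to each `GOLANG_VERSION` in the version table (a new variable, say `GOLANG_SHA256`) and verify before extracting with `echo "${GOLANG_SHA256}  go.tgz" | sha256sum -c -` placed ahead of `sudo tar`. Also, when no branch condition matches, `GOLANG_VERSION` is never set and the script stops on `set -u` with an unbound-variable message at the `url=` line; a final explicit check with a clear error naming the unsupported version would be easier to diagnose.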
@@ -0,0 +1,55 @@ +#!/usr/bin/env bash +./tetrateci/version_check.py && exit +set -e + +source ./tetrateci/setup_go.sh + +echo "Applying patches...." + +# git apply tetrateci/patches/common/increase-vm-timeout.1.9.patch +# git apply tetrateci/patches/common/increase-sniffing-timeout.1.9.patch +git apply tetrateci/patches/common/increase-dashboard-timeout.1.10.patch +git apply tetrateci/patches/common/disable-vmregistration.1.10.patch # https://github.com/istio/istio/issues/29100 +git apply tetrateci/patches/common/disable-passthroughfilterchain.1.10.patch # https://github.com/istio/istio/issues/32623 + +# the code fails whenever there is something other than digits in the k8s minor version +# in our case which is a "+" symbol due to extra patching by corresponding vendor +# so we get 1.17+ instead of 1.17 +# git apply tetrateci/patches/common/fix-version-check.1.9.patch + +if [[ ${CLUSTER} == "gke" ]]; then + echo "Generating operator config for GKE" + # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76 + python3 -m pip install pyyaml --user && ./tetrateci/gen_iop.py + CLUSTERFLAGS="-istio.test.kube.helm.iopFile $(pwd)/tetrateci/iop-gke-integration.yml" + + echo "Applying GKE specific patches...." + git apply tetrateci/patches/gke/chiron-gke.patch +fi + +if [[ ${CLUSTER} == "eks" ]]; then + echo "Applying Ingress patch for EKS...." + git apply tetrateci/patches/eks/eks-ingress.1.10.patch +fi + +if $(grep -q "1.17" <<< ${K8S_VERSION}); then + PACKAGES=$(go list -tags=integ ./tests/integration/... | grep -v /qualification | grep -v /examples | grep -v /multicluster | grep -v /endpointslice | grep -v /stackdriver) +else + PACKAGES=$(go list -tags=integ ./tests/integration/... 
| grep -v /qualification | grep -v /examples | grep -v /multicluster | grep -v /stackdriver) +fi + +echo "Starting Testing" + +for package in $PACKAGES; do + n=0 + until [ "$n" -ge 3 ] + do + echo "========================================================TESTING $package | TRY $n========================================================" + go test -test.v -tags=integ $package -timeout 30m --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.pullpolicy IfNotPresent ${CLUSTERFLAGS} && break || echo "Test Failed: $package" + for folder in $(ls -d /tmp/* | grep istio); do sudo rm -rf -- $folder; done + n=$((n+1)) + done + [ "$n" -ge 3 ] && exit 1 +done + +echo "Testing Done" diff --git a/tetrateci/tetrateci/test_1.11.sh b/tetrateci/tetrateci/test_1.11.sh new file mode 100644 index 000000000000..6474f997b1bf --- /dev/null +++ b/tetrateci/tetrateci/test_1.11.sh 
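Review bot: In test_1.10.sh the cleanup `for folder in $(ls -d /tmp/* | grep istio); do sudo rm -rf -- $folder; done` word-splits names read from a world-writable directory and passes each fragment to a root `rm -rf`, so an entry whose name contains whitespace is removed as several unrelated paths. Let `find` pass the names intact instead: `find /tmp -mindepth 1 -maxdepth 1 -name '*istio*' -exec sudo rm -rf -- {} +`. In the same script `python3 -m pip install pyyaml --user` installs an unpinned package on every GKE run; pinning the version keeps what the CI job executes reproducible.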
@@ -0,0 +1,95 @@ +#!/usr/bin/env bash +# +# Copyright (c) Tetrate, Inc 2022 All Rights Reserved. + +set -e +set -u +set -x + +SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd ) + +"${SCRIPTDIR}/version_check.py" && exit + +# shellcheck disable=SC1091 +source "${SCRIPTDIR}/setup_go.sh" + +COMMON_TEST_FLAGS=() + +echo "Applying patches...." + +# Apply the same patches that were applies when building test images +"${SCRIPTDIR}/apply_e2e_build_patches.sh" + +git apply "${SCRIPTDIR}/patches/common/increase-dashboard-timeout.1.11.patch" + +if [[ "${CLUSTER}" == "gke" ]]; then + echo "Generating operator config for GKE" + + # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76 + python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py" + + COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" ) + + echo "Applying GKE specific patches...." + git apply "${SCRIPTDIR}/patches/gke/chiron-gke.patch" +fi + +if [[ "${CLUSTER}" == "eks" ]]; then + echo "Applying Ingress patch for EKS...." 
+ git apply "${SCRIPTDIR}/patches/eks/eks-ingress.1.11.patch" +fi + +PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...") + +echo "Starting Testing" + +FAILED_PACKAGES=() + +for pkg in $PACKAGES; do + echo "========================================================TESTING ${pkg} ========================================================" + + SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" ) + SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" ) + + if [[ "${SKIP_TESTS}" == "*" ]]; then + echo "Skipping according to the rule: ${SKIP_RULE}" + continue + fi + + read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}" + + SKIP_TEST_FLAGS=() + for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do + SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" ) + done + + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.pullpolicy=IfNotPresent \ + --istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + || \ + { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; } + + find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -f -- {} \; +done + +echo "Testing Done" + +if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then + echo "" + echo "Some of the tests have failed :(" + echo "" + echo "Packages with failed tests:" + for pkg in "${FAILED_PACKAGES[@]}"; do + echo "- ${pkg}" + done + exit 1 +fi diff --git a/tetrateci/tetrateci/test_1.12.sh b/tetrateci/tetrateci/test_1.12.sh new file mode 100755 index 000000000000..ad7d9a53294e --- /dev/null +++ b/tetrateci/tetrateci/test_1.12.sh 
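Review bot: In test_1.11.sh the per-package cleanup `find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -f -- {} \;` selects directories but runs `rm -f` without `-r`, which cannot remove a directory, and `find` still exits 0 when an `-exec ... \;` command fails, so the cleanup silently does nothing and test state from earlier packages accumulates in /tmp. It should read `-exec sudo rm -rf -- {} +`. The identical line is added in test_1.12.sh, test_1.13.sh, test_1.14.sh and test_1.15.sh.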
@@ -0,0 +1,80 @@ +#!/usr/bin/env bash +# +# Copyright (c) Tetrate, Inc 2021 All Rights Reserved. + +set -e +set -u +set -x + +SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd ) + +"${SCRIPTDIR}/version_check.py" && exit + +# shellcheck disable=SC1091 +source "${SCRIPTDIR}/setup_go.sh" + +COMMON_TEST_FLAGS=() + +if [[ "${CLUSTER}" == "gke" ]]; then + echo "Generating operator config for GKE" + + # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76 + python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py" + + COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" ) +fi + +PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...") + +echo "Starting Testing" + +FAILED_PACKAGES=() + +for pkg in $PACKAGES; do + echo "========================================================TESTING ${pkg} ========================================================" + + SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" ) + SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" ) + + if [[ "${SKIP_TESTS}" == "*" ]]; then + echo "Skipping according to the rule: ${SKIP_RULE}" + continue + fi + + read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}" + + SKIP_TEST_FLAGS=() + for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do + SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" ) + done + + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.pullpolicy=IfNotPresent \ + --istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + || \ + { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; } + + find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -f -- {} \; +done + +echo "Testing Done" + +if [[ ${#FAILED_PACKAGES[@]} 
-gt 0 ]]; then + echo "" + echo "Some of the tests have failed :(" + echo "" + echo "Packages with failed tests:" + for pkg in "${FAILED_PACKAGES[@]}"; do + echo "- ${pkg}" + done + exit 1 +fi diff --git a/tetrateci/tetrateci/test_1.13.sh b/tetrateci/tetrateci/test_1.13.sh new file mode 100644 index 000000000000..6474f997b1bf --- /dev/null +++ b/tetrateci/tetrateci/test_1.13.sh 
@@ -0,0 +1,95 @@ +#!/usr/bin/env bash +# +# Copyright (c) Tetrate, Inc 2022 All Rights Reserved. + +set -e +set -u +set -x + +SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd ) + +"${SCRIPTDIR}/version_check.py" && exit + +# shellcheck disable=SC1091 +source "${SCRIPTDIR}/setup_go.sh" + +COMMON_TEST_FLAGS=() + +echo "Applying patches...." + +# Apply the same patches that were applies when building test images +"${SCRIPTDIR}/apply_e2e_build_patches.sh" + +git apply "${SCRIPTDIR}/patches/common/increase-dashboard-timeout.1.11.patch" + +if [[ "${CLUSTER}" == "gke" ]]; then + echo "Generating operator config for GKE" + + # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76 + python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py" + + COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" ) + + echo "Applying GKE specific patches...." + git apply "${SCRIPTDIR}/patches/gke/chiron-gke.patch" +fi + +if [[ "${CLUSTER}" == "eks" ]]; then + echo "Applying Ingress patch for EKS...." 
+ git apply "${SCRIPTDIR}/patches/eks/eks-ingress.1.11.patch" +fi + +PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...") + +echo "Starting Testing" + +FAILED_PACKAGES=() + +for pkg in $PACKAGES; do + echo "========================================================TESTING ${pkg} ========================================================" + + SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" ) + SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" ) + + if [[ "${SKIP_TESTS}" == "*" ]]; then + echo "Skipping according to the rule: ${SKIP_RULE}" + continue + fi + + read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}" + + SKIP_TEST_FLAGS=() + for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do + SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" ) + done + + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.pullpolicy=IfNotPresent \ + --istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + || \ + { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; } + + find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -f -- {} \; +done + +echo "Testing Done" + +if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then + echo "" + echo "Some of the tests have failed :(" + echo "" + echo "Packages with failed tests:" + for pkg in "${FAILED_PACKAGES[@]}"; do + echo "- ${pkg}" + done + exit 1 +fi diff --git a/tetrateci/tetrateci/test_1.14.sh b/tetrateci/tetrateci/test_1.14.sh new file mode 100644 index 000000000000..898b7cf02532 --- /dev/null +++ b/tetrateci/tetrateci/test_1.14.sh 
@@ -0,0 +1,107 @@ +#!/usr/bin/env bash +# +# Copyright (c) Tetrate, Inc 2022 All Rights Reserved. + +set -e +set -u +set -x + +SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd ) + +"${SCRIPTDIR}/version_check.py" && exit + +# shellcheck disable=SC1091 +source "${SCRIPTDIR}/setup_go.sh" + +COMMON_TEST_FLAGS=() + +echo "Applying patches...." + +# Apply the same patches that were applies when building test images +"${SCRIPTDIR}/apply_e2e_build_patches.sh" + +git apply "${SCRIPTDIR}/patches/common/increase-dashboard-timeout.1.11.patch" + +if [[ "${CLUSTER}" == "gke" ]]; then + echo "Generating operator config for GKE" + + # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76 + python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py" + + COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" ) + +fi + +if [[ "${CLUSTER}" == "eks" ]]; then + echo "Applying Ingress patch for EKS...." 
+ git apply "${SCRIPTDIR}/patches/eks/eks-ingress.1.13.patch" +fi + +PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...") + +echo "Starting Testing" + +FAILED_PACKAGES=() + +for pkg in $PACKAGES; do + echo "========================================================TESTING ${pkg} ========================================================" + + SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" ) + SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" ) + + if [[ "${SKIP_TESTS}" == "*" ]]; then + echo "Skipping according to the rule: ${SKIP_RULE}" + continue + fi + + read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}" + + SKIP_TEST_FLAGS=() + for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do + SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" ) + done + + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.hub=${HUB} \ + --istio.test.tag=${TAG}-distroless \ + --istio.test.pullpolicy=IfNotPresent \ + --istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + && \ + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.pullpolicy=IfNotPresent \ + --istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + || \ + { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; } + + find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -f -- {} \; +done + +echo "Testing Done" + +if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then + echo "" + echo "Some of the tests have failed :(" + echo "" + echo "Packages with failed tests:" + for pkg in "${FAILED_PACKAGES[@]}"; do + echo "- ${pkg}" + done + exit 1 +fi 
diff --git a/tetrateci/tetrateci/test_1.15.sh b/tetrateci/tetrateci/test_1.15.sh new file mode 100644 index 000000000000..69f20af588a9 --- /dev/null +++ b/tetrateci/tetrateci/test_1.15.sh 
@@ -0,0 +1,108 @@ +#!/usr/bin/env bash +# +# Copyright (c) Tetrate, Inc 2022 All Rights Reserved. + +set -e +set -u +set -x + +SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd ) + +"${SCRIPTDIR}/version_check.py" && exit + +# shellcheck disable=SC1091 +source "${SCRIPTDIR}/setup_go.sh" + +COMMON_TEST_FLAGS=() + +echo "Applying patches...." + +# Apply the same patches that were applies when building test images +"${SCRIPTDIR}/apply_e2e_build_patches.sh" + +git apply "${SCRIPTDIR}/patches/common/increase-dashboard-timeout.1.11.patch" + +if [[ "${CLUSTER}" == "gke" ]]; then + echo "Generating operator config for GKE" + + # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76 + python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py" + + COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" ) + +fi + +if [[ "${CLUSTER}" == "eks" ]]; then + echo "Applying patch for EKS...." 
+ git apply --3way "${SCRIPTDIR}/patches/eks/eks.${ISTIO_MINOR_VER}.patch" +fi + + +PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...") + +echo "Starting Testing" + +FAILED_PACKAGES=() + +for pkg in $PACKAGES; do + echo "========================================================TESTING ${pkg} ========================================================" + + SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" ) + SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" ) + + if [[ "${SKIP_TESTS}" == "*" ]]; then + echo "Skipping according to the rule: ${SKIP_RULE}" + continue + fi + + read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}" + + SKIP_TEST_FLAGS=() + for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do + SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" ) + done + + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.hub=${HUB} \ + --istio.test.tag=${TAG}-distroless \ + --istio.test.pullpolicy=IfNotPresent \ + --istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + && \ + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.pullpolicy=IfNotPresent \ + --istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + || \ + { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; } + + find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -f -- {} \; +done + +echo "Testing Done" + +if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then + echo "" + echo "Some of the tests have failed :(" + echo "" + echo "Packages with failed tests:" + for pkg in "${FAILED_PACKAGES[@]}"; do + echo "- ${pkg}" + done + exit 1 +fi 
diff --git a/tetrateci/tetrateci/test_1.15_arm.sh b/tetrateci/tetrateci/test_1.15_arm.sh new file mode 100644 index 000000000000..51457acc93ce --- /dev/null +++ b/tetrateci/tetrateci/test_1.15_arm.sh 
@@ -0,0 +1,111 @@ +#!/usr/bin/env bash +# +# Copyright (c) Tetrate, Inc 2022 All Rights Reserved. + +set -e +set -u +set -x + +SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd ) + +"${SCRIPTDIR}/version_check.py" && exit + +# shellcheck disable=SC1091 +source "${SCRIPTDIR}/setup_go.sh" + +COMMON_TEST_FLAGS=() + +echo "Applying patches...." + +# Apply the same patches that were applies when building test images +"${SCRIPTDIR}/apply_e2e_build_patches.sh" + +git apply "${SCRIPTDIR}/patches/common/increase-dashboard-timeout.1.11.patch" + +if [[ "${CLUSTER}" == "gke" ]]; then + echo "Generating operator config for GKE" + + # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76 + python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py" + + COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" ) + +fi + +if [[ "${CLUSTER}" == "eks" ]]; then + echo "Applying patch for EKS...." 
+ git apply --3way "${SCRIPTDIR}/patches/eks/eks.${ISTIO_MINOR_VER}.patch" +fi + +#go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG}-distroless --istio.test.pullpolicy=IfNotPresent --istio.test.retries=1 && go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG} --istio.test.pullpolicy=IfNotPresent + +PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...") + +echo "Starting Testing" + +FAILED_PACKAGES=() + +for pkg in $PACKAGES; do + echo "========================================================TESTING ${pkg} ========================================================" + + SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" ) + SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" ) + + if [[ "${SKIP_TESTS}" == "*" ]]; then + echo "Skipping according to the rule: ${SKIP_RULE}" + continue + fi + + read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}" + + SKIP_TEST_FLAGS=() + for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do + SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" ) + done + + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.skipVM=true \ + --istio.test.hub=${HUB} \ + --istio.test.tag=${TAG}-distroless \ + --istio.test.pullpolicy=IfNotPresent \ + --istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + && \ + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.skipVM=true \ + --istio.test.pullpolicy=IfNotPresent \ + 
--istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + || \ + { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; } + + find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -f -- {} \; +done + +echo "Testing Done" + +if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then + echo "" + echo "Some of the tests have failed :(" + echo "" + echo "Packages with failed tests:" + for pkg in "${FAILED_PACKAGES[@]}"; do + echo "- ${pkg}" + done + exit 1 +fi diff --git a/tetrateci/tetrateci/test_1.16.sh b/tetrateci/tetrateci/test_1.16.sh new file mode 100644 index 000000000000..087521b02d95 --- /dev/null +++ b/tetrateci/tetrateci/test_1.16.sh 
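Review bot: The per-package cleanup at the end of the `for pkg` loop never deletes anything: `find /tmp ... -type d -name '*istio*' -exec sudo rm -f -- {} \;` hands directories to `rm` without `-r`, which refuses them, and a failing `-exec ... \;` does not change find's exit status, so `set -e` stays silent. Leftover `/tmp/*istio*` directories from one package therefore persist into the next package's run and accumulate on the runner. I would change the action to `-exec sudo rm -rf -- {} \;`. The same line appears in the test_1.16.sh, test_1.16_arm.sh, test_1.17.sh, test_1.17_arm.sh, test_1.18.sh, test_1.18_arm.sh, test_1.19.sh and test_1.19_arm.sh hunks.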
@@ -0,0 +1,107 @@ +#!/usr/bin/env bash +# +# Copyright (c) Tetrate, Inc 2022 All Rights Reserved. + +set -e +set -u +set -x + +SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd ) + +"${SCRIPTDIR}/version_check.py" && exit + +# shellcheck disable=SC1091 +source "${SCRIPTDIR}/setup_go.sh" + +COMMON_TEST_FLAGS=() + +echo "Applying patches...." + +# Apply the same patches that were applies when building test images +"${SCRIPTDIR}/apply_e2e_build_patches.sh" + + +if [[ "${CLUSTER}" == "gke" ]]; then + echo "Generating operator config for GKE" + + # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76 + python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py" + + COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" ) + +fi + +if [[ "${CLUSTER}" == "eks" ]]; then + echo "Applying patch for EKS...." + git apply --3way "${SCRIPTDIR}/patches/eks/eks.${ISTIO_MINOR_VER}.patch" +fi + + +PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...") + +echo "Starting Testing" + +FAILED_PACKAGES=() + +for pkg in $PACKAGES; do + echo "========================================================TESTING ${pkg} ========================================================" + + SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" ) + SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" ) + + if [[ "${SKIP_TESTS}" == "*" ]]; then + echo "Skipping according to the rule: ${SKIP_RULE}" + continue + fi + + read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}" + + SKIP_TEST_FLAGS=() + for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do + SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" ) + done + + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.hub=${HUB} \ + 
--istio.test.tag=${TAG}-distroless \ + --istio.test.pullpolicy=IfNotPresent \ + --istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + && \ + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.pullpolicy=IfNotPresent \ + --istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + || \ + { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; } + + find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -f -- {} \; +done + +echo "Testing Done" + +if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then + echo "" + echo "Some of the tests have failed :(" + echo "" + echo "Packages with failed tests:" + for pkg in "${FAILED_PACKAGES[@]}"; do + echo "- ${pkg}" + done + exit 1 +fi diff --git a/tetrateci/tetrateci/test_1.16_arm.sh b/tetrateci/tetrateci/test_1.16_arm.sh new file mode 100644 index 000000000000..97c23342d529 --- /dev/null +++ b/tetrateci/tetrateci/test_1.16_arm.sh 
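Review bot: `python3 -m pip install pyyaml --user` in the GKE branch installs whatever PyYAML release the index serves at run time, so the CI job pulls unpinned third-party code immediately before `gen_iop.py` runs. Pinning the version and hash keeps the run reproducible and limits exposure to a tampered or replaced release, for example `python3 -m pip install --user --require-hashes -r "${SCRIPTDIR}/requirements.txt"` with a new requirements file (name is a suggestion) that carries `pyyaml==<PINNED_VERSION> --hash=sha256:<HASH>`. The same install line is in the GKE branch of every other test_*.sh hunk in this commit.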
@@ -0,0 +1,111 @@ +#!/usr/bin/env bash +# +# Copyright (c) Tetrate, Inc 2022 All Rights Reserved. + +set -e +set -u +set -x + +SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd ) + +"${SCRIPTDIR}/version_check.py" && exit + +# shellcheck disable=SC1091 +source "${SCRIPTDIR}/setup_go.sh" + +COMMON_TEST_FLAGS=() + +echo "Applying patches...." + +# Apply the same patches that were applies when building test images +"${SCRIPTDIR}/apply_e2e_build_patches.sh" + +#git apply "${SCRIPTDIR}/patches/common/increase-dashboard-timeout.1.11.patch" + +if [[ "${CLUSTER}" == "gke" ]]; then + echo "Generating operator config for GKE" + + # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76 + python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py" + + COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" ) + +fi + +if [[ "${CLUSTER}" == "eks" ]]; then + echo "Applying patch for EKS...." 
+ git apply --3way "${SCRIPTDIR}/patches/eks/eks.${ISTIO_MINOR_VER}.patch" +fi + +#go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG}-distroless --istio.test.pullpolicy=IfNotPresent --istio.test.retries=1 && go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG} --istio.test.pullpolicy=IfNotPresent + +PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...") + +echo "Starting Testing" + +FAILED_PACKAGES=() + +for pkg in $PACKAGES; do + echo "========================================================TESTING ${pkg} ========================================================" + + SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" ) + SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" ) + + if [[ "${SKIP_TESTS}" == "*" ]]; then + echo "Skipping according to the rule: ${SKIP_RULE}" + continue + fi + + read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}" + + SKIP_TEST_FLAGS=() + for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do + SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" ) + done + + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.skipVM=true \ + --istio.test.hub=${HUB} \ + --istio.test.tag=${TAG}-distroless \ + --istio.test.pullpolicy=IfNotPresent \ + --istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + && \ + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.skipVM=true \ + --istio.test.pullpolicy=IfNotPresent \ + 
--istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + || \ + { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; } + + find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -f -- {} \; +done + +echo "Testing Done" + +if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then + echo "" + echo "Some of the tests have failed :(" + echo "" + echo "Packages with failed tests:" + for pkg in "${FAILED_PACKAGES[@]}"; do + echo "- ${pkg}" + done + exit 1 +fi diff --git a/tetrateci/tetrateci/test_1.17.sh b/tetrateci/tetrateci/test_1.17.sh new file mode 100644 index 000000000000..6526631843e3 --- /dev/null +++ b/tetrateci/tetrateci/test_1.17.sh 
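Review bot: The skip-rule lookup `grep -F "${pkg}=" ".../skip.d/${CLUSTER}"` matches the package path anywhere in a line and can return several lines, but the code after it assumes a single line that starts with `${pkg}=`. When the match is not at the start of the line (a commented-out rule, for instance) the `${SKIP_RULE#${pkg}=}` strip does nothing and the whole line is turned into `--istio.test.skip=` arguments; when several lines match, `read -ra` keeps only the first. Matching the key exactly avoids both: replace `grep -F "${pkg}="` with `awk -F= -v p="${pkg}" '$1 == p { print; exit }'`. The same lookup is used in the other test_1.15 to test_1.19 hunks; the skip file is not part of this commit view, so its format is assumed.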
@@ -0,0 +1,109 @@ +#!/usr/bin/env bash +# +# Copyright (c) Tetrate, Inc 2022 All Rights Reserved. + +set -e +set -u +set -x + +SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd ) + +"${SCRIPTDIR}/version_check.py" && exit + +# shellcheck disable=SC1091 +source "${SCRIPTDIR}/setup_go.sh" + +COMMON_TEST_FLAGS=() + +echo "Applying patches...." + +# Apply the same patches that were applies when building test images +"${SCRIPTDIR}/apply_e2e_build_patches.sh" + + +if [[ "${CLUSTER}" == "gke" ]]; then + echo "Generating operator config for GKE" + + # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76 + python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py" + + COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" ) + +fi + +if [[ "${CLUSTER}" == "eks" ]]; then + echo "Applying patch for EKS...." + git apply --3way "${SCRIPTDIR}/patches/eks/eks.${ISTIO_MINOR_VER}.patch" +fi + + +PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...") + +echo "Starting Testing" + +FAILED_PACKAGES=() + +for pkg in $PACKAGES; do + echo "========================================================TESTING ${pkg} ========================================================" + + SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" ) + SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" ) + + if [[ "${SKIP_TESTS}" == "*" ]]; then + echo "Skipping according to the rule: ${SKIP_RULE}" + continue + fi + + read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}" + + SKIP_TEST_FLAGS=() + for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do + SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" ) + done + + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.skipVM=true \ + 
--istio.test.hub=${HUB} \ + --istio.test.tag=${TAG}-distroless \ + --istio.test.pullpolicy=IfNotPresent \ + --istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + && \ + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.skipVM=true \ + --istio.test.pullpolicy=IfNotPresent \ + --istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + || \ + { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; } + + find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -f -- {} \; +done + +echo "Testing Done" + +if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then + echo "" + echo "Some of the tests have failed :(" + echo "" + echo "Packages with failed tests:" + for pkg in "${FAILED_PACKAGES[@]}"; do + echo "- ${pkg}" + done + exit 1 +fi diff --git a/tetrateci/tetrateci/test_1.17_arm.sh b/tetrateci/tetrateci/test_1.17_arm.sh new file mode 100644 index 000000000000..97c23342d529 --- /dev/null +++ b/tetrateci/tetrateci/test_1.17_arm.sh 
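Review bot: `2>/dev/null || echo ""` on the `SKIP_RULE` lookup hides a missing or unreadable `skip.d/${CLUSTER}` file, so a mistyped `CLUSTER` or `ISTIO_MINOR_VER` silently runs with no skip rules, and a mistyped `CLUSTER` also bypasses both the `gke` and the `eks` branch. A check before the loop makes that visible, e.g. `[[ -r "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" ]] || echo "WARN: no skip rules for ${CLUSTER}" >&2`, or a `case "${CLUSTER}" in` allow-list if the set of clusters is fixed. This applies equally to the other test_1.15 to test_1.19 hunks.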
@@ -0,0 +1,111 @@ +#!/usr/bin/env bash +# +# Copyright (c) Tetrate, Inc 2022 All Rights Reserved. + +set -e +set -u +set -x + +SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd ) + +"${SCRIPTDIR}/version_check.py" && exit + +# shellcheck disable=SC1091 +source "${SCRIPTDIR}/setup_go.sh" + +COMMON_TEST_FLAGS=() + +echo "Applying patches...." + +# Apply the same patches that were applies when building test images +"${SCRIPTDIR}/apply_e2e_build_patches.sh" + +#git apply "${SCRIPTDIR}/patches/common/increase-dashboard-timeout.1.11.patch" + +if [[ "${CLUSTER}" == "gke" ]]; then + echo "Generating operator config for GKE" + + # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76 + python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py" + + COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" ) + +fi + +if [[ "${CLUSTER}" == "eks" ]]; then + echo "Applying patch for EKS...." 
+ git apply --3way "${SCRIPTDIR}/patches/eks/eks.${ISTIO_MINOR_VER}.patch" +fi + +#go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG}-distroless --istio.test.pullpolicy=IfNotPresent --istio.test.retries=1 && go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG} --istio.test.pullpolicy=IfNotPresent + +PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...") + +echo "Starting Testing" + +FAILED_PACKAGES=() + +for pkg in $PACKAGES; do + echo "========================================================TESTING ${pkg} ========================================================" + + SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" ) + SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" ) + + if [[ "${SKIP_TESTS}" == "*" ]]; then + echo "Skipping according to the rule: ${SKIP_RULE}" + continue + fi + + read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}" + + SKIP_TEST_FLAGS=() + for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do + SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" ) + done + + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.skipVM=true \ + --istio.test.hub=${HUB} \ + --istio.test.tag=${TAG}-distroless \ + --istio.test.pullpolicy=IfNotPresent \ + --istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + && \ + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.skipVM=true \ + --istio.test.pullpolicy=IfNotPresent \ + 
--istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + || \ + { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; } + + find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -f -- {} \; +done + +echo "Testing Done" + +if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then + echo "" + echo "Some of the tests have failed :(" + echo "" + echo "Packages with failed tests:" + for pkg in "${FAILED_PACKAGES[@]}"; do + echo "- ${pkg}" + done + exit 1 +fi diff --git a/tetrateci/tetrateci/test_1.18.sh b/tetrateci/tetrateci/test_1.18.sh new file mode 100644 index 000000000000..61436c6e6625 --- /dev/null +++ b/tetrateci/tetrateci/test_1.18.sh 
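Review bot: test_1.17_arm.sh is added with blob `97c23342d529`, the same id as test_1.16_arm.sh, so the two files are byte-identical, and the remaining per-version scripts differ from them in only a few lines. Copies like this drift: this commit already has `eks.${ISTIO_MINOR_VER}.patch` in the 1.15 to 1.17 scripts but `eks_${ISTIO_MINOR_VER}.patch` in 1.18, and `--istio.test.retries=3` only in test_1.18.sh. I would keep one runner script that takes the per-version differences from variables (extra flags, whether to run the distroless pass, patch list) and have each version file set those and source it, so a fix to the loop lands once.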
@@ -0,0 +1,109 @@ +#!/usr/bin/env bash +# +# Copyright (c) Tetrate, Inc 2022 All Rights Reserved. + +set -e +set -u +set -x + +SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd ) + +"${SCRIPTDIR}/version_check.py" && exit + +# shellcheck disable=SC1091 +source "${SCRIPTDIR}/setup_go.sh" + +COMMON_TEST_FLAGS=() + +echo "Applying patches...." + +# Apply the same patches that were applies when building test images +"${SCRIPTDIR}/apply_e2e_build_patches.sh" + + +if [[ "${CLUSTER}" == "gke" ]]; then + echo "Generating operator config for GKE" + + # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76 + python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py" + + COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" ) + +fi + +if [[ "${CLUSTER}" == "eks" ]]; then + echo "Applying patch for EKS...." + git apply --3way "${SCRIPTDIR}/patches/eks/eks_${ISTIO_MINOR_VER}.patch" +fi + + +PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...") + +echo "Starting Testing" + +FAILED_PACKAGES=() + +for pkg in $PACKAGES; do + echo "========================================================TESTING ${pkg} ========================================================" + + SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" ) + SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" ) + + if [[ "${SKIP_TESTS}" == "*" ]]; then + echo "Skipping according to the rule: ${SKIP_RULE}" + continue + fi + + read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}" + + SKIP_TEST_FLAGS=() + for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do + SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" ) + done + + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.skipVM=true \ + 
--istio.test.hub=${HUB} \ + --istio.test.tag=${TAG}-distroless \ + --istio.test.pullpolicy=IfNotPresent \ + --istio.test.retries=3 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + && \ + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.skipVM=true \ + --istio.test.pullpolicy=IfNotPresent \ + --istio.test.retries=3 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + || \ + { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; } + + find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -f -- {} \; +done + +echo "Testing Done" + +if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then + echo "" + echo "Some of the tests have failed :(" + echo "" + echo "Packages with failed tests:" + for pkg in "${FAILED_PACKAGES[@]}"; do + echo "- ${pkg}" + done + exit 1 +fi diff --git a/tetrateci/tetrateci/test_1.18_arm.sh b/tetrateci/tetrateci/test_1.18_arm.sh new file mode 100644 index 000000000000..23118c2f8c6b --- /dev/null +++ b/tetrateci/tetrateci/test_1.18_arm.sh 
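Review bot: The two `go test` invocations are chained as `A && B || { FAILED_PACKAGES+=( "${pkg}" ) ... ; }`, so when the first pass (`--istio.test.tag=${TAG}-distroless`) fails the second pass is never run, and the failure record does not say which pass failed. The second pass also drops `--istio.test.hub` and `--istio.test.tag`, presumably to fall back to the framework defaults; once confirmed that deserves a comment such as `# second pass: default (non-distroless) images, hub/tag from the environment`. Running the passes as two separate statements, each appending `"${pkg} (distroless)"` or `"${pkg} (default)"` to `FAILED_PACKAGES`, would give complete results per package. The same structure is in the test_1.15_arm, test_1.16, test_1.16_arm, test_1.17, test_1.17_arm and test_1.18_arm hunks.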
@@ -0,0 +1,111 @@ +#!/usr/bin/env bash +# +# Copyright (c) Tetrate, Inc 2022 All Rights Reserved. + +set -e +set -u +set -x + +SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd ) + +"${SCRIPTDIR}/version_check.py" && exit + +# shellcheck disable=SC1091 +source "${SCRIPTDIR}/setup_go.sh" + +COMMON_TEST_FLAGS=() + +echo "Applying patches...." + +# Apply the same patches that were applies when building test images +"${SCRIPTDIR}/apply_e2e_build_patches.sh" + +#git apply "${SCRIPTDIR}/patches/common/increase-dashboard-timeout.1.11.patch" + +if [[ "${CLUSTER}" == "gke" ]]; then + echo "Generating operator config for GKE" + + # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76 + python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py" + + COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" ) + +fi + +if [[ "${CLUSTER}" == "eks" ]]; then + echo "Applying patch for EKS...." 
+ git apply --3way "${SCRIPTDIR}/patches/eks/eks_${ISTIO_MINOR_VER}.patch" +fi + +#go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG}-distroless --istio.test.pullpolicy=IfNotPresent --istio.test.retries=1 && go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG} --istio.test.pullpolicy=IfNotPresent + +PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...") + +echo "Starting Testing" + +FAILED_PACKAGES=() + +for pkg in $PACKAGES; do + echo "========================================================TESTING ${pkg} ========================================================" + + SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" ) + SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" ) + + if [[ "${SKIP_TESTS}" == "*" ]]; then + echo "Skipping according to the rule: ${SKIP_RULE}" + continue + fi + + read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}" + + SKIP_TEST_FLAGS=() + for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do + SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" ) + done + + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.skipVM=true \ + --istio.test.hub=${HUB} \ + --istio.test.tag=${TAG}-distroless \ + --istio.test.pullpolicy=IfNotPresent \ + --istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + && \ + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.skipVM=true \ + --istio.test.pullpolicy=IfNotPresent \ + 
--istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + || \ + { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; } + + find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -f -- {} \; +done + +echo "Testing Done" + +if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then + echo "" + echo "Some of the tests have failed :(" + echo "" + echo "Packages with failed tests:" + for pkg in "${FAILED_PACKAGES[@]}"; do + echo "- ${pkg}" + done + exit 1 +fi \ No newline at end of file diff --git a/tetrateci/tetrateci/test_1.19.sh b/tetrateci/tetrateci/test_1.19.sh new file mode 100644 index 000000000000..fd646a685a11 --- /dev/null +++ b/tetrateci/tetrateci/test_1.19.sh 
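Review bot: `--istio.test.hub=${HUB}` and `--istio.test.tag=${TAG}-distroless` in the `go test` call are unquoted, so a value containing whitespace or glob characters is split or expanded into extra arguments to the test binary. ShellCheck reports this as SC2086, and the script already carries ShellCheck directives, so it is presumably meant to lint clean. Quote them as `"--istio.test.hub=${HUB}"` and `"--istio.test.tag=${TAG}-distroless"`. The other test_1.15 to test_1.19 hunks have the same lines.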
@@ -0,0 +1,96 @@ +#!/usr/bin/env bash +# +# Copyright (c) Tetrate, Inc 2022 All Rights Reserved. + +set -e +set -u +set -x + +SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd ) + +"${SCRIPTDIR}/version_check.py" && exit + +# shellcheck disable=SC1091 +source "${SCRIPTDIR}/setup_go.sh" + +COMMON_TEST_FLAGS=() + +echo "Applying patches...." + +# Apply the same patches that were applies when building test images +"${SCRIPTDIR}/apply_e2e_build_patches.sh" + + +if [[ "${CLUSTER}" == "gke" ]]; then + echo "Generating operator config for GKE" + + # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76 + python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py" + + COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" ) + +fi + +#if [[ "${CLUSTER}" == "eks" ]]; then +# echo "Applying patch for EKS...." +# git apply "${SCRIPTDIR}/patches/eks/eks_${ISTIO_MINOR_VER}.patch" +#fi + + +PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...") + +echo "Starting Testing" + +FAILED_PACKAGES=() + +for pkg in $PACKAGES; do + echo "========================================================TESTING ${pkg} ========================================================" + + SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" ) + SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" ) + + if [[ "${SKIP_TESTS}" == "*" ]]; then + echo "Skipping according to the rule: ${SKIP_RULE}" + continue + fi + + read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}" + + SKIP_TEST_FLAGS=() + for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do + SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" ) + done + + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.skipVM=true \ + 
--istio.test.hub=${HUB} \ + --istio.test.tag=${TAG} \ + --istio.test.pullpolicy=IfNotPresent \ + --istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + || \ + { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; } + + find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -f -- {} \; +done + +echo "Testing Done" + +if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then + echo "" + echo "Some of the tests have failed :(" + echo "" + echo "Packages with failed tests:" + for pkg in "${FAILED_PACKAGES[@]}"; do + echo "- ${pkg}" + done + exit 1 +fi diff --git a/tetrateci/tetrateci/test_1.19_arm.sh b/tetrateci/tetrateci/test_1.19_arm.sh new file mode 100644 index 000000000000..dd05d7928b6c --- /dev/null +++ b/tetrateci/tetrateci/test_1.19_arm.sh 
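Review bot: From 1.19 on the two-pass run disappears without explanation: test_1.19.sh runs only `--istio.test.tag=${TAG}` and test_1.19_arm.sh only `--istio.test.tag=${TAG}-distroless`, whereas the 1.15 to 1.18 scripts run a distroless pass followed by a default pass. If the reduced image coverage is deliberate, a comment above `go test` should say so. The EKS block left as commented-out code (`#if [[ "${CLUSTER}" == "eks" ]]; then`) likewise needs either a reason or removal, e.g. `# EKS patch not applied for 1.19: <reason>`.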
@@ -0,0 +1,98 @@ +#!/usr/bin/env bash +# +# Copyright (c) Tetrate, Inc 2022 All Rights Reserved. + +set -e +set -u +set -x + +SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +ROOTDIR=$( cd "${SCRIPTDIR}/.." && pwd ) + +"${SCRIPTDIR}/version_check.py" && exit + +# shellcheck disable=SC1091 +source "${SCRIPTDIR}/setup_go.sh" + +COMMON_TEST_FLAGS=() + +echo "Applying patches...." + +# Apply the same patches that were applies when building test images +"${SCRIPTDIR}/apply_e2e_build_patches.sh" + +#git apply "${SCRIPTDIR}/patches/common/increase-dashboard-timeout.1.11.patch" + +if [[ "${CLUSTER}" == "gke" ]]; then + echo "Generating operator config for GKE" + + # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76 + python3 -m pip install pyyaml --user && python3 "${SCRIPTDIR}/gen_iop.py" + + COMMON_TEST_FLAGS+=( "-istio.test.kube.helm.iopFile=${SCRIPTDIR}/iop-gke-integration.yml" ) + +fi + +#if [[ "${CLUSTER}" == "eks" ]]; then +# echo "Applying patch for EKS...." 
+# git apply "${SCRIPTDIR}/patches/eks/eks_${ISTIO_MINOR_VER}.patch" +#fi + +#go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG}-distroless --istio.test.pullpolicy=IfNotPresent --istio.test.retries=1 && go test -test.v -timeout 2h -tags=integ istio.io/istio/tests/integration/security --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.hub=${HUB} --istio.test.tag=${TAG} --istio.test.pullpolicy=IfNotPresent + +PACKAGES=$(go list -tags=integ "${ROOTDIR}/tests/integration/...") + +echo "Starting Testing" + +FAILED_PACKAGES=() + +for pkg in $PACKAGES; do + echo "========================================================TESTING ${pkg} ========================================================" + + SKIP_RULE=$( grep -F "${pkg}=" "${SCRIPTDIR}/${ISTIO_MINOR_VER}/test/skip.d/${CLUSTER}" 2>/dev/null || echo "" ) + SKIP_TESTS=$( echo -n "${SKIP_RULE#${pkg}=}" ) + + if [[ "${SKIP_TESTS}" == "*" ]]; then + echo "Skipping according to the rule: ${SKIP_RULE}" + continue + fi + + read -ra SKIP_TESTS_ARRAY <<< "${SKIP_TESTS}" + + SKIP_TEST_FLAGS=() + for test in ${SKIP_TESTS_ARRAY[@]+"${SKIP_TESTS_ARRAY[@]}"} ; do + SKIP_TEST_FLAGS+=( "--istio.test.skip=${test}" ) + done + + go test \ + -test.v \ + -timeout 2h \ + -tags=integ \ + "${pkg}" \ + --istio.test.select=-postsubmit,-flaky \ + ${SKIP_TEST_FLAGS[@]+"${SKIP_TEST_FLAGS[@]}"} \ + --istio.test.ci \ + --istio.test.skipVM=true \ + --istio.test.hub=${HUB} \ + --istio.test.tag=${TAG}-distroless \ + --istio.test.pullpolicy=IfNotPresent \ + --istio.test.retries=1 \ + ${COMMON_TEST_FLAGS[@]+"${COMMON_TEST_FLAGS[@]}"} \ + || \ + { FAILED_PACKAGES+=( "${pkg}" ) && echo "Test Failed: ${pkg}" ; } + + find /tmp -mindepth 1 -maxdepth 1 -type d -name '*istio*' -exec sudo rm -f -- {} \; +done + +echo "Testing Done" + +if [[ ${#FAILED_PACKAGES[@]} -gt 0 ]]; then + echo "" + echo "Some of the tests 
have failed :("
+ echo ""
+ echo "Packages with failed tests:"
+ for pkg in "${FAILED_PACKAGES[@]}"; do
+ echo "- ${pkg}"
+ done
+ exit 1
+fi
diff --git a/tetrateci/tetrateci/test_1.7.sh b/tetrateci/tetrateci/test_1.7.sh
new file mode 100755
index 000000000000..d5fcc54a42d4
--- /dev/null
+++ b/tetrateci/tetrateci/test_1.7.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+./tetrateci/version_check.py && exit
+set -e
+
+# need this variable to run the tests outside GOPATH
+export REPO_ROOT=$(pwd)
+echo "Set REPO_ROOT=$REPO_ROOT"
+source ./tetrateci/setup_go.sh
+
+echo "Applying patches...."
+
+if [[ ${CLUSTER} == "gke" ]]; then
+ # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio-old/issues/76
+ echo "Generating operator config for GKE"
+ python3 -m pip install pyyaml --user && ./tetrateci/gen_iop.py
+ CLUSTERFLAGS="-istio.test.kube.helm.iopFile $(pwd)/tetrateci/iop-gke-integration.yml"
+
+ echo "Applying GKE specific patches...."
+ git apply tetrateci/patches/gke/chiron-gke.patch
+fi
+
+if [[ ${CLUSTER} == "eks" ]]; then
+ echo "Applying Ingress patch for EKS...."
+ git apply tetrateci/patches/eks/eks-ingress.1.7.patch
+fi
+
+PACKAGES=$(go list ./tests/integration/... | grep -v /qualification | grep -v /examples | grep -v /multicluster | grep -v /stackdriver)
+
+echo "Starting Testing"
+
+for package in $PACKAGES; do
+ n=0
+ until [ "$n" -ge 3 ]
+ do
+ echo "========================================================TESTING $package | TRY $n========================================================"
+ go test -test.v $package -timeout 30m --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.pullpolicy IfNotPresent ${CLUSTERFLAGS} && break || echo "Test Failed: $package"
+ for folder in $(ls -d /tmp/* | grep istio); do sudo rm -rf -- $folder; done
+ n=$((n+1))
+ done
+ [ "$n" -ge 3 ] && exit 1
+done
+
+echo "Testing Done"
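Review bot: The cleanup `for folder in $(ls -d /tmp/* | grep istio); do sudo rm -rf -- $folder; done` in test_1.7.sh parses `ls` output and passes it unquoted to a root `rm -rf`, in a directory every local user can write to. Entries whose names contain whitespace or glob characters are split and re-expanded before they reach `rm`, so paths other than the intended temp directories can end up deleted. `find /tmp -mindepth 1 -maxdepth 1 -name '*istio*' -exec sudo rm -rf -- {} \;` does the same job without word splitting. The test_1.8.sh hunk has the identical line.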
diff --git a/tetrateci/tetrateci/test_1.8.sh b/tetrateci/tetrateci/test_1.8.sh
new file mode 100755
index 000000000000..5c0edbb6cb65
--- /dev/null
+++ b/tetrateci/tetrateci/test_1.8.sh
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+./tetrateci/version_check.py && exit
+set -e
+
+# need this variable to run the tests outside GOPATH
+export REPO_ROOT=$(pwd)
+echo "Set REPO_ROOT=$REPO_ROOT"
+source ./tetrateci/setup_go.sh
+
+echo "Applying patches...."
+git apply tetrateci/patches/common/increase-dashboard-timeout.1.8.patch
+git apply tetrateci/patches/common/wait-for-envoy.1.8.patch
+#git apply tetrateci/patches/common/increase-vm-timeout.1.8.patch
+#git apply tetrateci/patches/common/disable-autoscaling-on-cpu.1.8.patch
+git apply tetrateci/patches/common/disable-vmregistration.1.8.patch # https://github.com/istio/istio/issues/29100
+
+if [[ ${CLUSTER} == "gke" ]]; then
+ echo "Generating operator config for GKE"
+ # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76
+ python3 -m pip install pyyaml --user && ./tetrateci/gen_iop.py
+ CLUSTERFLAGS="-istio.test.kube.helm.iopFile $(pwd)/tetrateci/iop-gke-integration.yml"
+
+ echo "Applying GKE specific patches...."
+ git apply tetrateci/patches/gke/chiron-gke.patch
+fi
+
+if [[ ${CLUSTER} == "eks" ]]; then
+ echo "Applying Ingress patch for EKS...."
+ git apply tetrateci/patches/eks/eks-ingress.1.8.patch
+fi
+
+if $(grep -q "1.17" <<< ${K8S_VERSION} ); then
+ PACKAGES=$(go list -tags=integ ./tests/integration/... | grep -v /qualification | grep -v /examples | grep -v /multicluster | grep -v /endpointslice | grep -v /stackdriver)
+else
+ PACKAGES=$(go list -tags=integ ./tests/integration/...
| grep -v /qualification | grep -v /examples | grep -v /multicluster | grep -v /stackdriver)
+fi
+
+echo "Starting Testing"
+
+for package in $PACKAGES; do
+ n=0
+ until [ "$n" -ge 3 ]
+ do
+ echo "========================================================TESTING $package | TRY $n========================================================"
+ go test -test.v -tags=integ $package -timeout 30m --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.pullpolicy IfNotPresent ${CLUSTERFLAGS} && break || echo "Test Failed: $package"
+ for folder in $(ls -d /tmp/* | grep istio); do sudo rm -rf -- $folder; done
+ n=$((n+1))
+ done
+ [ "$n" -ge 3 ] && exit 1
+done
+
+echo "Testing Done"
diff --git a/tetrateci/tetrateci/test_1.9.sh b/tetrateci/tetrateci/test_1.9.sh
new file mode 100755
index 000000000000..59277f82e8e9
--- /dev/null
+++ b/tetrateci/tetrateci/test_1.9.sh
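Review bot: The condition `if $(grep -q "1.17" <<< ${K8S_VERSION} ); then` works only because an empty command substitution leaves grep's exit status as the result, and its pattern is an unanchored regex in which `.` matches any character, so values such as `1.170` or `11.17` (constructed examples) would also select the 1.17 package list. A direct test states the intent and still accepts a vendor suffix: `if [[ ${K8S_VERSION} =~ ^1\.17([^0-9]|$) ]]; then`. If `K8S_VERSION` can carry a prefix such as `v`, the anchor needs adjusting; its format is not visible here. The same condition appears in test_1.9.sh.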
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+./tetrateci/version_check.py && exit
+set -e
+
+source ./tetrateci/setup_go.sh
+
+echo "Applying patches...."
+
+# git apply tetrateci/patches/common/increase-vm-timeout.1.9.patch
+git apply tetrateci/patches/common/increase-sniffing-timeout.1.9.patch
+git apply tetrateci/patches/common/increase-dashboard-timeout.1.9.patch
+git apply tetrateci/patches/common/disable-vmregistration.1.9.patch # https://github.com/istio/istio/issues/29100
+git apply tetrateci/patches/common/disable-passthroughfilterchain.1.9.patch # https://github.com/istio/istio/issues/32623
+
+# the code fails whenever there is something other than digits in the k8s minor version
+# in our case which is a "+" symbol due to extra patching by corresponding vendor
+# so we get 1.17+ instead of 1.17
+git apply tetrateci/patches/common/fix-version-check.1.9.patch
+
+if [[ ${CLUSTER} == "gke" ]]; then
+ echo "Generating operator config for GKE"
+ # Overlay CNI Parameters for GCP : https://github.com/tetratelabs/getistio/issues/76
+ python3 -m pip install pyyaml --user && ./tetrateci/gen_iop.py
+ CLUSTERFLAGS="-istio.test.kube.helm.iopFile $(pwd)/tetrateci/iop-gke-integration.yml"
+
+ echo "Applying GKE specific patches...."
+ git apply tetrateci/patches/gke/chiron-gke.patch
+fi
+
+if [[ ${CLUSTER} == "eks" ]]; then
+ echo "Applying Ingress patch for EKS...."
+ git apply tetrateci/patches/eks/eks-ingress.1.9.patch
+fi
+
+if $(grep -q "1.17" <<< ${K8S_VERSION}); then
+ PACKAGES=$(go list -tags=integ ./tests/integration/... | grep -v /qualification | grep -v /examples | grep -v /multicluster | grep -v /endpointslice | grep -v /stackdriver)
+else
+ PACKAGES=$(go list -tags=integ ./tests/integration/...
| grep -v /qualification | grep -v /examples | grep -v /multicluster | grep -v /stackdriver)
+fi
+
+echo "Starting Testing"
+
+for package in $PACKAGES; do
+ n=0
+ until [ "$n" -ge 3 ]
+ do
+ echo "========================================================TESTING $package | TRY $n========================================================"
+ go test -test.v -tags=integ $package -timeout 30m --istio.test.select=-postsubmit,-flaky --istio.test.ci --istio.test.pullpolicy IfNotPresent ${CLUSTERFLAGS} && break || echo "Test Failed: $package"
+ for folder in $(ls -d /tmp/* | grep istio); do sudo rm -rf -- $folder; done
+ n=$((n+1))
+ done
+ [ "$n" -ge 3 ] && exit 1
+done
+
+echo "Testing Done"
diff --git a/tetrateci/tetrateci/test_istio.sh b/tetrateci/tetrateci/test_istio.sh
new file mode 100755
index 000000000000..6c26eea75f84
--- /dev/null
+++ b/tetrateci/tetrateci/test_istio.sh
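Review bot: In the GKE branch, `python3 -m pip install pyyaml --user && ./tetrateci/gen_iop.py` installs whatever PyYAML version the package index serves at run time, so the CI run depends on an unpinned and unverified download. Pinning the version and installing from a hash-checked requirements file makes the dependency reproducible: `python3 -m pip install --user --require-hashes -r <requirements-file>`, where the file name is a placeholder because the repository layout is not visible here. test_1.7.sh and test_1.8.sh have the same line, and upload_upstream_release.sh installs `cloudsmith-cli` the same way.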
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+# this is just for reference won't be used
+# master for now
+git clone https://github.com/istio/istio
+cd istio/test/integration/
+
+go test -tags=integ ./operator/... -istio.test.skipVM true -p 1
+go test -tags=integ ./helm/... -istio.test.skipVM true -p 1
+go test -tags=integ -run='TestEmptyCluster|TestFileOnly|TestDirectoryWithoutRecursion|TestDirectoryWithRecursion|TestInvalidFileError|TestJsonInputFile|TestJsonOutput|TestKubeOnly|TestFileAndKubeCombined|TestAllNamespaces|TestTimeout|TestErrorLine|TestWait|TestVersion|TestDescribe|TestAddToAndRemoveFromMesh|TestProxyConfig|TestProxyStatus|TestAuthZCheck|TestLocality|TestMain|TestMirroring|TestMirroringExternalService|TestTproxy|TestRevisionedUpgrade|TestValidation|TestEnsureNoMissingCRDs|TestWebhook' ./pilot/ -istio.test.skipVM true -p 1
+go test -tags=integ ./pilot/analysis/... -istio.test.skipVM true -p 1
+go test -tags=integ ./pilot/cni/... -istio.test.skipVM true -p 1
+go test -tags=integ ./pilot/revisions/... -istio.test.skipVM true -p 1
+go test -tags=integ -run='TestStatsFilter|TestStatsTCPFilter|TestSetup|TestIstioctlMetrics|TestTcpMetric|TestStatsFilter|TestWASMTcpMetric|TestWasmStatsFilter|TestMain|TestCustomizeMetrics' ./telemetry/stats/... -istio.test.skipVM true -p 1
+go test -tags=integ ./security/ca_custom_root/... -istio.test.skipVM true -p 1
+go test -tags=integ ./security/chiron/... -istio.test.skipVM true -p 1
+go test -tags=integ ./security/file_mounted_certs/... -istio.test.skipVM true -p 1
+go test -tags=integ ./security/filebased_tls_origination/... -istio.test.skipVM true -p 1
+go test -tags=integ ./security/mtls_first_party_jwt/... -istio.test.skipVM true -p 1
+go test -tags=integ ./security/mtlsk8sca/... -istio.test.skipVM true -p 1
+go test -tags=integ ./security/sds_egress/... -istio.test.skipVM true -p 1
+go test -tags=integ ./security/sds_tls_origination/... -istio.test.skipVM true -p 1
+go test -tags=integ ./security/webhook/...
-istio.test.skipVM true -p 1
diff --git a/tetrateci/tetrateci/testing-report.xlsx b/tetrateci/tetrateci/testing-report.xlsx
new file mode 100644
index 000000000000..e6f800ec64c1
Binary files /dev/null and b/tetrateci/tetrateci/testing-report.xlsx differ
diff --git a/tetrateci/tetrateci/upload_upstream_release.sh b/tetrateci/tetrateci/upload_upstream_release.sh
new file mode 100755
index 000000000000..7567d27ae523
--- /dev/null
+++ b/tetrateci/tetrateci/upload_upstream_release.sh
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+
+NEWTAG=$TAG-istio-v0
+
+python3 -m pip install --upgrade cloudsmith-cli --user
+# exit if the tag already exist
+cloudsmith ls pkgs tetrate/getistio -F json | jq -r '.data[].filename' | cut -f1-3 -d. | rev | cut -f3- -d- | rev | grep istioctl | cut -f2 -d- | uniq | grep -q "$NEWTAG" && exit
+
+echo "Creating a temporary directory to download $TAG release assets"
+mkdir /tmp/release
+cd /tmp/release
+
+echo "Fetching the download urls for the $TAG release"
+urls=$(curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/istio/istio/releases/tags/$TAG | jq -r '.assets[] | .browser_download_url')
+
+for url in $urls; do
+ echo "Downloading from $url"
+ wget $url
+done
+
+echo "Renaming packages"
+
+istiopkgs=$(ls | grep "istio-$TAG")
+
+for pkg in $istiopkgs; do
+ name=$(sed "s/istio-$TAG/istio-$TAG-istio-v0/g" <<< $pkg)
+ echo "Renaming $pkg to $name"
+ mv $pkg $name
+done
+
+istioctlpkgs=$(ls | grep "istioctl-$TAG")
+
+for pkg in $istioctlpkgs; do
+ name=$(sed "s/istioctl-$TAG/istioctl-$TAG-istio-v0/g" <<< $pkg)
+ echo "Renaming $pkg to $name"
+ mv $pkg $name
+done
+
+PACKAGES=$(ls | grep "istio")
+
+for package in $PACKAGES; do
+ echo "Publishing $package"
+ cloudsmith push raw tetrate/getistio ./$package
+done
+
+echo "Cleaning up the the downloaded artifacts"
+
+cd ..
+rm -rf release
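Review bot: In upload_upstream_release.sh the assets fetched by `wget $url` are renamed and pushed to `tetrate/getistio` with no integrity check, so a truncated or altered download is republished under the project's name. The work also happens in the fixed path `/tmp/release`, where a leftover or pre-created directory makes `mkdir` fail and aborts the run, and `$url`, `$pkg`, `$name` and `$package` are expanded unquoted. The sketch below uses `mktemp -d` with a cleanup trap (replacing the final `cd ..` / `rm -rf release`) and verifies digests before anything is renamed or published. It assumes the release ships `.sha256` files in `sha256sum` format next to each archive, which the hunk does not show. The later rename would leave those digest files referring to the old file names.

```shell
workdir=$(mktemp -d)
trap 'rm -rf -- "$workdir"' EXIT
cd "$workdir"

# … unchanged: curl/jq lookup of the asset URLs into $urls …

for url in $urls; do
  echo "Downloading from $url"
  wget -- "$url"
done

# Stop before renaming or publishing if any asset fails its digest check.
for sum in ./*.sha256; do
  sha256sum --check "$sum"
done
```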
diff --git a/tetrateci/tetrateci/version_check.py b/tetrateci/tetrateci/version_check.py
new file mode 100755
index 000000000000..1f61b0a353a4
--- /dev/null
+++ b/tetrateci/tetrateci/version_check.py
@@ -0,0 +1,34 @@
+#!/usr/bin/python3
+
+import sys, os
+
+version_matrix = {
+ "1.7": {"1.16", "1.17", "1.18"},
+ "1.8": {"1.16", "1.17", "1.18", "1.19"},
+ "1.9": {"1.17", "1.18", "1.19", "1.20"},
+ "1.10": {"1.18", "1.19", "1.20", "1.21"},
+ "1.11": {"1.18", "1.19", "1.20", "1.21", "1.22"},
+ "1.12": {"1.19", "1.20", "1.21", "1.22"}, # officially supported versions according to https://istio.io/latest/news/releases/1.12.x/announcing-1.12
+ "1.13": {"1.20", "1.21", "1.22", "1.23"}, # officially supported versions according to https://istio.io/latest/news/releases/1.13.x/announcing-1.13
+ "1.14": {"1.20","1.21", "1.22", "1.23", "1.24"} , # officially supported versions according to https://istio.io/latest/news/releases/1.14.x/announcing-1.14
+ "1.15": {"1.21","1.22", "1.23", "1.24", "1.25"} , # officially supported versions according to https://istio.io/latest/news/releases/1.15.x/announcing-1.15
+ "1.16": {"1.22", "1.23", "1.24", "1.25"} , # officially supported versions according to https://istio.io/latest/news/releases/1.16.x/announcing-1.16
+ "1.17": {"1.22", "1.23", "1.24", "1.25"} , # officially supported versions according to https://istio.io/latest/news/releases/1.17.x/announcing-1.17
+ "1.18": {"1.24", "1.25", "1.26", "1.27"} , # officially supported versions according to https://istio.io/latest/news/releases/1.18.x/announcing-1.18
+ "1.19": {"1.25", "1.26", "1.27", "1.28"} , # officially supported versions according to https://istio.io/latest/news/releases/1.19.x/announcing-1.19
+
+}
+
+istio_ver = os.environ.get("ISTIO_MINOR_VER")
+k8s_ver = os.environ.get("K8S_VERSION")
+
+print("Istio Version : ", istio_ver)
+print("Kubernetes Version : ", k8s_ver)
+
+if istio_ver in version_matrix:
+ if k8s_ver in version_matrix[istio_ver]:
+ print("Version matched!!")
+ sys.exit(1)
+
+print("Version not matched!!")
+sys.exit(0)
diff --git a/tetrateci/version_check.py b/tetrateci/version_check.py
index 93ddd11e6f89..1f61b0a353a4 100755
--- a/tetrateci/version_check.py
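Review bot: The version gate fails open because the script exits 1 on a supported pair and 0 otherwise, while the test scripts call it as `./tetrateci/version_check.py && exit` before `set -e`. Any other non-zero exit, such as a missing `/usr/bin/python3` or an uncaught exception, is therefore read as "supported" and the tests proceed. In the other direction, `k8s_ver in version_matrix[istio_ver]` is an exact string match, so a vendor-suffixed value like the `1.17+` mentioned in test_1.9.sh never matches and the caller exits with status 0 without running anything. Consider `sys.exit(0)` on a match and a dedicated non-zero code for an unsupported pair so callers can tell "unsupported" from a crash, and reduce `k8s_ver` to `major.minor` before the lookup. A module docstring stating the exit-code contract and the two environment variables read would also help.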
+++ b/tetrateci/version_check.py @@ -15,6 +15,8 @@ "1.16": {"1.22", "1.23", "1.24", "1.25"} , # officially supported versions according to https://istio.io/latest/news/releases/1.16.x/announcing-1.16 "1.17": {"1.22", "1.23", "1.24", "1.25"} , # officially supported versions according to https://istio.io/latest/news/releases/1.17.x/announcing-1.17 "1.18": {"1.24", "1.25", "1.26", "1.27"} , # officially supported versions according to https://istio.io/latest/news/releases/1.18.x/announcing-1.18 + "1.19": {"1.25", "1.26", "1.27", "1.28"} , # officially supported versions according to https://istio.io/latest/news/releases/1.19.x/announcing-1.19 + } istio_ver = os.environ.get("ISTIO_MINOR_VER")