[release-1.14] Helm and gateway tests (#11394)

* add tests to gateway setup

* manually cleanup the minimal istio install

* Add canary upgrade test

* convert rewrite-repo to a helper function

* upgrade helm test

* lint fixes

* left over validatingwebhook from a prior test

* remove boilerplate check

* undo elided pod names

* gen snip

* Remove validatingwebhookconfigurations deletion

* remove webhook configs pending fix in istio

* remove webhook configs pending fix in istio

* revert some changes

* remove temp webhook removals

* remove revision labeled mutating webhooks

* revert revision-tags-middle change

* make gen

Co-authored-by: Daniel Hawton <daniel.hawton@solo.io>

content/en/boilerplates/revision-tags-middle.md

@@ -18,4 +18,4 @@ prod-stable 1-9-5    ...
 
 After the cluster operator is satisfied with the stability of the control plane tagged with `prod-canary`, namespaces labeled
 `istio.io/rev=prod-stable` can be updated with one action by modifying the `prod-stable` revision tag to point to the newer
-`1-10-0` revision.
+`1-10-0` revision.

content/en/docs/setup/additional-setup/gateway/index.md

@@ -4,7 +4,7 @@ description: Install and customize Istio Gateways.
 weight: 40
 keywords: [install,gateway,kubernetes]
 owner: istio/wg-environments-maintainers
-test: no
+test: yes
 ---
 
 Along with creating a service mesh, Istio allows you to manage [gateways](/docs/concepts/traffic-management/#gateways),
@@ -291,9 +291,9 @@ spec:
 When this deployment is created, you will then have two versions of the gateway, both selected by the same Service:
 
 {{< text bash >}}
-$ kubectl get endpoints -o "custom-columns=NAME:.metadata.name,PODS:.subsets[*].addresses[*].targetRef.name"
+$ kubectl get endpoints -n istio-ingress -o "custom-columns=NAME:.metadata.name,PODS:.subsets[*].addresses[*].targetRef.name"
 NAME                   PODS
-istio-ingressgateway   istio-ingressgateway-788854c955-8gv96,istio-ingressgateway-canary-b78944cbd-mq2qf
+istio-ingressgateway   istio-ingressgateway-...,istio-ingressgateway-canary-...
 {{< /text >}}
 
 {{< image width="50%" link="canary-upgrade.svg" caption="Canary upgrade in progress" >}}

content/en/docs/setup/additional-setup/gateway/snips.sh

@@ -0,0 +1,167 @@
+#!/bin/bash
+# shellcheck disable=SC2034,SC2153,SC2155,SC2164
+
+# Copyright Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+####################################################################################################
+# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
+#          docs/setup/additional-setup/gateway/index.md
+####################################################################################################
+
+! read -r -d '' snip_deploying_a_gateway_1 <<\ENDSNIP
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+  name: ingress
+spec:
+  profile: empty # Do not install CRDs or the control plane
+  components:
+    ingressGateways:
+    - name: ingressgateway
+      namespace: istio-ingress
+      enabled: true
+      label:
+        # Set a unique label for the gateway. This is required to ensure Gateways
+        # can select this workload
+        istio: ingressgateway
+  values:
+    gateways:
+      istio-ingressgateway:
+        # Enable gateway injection
+        injectionTemplate: gateway
+ENDSNIP
+
+snip_deploying_a_gateway_2() {
+kubectl create namespace istio-ingress
+istioctl install -f ingress.yaml
+}
+
+snip_deploying_a_gateway_3() {
+kubectl create namespace istio-ingress
+helm install istio-ingress istio/gateway -n istio-ingress
+}
+
+! read -r -d '' snip_deploying_a_gateway_4 <<\ENDSNIP
+apiVersion: v1
+kind: Service
+metadata:
+  name: istio-ingressgateway
+  namespace: istio-ingress
+spec:
+  type: LoadBalancer
+  selector:
+    istio: ingressgateway
+  ports:
+  - port: 80
+    name: http
+  - port: 443
+    name: https
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istio-ingressgateway
+  namespace: istio-ingress
+spec:
+  selector:
+    matchLabels:
+      istio: ingressgateway
+  template:
+    metadata:
+      annotations:
+        # Select the gateway injection template (rather than the default sidecar template)
+        inject.istio.io/templates: gateway
+      labels:
+        # Set a unique label for the gateway. This is required to ensure Gateways can select this workload
+        istio: ingressgateway
+        # Enable gateway injection. If connecting to a revisioned control plane, replace with "istio.io/rev: revision-name"
+        sidecar.istio.io/inject: "true"
+    spec:
+      containers:
+      - name: istio-proxy
+        image: auto # The image will automatically update each time the pod starts.
+---
+# Set up roles to allow reading credentials for TLS
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: istio-ingressgateway-sds
+  namespace: istio-ingress
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: istio-ingressgateway-sds
+  namespace: istio-ingress
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: istio-ingressgateway-sds
+subjects:
+- kind: ServiceAccount
+  name: default
+ENDSNIP
+
+snip_deploying_a_gateway_5() {
+kubectl create namespace istio-ingress
+kubectl apply -f ingress.yaml
+}
+
+! read -r -d '' snip_gateway_selectors_1 <<\ENDSNIP
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: gateway
+spec:
+  selector:
+    istio: ingressgateway
+...
+ENDSNIP
+
+! read -r -d '' snip_canary_upgrade_advanced_1 <<\ENDSNIP
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istio-ingressgateway-canary
+  namespace: istio-ingress
+spec:
+  selector:
+    matchLabels:
+      istio: ingressgateway
+  template:
+    metadata:
+      annotations:
+        inject.istio.io/templates: gateway
+      labels:
+        istio: ingressgateway
+        istio.io/rev: canary # Set to the control plane revision you want to deploy
+    spec:
+      containers:
+      - name: istio-proxy
+        image: auto
+ENDSNIP
+
+snip_canary_upgrade_advanced_2() {
+kubectl get endpoints -n istio-ingress -o "custom-columns=NAME:.metadata.name,PODS:.subsets[*].addresses[*].targetRef.name"
+}
+
+! read -r -d '' snip_canary_upgrade_advanced_2_out <<\ENDSNIP
+NAME                   PODS
+istio-ingressgateway   istio-ingressgateway-...,istio-ingressgateway-canary-...
+ENDSNIP

content/en/docs/setup/additional-setup/gateway/test.sh

@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+set -u
+
+set -o pipefail
+
+# @setup profile=none
+function rebuild() {
+    istioctl x uninstall --purge --skip-confirmation
+    kubectl delete namespace istio-ingress
+    istioctl install --skip-confirmation --set profile=minimal
+}
+
+istioctl install --skip-confirmation --set profile=minimal
+_wait_for_deployment istio-system istiod
+
+# shellcheck disable=SC2154
+cat <<EOF >ingress.yaml
+$snip_deploying_a_gateway_1
+EOF
+
+echo y | snip_deploying_a_gateway_2
+_wait_for_deployment istio-ingress ingressgateway
+
+rebuild
+_rewrite_helm_repo snip_deploying_a_gateway_3
+_wait_for_deployment istio-ingress istio-ingress
+
+rebuild
+# shellcheck disable=SC2154
+cat <<EOF >ingress.yaml
+$snip_deploying_a_gateway_4
+EOF
+snip_deploying_a_gateway_5
+_wait_for_deployment istio-ingress istio-ingressgateway
+
+istioctl install --skip-confirmation --set profile=minimal --set revision=canary
+_wait_for_deployment istio-system istiod-canary
+
+# shellcheck disable=SC2154
+cat <<EOF | kubectl apply -f -
+$snip_canary_upgrade_advanced_1
+EOF
+_wait_for_deployment istio-ingress istio-ingressgateway-canary
+
+# shellcheck disable=SC2154
+_verify_like snip_canary_upgrade_advanced_2 "${snip_canary_upgrade_advanced_2_out}"
+
+# @cleanup
+
+istioctl x uninstall --purge --skip-confirmation
+kubectl delete namespace istio-system
+kubectl delete namespace istio-ingress

content/en/docs/setup/install/external-controlplane/test.sh

@@ -21,18 +21,6 @@ set -e
 set -u
 set -o pipefail
 
-# rewrite-repo invokes bash make to rewrite a snippet to avoid installing from a real helm repository, and instead uses
-# local files
-# shellcheck disable=SC2001
-function rewrite-repo() {
-  # get function definition: https://stackoverflow.com/a/6916952/374797
-  cmd="$(type "${1:?snip}" | sed '1,3d;$d')"
-  cmd="$(echo "${cmd}" | sed 's|istio/base|manifests/charts/base|')"
-  cmd="$(echo "${cmd}" | sed 's|istio/istiod|manifests/charts/istio-control/istio-discovery|')"
-  cmd="$(echo "${cmd}" | sed 's|istio/gateway|manifests/charts/gateway|')"
-  eval "${cmd}"
-}
-
 kubectl_get_egress_gateway_for_remote_cluster() {
   response=$(kubectl get pod -l app=istio-egressgateway -n external-istiod --context="${CTX_REMOTE_CLUSTER}" -o jsonpath="{.items[*].status.phase}")
   echo "$response"
@@ -122,7 +110,7 @@ _verify_contains snip_deploy_a_sample_application_4 "Hello version: v1"
 echo y | snip_enable_gateways_1
 
 # And egress with helm
-rewrite-repo snip_enable_gateways_4
+_rewrite_helm_repo snip_enable_gateways_4
 
 _verify_same kubectl_get_egress_gateway_for_remote_cluster "Running" 
 

content/en/docs/setup/install/helm/test.sh

@@ -18,30 +18,18 @@ set -u
 
 set -o pipefail
 
-# rewrite-repo invokes bash make to rewrite a snippet to avoid installing from a real helm repository, and instead uses
-# local files
-# shellcheck disable=SC2001
-function rewrite-repo() {
-  # get function definition: https://stackoverflow.com/a/6916952/374797
-  cmd="$(type "${1:?snip}" | sed '1,3d;$d')"
-  cmd="$(echo "${cmd}" | sed 's|istio/base|manifests/charts/base|')"
-  cmd="$(echo "${cmd}" | sed 's|istio/istiod|manifests/charts/istio-control/istio-discovery|')"
-  cmd="$(echo "${cmd}" | sed 's|istio/gateway|manifests/charts/gateway|')"
-  eval "${cmd} --set global.tag=${ISTIO_IMAGE_VERSION=SHOULD_BE_SET}.${ISTIO_LONG_SHA=latest}"
-}
-
 # @setup profile=none
 
 # Delete a vailidatingwebhookconfiguration that seems to have been left around from a prior test.
 kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io istiod-default-validator  --ignore-not-found
 
 snip_create_istio_system_namespace
-rewrite-repo snip_install_base
+_rewrite_helm_repo snip_install_base
 
-rewrite-repo snip_install_discovery
+_rewrite_helm_repo snip_install_discovery
 _wait_for_deployment istio-system istiod
 
-rewrite-repo snip_install_ingressgateway
+_rewrite_helm_repo snip_install_ingressgateway
 _wait_for_deployment istio-ingress istio-ingress
 
 # shellcheck disable=SC2154

content/en/docs/setup/upgrade/helm/canaryupgrade_test.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+source "content/en/docs/setup/upgrade/helm/common.sh"
+
+set -e
+set -u
+
+set -o pipefail
+
+# @setup profile=none
+
+_install_istio_helm
+
+snip_canary_upgrade_recommended_1
+_rewrite_helm_repo snip_canary_upgrade_recommended_2
+_wait_for_deployment istio-system istiod-canary
+
+# shellcheck disable=SC2154
+_verify_like snip_canary_upgrade_recommended_3 "${snip_canary_upgrade_recommended_3_out}"
+
+snip_canary_upgrade_recommended_4
+_rewrite_helm_repo snip_canary_upgrade_recommended_5
+
+_rewrite_helm_repo helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-stable}" --set revision=1-9-5 -n istio-system | kubectl delete -f -
+_rewrite_helm_repo helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-canary}" --set revision=1-10-0 -n istio-system | kubectl delete -f -
+helm uninstall istiod-canary -n istio-system
+_remove_istio_helm
+
+# @cleanup