From 271d52949c89ed05958ab11ec00dfa5bc20a118a Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Mon, 13 Jun 2022 10:17:08 -0700 Subject: [PATCH] [release-1.14] Helm and gateway tests (#11394) * add tests to gateway setup * manually cleanup the minimal istio install * Add canary upgrade test * convert rewrite-repo to a helper function * upgrade helm test * lint fixes * left over validatingwebhook from a prior test * remove boilerplate check * undo elided pod names * gen snip * Remove validatingwebhookconfigurations deletion * remove webhook configs pending fix in istio * remove webhook configs pending fix in istio * revert some changes * remove temp webhook removals * remove revision labeled mutating webhooks * revert revision-tags-middle change * make gen Co-authored-by: Daniel Hawton --- .../en/boilerplates/revision-tags-middle.md | 2 +- .../setup/additional-setup/gateway/index.md | 6 +- .../setup/additional-setup/gateway/snips.sh | 167 ++++++++++++++++++ .../setup/additional-setup/gateway/test.sh | 67 +++++++ .../install/external-controlplane/test.sh | 14 +- content/en/docs/setup/install/helm/test.sh | 18 +- .../setup/upgrade/helm/canaryupgrade_test.sh | 41 +++++ content/en/docs/setup/upgrade/helm/common.sh | 32 ++++ content/en/docs/setup/upgrade/helm/index.md | 14 +- .../docs/setup/upgrade/helm/inplace_test.sh | 31 ++++ .../docs/setup/upgrade/helm/revlabels_test.sh | 36 ++++ content/en/docs/setup/upgrade/helm/snips.sh | 90 ++++++++++ tests/util/helpers.sh | 14 ++ 13 files changed, 493 insertions(+), 39 deletions(-) create mode 100644 content/en/docs/setup/additional-setup/gateway/snips.sh create mode 100644 content/en/docs/setup/additional-setup/gateway/test.sh create mode 100644 content/en/docs/setup/upgrade/helm/canaryupgrade_test.sh create mode 100644 content/en/docs/setup/upgrade/helm/common.sh create mode 100644 content/en/docs/setup/upgrade/helm/inplace_test.sh create mode 100644 content/en/docs/setup/upgrade/helm/revlabels_test.sh create mode 100644 content/en/docs/setup/upgrade/helm/snips.sh diff --git a/content/en/boilerplates/revision-tags-middle.md b/content/en/boilerplates/revision-tags-middle.md index 80c975345bf74..85cb1fff9ac81 100644 --- a/content/en/boilerplates/revision-tags-middle.md +++ b/content/en/boilerplates/revision-tags-middle.md @@ -18,4 +18,4 @@ prod-stable 1-9-5 ... After the cluster operator is satisfied with the stability of the control plane tagged with `prod-canary`, namespaces labeled `istio.io/rev=prod-stable` can be updated with one action by modifying the `prod-stable` revision tag to point to the newer -`1-10-0` revision. \ No newline at end of file +`1-10-0` revision. diff --git a/content/en/docs/setup/additional-setup/gateway/index.md b/content/en/docs/setup/additional-setup/gateway/index.md index d62d8bcf84bc8..d421a50c56695 100644 --- a/content/en/docs/setup/additional-setup/gateway/index.md +++ b/content/en/docs/setup/additional-setup/gateway/index.md @@ -4,7 +4,7 @@ description: Install and customize Istio Gateways. weight: 40 keywords: [install,gateway,kubernetes] owner: istio/wg-environments-maintainers -test: no +test: yes --- Along with creating a service mesh, Istio allows you to manage [gateways](/docs/concepts/traffic-management/#gateways), @@ -291,9 +291,9 @@ spec: When this deployment is created, you will then have two versions of the gateway, both selected by the same Service: {{< text bash >}} -$ kubectl get endpoints -o "custom-columns=NAME:.metadata.name,PODS:.subsets[*].addresses[*].targetRef.name" +$ kubectl get endpoints -n istio-ingress -o "custom-columns=NAME:.metadata.name,PODS:.subsets[*].addresses[*].targetRef.name" NAME PODS -istio-ingressgateway istio-ingressgateway-788854c955-8gv96,istio-ingressgateway-canary-b78944cbd-mq2qf +istio-ingressgateway istio-ingressgateway-...,istio-ingressgateway-canary-... {{< /text >}} {{< image width="50%" link="canary-upgrade.svg" caption="Canary upgrade in progress" >}} diff --git a/content/en/docs/setup/additional-setup/gateway/snips.sh b/content/en/docs/setup/additional-setup/gateway/snips.sh new file mode 100644 index 0000000000000..26e4b13d46977 --- /dev/null +++ b/content/en/docs/setup/additional-setup/gateway/snips.sh @@ -0,0 +1,167 @@ +#!/bin/bash +# shellcheck disable=SC2034,SC2153,SC2155,SC2164 + +# Copyright Istio Authors. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#################################################################################################### +# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE: +# docs/setup/additional-setup/gateway/index.md +#################################################################################################### + +! read -r -d '' snip_deploying_a_gateway_1 <<\ENDSNIP +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +metadata: + name: ingress +spec: + profile: empty # Do not install CRDs or the control plane + components: + ingressGateways: + - name: ingressgateway + namespace: istio-ingress + enabled: true + label: + # Set a unique label for the gateway. This is required to ensure Gateways + # can select this workload + istio: ingressgateway + values: + gateways: + istio-ingressgateway: + # Enable gateway injection + injectionTemplate: gateway +ENDSNIP + +snip_deploying_a_gateway_2() { +kubectl create namespace istio-ingress +istioctl install -f ingress.yaml +} + +snip_deploying_a_gateway_3() { +kubectl create namespace istio-ingress +helm install istio-ingress istio/gateway -n istio-ingress +} + +! read -r -d '' snip_deploying_a_gateway_4 <<\ENDSNIP +apiVersion: v1 +kind: Service +metadata: + name: istio-ingressgateway + namespace: istio-ingress +spec: + type: LoadBalancer + selector: + istio: ingressgateway + ports: + - port: 80 + name: http + - port: 443 + name: https +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-ingressgateway + namespace: istio-ingress +spec: + selector: + matchLabels: + istio: ingressgateway + template: + metadata: + annotations: + # Select the gateway injection template (rather than the default sidecar template) + inject.istio.io/templates: gateway + labels: + # Set a unique label for the gateway. This is required to ensure Gateways can select this workload + istio: ingressgateway + # Enable gateway injection. If connecting to a revisioned control plane, replace with "istio.io/rev: revision-name" + sidecar.istio.io/inject: "true" + spec: + containers: + - name: istio-proxy + image: auto # The image will automatically update each time the pod starts. +--- +# Set up roles to allow reading credentials for TLS +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istio-ingressgateway-sds + namespace: istio-ingress +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istio-ingressgateway-sds + namespace: istio-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istio-ingressgateway-sds +subjects: +- kind: ServiceAccount + name: default +ENDSNIP + +snip_deploying_a_gateway_5() { +kubectl create namespace istio-ingress +kubectl apply -f ingress.yaml +} + +! read -r -d '' snip_gateway_selectors_1 <<\ENDSNIP +apiVersion: networking.istio.io/v1beta1 +kind: Gateway +metadata: + name: gateway +spec: + selector: + istio: ingressgateway +... +ENDSNIP + +! read -r -d '' snip_canary_upgrade_advanced_1 <<\ENDSNIP +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-ingressgateway-canary + namespace: istio-ingress +spec: + selector: + matchLabels: + istio: ingressgateway + template: + metadata: + annotations: + inject.istio.io/templates: gateway + labels: + istio: ingressgateway + istio.io/rev: canary # Set to the control plane revision you want to deploy + spec: + containers: + - name: istio-proxy + image: auto +ENDSNIP + +snip_canary_upgrade_advanced_2() { +kubectl get endpoints -n istio-ingress -o "custom-columns=NAME:.metadata.name,PODS:.subsets[*].addresses[*].targetRef.name" +} + +! read -r -d '' snip_canary_upgrade_advanced_2_out <<\ENDSNIP +NAME PODS +istio-ingressgateway istio-ingressgateway-...,istio-ingressgateway-canary-... +ENDSNIP diff --git a/content/en/docs/setup/additional-setup/gateway/test.sh b/content/en/docs/setup/additional-setup/gateway/test.sh new file mode 100644 index 0000000000000..f2b4d675230a0 --- /dev/null +++ b/content/en/docs/setup/additional-setup/gateway/test.sh @@ -0,0 +1,67 @@ +#!/usr/bin/env bash +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -e +set -u + +set -o pipefail + +# @setup profile=none +function rebuild() { + istioctl x uninstall --purge --skip-confirmation + kubectl delete namespace istio-ingress + istioctl install --skip-confirmation --set profile=minimal +} + +istioctl install --skip-confirmation --set profile=minimal +_wait_for_deployment istio-system istiod + +# shellcheck disable=SC2154 +cat <ingress.yaml +$snip_deploying_a_gateway_1 +EOF + +echo y | snip_deploying_a_gateway_2 +_wait_for_deployment istio-ingress ingressgateway + +rebuild +_rewrite_helm_repo snip_deploying_a_gateway_3 +_wait_for_deployment istio-ingress istio-ingress + +rebuild +# shellcheck disable=SC2154 +cat <ingress.yaml +$snip_deploying_a_gateway_4 +EOF +snip_deploying_a_gateway_5 +_wait_for_deployment istio-ingress istio-ingressgateway + +istioctl install --skip-confirmation --set profile=minimal --set revision=canary +_wait_for_deployment istio-system istiod-canary + +# shellcheck disable=SC2154 +cat <}} $ istioctl x precheck ✔ No issues found when checking the cluster. Istio is safe to install or upgrade! -To get started, check out https://istio.io/latest/docs/setup/getting-started/ + To get started, check out {{< /text >}} {{< warning >}} @@ -79,7 +79,7 @@ primary and canary installations. 1. Upgrade the Istio base chart, making the new revision the default. {{< text bash >}} - $ helm upgrade istio-base istio/base --defaultRevision canary -n istio-system --skip-crds + $ helm upgrade istio-base istio/base --set defaultRevision=canary -n istio-system --skip-crds {{< /text >}} ### Stable revision labels (experimental) @@ -91,8 +91,8 @@ primary and canary installations. {{< boilerplate revision-tags-usage >}} {{< text bash >}} -$ helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags={prod-stable} --set revision=1-9-5 -n istio-system | kubectl apply -f - -$ helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags={prod-canary} --set revision=1-10-0 -n istio-system | kubectl apply -f - +$ helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-stable}" --set revision=1-9-5 -n istio-system | kubectl apply -f - +$ helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-canary}" --set revision=1-10-0 -n istio-system | kubectl apply -f - {{< /text >}} {{< warning >}} @@ -103,7 +103,7 @@ below to uninstall revision tags. {{< boilerplate revision-tags-middle >}} {{< text bash >}} -$ helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags={prod-stable} --set revision=1-10-0 -n istio-system | kubectl apply -f - +$ helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-stable}" --set revision=1-10-0 -n istio-system | kubectl apply -f - {{< /text >}} {{< boilerplate revision-tags-prologue >}} @@ -113,7 +113,7 @@ $ helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisi {{< boilerplate revision-tags-default-intro >}} {{< text bash >}} -$ helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags={default} --set revision=1-10-0 -n istio-system | kubectl apply -f - +$ helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{default}" --set revision=1-10-0 -n istio-system | kubectl apply -f - {{< /text >}} {{< boilerplate revision-tags-default-outro >}} diff --git a/content/en/docs/setup/upgrade/helm/inplace_test.sh b/content/en/docs/setup/upgrade/helm/inplace_test.sh new file mode 100644 index 0000000000000..38f33b55e645b --- /dev/null +++ b/content/en/docs/setup/upgrade/helm/inplace_test.sh @@ -0,0 +1,31 @@ +#!/usr/bin/env bash +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +source "content/en/docs/setup/upgrade/helm/common.sh" + +set -e +set -u + +set -o pipefail + +# @setup profile=none +_install_istio_helm + +_rewrite_helm_repo snip_in_place_upgrade_1 +_rewrite_helm_repo snip_in_place_upgrade_2 +_rewrite_helm_repo snip_in_place_upgrade_3 +_rewrite_helm_repo snip_in_place_upgrade_4 + +_remove_istio_helm +# @cleanup diff --git a/content/en/docs/setup/upgrade/helm/revlabels_test.sh b/content/en/docs/setup/upgrade/helm/revlabels_test.sh new file mode 100644 index 0000000000000..72bf3e227a75b --- /dev/null +++ b/content/en/docs/setup/upgrade/helm/revlabels_test.sh @@ -0,0 +1,36 @@ +#!/usr/bin/env bash +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +source "content/en/docs/setup/upgrade/helm/common.sh" + +set -e +set -u + +set -o pipefail + +# @setup profile=none +_install_istio_helm + +_rewrite_helm_repo snip_usage_1 + +_rewrite_helm_repo snip_usage_2 +_rewrite_helm_repo snip_default_tag_1 + +_remove_istio_helm + +kubectl delete mutatingwebhookconfiguration istio-revision-tag-default +kubectl delete mutatingwebhookconfiguration istio-revision-tag-prod-canary +kubectl delete mutatingwebhookconfiguration istio-revision-tag-prod-stable + +# @cleanup diff --git a/content/en/docs/setup/upgrade/helm/snips.sh b/content/en/docs/setup/upgrade/helm/snips.sh new file mode 100644 index 0000000000000..8b28b29e4d233 --- /dev/null +++ b/content/en/docs/setup/upgrade/helm/snips.sh @@ -0,0 +1,90 @@ +#!/bin/bash +# shellcheck disable=SC2034,SC2153,SC2155,SC2164 + +# Copyright Istio Authors. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#################################################################################################### +# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE: +# docs/setup/upgrade/helm/index.md +#################################################################################################### +source "content/en/boilerplates/snips/helm-prereqs.sh" +source "content/en/boilerplates/snips/revision-tags-middle.sh" +source "content/en/boilerplates/snips/revision-tags-prologue.sh" + +snip_upgrade_steps_1() { +istioctl x precheck +} + +! read -r -d '' snip_upgrade_steps_1_out <<\ENDSNIP +✔ No issues found when checking the cluster. Istio is safe to install or upgrade! + To get started, check out +ENDSNIP + +snip_canary_upgrade_recommended_1() { +kubectl apply -f manifests/charts/base/crds +} + +snip_canary_upgrade_recommended_2() { +helm install istiod-canary istio/istiod \ + --set revision=canary \ + -n istio-system +} + +snip_canary_upgrade_recommended_3() { +kubectl get pods -l app=istiod -L istio.io/rev -n istio-system +} + +! read -r -d '' snip_canary_upgrade_recommended_3_out <<\ENDSNIP + NAME READY STATUS RESTARTS AGE REV + istiod-5649c48ddc-dlkh8 1/1 Running 0 71m default + istiod-canary-9cc9fd96f-jpc7n 1/1 Running 0 34m canary +ENDSNIP + +snip_canary_upgrade_recommended_4() { +helm delete istiod -n istio-system +} + +snip_canary_upgrade_recommended_5() { +helm upgrade istio-base istio/base --set defaultRevision=canary -n istio-system --skip-crds +} + +snip_usage_1() { +helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-stable}" --set revision=1-9-5 -n istio-system | kubectl apply -f - +helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-canary}" --set revision=1-10-0 -n istio-system | kubectl apply -f - +} + +snip_usage_2() { +helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-stable}" --set revision=1-10-0 -n istio-system | kubectl apply -f - +} + +snip_default_tag_1() { +helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{default}" --set revision=1-10-0 -n istio-system | kubectl apply -f - +} + +snip_in_place_upgrade_1() { +kubectl apply -f manifests/charts/base/crds +} + +snip_in_place_upgrade_2() { +helm upgrade istio-base manifests/charts/base -n istio-system --skip-crds +} + +snip_in_place_upgrade_3() { +helm upgrade istiod istio/istiod -n istio-system +} + +snip_in_place_upgrade_4() { +helm upgrade istio-ingress istio/gateway -n istio-ingress +} diff --git a/tests/util/helpers.sh b/tests/util/helpers.sh index c86f81ebec311..3cd1ed9ce0e4c 100644 --- a/tests/util/helpers.sh +++ b/tests/util/helpers.sh @@ -112,3 +112,17 @@ _wait_for_istio() { _urlencode() { python3 -c "import urllib.parse; print(urllib.parse.quote('''$1'''))" } + +# Invokes bash make to rewrite a snippet to avoid installing from a real helm repository, and instead uses +# local files +# usage: _rewrite_helm_repo +# shellcheck disable=SC2001 +_rewrite_helm_repo() { + # get function definition: https://stackoverflow.com/a/6916952/374797 + cmd="$(type "${1:?snip}" | sed '1,3d;$d')" + cmd="$(echo "${cmd}" | sed 's|istio/base|manifests/charts/base|')" + cmd="$(echo "${cmd}" | sed 's|istio/istiod|manifests/charts/istio-control/istio-discovery|')" + cmd="$(echo "${cmd}" | sed 's|istio/gateway|manifests/charts/gateway|')" + cmd="$(echo "${cmd}" | sed -E "s|(helm[[:space:]]+[^[:space:]]+)|\1 --set global.tag=${ISTIO_IMAGE_VERSION=SHOULD_BE_SET}.${ISTIO_LONG_SHA=latest}|g")" + eval "${cmd}" +} \ No newline at end of file