Merge branch 'main' into proxy-restart-annotation

config/ui-extensions/kustomization.yaml

@@ -7,6 +7,7 @@ resources:
 - authorizationpolicies
 - sidecars
 - telemetries
+- requestauthentications
 
 labels:
   - includeSelectors: true

config/ui-extensions/requestauthentications/dataSources

@@ -0,0 +1,5 @@
+podSelector:
+  resource:
+    kind: Pod
+    version: v1
+  filter: $matchByLabelSelector($item, $root.spec.selector.matchLabels)

config/ui-extensions/requestauthentications/details

@@ -0,0 +1,51 @@
+body:
+  - source: spec.jwtRules
+    name: spec.jwtRules
+    showHeader: false
+    widget: Table
+    collapsibleTitle: '"Issuer " & $item.issuer'
+    collapsible:
+      - source: issuer
+        name: spec.jwtRules.issuer
+        widget: Text
+      - source: jwksUri
+        name: spec.jwtRules.jwksUri
+        widget: Text
+      - source: audiences
+        name: spec.jwtRules.audiences
+        widget: JoinedArray
+      - source: fromParams
+        name: spec.jwtRules.fromParams
+        widget: JoinedArray
+      - source: fromCookies
+        name: spec.jwtRules.fromCookies
+        widget: JoinedArray
+      - source: fromHeaders
+        name: spec.jwtRules.fromHeaders
+        widget: Table
+        showHeader: false
+        collapsibleTitle: '"Header " & $item.name'
+        collapsible:
+          - source: name
+            name: spec.jwtRules.fromHeaders.name
+            widget: Text
+          - source: prefix
+            name: spec.jwtRules.fromHeaders.prefix
+            widget: Text
+  - widget: Panel
+    name: spec.selector.matchLabels
+    disablePadding: true
+    children:
+      - source: $podSelector()
+        widget: ResourceList
+        disableCreate: true
+        visibility: $exists($root.spec.selector.matchLabels) and $boolean($root.spec.selector.matchLabels)
+      - source: spec.selector
+        widget: Panel
+        name: selector.matchesAllPods
+        visibility: $not($exists($value)) or $not($boolean($value))
+    header:
+      - source: spec.selector.matchLabels
+        widget: Labels
+        name: spec.selector.matchLabels
+        visibility: $exists($value) and $boolean($value)

config/ui-extensions/requestauthentications/form

@@ -0,0 +1,29 @@
+- path: spec.selector.matchLabels
+  widget: KeyValuePair
+  defaultExpanded: true
+- path: spec.jwtRules
+  name: spec.jwtRules
+  widget: GenericList
+  simple: true
+  children:
+    - path: '[].issuer'
+    - path: '[].jwksUri'
+      name: spec.jwtRules.jwksUri
+    - path: '[].audiences'
+      widget: SimpleList
+      children:
+          - path: '[]'
+    - path: '[].fromParams'
+      widget: SimpleList
+      children:
+          - path: '[]'
+    - path: '[].fromCookies'
+      widget: SimpleList
+      children:
+          - path: '[]'
+    - path: '[].fromHeaders'
+      simple: true
+      widget: GenericList
+      children:
+        - path: '[].name'
+        - path: '[].prefix'

config/ui-extensions/requestauthentications/general

@@ -0,0 +1,12 @@
+resource:
+  kind: RequestAuthentication
+  group: security.istio.io
+  version: v1beta1
+urlPath: requestauthentications
+category: Istio
+name: Request Authentications
+scope: namespace
+description: >-
+  {{[Istio Request Authentication](https://istio.io/latest/docs/reference/config/security/request_authentication)}}
+  defines what request authentication methods are supported by a workload.
+

config/ui-extensions/requestauthentications/kustomization.yaml

@@ -0,0 +1,14 @@
+configMapGenerator:
+- name: requestauthentications-ui.operator.kyma-project.io
+  namespace: kyma-system
+  files:
+  - general
+  - dataSources
+  - details
+  - form
+  - translations
+  options:
+    disableNameSuffixHash: true
+    labels:
+      busola.io/extension: resource
+      busola.io/extension-version: "0.5"

config/ui-extensions/requestauthentications/translations

@@ -0,0 +1,13 @@
+en:
+  spec.jwtRules: JWT Rules
+  spec.jwtRules.issuer: Issuer
+  spec.jwtRules.jwksUri: JWKS URI
+  spec.jwtRules.jwks: JWKS
+  spec.jwtRules.audiences: Audiences
+  spec.jwtRules.fromParams: From Params
+  spec.jwtRules.fromCookies: From Cookies
+  spec.jwtRules.fromHeaders: From Headers
+  spec.jwtRules.fromHeaders.name: Name
+  spec.jwtRules.fromHeaders.prefix: Prefix
+  spec.selector.matchLabels: Selector
+  selector.matchesAllPods: Matches all Pods in the Namespace

docs/release-notes/1.7.0.md

@@ -2,4 +2,5 @@
 
 - Allow for opting out of the **ENABLE_EXTERNAL_NAME_ALIAS** Istio pilot environment variable in the Istio custom resource. This allows for retaining behavior that was present in Istio prior to version 1.21. See issue [#787](https://github.com/kyma-project/istio/issues/787 ).
 - Update the Istio version to 1.21.2 [#802](https://github.com/kyma-project/istio/pull/802). Read [Istio 1.21.2 Release Announcement](https://istio.io/latest/news/releases/1.21.x/announcing-1.21.2/) and [Change Notes](https://istio.io/latest/news/releases/1.21.x/announcing-1.21/change-notes/) for more details.
+- Add Request Authentication UI for Kyma dashboard [#816](https://github.com/kyma-project/istio/pull/816)
 - Now Pods with Istio Sidecar, which contain custom image annotations, are not restarted by the Istio Operator. See issue [#698](https://github.com/kyma-project/istio/issues/698) and the [Istio documentation](https://istio.io/latest/docs/reference/config/annotations/#SidecarProxyImage) for more details.

docs/user/troubleshooting/03-70-cannot-connect-to-hana-db.md

@@ -0,0 +1,60 @@
+# Issues with Connection to SAP HANA Database
+
+## Symptom
+
+You're unable to connect an application to a SAP HANA Database instance.
+
+## Troubleshooting
+
+The Istio module's default configuration does not restrict outbound traffic. This means that the application should have no issues connecting to the SAP HANA Database instance.
+To determine the cause of the connection issue, follow the troubleshooting steps.
+
+### Connect to the SAP HANA Database Instance from Outside of the Cluster
+1. Download SAP HANA Client for your operating system from the [SAP Development Tools](https://tools.hana.ondemand.com/#hanatools).
+2. Unpack the downloaded archive.
+3. Install SAP HANA Client.
+4. Connect to SAP HANA Database instance using the following command:
+    ```bash
+    hdbsql -n {HANA_DB_INSTANCE_ADDRESS} -u {HANA_DB_USER} -p {HANA_DB_PASSWORD}
+    ```
+    For example:
+    ```bash
+    hdbsql -n aaa.bbb.ccc.ddd:30015 -u my_user -p mypassword
+    ```
+5. If the connection is successful and you can execute queries, the issue is not related to the SAP HANA Database instance.
+### Connect to the SAP HANA Database Instance from Inside of the Cluster
+1. Build a Docker image with the SAP HANA Client installed. You can use the following Dockerfile:
+    ```Dockerfile
+    FROM eclipse-temurin:17
+    WORKDIR /build
+    COPY client.tar client.tar
+    RUN tar -xvf client.tar
+    RUN echo "/usr/local/bin" | ./client/hdbinst
+
+    ENTRYPOINT ["sleep", "8000"]
+    ```
+    Download the SAP HANA Client for Linux x86 64-bit from [SAP Development Tools](https://tools.hana.ondemand.com/#hanatools) and save it as `client.tar` in the same directory as the Dockerfile. Then, run the following command to build the image:
+    ```bash
+    docker buildx build --platform=linux/amd64 -t hdbsql .
+    ```
+2. To test your image, run the following command:
+    ```bash
+    docker run --entrypoint "hdbsql" hdbsql -v
+    ```
+    You get an output similar to this example:
+    ```
+    HDBSQL version 2.20.20.1712178305, the SAP HANA Database interactive terminal.
+    Copyright 2000-2024 by SAP SE.
+    ```
+3. Publish the image to a container registry.
+4. Run the image in the Kubernetes cluster:
+    ```bash
+    kubectl create deployment hdbsql --image={PUBLISHED_IMAGE_NAME}
+    ```
+5. Attach to the Pod and try to connect to the SAP HANA Database instance using the following command:
+    ```bash
+    hdbsql -n {HANA_DB_INSTANCE_ADDRESS} -u {HANA_DB_USER} -p {HANA_DB_PASSWORD}
+    ```
+6. If the connection is successful and you can execute queries, the issue is not related to the setup of the cluster.
+7. Check the connection from a Pod that has the Istio sidecar injected. In that case, create the Deployment in a namespace with Istio sidecar injection enabled. The connection should be successful.
+

tests/ui/cypress.config.ts

@@ -33,4 +33,7 @@ module.exports = defineConfig({
     ],
     supportFile: 'support/index.ts',
   },
+  retries: {
+    runMode: 2,
+  },
 });

tests/ui/fixtures/pod-httpbin-sleep.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: placeholderName
+  namespace: placeholderNamespace
+  labels:
+    app: placeholderName
+spec:
+  containers:
+    - name: test-container
+      image: eu.gcr.io/kyma-project/external/kennethreitz/httpbin
+      command: ["/bin/sh", "-c"]
+      args:
+        - while true; do sleep 1; done;

tests/ui/package.json

@@ -9,7 +9,7 @@
     "start-k3d": "./scripts/k3d-local-dev.sh"
   },
   "devDependencies": {
-    "cypress": "13.8.1",
+    "cypress": "13.9.0",
     "cypress-file-upload": "5.0.8",
     "js-yaml": "4.1.0",
     "typescript": "5.4.5",

tests/ui/support/input.ts

@@ -1,12 +1,13 @@
 Cypress.Commands.add('inputClearAndType', (selector: string, newValue: string, filterFilledInputs = false): void => {
-    let input = cy.get(selector)
-        .find('input:visible');
+    let input = cy.get(selector);
 
     if (filterFilledInputs) {
         input = input.filterWithNoValue();
     }
 
-    input.click()
+    input.scrollIntoView()
+        .find('input:visible')
+        .click()
         .clear({force: true})
         .type(newValue, {force: true});
 });

tests/ui/support/k8sclient/commands.ts

@@ -3,4 +3,5 @@ export interface Commands {
     createService(namespace: string, name: string): void
     createNamespace(name: string): void
     deleteNamespace(name: string): void
+    createHttpbinSleepPod(name: string, namespace: string): void
 }

tests/ui/support/k8sclient/index.ts

@@ -1,6 +1,7 @@
 import "./authorizationPolicy"
 import "./namespace"
 import "./service"
+import "./pod";
 export {Commands as K8sClientCommands} from "./commands";
 export {KubernetesConfig, getK8sCurrentContext} from "./kubeconfig";
 

tests/ui/support/k8sclient/pod.ts

@@ -0,0 +1,16 @@
+import {loadFixture} from "./loadFile";
+import * as k8s from "@kubernetes/client-node";
+import {postApi} from "./httpClient";
+
+Cypress.Commands.add('createHttpbinSleepPod', (name: string, namespace: string) => {
+  // @ts-ignore Typing of cy.then is not good enough
+  cy.wrap(loadFixture('pod-httpbin-sleep.yaml')).then((s: k8s.V1Pod): void => {
+    s.metadata!.name = name
+    s.metadata!.namespace = namespace
+    s.metadata!.labels ? s.metadata!.labels["app"] = name : s.metadata!.labels = {"app": name}
+    // We have to use cy.wrap, since the post command uses a cy.fixture internally
+    cy.wrap(postApi(`v1/namespaces/${namespace}/pods`, s)).should("be.true");
+  })
+});
+
+

tests/ui/support/navigation.ts

@@ -7,6 +7,8 @@ export interface NavigationCommands {
     navigateToAuthorizationPolicies(namespace: string): void
     navigateToTelemetries(namespace: string): void
     navigateToTelemetry(name: string, namespace: string): void
+    navigateToRequestAuthentications(namespace: string): void
+    navigateToRequestAuthentication(name: string, namespace: string): void
     navigateToDestinationRule(name: string, namespace: string): void
     navigateToDestinationRules(namespace: string): void
     navigateToGateway(name: string, namespace: string): void
@@ -116,3 +118,17 @@ Cypress.Commands.add('navigateToSidecars', (namespace: string): void => {
         cy.wait(2000);
     });
 });
+
+Cypress.Commands.add('navigateToRequestAuthentication', (namespace: string, name: string): void => {
+    cy.wrap(getK8sCurrentContext()).then((context) => {
+        cy.visit(`${config.clusterAddress}/cluster/${context}/namespaces/${namespace}/requestauthentications/${name}`)
+        cy.wait(2000);
+    });
+});
+
+Cypress.Commands.add('navigateToRequestAuthentications', (namespace: string): void => {
+    cy.wrap(getK8sCurrentContext()).then((context) => {
+        cy.visit(`${config.clusterAddress}/cluster/${context}/namespaces/${namespace}/requestauthentications`)
+        cy.wait(2000);
+    });
+});

tests/ui/support/resource/commands.ts

@@ -5,7 +5,8 @@ import { VirtualServiceCommands } from "./virtualService";
 import { ServiceEntryCommands } from "./serviceEntry";
 import { SidecarCommands } from "./sidecar";
 import { TelemetryCommands } from "./telemetries";
+import {RequestAuthenticationCommands} from "./requestAuthentication";
 
 export interface Commands extends AuthorizationPolicyCommands, TelemetryCommands, DestinationRuleCommands, GatewayCommands,
-        VirtualServiceCommands, ServiceEntryCommands, SidecarCommands {
+        VirtualServiceCommands, ServiceEntryCommands, SidecarCommands, RequestAuthenticationCommands {
 }

tests/ui/support/resource/index.ts

@@ -5,5 +5,6 @@ import './virtualService';
 import './serviceEntry';
 import './sidecar';
 import './telemetries';
+import './requestAuthentication';
 
 export { Commands as ResourceCommands } from "./commands";