From db100e5aaeea4ee6df92552e3f5ac196b423bf3f Mon Sep 17 00:00:00 2001
From: Francisco Herrera
Date: Fri, 26 Apr 2024 13:40:16 +0200
Subject: [PATCH] OSSM-4505 Add script to run integration test againt OCP cluster (#4) * Initial changes to run istio integration test on OCP Update integ suite ocp script Working script to run the integration test over OCP clusters Adding an improvement in skip test Modify script based on the use of a common script to setup registry-s Delete unused rolebinding file Signed-off-by: frherrer * Adding improvements in the run script over OCP --------- Signed-off-by: frherrer
---
prow/integ-suite-ocp.sh | 89 +++++++++++++++++++++++++++++++
prow/setup/ocp_setup.sh | 113 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 202 insertions(+)
create mode 100755 prow/integ-suite-ocp.sh
create mode 100644 prow/setup/ocp_setup.sh
diff --git a/prow/integ-suite-ocp.sh b/prow/integ-suite-ocp.sh
new file mode 100755
index 000000000000..f03b36a8464f
--- /dev/null
+++ b/prow/integ-suite-ocp.sh
@@ -0,0 +1,89 @@
+#!/bin/bash
+
+# Copyright 2019 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script is used to run the integration tests on OpenShift.
+# Usage: ./integ-suite-ocp.sh TEST_SUITE SKIP_TESTS, example: /prow/integ-suite-ocp.sh telemetry "TestClientTracing|TestServerTracing"
+# TEST_SUITE: The test suite to run. Default is "pilot". Available options are "pilot", "security", "telemetry", "helm".
+# TODO: Use the same arguments as integ-suite.kind.sh uses
+
+WD=$(dirname "$0")
+ROOT=$(dirname "$WD")
+WD=$(cd "$WD"; pwd)
+TIMEOUT=300
+export NAMESPACE="${NAMESPACE:-"istio-system"}"
+export TAG="${TAG:-"istio-testing"}"
+SKIP_TESTS="${2:-""}"
+TEST_SUITE="${1:-"pilot"}"
+
+# Exit immediately for non zero status
+set -e
+# Check unset variables
+set -u
+# Print commands
+set -x
+
+# shellcheck source=common/scripts/kind_provisioner.sh
+source "${ROOT}/prow/setup/ocp_setup.sh"
+
+build_images() {
+ # Build just the images needed for tests
+ targets="docker.pilot docker.proxyv2 docker.install-cni "
+
+ # Integration tests are always running on local architecture (no cross compiling), so find out what that is.
+ arch="linux/amd64"
+ if [[ "$(uname -m)" == "aarch64" ]]; then
+ arch="linux/arm64"
+ fi
+
+ # use ubuntu:jammy to test vms by default
+ nonDistrolessTargets="docker.app docker.app_sidecar_ubuntu_jammy docker.ext-authz "
+
+ DOCKER_ARCHITECTURES="${arch}" DOCKER_BUILD_VARIANTS="${VARIANT:-default}" DOCKER_TARGETS="${targets} ${nonDistrolessTargets}" make dockerx.pushx
+}
+
+# Setup the internal registry for ocp cluster
+setup_internal_registry
+
+# Build and push the images to the internal registry
+build_images
+
+# Run the integration tests
+echo "Running integration tests"
+
+# Set the HUB to the internal registry svc URL to avoid the need to authenticate to pull images
+HUB="image-registry.openshift-image-registry.svc:5000/${NAMESPACE}"
+
+# Build the base command and store it in a variable.
+# TODO: execute the test by running make target. Do we need first to add a skip flag to the make target to be able to skip failing test on OCP
+# All the flags are needed to run the integration tests on OCP
+base_cmd="go test -p 1 -v -count=1 -tags=integ -vet=off -timeout 60m ./tests/integration/${TEST_SUITE}/... \
+--istio.test.ci \
+--istio.test.pullpolicy=IfNotPresent \
+--istio.test.work_dir=result \
+--istio.test.skipTProxy=true \
+--istio.test.skipVM=true \
+--istio.test.kube.helm.values=profile=openshift,global.platform=openshift \
+--istio.test.istio.enableCNI=true \
+--istio.test.hub=\"${HUB}\" \
+--istio.test.tag=\"${TAG}\""
+
+# Check if SKIP_TESTS is non-empty and append the -skip flag if it is.
+if [ -n "${SKIP_TESTS}" ]; then
+ base_cmd+=" -skip '${SKIP_TESTS}'"
+fi
+
+# Execute the command.
+eval "$base_cmd"
\ No newline at end of file
diff --git a/prow/setup/ocp_setup.sh b/prow/setup/ocp_setup.sh
new file mode 100644
index 000000000000..f4aa18b16926
--- /dev/null
+++ b/prow/setup/ocp_setup.sh
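Review bot: `eval "$base_cmd"` at the end of prow/integ-suite-ocp.sh re-parses a string that embeds both positional arguments, so a `SKIP_TESTS` value containing a single quote, or a `TEST_SUITE` value containing shell metacharacters, is interpreted as shell syntax on the CI runner instead of being passed to `go test`. Both values are taken from `$1` and `$2` with no validation before they are interpolated. Building the arguments as a bash array and calling `go test "${test_args[@]}"` keeps each value a single word and removes the need for the escaped quotes around `HUB` and `TAG`. Separately, the `# shellcheck source=` directive above the `source` line still names `common/scripts/kind_provisioner.sh`, although the file sourced is `prow/setup/ocp_setup.sh`.

```shell
# … unchanged: setup_internal_registry, build_images, HUB assignment …
test_args=(
  -p 1 -v -count=1 -tags=integ -vet=off -timeout 60m
  "./tests/integration/${TEST_SUITE}/..."
  --istio.test.ci
  --istio.test.pullpolicy=IfNotPresent
  --istio.test.work_dir=result
  --istio.test.skipTProxy=true
  --istio.test.skipVM=true
  --istio.test.kube.helm.values=profile=openshift,global.platform=openshift
  --istio.test.istio.enableCNI=true
  "--istio.test.hub=${HUB}"
  "--istio.test.tag=${TAG}"
)

# Append -skip only when the caller supplied a pattern.
if [ -n "${SKIP_TESTS}" ]; then
  test_args+=(-skip "${SKIP_TESTS}")
fi

go test "${test_args[@]}"
```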
@@ -0,0 +1,113 @@
+#!/bin/bash
+
+# WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY
+#
+# The original version of this file is located in the https://github.com/istio/common-files repo.
+# If you're looking at this file in a different repo and want to make a change, please go to the
+# common-files repo, make the change there and check it in. Then come back to this repo and run
+# "make update-common".
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+set -x
+
+# The purpose of this file is to unify ocp setup in both istio/istio and istio-ecosystem/sail-operator.
+# repos to avoid code duplication. This is needed to setup the OCP environment for the tests.
+
+WD=$(dirname "$0")
+WD=$(cd "$WD"; pwd)
+TIMEOUT=300
+export NAMESPACE="${NAMESPACE:-"istio-system"}"
+
+function setup_internal_registry() {
+ # Validate that the internal registry is running in the OCP Cluster, configure the variable to be used in the make target.
+ # If there is no internal registry, the test can't be executed targeting to the internal registry
+
+ # Check if the registry pods are running
+ oc get pods -n openshift-image-registry --no-headers | grep -v "Running\|Completed" && echo "It looks like the OCP image registry is not deployed or Running. This tests scenario requires it. Aborting." && exit 1
+
+ # Check if default route already exist
+ if [ -z "$(oc get route default-route -n openshift-image-registry -o name)" ]; then
+ echo "Route default-route does not exist, patching DefaultRoute to true on Image Registry."
+ oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge
+
+ timeout --foreground -v -s SIGHUP -k ${TIMEOUT} ${TIMEOUT} bash --verbose -c \
+ "until oc get route default-route -n openshift-image-registry &> /dev/null; do sleep 5; done && echo 'The 'default-route' has been created.'"
+ fi
+
+ # Get the registry route
+ URL=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')
+ # Hub will be equal to the route url/project-name(NameSpace)
+ export HUB="${URL}/${NAMESPACE}"
+ echo "Internal registry URL: ${HUB}"
+
+ # Create namespace from where the image are going to be pushed
+ # This is needed because in the internal registry the images are stored in the namespace.
+ # If the namespace already exist, it will not fail
+ oc create namespace "${NAMESPACE}" || true
+
+ deploy_rolebinding
+
+ # Login to the internal registry when running on CRC (Only for local development)
+ # Take into count that you will need to add before the registry URL as Insecure registry in "/etc/docker/daemon.json"
+ if [[ ${URL} == *".apps-crc.testing"* ]]; then
+ echo "Executing Docker login to the internal registry"
+ if ! oc whoami -t | docker login -u "$(oc whoami)" --password-stdin "${URL}"; then
+ echo "***** Error: Failed to log in to Docker registry."
+ echo "***** Check the error and if is related to 'tls: failed to verify certificate' please add the registry URL as Insecure registry in '/etc/docker/daemon.json'"
+ exit 1
+ fi
+ fi
+}
+
+function deploy_rolebinding() {
+ # Adding roles to avoid the need to be authenticated to push images to the internal registry
+ # and pull them later in the any namespace
+ echo '
+kind: List
+apiVersion: v1
+items:
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ name: image-puller
+ namespace: '"$NAMESPACE"'
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:image-puller
+ subjects:
+ - kind: Group
+ apiGroup: rbac.authorization.k8s.io
+ name: system:unauthenticated
+ - kind: Group
+ name: system:serviceaccounts
+ apiGroup: rbac.authorization.k8s.io
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ name: image-pusher
+ namespace: '"$NAMESPACE"'
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:image-builder
+ subjects:
+ - kind: Group
+ apiGroup: rbac.authorization.k8s.io
+ name: system:unauthenticated
+' | oc apply -f -
+}
\ No newline at end of file
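Review bot: The `image-pusher` RoleBinding in `deploy_rolebinding` grants `system:image-builder` to `system:unauthenticated`, and `setup_internal_registry` has just exposed the registry through `default-route`, so while the binding exists any client that can reach the route can replace the images in `${NAMESPACE}` that the mesh components are then deployed from. Nothing in this file removes `image-puller` or `image-pusher` once the run is over. I would bind the builder role to the identity that performs the push, for example a subject of `kind: User` with `name: '"$(oc whoami)"'`, and run the existing `oc whoami -t | docker login` step for every cluster rather than only for `*.apps-crc.testing`; if anonymous push has to stay, the comment in `deploy_rolebinding` should say the script is meant for disposable test clusters only and a cleanup step should delete both bindings. Whether the route is reachable from outside the CI network cannot be seen from this hunk. Separately, the registry pod check passes when `oc get pods` returns no pods at all, because `grep -v` then has nothing to match, which contradicts the "not deployed" wording of its message.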