From ed5ca6b28a2af9ad03c069c72e2f5025d4248ac8 Mon Sep 17 00:00:00 2001 From: Mikhail Abramov Date: Fri, 26 Jan 2024 11:46:33 +0100 Subject: [PATCH] OSSM-4847: Increase test coverage over Cluster Wide test case (#652) --- .../ossm/operator/clusterwide_mode_test.go | 117 +++++++++++++++++- pkg/util/oc/pod_commands.go | 1 + 2 files changed, 114 insertions(+), 4 deletions(-) diff --git a/pkg/tests/ossm/operator/clusterwide_mode_test.go b/pkg/tests/ossm/operator/clusterwide_mode_test.go index 26314e82..6a9877c8 100644 --- a/pkg/tests/ossm/operator/clusterwide_mode_test.go +++ b/pkg/tests/ossm/operator/clusterwide_mode_test.go @@ -47,8 +47,6 @@ func TestClusterWideMode(t *testing.T) { t.LogStep("Install cluster-wide SMCP") oc.ApplyTemplate(t, meshNamespace, clusterWideSMCP, ossm.DefaultSMCP()) - - t.LogStep("Wait for SMCP to be Ready") oc.WaitSMCPReady(t, meshNamespace, smcpName) t.NewSubTest("SMMR auto-creation").Run(func(t test.TestHelper) { @@ -305,6 +303,100 @@ spec: }) }) + t.NewSubTest("verify that namespaces without istio-enable label are not included to the SMMR list").Run(func(t test.TestHelper) { + membersList := []string{"member-1", "member-3"} + notInMembersList := []string{"member-0", "member-2", "member-4"} + + t.Cleanup(func() { + for _, member := range []string{"member-0", "member-2", "member-4"} { + oc.RemoveLabel(t, "", "Namespace", member, "istio-injection") + oc.Label(t, "", "Namespace", member, "istio-injection=enabled") + } + }) + + t.LogStep("Wait for SMMR to be Ready") + oc.WaitSMMRReady(t, meshNamespace) + + t.LogStep("Remove istio-injection=enabled label from member-0/2/4 namespaces") + for _, member := range []string{"member-0", "member-2", "member-4"} { + t.Logf("Removing label from namespace %s", member) + oc.RemoveLabel(t, "", "Namespace", member, "istio-injection") + } + + t.LogStep("Wait for SMMR to be Ready") + oc.WaitSMMRReady(t, meshNamespace) + + t.LogStep("Check whether the SMMR shows the 2 namespaces created as members") + assertMembers(t, meshNamespace, membersList) + assertNonMembers(t, meshNamespace, notInMembersList) + + t.LogStep("Add other label istio-injection to the namespaces....") + t.Log("Add istio-injection=disabled label to member-2 namespace") + oc.Label(t, "", "Namespace", "member-2", "istio-injection=disabled") + t.Log("Add istio-injection=notanoption label to member-4 namespace") + oc.Label(t, "", "Namespace", "member-4", "istio-injection=notanoption") + + t.LogStep("Wait for SMMR to be Ready") + oc.WaitSMMRReady(t, meshNamespace) + + t.LogStep("Check whether the SMMR shows the 2 namespaces created as members") + assertMembers(t, meshNamespace, membersList) + assertNonMembers(t, meshNamespace, notInMembersList) + }) + + t.NewSubTest("verify strict mTLS across service mesh members and not members").Run(func(t test.TestHelper) { + t.Log("Test strict mTLS across service mesh members") + t.Log("Doc: https://docs.openshift.com/container-platform/4.14/service_mesh/v2x/ossm-security.html#ossm-security-enabling-strict-mtls_ossm-security") + + t.Cleanup(func() { + oc.RecreateNamespace(t, "foo", "legacy") + oc.Patch(t, + meshNamespace, "smcp", smcpName, "merge", + `{"spec":{"security":{"dataPlane":{"mtls":false}}}}`, + ) + oc.WaitSMCPReady(t, meshNamespace, smcpName) + }) + + t.LogStep("Apply SMMR to select foo and legacy as members") + oc.ApplyString(t, meshNamespace, fooLegacySMMR) + oc.WaitSMCPReady(t, meshNamespace, smcpName) + + t.LogStep("Install sleep in foo and legacy namespaces") + app.InstallAndWaitReady(t, + app.Sleep("foo"), + app.Httpbin("foo"), + app.HttpbinNoSidecar("legacy")) + + t.LogStep("Apply SMCP with STRICT mTLS true") + oc.Patch(t, + meshNamespace, "smcp", smcpName, "merge", + `{"spec":{"security":{"dataPlane":{"mtls":true}}}}`, + ) + oc.WaitSMCPReady(t, meshNamespace, smcpName) + + t.LogStep("Check if mTLS is enabled in foo") + retry.UntilSuccess(t, func(t test.TestHelper) { + oc.Exec(t, + pod.MatchingSelector("app=sleep", "foo"), + "sleep", + "curl http://httpbin.foo:8000/headers -s", + assert.OutputContains("X-Forwarded-Client-Cert", + "mTLS is enabled in namespace foo (X-Forwarded-Client-Cert header is present)", + "mTLS is not enabled in namespace foo (X-Forwarded-Client-Cert header is not present)")) + }) + + t.LogStep("Check that mTLS is NOT enabled in legacy") + retry.UntilSuccess(t, func(t test.TestHelper) { + oc.Exec(t, + pod.MatchingSelector("app=sleep", "foo"), + "sleep", + "curl http://httpbin.legacy:8000/headers -s", + assert.OutputDoesNotContain("X-Forwarded-Client-Cert", + "mTLS is not enabled in namespace legacy (X-Forwarded-Client-Cert header is not present)", + "mTLS is enabled in namespace legacy, but shouldn't be (X-Forwarded-Client-Cert header is present when it shouldn't be)")) + }) + }) + t.NewSubTest("cluster wide works with profiles").Run(func(t test.TestHelper) { t.Log("Check whether the cluster wide feature works with profiles") @@ -371,9 +463,15 @@ func verifyMembersInSMMR(t test.TestHelper, meshNamespace string, membersList [] } if found != shouldExist { if shouldExist { - t.Fatalf("The member '%s' is missing from the members list.", member) + t.Fatalf("FAILURE: The member '%s' is missing from the members list.", member) } else { - t.Fatalf("Expected namespace %s to not be a member, but it was", member) + t.Fatalf("FAILURE: Expected namespace %s to not be a member, but it was", member) + } + } else { + if shouldExist { + t.Logf("SUCCESS: Namespace %s is a member of the SMMR", member) + } else { + t.Logf("SUCCESS: Namespace %s is not a member of the SMMR as expected", member) } } } @@ -504,6 +602,17 @@ spec: members: - member-0 - member-1 + memberSelectors: []` + + fooLegacySMMR = ` +apiVersion: maistra.io/v1 +kind: ServiceMeshMemberRoll +metadata: + name: default +spec: + members: + - foo + - legacy memberSelectors: []` smmrMultipleSelectors = ` diff --git a/pkg/util/oc/pod_commands.go b/pkg/util/oc/pod_commands.go index eaf8837f..325962f1 100644 --- a/pkg/util/oc/pod_commands.go +++ b/pkg/util/oc/pod_commands.go @@ -186,6 +186,7 @@ func (o OC) WaitFor(t test.TestHelper, ns string, kind string, name string, forC func (o OC) WaitSMMRReady(t test.TestHelper, ns string) { t.T().Helper() + t.Logf("Wait for smmr/default to be ready in namespace %s", ns) o.withKubeconfig(t, func() { t.T().Helper() shell.Executef(t, `oc -n %s wait --for condition=Ready smmr/default --timeout 300s`, ns)