// Listing: istio.io/istio@v0.0.0-20240520182934-d79c90f27776/tests/integration/pilot/gw_topology_test.go

//go:build integ
// +build integ

// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package pilot

import (
	"fmt"
	"testing"
	"time"

	"istio.io/istio/pkg/test/framework"
	kubecluster "istio.io/istio/pkg/test/framework/components/cluster/kube"
	"istio.io/istio/pkg/test/framework/components/namespace"
	"istio.io/istio/pkg/test/framework/resource/config/apply"
	kubetest "istio.io/istio/pkg/test/kube"
	"istio.io/istio/pkg/test/util/retry"
	"istio.io/istio/tests/integration/pilot/common"
)

// TestXFFGateway deploys a dedicated gateway whose proxy config sets
// gatewayTopology.numTrustedProxies to 2, waits for its pods to become ready,
// and then runs every case returned by common.XFFGatewayCase against it.
//
// numTrustedProxies tells the gateway how many proxies in front of it are
// trusted to have appended to X-Forwarded-For. The value has to match the real
// topology: if it is larger than the number of trusted hops, an XFF entry
// supplied by the client itself can end up being treated as the client
// address. The assertions live in common.XFFGatewayCase, which is not part of
// this file.
func TestXFFGateway(t *testing.T) {
	framework.NewTest(t).Run(func(t framework.TestContext) {
		// Namespace-level injection is requested only when the Compatibility
		// setting is on.
		inject := t.Settings().Compatibility
		gatewayNs := namespace.NewOrFail(t, t, namespace.Config{Prefix: "custom-gateway", Inject: inject})

		// Pod label rendered into the Deployment template: the generic inject
		// label, or the revision label when a default revision is configured.
		injectLabel := `sidecar.istio.io/inject: "true"`
		if rev := t.Settings().Revisions.Default(); len(rev) > 0 {
			injectLabel = fmt.Sprintf(`istio.io/rev: "%v"`, rev)
		}

		params := map[string]string{
			"imagePullSecret": t.Settings().Image.PullSecret,
			"injectLabel":     injectLabel,
			"imagePullPolicy": t.Settings().Image.PullPolicy,
		}

		// The manifest is applied to config clusters only.
		// NOTE(review): this test uses apply.NoCleanup while the other tests in
		// this file use apply.CleanupConditionally; presumably removal of
		// gatewayNs takes these objects with it. Confirm.
		t.ConfigIstio().Eval(gatewayNs.Name(), params, `apiVersion: v1
kind: Service
metadata:
  name: custom-gateway
  labels:
    istio: ingressgateway
spec:
  ports:
  - port: 80
    targetPort: 8080
    name: http
  selector:
    istio: ingressgateway
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: custom-gateway
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  template:
    metadata:
      annotations:
        inject.istio.io/templates: gateway
        proxy.istio.io/config: |
          gatewayTopology:
            numTrustedProxies: 2
      labels:
        istio: ingressgateway
        {{ .injectLabel }}
    spec:
      {{- if ne .imagePullSecret "" }}
      imagePullSecrets:
      - name: {{ .imagePullSecret }}
      {{- end }}
      containers:
      - name: istio-proxy
        image: auto
        imagePullPolicy: {{ .imagePullPolicy }}
---
`).ApplyOrFail(t, apply.NoCleanup)

		// Poll once per second, for at most two minutes, until the gateway
		// pods report ready.
		cluster := t.Clusters().Default().(*kubecluster.Cluster)
		podsReady := func() error {
			_, err := kubetest.CheckPodsAreReady(kubetest.NewPodFetch(cluster, gatewayNs.Name(), "istio=ingressgateway"))
			return err
		}
		retry.UntilSuccessOrFail(t, podsReady, retry.Timeout(2*time.Minute), retry.Delay(time.Second))

		gatewayHost := fmt.Sprintf("custom-gateway.%s.svc.cluster.local", gatewayNs.Name())
		for _, tc := range common.XFFGatewayCase(&apps, gatewayHost) {
			tc.Run(t, apps.Namespace.Name())
		}
	})
}

// TestProxyProtocolTCPGateway deploys a gateway with the PROXY protocol
// enabled and numTrustedProxies set to 1, then runs the cases returned by
// common.ProxyProtocolFilterAppliedGatewayCase in a "filter" subtest.
//
// If the PROXY protocol is enabled, and no XFF header is provided, client forwarded IPs from the PROXY protocol payload
// should be used to populate the upstream XFF header.
//
// If the PROXY protocol is enabled, and additionally an XFF header is provided AND numTrustedProxies is set, the XFF header on the incoming request
// will take precedence when populating the upstream XFF header.
//
// NOTE(review): a PROXY protocol header is not authenticated, so outside of a
// test a listener that accepts it should only be reachable from the trusted
// load balancer that emits it.
func TestProxyProtocolTCPGateway(t *testing.T) {
	framework.NewTest(t).Run(func(t framework.TestContext) {
		// Namespace-level injection is requested only when the Compatibility
		// setting is on.
		inject := t.Settings().Compatibility
		gatewayNs := namespace.NewOrFail(t, t, namespace.Config{Prefix: "custom-gateway", Inject: inject})

		// Pod label rendered into the Deployment template: the generic inject
		// label, or the revision label when a default revision is configured.
		injectLabel := `sidecar.istio.io/inject: "true"`
		if rev := t.Settings().Revisions.Default(); len(rev) > 0 {
			injectLabel = fmt.Sprintf(`istio.io/rev: "%v"`, rev)
		}

		params := map[string]string{
			"imagePullSecret": t.Settings().Image.PullSecret,
			"injectLabel":     injectLabel,
			"imagePullPolicy": t.Settings().Image.PullPolicy,
		}

		// The manifest is applied to config clusters only.
		t.ConfigIstio().Eval(gatewayNs.Name(), params, `apiVersion: v1
kind: Service
metadata:
  name: custom-gateway
  labels:
    istio: ingressgateway
spec:
  ports:
  - port: 80
    targetPort: 8080
    name: tcp
  selector:
    istio: ingressgateway
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: custom-gateway
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  template:
    metadata:
      annotations:
        inject.istio.io/templates: gateway
        sidecar.istio.io/componentLogLevel: conn_handler:debug,connection:debug,http:debug
        proxy.istio.io/config: |
          gatewayTopology:
            numTrustedProxies: 1
            proxyProtocol: {}
      labels:
        istio: ingressgateway
        {{ .injectLabel }}
    spec:
      {{- if ne .imagePullSecret "" }}
      imagePullSecrets:
      - name: {{ .imagePullSecret }}
      {{- end }}
      containers:
      - name: istio-proxy
        image: auto
        imagePullPolicy: {{ .imagePullPolicy }}
---
`).ApplyOrFail(t, apply.CleanupConditionally)

		// Wait for gateway readiness: poll once per second for at most two
		// minutes.
		cluster := t.Clusters().Default().(*kubecluster.Cluster)
		podsReady := func() error {
			_, err := kubetest.CheckPodsAreReady(kubetest.NewPodFetch(cluster, gatewayNs.Name(), "istio=ingressgateway"))
			return err
		}
		retry.UntilSuccessOrFail(t, podsReady, retry.Timeout(2*time.Minute), retry.Delay(time.Second))

		// Apply an envoy filter in a subtest to the existing gateway.
		t.NewSubTest("filter").Run(func(t framework.TestContext) {
			gatewayHost := fmt.Sprintf("custom-gateway.%s.svc.cluster.local", gatewayNs.Name())
			for _, tc := range common.ProxyProtocolFilterAppliedGatewayCase(&apps, gatewayHost) {
				tc.Run(t, apps.Namespace.Name())
			}
		})
	})
}

// TestUpstreamProxyProtocol deploys the custom gateway (PROXY protocol
// enabled, numTrustedProxies set to 1) into the application namespace and runs
// the cases returned by common.UpstreamProxyProtocolCase against it.
func TestUpstreamProxyProtocol(t *testing.T) {
	framework.NewTest(t).Run(func(t framework.TestContext) {
		// Pod label rendered into the Deployment template: the generic inject
		// label, or the revision label when a default revision is configured.
		injectLabel := `sidecar.istio.io/inject: "true"`
		if rev := t.Settings().Revisions.Default(); len(rev) > 0 {
			injectLabel = fmt.Sprintf(`istio.io/rev: "%v"`, rev)
		}

		params := map[string]string{
			"imagePullSecret": t.Settings().Image.PullSecret,
			"injectLabel":     injectLabel,
			"imagePullPolicy": t.Settings().Image.PullPolicy,
		}

		// The manifest is applied to config clusters only.
		// The custom gateway is created in the same namespace as the app so that
		// the destination rule can be applied; otherwise the destination rule
		// would be ignored by the `restrict-to-namespace` sidecar.
		gatewayNs := apps.Namespace
		t.ConfigIstio().Eval(gatewayNs.Name(), params, `apiVersion: v1
kind: Service
metadata:
  name: custom-gateway
  labels:
    istio: ingressgateway
spec:
  ports:
  - port: 80
    targetPort: 8080
    name: tcp
  selector:
    istio: ingressgateway
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: custom-gateway
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  template:
    metadata:
      annotations:
        inject.istio.io/templates: gateway
        sidecar.istio.io/componentLogLevel: conn_handler:debug,connection:debug,http:debug
        proxy.istio.io/config: |
          gatewayTopology:
            numTrustedProxies: 1
            proxyProtocol: {}
      labels:
        istio: ingressgateway
        {{ .injectLabel }}
    spec:
      {{- if ne .imagePullSecret "" }}
      imagePullSecrets:
      - name: {{ .imagePullSecret }}
      {{- end }}
      containers:
      - name: istio-proxy
        image: auto
        imagePullPolicy: {{ .imagePullPolicy }}
---
`).ApplyOrFail(t, apply.CleanupConditionally)

		// Wait for gateway readiness: poll once per second for at most two
		// minutes.
		cluster := t.Clusters().Default().(*kubecluster.Cluster)
		podsReady := func() error {
			_, err := kubetest.CheckPodsAreReady(kubetest.NewPodFetch(cluster, gatewayNs.Name(), "istio=ingressgateway"))
			return err
		}
		retry.UntilSuccessOrFail(t, podsReady, retry.Timeout(2*time.Minute), retry.Delay(time.Second))

		gatewayHost := fmt.Sprintf("custom-gateway.%s.svc.cluster.local", gatewayNs.Name())
		for _, tc := range common.UpstreamProxyProtocolCase(&apps, gatewayHost) {
			tc.Run(t, apps.Namespace.Name())
		}
	})
}