Backport Kuma updates to 0.39 (#1017)

* feat: install default allow-all traffic permission when kuma >= 2.6.0 (#957)

* feat: use kuma version when installing it (#949)

Co-authored-by: Jakub Warczarek <jakub.warczarek@konghq.com>

* chore: test on PRs to release branches

* run lint workflow for all branches

* fix linter issues

---------

Co-authored-by: Grzegorz Burzyński <czeslavo@gmail.com>
Co-authored-by: Jakub Warczarek <jakub.warczarek@konghq.com>

Author: 3 people

.github/workflows/lint.yaml

@@ -3,12 +3,12 @@ name: lint
 on:
   pull_request:
     branches:
-    - '*'
+    - '**'
   push:
     branches:
     - 'main'
     tags:
-    - '*'
+    - '**'
   workflow_dispatch: {}
 
 jobs:

.github/workflows/tests.yaml

@@ -10,6 +10,7 @@ on:
   pull_request:
     branches:
     - 'main'
+    - 'release/[0-9]+.[0-9]+.x'
   push:
     branches:
     - 'main'
@@ -114,7 +115,7 @@ jobs:
       if: steps.detect_if_should_run_enterprise.outputs.result == 'true'
       id: license
       with:
-        password: ${{ secrets.PULP_PASSWORD }}
+        op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
 
     - name: setup golang
       uses: actions/setup-go@v4
@@ -196,7 +197,7 @@ jobs:
         if: steps.detect_if_should_run.outputs.result == 'true'
         id: license
         with:
-          password: ${{ secrets.PULP_PASSWORD }}
+          op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
 
       - name: checkout repository
         if: steps.detect_if_should_run.outputs.result == 'true'

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## v0.39.2
+
+- Backport Kuma changes to honor version and handle Kuma 2.6.0 traffic
+  permissions properly.
+  [#1017](https://github.com/Kong/kubernetes-testing-framework/pull/1017)
+
 ## v0.39.1
 
 - Removed a module exclude that made `go install` unhappy.

internal/cmd/ktf/environments.go

@@ -62,7 +62,7 @@ func init() { //nolint:gochecknoinits
 var environmentsCreateCmd = &cobra.Command{
 	Use:   "create",
 	Short: "create a new testing environment",
-	Run: func(cmd *cobra.Command, args []string) {
+	Run: func(cmd *cobra.Command, _ []string) {
 		ctx, cancel := context.WithTimeout(context.Background(), EnvironmentCreateTimeout)
 		defer cancel()
 
@@ -286,7 +286,7 @@ func init() { //nolint:gochecknoinits
 var environmentsDeleteCmd = &cobra.Command{
 	Use:   "delete",
 	Short: "delete a testing environment",
-	Run: func(cmd *cobra.Command, args []string) {
+	Run: func(cmd *cobra.Command, _ []string) {
 		ctx, cancel := context.WithTimeout(context.Background(), EnvironmentCreateTimeout)
 		defer cancel()
 

pkg/clusters/addons/kong/addon.go

@@ -240,7 +240,7 @@ func (a *Addon) Deploy(ctx context.Context, cluster clusters.Cluster) error {
 		if opts.Server == "" {
 			opts.Server = "https://index.docker.io/v1/"
 		}
-		opts.PrintObj = func(obj runtime.Object) error {
+		opts.PrintObj = func(_ runtime.Object) error {
 			return nil
 		}
 
@@ -606,7 +606,8 @@ func urlForService(ctx context.Context, cluster clusters.Cluster, nsn types.Name
 		return nil, err
 	}
 
-	switch service.Spec.Type { //nolint:exhaustive
+	//nolint:exhaustive
+	switch service.Spec.Type {
 	case corev1.ServiceTypeLoadBalancer:
 		if len(service.Status.LoadBalancer.Ingress) == 1 {
 			return url.Parse(fmt.Sprintf("http://%s:%d", service.Status.LoadBalancer.Ingress[0].IP, port))

pkg/clusters/addons/kuma/addon.go

@@ -45,7 +45,7 @@ type Addon struct {
 	name   string
 	logger *logrus.Logger
 
-	version semver.Version
+	version *semver.Version
 
 	mtlsEnabled bool
 }
@@ -61,9 +61,14 @@ func (a *Addon) Namespace() string {
 	return Namespace
 }
 
-// Version indicates the Kuma version for this addon.
-func (a *Addon) Version() semver.Version {
-	return a.version
+// Version returns the version of the Kuma Helm chart deployed by the addon.
+// If the version is not set, the second return value will be false and the latest local
+// chart version will be used.
+func (a *Addon) Version() (v semver.Version, ok bool) {
+	if a.version == nil {
+		return semver.Version{}, false
+	}
+	return *a.version, true
 }
 
 // -----------------------------------------------------------------------------
@@ -144,6 +149,10 @@ func (a *Addon) Deploy(ctx context.Context, cluster clusters.Cluster) error {
 	// if the dbmode is postgres, set several related values
 	args := []string{"--kubeconfig", kubeconfig.Name(), "install", DefaultReleaseName, "kuma/kuma"}
 
+	if a.version != nil {
+		args = append(args, "--version", a.version.String())
+	}
+
 	// compile the helm installation values
 	args = append(args, "--create-namespace", "--namespace", Namespace)
 	a.logger.Debugf("helm install arguments: %+v", args)
@@ -225,20 +234,49 @@ spec:
       name: ca-1
       type: builtin
     enabledBackend: ca-1`
+
+	allowAllTrafficPermission = `apiVersion: kuma.io/v1alpha1
+kind: MeshTrafficPermission
+metadata:
+  name: allow-all
+  namespace: kuma-system
+  labels:
+    kuma.io/mesh: default
+spec:
+  targetRef:
+    kind: Mesh
+  from:
+  - targetRef:
+      kind: Mesh
+    default:
+      action: Allow`
+)
+
+var (
+	// From Kuma 2.6.0, the default mesh traffic permission is no longer created by default
+	// and must be created manually if mTLS is enabled.
+	// https://github.com/kumahq/kuma/blob/2.6.0/UPGRADE.md#default-trafficroute-and-trafficpermission-resources-are-not-created-when-creating-a-new-mesh
+	installDefaultMeshTrafficPermissionCutoffVersion = semver.MustParse("2.6.0")
 )
 
 // enableMTLS attempts to apply a Mesh resource with a basic retry mechanism to deal with delays in the Kuma webhook
 // startup
 func (a *Addon) enableMTLS(ctx context.Context, cluster clusters.Cluster) (err error) {
 	ticker := time.NewTicker(5 * time.Second) //nolint:gomnd
+	defer ticker.Stop()
 	timeoutTimer := time.NewTimer(time.Minute)
 
 	for {
 		select {
 		case <-ctx.Done():
 			return fmt.Errorf("context completed while retrying to apply Mesh")
 		case <-ticker.C:
-			err = clusters.ApplyManifestByYAML(ctx, cluster, mtlsEnabledDefaultMesh)
+			yamlToApply := mtlsEnabledDefaultMesh
+			if v, ok := a.Version(); ok && v.GTE(installDefaultMeshTrafficPermissionCutoffVersion) {
+				a.logger.Infof("Kuma version is %s or later, creating default mesh traffic permission", installDefaultMeshTrafficPermissionCutoffVersion)
+				yamlToApply = strings.Join([]string{mtlsEnabledDefaultMesh, allowAllTrafficPermission}, "\n---\n")
+			}
+			err = clusters.ApplyManifestByYAML(ctx, cluster, yamlToApply)
 			if err == nil {
 				return nil
 			}

pkg/clusters/addons/kuma/builder.go

@@ -14,7 +14,7 @@ import (
 // Builder is a configuration tool to generate Kuma cluster addons.
 type Builder struct {
 	name    string
-	version semver.Version
+	version *semver.Version
 	logger  *logrus.Logger
 
 	mtlsEnabled bool
@@ -29,7 +29,7 @@ func NewBuilder() *Builder {
 
 // WithVersion configures the specific version of Kuma which should be deployed.
 func (b *Builder) WithVersion(version semver.Version) *Builder {
-	b.version = version
+	b.version = &version
 	return b
 }
 

pkg/environments/builder.go

@@ -185,7 +185,7 @@ func (b *Builder) Build(ctx context.Context) (env Environment, err error) {
 			cluster: cluster,
 		}, nil
 	case 1:
-		return nil, addonDeploymentErrors[0] //nolint:gosec
+		return nil, addonDeploymentErrors[0]
 	default:
 		errMsgs := make([]string, 0, totalFailures)
 		for _, err := range addonDeploymentErrors {

pkg/utils/kong/fake_admin_api.go

@@ -41,7 +41,7 @@ type FakeAdminAPIServer struct {
 func NewFakeAdminAPIServer() (*FakeAdminAPIServer, error) {
 	// start up the fake admin api server
 	mocks := make(chan AdminAPIResponse, maxMocks)
-	endpoint := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	endpoint := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		select {
 		case override := <-mocks:
 			// run any callbacks that were configured in the mock (these are optional)

test/e2e/gke_cluster_test.go

@@ -28,6 +28,11 @@ import (
 	"github.com/kong/kubernetes-testing-framework/pkg/utils/kubernetes/generators"
 )
 
+const (
+	gkeVersionMajor = 1
+	gkeVersionMinor = 29
+)
+
 var (
 	gkeCreds    = os.Getenv(gke.GKECredsVar)
 	gkeProject  = os.Getenv(gke.GKEProjectVar)
@@ -60,7 +65,7 @@ func testGKECluster(t *testing.T, createSubnet bool) {
 
 	t.Logf("configuring the GKE cluster PROJECT=(%s) LOCATION=(%s)", gkeProject, gkeLocation)
 	builder := gke.NewBuilder([]byte(gkeCreds), gkeProject, gkeLocation)
-	builder.WithClusterMinorVersion(1, 24)
+	builder.WithClusterMinorVersion(gkeVersionMajor, gkeVersionMinor)
 	builder.WithWaitForTeardown(false)
 	builder.WithCreateSubnet(createSubnet)
 	builder.WithLabels(map[string]string{"test-cluster": "true"})
@@ -113,8 +118,8 @@ func testGKECluster(t *testing.T, createSubnet bool) {
 	t.Log("validating kubernetes cluster version")
 	kubernetesVersion, err := env.Cluster().Version()
 	require.NoError(t, err)
-	require.Equal(t, uint64(1), kubernetesVersion.Major)
-	require.Equal(t, uint64(24), kubernetesVersion.Minor)
+	require.Equal(t, uint64(gkeVersionMajor), kubernetesVersion.Major)
+	require.Equal(t, uint64(gkeVersionMinor), kubernetesVersion.Minor)
 
 	t.Log("verifying that the kong addon deployed both proxy and controller")
 	kongAddon, err := env.Cluster().GetAddon("kong")