Kubernetes and Istio test suites

.github/workflows/ci.yaml

@@ -71,6 +71,9 @@ jobs:
     runs-on: ubuntu-latest
     env:
       E2E_TEST_OPTS: -v -count=1
+    strategy:
+      matrix:
+        group: [docker,k8s]
     steps:
       - uses: docker/setup-qemu-action@v3
         with:
@@ -80,16 +83,12 @@ jobs:
       - uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
-      # Configure the Docker hostname to be able to access the host from the containers
-      - name: Add Docker internal host to /etc/hosts
-        run: echo "127.0.0.1 host.docker.internal" | sudo tee -a /etc/hosts
-      - run: make docker e2e
-
+      - run: make docker e2e/${{ matrix.group }}
       - name: Upload e2e logs on failure
         uses: actions/upload-artifact@v4
         if: failure()
         with:
-          name: e2e-logs
+          name: e2e-${{ matrix.group }}-logs
           path: |
             e2e/**/logs/*
             e2e/**/certs/*

.gitignore

@@ -3,3 +3,5 @@ bin/
 .makerc
 .vimrc
 logs/
+cluster/kubeconfig
+certs/

.licenserignore

@@ -9,3 +9,8 @@ bin/
 .vimrc
 *.json
 LICENSE
+*.crt
+*.csr
+*.srl
+*.key
+kubeconfig

DEVELOPMENT.md

@@ -11,6 +11,8 @@ The following software and tools are needed to build the project and run the tes
 * [Go](https://golang.org/dl/)
 * [GNU make](https://www.gnu.org/software/make/)
 * [Docker](https://docs.docker.com/get-docker/)
+* [Kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) (needed to run the Istio e2e test suite)
+* [Helm](https://helm.sh/docs/intro/install/) (needed to run the Istio e2e test suite)
 
 
 ## Generating the API code

Makefile

@@ -12,15 +12,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-NAME       ?= authservice
 PKG	   	   ?= ./cmd
 BUILD_OPTS ?=
 TEST_OPTS  ?=
 TEST_PKGS  ?= $(shell go list ./... | grep -v /e2e)
 OUTDIR     ?= bin
 
 include env.mk    # Load common variables
--include .makerc  # Pick up any local overrides.
 
 
 ##@ Build targets

e2e/Makefile

@@ -12,12 +12,19 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-
-SUITES := mock redis keycloak
+SUITES_DOCKER := mock redis keycloak
+SUITES_K8S    := istio
+SUITES        := $(SUITES_DOCKER) $(SUITES_K8S)
 
 .PHONY: e2e
 e2e: $(SUITES:%=e2e/%)  ## Run all e2e tests
 
+.PHONY: e2e/docker
+e2e/docker: $(SUITES_DOCKER:%=e2e/%)
+
+.PHONY: e2e/k8s
+e2e/k8s: $(SUITES_K8S:%=e2e/%)
+
 e2e/%:
 	@$(MAKE) -C $(@F) $(@D)
 

e2e/istio/Makefile

@@ -0,0 +1,30 @@
+# Copyright 2024 Tetrate
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+include ../suite-certs.mk
+include ../suite-k8s.mk
+
+.PHONY: gen-certs
+gen-certs: clean-certs ca/ca.authservice.internal certificate/http-echo.authservice.internal
+	@chmod -R a+r $(CERTS_DIR)
+
+.PHONY: clean
+clean:: clean-certs
+
+.PHONY: e2e-pre
+e2e-pre:: gen-certs
+	@kubectl --kubeconfig $(E2E_KUBECONFIG) create namespace istio-system
+	@kubectl --kubeconfig $(E2E_KUBECONFIG) -n istio-system create secret tls http-echo-certs \
+		--cert=certs/http-echo.authservice.internal.crt \
+		--key=certs/http-echo.authservice.internal.key

e2e/istio/README.md

@@ -0,0 +1,28 @@
+# Istio e2e tests
+
+The [Istio](https://istio.io/) end-to-end tests are designed to verify the integration of the
+Auth Service with Istio.
+
+They deploy a [KinD](https://kind.sigs.k8s.io/) Kubernetes cluster where Istio and the Auth Service are
+installed and then run a series of tests to verify the integration. 
+
+## Accessing the cluster from the host machine
+
+For convenience, the Kind cluster Kubeconfig is generated in `cluster/kubeconfig`, and  an be used to access
+the cluster from the host machine. For example:
+
+```bash
+$ kubectl --kubeconfig cluster/kubeconfig get namespaces
+```
+
+## Manually creating and destroying the cluster
+
+The Kind cluster is automatically created and destroyed when running the test suites. However, it is
+possible to manually create and destroy the cluster by running the following commands:
+
+```bash
+$ make kind-create
+$ make kind-destroy
+```
+
+This is useful for debugging purposes.

e2e/istio/cluster/istiod-config.yaml

@@ -0,0 +1,41 @@
+# Copyright 2024 Tetrate
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+pilot:
+  # Clear the default resources to allow it to run in very constrained local environments
+  # without explicitly requesting more memory than the one that might be available in the
+  # local Kind cluster.
+  resources: null
+
+#global:
+#  proxy:
+#    # Default log levels to be used by sidecars and gateways.
+#    # The HTTP and RBAC loggers will print the requests and responses with all the headers,
+#    # and the access decision records.
+#    # The `misc` is a bit noisy due to the version of Envoy being used, and we just silence
+#    # it to remove deprecation warning messages.
+#    componentLogLevel: "http:debug,rbac:debug,misc:error"
+
+meshConfig:
+  defaultConfig:
+    # Make sure everything is up and running before we start trying to
+    # send traffic to the services
+    holdApplicationUntilProxyStarts: true
+  extensionProviders:
+    # Configure the backend for the Auth Service provider that can be used in AuthorizationPolicies
+    # in CUSTOM mode.
+    - name: authservice-grpc
+      envoyExtAuthzGrpc:
+        service: "authservice.authservice.svc.cluster.local"
+        port: "10003"

e2e/istio/cluster/istiogw-config.yaml

@@ -0,0 +1,32 @@
+# Copyright 2023 Tetrate
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Configure the ingress as NodePort to make accessible to the local test environment
+service:
+  type: NodePort
+  ports:
+    - name: status-port
+      port: 15021
+      protocol: TCP
+      targetPort: 15021
+    - name: https
+      port: 443
+      nodePort: 30000  # Make it accessible form the host without having to install MetalLB or others
+      protocol: TCP
+      targetPort: 443
+
+# Clear the default resources to allow it to run in very constrained local environments
+# without explicitly requesting more memory than the one that might be available in the
+# local Kind cluster.
+resources: null

e2e/istio/cluster/kind-config.yaml

@@ -0,0 +1,25 @@
+# Copyright 2024 Tetrate
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kind.x-k8s.io/v1alpha4
+kind: Cluster
+nodes:
+  - role: control-plane
+    extraPortMappings:
+      # We expose the httpbin service in these host ports to make them accessible from the host without
+      # having to install additional tooling such as MetalLB to access it.
+      - containerPort: 30000
+        hostPort: 30000
+      - containerPort: 30001
+        hostPort: 30001

e2e/istio/cluster/manifests/authservice.yaml

@@ -0,0 +1,133 @@
+# Copyright 2024 Tetrate
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authservice
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: authservice
+  namespace: authservice
+  labels:
+    app: authservice
+spec:
+  ports:
+    - port: 10003
+      targetPort: 10003
+      name: grpc-authservice
+      protocol: TCP
+    - port: 10004
+      targetPort: 10004
+      name: grpc-health
+      protocol: TCP
+  selector:
+    app: authservice
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: authservice
+  namespace: authservice
+  labels:
+    app: authservice
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: authservice
+  namespace: authservice
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: authservice
+      version: v1
+  template:
+    metadata:
+      labels:
+        app: authservice
+        version: v1
+    spec:
+      serviceAccountName: authservice
+      containers:
+        - name: authservice
+          # This image is automatically generated by the e2e test setup in the `make kind-load` target
+          image: kind-local/authservice:e2e
+          imagePullPolicy: Never # Load directly from kind
+          ports:
+            - name: authz
+              containerPort: 10003
+              protocol: TCP
+            - name: health
+              containerPort: 10004
+              protocol: TCP
+          volumeMounts:
+            - name: config
+              mountPath: /etc/authservice
+          livenessProbe:
+            initialDelaySeconds: 1
+            periodSeconds: 5
+            tcpSocket:
+              port: 10003
+          readinessProbe:
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            httpGet:
+              port: 10004
+              path: /healthz
+      volumes:
+        - name: config
+          configMap:
+            name: authservice-config
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: authservice-config
+  namespace: authservice
+data:
+  config.json: |
+    {
+      "listen_address": "0.0.0.0",
+      "listen_port": "10003",
+      "log_level": "debug",
+      "allow_unmatched_requests": false,
+      "chains": [
+        {
+          "name": "keycloak",
+          "filters": [
+            {
+              "oidc":
+              {
+                "configuration_uri": "http://keycloak.keycloak:8080/realms/master/.well-known/openid-configuration",
+                "callback_uri": "https://http-echo.authservice.internal/callback",
+                "client_id": "authservice",
+                "client_secret": "authservice-secret",
+                "cookie_name_prefix": "authservice",
+                "id_token": {
+                  "preamble": "Bearer",
+                  "header": "Authorization"
+                },
+                "redis_session_store_config": {
+                  "server_uri": "redis://redis.redis.svc.cluster.local:6379"
+                }
+              }
+            }
+          ]
+        }
+      ]
+    }