Fix Istio ingress service.yaml and add test. (gardener#9098)

* Fix istio-ingress service.yaml and add test. * Add test for istio ingress service. Test service template with dualstack and external traffic policy
nickytd · Feb 1, 2024 · 52bf755 · 52bf755
1 parent 1af2f77
commit 52bf755
Show file tree

Hide file tree

Showing 7 changed files with 188 additions and 14 deletions.
diff --git a/pkg/component/istio/charts/istio/istio-ingress/templates/service.yaml b/pkg/component/istio/charts/istio/istio-ingress/templates/service.yaml
@@ -26,9 +26,9 @@ spec:
   loadBalancerIP: {{ .Values.loadBalancerIP }}
 {{- end }}
 {{- if .Values.externalTrafficPolicy }}
-  externalTrafficPolicy: {{ .Values.externalTrafficPolicy -}}
-{{- end -}}
-{{- if eq .Values.dualStack true -}}
+  externalTrafficPolicy: {{ .Values.externalTrafficPolicy }}
+{{- end }}
+{{- if eq .Values.dualStack true }}
   ipFamilies:
   - IPv6
   - IPv4

diff --git a/pkg/component/istio/istio_test.go b/pkg/component/istio/istio_test.go
@@ -189,13 +189,29 @@ var _ = Describe("istiod", func() {
 			return string(data)
 		}
 
-		istioIngressService = func(externalTrafficPolicy *corev1.ServiceExternalTrafficPolicyType) string {
-			policy := ""
-			if externalTrafficPolicy != nil {
-				policy = "  externalTrafficPolicy: " + string(*externalTrafficPolicy)
-			}
+		istioIngressService = func() string {
 			data, _ := os.ReadFile("./test_charts/ingress_service.yaml")
-			return strings.TrimSpace(strings.ReplaceAll(string(data), "<EXTERNAL_TRAFFIC_POLICY>", policy))
+			return string(data)
+		}
+
+		istioIngressServiceDualStack = func() string {
+			data, _ := os.ReadFile("./test_charts/ingress_service_dualstack.yaml")
+			return string(data)
+		}
+
+		istioIngressServiceDualStackETP = func() string {
+			data, _ := os.ReadFile("./test_charts/ingress_service_dualstack_etp.yaml")
+			return string(data)
+		}
+
+		istioIngressServiceETPCluster = func() string {
+			data, _ := os.ReadFile("./test_charts/ingress_service_etp_cluster.yaml")
+			return string(data)
+		}
+
+		istioIngressServiceETPLocal = func() string {
+			data, _ := os.ReadFile("./test_charts/ingress_service_etp_local.yaml")
+			return string(data)
 		}
 
 		istioIngressServiceAccount = func() string {
@@ -364,7 +380,7 @@ var _ = Describe("istiod", func() {
 			Expect(diffConfig(string(managedResourceIstioSecret.Data["istio-ingress_templates_poddisruptionbudget_test-ingress.yaml"]), istioIngressPodDisruptionBudget())).To(BeEmpty())
 			Expect(diffConfig(string(managedResourceIstioSecret.Data["istio-ingress_templates_role_test-ingress.yaml"]), istioIngressRole())).To(BeEmpty())
 			Expect(diffConfig(string(managedResourceIstioSecret.Data["istio-ingress_templates_rolebindings_test-ingress.yaml"]), istioIngressRoleBinding())).To(BeEmpty())
-			Expect(diffConfig(string(managedResourceIstioSecret.Data["istio-ingress_templates_service_test-ingress.yaml"]), istioIngressService(nil))).To(BeEmpty())
+			Expect(diffConfig(string(managedResourceIstioSecret.Data["istio-ingress_templates_service_test-ingress.yaml"]), istioIngressService())).To(BeEmpty())
 			Expect(diffConfig(string(managedResourceIstioSecret.Data["istio-ingress_templates_serviceaccount_test-ingress.yaml"]), istioIngressServiceAccount())).To(BeEmpty())
 			Expect(diffConfig(string(managedResourceIstioSecret.Data["istio-ingress_templates_deployment_test-ingress.yaml"]), istioIngressDeployment(nil))).To(BeEmpty())
 
@@ -528,7 +544,7 @@ var _ = Describe("istiod", func() {
 
 			It("should successfully deploy correct external traffic policy", func() {
 				Expect(c.Get(ctx, client.ObjectKeyFromObject(managedResourceIstioSecret), managedResourceIstioSecret)).To(Succeed())
-				Expect(diffConfig(string(managedResourceIstioSecret.Data["istio-ingress_templates_service_test-ingress.yaml"]), istioIngressService(&externalTrafficPolicy))).To(BeEmpty())
+				Expect(diffConfig(string(managedResourceIstioSecret.Data["istio-ingress_templates_service_test-ingress.yaml"]), istioIngressServiceETPCluster())).To(BeEmpty())
 			})
 		})
 
@@ -554,7 +570,59 @@ var _ = Describe("istiod", func() {
 
 			It("should successfully deploy correct external traffic policy", func() {
 				Expect(c.Get(ctx, client.ObjectKeyFromObject(managedResourceIstioSecret), managedResourceIstioSecret)).To(Succeed())
-				Expect(diffConfig(string(managedResourceIstioSecret.Data["istio-ingress_templates_service_test-ingress.yaml"]), istioIngressService(&externalTrafficPolicy))).To(BeEmpty())
+				Expect(diffConfig(string(managedResourceIstioSecret.Data["istio-ingress_templates_service_test-ingress.yaml"]), istioIngressServiceETPLocal())).To(BeEmpty())
+			})
+		})
+
+		Context("dual stack istio service", func() {
+			BeforeEach(func() {
+				externalTrafficPolicy = corev1.ServiceExternalTrafficPolicyTypeLocal
+				igw[0].ExternalTrafficPolicy = &externalTrafficPolicy
+				igw[0].DualStack = true
+				istiod = NewIstio(
+					c,
+					renderer,
+					Values{
+						Istiod: IstiodValues{
+							Enabled:     true,
+							Image:       "foo/bar",
+							Namespace:   deployNS,
+							TrustDomain: "foo.local",
+							Zones:       []string{"a", "b", "c"},
+						},
+						IngressGateway: igw,
+					},
+				)
+			})
+
+			It("should successfully deploy correct dualStack config and traffic policy local", func() {
+				Expect(c.Get(ctx, client.ObjectKeyFromObject(managedResourceIstioSecret), managedResourceIstioSecret)).To(Succeed())
+				Expect(diffConfig(string(managedResourceIstioSecret.Data["istio-ingress_templates_service_test-ingress.yaml"]), istioIngressServiceDualStackETP())).To(BeEmpty())
+			})
+		})
+
+		Context("dual stack istio service with traffic policy local", func() {
+			BeforeEach(func() {
+				igw[0].DualStack = true
+				istiod = NewIstio(
+					c,
+					renderer,
+					Values{
+						Istiod: IstiodValues{
+							Enabled:     true,
+							Image:       "foo/bar",
+							Namespace:   deployNS,
+							TrustDomain: "foo.local",
+							Zones:       []string{"a", "b", "c"},
+						},
+						IngressGateway: igw,
+					},
+				)
+			})
+
+			It("should successfully deploy correct dualStack config", func() {
+				Expect(c.Get(ctx, client.ObjectKeyFromObject(managedResourceIstioSecret), managedResourceIstioSecret)).To(Succeed())
+				Expect(diffConfig(string(managedResourceIstioSecret.Data["istio-ingress_templates_service_test-ingress.yaml"]), istioIngressServiceDualStack())).To(BeEmpty())
 			})
 		})
 

diff --git a/pkg/component/istio/test_charts/ingress_service.yaml b/pkg/component/istio/test_charts/ingress_service.yaml
@@ -21,5 +21,4 @@ spec:
   ports:
   - name: foo
     port: 999
-    targetPort: 999
-<EXTERNAL_TRAFFIC_POLICY>
+    targetPort: 999
diff --git a/pkg/component/istio/test_charts/ingress_service_dualstack.yaml b/pkg/component/istio/test_charts/ingress_service_dualstack.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: istio-ingressgateway
+  namespace: test-ingress
+  annotations:
+    networking.resources.gardener.cloud/from-world-to-ports: '[{"port":8132,"protocol":"TCP"},{"port":8443,"protocol":"TCP"},{"port":9443,"protocol":"TCP"}]'
+    networking.resources.gardener.cloud/namespace-selectors: '[{"matchLabels":{"gardener.cloud/role":"shoot"}},{"matchLabels":{"kubernetes.io/metadata.name":"garden"}}]'
+    networking.resources.gardener.cloud/pod-label-selector-namespace-alias: all-istio-ingresses
+    networking.resources.gardener.cloud/from-all-seed-scrape-targets-allowed-ports: '[{"port":15020,"protocol":"TCP"}]'
+    foo: bar
+  labels:
+    app.kubernetes.io/version: 1.19.3
+    app: istio-ingressgateway
+    foo: bar
+spec:
+  type: LoadBalancer
+  selector:
+    app: istio-ingressgateway
+    foo: bar
+  ports:
+  - name: foo
+    port: 999
+    targetPort: 999
+  ipFamilies:
+  - IPv6
+  - IPv4
+  ipFamilyPolicy: PreferDualStack
diff --git a/pkg/component/istio/test_charts/ingress_service_dualstack_etp.yaml b/pkg/component/istio/test_charts/ingress_service_dualstack_etp.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: istio-ingressgateway
+  namespace: test-ingress
+  annotations:
+    networking.resources.gardener.cloud/from-world-to-ports: '[{"port":8132,"protocol":"TCP"},{"port":8443,"protocol":"TCP"},{"port":9443,"protocol":"TCP"}]'
+    networking.resources.gardener.cloud/namespace-selectors: '[{"matchLabels":{"gardener.cloud/role":"shoot"}},{"matchLabels":{"kubernetes.io/metadata.name":"garden"}}]'
+    networking.resources.gardener.cloud/pod-label-selector-namespace-alias: all-istio-ingresses
+    networking.resources.gardener.cloud/from-all-seed-scrape-targets-allowed-ports: '[{"port":15020,"protocol":"TCP"}]'
+    foo: bar
+  labels:
+    app.kubernetes.io/version: 1.19.3
+    app: istio-ingressgateway
+    foo: bar
+spec:
+  type: LoadBalancer
+  selector:
+    app: istio-ingressgateway
+    foo: bar
+  ports:
+  - name: foo
+    port: 999
+    targetPort: 999
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv6
+  - IPv4
+  ipFamilyPolicy: PreferDualStack
diff --git a/pkg/component/istio/test_charts/ingress_service_etp_cluster.yaml b/pkg/component/istio/test_charts/ingress_service_etp_cluster.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: istio-ingressgateway
+  namespace: test-ingress
+  annotations:
+    networking.resources.gardener.cloud/from-world-to-ports: '[{"port":8132,"protocol":"TCP"},{"port":8443,"protocol":"TCP"},{"port":9443,"protocol":"TCP"}]'
+    networking.resources.gardener.cloud/namespace-selectors: '[{"matchLabels":{"gardener.cloud/role":"shoot"}},{"matchLabels":{"kubernetes.io/metadata.name":"garden"}}]'
+    networking.resources.gardener.cloud/pod-label-selector-namespace-alias: all-istio-ingresses
+    networking.resources.gardener.cloud/from-all-seed-scrape-targets-allowed-ports: '[{"port":15020,"protocol":"TCP"}]'
+    foo: bar
+  labels:
+    app.kubernetes.io/version: 1.19.3
+    app: istio-ingressgateway
+    foo: bar
+spec:
+  type: LoadBalancer
+  selector:
+    app: istio-ingressgateway
+    foo: bar
+  ports:
+  - name: foo
+    port: 999
+    targetPort: 999
+  externalTrafficPolicy: Cluster
diff --git a/pkg/component/istio/test_charts/ingress_service_etp_local.yaml b/pkg/component/istio/test_charts/ingress_service_etp_local.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: istio-ingressgateway
+  namespace: test-ingress
+  annotations:
+    networking.resources.gardener.cloud/from-world-to-ports: '[{"port":8132,"protocol":"TCP"},{"port":8443,"protocol":"TCP"},{"port":9443,"protocol":"TCP"}]'
+    networking.resources.gardener.cloud/namespace-selectors: '[{"matchLabels":{"gardener.cloud/role":"shoot"}},{"matchLabels":{"kubernetes.io/metadata.name":"garden"}}]'
+    networking.resources.gardener.cloud/pod-label-selector-namespace-alias: all-istio-ingresses
+    networking.resources.gardener.cloud/from-all-seed-scrape-targets-allowed-ports: '[{"port":15020,"protocol":"TCP"}]'
+    foo: bar
+  labels:
+    app.kubernetes.io/version: 1.19.3
+    app: istio-ingressgateway
+    foo: bar
+spec:
+  type: LoadBalancer
+  selector:
+    app: istio-ingressgateway
+    foo: bar
+  ports:
+  - name: foo
+    port: 999
+    targetPort: 999
+  externalTrafficPolicy: Local