Remove Istio trust domain #9713
Conversation
github-actions
bot
added
the
keep pr updated
|
Issues linked to changelog: |
|
Visit the preview URL for this PR (updated for commit 0ff8863): https://gloo-edge--pr9713-npolshak-add-trust-d-bv7z2z6u.web.app (expires Wed, 17 Jul 2024 18:12:12 GMT) 🔥 via Firebase Hosting GitHub Action 🌎 Sign: 77c2b86e287749579b7ff9cadb81e099042ef677 |
test/kubernetes/e2e/tests/manifests/istio-custom-trust-domain-helm.yaml
Outdated
Show resolved
Hide resolved
| @@ -141,6 +141,10 @@ func (i *TestInstallation) InstallMinimalIstio(ctx context.Context) error { | |||
| return cluster.InstallMinimalIstio(ctx, i.IstioctlBinary, i.ClusterContext.KubeContext) | |||
| } | |||
|
|
|||
| func (i *TestInstallation) InstallRevisionedIstio(ctx context.Context) error { | |||
| return cluster.InstallRevisionedIstio(ctx, i.IstioctlBinary, i.ClusterContext.KubeContext, "1-22-1", "minimal") | |||
There was a problem hiding this comment.
what is the meaning of 1-22-1? is this an arbitrary string that a user can set?
There was a problem hiding this comment.
Yep- actually lemme make it configurable at the InstallRevisionedIstio() level!
| @@ -0,0 +1,7 @@ | |||
| changelog: | |||
There was a problem hiding this comment.
super-nit: the name of this file should be remove-istio-trust-domain.yaml
There was a problem hiding this comment.
Ah!! Not sure how to change this and make the bot happy- I think it's fine since it's not user facing? 😅
| @@ -29,7 +29,8 @@ func TestK8sGatewayIstioAutoMtls(t *testing.T) { | |||
| err := testInstallation.AddIstioctl(ctx) | |||
| if err != nil { | |||
| log.Printf("failed to install: %v\n", err) | |||
| t.Fail() | |||
| // immediately stop if Istio installation fails | |||
| t.Error() | |||
There was a problem hiding this comment.
according to the docs Error is equivalent to Log followed by Fail.
can the above log message be moved into the t.Error/Errorf?
(same question for all the other instances of t.Error)
There was a problem hiding this comment.
I think we can combine! This was because of the change from Fail() based on Nathan's suggestion
| @@ -0,0 +1,51 @@ | |||
| global: | |||
There was a problem hiding this comment.
nit: add -helm suffix to filename
| ) | ||
|
|
||
| // TestRevisionIstioRegression is the function which executes a series of tests against a given installation where | ||
| // the k8s Gateway controller is disabled and the deprecated Istio integration values are used to check for regressions |
There was a problem hiding this comment.
do we have somewhere tracking the removal of these tests once we stop supporting the deprecated values?
There was a problem hiding this comment.
The removal of which tests? The old Istio values? Those should probably be deleted in 1.18 once the values are removed from the helm chart completely.
These are net new revision tests that will be kept around for a while- I think this comment should be updated though?
| func RevisionIstioEdgeGatewaySuiteRunner() e2e.SuiteRunner { | ||
| revisionIstioSuiteRunner := e2e.NewSuiteRunner(false) | ||
|
|
||
| revisionIstioSuiteRunner.Register("IstioIntegration", istio.NewGlooTestingSuite) |
There was a problem hiding this comment.
i noticed that many other suite runners have registered the name "IstioIntegration" as well - just to confirm, is that ok as long as the name is unique within the suite runner?
There was a problem hiding this comment.
Yep, it's running the same feature tests, but with a different installation. So as long as the parent is differently named it should be fine. (And probably easier to tell which tests are which)
* add trust domain * changelog * tests * fix test name * add to workflow * Adding changelog file to new location * Deleting changelog file from old location * rebalance tests, fix helm * update workflow with numbers for loadbalancing between e2e test clusters * pr feedback * update gateway proxies to be disabled for k8s gateway e2e tests * cleanup istio install, remove old trust domain tests * fix merge * minimal ci change * fix test name * fix glooctl test helm chart * fix istio edge gw manifest * fix configmap template * Adding changelog file to new location * Deleting changelog file from old location * missing gatewayProxy * t.Error * Adding changelog file to new location * Deleting changelog file from old location --------- Co-authored-by: changelog-bot <changelog-bot> Co-authored-by: soloio-bulldozer[bot] <48420018+soloio-bulldozer[bot]@users.noreply.github.com>
* Remove Istio trust domain (#9713) * add trust domain * changelog * tests * fix test name * add to workflow * Adding changelog file to new location * Deleting changelog file from old location * rebalance tests, fix helm * update workflow with numbers for loadbalancing between e2e test clusters * pr feedback * update gateway proxies to be disabled for k8s gateway e2e tests * cleanup istio install, remove old trust domain tests * fix merge * minimal ci change * fix test name * fix glooctl test helm chart * fix istio edge gw manifest * fix configmap template * Adding changelog file to new location * Deleting changelog file from old location * missing gatewayProxy * t.Error * Adding changelog file to new location * Deleting changelog file from old location --------- Co-authored-by: changelog-bot <changelog-bot> Co-authored-by: soloio-bulldozer[bot] <48420018+soloio-bulldozer[bot]@users.noreply.github.com> * move changelog --------- Co-authored-by: soloio-bulldozer[bot] <48420018+soloio-bulldozer[bot]@users.noreply.github.com> Co-authored-by: Jacob Bohanon <jacob.bohanon@solo.io>
Description
Fill out any of the following sections that are relevant and remove the others
API changes
None
Code changes
CI changes
Adds new Istio integration test e2e scenarios:
These tests were added to cluster-two since that cluster has a total runtime of 16m: https://github.com/solo-io/gloo/actions/runs/9787855207/job/27025026149
Docs changes
None
Context
We don't currently have a way to change the trust domain in the Edge Gateway or Gloo k8s Gateway.
This is not an issue because the istio-proxy is not running Envoy (the env
DISABLE_ENVOY=trueis set), only the agent for the CSR request. Leaving the--trust-domainflag can cause confusion since it's not configurable and does not need to be set for the agent to do the CSR.See slack discussion: https://solo-io-corp.slack.com/archives/C07077NS0NP/p1719594402696959
Interesting decisions
None
Testing steps
Manually verification:
--trust-domaindoes not break Istio integrationNotes for reviewers
None
Checklist:
BOT NOTES:
resolves https://github.com/solo-io/solo-projects/issues/6472