Add CI/testing to examples

.azure-pipelines/pipelines.yml

@@ -158,6 +158,24 @@ jobs:
           artifactName: docker
         condition: always()
 
+  - job: examples
+    dependsOn: ["docker"]
+    displayName: "Verify examples run as documented"
+    pool:
+      vmImage: "ubuntu-18.04"
+    steps:
+      - task: DownloadBuildArtifacts@0
+        inputs:
+          buildType: current
+          artifactName: "docker"
+          itemPattern: "docker/envoy-docker-images.tar.xz"
+          downloadType: single
+          targetPath: $(Build.StagingDirectory)
+      - bash: ./ci/do_ci.sh verify_examples
+        env:
+          ENVOY_DOCKER_BUILD_DIR: $(Build.StagingDirectory)
+          NO_BUILD_SETUP: 1
+
   - job: macOS
     dependsOn: ["format"]
     timeoutInMinutes: 360

ci/do_ci.sh

@@ -12,8 +12,11 @@ if [[ "$1" == "fix_format" || "$1" == "check_format" || "$1" == "check_repositor
 fi
 
 SRCDIR="${PWD}"
-. "$(dirname "$0")"/setup_cache.sh
-. "$(dirname "$0")"/build_setup.sh $build_setup_args
+NO_BUILD_SETUP="${NO_BUILD_SETUP:-}"
+if [[ -z "$NO_BUILD_SETUP" ]]; then
+    . "$(dirname "$0")"/setup_cache.sh
+    . "$(dirname "$0")"/build_setup.sh $build_setup_args
+fi
 cd "${SRCDIR}"
 
 if [[ "${ENVOY_BUILD_ARCH}" == "x86_64" ]]; then
@@ -365,6 +368,23 @@ elif [[ "$CI_TARGET" == "docs" ]]; then
   echo "generating docs..."
   docs/build.sh
   exit 0
+elif [[ "$CI_TARGET" == "verify_examples" ]]; then
+  echo "verify examples..."
+  docker load < "$ENVOY_DOCKER_BUILD_DIR/docker/envoy-docker-images.tar.xz"
+  images=($(docker image list --format "{{.Repository}}"))
+  tags=($(docker image list --format "{{.Tag}}"))
+  for i in "${!images[@]}"; do
+      if [[ "${images[i]}" =~ "envoy" ]]; then
+          docker tag "${images[$i]}:${tags[$i]}" "${images[$i]}:latest"
+      fi
+  done
+  docker images
+  sudo apt-get update -y
+  sudo apt-get install -y -qq --no-install-recommends redis-tools
+  export DOCKER_NO_PULL=1
+  umask 027
+  ci/verify_examples.sh
+  exit 0
 else
   echo "Invalid do_ci.sh target, see ci/README.md for valid targets."
   exit 1

ci/verify_examples.sh

@@ -1,43 +1,67 @@
-#!/bin/bash
+#!/bin/bash -E
 
-set -e
+TESTFILTER="${1:-*}"
+FAILED=()
+SRCDIR="${SRCDIR:-$(pwd)}"
+EXCLUDED_BUILD_CONFIGS=${EXCLUDED_BUILD_CONFIGS:-"^./jaeger-native-tracing|docker-compose"}
 
-verify() {
-  echo $1
-  CONTAINER_ID="$(docker ps -aqf name=$1)"
-  if [ "false" == "$(docker inspect -f {{.State.Running}} ${CONTAINER_ID})" ]
-  then
-    echo "error: $1 not running"
-    exit 1
-  fi
+
+trap_errors () {
+    local frame=0 command line sub file
+    if [[ -n "$example" ]]; then
+        command=" (${example})"
+    fi
+    set +v
+    while read -r line sub file < <(caller "$frame"); do
+        if [[ "$frame" -ne "0" ]]; then
+            FAILED+=("  > ${sub}@ ${file} :${line}")
+        else
+            FAILED+=("${sub}@ ${file} :${line}${command}")
+        fi
+        ((frame++))
+    done
+    set -v
+}
+
+trap trap_errors ERR
+trap exit 1 INT
+
+
+run_examples () {
+    local examples example
+    cd "${SRCDIR}/examples" || exit 1
+    examples=$(find . -mindepth 1 -maxdepth 1 -type d -name "$TESTFILTER" | sort)
+    for example in $examples; do
+        pushd "$example" > /dev/null || return 1
+        ./verify.sh
+        popd > /dev/null || return 1
+    done
 }
 
-# Test front proxy example
-cd examples/front-proxy
-docker-compose up --build -d
-for CONTAINER_NAME in "frontproxy_front-envoy" "frontproxy_service1" "frontproxy_service2"
-do
-  verify $CONTAINER_NAME
-done
-cd ../
-
-# Test grpc bridge example
-# install go
-GO_VERSION="1.14.7"
-curl -O https://storage.googleapis.com/golang/go$GO_VERSION.linux-amd64.tar.gz
-tar -xf go$GO_VERSION.linux-amd64.tar.gz
-sudo mv go /usr/local
-export PATH=$PATH:/usr/local/go/bin
-export GOPATH=$HOME/go
-mkdir -p $GOPATH/src/github.com/envoyproxy/envoy/examples/
-cp -r grpc-bridge $GOPATH/src/github.com/envoyproxy/envoy/examples/
-# build example
-cd $GOPATH/src/github.com/envoyproxy/envoy/examples/grpc-bridge
-./script/bootstrap
-./script/build
-# verify example works
-docker-compose up --build -d
-for CONTAINER_NAME in "grpcbridge_python" "grpcbridge_grpc"
-do
-  verify $CONTAINER_NAME
-done
+verify_build_configs () {
+    local config configs missing
+    missing=()
+    cd "${SRCDIR}/examples" || return 1
+    configs="$(find . -name "*.yaml" -o -name "*.lua" | grep -vE "${EXCLUDED_BUILD_CONFIGS}" | cut  -d/ -f2-)"
+    for config in $configs; do
+        grep "\"$config\"" BUILD || missing+=("$config")
+    done
+    if [[ -n "${missing[*]}" ]]; then
+       for config in "${missing[@]}"; do
+           echo "Missing config: $config" >&2
+       done
+       return 1
+    fi
+}
+
+verify_build_configs
+run_examples
+
+
+if [[ "${#FAILED[@]}" -ne "0" ]]; then
+    echo "TESTS FAILED:"
+    for failed in "${FAILED[@]}"; do
+        echo "$failed" >&2
+    done
+    exit 1
+fi

examples/cors/verify.sh

@@ -0,0 +1,47 @@
+#!/bin/bash -e
+
+export NAME=cors
+export PATHS=frontend,backend
+
+# shellcheck source=examples/verify-common.sh
+. "$(dirname "${BASH_SOURCE[0]}")/../verify-common.sh"
+
+
+run_log "Test service"
+responds_with \
+    "Envoy CORS Webpage" \
+    http://localhost:8000
+
+run_log "Test cors server: disabled"
+responds_with \
+    Success \
+    -H "Origin: http://example.com" \
+    http://localhost:8002/cors/disabled
+responds_without_header \
+    access-control-allow-origin \
+    -H "Origin: http://example.com" \
+    http://localhost:8002/cors/disabled
+
+run_log "Test cors server: open"
+responds_with \
+    Success \
+    -H 'Origin: http://example.com' \
+    http://localhost:8002/cors/open
+responds_with_header \
+    "access-control-allow-origin: http://example.com" \
+    -H "Origin: http://example.com" \
+    http://localhost:8002/cors/open
+
+run_log "Test cors server: restricted"
+responds_with \
+    Success \
+    -H "Origin: http://example.com" \
+    http://localhost:8002/cors/restricted
+responds_without_header \
+    access-control-allow-origin \
+    -H "Origin: http://example.com" \
+    http://localhost:8002/cors/restricted
+responds_with_header \
+    "access-control-allow-origin: http://foo.envoyproxy.io" \
+    -H "Origin: http://foo.envoyproxy.io" \
+    http://localhost:8002/cors/restricted

examples/csrf/verify.sh

@@ -0,0 +1,69 @@
+#!/bin/bash -e
+
+export NAME=csrf
+export PATHS=samesite,crosssite
+
+# shellcheck source=examples/verify-common.sh
+. "$(dirname "${BASH_SOURCE[0]}")/../verify-common.sh"
+
+
+run_log "Test services"
+responds_with \
+    "Envoy CSRF Demo" \
+    http://localhost:8002
+responds_with \
+    "Envoy CSRF Demo" \
+    http://localhost:8000
+
+run_log "Test stats server"
+responds_with \
+    ":" \
+    http://localhost:8001/stats
+
+run_log "Test csrf server: disabled"
+responds_with \
+    Success \
+    -X POST \
+    -H "Origin: http://example.com" \
+    http://localhost:8000/csrf/disabled
+responds_with_header \
+    "access-control-allow-origin: http://example.com" \
+    -X POST \
+    -H "Origin: http://example.com" \
+    http://localhost:8000/csrf/disabled
+
+run_log "Test csrf server: shadow"
+responds_with \
+    Success \
+    -X POST \
+    -H "Origin: http://example.com" \
+    http://localhost:8000/csrf/shadow
+responds_with_header \
+    "access-control-allow-origin: http://example.com" \
+    -X POST \
+    -H "Origin: http://example.com" \
+    http://localhost:8000/csrf/shadow
+
+run_log "Test csrf server: enabled"
+responds_with \
+    "Invalid origin" \
+    -X POST \
+    -H "Origin: http://example.com" \
+    http://localhost:8000/csrf/enabled
+responds_with_header \
+    "HTTP/1.1 403 Forbidden" \
+    -X POST \
+    -H "Origin: http://example.com" \
+    http://localhost:8000/csrf/enabled
+
+run_log "Test csrf server: additional_origin"
+responds_with \
+    Success \
+    -X POST \
+    -H "Origin: http://example.com" \
+    http://localhost:8000/csrf/additional_origin
+responds_with_header \
+    "access-control-allow-origin: http://example.com" \
+    -X POST \
+    -H "Origin: http://example.com" \
+    http://localhost:8000/csrf/additional_origin

examples/ext_authz/verify.sh

@@ -0,0 +1,47 @@
+#!/bin/bash -e
+
+export NAME=ext_authz
+
+# shellcheck source=examples/verify-common.sh
+. "$(dirname "${BASH_SOURCE[0]}")/../verify-common.sh"
+
+
+run_log "Test services responds with 403"
+responds_with_header \
+    "HTTP/1.1 403 Forbidden"\
+    http://localhost:8000/service
+
+run_log "Restart front-envoy with FRONT_ENVOY_YAML=config/http-service.yaml"
+docker-compose down
+FRONT_ENVOY_YAML=config/http-service.yaml docker-compose up -d
+sleep 10
+
+run_log "Test service responds with 403"
+responds_with_header \
+    "HTTP/1.1 403 Forbidden"\
+    http://localhost:8000/service
+
+run_log "Test authenticated service responds with 200"
+responds_with_header \
+    "HTTP/1.1 200 OK" \
+    -H "Authorization: Bearer token1" \
+    http://localhost:8000/service
+
+run_log "Restart front-envoy with FRONT_ENVOY_YAML=config/opa-service/v2.yaml"
+docker-compose down
+FRONT_ENVOY_YAML=config/opa-service/v2.yaml docker-compose up -d
+sleep 10
+
+run_log "Test OPA service responds with 200"
+responds_with_header \
+    "HTTP/1.1 200 OK" \
+    http://localhost:8000/service
+
+run_log "Check OPA logs"
+docker-compose logs ext_authz-opa-service | grep decision_id -A 30
+
+run_log "Check OPA service rejects POST"
+responds_with_header \
+    "HTTP/1.1 403 Forbidden" \
+    -X POST \
+    http://localhost:8000/service

examples/fault-injection/verify.sh

@@ -0,0 +1,59 @@
+#!/bin/bash -e
+
+export NAME=fault-injection
+
+# shellcheck source=examples/verify-common.sh
+. "$(dirname "${BASH_SOURCE[0]}")/../verify-common.sh"
+
+
+run_log "Send requests for 20 seconds"
+docker-compose exec -T envoy bash -c \
+               "bash send_request.sh & export pid=\$! && sleep 20 && kill \$pid" \
+    &> /dev/null
+
+run_log "Check logs"
+docker-compose logs | grep "HTTP/1.1\" 200"
+
+
+_fault_injection_test () {
+    local action code existing_200s existing_codes
+    action="$1"
+    code="$2"
+    existing_codes=0
+
+    # enable fault injection and check for http hits of type $code
+    existing_codes=$(docker-compose logs | grep -c "HTTP/1.1\" ${code}" || :)
+    run_log "Enable ${action} fault injection"
+    docker-compose exec -T envoy bash "enable_${action}_fault_injection.sh"
+    run_log "Send requests for 20 seconds"
+    docker-compose exec -T envoy bash -c \
+                   "bash send_request.sh & export pid=\$! && sleep 20 && kill \$pid" \
+        &> /dev/null
+    run_log "Check logs again"
+    new_codes=$(docker-compose logs | grep -c "HTTP/1.1\" ${code}")
+    if [[ "$new_codes" -le "$existing_codes" ]]; then
+        echo "ERROR: expected to find new logs with response code $code" >&2
+        return 1
+    fi
+
+    # disable fault injection and check for http hits of type 200
+    existing_200s=$(docker-compose logs | grep -c "HTTP/1.1\" 200")
+    run_log "Disable ${action} fault injection"
+    docker-compose exec -T envoy bash "disable_${action}_fault_injection.sh"
+    run_log "Send requests for 20 seconds"
+    docker-compose exec -T envoy bash -c \
+                   "bash send_request.sh & export pid=\$! && sleep 20 && kill \$pid" \
+        &> /dev/null
+    run_log "Check logs again"
+    new_200s=$(docker-compose logs | grep -c "HTTP/1.1\" 200")
+    if [[ "$new_200s" -le "$existing_200s" ]]; then
+        echo "ERROR: expected to find new logs with response code 200" >&2
+        return 1
+    fi
+}
+
+_fault_injection_test abort 503
+_fault_injection_test delay 200
+
+run_log "Check tree"
+docker-compose exec -T envoy tree /srv/runtime