add probe path for whitelisting

pkg/activator/net/revision_backends.go

@@ -63,6 +63,7 @@ type revisionDestsUpdate struct {
 const (
 	probeTimeout   time.Duration = 300 * time.Millisecond
 	probeFrequency time.Duration = 200 * time.Millisecond
+	probePath                    = "/_internal/knative/activator/probe"
 )
 
 // revisionWatcher watches the podIPs and ClusterIP of the service for a revision. It implements the logic
@@ -135,6 +136,7 @@ func (rw *revisionWatcher) probe(ctx context.Context, dest string) (bool, error)
 	httpDest := url.URL{
 		Scheme: "http",
 		Host:   dest,
+		Path:   probePath,
 	}
 	// NOTE: changes below may require changes to testing/roundtripper.go to make unit tests passing.
 	return prober.Do(ctx, rw.transport, httpDest.String(),

test/config/100-namespace.yaml

@@ -21,3 +21,10 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: serving-tests-alt
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: serving-tests-sidecar-enabled
+  labels:
+    istio-injection: enabled  

test/config/auth/policy.yaml

@@ -0,0 +1,16 @@
+apiVersion: authentication.istio.io/v1alpha1
+kind: Policy
+metadata:
+  name: default
+  namespace: serving-tests-sidecar-enabled
+spec:
+  origins:
+  - jwt:
+      issuer: testing@secure.istio.io
+      jwksUri: https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json
+      triggerRules:
+      - excludedPaths:
+        - prefix: /metrics
+        - prefix: /_internal/knative/activator/probe
+  principalBinding: USE_ORIGIN
+

test/conformance.go

@@ -44,6 +44,7 @@ const (
 	PizzaPlanetText1 = "What a spaceport!"
 	PizzaPlanetText2 = "Re-energize yourself with a slice of pepperoni!"
 	HelloWorldText   = "Hello World! How about some tasty noodles?"
+	UnauthorizedText = "Origin authentication failed."
 
 	ConcurrentRequests = 50
 	// We expect to see 100% of requests succeed for traffic sent directly to revisions.

test/e2e/e2e.go

@@ -50,6 +50,11 @@ func SetupAlternativeNamespace(t *testing.T) *test.Clients {
 	return SetupWithNamespace(t, test.AlternativeServingNamespace)
 }
 
+//set up sidecar enabled ns
+func SetupSideCarEnabledNamespace(t *testing.T) *test.Clients {
+	return SetupWithNamespace(t, test.SideCarServingNamespace)
+}
+
 // SetupWithNamespace creates the client objects needed in the e2e tests under the specified namespace.
 func SetupWithNamespace(t *testing.T, namespace string) *test.Clients {
 	pkgTest.SetupLoggingFlags()

test/e2e/probe_whitelist_test.go

@@ -0,0 +1,84 @@
+// +build e2e
+
+/*
+Copyright 2018 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package e2e
+
+import (
+	"testing"
+
+	pkgTest "knative.dev/pkg/test"
+	"knative.dev/pkg/test/logstream"
+	"knative.dev/serving/test"
+	v1a1test "knative.dev/serving/test/v1alpha1"
+)
+
+//This test checks if the activator can probe
+//the service when istio end user auth policy is
+//applied on the service.
+//This test needs istio side car injected and
+//istio policy check enabled. If both are not
+//enabled the test will pass
+//policy is present test/config/auth/policy.yaml
+//apply policy before running this test
+func TestProbeWhitelist(t *testing.T) {
+	t.Parallel()
+	cancel := logstream.Start(t)
+	defer cancel()
+
+	clients := SetupSideCarEnabledNamespace(t)
+
+	names := test.ResourceNames{
+		Service: test.ObjectNameForTest(t),
+		Image:   "helloworld",
+	}
+
+	test.CleanupOnInterrupt(func() { test.TearDown(clients, names) })
+	defer test.TearDown(clients, names)
+
+	t.Log("Creating a new Service")
+	resources, httpsTransportOption, err := v1a1test.CreateRunLatestServiceReady(t, clients, &names, test.ServingFlags.Https)
+	if err != nil {
+		t.Fatalf("Failed to create initial Service: %v: %v", names.Service, err)
+	}
+
+	url := resources.Route.Status.URL.URL()
+	var opt interface{}
+	if test.ServingFlags.Https {
+		url.Scheme = "https"
+		if httpsTransportOption == nil {
+			t.Fatalf("Https transport option is nil")
+		}
+		opt = *httpsTransportOption
+	}
+	if _, err := pkgTest.WaitForEndpointState(
+		clients.KubeClient,
+		t.Logf,
+		url,
+		v1a1test.RetryingRouteInconsistency(pkgTest.MatchesAllOf(pkgTest.MatchesBody(test.UnauthorizedText))),
+		"HelloWorldServesAuthFailed",
+		test.ServingFlags.ResolvableDomain,
+		opt); err != nil {
+		// check if side car is injected before reporting error
+		_, err = getContainer(clients.KubeClient, resources.Service.Name, "istio-proxy", resources.Service.Namespace)
+		if err != nil {
+			t.Log("side car not enabled, skipping test")
+			return
+		}
+		t.Fatalf("The endpoint %s for Route %s didn't serve the expected text %q: %v", url, names.Route, test.UnauthorizedText, err)
+	}
+}

test/e2e_flags.go

@@ -33,6 +33,8 @@ const (
 	// namespace tests in.
 	AlternativeServingNamespace = "serving-tests-alt"
 
+	// side car injected ns
+	SideCarServingNamespace = "serving-tests-sidecar-enabled"
 	// Environment propagation conformance test objects
 
 	// ConformanceConfigMap is the name of the configmap to propagate env variables from