openshift-knative · ReToCode · Jun 19, 2023 · Jun 28, 2023 · Jun 28, 2023 · Jun 28, 2023
diff --git a/Makefile b/Makefile
@@ -25,6 +25,7 @@ install-serving:
 	INSTALL_EVENTING="false" ./hack/install.sh
 
 install-serving-with-mesh:
+	FULL_MESH="true" UNINSTALL_MESH="false" ./hack/mesh.sh
 	FULL_MESH=true SCALE_UP=4 INSTALL_SERVING=true INSTALL_EVENTING="false" ./hack/install.sh
 
 install-eventing:
@@ -127,8 +128,9 @@ test-e2e-with-mesh-testonly:
 test-e2e-with-mesh:
 	FULL_MESH="true" UNINSTALL_MESH="false" ./hack/mesh.sh
 	./hack/tracing.sh
-	FULL_MESH=true ENABLE_TRACING=true ./hack/install.sh
-	FULL_MESH=true ./test/e2e-tests.sh
+	UNINSTALL_STRIMZI="false" ./hack/strimzi.sh
+	FULL_MESH=true SCALE_UP=4 INSTALL_KAFKA="true" ENABLE_TRACING=true ./hack/install.sh
+	FULL_MESH=true TEST_KNATIVE_KAFKA=true ./test/e2e-tests.sh
 
 # Run both unit and E2E tests from the current repo.
 test-operator: test-unit test-e2e

diff --git a/hack/generate/csv.sh b/hack/generate/csv.sh
@@ -76,7 +76,7 @@ function default_knative_ingress_images() {
   export KNATIVE_KOURIER_GATEWAY=${KNATIVE_KOURIER_GATEWAY:-"quay.io/maistra-dev/proxyv2-ubi8:$(metadata.get dependencies.maistra)"}
 
   knative_istio="$(metadata.get dependencies.net_istio)"
-  export KNATIVE_ISTIO_CONTROLLER=${KNATIVE_ISTIO_CONTROLLER:-"${registry}/net-istio-controller:${knative_istio}"}
+  export KNATIVE_ISTIO_CONTROLLER="quay.io/rlehmann/main.go:latest"
   export KNATIVE_ISTIO_WEBHOOK=${KNATIVE_ISTIO_WEBHOOK:-"${registry}/net-istio-webhook:${knative_istio}"}
 }
 

diff --git a/hack/lib/mesh.bash b/hack/lib/mesh.bash
@@ -118,8 +118,24 @@ function deploy_gateways {
   oc apply -f "${resources_dir}"/smmr.yaml || return $?
   oc apply -f "${resources_dir}"/gateway.yaml || return $?
   oc apply -f "${resources_dir}"/peerauthentication.yaml || return $?
+  oc apply -f "${resources_dir}"/authorization-policies/setup || return $?
+  oc apply -f "${resources_dir}"/authorization-policies || return $?
+  oc apply -f "${resources_dir}"/destination-rules || return $?
+
+#  cat <<-EOF | oc apply -f -
+#apiVersion: security.istio.io/v1beta1
+#kind: AuthorizationPolicy
+#metadata:
+#  name: allow-traffic-to-cluster-domain
+#  namespace: istio-system
+#spec:
+#  action: ALLOW
+#  rules:
+#    - to:
+#        - operation:
+#            hosts: [ "*.${subdomain}" ]
+#EOF
 
-  oc create ns "${EVENTING_NAMESPACE}" --dry-run=client -oyaml | kubectl apply -f -
   oc apply -n "${EVENTING_NAMESPACE}" -f "${resources_dir}"/kafka-service-entry.yaml || return $?
   for ns in serverless-tests eventing-e2e0 eventing-e2e1 eventing-e2e2 eventing-e2e3 eventing-e2e4; do
     oc apply -n "$ns" -f "${resources_dir}"/kafka-service-entry.yaml || return $?
@@ -128,6 +144,13 @@ function deploy_gateways {
 }
 
 function undeploy_gateways {
+  oc delete -n serverless-tests -f "${resources_dir}"/network-policy-monitoring.yaml --ignore-not-found || return $?
+  for ns in serverless-tests eventing-e2e0 eventing-e2e1 eventing-e2e2 eventing-e2e3 eventing-e2e4; do
+    oc delete -n "$ns" -f "${resources_dir}"/kafka-service-entry.yaml --ignore-not-found || return $?
+  done
+  oc delete authorizationpolicy allow-traffic-to-cluster-domain -n istio-system --ignore-not-found || return $?
+  oc delete -f "${resources_dir}"/authorization-policies --ignore-not-found || return $?
+  oc delete -f "${resources_dir}"/authorization-policies/setup --ignore-not-found || return $?
   oc delete -f "${resources_dir}"/peerauthentication.yaml --ignore-not-found || return $?
   oc delete -f "${resources_dir}"/gateway.yaml --ignore-not-found || return $?
   oc delete -f "${resources_dir}"/smmr.yaml --ignore-not-found || return $?

diff --git a/hack/lib/mesh_resources/authorization-policies/allow-serving-tests-to-activator.yaml b/hack/lib/mesh_resources/authorization-policies/allow-serving-tests-to-activator.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-serving-tests-to-activator
+  namespace: knative-serving
+spec:
+  selector:
+    matchLabels:
+      app: activator
+  action: ALLOW
+  rules:
+    - from:
+        - source:
+            namespaces: [ "serving-tests" ]
+      to:
+        - operation:
+            hosts: [ "*.serving-tests.svc.cluster.local", "*.serving-tests", "*.serving-tests.svc" ]
diff --git a/hack/lib/mesh_resources/authorization-policies/allow-tenant-x-to-activator.yaml b/hack/lib/mesh_resources/authorization-policies/allow-tenant-x-to-activator.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-tenant-1-to-activator
+  namespace: knative-serving
+spec:
+  selector:
+    matchLabels:
+      app: activator
+  action: ALLOW
+  rules:
+    - from:
+        - source:
+            namespaces: [ "tenant-1" ]
+      to:
+        - operation:
+            hosts: [ "*.tenant-1.svc.cluster.local" ]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-tenant-2-to-activator
+  namespace: knative-serving
+spec:
+  selector:
+    matchLabels:
+      app: activator
+  action: ALLOW
+  rules:
+    - from:
+        - source:
+            namespaces: [ "tenant-2" ]
+      to:
+        - operation:
+            hosts: [ "*.tenant-2.svc.cluster.local" ]
diff --git a/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-serving-tests.yaml b/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-serving-tests.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-traffic-to-serving-tests
+  namespace: serving-tests
+spec:
+  action: ALLOW
+  rules:
+    - from:
+        - source:
+            namespaces: ["serving-tests", "knative-serving", "istio-system"]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-traffic-to-drain-port
+  namespace: serving-tests
+spec:
+  action: ALLOW
+  rules:
+  - to:
+      - operation:
+          ports: [ "8022" ]
+---
diff --git a/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-tenant-x.yaml b/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-tenant-x.yaml
@@ -0,0 +1,49 @@
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-traffic-to-tenant-1
+  namespace: tenant-1
+spec:
+  action: ALLOW
+  rules:
+    - from:
+        - source:
+            namespaces: ["tenant-1", "knative-serving", "istio-system"]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-traffic-to-tenant-2
+  namespace: tenant-2
+spec:
+  action: ALLOW
+  rules:
+    - from:
+        - source:
+            namespaces: ["tenant-2", "knative-serving", "istio-system"]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-traffic-to-drain-port
+  namespace: tenant-1
+spec:
+  action: ALLOW
+  rules:
+    - to:
+        - operation:
+            ports: [ "8022" ]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-traffic-to-drain-port
+  namespace: tenant-2
+spec:
+  action: ALLOW
+  rules:
+    - to:
+        - operation:
+            ports: [ "8022" ]
+---