Add tests for multitenancy with Service Mesh

[ReToCode]

Fixes

• https://issues.redhat.com/browse/SRVCOM-2522
• https://issues.redhat.com/browse/SRVCOM-2356
• https://issues.redhat.com/browse/SRVKS-1099

Incorporates changes from #2126

Changes

From Martins PR:

• Rewrite tests from https://github.com/ReToCode/knative-multitenancy in Golang. They're under test/servinge2e/servicemesh/
• Remove TestKnativeVersusKubeServicesInOneNamespace as it's redundant. Having Knative and k8s service in one namespace is tested with all Eventing tests which now include KSVC in the test scenarios.
• Add authorization policies so that Eventing and Eventing Kafka Broker tests pass. But this PR doesn't include any tests for verifying cross-tenant traffic for Eventing. They depend on Send namespace header in MT components knative/eventing#7048 to be merged and backported.
• Split the test webhook under serving/metadata-webhook into cluster-resources and namespaced-resources. The second one needs to be applied with -n <namespace>. This is to reduce duplication of code because the webhook is now used in two namespaces: serving-tests, serverless-tests.

Additional Changes

• Automatically generate AuthorizationPolicies from helm chart
• Use a specific label for the Knative Gateways to omit issues with conflicting gateways (SRVCOM-2356)
• Set knative-local-gateway to tls.mode: ISTIO_MUTUAL to make DomainMapping work
• Set security.dataPlane.mtls: true in SMCP to automatically force the whole mesh to mTLS
• Drop TERMINATION_DRAIN_DURATION_SECONDS from metadata-webhook, as this no longer works
• Add terminationDrainDuration: 35s to SMCP to make envoy wait longer with termination
• Exclude port 8022 from istio-proxy to fix an issue with PreStopHook not working
• Increase rekt test timeout to 4 minutes
• Reduce parallelism of mesh tests to 8 because istio-proxies are to slow otherwise

/hold

[ReToCode]

/test 4.13-upstream-e2e-mesh-aws-ocp-413

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ReToCode

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [ReToCode]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ReToCode]

/test 4.13-upstream-e2e-mesh-aws-ocp-413

[ReToCode]

/test 4.13-upstream-e2e-mesh-aws-ocp-413

[ReToCode]

/test 4.13-upstream-e2e-mesh-aws-ocp-413

[ReToCode]

/test 4.13-upstream-e2e-mesh-aws-ocp-413

[ReToCode]

/retest

[ReToCode]

/test 4.13-upstream-e2e-mesh-aws-ocp-413

[ReToCode]

/test 4.13-upstream-e2e-mesh-aws-ocp-413

[ReToCode]

Again, just eventing errors.

/test 4.13-upstream-e2e-mesh-aws-ocp-413

[ReToCode]

/test ?

[openshift-ci]

@ReToCode: The following commands are available to trigger required jobs:

• /test 4.10-images
• /test 4.10-operator-e2e-aws-ocp-410
• /test 4.10-ui-tests
• /test 4.13-aws-ovn-images
• /test 4.13-azure-images
• /test 4.13-gcp-images
• /test 4.13-hypershift-images
• /test 4.13-images
• /test 4.13-operator-e2e-aws-ocp-413
• /test 4.13-osd-images
• /test 4.13-single-node-images
• /test 4.13-ui-tests
• /test 4.13-vsphere-images
• /test ocp4.14-lp-interop-images
• /test unit-test

The following commands are available to trigger optional jobs:

• /test 4.10-e2e-kitchensink-ocp-410
• /test 4.10-upgrade-kitchensink-ocp-410
• /test 4.10-upgrade-tests-aws-ocp-410
• /test 4.10-upstream-e2e-aws-ocp-410
• /test 4.10-upstream-e2e-kafka-aws-ocp-410
• /test 4.10-upstream-e2e-mesh-aws-ocp-410
• /test 4.13-e2e-kitchensink-ocp-413
• /test 4.13-upgrade-kitchensink-ocp-413
• /test 4.13-upgrade-tests-aws-ocp-413
• /test 4.13-upstream-e2e-aws-ocp-413
• /test 4.13-upstream-e2e-kafka-aws-ocp-413
• /test 4.13-upstream-e2e-mesh-aws-ocp-413

Use /test all to run the following jobs that were automatically triggered:

• pull-ci-openshift-knative-serverless-operator-main-4.10-images
• pull-ci-openshift-knative-serverless-operator-main-4.13-aws-ovn-images
• pull-ci-openshift-knative-serverless-operator-main-4.13-azure-images
• pull-ci-openshift-knative-serverless-operator-main-4.13-gcp-images
• pull-ci-openshift-knative-serverless-operator-main-4.13-hypershift-images
• pull-ci-openshift-knative-serverless-operator-main-4.13-images
• pull-ci-openshift-knative-serverless-operator-main-4.13-operator-e2e-aws-ocp-413
• pull-ci-openshift-knative-serverless-operator-main-4.13-osd-images
• pull-ci-openshift-knative-serverless-operator-main-4.13-single-node-images
• pull-ci-openshift-knative-serverless-operator-main-4.13-upgrade-tests-aws-ocp-413
• pull-ci-openshift-knative-serverless-operator-main-4.13-upstream-e2e-aws-ocp-413
• pull-ci-openshift-knative-serverless-operator-main-4.13-upstream-e2e-kafka-aws-ocp-413
• pull-ci-openshift-knative-serverless-operator-main-4.13-vsphere-images
• pull-ci-openshift-knative-serverless-operator-main-ocp4.14-lp-interop-images
• pull-ci-openshift-knative-serverless-operator-main-unit-test

Details

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ReToCode]

/test 4.10-operator-e2e-aws-ocp-410

[ReToCode]

Again, just eventing errors.

/test 4.13-upstream-e2e-mesh-aws-ocp-413

[ReToCode]

/test 4.13-upstream-e2e-mesh-aws-ocp-413

[ReToCode]

/test 4.13-upstream-e2e-mesh-aws-ocp-413

[ReToCode]

/retest

[ReToCode]

/test 4.13-upstream-e2e-mesh-aws-ocp-413

[ReToCode]

/retest

[ReToCode]

/test 4.13-upstream-e2e-mesh-aws-ocp-413

[ReToCode]

/test 4.13-upstream-e2e-mesh-aws-ocp-413

[pierDipi]

The ideal would be that we generate those as part of make generated-files so that we pick up changes automatically as we do them on the chart (and we can test them here before releasing them)

[ReToCode]

Makes sense. I'll add this as we will now have a aligned version of the chart 👍

[ReToCode]

/test 4.13-upstream-e2e-mesh-aws-ocp-413

[ReToCode]

/test 4.13-upstream-e2e-mesh-aws-ocp-413

[openshift-ci]

@ReToCode: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.12-aws-ovn-images	9708629	link	true	/test 4.12-aws-ovn-images
ci/prow/4.12-azure-images	9708629	link	true	/test 4.12-azure-images
ci/prow/4.12-gcp-images	9708629	link	true	/test 4.12-gcp-images
ci/prow/4.12-hypershift-images	9708629	link	true	/test 4.12-hypershift-images
ci/prow/4.12-osd-images	9708629	link	true	/test 4.12-osd-images
ci/prow/4.12-single-node-images	9708629	link	true	/test 4.12-single-node-images
ci/prow/4.12-vsphere-images	9708629	link	true	/test 4.12-vsphere-images
ci/prow/4.10-upgrade-kitchensink-ocp-410	f6e1273	link	false	/test 4.10-upgrade-kitchensink-ocp-410
ci/prow/4.13-upgrade-kitchensink-ocp-413	f6e1273	link	false	/test 4.13-upgrade-kitchensink-ocp-413
ci/prow/4.10-upstream-e2e-mesh-aws-ocp-410	f6e1273	link	false	/test 4.10-upstream-e2e-mesh-aws-ocp-410
ci/prow/4.13-upstream-e2e-mesh-aws-ocp-413	bf83511	link	false	/test 4.13-upstream-e2e-mesh-aws-ocp-413

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[ReToCode]

We are doing that partial PRs now.