[WIP] [DNM] Tests for multitenancy with Service Mesh

Makefile

@@ -25,6 +25,7 @@ install-serving:
 	INSTALL_EVENTING="false" ./hack/install.sh
 
 install-serving-with-mesh:
+	FULL_MESH="true" UNINSTALL_MESH="false" ./hack/mesh.sh
 	FULL_MESH=true SCALE_UP=4 INSTALL_SERVING=true INSTALL_EVENTING="false" ./hack/install.sh
 
 install-eventing:
@@ -122,13 +123,14 @@ test-e2e-with-kafka:
 
 # Run E2E tests from the current repo for serving+eventing+mesh
 test-e2e-with-mesh-testonly:
-	FULL_MESH=true ./test/e2e-tests.sh
+	FULL_MESH=true TEST_KNATIVE_KAFKA=true ./test/e2e-tests.sh
 
 test-e2e-with-mesh:
 	FULL_MESH="true" UNINSTALL_MESH="false" ./hack/mesh.sh
 	./hack/tracing.sh
-	FULL_MESH=true ENABLE_TRACING=true ./hack/install.sh
-	FULL_MESH=true ./test/e2e-tests.sh
+	UNINSTALL_STRIMZI="false" ./hack/strimzi.sh
+	FULL_MESH=true SCALE_UP=4 INSTALL_KAFKA="true" ENABLE_TRACING=true ./hack/install.sh
+	FULL_MESH=true TEST_KNATIVE_KAFKA=true ./test/e2e-tests.sh
 
 # Run both unit and E2E tests from the current repo.
 test-operator: test-unit test-e2e

hack/lib/mesh.bash

@@ -117,9 +117,9 @@ function deploy_gateways {
   oc apply -f "${resources_dir}"/namespace.yaml || return $?
   oc apply -f "${resources_dir}"/smmr.yaml || return $?
   oc apply -f "${resources_dir}"/gateway.yaml || return $?
-  oc apply -f "${resources_dir}"/peerauthentication.yaml || return $?
+  oc apply -f "${resources_dir}"/authorization-policies/setup || return $?
+  oc apply -f "${resources_dir}"/authorization-policies || return $?
 
-  oc create ns "${EVENTING_NAMESPACE}" --dry-run=client -oyaml | kubectl apply -f -
   oc apply -n "${EVENTING_NAMESPACE}" -f "${resources_dir}"/kafka-service-entry.yaml || return $?
   for ns in serverless-tests eventing-e2e0 eventing-e2e1 eventing-e2e2 eventing-e2e3 eventing-e2e4; do
     oc apply -n "$ns" -f "${resources_dir}"/kafka-service-entry.yaml || return $?
@@ -128,6 +128,13 @@ function deploy_gateways {
 }
 
 function undeploy_gateways {
+  oc delete -n serverless-tests -f "${resources_dir}"/network-policy-monitoring.yaml --ignore-not-found || return $?
+  for ns in serverless-tests eventing-e2e0 eventing-e2e1 eventing-e2e2 eventing-e2e3 eventing-e2e4; do
+    oc delete -n "$ns" -f "${resources_dir}"/kafka-service-entry.yaml --ignore-not-found || return $?
+  done
+  oc delete authorizationpolicy allow-traffic-to-cluster-domain -n istio-system --ignore-not-found || return $?
+  oc delete -f "${resources_dir}"/authorization-policies --ignore-not-found || return $?
+  oc delete -f "${resources_dir}"/authorization-policies/setup --ignore-not-found || return $?
   oc delete -f "${resources_dir}"/peerauthentication.yaml --ignore-not-found || return $?
   oc delete -f "${resources_dir}"/gateway.yaml --ignore-not-found || return $?
   oc delete -f "${resources_dir}"/smmr.yaml --ignore-not-found || return $?

hack/lib/mesh_resources/authorization-policies/README.md

@@ -0,0 +1,12 @@
+The resources in this folder are based on https://github.com/openshift-knative/knative-istio-authz-chart.
+`setup` can be copied 1:1, the other ones are generated using the helm generator:
+
+```bash
+helm template oci://quay.io/pierdipi/knative-istio-authz-onboarding --version 0.1.0 --set "name=tenant-1" --set "namespaces={tenant-1}" > helm-tenant-1.yaml
+
+helm template oci://quay.io/pierdipi/knative-istio-authz-onboarding --version 0.1.0 --set "name=tenant-2" --set "namespaces={tenant-2}" > helm-tenant-2.yaml
+
+helm template oci://quay.io/pierdipi/knative-istio-authz-onboarding --version 0.1.0 --set "name=serving-tests" --set "namespaces={serving-tests}" > helm-serving-tests.yaml
+```
+
+