Tests for Multi Tenancy with Service Mesh

Makefile

@@ -128,8 +128,9 @@ test-e2e-with-mesh-testonly:
 test-e2e-with-mesh:
 	FULL_MESH="true" UNINSTALL_MESH="false" ./hack/mesh.sh
 	./hack/tracing.sh
-	FULL_MESH=true ENABLE_TRACING=true ./hack/install.sh
-	FULL_MESH=true ./test/e2e-tests.sh
+	UNINSTALL_STRIMZI="false" ./hack/strimzi.sh
+	FULL_MESH=true SCALE_UP=4 INSTALL_KAFKA="true" ENABLE_TRACING=true ./hack/install.sh
+	FULL_MESH=true TEST_KNATIVE_KAFKA=true ./test/e2e-tests.sh
 
 # Run both unit and E2E tests from the current repo.
 test-operator: test-unit test-e2e
@@ -144,7 +145,7 @@ test-upstream-e2e-mesh:
 	FULL_MESH="true" UNINSTALL_MESH="false" ./hack/mesh.sh
 	TRACING_BACKEND=zipkin TRACING_NAMESPACE=knative-eventing ./hack/tracing.sh
 	UNINSTALL_STRIMZI="false" ./hack/strimzi.sh
-	FULL_MESH=true SCALE_UP=5 INSTALL_SERVING=true INSTALL_EVENTING=true INSTALL_KAFKA=true TRACING_BACKEND=zipkin TRACING_NAMESPACE=knative-eventing ENABLE_TRACING=true ./hack/install.sh
+	FULL_MESH=true SCALE_UP=6 INSTALL_SERVING=true INSTALL_EVENTING=true INSTALL_KAFKA=true TRACING_BACKEND=zipkin TRACING_NAMESPACE=knative-eventing ENABLE_TRACING=true ./hack/install.sh
 	FULL_MESH=true TEST_KNATIVE_KAFKA=true ./test/e2e-tests.sh
 	FULL_MESH=true TEST_KNATIVE_KAFKA=false TEST_KNATIVE_SERVING=true TEST_KNATIVE_EVENTING=true TEST_KNATIVE_KAFKA_BROKER=true TEST_KNATIVE_UPGRADE=false ./test/upstream-e2e-tests.sh
 
@@ -253,6 +254,9 @@ release-files:
 	./hack/generate/quickstart.sh \
   	templates/serverless-application-quickstart.yaml \
   	knative-operator/deploy/resources/quickstart/serverless-application-quickstart.yaml
+# TODO: uncomment as soon as chart changes are merged
+#	./hack/generate/mesh-auth-policies.sh \
+#  	tenant-1,tenant-2,serving-tests,serverless-tests
 
 # Generates all files that can be generated, includes release files, code generation
 # and updates vendoring.

hack/generate/mesh-auth-policies.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+set -Eeuo pipefail
+
+tenants="${1:?Provide tenants as comma-delimited as arg[1]}"
+
+# exit if helm is not installed
+helm > /dev/null || exit 127
+
+# shellcheck disable=SC1091,SC1090
+source "$(dirname "${BASH_SOURCE[0]}")/../lib/metadata.bash"
+
+policies_path="$(dirname "${BASH_SOURCE[0]}")/../lib/mesh_resources/authorization-policies/helm"
+chart_version="$(metadata.get project.version)"
+
+echo "Cleaning up old resources in $policies_path"
+
+rm -rf "$policies_path"
+mkdir -p "$policies_path"
+
+for tenant in ${tenants//,/ }; do
+  echo "Generating AuthorizationPolicies for tenant $tenant"
+
+  helm template oci://quay.io/openshift-knative/knative-istio-authz-onboarding --version "$chart_version" --set "name=$tenant" --set "namespaces={$tenant}" > "$policies_path/$tenant.yaml"
+done
+
+echo "Istio AuthorizationPolicies successfully updated for version $chart_version"

hack/lib/mesh.bash

@@ -118,8 +118,10 @@ function deploy_gateways {
   oc apply -f "${resources_dir}"/smmr.yaml || return $?
   oc apply -f "${resources_dir}"/gateway.yaml || return $?
   oc apply -f "${resources_dir}"/peerauthentication.yaml || return $?
+  oc apply -f "${resources_dir}"/authorization-policies/setup || return $?
+  oc apply -f "${resources_dir}"/authorization-policies/helm || return $?
+  oc apply -f "${resources_dir}"/destination-rules.yaml || return $?
 
-  oc create ns "${EVENTING_NAMESPACE}" --dry-run=client -oyaml | kubectl apply -f -
   oc apply -n "${EVENTING_NAMESPACE}" -f "${resources_dir}"/kafka-service-entry.yaml || return $?
   for ns in serverless-tests eventing-e2e0 eventing-e2e1 eventing-e2e2 eventing-e2e3 eventing-e2e4; do
     oc apply -n "$ns" -f "${resources_dir}"/kafka-service-entry.yaml || return $?
@@ -132,6 +134,9 @@ function undeploy_gateways {
   for ns in serverless-tests eventing-e2e0 eventing-e2e1 eventing-e2e2 eventing-e2e3 eventing-e2e4; do
     oc delete -n "$ns" -f "${resources_dir}"/kafka-service-entry.yaml --ignore-not-found || return $?
   done
+  oc delete -f "${resources_dir}"/destination-rules.yaml --ignore-not-found || return $?
+  oc delete -f "${resources_dir}"/authorization-policies/helm --ignore-not-found || return $?
+  oc delete -f "${resources_dir}"/authorization-policies/setup --ignore-not-found || return $?
   oc delete -f "${resources_dir}"/peerauthentication.yaml --ignore-not-found || return $?
   oc delete -f "${resources_dir}"/gateway.yaml --ignore-not-found || return $?
   oc delete -f "${resources_dir}"/smmr.yaml --ignore-not-found || return $?