openshift-service-mesh · openshift-merge-bot · Apr 8, 2025 · Feb 20, 2025 · Feb 24, 2025 · Feb 25, 2025
diff --git a/prow/config/sail-operator/egress-gateway-values.yaml b/prow/config/sail-operator/egress-gateway-values.yaml
@@ -0,0 +1,9 @@
+platform: openshift
+autoscaling:
+  enabled: false
+
+meshConfig:
+  accessLogFile: /dev/stdout
+
+service:
+  type: ClusterIP
diff --git a/prow/config/sail-operator/ingress-gateway-values.yaml b/prow/config/sail-operator/ingress-gateway-values.yaml
@@ -0,0 +1,32 @@
+platform: openshift
+autoscaling:
+  enabled: false
+
+meshConfig:
+  accessLogFile: /dev/stdout
+
+service:
+  ports:
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+      ## Extra ports for testing
+    - port: 15012
+      targetPort: 15012
+      name: tls-istiod
+    - port: 15017
+      targetPort: 15017
+      name: tls-webhook
+    - port: 31400
+      targetPort: 31400
+      name: tcp
diff --git a/prow/config/sail-operator/istio-cni.yaml b/prow/config/sail-operator/istio-cni.yaml
@@ -0,0 +1,8 @@
+apiVersion: sailoperator.io/v1
+kind: IstioCNI
+metadata:
+  name: default
+spec:
+  namespace: ${ISTIOCNI_NAMESPACE}
+  version: ${ISTIO_VERSION}
+  profile: openshift
diff --git a/prow/config/sail-operator/validatingwebhook.yaml b/prow/config/sail-operator/validatingwebhook.yaml
@@ -0,0 +1,26 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istiod-default-validator
+  labels:
+    app: istiod
+    release: istio
+webhooks:
+  - name: rev.validation.istio.io
+    clientConfig:
+      service:
+        name: istiod
+        namespace: istio-system
+        path: /validate
+      caBundle: <base64-encoded-CA-cert>
+    rules:
+      - apiGroups: ["security.istio.io", "networking.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+        apiVersions: ["*"]
+        operations: ["CREATE", "UPDATE"]
+        resources: ["*"]
+        scope: "*"
+    failurePolicy: Fail
+    matchPolicy: Equivalent
+    admissionReviewVersions: ["v1"]
+    sideEffects: None
+    timeoutSeconds: 10
diff --git a/prow/integ-suite-ocp.sh b/prow/integ-suite-ocp.sh
@@ -29,6 +29,10 @@ SKIP_TESTS="${2:-""}"
 TEST_SUITE="${1:-"pilot"}"
 SKIP_SETUP="${SKIP_SETUP:-"false"}"
 INSTALL_METALLB="${INSTALL_METALLB:-"false"}"
+OPERATOR_NAMESPACE="${OPERATOR_NAMESPACE:-"sail-operator"}"
+CONTROL_PLANE_SOURCE="${CONTROL_PLANE_SOURCE:-"istio"}"
+INSTALL_SAIL_OPERATOR="${INSTALL_SAIL_OPERATOR:-"false"}"
+
 # Important: SKIP_TEST_RUN is a workaround until downstream tests can be executed by using this script. 
 # To execute the tests in downstream, set SKIP_TEST_RUN to true
 # Jira: https://issues.redhat.com/browse/OSSM-8029
@@ -96,6 +100,11 @@ else
     echo "Skipping the setup"
 fi
 
+# Install Sail Operator
+if [ "${INSTALL_SAIL_OPERATOR}" == "true" ]; then
+    deploy_operator
+fi
+
 # Check if the test run should be skipped
 # This is a workaround until downstream tests can be executed by using this script.
 # Jira: https://issues.redhat.com/browse/OSSM-8029
@@ -135,6 +144,13 @@ base_cmd=("go" "test" "-p" "1" "-v" "-count=1" "-tags=integ" "-vet=off" "-timeou
           "--istio.test.tag=${TAG}"
           "--istio.test.openshift")
 
+# Append sail operator setup script to base command
+if [ "${CONTROL_PLANE_SOURCE}" == "sail" ]; then
+    SAIL_SETUP_SCRIPT="${WD}/setup/sail-operator-setup.sh"
+    base_cmd+=("--istio.test.kube.deploy=false")
+    base_cmd+=("--istio.test.kube.controlPlaneInstaller=${SAIL_SETUP_SCRIPT}")
+fi
+
 # Append skip tests flag if SKIP_TESTS is set
 if [ -n "${SKIP_TESTS}" ]; then
     base_cmd+=("-skip" "${SKIP_TESTS}")
@@ -152,4 +168,4 @@ else
 fi
 
 # Exit with the status of the test command
-exit $test_status
+exit "$test_status"
diff --git a/prow/setup/ocp_setup.sh b/prow/setup/ocp_setup.sh
@@ -31,6 +31,7 @@ WD=$(dirname "$0")
 WD=$(cd "$WD"; pwd)
 TIMEOUT=300
 export NAMESPACE="${NAMESPACE:-"istio-system"}"
+SAIL_REPO_URL="https://github.com/istio-ecosystem/sail-operator.git"
 
 function setup_internal_registry() {
   # Validate that the internal registry is running in the OCP Cluster, configure the variable to be used in the make target. 
@@ -177,4 +178,33 @@ spec:
   timeout --foreground -v -s SIGHUP -k ${TIMEOUT} ${TIMEOUT} bash -c 'until oc get IPAddressPool default -n metallb-system; do sleep 5; done && echo "The IP address pool has been created."'
 
   echo "MetalLB has been deployed and configured with the IP address pool."
+}
+
+#need to change env variables since make deploy of sail-operator uses them
+function env_save(){
+  INICIAL_NAMESPACE="$NAMESPACE"
+  INICIAL_HUB="$HUB"
+  INITIAL_TAG="$TAG"
+}
+function cleanup_sail_repo() {
+    echo "Cleaning up..."
+    cd .. 2>/dev/null || true
+    rm -rf sail-operator
+    export NAMESPACE="$INICIAL_NAMESPACE"
+    export HUB="$INICIAL_HUB"
+    export TAG="$INITIAL_TAG"
+}
+
+function deploy_operator(){
+  env_save
+  unset HUB
+  unset TAG
+  unset NAMESPACE
+  git clone --depth 1 --branch main $SAIL_REPO_URL || { echo "Failed to clone sail-operator repo"; exit 1; }
+  cd sail-operator
+  make deploy || { echo "sail-operator make deploy failed"; cleanup_sail_repo ; exit 1; }
+  oc -n sail-operator wait --for=condition=Available deployment/sail-operator --timeout=240s || { echo "Failed to start sail-operator"; exit 1; }
+  cleanup_sail_repo
+  echo "Sail operator deployed"
+
 }
diff --git a/prow/setup/sail-operator-setup.sh b/prow/setup/sail-operator-setup.sh
@@ -0,0 +1,185 @@
+#!/bin/bash
+
+# Copyright 2019 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# The integration test runtime is calling this script two times if istio.test.kube.controlPlaneInstaller parameter set. One call is with 
+# install and another is with cleanup. On install script is used to convert istio in-cluster operator config to sail operator config and install istiod, istio-cni and gateways.
+# On cleanup  istiod, istio-cni, istio-ingressgateway and istio-engressgateway are cleaned
+# The output log of this script is printed under working directory set by: --istio.test.work_dir/sail-operator-setup.log
+# Upstream WoW to call this script is documented in here: https://github.com/openshift-service-mesh/istio/tree/master/tests/integration#running-tests-on-custom-deployment
+
+LOG_FILE="$2/sail-operator-setup.log"
+# Redirect stdout and stderr to the log file
+exec > >(awk '{print strftime("[%Y-%m-%d %H:%M:%S]"), $0}' | tee -a "$LOG_FILE") 2>&1
+
+# Exit immediately for non zero status
+set -e
+# Check unset variables
+set -u
+# Print commands
+set -x
+# fail if any command in the pipeline fails
+set -o pipefail
+
+SKIP_CLEANUP="${SKIP_CLEANUP:-"false"}"
+
+
+function usage() {
+    echo "Usage: $0 <install|cleanup> <input_yaml>"
+    echo "Example: $0 install /path/to/iop.yaml"
+    exit 1
+}
+
+if [[ $# -lt 2 ]]; then
+    echo "Error: Missing required arguments."
+    usage
+fi
+
+if ! command -v yq &>/dev/null; then
+    echo "Error: 'yq' is not installed. Please install it before running the script."
+    exit 1
+fi
+
+if ! command -v helm &> /dev/null; then
+    echo "Helm is not installed. Please install Helm before proceeding."
+    exit 1
+fi
+
+WD=$(dirname "$0")
+PROW="$(dirname "$WD")"
+ROOT="$(dirname "$PROW")"
+
+WORKDIR="$2"
+# iop.yaml is the static file name for istiod config created by upstream integration test runtime
+IOP_FILE="$2"/iop.yaml
+SAIL_IOP_FILE="$(basename "${IOP_FILE%.yaml}")-sail.yaml"
+
+CONVERTER_BRANCH="${CONVERTER_BRANCH:-main}"
+
+# get istio version from versions.yaml
+VERSION_FILE="https://raw.githubusercontent.com/istio-ecosystem/sail-operator/$CONVERTER_BRANCH/pkg/istioversion/versions.yaml"
+if [ -z "${ISTIO_VERSION:-}" ]; then
+  ISTIO_VERSION="$(curl -s "$VERSION_FILE" | grep -E 'name: v[0-9]+\.[0-9]+' | sed -E 's/.*(v[0-9]+\.[0-9]+).*/\1/' | sort -Vr | head -n1)-latest"
+fi
+
+NAMESPACE="${NAMESPACE:-istio-system}"
+ISTIOCNI_NAMESPACE="${ISTIOCNI_NAMESPACE:-istio-cni}"
+
+ISTIOCNI="${PROW}/config/sail-operator/istio-cni.yaml"
+INGRESS_GATEWAY_VALUES="${PROW}/config/sail-operator/ingress-gateway-values.yaml"
+EGRESS_GATEWAY_VALUES="${PROW}/config/sail-operator/egress-gateway-values.yaml"
+
+CONVERTER_ADDRESS="https://raw.githubusercontent.com/istio-ecosystem/sail-operator/$CONVERTER_BRANCH/tools/configuration-converter.sh"
+CONVERTER_SCRIPT=$(basename "$CONVERTER_ADDRESS")
+
+function download_execute_converter(){
+  cd "${PROW}"
+  curl -fsSL "$CONVERTER_ADDRESS" -o "$CONVERTER_SCRIPT" || { echo "Failed to download converter script"; exit 1; }
+  chmod +x "$CONVERTER_SCRIPT"
+  bash "$CONVERTER_SCRIPT" "$IOP_FILE" -v "$ISTIO_VERSION" -n "$NAMESPACE" || { echo "Failed to execute converter script"; exit 1; }
+  rm "$CONVERTER_SCRIPT"
+}
+
+function install_istio_cni(){
+  oc create namespace "${ISTIOCNI_NAMESPACE}" || true
+  TMP_ISTIOCNI=$WORKDIR/istio-cni.yaml
+  cp "$ISTIOCNI" "$TMP_ISTIOCNI"
+  yq -i ".spec.namespace=\"$ISTIOCNI_NAMESPACE\"" "$TMP_ISTIOCNI"
+  yq -i ".spec.version=\"$ISTIO_VERSION\"" "$TMP_ISTIOCNI"
+  oc apply -f "$TMP_ISTIOCNI"
+  echo "istioCNI created."
+}
+
+function install_istio(){
+  # overwrite sailoperator version before applying it
+  oc create namespace "${NAMESPACE}" || true
+  if [ "${SAIL_API_VERSION:-}" != "" ]; then
+    yq -i eval ".apiVersion = \"sailoperator.io/$SAIL_API_VERSION\"" "$WORKDIR/$SAIL_IOP_FILE"
+  fi
+  patch_config
+  oc apply -f "$WORKDIR/$SAIL_IOP_FILE" || { echo "Failed to install istio"; kubectl get istio default -o yaml;}
+  oc -n "$NAMESPACE" wait --for=condition=Available deployment/istiod --timeout=240s || { sleep 60; }
+  echo "istiod created."
+}
+
+SECRET_NAME="istio-ca-secret"
+WEBHOOK_FILE="$PROW/config/sail-operator/validatingwebhook.yaml"
+
+function patch_config() {
+  # adds some control plane values that are mandatory and not available in iop.yaml
+  if [[ "$WORKDIR" == *"telemetry-tracing-zipkin"* ]]; then
+  # Workaround until https://github.com/istio/istio/pull/55408 is merged
+    yq eval '
+      .spec.values.meshConfig.enableTracing = true |
+      .spec.values.pilot.traceSampling = 100.0 |
+      .spec.values.global.proxy.tracer = "zipkin"
+    ' -i "$WORKDIR/$SAIL_IOP_FILE"
+    echo "Configured tracing for Zipkin."
+  fi
+
+  # Workaround until https://github.com/istio-ecosystem/sail-operator/issues/749 is fixed
+  CA_BUNDLE=$(kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" -o yaml 2>/dev/null | grep "ca-cert" | awk '{print $2}')
+
+  # If not found, sleep for 5 seconds and retry once
+  if [ -z "$CA_BUNDLE" ]; then
+    echo "Secret not found. Sleeping for 5 seconds before retrying..."
+    sleep 5
+
+    # Retry once
+    CA_BUNDLE=$(kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" -o yaml 2>/dev/null | grep "ca-cert" | awk '{print $2}')
+
+    if [ -z "$CA_BUNDLE" ]; then
+      echo "Secret still not found after retry. Exiting."
+      exit 1
+    fi
+  fi  
+
+  sed -i "s|<base64-encoded-CA-cert>|$CA_BUNDLE|g" "$WEBHOOK_FILE"
+  kubectl apply -f "$WEBHOOK_FILE"
+  sed -i "s|$CA_BUNDLE|<base64-encoded-CA-cert>|g" "$WEBHOOK_FILE"
+}
+
+# Install ingress and egress gateways
+function install_gateways(){
+  helm template -n "$NAMESPACE" istio-ingressgateway "${ROOT}"/manifests/charts/gateway --values "$INGRESS_GATEWAY_VALUES" > "${WORKDIR}"/istio-ingressgateway.yaml
+  oc apply -f "${WORKDIR}"/istio-ingressgateway.yaml
+  helm template -n "$NAMESPACE" istio-egressgateway "${ROOT}"/manifests/charts/gateway --values "$EGRESS_GATEWAY_VALUES" > "${WORKDIR}"/istio-egressgateway.yaml
+  oc apply -f "${WORKDIR}"/istio-egressgateway.yaml
+  oc -n "$NAMESPACE" wait --for=condition=Available deployment/istio-ingressgateway --timeout=60s || { echo "Failed to start istio-ingressgateway"; oc get pods -n "$NAMESPACE" -o wide; oc describe pod $(oc get pods -n istio-system --no-headers | awk "$3==\"ErrImagePull\" {print $1}" | head -n 1) -n istio-system; exit 1;}
+  oc -n "$NAMESPACE" wait --for=condition=Available deployment/istio-egressgateway --timeout=60s || { echo "Failed to start istio-egressgateway";  kubectl get istios; oc get pods -n "$NAMESPACE" -o wide; exit 1;}
+  echo "Gateways created."
+}
+
+function cleanup_istio(){
+  kubectl delete all --all -n "$ISTIOCNI_NAMESPACE"
+  kubectl delete all --all -n "$NAMESPACE"
+  kubectl delete istios.sailoperator.io --all --all-namespaces --wait=true
+  kubectl get clusterrole | grep istio | awk '{print $1}' | xargs kubectl delete clusterrole
+  kubectl get clusterrolebinding | grep istio | awk '{print $1}' | xargs kubectl delete clusterrolebinding
+  echo "Cleanup completed."
+}
+
+if [ "$1" = "install" ]; then
+  download_execute_converter || { echo "Failed to execute converter"; exit 1; }
+  install_istio_cni || { echo "Failed to install Istio CNI"; exit 1; }
+  install_istio || { echo "Failed to install Istio"; exit 1; }
+  install_gateways || { echo "Failed to install gateways"; exit 1; }
+elif [ "$1" = "cleanup" ]; then
+  if [ "$SKIP_CLEANUP" = "true" ]; then
+    echo "Skipping cleanup because SKIP_CLEANUP is set to true."
+  else
+    cleanup_istio || { echo "Failed to cleanup cluster"; exit 1; }
+  fi
+fi