diff --git a/config/settings.local.yaml.tpl b/config/settings.local.yaml.tpl index 963d9cf6..384108e5 100644 --- a/config/settings.local.yaml.tpl +++ b/config/settings.local.yaml.tpl @@ -23,4 +23,6 @@ # authorino: # image: "quay.io/kuadrant/authorino:latest" # If specified will override the authorino image # deploy: false # If false, the testsuite will use already deployed authorino for testing -# url: "" # URL for already deployed Authorino \ No newline at end of file +# url: "" # URL for already deployed Authorino +# envoy: +# image: "docker.io/envoyproxy/envoy:v1.23-latest" # Envoy image, the testsuite should use, only for Authorino tests now \ No newline at end of file diff --git a/config/settings.yaml b/config/settings.yaml index 60ce197c..24f68e45 100644 --- a/config/settings.yaml +++ b/config/settings.yaml @@ -10,4 +10,6 @@ default: username: "testUser" password: "testPassword" authorino: - deploy: true \ No newline at end of file + deploy: true + envoy: + image: "docker.io/envoyproxy/envoy:v1.23-latest" \ No newline at end of file diff --git a/testsuite/openshift/envoy.py b/testsuite/openshift/envoy.py index 72b4c292..18b5cc4d 100644 --- a/testsuite/openshift/envoy.py +++ b/testsuite/openshift/envoy.py @@ -9,12 +9,13 @@ class Envoy(LifecycleObject): """Envoy deployed from template""" - def __init__(self, openshift: OpenShiftClient, authorino, name, label, httpbin_hostname) -> None: + def __init__(self, openshift: OpenShiftClient, authorino, name, label, httpbin_hostname, image) -> None: self.openshift = openshift self.authorino = authorino self.name = name self.label = label self.httpbin_hostname = httpbin_hostname + self.image = image self.envoy_objects = None 
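Review bot: The new default `image: "docker.io/envoyproxy/envoy:v1.23-latest"` in config/settings.yaml is a floating tag, so the image the testsuite deploys can change between runs without any change in this repository. That makes failures hard to reproduce and means the content pulled from the public registry is never fixed to something that was reviewed. Pinning by digest keeps the default deterministic, for example `image: "docker.io/envoyproxy/envoy@sha256:<digest-of-the-tested-v1.23-image>"`, with the tag form kept only as a documented override. The commented example in config/settings.local.yaml.tpl carries the same tag and could say that a digest is preferred.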
@@ -50,7 +51,8 @@ def commit(self): "NAME": self.name, "LABEL": self.label, "AUTHORINO_URL": self.authorino.authorization_url, - "UPSTREAM_URL": self.httpbin_hostname + "UPSTREAM_URL": self.httpbin_hostname, + "ENVOY_IMAGE": self.image }) with self.openshift.context: assert self.openshift.is_ready(self.envoy_objects.narrow("deployment")), "Envoy wasn't ready in time" @@ -65,9 +67,9 @@ def delete(self): class TLSEnvoy(Envoy): """Envoy with TLS enabled and all required certificates set up, requires using a client certificate""" - def __init__(self, openshift, authorino, name, label, httpbin_hostname, + def __init__(self, openshift, authorino, name, label, httpbin_hostname, image, authorino_ca_secret, envoy_ca_secret, envoy_cert_secret) -> None: - super().__init__(openshift, authorino, name, label, httpbin_hostname) + super().__init__(openshift, authorino, name, label, httpbin_hostname, image) self.authorino_ca_secret = authorino_ca_secret self.backend_ca_secret = envoy_ca_secret self.envoy_cert_secret = envoy_cert_secret @@ -86,6 +88,7 @@ def commit(self): "AUTHORINO_CA_SECRET": self.authorino_ca_secret, "ENVOY_CA_SECRET": self.backend_ca_secret, "ENVOY_CERT_SECRET": self.envoy_cert_secret, + "ENVOY_IMAGE": self.image }) with self.openshift.context: diff --git a/testsuite/resources/envoy.yaml b/testsuite/resources/envoy.yaml index 683d7269..f49617e4 100644 --- a/testsuite/resources/envoy.yaml +++ b/testsuite/resources/envoy.yaml @@ -51,14 +51,14 @@ objects: cluster_name: external_auth timeout: 1s - name: envoy.filters.http.router - typed_config: {} + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router use_remote_address: true clusters: - name: external_auth connect_timeout: 0.25s type: strict_dns lb_policy: round_robin - http2_protocol_options: {} load_assignment: cluster_name: external_auth endpoints: 
@@ -68,6 +68,13 @@ objects: socket_address: address: ${AUTHORINO_URL} port_value: 50051 + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + upstream_http_protocol_options: + auto_sni: true + explicit_http_config: + http2_protocol_options: {} - name: httpbin connect_timeout: 0.25s type: strict_dns @@ -82,7 +89,6 @@ objects: address: ${UPSTREAM_URL} port_value: 8080 admin: - access_log_path: "/tmp/admin_access.log" address: socket_address: address: 0.0.0.0 @@ -174,4 +180,3 @@ parameters: required: true - name: ENVOY_IMAGE required: false - value: envoyproxy/envoy:v1.19-latest \ No newline at end of file diff --git a/testsuite/resources/tls/envoy.yaml b/testsuite/resources/tls/envoy.yaml index b5626fda..363a20fb 100644 --- a/testsuite/resources/tls/envoy.yaml +++ b/testsuite/resources/tls/envoy.yaml @@ -63,14 +63,14 @@ objects: cluster_name: external_auth timeout: 1s - name: envoy.filters.http.router - typed_config: {} + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router use_remote_address: true clusters: - name: external_auth connect_timeout: 0.25s type: strict_dns lb_policy: round_robin - http2_protocol_options: {} load_assignment: cluster_name: external_auth endpoints: @@ -80,6 +80,13 @@ objects: socket_address: address: ${AUTHORINO_URL} port_value: 50051 + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + upstream_http_protocol_options: + auto_sni: true + explicit_http_config: + http2_protocol_options: {} transport_socket: name: envoy.transport_sockets.tls typed_config: @@ -102,7 +109,6 @@ objects: address: ${UPSTREAM_URL} port_value: 8080 admin: - access_log_path: "/tmp/admin_access.log" address: socket_address: address: 0.0.0.0 
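Review bot: `auto_sni: true` is added to the `external_auth` cluster in testsuite/resources/envoy.yaml, but no `transport_socket` is visible for that cluster in this hunk (the `httpbin` cluster follows directly), so the option appears to have nothing to act on in the plaintext template. In the matching hunk of testsuite/resources/tls/envoy.yaml it does take effect, and there it derives the SNI from the request's host/authority header instead of fixing it to the Authorino hostname. If the TLS template is meant to verify Authorino's identity, consider setting `sni` explicitly in the upstream TLS context or adding `auto_san_validation: true` next to `auto_sni`. The TLS context itself lies outside the hunk, so this needs confirming against the full file. For the plaintext template, `explicit_http_config` with `http2_protocol_options: {}` alone would be the minimal migration.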
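Review bot: Removing `access_log_path` leaves the Envoy admin interface with no access log at all, while the context lines show it still listening on `0.0.0.0`. The field was presumably dropped because newer Envoy rejects the deprecated form, but the v3 `access_log` list is the replacement and keeps a record of who called the admin endpoints. The same removal is made in testsuite/resources/tls/envoy.yaml. If nothing outside the pod needs the admin port, binding it to `127.0.0.1` would also be worth considering; the port and any exposing Service are outside the hunk.

```yaml
admin:
  access_log:
    - name: envoy.access_loggers.file
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
        path: "/tmp/admin_access.log"
  # … unchanged: address / socket_address …
```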
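Review bot: In the `parameters` hunk of testsuite/resources/envoy.yaml, `ENVOY_IMAGE` keeps `required: false` although its default `value` is removed, so the template can now be processed with an empty image. The TLS template in the same commit switches the parameter to `required: true`; doing the same here, `required: true`, keeps the two templates consistent and makes a missing or empty `envoy.image` setting fail at template processing. Otherwise it would presumably surface later as the "Envoy wasn't ready in time" assertion in `commit()`. Where `${ENVOY_IMAGE}` is consumed is outside the hunk.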
@@ -221,5 +227,4 @@ parameters: description: "Secret containing CA for communication with Authorino, only public cert is required" required: true - name: ENVOY_IMAGE - required: false - value: envoyproxy/envoy:v1.19-latest \ No newline at end of file + required: true diff --git a/testsuite/tests/conftest.py b/testsuite/tests/conftest.py index 37d51c1b..ef2bb4f7 100644 --- a/testsuite/tests/conftest.py +++ b/testsuite/tests/conftest.py @@ -136,9 +136,9 @@ def backend(request, openshift, blame, label): @pytest.fixture(scope="module") -def envoy(request, authorino, openshift, blame, backend, module_label): +def envoy(request, authorino, openshift, blame, backend, module_label, testconfig): """Deploys Envoy that wire up the Backend behind the reverse-proxy and Authorino instance""" - envoy = Envoy(openshift, authorino, blame("envoy"), module_label, backend.url) + envoy = Envoy(openshift, authorino, blame("envoy"), module_label, backend.url, testconfig["envoy"]["image"]) request.addfinalizer(envoy.delete) envoy.commit() return envoy diff --git a/testsuite/tests/kuadrant/authorino/operator/sharding/conftest.py b/testsuite/tests/kuadrant/authorino/operator/sharding/conftest.py index 6e4f4e04..b53352c4 100644 --- a/testsuite/tests/kuadrant/authorino/operator/sharding/conftest.py +++ b/testsuite/tests/kuadrant/authorino/operator/sharding/conftest.py @@ -6,11 +6,11 @@ @pytest.fixture(scope="module") -def envoy(request, authorino, openshift, blame, backend): +def envoy(request, authorino, openshift, blame, backend, testconfig): """Envoy""" def _envoy(auth=authorino): - envoy = Envoy(openshift, auth, blame("envoy"), blame("label"), backend.url) + envoy = Envoy(openshift, auth, blame("envoy"), blame("label"), backend.url, testconfig["envoy"]["image"]) request.addfinalizer(envoy.delete) envoy.commit() return envoy diff --git a/testsuite/tests/kuadrant/authorino/operator/tls/conftest.py b/testsuite/tests/kuadrant/authorino/operator/tls/conftest.py index 2f09ed95..e8876136 100644 
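Review bot: The lookup `testconfig["envoy"]["image"]` is repeated inline in three `envoy` fixtures (testsuite/tests/conftest.py, the sharding conftest and the tls conftest), and in each it is passed positionally into an already long argument list. A single shared fixture would give one place to validate the value and would fail with a clear message when the setting is missing or empty. For example `@pytest.fixture(scope="module")` / `def envoy_image(testconfig):` / `return testconfig["envoy"]["image"]`, with the fixtures then calling `Envoy(..., image=envoy_image)`. Passing `image` by keyword also guards against argument-order mistakes in `TLSEnvoy`, where the new parameter sits between `httpbin_hostname` and the three secret names.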
--- a/testsuite/tests/kuadrant/authorino/operator/tls/conftest.py +++ b/testsuite/tests/kuadrant/authorino/operator/tls/conftest.py @@ -98,13 +98,13 @@ def invalid_cert(invalid_authority, cfssl, wildcard_domain): @pytest.fixture(scope="module") def envoy(request, authorino, openshift, create_secret, blame, label, backend, - authorino_authority, envoy_authority, envoy_cert): + authorino_authority, envoy_authority, envoy_cert, testconfig): """Envoy + Httpbin backend""" authorino_secret = create_secret(authorino_authority, "authca") envoy_ca_secret = create_secret(envoy_authority, "backendca") envoy_secret = create_secret(envoy_cert, "envoycert") - envoy = TLSEnvoy(openshift, authorino, blame("backend"), label, backend.url, + envoy = TLSEnvoy(openshift, authorino, blame("backend"), label, backend.url, testconfig["envoy"]["image"], authorino_secret, envoy_ca_secret, envoy_secret) request.addfinalizer(envoy.delete) envoy.commit()