Run upstream e2e test with net-istio

Makefile

@@ -70,6 +70,12 @@ test-upstream-e2e:
 	UNINSTALL_STRIMZI="false" ./hack/strimzi.sh
 	INSTALL_KAFKA=true TEST_KNATIVE_KAFKA=true ./test/upstream-e2e-tests.sh
 
+# Run upstream E2E tests with net-istio and sidecar.
+# TODO: Enable upgrade tests once upstream fixed the issue https://github.com/knative/serving/issues/11535.
+test-upstream-e2e-mesh:
+	UNINSTALL_STRIMZI="false" ./hack/strimzi.sh
+	FULL_MESH=true INSTALL_KAFKA=false TEST_KNATIVE_KAFKA=false TEST_KNATIVE_UPGRADE=false ./test/upstream-e2e-tests.sh
+
 # Run upstream E2E tests without upgrades.
 test-upstream-e2e-no-upgrade:
 	UNINSTALL_STRIMZI="false" ./hack/strimzi.sh
@@ -131,4 +137,4 @@ lint:
 	golangci-lint run
 	find . -type f -path './**/*.*sh' -not -path '*vendor*' | xargs -r shellcheck
 	operator-sdk bundle validate ./olm-catalog/serverless-operator
-	git ls-files | grep -Ev '^(vendor/|.git)' | xargs misspell -error
+	git ls-files | grep -Ev '^(vendor/|.git)' | xargs misspell -error

hack/lib/serverless.bash

@@ -153,12 +153,57 @@ function deploy_knativeserving_cr {
   # This is a way to test backwards compatibility of the product with the older full-blown configuration.
   oc apply -n "${SERVING_NAMESPACE}" -f "${rootdir}/test/v1alpha1/resources/operator.knative.dev_v1alpha1_knativeserving_cr.yaml"
 
+  if [[ $FULL_MESH == "true" ]]; then
+    enable_net_istio
+  fi
+
   timeout 900 "[[ \$(oc get knativeserving.operator.knative.dev knative-serving \
     -n ${SERVING_NAMESPACE} -o=jsonpath='{.status.conditions[?(@.type==\"Ready\")].status}') != True ]]"
 
   logger.success 'Knative Serving has been installed successfully.'
 }
 
+# enable_net_istio adds patch to KnativeServing:
+# - Set ingress.istio.enbled to "true"
+# - Set inject and rewriteAppHTTPProbers annotations for activator and autoscaler
+# - Override observability.metrics.backend-destination to "none",
+#   as "test/v1alpha1/resources/operator.knative.dev_v1alpha1_knativeserving_cr.yaml" has the value "prometheus".
+function enable_net_istio {
+  patchfile="$(mktemp -t knative-serving-XXXXX.yaml)"
+  cat - << EOF > "${patchfile}"
+spec:
+  ingress:
+    istio:
+      enabled: true
+  deployments:
+  - annotations:
+      sidecar.istio.io/inject: "true"
+      sidecar.istio.io/rewriteAppHTTPProbers: "true"
+    name: activator
+  - annotations:
+      sidecar.istio.io/inject: "true"
+      sidecar.istio.io/rewriteAppHTTPProbers: "true"
+    name: autoscaler
+  - name: domain-mapping
+    replicas: 2
+  config:
+    observability:
+      metrics.backend-destination: "none"
+EOF
+
+  oc patch knativeserving knative-serving \
+    -n "${SERVING_NAMESPACE}" \
+    --type merge --patch-file="${patchfile}"
+
+  timeout 900 "[[ \$(oc get knativeserving.operator.knative.dev knative-serving \
+    -n ${SERVING_NAMESPACE} -o=jsonpath='{.status.conditions[?(@.type==\"Ready\")].status}') != True ]]"
+
+  logger.success 'KnativeServing has been updated successfully.'
+
+  # metadata-webhook adds istio annotations for e2e test by webhook.
+  oc apply -f https://raw.githubusercontent.com/nak3/metadata-webhook/main/examples/release.yaml
+}
+
 function deploy_knativeeventing_cr {
   logger.info 'Deploy Knative Eventing'
 

hack/lib/vars.bash

@@ -69,3 +69,4 @@ export TEST_KNATIVE_KAFKA="${TEST_KNATIVE_KAFKA:-false}"
 export INSTALL_SERVING="${INSTALL_SERVING:-true}"
 export INSTALL_EVENTING="${INSTALL_EVENTING:-true}"
 export INSTALL_KAFKA="${INSTALL_KAFKA:-false}"
+export FULL_MESH="${FULL_MESH:-false}"

test/serving.bash

@@ -48,11 +48,27 @@ function upstream_knative_serving_e2e_and_conformance_tests {
   image_template="registry.ci.openshift.org/openshift/knative-${KNATIVE_SERVING_VERSION}:knative-serving-test-{{.Name}}"
   OPENSHIFT_TEST_OPTIONS="--kubeconfig $KUBECONFIG --enable-beta --enable-alpha --resolvabledomain"
 
+  if [[ $FULL_MESH == "true" ]]; then
+    subdomain=$(oc get ingresses.config.openshift.io cluster  -o jsonpath="{.spec.domain}")
+    OPENSHIFT_TEST_OPTIONS+=" --https --customdomain=$subdomain"
+
+    # Use x509ignoreCN=0.
+    # This should not be necesssary if we could ceate certs with SAN. However, openssl command in the CI
+    # seems old version and so it does not have "-addext" option to add SAN.
+    export GODEBUG="x509ignoreCN=0"
+
+    # TODO: SRVKS-211: Can not run grpc and http2 tests.
+    rm ./test/e2e/grpc_test.go
+    rm ./test/e2e/http2_test.go
+    # Remove h2c test
+    sed -ie '46,50d' ./test/conformance/runtime/protocol_test.go
+  fi
+
   local parallel=3
 
   if [[ $(oc get infrastructure cluster -ojsonpath='{.status.platform}') = VSphere ]]; then
     # Since we don't have LoadBalancers working, gRPC tests will always fail.
-    rm ./test/e2e/grpc_test.go
+    rm -f ./test/e2e/grpc_test.go
     parallel=2
   fi
 

test/upstream-e2e-tests.sh

@@ -19,6 +19,11 @@ logger.success '🚀 Cluster prepared for testing.'
 
 scale_up_workers
 
+# Install ServiceMesh and enable mTLS.
+if [[ $FULL_MESH == true ]]; then
+   UNINSTALL_MESH="false" install_mesh
+fi
+
 # Run upgrade tests
 if [[ $TEST_KNATIVE_UPGRADE == true ]]; then
   install_serverless_previous