From a68459eba091f023a8fd9cb42dffabf670fe8d67 Mon Sep 17 00:00:00 2001 From: Andra Cismaru Date: Mon, 25 Sep 2017 10:18:45 -0700 Subject: [PATCH] Enable cluster wide installation in tests (#902) * Enable cluster wide installation in tests * Check errors * Address code review comments * Code review * goftm -s * Fix the initializer * Updated readme * Try without initializer Former-commit-id: d24eca1fd255c99ee0e0e10e1483f908ea28c3e3 --- install/kubernetes/BUILD | 1 - install/kubernetes/istio-rbac-beta.yaml | 192 --------------------- install/updateVersion.sh | 6 - prow/e2e-suite-rbac-auth.sh | 8 +- prow/e2e-suite-rbac-no_auth.sh | 8 +- prow/new-e2e-rbac_no_auth.sh | 7 +- tests/e2e/README.md | 9 +- tests/e2e/framework/kubernetes.go | 211 ++++++++++++------------ tests/e2e/util/commonUtils.go | 3 +- 9 files changed, 120 insertions(+), 325 deletions(-) delete mode 100644 install/kubernetes/istio-rbac-beta.yaml diff --git a/install/kubernetes/BUILD b/install/kubernetes/BUILD index c96e40e8a6be..5a2766a116f2 100644 --- a/install/kubernetes/BUILD +++ b/install/kubernetes/BUILD @@ -6,7 +6,6 @@ filegroup( "istio-initializer.yaml", "istio-one-namespace.yaml", "istio-one-namespace-auth.yaml", - "istio-rbac-beta.yaml", ], visibility = ["//visibility:public"], ) diff --git a/install/kubernetes/istio-rbac-beta.yaml b/install/kubernetes/istio-rbac-beta.yaml deleted file mode 100644 index 2e1176dc2606..000000000000 --- a/install/kubernetes/istio-rbac-beta.yaml +++ /dev/null 
@@ -1,192 +0,0 @@ -# GENERATED FILE. Use with Kubernetes 1.7+ -# TO UPDATE, modify files in install/kubernetes/templates and run install/updateVersion.sh -# Permissions and roles for istio -# To debug: start the cluster with -vmodule=rbac,3 to enable verbose logging on RBAC DENY -# Also helps to enable logging on apiserver 'wrap' to see the URLs. -# Each RBAC deny needs to be mapped into a rule for the role. -# If using minikube, start with '--extra-config=apiserver.Authorization.Mode=RBAC' -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: istio-pilot-istio-system -rules: -- apiGroups: ["config.istio.io"] - resources: ["*"] - verbs: ["*"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["*"] -- apiGroups: ["istio.io"] - resources: ["istioconfigs", "istioconfigs.istio.io"] - verbs: ["*"] -- apiGroups: ["extensions"] - resources: ["thirdpartyresources", "thirdpartyresources.extensions", "ingresses", "ingresses/status"] - verbs: ["*"] -- apiGroups: [""] - resources: ["configmaps", "endpoints", "pods", "services"] - verbs: ["*"] -- apiGroups: [""] - resources: ["namespaces", "nodes", "secrets"] - verbs: ["get", "list", "watch"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["externaladmissionhookconfigurations"] - verbs: ["create", "update", "delete"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: istio-initializer-istio-system -rules: -- apiGroups: ["*"] - resources: ["deployments", "statefulsets", "jobs", "cronjobs", "daemonsets", "replicasets", "replicationcontrollers"] - verbs: ["initialize", "patch", "watch", "list"] -- apiGroups: ["*"] - resources: ["configmaps"] - verbs: ["get", "list", "watch"] ---- -# Mixer CRD needs to watch and list CRDs -# It also uses discovery API to discover Kinds of config.istio.io -# K8s adapter needs to list pods, services etc. 
-kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: istio-mixer-istio-system -rules: -- apiGroups: ["config.istio.io"] # Istio CRD watcher - resources: ["*"] - verbs: ["get", "list", "watch"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: istio-ca-istio-system -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["create", "get", "watch", "list", "update"] -- apiGroups: [""] - resources: ["serviceaccounts"] - verbs: ["get", "watch", "list"] ---- -# Permissions for the sidecar proxy. -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: istio-sidecar-istio-system -rules: -- apiGroups: ["istio.io"] - resources: ["istioconfigs"] - verbs: ["get", "watch", "list"] -- apiGroups: ["extensions"] - resources: ["thirdpartyresources", "ingresses"] - verbs: ["get", "watch", "list", "update"] -- apiGroups: [""] - resources: ["configmaps", "pods", "endpoints", "services"] - verbs: ["get", "watch", "list"] ---- -# Grant permissions to the Pilot/discovery. 
-kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: istio-pilot-admin-role-binding-istio-system -subjects: -- kind: ServiceAccount - name: istio-pilot-service-account - namespace: istio-system -roleRef: - kind: ClusterRole - name: istio-pilot-istio-system - apiGroup: rbac.authorization.k8s.io ---- -# Grant permissions to the Sidecar initializer -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: istio-initializer-admin-role-binding-istio-system -subjects: -- kind: ServiceAccount - name: istio-initializer-service-account - namespace: istio-system -roleRef: - kind: ClusterRole - name: istio-initializer-istio-system - apiGroup: rbac.authorization.k8s.io ---- -# Grant permissions to the CA. -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: istio-ca-role-binding-istio-system -subjects: -- kind: ServiceAccount - name: istio-ca-service-account - namespace: istio-system -roleRef: - kind: ClusterRole - name: istio-ca-istio-system - apiGroup: rbac.authorization.k8s.io ---- -# Grant permissions to the Ingress controller. -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: istio-ingress-admin-role-binding-istio-system -subjects: -- kind: ServiceAccount - name: istio-ingress-service-account - namespace: istio-system -roleRef: - kind: ClusterRole - name: istio-pilot-istio-system - apiGroup: rbac.authorization.k8s.io ---- -# Grant permissions to the Egress controller. -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: istio-egress-admin-role-binding-istio-system -subjects: -- kind: ServiceAccount - name: istio-egress-service-account - namespace: istio-system -roleRef: - kind: ClusterRole - name: istio-pilot-istio-system - apiGroup: rbac.authorization.k8s.io ---- -# Grant permissions to the sidecar. 
-# TEMPORARY: the istioctl should generate a separate service account for the proxy, and permission -# granted only to that account ! -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: istio-sidecar-role-binding-istio-system -subjects: -- kind: ServiceAccount - name: default - namespace: istio-system -roleRef: - kind: ClusterRole - name: istio-sidecar-istio-system - apiGroup: rbac.authorization.k8s.io ---- -# Grant permissions to Mixer. -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: istio-mixer-admin-role-binding-istio-system -subjects: -- kind: ServiceAccount - name: istio-mixer-service-account - namespace: istio-system -roleRef: - kind: ClusterRole - name: istio-mixer-istio-system - apiGroup: rbac.authorization.k8s.io ---- diff --git a/install/updateVersion.sh b/install/updateVersion.sh index 3f798f5790da..57b9f532969c 100755 --- a/install/updateVersion.sh +++ b/install/updateVersion.sh @@ -125,12 +125,6 @@ function merge_files() { ISTIO_ONE_NAMESPACE_AUTH=$DEST/istio-one-namespace-auth.yaml ISTIO_INITIALIZER=$DEST/istio-initializer.yaml - # TODO remove 3 lines below once the e2e tests no longer look for this file - echo "# GENERATED FILE. Use with Kubernetes 1.7+" > $DEST/istio-rbac-beta.yaml - echo "# TO UPDATE, modify files in install/kubernetes/templates and run install/updateVersion.sh" >> $DEST/istio-rbac-beta.yaml - cat $SRC/istio-rbac-beta.yaml.tmpl >> $DEST/istio-rbac-beta.yaml - - echo "# GENERATED FILE. Use with Kubernetes 1.7+" > $ISTIO echo "# TO UPDATE, modify files in install/kubernetes/templates and run install/updateVersion.sh" >> $ISTIO cat $SRC/istio-ns.yaml.tmpl >> $ISTIO diff --git a/prow/e2e-suite-rbac-auth.sh b/prow/e2e-suite-rbac-auth.sh index da30acc2c6b3..68369f1db14a 100755 --- a/prow/e2e-suite-rbac-auth.sh +++ b/prow/e2e-suite-rbac-auth.sh 
@@ -28,7 +28,9 @@ set -u # Print commands set -x -RBAC_FILE='install/kubernetes/istio-rbac-beta.yaml' - echo 'Running e2e with rbac, with auth Tests' -./prow/e2e-suite.sh --rbac_path="${RBAC_FILE}" --auth_enable "${@}" +if [ "$#" != 0 ]; then + ./prow/e2e-suite.sh --auth_enable "${@}" +else + ./prow/e2e-suite.sh --auth_enable +fi diff --git a/prow/e2e-suite-rbac-no_auth.sh b/prow/e2e-suite-rbac-no_auth.sh index 0a6998ac7858..31a083e3ebc6 100755 --- a/prow/e2e-suite-rbac-no_auth.sh +++ b/prow/e2e-suite-rbac-no_auth.sh @@ -28,7 +28,9 @@ set -u # Print commands set -x -RBAC_FILE='install/kubernetes/istio-rbac-beta.yaml' - echo 'Running e2e with rbac, no auth Tests' -./prow/e2e-suite.sh --rbac_path="${RBAC_FILE}" "${@}" +if [ "$#" != 0 ]; then + ./prow/e2e-suite.sh "${@}" +else + ./prow/e2e-suite.sh +fi diff --git a/prow/new-e2e-rbac_no_auth.sh b/prow/new-e2e-rbac_no_auth.sh index 8c37b062ec6a..c97afc1fd5cc 100755 --- a/prow/new-e2e-rbac_no_auth.sh +++ b/prow/new-e2e-rbac_no_auth.sh @@ -33,7 +33,7 @@ ZONE=us-central1-f CLUSTER_VERSION=1.7.5 MACHINE_TYPE=n1-standard-4 NUM_NODES=1 -CLUSTER_NAME=rbac-n-auth-$(uuidgen | cut -c1-8) +CLUSTER_NAME=cluster-wide-auth-$(uuidgen | cut -c1-8 | tr "[A-Z]" "[a-z]") CLUSTER_CREATED=false @@ -56,6 +56,5 @@ CLUSTER_CREATED=true kubectl create clusterrolebinding prow-cluster-admin-binding --clusterrole=cluster-admin --user=istio-prow-test-job@istio-testing.iam.gserviceaccount.com -echo 'Running e2e rbac, no auth Tests' -./prow/e2e-suite-rbac-no_auth.sh "${@}" - +echo 'Running cluster-wide e2e rbac, auth Tests' +./prow/e2e-suite-rbac-auth.sh --cluster_wide "${@}" diff --git a/tests/e2e/README.md b/tests/e2e/README.md index 7bb7e77b108a..bbd6cc090d5b 100644 --- a/tests/e2e/README.md +++ b/tests/e2e/README.md 
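Review bot: In `prow/new-e2e-rbac_no_auth.sh` the last hunk switches the job to `./prow/e2e-suite-rbac-auth.sh --cluster_wide`, so a script whose name says `no_auth` now runs the auth suite, and nothing visible in this file exercises the no-auth configuration any more. Either rename the script together with the job that calls it, or add a header comment such as `# Runs the cluster-wide e2e suite with auth enabled; the file name is historical.` so that a CI result from this job is not misread.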
@@ -15,7 +15,7 @@ gcloud container clusters create ${CLUSTER_NAME} --zone ${ZONE} --project ${PROJ If you hit the error ```bash -Error from server (Forbidden): error when creating "install/kubernetes/istio-rbac-beta.yaml": clusterroles.rbac.authorization.k8s.io "istio-pilot" is forbidden: attempt to grant extra privileges: [{[*] [istio.io] [istioconfigs] [] []} {[*] [istio.io] [istioconfigs.istio.io] [] []} {[*] [extensions] [thirdpartyresources] [] []} {[*] [extensions] [thirdpartyresources.extensions] [] []} {[*] [extensions] [ingresses] [] []} {[*] [] [configmaps] [] []} {[*] [] [endpoints] [] []} {[*] [] [pods] [] []} {[*] [] [services] [] []}] user=&{user@example.org [...] +Error from server (Forbidden): error when creating "install/kubernetes/istio.yaml": clusterroles.rbac.authorization.k8s.io "istio-pilot" is forbidden: attempt to grant extra privileges: [{[*] [istio.io] [istioconfigs] [] []} {[*] [istio.io] [istioconfigs.istio.io] [] []} {[*] [extensions] [thirdpartyresources] [] []} {[*] [extensions] [thirdpartyresources.extensions] [] []} {[*] [extensions] [ingresses] [] []} {[*] [] [configmaps] [] []} {[*] [] [endpoints] [] []} {[*] [] [pods] [] []} {[*] [] [services] [] []}] user=&{user@example.org [...] ``` You need to add the following: (replace the name with your own) ``` 
@@ -55,18 +55,19 @@ If not specify `namespace`, a randomly namespace would be generated for each tes ### For all the following example, you always need to add: * `--auth_enable` if you want to include auth -* `--rbac_path=install/kubernetes/istio-rbac-beta.yaml` if you are using a rbac cluster (which means you disabled legacy if using GKE) +* `--cluster_wide` if you want to run the cluster wide installation and tests +* `--use_initializer` if you want to do transparent sidecar injection ### Example From the repo checkout root directory * Run tests with the latest stable version of istio according to istio.VERSION : -`tests/e2e.sh --rbac_path=install/kubernetes/istio-rbac-beta.yaml --auth_enable` +`tests/e2e.sh --auth_enable` * Test commit in pilot repo, SHA:"dc738396fd21ab9779853635dd22693d9dd3f78a": -`tests/e2e.sh --pilot_hub=gcr.io/istio-testing --pilot_tag=dc738396fd21ab9779853635dd22693d9dd3f78a --istioctl_url=https://storage.googleapis.com/istio-artifacts/dc738396fd21ab9779853635dd22693d9dd3f78a/artifacts/istioctl --rbac_path=install/kubernetes/istio-rbac-beta.yaml --auth_enable` +`tests/e2e.sh --pilot_hub=gcr.io/istio-testing --pilot_tag=dc738396fd21ab9779853635dd22693d9dd3f78a --istioctl_url=https://storage.googleapis.com/istio-artifacts/dc738396fd21ab9779853635dd22693d9dd3f78a/artifacts/istioctl --auth_enable` * If you want to run one specific test, you can do: diff --git a/tests/e2e/framework/kubernetes.go b/tests/e2e/framework/kubernetes.go index b3392259fd6a..798abfa3d44b 100644 --- a/tests/e2e/framework/kubernetes.go +++ b/tests/e2e/framework/kubernetes.go 
@@ -30,13 +30,16 @@ import ( ) const ( - yamlSuffix = ".yaml" - istioInstallDir = "install/kubernetes" - istioAddonsDir = "install/kubernetes/addons" - nonAuthInstallFile = "istio-one-namespace.yaml" - authInstallFile = "istio-one-namespace-auth.yaml" - istioSystem = "istio-system" - mixerConfigDefault = "istio-config-default" + yamlSuffix = ".yaml" + istioInstallDir = "install/kubernetes" + istioAddonsDir = "install/kubernetes/addons" + nonAuthInstallFile = "istio.yaml" + authInstallFile = "istio-auth.yaml" + nonAuthInstallFileNamespace = "istio-one-namespace.yaml" + authInstallFileNamespace = "istio-one-namespace-auth.yaml" + istioSystem = "istio-system" + mixerConfigDefault = "istio-config-default" + istioInitializerFile = "istio-initializer.yaml" ) var ( @@ -48,10 +51,10 @@ var ( caHub = flag.String("ca_hub", "", "Ca hub") caTag = flag.String("ca_tag", "", "Ca tag") authEnable = flag.Bool("auth_enable", false, "Enable auth") - rbacfile = flag.String("rbac_path", "", "Rbac yaml file") localCluster = flag.Bool("use_local_cluster", false, "Whether the cluster is local or not") skipSetup = flag.Bool("skip_setup", false, "Skip namespace creation and istio cluster setup") - initializerFile = flag.String("initializer_file", "", "Initializer yaml file") + initializerFile = flag.String("initializer_file", istioInitializerFile, "Initializer yaml file") + clusterWide = flag.Bool("cluster_wide", false, "Run cluster wide tests") addons = []string{ "prometheus", @@ -80,7 +83,11 @@ type KubeInfo struct { // newKubeInfo create a new KubeInfo by given temp dir and runID func newKubeInfo(tmpDir, runID string) (*KubeInfo, error) { if *namespace == "" { - *namespace = runID + if *clusterWide { + *namespace = istioSystem + } else { + *namespace = runID + } } yamlDir := filepath.Join(tmpDir, "yaml") i, err := NewIstioctl(yamlDir, *namespace, *namespace, *pilotHub, *pilotTag) 
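Review bot: The `*clusterWide` default in `newKubeInfo` only applies when `--namespace` is empty, so `--cluster_wide --namespace=foo` leaves `k.Namespace` different from `istio-system` while `generateIstio`, `generateInitializer` and `deployAddons` skip the `istioSystem` rewrite. In that combination `generateIstio` still rewrites `mixerConfigDefault` to `k.Namespace`, and Teardown apparently waits on a namespace that the applied manifests never created. Rejecting the mix up front would make the constraint explicit, e.g. `if *clusterWide && *namespace != "" && *namespace != istioSystem { return nil, fmt.Errorf("--cluster_wide requires namespace %s", istioSystem) }`. `newKubeInfo` continues past the end of the hunk.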
@@ -109,12 +116,6 @@ func (k *KubeInfo) Setup() error { } if !*skipSetup { - if err = util.CreateNamespace(k.Namespace); err != nil { - glog.Error("Failed to create namespace.") - return err - } - k.namespaceCreated = true - if err = k.deployIstio(); err != nil { glog.Error("Failed to deploy Istio.") return err 
@@ -142,45 +143,74 @@ func (k *KubeInfo) Setup() error { // Teardown clean up everything created by setup func (k *KubeInfo) Teardown() error { glog.Info("Cleaning up kubeInfo") - var err error - if *rbacfile != "" { + if *skipSetup { + return nil + } + + if *useInitializer { + testInitializerYAML := filepath.Join(k.TmpDir, "yaml", *initializerFile) - testRbacYaml := filepath.Join(k.TmpDir, "yaml", filepath.Base(*rbacfile)) - if _, err = os.Stat(testRbacYaml); os.IsNotExist(err) { - glog.Errorf("%s File does not exist", testRbacYaml) - } else if err = util.KubeDelete(k.Namespace, testRbacYaml); err != nil { - glog.Errorf("Rbac deletion failed, please remove stale ClusterRoleBindings") + if err := util.KubeDelete(k.Namespace, testInitializerYAML); err != nil { + glog.Errorf("Istio initializer %s deletion failed", testInitializerYAML) + return err } } - if k.namespaceCreated { - if err = util.DeleteNamespace(k.Namespace); err != nil { + if *clusterWide { + // for cluster-wide, we can verify the uninstall + istioYaml := nonAuthInstallFile + if *authEnable { + istioYaml = authInstallFile + } + + testIstioYaml := filepath.Join(k.TmpDir, "yaml", istioYaml) + + if err := util.KubeDelete(k.Namespace, testIstioYaml); err != nil { + glog.Infof("Safe to ignore resource not found errors in kubectl delete -f %s", testIstioYaml) + } + } else { + if err := util.DeleteNamespace(k.Namespace); err != nil { glog.Errorf("Failed to delete namespace %s", k.Namespace) return err } - // confirm the namespace is deleted as it will cause future creation to fail - maxAttempts := 15 - namespaceDeleted := false - totalWait := 0 - for attempts := 1; attempts <= maxAttempts; attempts++ { - namespaceDeleted, err = util.NamespaceDeleted(k.Namespace) - if namespaceDeleted { - break - } - totalWait += attempts - time.Sleep(time.Duration(attempts) * time.Second) + // ClusterRoleBindings are not namespaced and need to be deleted separately + if _, err := util.Shell("kubectl get clusterrolebinding -o 
jsonpath={.items[*].metadata.name}"+ + "|xargs -n 1|fgrep %s|xargs kubectl delete clusterrolebinding", + k.Namespace); err != nil { + glog.Errorf("Failed to delete clusterrolebindings associated with namespace %s", k.Namespace) + return err } - if !namespaceDeleted { - glog.Errorf("Failed to delete namespace %s after %v seconds", k.Namespace, totalWait) + // ClusterRoles are not namespaced and need to be deleted separately + if _, err := util.Shell("kubectl get clusterrole -o jsonpath={.items[*].metadata.name}"+ + "|xargs -n 1|fgrep %s|xargs kubectl delete clusterrole", + k.Namespace); err != nil { + glog.Errorf("Failed to delete clusterroles associated with namespace %s", k.Namespace) return err } - k.namespaceCreated = false - glog.Infof("Namespace %s deletion status: %v", k.Namespace, namespaceDeleted) } - return err + + // confirm the namespace is deleted as it will cause future creation to fail + maxAttempts := 20 + namespaceDeleted := false + for attempts := 1; attempts <= maxAttempts; attempts++ { + namespaceDeleted, _ = util.NamespaceDeleted(k.Namespace) + if namespaceDeleted { + break + } + time.Sleep(4 * time.Second) + } + + if !namespaceDeleted { + glog.Errorf("Failed to delete namespace %s after %v seconds", k.Namespace, maxAttempts*4) + return nil + } + + glog.Infof("Namespace %s deletion status: %v", k.Namespace, namespaceDeleted) + + return nil } func (k *KubeInfo) deployAddons() error { @@ -194,7 +224,9 @@ func (k *KubeInfo) deployAddons() error { return err } - content = replacePattern(k, content, istioSystem, k.Namespace) + if !*clusterWide { + content = replacePattern(k, content, istioSystem, k.Namespace) + } yamlFile := filepath.Join(k.TmpDir, "yaml", addon+".yaml") err = ioutil.WriteFile(yamlFile, content, 0600) 
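Review bot: In the non-cluster-wide branch of Teardown, the two `util.Shell` pipelines pick cluster-scoped objects with `fgrep %s` on `k.Namespace`, which is a substring match: when `--namespace` is set to a short or common value, ClusterRoles and ClusterRoleBindings that the test never created are deleted as well. Deleting by the generated manifest, as the cluster-wide branch already does with `util.KubeDelete(k.Namespace, testIstioYaml)`, would remove only what `deployIstio` applied. If the filter stays, `xargs` without `-r` (GNU) still runs `kubectl delete` once when nothing matches, which presumably fails and makes Teardown return an error on an otherwise clean cluster. Separately, the timeout path at the end logs `Failed to delete namespace` and then returns `nil`, and the error from `util.NamespaceDeleted` is discarded, so callers cannot see that cleanup failed.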
@@ -211,91 +243,46 @@ func (k *KubeInfo) deployAddons() error { } func (k *KubeInfo) deployIstio() error { - istioYaml := nonAuthInstallFile - if *authEnable { - istioYaml = authInstallFile + istioYaml := nonAuthInstallFileNamespace + if *clusterWide { + if *authEnable { + istioYaml = authInstallFile + } else { + istioYaml = nonAuthInstallFile + } + } else { + if *authEnable { + istioYaml = authInstallFileNamespace + } } baseIstioYaml := util.GetResourcePath(filepath.Join(istioInstallDir, istioYaml)) testIstioYaml := filepath.Join(k.TmpDir, "yaml", istioYaml) - if *rbacfile != "" { - baseRbacYaml := util.GetResourcePath(*rbacfile) - testRbacYaml := filepath.Join(k.TmpDir, "yaml", filepath.Base(*rbacfile)) - if err := k.generateRbac(baseRbacYaml, testRbacYaml); err != nil { - glog.Errorf("Generating rbac yaml failed") - } - if err := util.KubeApply(k.Namespace, testRbacYaml); err != nil { - glog.Errorf("Rbac deployment failed") - return err - } + if err := k.generateIstio(baseIstioYaml, testIstioYaml); err != nil { + glog.Errorf("Generating yaml %s failed", testIstioYaml) + return err + } + if err := util.KubeApply(k.Namespace, testIstioYaml); err != nil { + glog.Errorf("Istio core %s deployment failed", testIstioYaml) + return err } if *useInitializer { - baseInitializerYAML := util.GetResourcePath(*initializerFile) - testInitializerYAML := filepath.Join(k.TmpDir, "yaml", filepath.Base(*initializerFile)) + baseInitializerYAML := util.GetResourcePath(filepath.Join(istioInstallDir, *initializerFile)) + testInitializerYAML := filepath.Join(k.TmpDir, "yaml", *initializerFile) if err := k.generateInitializer(baseInitializerYAML, testInitializerYAML); err != nil { glog.Errorf("Generating initializer yaml failed") return err } if err := util.KubeApply(k.Namespace, testInitializerYAML); err != nil { - glog.Errorf("Istio sidecar initializer %s deployment failed", testInitializerYAML) + glog.Errorf("Istio initializer %s deployment failed", testInitializerYAML) return err } } 
- if err := k.generateIstio(baseIstioYaml, testIstioYaml); err != nil { - glog.Errorf("Generating yaml %s failed", testIstioYaml) - return err - } - if err := util.KubeApply(k.Namespace, testIstioYaml); err != nil { - glog.Errorf("Istio core %s deployment failed", testIstioYaml) - return err - } - return nil } -func (k *KubeInfo) generateRbac(src, dst string) error { - content, err := ioutil.ReadFile(src) - if err != nil { - glog.Errorf("Cannot read original yaml file %s", src) - return err - } - - content = replacePattern(k, content, istioSystem, k.Namespace) - content = replacePattern(k, content, "namespace: default", - "namespace: "+k.Namespace) - - content = replacePattern(k, content, "istio-pilot-admin-role-binding", - "istio-pilot-admin-role-binding-"+k.Namespace) - - content = replacePattern(k, content, "istio-mixer-admin-role-binding", - "istio-mixer-admin-role-binding-"+k.Namespace) - - content = replacePattern(k, content, "istio-ca-role-binding", - "istio-ca-role-binding-"+k.Namespace) - - content = replacePattern(k, content, "istio-ingress-admin-role-binding", - "istio-ingress-admin-role-binding-"+k.Namespace) - - content = replacePattern(k, content, "istio-egress-admin-role-binding", - "istio-egress-admin-role-binding-"+k.Namespace) - - content = replacePattern(k, content, "istio-sidecar-role-binding", - "istio-sidecar-role-binding-"+k.Namespace) - - content = replacePattern(k, content, "istio-initializer-admin-role-binding", - "istio-initializer-admin-role-binding-"+k.Namespace) - - content = replacePattern(k, content, mixerConfigDefault, k.Namespace) - - err = ioutil.WriteFile(dst, content, 0600) - if err != nil { - glog.Errorf("Cannot write into generate rbac file %s", dst) - } - return err -} - func updateInjectImage(name, module, hub, tag string, content []byte) []byte { image := []byte(fmt.Sprintf("%s: %s/%s:%s", name, hub, module, tag)) r := regexp.MustCompile(fmt.Sprintf("%s: .*(\\/%s):.*", name, module)) 
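Review bot: `filepath.Join(k.TmpDir, "yaml", *initializerFile)` in `deployIstio` drops the `filepath.Base` that the old code applied, so a `--initializer_file` value with directory components or `..` hands `generateInitializer` a destination outside the per-run `yaml` directory; the same join is used in Teardown for the delete. The flag also changed meaning from a resource path to a file name resolved under `istioInstallDir`, but its help text is still `"Initializer yaml file"`. I would keep `filepath.Base(*initializerFile)` for the destination in both places and state in the flag description that the name is looked up under `install/kubernetes`.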
@@ -315,7 +302,9 @@ func (k *KubeInfo) generateInitializer(src, dst string) error { return err } - content = replacePattern(k, content, istioSystem, k.Namespace) + if !*clusterWide { + content = replacePattern(k, content, istioSystem, k.Namespace) + } if *pilotHub != "" && *pilotTag != "" { content = updateIstioYaml("initializer", *pilotHub, *pilotTag, content) @@ -345,7 +334,9 @@ func (k *KubeInfo) generateIstio(src, dst string) error { return err } - content = replacePattern(k, content, istioSystem, k.Namespace) + if !*clusterWide { + content = replacePattern(k, content, istioSystem, k.Namespace) + } content = replacePattern(k, content, mixerConfigDefault, k.Namespace) // Replace long refresh delays with short ones for the sake of tests. diff --git a/tests/e2e/util/commonUtils.go b/tests/e2e/util/commonUtils.go index 0ef933aa534c..950936a83fbf 100644 --- a/tests/e2e/util/commonUtils.go +++ b/tests/e2e/util/commonUtils.go @@ -69,9 +69,8 @@ func WriteTempfile(tmpDir, prefix, suffix, contents string) (string, error) { // Shell run command on shell and get back output and error if get one func Shell(format string, args ...interface{}) (string, error) { command := fmt.Sprintf(format, args...) - parts := strings.Split(command, " ") glog.V(2).Infof("Running command %s", command) - c := exec.Command(parts[0], parts[1:]...) // #nosec + c := exec.Command("sh", "-c", command) // #nosec bytes, err := c.CombinedOutput() glog.V(2).Infof("Command output: \n %s, err: %v", string(bytes[:]), err) if err != nil {
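Review bot: In `tests/e2e/util/commonUtils.go`, `exec.Command("sh", "-c", command)` turns every value that callers format into `Shell` into shell syntax, where the removed `strings.Split` form passed them as plain argv words, and the retained `// #nosec` now silences the very finding a scanner would report on this line. Values such as `k.Namespace` or file paths that contain spaces, quotes, `;`, `|`, `$` or glob characters are interpreted by sh instead of reaching the program unchanged; the new Teardown pipelines also leave `jsonpath={.items[*].metadata.name}` unquoted and rely on sh not expanding it. I would keep `Shell` argv-based and add a separate helper for the pipeline callers, or at least state the contract on the function: `// Shell runs the formatted command through "sh -c"; callers must quote or validate every value they format into it.` The body of `Shell` continues past the end of the hunk.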