Sync integration tests

.github/actions/upgrade-integration-test/action.yaml

@@ -0,0 +1,31 @@
+name: 'Upgrade integration test'
+description: 'Runs upgrade suite of integration tests'
+inputs:
+  upgrade-image-name:
+    description: 'Image that will api-gateway be upgraded to'
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/setup-go@v4
+      with:
+        go-version: "1.20"
+    - name: Add local.kyma.dev to /etc/hosts
+      shell: bash
+      run: |
+        sudo echo "127.0.0.1 local.kyma.dev" | sudo tee -a /etc/hosts
+    - name: Run upgrade integration test
+      env:
+        KYMA_DOMAIN: "local.kyma.dev"
+        TEST_UPGRADE_IMG: ${{ inputs.upgrade-image-name }}
+      run: |
+        wget -q -O - https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | sudo bash
+        sudo curl -Lo /usr/bin/kyma https://storage.googleapis.com/kyma-cli-unstable/kyma-linux
+        sudo chmod +x /usr/bin/kyma
+        sudo kyma provision k3d
+        KUBECONFIG=$(k3d kubeconfig merge kyma) EXPORT_RESULT=true make install-kyma test-upgrade
+      shell: bash
+    - uses: actions/upload-artifact@v3
+      with:
+        name: html-reports
+        path: tests/integration/reports/

.github/actions/wait-for-job-suceed-or-fail/action.yaml

@@ -0,0 +1,33 @@
+name: 'Wait for job'
+description: 'Waits for given job (check) to succeed or fails'
+inputs:
+  job-name:
+    description: 'Job name (check) for which we want to wait'
+    required: true
+  github-auth-token:
+    description: 'Github token which comes from secrets.GITHUB_TOKEN'
+    required: true
+  timeout:
+    description: 'Timeout for job finish'
+    required: false
+    default: "1800"
+  commit-ref:
+    description: 'Commit ref on which the status check will be done'
+    required: false
+    default: ${{ github.event.pull_request.head.sha }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Wait for job to succeed
+      uses: autotelic/action-wait-for-status-check@6556cf50c8fb6608412945382eae73581f56cbb4 # not versioned
+      id: wait-for-status
+      with:
+        token: ${{ inputs.github-auth-token }}
+        statusName: ${{ inputs.job-name }}
+        timeoutSeconds: ${{ inputs.timeout }}
+        ref: ${{ inputs.commit-ref }}
+    - name: Check if build status is success
+      if: steps.wait-for-status.outputs.state != 'success'
+      run: exit 1
+      shell: bash

.github/workflows/integration-tests.yaml

@@ -0,0 +1,56 @@
+# This workflow is responsible for all kinds of integration tests run on pull request.
+# Those tests depend on a container image so in the first job we wait for the image build to succeed.
+
+name: Pull Request integration tests
+
+on:
+  pull_request_target:
+    types: [synchronize, opened, reopened, ready_for_review]
+    paths-ignore:
+      - "docs/**"
+      - "**/*.md"
+      - "tests/performance/**"
+      - "OWNERS"
+      - "CODEOWNERS"
+      - "sec-scanners-config.yaml"
+      - ".github/**" #Ignoring since build job isn't triggered on the workflow directory changes
+    branches:
+      - main
+      - 'release-**'
+
+jobs:
+  wait-for-image-build:
+  # Checking out the PR with 'actions/checkout' is dangerous as the PR can contain malicious code, so it needs to be safeguarded by running in 'restricted' environment that needs approval to run
+    environment: ${{ github.event.pull_request.author_association != 'COLLABORATOR' && github.event.pull_request.author_association != 'OWNER' && 'restricted' || 'internal' }}
+    name: Wait for image build
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - uses: ./.github/actions/wait-for-job-succeed-or-fail
+        with:
+          job-name: 'pull-api-gateway-build'
+          github-auth-token: ${{ secrets.GITHUB_TOKEN }}
+          commit-ref: ${{ github.event.pull_request.head.sha }}
+
+  api-gateway-upgrade-test:
+  # Checking out the PR with 'actions/checkout' is dangerous as the PR can contain malicious code, so it needs to be safeguarded by running in 'restricted' environment that needs approval to run
+    environment: ${{ github.event.pull_request.author_association != 'COLLABORATOR' && github.event.pull_request.author_association != 'OWNER' && 'restricted' || 'internal' }}
+    name: Istio upgrade integration test
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
+    needs: [wait-for-image-build]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+      - uses: ./.github/actions/upgrade-integration-test
+        env:
+          CLIENT_ID: ${{ secrets.CLIENT_ID }}
+          CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
+          OIDC_ISSUER_URL: ${{ secrets.OIDC_ISSUER_URL }}
+        with:
+          upgrade-image-name: "europe-docker.pkg.dev/kyma-project/dev/api-gateway-controller:PR-${{github.event.number}}"

Makefile

@@ -101,6 +101,10 @@ test: manifests generate fmt vet envtest ## Generate manifests and run tests.
 test-integration: generate fmt vet envtest ## Run integration tests.
 	source ./tests/integration/env_vars.sh && go test -timeout 1h ./tests/integration -v -race -run TestIstioJwt . && go test -timeout 1h ./tests/integration -v -race -run TestOryJwt .
 
+.PHONY: test-upgrade
+test-upgrade: generate fmt vet install ## Run API Gateway upgrade tests.
+	source ./tests/integration/env_vars.sh && $(GOTEST) ./tests/integration -v -race -run TestUpgrade .
+
 test-custom-domain:
 	source ./tests/integration/env_vars_custom_domain.sh && bash -c "trap 'kubectl delete secret google-credentials -n default' EXIT; \
              kubectl create secret generic google-credentials -n default --from-file=serviceaccount.json=${TEST_SA_ACCESS_KEY_PATH}; \

config/samples/api-gateway-confimap.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: api-gateway-config
+  namespace: kyma-system
+data:
+  api-gateway-config: >
+    jwtHandler: "istio"

docs/contributor/04-30-ci-cd.md

@@ -0,0 +1,9 @@
+# CI/CD
+
+## Environments
+
+In this repository, certain jobs are set up to run within the context of the repository environment. This ensures that the jobs that require access to repository Secrets are manually allowed by repository maintainers.
+
+There are two environments configured:
+- 'internal' - used when a repository collaborator runs a job in the repository
+- 'restricted' - used when an outside collaborator runs a job in the repository. The run must be approved by @kyma-project/goat.

go.mod

@@ -3,7 +3,7 @@ module github.com/kyma-project/api-gateway
 go 1.20
 
 require (
-	github.com/avast/retry-go v3.0.0+incompatible
+	github.com/avast/retry-go/v4 v4.5.0
 	github.com/cucumber/godog v0.13.0
 	github.com/go-logr/logr v1.2.4
 	github.com/onsi/ginkgo/v2 v2.12.0

go.sum

@@ -47,8 +47,8 @@ github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmV
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/avast/retry-go v2.4.1+incompatible/go.mod h1:XtSnn+n/sHqQIpZ10K1qAevBhOOCWBLXXy3hyiqqBrY=
-github.com/avast/retry-go v3.0.0+incompatible h1:4SOWQ7Qs+oroOTQOYnAHqelpCO0biHSxpiH9JdtuBj0=
-github.com/avast/retry-go v3.0.0+incompatible/go.mod h1:XtSnn+n/sHqQIpZ10K1qAevBhOOCWBLXXy3hyiqqBrY=
+github.com/avast/retry-go/v4 v4.5.0 h1:QoRAZZ90cj5oni2Lsgl2GW8mNTnUCnmpx/iKpwVisHg=
+github.com/avast/retry-go/v4 v4.5.0/go.mod h1:7hLEXp0oku2Nir2xBAsg0PTphp9z71bN5Aq1fboC3+I=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=

tests/integration/main_test.go

@@ -7,6 +7,7 @@ import (
 	"github.com/kyma-project/api-gateway/tests/integration/testsuites/custom-domain"
 	"github.com/kyma-project/api-gateway/tests/integration/testsuites/istio-jwt"
 	"github.com/kyma-project/api-gateway/tests/integration/testsuites/ory"
+	"github.com/kyma-project/api-gateway/tests/integration/testsuites/upgrade"
 	"log"
 	"os"
 	"testing"
@@ -39,6 +40,24 @@ func TestCustomDomain(t *testing.T) {
 	runTestsuite(t, ts, config)
 }
 
+func TestUpgrade(t *testing.T) {
+	config := testcontext.GetConfig()
+	config.TestConcurrency = 1
+	ts, err := testcontext.New(config, upgrade.NewTestsuite)
+
+	if err != nil {
+		t.Fatalf("Failed to create Upgrade testsuite %s", err.Error())
+	}
+	originalJwtHandler, err := SwitchJwtHandler(ts, "istio")
+	if err != nil {
+		log.Print(err.Error())
+		t.Fatalf("unable to switch to Istio jwtHandler")
+	}
+	defer cleanUp(ts, originalJwtHandler)
+	defer ts.TearDown()
+	runTestsuite(t, ts, config)
+}
+
 func TestOryJwt(t *testing.T) {
 	config := testcontext.GetConfig()
 	ts, err := testcontext.New(config, ory.NewTestsuite)

tests/integration/pkg/helpers/api_rule.go

@@ -3,7 +3,7 @@ package helpers
 import (
 	"encoding/json"
 	"errors"
-	"github.com/avast/retry-go"
+	"github.com/avast/retry-go/v4"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/client-go/dynamic"
 )

tests/integration/pkg/helpers/http_client.go

@@ -2,7 +2,7 @@ package helpers
 
 import (
 	"fmt"
-	"github.com/avast/retry-go"
+	"github.com/avast/retry-go/v4"
 	"github.com/pkg/errors"
 	"net/http"
 )

tests/integration/pkg/resource/manager.go

@@ -3,7 +3,7 @@ package resource
 import (
 	"context"
 	"fmt"
-	"github.com/avast/retry-go"
+	"github.com/avast/retry-go/v4"
 	"github.com/kyma-project/api-gateway/tests/integration/pkg/client"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -66,6 +66,31 @@ func (m *Manager) UpdateResources(k8sClient dynamic.Interface, resources ...unst
 	return gotRes, nil
 }
 
+func (m *Manager) CreateOrUpdateResources(k8sClient dynamic.Interface, resources ...unstructured.Unstructured) (*unstructured.Unstructured, error) {
+	gotRes := &unstructured.Unstructured{}
+	for _, res := range resources {
+		resourceSchema, ns, _ := m.GetResourceSchemaAndNamespace(res)
+		_, err := m.GetResource(k8sClient, resourceSchema, ns, res.GetName(), retry.Attempts(2), retry.Delay(1))
+
+		if err != nil {
+			if apierrors.IsNotFound(retry.Error{err}.Unwrap()) {
+				err := m.CreateResource(k8sClient, resourceSchema, ns, res)
+				if err != nil {
+					return nil, err
+				}
+			} else {
+				return nil, err
+			}
+		} else {
+			err = m.UpdateResource(k8sClient, resourceSchema, ns, res.GetName(), res)
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+	return gotRes, nil
+}
+
 func (m *Manager) DeleteResources(k8sClient dynamic.Interface, resources ...unstructured.Unstructured) error {
 	for _, res := range resources {
 		resourceSchema, ns, name := m.GetResourceSchemaAndNamespace(res)
@@ -141,20 +166,36 @@ func (m *Manager) DeleteResource(client dynamic.Interface, resourceSchema schema
 }
 
 // GetResource returns chosed k8s object
-func (m *Manager) GetResource(client dynamic.Interface, resourceSchema schema.GroupVersionResource, namespace string, resourceName string) (*unstructured.Unstructured, error) {
+func (m *Manager) GetResource(client dynamic.Interface, resourceSchema schema.GroupVersionResource, namespace string, resourceName string, opts ...retry.Option) (*unstructured.Unstructured, error) {
 	var res *unstructured.Unstructured
-	err := retry.Do(
-		func() error {
-			var err error
-			res, err = client.Resource(resourceSchema).Namespace(namespace).Get(context.Background(), resourceName, metav1.GetOptions{})
-			if err != nil {
-				return err
-			}
-			return nil
-		}, m.retryOptions...)
-	if err != nil {
-		return nil, err
+	if len(opts) == 0 {
+		err := retry.Do(
+			func() error {
+				var err error
+				res, err = client.Resource(resourceSchema).Namespace(namespace).Get(context.Background(), resourceName, metav1.GetOptions{})
+				if err != nil {
+					return err
+				}
+				return nil
+			}, m.retryOptions...)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		err := retry.Do(
+			func() error {
+				var err error
+				res, err = client.Resource(resourceSchema).Namespace(namespace).Get(context.Background(), resourceName, metav1.GetOptions{})
+				if err != nil {
+					return err
+				}
+				return nil
+			}, opts...)
+		if err != nil {
+			return nil, err
+		}
 	}
+
 	return res, nil
 }
 

tests/integration/pkg/testcontext/config.go

@@ -2,7 +2,7 @@ package testcontext
 
 import (
 	"fmt"
-	"github.com/avast/retry-go"
+	"github.com/avast/retry-go/v4"
 	"github.com/vrischmann/envconfig"
 	"time"
 )

tests/integration/testsuites/ory/manifests/global-commons.yaml

@@ -2,13 +2,3 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: "{{.Namespace}}"
----
-apiVersion: v1
-data:
-  client_id: "{{.OauthClientID}}"
-  client_secret: "{{.OauthClientSecret}}"
-kind: Secret
-metadata:
-  name: "{{.OauthSecretName}}"
-  namespace: "{{.Namespace}}"
-type: Opaque