Merge pull request #242 from zirain/tetrate-io

Adding Tetrate Istio Distribution

eks-anywhere-common/Addons/Partner/Tetrate.io/namespace.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-system
+  labels:
+    aws.conformance.vendor: tetrate.io
+    aws.conformance.vendor-solution: tetrate-istio-distribution
+    aws.conformance.vendor-solution-version: 1.18.1

eks-anywhere-common/Addons/Partner/Tetrate.io/tetrate-istiod-source.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: tetrate-istio-charts
+  namespace: flux-system
+spec:
+  interval: 30s
+  url: https://tetratelabs.github.io/helm-charts

eks-anywhere-common/Addons/Partner/Tetrate.io/tetrate-istiod.yaml

@@ -0,0 +1,16 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: tetrate-istiod
+  namespace: istio-system
+spec:
+  chart:
+    spec:
+      chart: istiod
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: tetrate-istio-charts
+        namespace: flux-system
+      version: 1.18.1
+  interval: 1m0s

eks-anywhere-common/Testers/Tetrate.io/tetrate-istiod-testjob-script.yaml

@@ -0,0 +1,143 @@
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: tetrate-tetsjob-script
+  namespace: istio-system
+data:
+  run-functional-tests.sh: |-
+    #!/bin/sh
+
+    # Cleanup function to remove resources
+    cleanup() {
+        echo "Cleaning up resources..."
+        kubectl delete gateway httpbin-gateway -n istio-system
+        kubectl delete deployment custom-ingressgateway -n istio-system
+        # Any additional cleanup commands go here
+        echo "Cleanup completed."
+    }
+
+    # Trap statement to ensure cleanup runs on exit of the script
+    trap cleanup EXIT
+
+
+    error_exit()
+    {
+        echo "Test Failed: $1" 1>&2
+        exit 1
+    }
+    
+    deploy_custom_gateway() {
+        # Create a custom Istio ingress gateway
+        cat <<EOF | kubectl apply -f -
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: custom-ingressgateway
+      namespace: istio-system
+    spec:
+      replicas: 1
+      selector:
+        matchLabels:
+          istio: custom-ingress-gw
+      template:
+        metadata:
+          annotations:
+            inject.istio.io/templates: gateway
+          labels:
+            istio: custom-ingress-gw
+            sidecar.istio.io/inject: "true"
+        spec:
+          containers:
+          - name: istio-proxy
+            image: auto # Make sure to replace this with the actual image you want to use.
+    EOF
+    
+        # Verify the custom gateway has been deployed
+        kubectl get deployment custom-ingressgateway -n istio-system
+    }
+    
+    deploy_test_gateway() {
+        # Create a Gateway resource
+        cat <<EOF | kubectl apply -f -
+    apiVersion: networking.istio.io/v1alpha3
+    kind: Gateway
+    metadata:
+      name: httpbin-gateway
+      namespace: istio-system
+    spec:
+      selector:
+        istio: custom-ingress-gw # this should match the label of your Istio ingress gateway deployment
+      servers:
+      - port:
+          number: 80
+          name: http
+          protocol: HTTP
+        hosts:
+        - "httpbin.example.com"
+    EOF
+    
+        # Verify the Gateway has been created
+        kubectl get gateway httpbin-gateway -n istio-system
+    }
+    
+    deploy_test_virtualservice() {
+        # Create a VirtualService resource
+        cat <<EOF | kubectl apply -f -
+    apiVersion: networking.istio.io/v1alpha3
+    kind: VirtualService
+    metadata:
+      name: httpbin-virtualservice
+      namespace: istio-system
+    spec:
+      hosts:
+      - "httpbin.example.com"
+      gateways:
+      - httpbin-gateway
+      http:
+      - match:
+        - uri:
+            prefix: "/"
+        route:
+        - destination:
+            host: httpbin
+            port:
+              number: 80
+    EOF
+    
+        # Verify the VirtualService has been created
+        kubectl get virtualservice httpbin-virtualservice -n istio-system
+    }
+    
+    check_istio_gateway_config() {
+       # Get the name of the Istio ingressgateway pod
+       local ingress_gateway_pod=$(kubectl get pod -l istio=custom-ingress-gw -n istio-system -o jsonpath='{.items[0].metadata.name}')
+       
+       # Check if the ingress gateway has received configuration from Istiod
+       local gateway_status=$(kubectl exec "$ingress_gateway_pod" -n istio-system -- curl -s 'http://localhost:15000/config_dump')
+       
+       if echo "$gateway_status" | grep 'httpbin.example.com'; then
+           echo "Istio Ingress Gateway has received correct configuration from Istiod."
+       else
+           error_exit "Istio Ingress Gateway has not received correct configuration from Istiod."
+       fi
+    }
+    
+    echo "Deploying custom Istio Ingress Gateway..."
+    deploy_custom_gateway || error_exit "Failed to deploy custom Istio Ingress Gateway."
+
+    # Wait for the custom ingress gateway deployment to be ready
+    echo "Waiting for the custom ingress gateway deployment to be ready..."
+    kubectl rollout status deployment/custom-ingressgateway -n istio-system || error_exit "Custom Istio Ingress Gateway deployment is not ready."
+
+    echo "Deploying test gateway..."
+    deploy_test_gateway || error_exit "Failed to deploy test gateway."
+    
+    echo "Deploying test VirtualService..."
+    deploy_test_virtualservice || error_exit "Failed to deploy test VirtualService."
+    
+    echo "Checking Istio Ingress Gateway configuration..."
+    check_istio_gateway_config || error_exit "Ingress Gateway configuration check failed."
+    
+    echo "Istio functional test completed successfully."
+    exit 0

eks-anywhere-common/Testers/Tetrate.io/tetrate-istiod-testjob.yaml

@@ -0,0 +1,28 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: tetrate-istiod-health-test
+  namespace: istio-system  
+spec:
+  schedule: "10 10 * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: tetrate-istiod-healthtest
+              image: 'alpine/k8s:1.26.2'
+              imagePullPolicy: Always
+              command:
+                - /bin/run-functional-tests.sh
+              volumeMounts:
+                - name: functional-tests-volume
+                  mountPath: /bin/run-functional-tests.sh
+                  readOnly: true
+                  subPath: run-functional-tests.sh
+          volumes:
+            - name: functional-tests-volume
+              configMap:
+                defaultMode: 0700
+                name: tetrate-tetsjob-script
+          restartPolicy: Never

eks-anywhere-common/Testers/Tetrate.io/tetrate-testjob-role.yaml

@@ -0,0 +1,29 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tetrate-istiod-job-role
+  namespace: istio-system
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "pods/exec", "services"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["networking.istio.io"]
+    resources: ["gateways", "virtualservices", "destinationrules", "serviceentries", "envoyfilters"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tetrate-istiod-job-rolebinding
+  namespace: istio-system
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: istio-system
+roleRef:
+  kind: Role
+  name: tetrate-istiod-job-role
+  apiGroup: rbac.authorization.k8s.io