Merge branch 'openshift-istio-test' into 'release/4.2'

Openshift istio test

See merge request weblogic-cloud/weblogic-kubernetes-operator!4958

Author: rjeberhard

Jenkinsfile.openshift

@@ -3,9 +3,9 @@
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 //
 
-CRON_SETTINGS = '''H 1 * * * % MAVEN_PROFILE_NAME=wko-okd-wls-srg
-                   H 2 * * * % MAVEN_PROFILE_NAME=wko-okd-wls-mrg
-                   H 3 * * * % MAVEN_PROFILE_NAME=wko-okd-fmw-cert'''
+CRON_SETTINGS = '''H 1 * * 0 % MAVEN_PROFILE_NAME=wko-okd-wls-srg
+                   H 3 * * 0 % MAVEN_PROFILE_NAME=wko-okd-wls-mrg
+                   H 5 * * 0 % MAVEN_PROFILE_NAME=wko-okd-fmw-cert'''
 
 pipeline {
     agent { label 'large' }
@@ -15,7 +15,7 @@ pipeline {
     }
     triggers {
         // timer trigger for "nightly build"
-        parameterizedCron(env.JOB_NAME == 'wko-release42-nightly-okd' ?
+        parameterizedCron(env.JOB_NAME == 'openshift-release42-weekly' ?
         CRON_SETTINGS : '')
     }
 

integration-tests/src/test/java/oracle/weblogic/kubernetes/ItIstioMiiDomain.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2020, 2024, Oracle and/or its affiliates.
+// Copyright (c) 2020, 2025, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.weblogic.kubernetes;
@@ -45,6 +45,7 @@
 import static oracle.weblogic.kubernetes.TestConstants.MII_BASIC_IMAGE_NAME;
 import static oracle.weblogic.kubernetes.TestConstants.MII_BASIC_IMAGE_TAG;
 import static oracle.weblogic.kubernetes.TestConstants.OCNE;
+import static oracle.weblogic.kubernetes.TestConstants.OKD;
 import static oracle.weblogic.kubernetes.TestConstants.OKE_CLUSTER;
 import static oracle.weblogic.kubernetes.TestConstants.TEST_IMAGES_REPO_SECRET_NAME;
 import static oracle.weblogic.kubernetes.actions.ActionConstants.MODEL_DIR;
@@ -65,6 +66,7 @@
 import static oracle.weblogic.kubernetes.utils.CommonTestUtils.withStandardRetryPolicy;
 import static oracle.weblogic.kubernetes.utils.ConfigMapUtils.createConfigMapAndVerify;
 import static oracle.weblogic.kubernetes.utils.DomainUtils.createDomainAndVerify;
+import static oracle.weblogic.kubernetes.utils.ExecCommand.exec;
 import static oracle.weblogic.kubernetes.utils.FileUtils.generateFileFromTemplate;
 import static oracle.weblogic.kubernetes.utils.FileUtils.replaceStringInFile;
 import static oracle.weblogic.kubernetes.utils.ImageUtils.createBaseRepoSecret;
@@ -126,8 +128,19 @@ public static void initAll(@Namespaces(2) List<String> namespaces) {
     // Label the domain/operator namespace with istio-injection=enabled
     Map<String, String> labelMap = new HashMap<>();
     labelMap.put("istio-injection", "enabled");
-    assertDoesNotThrow(() -> addLabelsToNamespace(domainNamespace,labelMap));
-    assertDoesNotThrow(() -> addLabelsToNamespace(opNamespace,labelMap));
+    labelMap.put("istio-discovery", "enabled");
+    testUntil(
+        withStandardRetryPolicy,
+        addLabelsToNamespace(domainNamespace, labelMap, true),
+        logger,
+        "adding istio labels to domain namespace {0}",
+        domainNamespace);
+    testUntil(
+        withStandardRetryPolicy,
+        addLabelsToNamespace(opNamespace, labelMap, true),
+        logger,
+        "adding istio labels to operator namespace {0}",
+        opNamespace);
 
     // install and verify operator
     installAndVerifyOperator(opNamespace, domainNamespace);
@@ -221,33 +234,59 @@ void testIstioModelInImageDomain() throws UnknownHostException, IOException, Int
     Path targetHttpFile = assertDoesNotThrow(
         () -> generateFileFromTemplate(srcHttpFile.toString(), "istio-http.yaml", templateMap));
     logger.info("Generated Http VS/Gateway file path is {0}", targetHttpFile);
+    if (OKD) {
+      replaceStringInFile(targetHttpFile.toString(), domainNamespace + ".org", "*");
+    }
 
     boolean deployRes = assertDoesNotThrow(
         () -> deployHttpIstioGatewayAndVirtualservice(targetHttpFile));
     assertTrue(deployRes, "Failed to deploy Http Istio Gateway/VirtualService");
 
-    Path srcDrFile = Paths.get(RESOURCE_DIR, "istio", "istio-dr-template.yaml");
-    Path targetDrFile = assertDoesNotThrow(
-        () -> generateFileFromTemplate(srcDrFile.toString(), "istio-dr.yaml", templateMap));
-    logger.info("Generated DestinationRule file path is {0}", targetDrFile);
-
-    deployRes = assertDoesNotThrow(() -> deployIstioDestinationRule(targetDrFile));
-    assertTrue(deployRes, "Failed to deploy Istio DestinationRule");
-
-    int istioIngressPort = getIstioHttpIngressPort();
-    String host = formatIPv6Host(K8S_NODEPORT_HOST);
-    logger.info("Istio Ingress Port is {0}", istioIngressPort);
-    logger.info("host {0}", host);
-
-    // In internal OKE env, use Istio EXTERNAL-IP; in non-OKE env, use K8S_NODEPORT_HOST + ":" + istioIngressPort
-    String hostAndPort = getServiceExtIPAddrtOke(istioIngressServiceName, istioNamespace) != null
-        ? getServiceExtIPAddrtOke(istioIngressServiceName, istioNamespace) : host + ":" + istioIngressPort;
+    Path targetDrFile;
+    if (!OKD) {
+      Path srcDrFile = Paths.get(RESOURCE_DIR, "istio", "istio-dr-template.yaml");
+      targetDrFile = assertDoesNotThrow(
+          () -> generateFileFromTemplate(srcDrFile.toString(), "istio-dr.yaml", templateMap));
+      logger.info("Generated DestinationRule file path is {0}", targetDrFile);
+
+      deployRes = assertDoesNotThrow(() -> deployIstioDestinationRule(targetDrFile));
+      assertTrue(deployRes, "Failed to deploy Istio DestinationRule");
+    } else {
+      Path srcDrFile = Paths.get(RESOURCE_DIR, "istio", "openshift-istio-roles-template.yaml");
+      targetDrFile = assertDoesNotThrow(
+          () -> generateFileFromTemplate(srcDrFile.toString(), "openshift-istio-roles.yaml", templateMap));
+      logger.info("Generated Gateway roles and service file path is {0}", targetDrFile);
+
+      deployRes = assertDoesNotThrow(() -> deployIstioDestinationRule(targetDrFile));
+      //assertTrue(deployRes, "Failed to deploy Istio DestinationRule");
+
+      String command = "oc expose service istio-ingressgateway -n " + domainNamespace;
+      result = exec(command, true);
+      assertEquals(0, result.exitValue(), "Failed to expose istio-ingressgateway service");
+    }
 
+    String hostAndPort = "";
     String workManagers = "/management/weblogic/latest/domainConfig/selfTuning/workManagers/";
     String newWM = workManagers + "newWM/";
-    if (!TestConstants.WLSIMG_BUILDER.equals(TestConstants.WLSIMG_BUILDER_DEFAULT) && !OCNE) {
-      istioIngressPort = ISTIO_HTTP_HOSTPORT;
-      hostAndPort = InetAddress.getLocalHost().getHostAddress() + ":" + istioIngressPort;
+    
+    if (!OKD) {
+      int istioIngressPort = getIstioHttpIngressPort();
+      String host = formatIPv6Host(K8S_NODEPORT_HOST);
+      logger.info("Istio Ingress Port is {0}", istioIngressPort);
+      logger.info("host {0}", host);
+
+      // In internal OKE env, use Istio EXTERNAL-IP; in non-OKE env, use K8S_NODEPORT_HOST + ":" + istioIngressPort
+      hostAndPort = getServiceExtIPAddrtOke(istioIngressServiceName, istioNamespace) != null
+          ? getServiceExtIPAddrtOke(istioIngressServiceName, istioNamespace) : host + ":" + istioIngressPort;
+
+      if (!TestConstants.WLSIMG_BUILDER.equals(TestConstants.WLSIMG_BUILDER_DEFAULT) && !OCNE) {
+        istioIngressPort = ISTIO_HTTP_HOSTPORT;
+        hostAndPort = InetAddress.getLocalHost().getHostAddress() + ":" + istioIngressPort;
+      }
+    } else {
+      result = exec("oc get route istio-ingressgateway -n " + domainNamespace + " -o jsonpath='{.spec.host}'", true);
+      assertEquals(0, result.exitValue(), "Failed to get route");
+      hostAndPort = result.stdout();
     }
 
     String url = "http://" + hostAndPort + "/management/tenant-monitoring/servers/";
@@ -351,7 +390,15 @@ private static void enableStrictMode(String namespace) {
 
   private void checkApp(String url) {
     testUntil(
-        () -> checkAppUsingHostHeader(url, domainNamespace + ".org"),
+        () -> {
+          if (!OKD) {
+            checkAppUsingHostHeader(url, domainNamespace + ".org");
+            return true;
+          } else {
+            checkAppUsingHostHeader(url, null);
+            return true;
+          }
+        },
         logger,
         "application to be ready {0}",
         url);

integration-tests/src/test/java/oracle/weblogic/kubernetes/actions/TestActions.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2020, 2024, Oracle and/or its affiliates.
+// Copyright (c) 2020, 2025, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.weblogic.kubernetes.actions;
@@ -750,6 +750,20 @@ public static void addLabelsToNamespace(String name, Map<String, String> labels)
     Namespace.addLabelsToNamespace(name, labels);
   }
 
+  /**
+   * Add labels to a namespace.
+   *
+   * @param name name of the namespace
+   * @param labels map of labels to add to the namespace
+   * @param result to return result
+   * @return if replaced
+   */
+  public static Callable<Boolean> addLabelsToNamespace(String name, Map<String, String> labels, boolean result) {
+    return (() -> {
+      return Namespace.addLabelsToNamespace(name, labels, result);
+    });
+  }
+
   /**
    * Create a namespace with unique name.
    *

integration-tests/src/test/java/oracle/weblogic/kubernetes/actions/impl/Namespace.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2020, 2022, Oracle and/or its affiliates.
+// Copyright (c) 2020, 2025, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.weblogic.kubernetes.actions.impl;
@@ -94,4 +94,33 @@ public static void addLabelsToNamespace(String name, Map<String, String> labels)
       getLogger().severe("Namespace {0} not found or failed to add labels", name);
     }
   }
+  
+  /**
+   * Add labels to a namespace.
+   *
+   * @param name name of the namespace
+   * @param labels map of labels to add to the namespace
+   * @param result to return the result
+   * @return if replaced
+   * @throws ApiException when adding labels to namespace fails
+   */
+  public static boolean addLabelsToNamespace(String name, Map<String, String> labels, boolean result) {
+    boolean success = false;
+    try {
+      V1NamespaceList namespaces = Kubernetes.listNamespacesAsObjects();
+      if (!namespaces.getItems().isEmpty()) {
+        for (var ns : namespaces.getItems()) {
+          if (name.equals(ns.getMetadata().getName())) {
+            ns.metadata(ns.getMetadata().labels(labels));
+            Kubernetes.replaceNamespace(ns);
+            return true;
+          }
+        }
+        getLogger().severe("Namespace {0} not found or failed to add labels", name);
+      }
+    } catch (ApiException ex) {
+      return success;
+    }
+    return success;
+  }
 }

integration-tests/src/test/resources/istio/openshift-istio-roles-template.yaml

@@ -0,0 +1,83 @@
+# Copyright (c) 2025, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: istio-ingressgateway
+  namespace: NAMESPACE
+spec:
+  type: ClusterIP
+  selector:
+    istio: ingressgateway
+  ports:
+  - name: http2
+    port: 80
+    targetPort: 8080
+  - name: https
+    port: 443
+    targetPort: 8443
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istio-ingressgateway
+  namespace: NAMESPACE
+spec:
+  selector:
+    matchLabels:
+      istio: ingressgateway
+  template:
+    metadata:
+      annotations:
+        # Select the gateway injection template (rather than the default sidecar template)
+        inject.istio.io/templates: gateway
+      labels:
+        # Set a unique label for the gateway. This is required to ensure Gateways can select this workload
+        istio: ingressgateway
+        # Enable gateway injection. If connecting to a revisioned control plane, replace with "istio.io/rev: revision-name"
+        sidecar.istio.io/inject: "true"
+    spec:
+      containers:
+      - name: istio-proxy
+        image: auto # The image will automatically update each time the pod starts.
+
+---
+# Set up roles to allow reading credentials for TLS
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: istio-ingressgateway-sds
+  namespace: NAMESPACE
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: istio-ingressgateway-sds
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: istio-ingressgateway-sds
+subjects:
+- kind: ServiceAccount
+  name: default
+#---
+# Allow outside traffic to access the gateway
+# This is optional, only needed in case your cluster contains restrictive NetworkPolicies
+#apiVersion: networking.k8s.io/v1
+#kind: NetworkPolicy
+#metadata:
+#  name: gatewayingress
+#spec:
+#  podSelector:
+#    matchLabels:
+#      istio: ingressgateway
+#  ingress:
+#    - {}
+#  policyTypes:
+#  - Ingress
+