Add option to run all e2e tests with different http and https settings

[taragu]

/lint

Part of #5148

Proposed Changes

• Add option to run all e2e tests with different http and https settings

Release Note

NONE

/cc @JRBANCEL
/cc @ZhiminXiang

[knative-prow-robot]

Hi @taragu. Thanks for your PR.

I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[JRBANCEL]

Do we need to keep the _example?
It makes things less clear I feel.

[JRBANCEL]

http-only might be more explicit than http.
Same with https-only vs. https.

[taragu]

@JRBANCEL originally I was thinking of having flags that corresponded directly to the yaml values:

--http --> httpProtocol: "Enabled"
--no-http --> httpProtocol: "Disabled"
--auto-tls --> autoTLS: "Enabled"
--no-auto-tls --> autoTLS: "Disabled"

If we have flags http-only and https-only, do we need to introduce a third flag to indicate http and https?

[ZhiminXiang]

I would prefer not introducing auto TLS into this PR if we just want to test different HTTP and HTTPS setting because:

1. auto TLS needs more setup (DNS server, real domain, static IP, etc.)
2. If we run all E2E tests with auto TLS enabled, we can quickly run out of TLS certificates quota.

In this PR, I think we are targeting to test the scenario that HTTP server (https://github.com/knative/serving/blob/master/config/202-gateway.yaml#L27) is removed, and HTTPS server with certificates is added (https://github.com/knative/serving/blob/master/config/202-gateway.yaml#L34). So probably one flag is enough: --https-only. WDYT?

In addition, instead of customizing config-network.yaml, I think we just need to customize https://github.com/knative/serving/blob/master/config/202-gateway.yaml because httpProtocol:Disabled only works when we turn on either flag autoTLS or reconcileExternalGateway which is bit more complex to set up.

[taragu]

Thanks @ZhiminXiang ! I've added a gateway yaml for https only at test/https-gateway.yaml. I'm not sure where to put it so please let me know if you think there's a better destination.

[JRBANCEL]

This is good, but AutoTLS won't work magically right?
We need to set up some domain name and hook it up with Let'sEncrypt for example.
We will probably hit the Let'sEncrypt limits. @ZhiminXiang can you comment on how to set this up?

[JRBANCEL]

/ok-to-test

[ZhiminXiang]

We cannot turn on auto TLS in our E2E tests until 1) either we set up DNS servers for the real domain to get real CA signed TLS certificates or 2) we use CA issuers #4066 (comment) to get self-signed certificates.

At this point, in order to test HTTPS enabled, we may need to manually provide a self-signed certificate by using openssl and configure Gateway to support TLS.

[adrcunha]

Script-wise, the approach LGTM.
/approve

[mattmoor-sockpuppet]

Found go linting violations, please merge: taragu#5

[taragu]

/test pull-knative-serving-build-tests

[ZhiminXiang]

/cc @adrcunha
I think we probably want to put the yaml under test/config/https-gateway/ directory.

[adrcunha]

+1

[ZhiminXiang]

PASSTHOUGH actually does not work. Can we change it to:

tls:
      mode: SIMPLE
      credentialName: "tls-certificate"
    hosts:
    - "*"

We can think about how to generate the certificate as a TODO.

[taragu]

@ZhiminXiang I just applied this config and tried running the TestHelloWorld e2e test, but looking at the logs, routes were ready but they were not https. The test failed with. Am I missing something here?

    kubelogs.go:152: I 13:03:08.438 [route-controller] [serving-tests/hello-world-uyuibzpu] Updating targeted revisions.
    kubelogs.go:152: I 13:03:08.438 [route-controller] [serving-tests/hello-world-uyuibzpu] Creating placeholder k8s services
    kubelogs.go:152: I 13:03:08.455 [route-controller] [serving-tests/hello-world-uyuibzpu] Creating Ingress.
    kubelogs.go:152: I 13:03:08.482 [route-controller] [serving-tests/hello-world-uyuibzpu] Updating placeholder k8s services with clusterIngress information
    kubelogs.go:152: I 13:03:08.482 [route-controller] [serving-tests/hello-world-uyuibzpu] Route successfully synced
    kubelogs.go:152: I 13:03:08.482 [route-controller] [serving-tests/hello-world-uyuibzpu] Reconcile succeeded. Time taken: 44.180415ms.
    service.go:133: Checking to ensure Service Status is populated for Ready service hello-world-uyuibzpu
    service.go:139: Getting latest objects Created by Service hello-world-uyuibzpu
    kubelogs.go:152: D 13:03:09.241 [kpa-class-podautoscaler-controller] [serving-tests/hello-world-uyuibzpu-qm8r9] No data to scale on yet
    service.go:142: Successfully created Service hello-world-uyuibzpu
    helloworld_test.go:66: The endpoint for Route hello-world-uyuibzpu at domain hello-world-uyuibzpu.serving-tests.169.46.25.10.xip.io didn't serve the expected text "Hello World! How about some tasty noodles?": response: status: 404, body: , headers: map[Content-Length:[0] Date:[Mon, 19 Aug 2019 13:03:09 GMT] Server:[istio-envoy] Zipkin_trace_id:[34de09e4cccf986c15324e8dc95c5bc9]] did not pass checks: status = 404, want one of: [200]

EDIT: Actually I missed setting up the CA issuer (thanks @rmoe for the instructions). The TestHelloWorld test passes now

[adrcunha]

This option won't be automatically tested by presubmits or CI flows. Is it intended?

[taragu]

@adrcunha that's correct. The option won't be enabled until we add the command with --https-only to https://github.com/knative/test-infra/blob/master/ci/prow/config_knative.yaml#L15

[ZhiminXiang]

I am not sure if all of the E2E tests will be passed under this environment. We may want to start with making it as post-submit, and then consider to make it presubmit after we fix all of E2E tests.

[taragu]

/assign @tcnghia

[taragu]

@adrcunha @ZhiminXiang @tcnghia could you please take a look when you get a chance?

[adrcunha]

/lgtm

LGTM for the test-infra, but I would like yet another pair of eyes on the PR before approval.

[ZhiminXiang]

nit: we probably want to check if the Spec.Servers are the same btw currGateway and oldGateway. If they are the same, we don't need update.

[ZhiminXiang]

Can we use names.URL (

serving/test/crd.go

Line 36 in fdcec3b

URL *url.URL

) here?

[taragu]

Hmm names.URL actually won't be set until after the service is created, so I think this is the best way.

[ZhiminXiang]

I am not sure if we can move the part of configuring https (https://github.com/knative/serving/pull/5157/files#diff-cd1624ee494bbca6fd2e1e1a908d0dd3R131) after validateCreatedServiceStatus function (https://github.com/knative/serving/pull/5157/files#diff-cd1624ee494bbca6fd2e1e1a908d0dd3R174).
If we can, then names.URL will be available after validateCreatedServiceStatus function. And then we can use names.URL instead of using GetDomain.

[taragu]

@ZhiminXiang yes that does work. Thank you for the suggestion!

[taragu]

Thanks @ZhiminXiang @adrcunha @JRBANCEL for the review! I made a change to add transport option as a return arg for CreateRunLatestServiceReady as Zhimin brought up the problem of running tests in parallel. Please let me know what you think.

[JRBANCEL]

/lgtm

[taragu]

/retest

[ZhiminXiang]

Do we still need to do the splitN here?
From what I saw, we get the suffix of names.URL.Host, and then we combine it with the service name, which is essentially the same as names.URL.Host. So I think we can use names.URL.Host directly here.

[taragu]

Yeah I tried using names.URL.Host but it didn't work because it has the service name. domain name is serving-tests.169.48.185.45.xip.io but names.URL.Host is hello-world-gzzyzjel.serving-tests.169.48.185.45.xip.io

[ZhiminXiang]

what I mean here is we don't need to do SplitN and then combine the domain with service name in https://github.com/knative/serving/pull/5157/files/72501eed94be585c3d9060af4eabf2183b480185#diff-cd1624ee494bbca6fd2e1e1a908d0dd3R485. Instead, we can directly pass names.URL.Host to setUpHTTPS function.

[taragu]

Ah got it. That makes sense. I've just pushed up the simplification.

[ZhiminXiang]

/lgtm

[taragu]

@ZhiminXiang thanks for the review! @adrcunha would you take another look when you get a chance?

[adrcunha]

/lgtm
/approve

[tcnghia]

/approve

[knative-prow-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adrcunha, taragu, tcnghia

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/reconciler/OWNERS [tcnghia]
• test/OWNERS [adrcunha,tcnghia]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[taragu]

/retest

[knative-test-reporter-robot]

The following jobs failed:

Test name	Triggers	Retries
pull-knative-serving-unit-tests	pull-knative-serving-unit-tests	1/3

Automatically retrying due to test flakiness...
/test pull-knative-serving-unit-tests