
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'spec/services/clusters/kubernetes/configure_istio_ingress_service_spec.rb')
-rw-r--r--spec/services/clusters/kubernetes/configure_istio_ingress_service_spec.rb197
1 files changed, 197 insertions, 0 deletions
diff --git a/spec/services/clusters/kubernetes/configure_istio_ingress_service_spec.rb b/spec/services/clusters/kubernetes/configure_istio_ingress_service_spec.rb
new file mode 100644
index 00000000000..572e2b91187
--- /dev/null
+++ b/spec/services/clusters/kubernetes/configure_istio_ingress_service_spec.rb
@@ -0,0 +1,197 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Clusters::Kubernetes::ConfigureIstioIngressService, '#execute' do
+ include KubernetesHelpers
+
+ let(:cluster) { create(:cluster, :project, :provided_by_gcp) }
+ let(:api_url) { 'https://kubernetes.example.com' }
+ let(:project) { cluster.project }
+ let(:environment) { create(:environment, project: project) }
+ let(:cluster_project) { cluster.cluster_project }
+ let(:namespace) { "#{project.name}-#{project.id}-#{environment.slug}" }
+ let(:kubeclient) { cluster.kubeclient }
+
+ subject do
+ described_class.new(
+ cluster: cluster
+ ).execute
+ end
+
+ before do
+ stub_kubeclient_discover_istio(api_url)
+ stub_kubeclient_create_secret(api_url, namespace: namespace)
+ stub_kubeclient_put_secret(api_url, "#{namespace}-token", namespace: namespace)
+
+ stub_kubeclient_get_secret(
+ api_url,
+ {
+ metadata_name: "#{namespace}-token",
+ token: Base64.encode64('sample-token'),
+ namespace: namespace
+ }
+ )
+
+ stub_kubeclient_get_secret(
+ api_url,
+ {
+ metadata_name: 'istio-ingressgateway-ca-certs',
+ namespace: 'istio-system'
+ }
+ )
+
+ stub_kubeclient_get_secret(
+ api_url,
+ {
+ metadata_name: 'istio-ingressgateway-certs',
+ namespace: 'istio-system'
+ }
+ )
+
+ stub_kubeclient_put_secret(api_url, 'istio-ingressgateway-ca-certs', namespace: 'istio-system')
+ stub_kubeclient_put_secret(api_url, 'istio-ingressgateway-certs', namespace: 'istio-system')
+ stub_kubeclient_get_gateway(api_url, 'knative-ingress-gateway', namespace: 'knative-serving')
+ stub_kubeclient_put_gateway(api_url, 'knative-ingress-gateway', namespace: 'knative-serving')
+ end
+
+ context 'without a serverless_domain_cluster' do
+ it 'configures gateway to use PASSTHROUGH' do
+ subject
+
+ expect(WebMock).to have_requested(:put, api_url + '/apis/networking.istio.io/v1alpha3/namespaces/knative-serving/gateways/knative-ingress-gateway').with(
+ body: hash_including(
+ apiVersion: "networking.istio.io/v1alpha3",
+ kind: "Gateway",
+ metadata: {
+ generation: 1,
+ labels: {
+ "networking.knative.dev/ingress-provider" => "istio",
+ "serving.knative.dev/release" => "v0.7.0"
+ },
+ name: "knative-ingress-gateway",
+ namespace: "knative-serving",
+ selfLink: "/apis/networking.istio.io/v1alpha3/namespaces/knative-serving/gateways/knative-ingress-gateway"
+ },
+ spec: {
+ selector: {
+ istio: "ingressgateway"
+ },
+ servers: [
+ {
+ hosts: ["*"],
+ port: {
+ name: "http",
+ number: 80,
+ protocol: "HTTP"
+ }
+ },
+ {
+ hosts: ["*"],
+ port: {
+ name: "https",
+ number: 443,
+ protocol: "HTTPS"
+ },
+ tls: {
+ mode: "PASSTHROUGH"
+ }
+ }
+ ]
+ }
+ )
+ )
+ end
+ end
+
+ context 'with a serverless_domain_cluster' do
+ let(:serverless_domain_cluster) { create(:serverless_domain_cluster) }
+ let(:certificate) { OpenSSL::X509::Certificate.new(serverless_domain_cluster.certificate) }
+
+ before do
+ cluster.application_knative = serverless_domain_cluster.knative
+ end
+
+ it 'configures certificates' do
+ subject
+
+ expect(serverless_domain_cluster.reload.key).not_to be_blank
+ expect(serverless_domain_cluster.reload.certificate).not_to be_blank
+
+ expect(certificate.subject.to_s).to include(serverless_domain_cluster.knative.hostname)
+
+ expect(certificate.not_before).to be_within(1.minute).of(Time.now)
+ expect(certificate.not_after).to be_within(1.minute).of(Time.now + 1000.years)
+
+ expect(WebMock).to have_requested(:put, api_url + '/api/v1/namespaces/istio-system/secrets/istio-ingressgateway-ca-certs').with(
+ body: hash_including(
+ metadata: {
+ name: 'istio-ingressgateway-ca-certs',
+ namespace: 'istio-system'
+ },
+ type: 'Opaque'
+ )
+ )
+
+ expect(WebMock).to have_requested(:put, api_url + '/api/v1/namespaces/istio-system/secrets/istio-ingressgateway-certs').with(
+ body: hash_including(
+ metadata: {
+ name: 'istio-ingressgateway-certs',
+ namespace: 'istio-system'
+ },
+ type: 'kubernetes.io/tls'
+ )
+ )
+ end
+
+ it 'configures gateway to use MUTUAL' do
+ subject
+
+ expect(WebMock).to have_requested(:put, api_url + '/apis/networking.istio.io/v1alpha3/namespaces/knative-serving/gateways/knative-ingress-gateway').with(
+ body: {
+ apiVersion: "networking.istio.io/v1alpha3",
+ kind: "Gateway",
+ metadata: {
+ generation: 1,
+ labels: {
+ "networking.knative.dev/ingress-provider" => "istio",
+ "serving.knative.dev/release" => "v0.7.0"
+ },
+ name: "knative-ingress-gateway",
+ namespace: "knative-serving",
+ selfLink: "/apis/networking.istio.io/v1alpha3/namespaces/knative-serving/gateways/knative-ingress-gateway"
+ },
+ spec: {
+ selector: {
+ istio: "ingressgateway"
+ },
+ servers: [
+ {
+ hosts: ["*"],
+ port: {
+ name: "http",
+ number: 80,
+ protocol: "HTTP"
+ }
+ },
+ {
+ hosts: ["*"],
+ port: {
+ name: "https",
+ number: 443,
+ protocol: "HTTPS"
+ },
+ tls: {
+ mode: "MUTUAL",
+ privateKey: "/etc/istio/ingressgateway-certs/tls.key",
+ serverCertificate: "/etc/istio/ingressgateway-certs/tls.crt",
+ caCertificates: "/etc/istio/ingressgateway-ca-certs/cert.pem"
+ }
+ }
+ ]
+ }
+ }
+ )
+ end
+ end
+end
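Review bot: The 'configures certificates' example matches only `metadata` and `type` on the two secret PUTs, so it would still pass if the service wrote empty or mismatched material into `istio-ingressgateway-certs` or `istio-ingressgateway-ca-certs`. Adding a `data:` matcher to each `hash_including`, compared against the reloaded `serverless_domain_cluster.certificate` and `key`, would close that gap. Nothing in the example ties the stored key to the certificate either; assuming the key is persisted as PEM, `expect(certificate.check_private_key(OpenSSL::PKey.read(serverless_domain_cluster.key))).to be(true)` would cover it. The `not_after` expectation also pins a 1000-year validity, so a comment above it should say why these certificates are effectively non-expiring and how they are meant to be replaced, since the service itself is not visible in this diff.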