Add Istio upstream tests #9463

Merged
merged 115 commits into from May 16, 2024

@npolshakova npolshakova commented May 8, 2024

Description

Adds Istio integration tests with Upstreams.

Upgrade/downgrade doc for Istio automtls integration: https://docs.google.com/document/d/1QmapbTCVb6BIrgkmgeL60lSwL5KLLIn_MN2KiRLW-is/edit?usp=sharing

Code changes

This introduces the following net new tests:

  • Override test for Istio integration with Upstream and automtls disabled for k8s Gateway resources (validated with disabled peer auth policy)
  • Override test for Istio integration with Upstream and automtls disabled for Edge Gateway resources (validated with disabled peer auth policy)
  • sslConfig based strict peer auth test for Gloo Gateway API resources
  • Upgrade test for Istio Integration with Upstream with sslConfig -> automtls for Edge Gateway resources
  • Downgrade test for Istio Integration with Upstream with automtls -> sslConfig on Upstream for Edge Gateway resources

These can be added if we decide they are worthwhile:

  • Adding the SSL config via cli with glooctl istio enable-mtls --upstream httpbin-upstream, removing the SSL config with glooctl istio disable-mtls --upstream httpbin-upstream. Currently the tests directly apply the Upstream with sslConfig since discovery is disabled on the Istio tests. The original Istio regression tests were using discovery and editing the Upstream through the cli. This can cause flakes when updating the Upstream resource.

Manual validation:

  1. Install gloo with automtls enabled. Set up initial resources that use sslConfig on Upstream:

```yaml
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: httpbin-vs
  namespace: automtls-istio-edge-api-test
spec:
  virtualHost:
    domains:
    - httpbin
    routes:
    - matchers:
      - prefix: /
      routeAction:
        single:
          upstream:
            name: httpbin-upstream
            namespace: automtls-istio-edge-api-test
---
apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  name: httpbin-upstream
  namespace: automtls-istio-edge-api-test
spec:
  kube:
    selector:
      app: httpbin
    serviceName: httpbin
    serviceNamespace: httpbin
    servicePort: 8000
  sslConfig:
    alpnProtocols:
    - istio
    sds:
      certificatesSecretName: istio_server_cert
      clusterName: gateway_proxy_sds
      targetUri: 127.0.0.1:8234
      validationContextName: istio_validation_context
```

  2. Port-forward gateway:

```bash
kubectl port-forward deploy/gateway-proxy -n automtls-istio-edge-api-test 8080:8080
```

  3. Send constant traffic to check headers:

```bash
for i in {1..1000}
do
  curl localhost:8080/headers -H "host: httpbin" -v
  echo "Request $i sent"
done
```

I checked the X-Forwarded-Client-Cert was present by grepping the response:

```bash
for i in {1..1000}; do echo "Request $i:"; response=$(curl -s -H "host: httpbin" "http://localhost:8080/headers"); echo "$response" | grep -q "X-Forwarded-Client-Cert" && echo "Header found" || echo "Error: Header not found"; done
```

  4. Update the Upstream to remove sslConfig:

```yaml
apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  name: httpbin-upstream
  namespace: automtls-istio-edge-api-test
spec:
  kube:
    selector:
      app: httpbin
    serviceName: httpbin
    serviceNamespace: httpbin
    servicePort: 8000
```

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
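
The manual validation above treats the presence of X-Forwarded-Client-Cert as evidence that the gateway-to-httpbin hop used mTLS. As an added example (not part of this PR or the project's code), the script below turns that check into a pass/fail gate that also compares the client SPIFFE identity in the header and reports the first request where mTLS evidence was lost. The sample response bodies, the `gateway-proxy` service-account identity and the function names are constructed assumptions.

```sh
#!/bin/sh
# Added example, not from the PR. Input: one httpbin /headers response body per
# line, e.g. captured with:
#   curl -s -H "host: httpbin" localhost:8080/headers | tr -d '\n'; echo

# Constructed sample bodies (the identities are assumptions, not real output).
SAMPLE_OK='{"headers":{"Host":"httpbin","X-Forwarded-Client-Cert":"By=spiffe://cluster.local/ns/httpbin/sa/httpbin;Hash=0000;Subject=\"\";URI=spiffe://cluster.local/ns/automtls-istio-edge-api-test/sa/gateway-proxy"}}'
SAMPLE_PLAIN='{"headers":{"Host":"httpbin"}}'
EXPECTED='spiffe://cluster.local/ns/automtls-istio-edge-api-test/sa/gateway-proxy'

# Print the client SPIFFE URI recorded in X-Forwarded-Client-Cert, or nothing
# when the header (or its URI element) is absent from the body.
xfcc_uri() {
  printf '%s\n' "$1" |
    grep -i '"X-Forwarded-Client-Cert"' |
    grep -o 'URI=spiffe://[^;",]*' | head -n 1 | cut -d= -f2
}

# Read bodies on stdin, print a one-line summary, and return non-zero if any
# response lacked the header or carried an identity other than $1.
check_xfcc_stream() {
  expected=$1 total=0 missing=0 wrong=0 first_bad=0
  while IFS= read -r body; do
    total=$((total + 1))
    uri=$(xfcc_uri "$body") || true
    if [ -z "$uri" ]; then
      missing=$((missing + 1))
    elif [ "$uri" != "$expected" ]; then
      wrong=$((wrong + 1))
    else
      continue
    fi
    # Remember where the first gap occurred (e.g. while the Upstream is updated).
    if [ "$first_bad" -eq 0 ]; then first_bad=$total; fi
  done
  echo "total=$total missing=$missing wrong_identity=$wrong first_bad=$first_bad"
  [ "$missing" -eq 0 ] && [ "$wrong" -eq 0 ]
}

# Constructed run: the second response arrived without the header.
demo() {
  printf '%s\n%s\n%s\n' "$SAMPLE_OK" "$SAMPLE_PLAIN" "$SAMPLE_OK" |
    check_xfcc_stream "$EXPECTED"
}

demo || echo "mTLS evidence missing on at least one request"
```
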

npolshakova and others added 30 commits April 29, 2024 11:24

github-actions bot commented May 13, 2024

Visit the preview URL for this PR (updated for commit 93dad84):

https://gloo-edge--pr9463-npolshak-add-istio-u-pbs2lyjw.web.app

(expires Thu, 23 May 2024 16:01:56 GMT)


sam-heilbron previously approved these changes May 15, 2024
test/kubernetes/e2e/test.go (outdated, resolved)
Makefile (resolved)
jbohanon previously approved these changes May 16, 2024
@npolshakova npolshakova requested a review from jbohanon May 16, 2024 16:22
@npolshakova npolshakova merged commit ee86498 into main May 16, 2024
25 checks passed
@npolshakova npolshakova deleted the npolshak/add-istio-upstream-tests branch May 16, 2024 16:24
Labels
keep pr updated signals bulldozer to keep pr up to date with base branch