OSSM-8079 Automate Expose Grpc With Passthrough Gateway (#748)

images.yaml

@@ -123,3 +123,7 @@ grpcurl:
   z: quay.io/maistra/grpcurl:latest
   arm64: quay.io/maistra/grpcurl:latest
 
+grpc-echo:
+  x86: gcr.io/istio-testing/app:latest
+  arm64: gcr.io/istio-testing/app:latest
+

pkg/tests/tasks/traffic/ingress/grpc_https_gateway_test.go

@@ -32,6 +32,12 @@ var (
 	//go:embed yaml/grpc_https_gateway.yaml
 	grpcurlTLSGatewayHTTPS string
 
+	//go:embed yaml/grpc_passthrough_gateway.yaml
+	grpcurlPassthroughGatewayHTTPS string
+
+	//go:embed yaml/grpc_echo_server_tls.yaml
+	grpcEchoServerTlsTemplate string
+
 	//go:embed yaml/grpc_echo_server.yaml
 	grpcEchoServerTemplate string
 
@@ -86,3 +92,52 @@ func TestExposeGrpcWithHttpsGateway(t *testing.T) {
 
 	})
 }
+
+func TestExposeGrpcWitPassthroughGateway(t *testing.T) {
+	test.NewTest(t).Id("T45").Groups(test.Full, test.InterOp, test.ARM).Run(func(t test.TestHelper) {
+
+		t.Log("This test verifies secure grpc traffic with passthrough gateway configuration.")
+
+		if env.GetArch() == "z" || env.GetArch() == "p" {
+			t.Skip("gcr.io/istio-testing/app:latest image is not supported on IBM Z&P")
+		}
+
+		t.Cleanup(func() {
+			app.Uninstall(t, app.GrpCurl(ns.Default))
+			oc.DeleteNamespace(t, ns.EchoGrpc)
+			oc.RecreateNamespace(t, meshNamespace)
+		})
+
+		t.LogStep("Create echo-grpc project")
+		oc.CreateNamespace(t, ns.EchoGrpc)
+
+		t.LogStep("Deploy Control Plane")
+		ossm.DeployControlPlane(t)
+		smcpName := env.GetDefaultSMCPName()
+
+		t.LogStep("Apply SMCP with mTLS true")
+		oc.Patch(t,
+			meshNamespace, "smcp", smcpName, "merge",
+			`{"spec":{"security":{"dataPlane":{"mtls":true}}}}`,
+		)
+
+		t.LogStep("Update SMMR to include EchoGrpc Namespaces")
+		oc.ApplyString(t, meshNamespace, ossm.AppendDefaultSMMR(ns.EchoGrpc))
+		oc.WaitSMMRReady(t, meshNamespace)
+
+		t.LogStep("Create Echo Grpc Server")
+		oc.ApplyTemplate(t, ns.EchoGrpc, grpcEchoServerTlsTemplate, nil)
+
+		t.LogStep("Configure a TLS ingress gateway for a single host")
+		oc.ApplyString(t, ns.EchoGrpc, grpcurlPassthroughGatewayHTTPS)
+
+		t.LogStep("Install grpcurl image")
+		app.Install(t, app.GrpCurl(ns.Default))
+		retry.UntilSuccessWithOptions(t, retry.Options().MaxAttempts(20), func(t test.TestHelper) {
+			oc.LogsFromPods(t,
+				ns.Default,
+				"app=grpcurl",
+				assert.OutputContains("EchoTestService", "rpc command worked successfully", "rpc error"))
+		})
+	})
+}

pkg/tests/tasks/traffic/ingress/yaml/grpc_echo_server.yaml

@@ -62,7 +62,7 @@ spec:
               fieldRef:
                 apiVersion: v1
                 fieldPath: status.podIP
-          image: gcr.io/istio-testing/app:latest
+          image: {{ image "grpc-echo" }}
           imagePullPolicy: Always
           livenessProbe:
             failureThreshold: 10
@@ -143,7 +143,7 @@ spec:
               fieldRef:
                 apiVersion: v1
                 fieldPath: status.podIP
-          image: gcr.io/istio-testing/app:latest
+          image: {{ image "grpc-echo" }}
           imagePullPolicy: Always
           livenessProbe:
             failureThreshold: 10

pkg/tests/tasks/traffic/ingress/yaml/grpc_echo_server_tls.yaml

@@ -0,0 +1,192 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: echo
+  name: echo
+  namespace: echo-grpc
+spec:
+  selector:
+    app: echo
+  type: ClusterIP
+  ports:
+  - name: http
+    port: 80
+    targetPort: 18080
+  - name: tls-grpc
+    protocol: TCP
+    port: 7070
+    targetPort: 17070
+  - name: tcp
+    port: 9090
+    targetPort: 19090
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: echo-v1
+  namespace: echo-grpc
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: echo
+      version: v1
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "true"
+      labels:
+        app: echo
+        version: v1
+    spec:
+      containers:
+        - args:
+          - --metrics=15014
+          - --port
+          - "18080"
+          - --tcp
+          - "19090"
+          - --grpc
+          - "17070"
+          - '--tls'
+          - '17070'
+          - --grpc
+          - "17171"
+          - --port
+          - "3333"
+          - --port
+          - "8080"
+          - --version
+          - v1
+          - --crt=/cert.crt
+          - --key=/cert.key
+          env:
+          - name: INSTANCE_IP
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: status.podIP
+          image: {{ image "grpc-echo" }}
+          imagePullPolicy: Always
+          livenessProbe:
+            failureThreshold: 10
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: tcp-health-port
+            timeoutSeconds: 1
+          name: app
+          ports:
+          - containerPort: 17070
+            protocol: TCP
+          - containerPort: 17171
+            protocol: TCP
+          - containerPort: 8080
+            protocol: TCP
+          - containerPort: 3333
+            name: tcp-health-port
+            protocol: TCP
+          readinessProbe:
+            failureThreshold: 10
+            httpGet:
+              path: /
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 1
+            periodSeconds: 2
+            successThreshold: 1
+            timeoutSeconds: 1
+          startupProbe:
+            failureThreshold: 10
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: tcp-health-port
+            timeoutSeconds: 1
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: echo-v2
+  namespace: echo-grpc
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: echo
+      version: v2
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "true"
+      labels:
+        app: echo
+        version: v2
+    spec:
+      containers:
+        - args:
+          - --metrics=15014
+          - --port
+          - "18080"
+          - --tcp
+          - "19090"
+          - --grpc
+          - "17070"
+          - '--tls'
+          - '17070'
+          - --grpc
+          - "17171"
+          - --port
+          - "3333"
+          - --port
+          - "8080"
+          - --version
+          - v2
+          - --crt=/cert.crt
+          - --key=/cert.key
+          env:
+          - name: INSTANCE_IP
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: status.podIP
+          image: {{ image "grpc-echo" }}
+          imagePullPolicy: Always
+          livenessProbe:
+            failureThreshold: 10
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: tcp-health-port
+            timeoutSeconds: 1
+          name: app
+          ports:
+          - containerPort: 17070
+            protocol: TCP
+          - containerPort: 17171
+            protocol: TCP
+          - containerPort: 8080
+            protocol: TCP
+          - containerPort: 3333
+            name: tcp-health-port
+            protocol: TCP
+          readinessProbe:
+            failureThreshold: 10
+            httpGet:
+              path: /
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 1
+            periodSeconds: 2
+            successThreshold: 1
+            timeoutSeconds: 1
+          startupProbe:
+            failureThreshold: 10
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: tcp-health-port
+            timeoutSeconds: 1

pkg/tests/tasks/traffic/ingress/yaml/grpc_passthrough_gateway.yaml

@@ -0,0 +1,36 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: grpc-gateway
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+  - port:
+      number: 443
+      name: tls
+      protocol: TLS
+    tls:
+      mode: PASSTHROUGH
+    hosts:
+    - grpc.example.com
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: grpc
+spec:
+  hosts:
+  - grpc.example.com
+  gateways:
+  - grpc-gateway
+  tls:
+  - match:
+    - port: 443
+      sniHosts:
+      - grpc.example.com
+    route:
+    - destination:
+        host: echo.echo-grpc.svc.cluster.local
+        port:
+          number: 7070

sampleCerts/grpc.example.com/grpc.example.com.crt

@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
 MIIDITCCAgmgAwIBAgIBADANBgkqhkiG9w0BAQsFADAtMRUwEwYDVQQKDAxleGFt
-cGxlIEluYy4xFDASBgNVBAMMC2V4YW1wbGUuY29tMB4XDTI0MDkxMzA4MzUyM1oX
-DTI1MDkxMzA4MzUyM1owNzEZMBcGA1UEAwwQZ3JwYy5leGFtcGxlLmNvbTEaMBgG
-A1UECgwRZ3JwYyBvcmdhbml6YXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQDHBwwCOZP/tcEDlxfyBmnyhOoS+1VQH9C92cZnnLsmSH/p6FwX2VJT
-jj274JXI0iu+tJ1zcAjJrIgKMvI5CkBqwI9GTVqtzEz7Y6fXi+OHKFE+XT2yRV/k
-4yV2stFBHL5tZvcSZdQ/+Hm+BRB/Zfg2j8tmVdGJfLFe3F0wlPxsuLfXVwgu4uHz
-b1fhlFESCSZQaPYwAyHEa+csMG1EVDjQuIaQl+bNE7ZH9juF1XWfnbWBf3htORGF
-WvQZrp8BGDprqdgM+kjNb3lZDjjwzo8tIO+cSCp1eovCV8fhheQ3Qu4yN0de5c/o
-EaU5YeM94TntODVkTDYeOyU9xbzZ1tMHAgMBAAGjQjBAMB0GA1UdDgQWBBRSmeNJ
-ZNX5IVuggHLMOtkooAPElTAfBgNVHSMEGDAWgBTQpJ9L4z2EoZRTo0fvOcJ+BEWI
-ijANBgkqhkiG9w0BAQsFAAOCAQEArzxbdL/ZSLXsZUjPPnPpAPQvSzPHOJJR/etu
-9okha5X5JCwYglqPtuxpyBXooICmA0+Pa1b2QvsAyZQSjV0jFI8ag2XyQUMiS5Qd
-u31wI+ltzVbkir4xdeRpcFSqbg8LkfRUm6GHggE9LX+z2KVXqD0ZllaPJcJEAzW0
-+hTtNWaQGgk6uK5W0R68HdSjoAQX3goFdn/K/L9dbAFrc6LYTgNVskzw1eOwG0Pe
-KVPTPfLUfe3DVwuokpui/3mrhgzUuAvwGI4CzAN/X9575nOH8riybFDOBzxJyjcB
-Ah9VJR76EopSeugCGLscIjAqUZ7u8zmk1qi6auCQ4+4c5TWL1w==
+cGxlIEluYy4xFDASBgNVBAMMC2V4YW1wbGUuY29tMB4XDTI0MDkyNjE0NDkzMVoX
+DTI1MDkyNjE0NDkzMVowNzEZMBcGA1UEAwwQZ3JwYy5leGFtcGxlLmNvbTEaMBgG
+A1UECgwRc29tZSBvcmdhbml6YXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDC1oTJy4To1N33xqxX5jOp8BIWcn08DxRSelx3p1FP3KD/+ACO1gt/
+0LU8QjjmgmSv2S/xfnbqdgB1rxs1n9xF1MpRW5EKlVriUYIKKX38h4VC6P/ewfRZ
+EXLjxTa9F/VPhKRNfACA3ghyzObE2VlbCsH8kjC4trLRTi3e2fhdo1JwfRWQP/9Z
+Z5B51393V1N8YMPegxAOh7BpI0pkMHG1TxF3hZuteLaL2G21OhFMrUUCbHjljIff
+Auu+hUUI/gCnFB0uxtNJDeua7Gh4wW8HnRSQjLsSF0It29e1jdbFjLJ/OPCNGJ4H
+Z+biTZgdwvwgxLbEwoXBcNyzVFXLPMvZAgMBAAGjQjBAMB0GA1UdDgQWBBSS0ybf
+v3Ok1J3WH0aj8djKquJbsTAfBgNVHSMEGDAWgBQntdRVQMFrLYmkwYdQqjPvUrDx
+FDANBgkqhkiG9w0BAQsFAAOCAQEA5Wzbjjf3z396dRwXKkZl73sLRyAjxjtmlIwR
+DPGfkmW+17+5ao6g5Beq3Nm13vS7oC+/Pp1+CCYG2CF0ehfAHOoSmouoMh9lPm0r
+E+KBjtebfd3rNNBiPamXZuaJqTZdeXIcARxrYe3pzKshsKDWfYjSrZgryKrR27R+
+Z9gdpxb73cc7sSNcs4M0Gyth7IbO9GW9WlDHjqWo2os/YtLVTtAFLiV5hQ44VCRO
+Ug7e6jfV5ZGmfYIdI2GcsXRxuOd11RdAc7OoY98WIBdDQM11LVXRVip+QKlya1cj
+jw6jd3XtAUj1ub9VWTxuPSL5bTu5KUhvAFxumGSfkNS5Ze+gVg==
 -----END CERTIFICATE-----