[nonrtric.git] / test / common / istio_api_functions.sh

#!/bin/bash

#  ============LICENSE_START===============================================
#  Copyright (C) 2021 Nordix Foundation. All rights reserved.
#  ========================================================================
#  Licensed under the Apache License, Version 2.0 (the "License");
#  you may not use this file except in compliance with the License.
#  You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS,
#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  See the License for the specific language governing permissions and
#  limitations under the License.
#  ============LICENSE_END=================================================
#

# This is a script that contains function to handle helm on localhost


################ Test engine functions ################

# Create the image var used during the test
# arg: <image-tag-suffix> (selects staging, snapshot, release etc)
# <image-tag-suffix> is present only for images with staging, snapshot,release tags
__ISTIO_imagesetup() {
        :
}

# Pull image from remote repo or use locally built image
# arg: <pull-policy-override> <pull-policy-original>
# <pull-policy-override> Shall be used for images allowing overriding. For example use a local image when test is started to use released images
# <pull-policy-original> Shall be used for images that does not allow overriding
# Both var may contain: 'remote', 'remote-remove' or 'local'
__ISTIO_imagepull() {
        :
}

# Build image (only for simulator or interfaces stubs owned by the test environment)
# arg: <image-tag-suffix> (selects staging, snapshot, release etc)
# <image-tag-suffix> is present only for images with staging, snapshot,release tags
__ISTIO_imagebuild() {
        :
}

# Generate a string for each included image using the app display name and a docker images format string
# If a custom image repo is used then also the source image from the local repo is listed
# arg: <docker-images-format-string> <file-to-append>
__ISTIO_image_data() {
        :
}

# Scale kubernetes resources to zero
# All resources shall be ordered to be scaled to 0, if relevant. If not relevant to scale, then do no action.
# This function is called for apps fully managed by the test script
__ISTIO_kube_scale_zero() {
        :
}

# Scale kubernetes resources to zero and wait until this has been accomplished, if relevant. If not relevant to scale, then do no action.
# This function is called for prestarted apps not managed by the test script.
__ISTIO_kube_scale_zero_and_wait() {
        :
}

# Delete all kube resouces for the app
# This function is called for apps managed by the test script.
__ISTIO_kube_delete_all() {
        __kube_delete_all_resources $KUBE_NONRTRIC_NAMESPACE autotest ISTIO
}

# Store docker logs
# This function is called for apps managed by the test script.
# args: <log-dir> <file-prexix>
__ISTIO_store_docker_logs() {
        :
}

# Initial setup of protocol, host and ports
# This function is called for apps managed by the test script.
# args: -
__ISTIO_initial_setup() {
        # See jwt-info.txt in simulator-group/kubeproxy for detailed info
        KUBE_PROXY_CURL_JWT=$ISTIO_GENERIC_JWT
        KUBE_PROXY_ISTIO_JWKS_KEYS=$ISTIO_GENERIC_JWKS_KEY
}

# Set app short-name, app name and namespace for logging runtime statistics of kubernets pods or docker containers
# For docker, the namespace shall be excluded
# This function is called for apps managed by the test script as well as for prestarted apps.
# args: -
__ISTIO_statisics_setup() {
        :
}

# Check application requirements, e.g. helm, the the test needs. Exit 1 if req not satisfied
# args: -
__ISTIO_test_requirements() {

        kubectl $KUBECONF get requestauthentications -A &> /dev/null
        if [ $? -ne 0 ]; then
                echo $RED" Istio api: kubectl get requestauthentications is not installed"
                exit 1
        fi
        kubectl $KUBECONF get authorizationpolicies -A &> /dev/null
        if [ $? -ne 0 ]; then
                echo $RED" Istio api: kubectl get authorizationpolicies is not installed"
                exit 1
        fi
}

#######################################################


# Enable istio on namespace
# arg: <namespace>
istio_enable_istio_namespace() {
        __log_conf_start $@
    if [ $# -ne 1 ]; then
        __print_err "<namespace>" $@
        return 1
    fi
        __kube_create_namespace $1
        __kube_label_non_ns_instance ns $1 "istio-injection=enabled"
        __log_conf_ok
        return 0
}

# Request authorization by jwksuri
# args: <app> <namespace> <realm>
istio_req_auth_by_jwksuri() {
        __log_conf_start $@
    if [ $# -ne 3 ]; then
        __print_err "<app> <namespace> <realm>" $@
        return 1
    fi
        name="ra-jwksuri-"$3"-"$1"-"$2
        export  ISTIO_TEMPLATE_REPLACE_RA_NAME=$(echo $name | tr '[:upper:]' '[:lower:]')
        export  ISTIO_TEMPLATE_REPLACE_RA_NS=$2
        export  ISTIO_TEMPLATE_REPLACE_RA_APP_NAME=$1
        export  ISTIO_TEMPLATE_REPLACE_RA_ISSUER=$KEYCLOAK_ISSUER_PATH$KEYCLOAK_TOKEN_URL_PREFIX/$3
        export  ISTIO_TEMPLATE_REPLACE_RA_JWKSURI=$KEYCLOAK_SERVICE_PATH$KEYCLOAK_TOKEN_URL_PREFIX/$3/protocol/openid-connect/certs
        inputfile=$SIM_GROUP/$ISTIO_COMPOSE_DIR/ra-jwksuri-template.yaml
        outputfile=tmp/$ISTIO_TEMPLATE_REPLACE_RA_NAME".yaml"
        envsubst < $inputfile > $outputfile
        if [ $? -ne 0 ]; then
                __log_conf_fail_general "Cannot substitute yaml: $inputfile"
                return 1
        fi
        kubectl $KUBECONF apply -f $outputfile &> tmp/kubeerr
        if [ $? -ne 0 ]; then
                __log_conf_fail_general "Cannot apply yaml: $outputfile"
                return 1
        fi
        __log_conf_ok
        return 0
}

# Request authorization by jwks (inline keys)
# args: <app> <namespace> <issuer> <key>
istio_req_auth_by_jwks() {
        __log_conf_start $@
    if [ $# -ne 4 ]; then
        __print_err "<app> <namespace> <issuer> <key>" $@
        return 1
    fi
        name="ra-jwks-"$3"-"$1"-"$2
        export  ISTIO_TEMPLATE_REPLACE_RA_NAME=$(echo $name | tr '[:upper:]' '[:lower:]')
        export  ISTIO_TEMPLATE_REPLACE_RA_NS=$2
        export  ISTIO_TEMPLATE_REPLACE_RA_APP_NAME=$1
        export  ISTIO_TEMPLATE_REPLACE_RA_ISSUER=$3
        export  ISTIO_TEMPLATE_REPLACE_RA_JWKS=$4
        inputfile=$SIM_GROUP/$ISTIO_COMPOSE_DIR/ra-jwks-template.yaml
        outputfile=tmp/$ISTIO_TEMPLATE_REPLACE_RA_NAME".yaml"
        envsubst < $inputfile > $outputfile
        if [ $? -ne 0 ]; then
                __log_conf_fail_general "Cannot substitute yaml: $inputfile"
                return 1
        fi
        kubectl $KUBECONF apply -f $outputfile &> tmp/kubeerr
        if [ $? -ne 0 ]; then
                __log_conf_fail_general "Cannot apply yaml: $outputfile"
                return 1
        fi
        __log_conf_ok
        return 0
}

# Authorization policy - by realm
# args: <app> <namespace> <realam>
istio_auth_policy_by_realm() {
        __log_conf_start $@
    if [ $# -ne 3 ]; then
        __print_err "<app> <namespace> <realam>" $@
        return 1
    fi
        name="ap-realm-"$3"-"$1"-"$2
        export  ISTIO_TEMPLATE_REPLACE_AP_NAME=$(echo $name | tr '[:upper:]' '[:lower:]')
        export  ISTIO_TEMPLATE_REPLACE_AP_NS=$2
        export  ISTIO_TEMPLATE_REPLACE_AP_APP_NAME=$1
        export  ISTIO_TEMPLATE_REPLACE_AP_PRINCIPAL="$KEYCLOAK_ISSUER_PATH$KEYCLOAK_TOKEN_URL_PREFIX/$3/*"
        inputfile=$SIM_GROUP/$ISTIO_COMPOSE_DIR/ap-principal-template.yaml
        outputfile=tmp/$ISTIO_TEMPLATE_REPLACE_AP_NAME".yaml"
        envsubst < $inputfile > $outputfile
        if [ $? -ne 0 ]; then
                __log_conf_fail_general "Cannot substitute yaml: $inputfile"
                return 1
        fi
        kubectl $KUBECONF apply -f $outputfile &> tmp/kubeerr
        if [ $? -ne 0 ]; then
                __log_conf_fail_general "Cannot apply yaml: $outputfile"
                return 1
        fi
        __log_conf_ok
        return 0
}

# Authorization policy - by issuer
# args: <app> <namespace> <issuer>
istio_auth_policy_by_issuer() {
        __log_conf_start $@
    if [ $# -ne 3 ]; then
        __print_err "<app> <namespace> <issuer>" $@
        return 1
    fi
        name="ap-iss-"$3"-"$1"-"$2
        export  ISTIO_TEMPLATE_REPLACE_AP_NAME=$(echo $name | tr '[:upper:]' '[:lower:]')
        export  ISTIO_TEMPLATE_REPLACE_AP_NS=$2
        export  ISTIO_TEMPLATE_REPLACE_AP_APP_NAME=$1
        export  ISTIO_TEMPLATE_REPLACE_AP_PRINCIPAL="$3/*"
        inputfile=$SIM_GROUP/$ISTIO_COMPOSE_DIR/ap-principal-template.yaml
        outputfile=tmp/$ISTIO_TEMPLATE_REPLACE_AP_NAME".yaml"
        envsubst < $inputfile > $outputfile
        if [ $? -ne 0 ]; then
                __log_conf_fail_general "Cannot substitute yaml: $inputfile"
                return 1
        fi
        kubectl $KUBECONF apply -f $outputfile &> tmp/kubeerr
        if [ $? -ne 0 ]; then
                __log_conf_fail_general "Cannot apply yaml: $outputfile"
                return 1
        fi
        __log_conf_ok
        return 0
}