Add additional tests for ingress recipes.

* Add ingress-asm-multi=backendconfig
* Add ingress-cloudarmor test.
* Add ingress-custom-default-backend test.
* Add ingress-custom-http-health-check test.
* Add ingress-https test.
* Add ingress-iap test.
* Add ingress-nginx test.

.gitignore

@@ -5,4 +5,4 @@ asm/
 .key
 .pem
 certs/
-test/test.conf
+test/test.conf

ingress/single-cluster/ingress-asm-multi-backendconfig/cleanup.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+source ./test/test.conf
+test_name="ingress-asm-multi-backendconfig"
+suffix=$(get_hash "${test_name}")
+project=$( gcloud config get-value project 2>&1 | head -n 1 )
+context=$(kubectl config view -o json | jq -r ".contexts[] | select(.name | test(\"-${suffix}\")).name" || true)
+# Set a non-empty value for conext since --context="" will default to use current context
+if [[ -z "${context}" ]]; then
+    context="empty-context"
+fi
+
+ingress_name="cloudarmor-test"
+fr=$(get_forwarding_rule "${ingress_name}" "${test_name}" "${context}")
+thp=$(get_target_http_proxy "${ingress_name}" "${test_name}" "${context}")
+thsp=$(get_target_https_proxy "${ingress_name}" "${test_name}" "${context}")
+um=$(get_url_map "${ingress_name}" "${test_name}" "${context}")
+backends=$(get_backends "${ingress_name}" "${test_name}" "${context}")
+negs=$(get_negs "${context}")
+
+kubectl --context "${context}" delete -f ingress/single-cluster/ingress-asm-multi-backendconfig/backend-services.yaml -n "${test_name}" || true
+kubectl --context "${context}" delete -f ingress/single-cluster/ingress-asm-multi-backendconfig/istio-ingressgateway-service.yaml -n "${test_name}" || true
+kubectl --context "${context}" delete -f ingress/single-cluster/ingress-asm-multi-backendconfig/asm/samples/gateways/istio-ingressgateway/serviceaccount.yaml -n "${test_name}" || true
+kubectl --context "${context}" delete -f ingress/single-cluster/ingress-asm-multi-backendconfig/asm/samples/gateways/istio-ingressgateway/role.yaml -n "${test_name}" || true
+kubectl --context "${context}" delete -f ingress/single-cluster/ingress-asm-multi-backendconfig/asm/samples/gateways/istio-ingressgateway/deployment.yaml -n "${test_name}" || true
+kubectl --context "${context}" label namespace "${test_name}" istio-injection- || true
+kubectl --context "${context}" delete secret my-cert -n "${test_name}" || true
+kubectl --context "${context}" delete secret my-secret -n "${test_name}" || true
+rm -f key.pem
+rm -f certificate.pem
+wait_for_glbc_deletion "${fr}" "${thp}" "${thsp}" "${um}" "${backends}" "${negs}"
+
+brand=$(get_or_create_oauth_brand)
+result=( $(get_oauth_client "${brand}" "${test_name}") )
+oauth_client_name="${result[0]}"
+gcloud iap oauth-clients delete "${oauth_client_name}" --brand="${brand}" --quiet || true
+
+rm -rf ./ingress/single-cluster/ingress-asm-multi-backendconfig/asm
+rm -rf ./ingress/single-cluster/ingress-asm-multi-backendconfig/asmcli
+
+kubectl --context "${context}" delete namespace "${test_name}" || true
+
+cleanup_gke_basic "${test_name}" "${zone}" "${subnet_region}"
+rm -rf istio-1.19.3/

ingress/single-cluster/ingress-asm-multi-backendconfig/run-test.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+source ./test/test.conf
+test_name="ingress-asm-multi-backendconfig"
+suffix=$(get_hash "${test_name}")
+context=$(kubectl config view -o json | jq -r ".contexts[] | select(.name | test(\"-${suffix}\")).name" || true)
+# Set a non-empty value for conext since --context="" will default to use current context
+if [[ -z "${context}" ]]; then
+    context="empty-context"
+fi
+
+vip=$(wait_for_ingress_ip "ingressgateway" "${test_name}" "${context}")
+echo "Load balancer IP is ${vip}"
+check_http_status "${vip}" 404
+
+kubectl apply -f ./ingress/single-cluster/ingress-asm-multi-backendconfig/backend-services.yaml -n "${test_name}"
+check_http_status "${vip}" 200 "host: foo.example.com"
+check_http_status "${vip}" 302 "host: bar.example.com"

ingress/single-cluster/ingress-asm-multi-backendconfig/setup.sh

@@ -0,0 +1,104 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+source ./test/test.conf
+test_name="ingress-asm-multi-backendconfig"
+suffix=$(get_hash "${test_name}")
+project=$( gcloud config get-value project 2>&1 | head -n 1 )
+
+resource_name="gke-net-recipes-${suffix}"
+network="${resource_name}"
+subnet="${resource_name}"
+instance="${resource_name}"
+cluster="${resource_name}"
+gcloud compute networks create "${network}" --subnet-mode="custom"
+gcloud compute networks subnets create "${subnet}" \
+    --network="${network}" \
+    --region="${subnet_region}" \
+    --range="10.1.2.0/24"
+gcloud compute instances create "${instance}" \
+    --zone="${zone}" \
+    --network="${network}" \
+    --subnet="${subnet}" \
+    --image-family="debian-11" \
+    --image-project="debian-cloud" \
+    --tags="allow-ssh"
+gcloud container clusters create "${cluster}" \
+    --zone="${zone}" \
+    --enable-ip-alias \
+    --machine-type="e2-standard-4" \
+    --workload-pool="${project}.svc.id.goog" \
+    --release-channel rapid \
+    --network="${network}" \
+    --subnetwork="${subnet}"
+gcloud container clusters get-credentials "${cluster}" --zone="${zone}"
+
+echo "y" | curl -L https://istio.io/downloadIstio | sh -
+export PATH=$PWD/istio-1.19.3/bin:$PATH
+istioctl install --set profile=demo -y
+
+context=$(kubectl config view -o json | jq -r ".contexts[] | select(.name | test(\"-${suffix}\")).name" || true)
+# Set a non-empty value for conext since --context="" will default to use current context
+if [[ -z "${context}" ]]; then
+    context="empty-context"
+fi
+
+kubectl --context "${context}" create namespace "${test_name}"
+
+asmcli="ingress/single-cluster/ingress-asm-multi-backendconfig/asmcli"
+curl https://storage.googleapis.com/csm-artifacts/asm/asmcli_1.18 > "${asmcli}"
+chmod +x "${asmcli}"
+
+# Answer y during installation.
+echo "y" | ./"${asmcli}" install \
+    --project_id "${project}" \
+    --cluster_location us-west1-a \
+    --cluster_name "${cluster}" \
+    --enable_all \
+    --output_dir "./ingress/single-cluster/ingress-asm-multi-backendconfig/asm"
+
+brand=$(get_or_create_oauth_brand)
+result=( $(get_oauth_client "${brand}" "${test_name}") )
+client_id="${result[1]}"
+secret="${result[2]}"
+
+kubectl --context "${context}" create secret generic my-secret \
+   --from-literal=client_id="${client_id}" \
+   --from-literal=client_secret="${secret}" \
+   -n "${test_name}"
+
+openssl req -newkey rsa:2048 -nodes \
+            -keyout key.pem -x509 \
+            -days 365 -out certificate.pem \
+            -subj "/CN=foo.example.com" \
+            -addext "subjectAltName=DNS:foo.example.com,DNS:bar.example.com"
+kubectl --context "${context}" create secret tls my-cert \
+    --key=key.pem \
+    --cert=certificate.pem \
+    -n "${test_name}"
+
+kubectl --context "${context}" label namespace "${test_name}" istio-injection=enabled --overwrite
+kubectl --context "${context}" apply -f ingress/single-cluster/ingress-asm-multi-backendconfig/asm/samples/gateways/istio-ingressgateway/serviceaccount.yaml -n "${test_name}"
+kubectl --context "${context}" apply -f ingress/single-cluster/ingress-asm-multi-backendconfig/asm/samples/gateways/istio-ingressgateway/role.yaml -n "${test_name}"
+kubectl --context "${context}" apply -f ingress/single-cluster/ingress-asm-multi-backendconfig/asm/samples/gateways/istio-ingressgateway/deployment.yaml -n "${test_name}"
+resource_yaml="ingress/single-cluster/ingress-asm-multi-backendconfig/istio-ingressgateway-service.yaml"
+kubectl --context "${context}" apply -f "${resource_yaml}" -n "${test_name}"

ingress/single-cluster/ingress-cloudarmor/cleanup.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+source ./test/test.conf
+test_name="ingress-cloudarmor"
+suffix=$(get_hash "${test_name}")
+context=$(kubectl config view -o json | jq -r ".contexts[] | select(.name | test(\"-${suffix}\")).name" || true)
+# Set a non-empty value for conext since --context="" will default to use current context
+if [[ -z "${context}" ]]; then
+    context="empty-context"
+fi
+
+ingress_name="cloudarmor-test"
+fr=$(get_forwarding_rule "${ingress_name}" "${test_name}" "${context}")
+thp=$(get_target_http_proxy "${ingress_name}" "${test_name}" "${context}")
+thsp=$(get_target_https_proxy "${ingress_name}" "${test_name}" "${context}")
+um=$(get_url_map "${ingress_name}" "${test_name}" "${context}")
+backends=$(get_backends "${ingress_name}" "${test_name}" "${context}")
+negs=$(get_negs "${context}")
+
+resource_yaml="ingress/single-cluster/ingress-cloudarmor/cloudarmor-ingress.yaml"
+kubectl --context "${context}" delete -f "${resource_yaml}" -n "${test_name}" || true
+kubectl --context "${context}" delete namespace "${test_name}" || true
+wait_for_glbc_deletion "${fr}" "${thp}" "${thsp}" "${um}" "${backends}" "${negs}"
+
+policy_name="allow-my-ip"
+sed -i'.bak' "s/${policy_name}/\$POLICY_NAME/g" "${resource_yaml}"
+rm -f "${resource_yaml}".bak
+gcloud compute security-policies delete "${policy_name}" --quiet || true
+
+cleanup_gke_basic "${test_name}" "${zone}" "${subnet_region}"

ingress/single-cluster/ingress-cloudarmor/run-test.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+source ./test/test.conf
+test_name="ingress-cloudarmor"
+suffix=$(get_hash "${test_name}")
+context=$(kubectl config view -o json | jq -r ".contexts[] | select(.name | test(\"-${suffix}\")).name" || true)
+# Set a non-empty value for conext since --context="" will default to use current context
+if [[ -z "${context}" ]]; then
+    context="empty-context"
+fi
+
+vip=$(wait_for_ingress_ip "cloudarmor-test" "${test_name}" "${context}")
+echo "Load balancer IP is ${vip}"
+
+check_http_status "${vip}/whereami" 200
+check_http_status "${vip}" 404
+check_http_status "${vip}/whereami" 502 "" "${test_name}" "${zone}"
+check_http_status "${vip}" 404 "" "${test_name}" "${zone}"

ingress/single-cluster/ingress-cloudarmor/setup.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+source ./test/test.conf
+test_name="ingress-cloudarmor"
+setup_gke_basic "${test_name}" "${zone}" "${subnet_region}"
+suffix=$(get_hash "${test_name}")
+context=$(kubectl config view -o json | jq -r ".contexts[] | select(.name | test(\"-${suffix}\")).name" || true)
+# Set a non-empty value for conext since --context="" will default to use current context
+if [[ -z "${context}" ]]; then
+    context="empty-context"
+fi
+
+resource_yaml="ingress/single-cluster/ingress-cloudarmor/cloudarmor-ingress.yaml"
+kubectl --context "${context}" create namespace "${test_name}"
+
+currentIP=$(curl -s ifconfig.me)
+policy_name="allow-my-ip"
+gcloud compute security-policies create "${policy_name}"
+gcloud compute security-policies rules update 2147483647  --security-policy "${policy_name}" --action "deny-502" # Update the default policy(2147483647 is the priority value for default rule).
+gcloud compute security-policies rules create 1000 --security-policy "${policy_name}" --src-ip-ranges "${currentIP}" --action "allow"
+sed -i'.bak' "s/\$POLICY_NAME/${policy_name}/g" "${resource_yaml}"
+
+kubectl --context "${context}" apply -f "${resource_yaml}" -n "${test_name}"

ingress/single-cluster/ingress-custom-default-backend/cleanup.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+source ./test/test.conf
+test_name="ingress-custom-default-backend"
+suffix=$(get_hash "${test_name}")
+context=$(kubectl config view -o json | jq -r ".contexts[] | select(.name | test(\"-${suffix}\")).name" || true)
+# Set a non-empty value for conext since --context="" will default to use current context
+if [[ -z "${context}" ]]; then
+    context="empty-context"
+fi
+
+ingress_name="foo-internal"
+fr=$(get_forwarding_rule "${ingress_name}" "${test_name}" "${context}")
+thp=$(get_target_http_proxy "${ingress_name}" "${test_name}" "${context}")
+thsp=$(get_target_https_proxy "${ingress_name}" "${test_name}" "${context}")
+um=$(get_url_map "${ingress_name}" "${test_name}" "${context}")
+backends=$(get_backends "${ingress_name}" "${test_name}" "${context}")
+negs=$(get_negs "${context}")
+
+resource_yaml="ingress/single-cluster/ingress-custom-default-backend/ingress-custom-default-backend.yaml"
+kubectl --context "${context}" delete -f "${resource_yaml}" -n "${test_name}" || true
+kubectl --context "${context}" delete namespace "${test_name}" || true
+wait_for_glbc_deletion "${fr}" "${thp}" "${thsp}" "${um}" "${backends}" "${negs}"
+
+cleanup_gke_basic "${test_name}" "${zone}" "${subnet_region}"