serving: Address istio mesh e2e mesh failures

/area test-and-release /area networking /kind cleanup /kind good-first-issue

Expected Behavior

e2e tests pass when running our e2e tests with istio and the local gateway disabled (mesh only) with mTLS enabled (STRICT). At a minimum we should be skipping tests we know that will fail when strict mTLS is enabled.

This also affects DomainMapping but that’s being tracked by https://github.com/knative-sandbox/net-istio/issues/562.

Actual Behavior

The following tests will always fail since we have global mTLS turned on (STRICT)

test/e2e: TestSvcToSvcViaActivator/both-disabled
test/e2e: TestSvcToSvcViaActivator/a-disabled
test/e2e: TestCallToPublicService/local_address

Steps to Reproduce the Problem

Ensure your net-istio latest/stable mesh has the right PeerAuthentication to ensure global mTLS is on ie. https://github.com/knative-sandbox/net-istio/pull/617
Once https://github.com/knative/serving/pull/11175 merges open a PR with a noop change and run

/test pull-knative-serving-istio-latest-mesh
/test pull-knative-serving-istio-stable-mesh

Additional Info

About this issue

Original URL
State: closed
Created 3 years ago
Comments: 25 (22 by maintainers)

Commits related to this issue

Add short option to scale test This patch adds short option to e2e test and support it on scale test. Please see https://github.com/knative/serving/issues/11286 for the discussion. — committed to nak3/serving by nak3 3 years ago
Add short option to scale test (#11571) * Add short option to scale test This patch adds short option to e2e test and support it on scale test. Please see https://github.com/knative/serving/issues/... — committed to knative/serving by nak3 3 years ago

Most upvoted comments

So we will proceed this issue by the following steps:

Do not enable local-gateway.mesh in e2e (remove it from net-istio).
Consider (open an issue/send a mail knative-user@) to deprecate local-gateway.mesh option. (The deprecation was mentioned in https://github.com/knative-sandbox/net-istio/issues/562#issuecomment-809934621. And we should deprecate it as we no longer test it.)
Add a new test to verify svc-to-svc in mesh does not use local gateway.

I will send the PRs so please help your reviews 🙏

nak3 on Jun 14, 2021

Now, mesh test fails with only scale-200. HA test and TestHPAAutoscaleUpDownUp fails sometime but it was also caused by scale-200 test 😓 (It can be fixed by tweaking the test order as https://github.com/knative/serving/pull/11552).

Should we close this issue? Or keep open until scale-200 test could be fixed?

nak3 on Jun 28, 2021

Thanks all, sorry for dropping the ball on the previous PR (got busy with other things and then went on vacation for 2 weeks). Sounds like we’re going with a different solution and assign this issue to kenjiro.

/assign @nak3

arturenault on Jun 14, 2021