From 78f7d32073aac08c86e679b4f04e955f606a7fd0 Mon Sep 17 00:00:00 2001 From: Silvia Tarabova Date: Fri, 12 Jun 2026 09:42:53 +0200 Subject: [PATCH 1/3] feat(tests): handle clusters without OSSM Istio installation Signed-off-by: Silvia Tarabova --- pyproject.toml | 1 + testsuite/tests/conftest.py | 17 +++++++++ .../identity/x509/test_xfcc_forwarding.py | 2 +- .../gateway/mtls/test_mtls_behaviour.py | 2 +- .../gateway/mtls/test_mtls_configuration.py | 2 +- .../test_kuadrant_tracing.py | 38 ++++++++++++------- .../test_kuadrant_tracing_rate_limit_only.py | 18 ++++++--- 7 files changed, 58 insertions(+), 22 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index cf71956b1..ecdc2ff0c 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -65,6 +65,7 @@ markers = [ "egress_gateway: Test is using egress gateway", "min_ocp_version: Minimum OpenShift version required for test (e.g., @pytest.mark.min_ocp_version((4, 20)))", "gateway_api_version: Gateway API version requirement (e.g., @pytest.mark.gateway_api_version((1, 5, 0)) or @pytest.mark.gateway_api_version((1, 5, 0), operator.eq))", + "required_ossm: Test requires user-managed OSSM3 Istio that can be modified (skipped with Gateway API-managed Istio)", ] filterwarnings = [ "ignore: WARNING the new order is not taken into account:UserWarning", diff --git a/testsuite/tests/conftest.py b/testsuite/tests/conftest.py index 5a22b8728..4e7a89bec 100644 --- a/testsuite/tests/conftest.py +++ b/testsuite/tests/conftest.py @@ -446,3 +446,20 @@ def check_min_ocp_version(request, openshift_version): pytest.skip("Could not detect OpenShift version") if openshift_version < required_version: pytest.skip(f"Requires OCP {'.'.join(map(str, required_version))}+") + + +@pytest.fixture(scope="session") +def has_ossm(cluster): + """True if a full OSSM3 Istio installation exists (not just Gateway API-managed Istio)""" + with cluster.context: + istios = selector("Istio", all_namespaces=True).objects() + return bool(istios) and not any(i.name() == "openshift-gateway" for i in istios) + + +@pytest.fixture(autouse=True) +def check_required_ossm(request, has_ossm, skip_or_fail): + """Skip tests that require a user-managed OSSM3 Istio (e.g. mTLS, sidecar injection). + Gateway API-managed Istio does not allow modifications to the Istio CR.""" + marker = request.node.get_closest_marker("required_ossm") + if marker and not has_ossm: + skip_or_fail("Test requires user-managed OSSM3 Istio; Gateway API-managed Istio cannot be modified") diff --git a/testsuite/tests/singlecluster/authorino/identity/x509/test_xfcc_forwarding.py b/testsuite/tests/singlecluster/authorino/identity/x509/test_xfcc_forwarding.py index 7380baea6..18bab860a 100644 --- a/testsuite/tests/singlecluster/authorino/identity/x509/test_xfcc_forwarding.py +++ b/testsuite/tests/singlecluster/authorino/identity/x509/test_xfcc_forwarding.py @@ -12,7 +12,7 @@ from testsuite.gateway.gateway_api.gateway import KuadrantGateway from .conftest import XFCC_HEADER_NAME -pytestmark = [pytest.mark.authorino, pytest.mark.kuadrant_only] +pytestmark = [pytest.mark.authorino, pytest.mark.kuadrant_only, pytest.mark.required_ossm] @pytest.fixture(scope="module") diff --git a/testsuite/tests/singlecluster/gateway/mtls/test_mtls_behaviour.py b/testsuite/tests/singlecluster/gateway/mtls/test_mtls_behaviour.py index 8395995b3..6ddf5d7db 100644 --- a/testsuite/tests/singlecluster/gateway/mtls/test_mtls_behaviour.py +++ b/testsuite/tests/singlecluster/gateway/mtls/test_mtls_behaviour.py @@ -4,7 +4,7 @@ import pytest -pytestmark = [pytest.mark.disruptive] +pytestmark = [pytest.mark.disruptive, pytest.mark.required_ossm] component_cases = [ pytest.param(["limitador"], id="limitador-only"), diff --git a/testsuite/tests/singlecluster/gateway/mtls/test_mtls_configuration.py b/testsuite/tests/singlecluster/gateway/mtls/test_mtls_configuration.py index 0953c7bc6..b5d7363d5 100644 --- a/testsuite/tests/singlecluster/gateway/mtls/test_mtls_configuration.py +++ b/testsuite/tests/singlecluster/gateway/mtls/test_mtls_configuration.py @@ -5,7 +5,7 @@ import pytest from openshift_client import selector -pytestmark = [pytest.mark.disruptive] +pytestmark = [pytest.mark.disruptive, pytest.mark.required_ossm] component_cases = [ pytest.param(["limitador"], id="limitador-only"), diff --git a/testsuite/tests/singlecluster/tracing/data_plane_tracing/test_kuadrant_tracing.py b/testsuite/tests/singlecluster/tracing/data_plane_tracing/test_kuadrant_tracing.py index 9ff86b214..ecae0daf8 100644 --- a/testsuite/tests/singlecluster/tracing/data_plane_tracing/test_kuadrant_tracing.py +++ b/testsuite/tests/singlecluster/tracing/data_plane_tracing/test_kuadrant_tracing.py @@ -3,6 +3,10 @@ This module validates that tracing correctly captures request flows through the entire Kuadrant stack, including wasm-shim, Authorino, Limitador, and gateway services. + +With Gateway API-managed Istio, gateway traces are not available because the Istio CR cannot be +modified to enable tracing (meshConfig.enableTracing, extensionProviders) and the Telemetry +resource cannot be created. Gateway service assertions are conditional on has_ossm. """ import os @@ -39,37 +43,39 @@ def trace_request_ids(client, auth): @pytest.fixture(scope="module") -def trace_200(trace_request_ids, tracing): +def trace_200(trace_request_ids, tracing, has_ossm): """Fetches and caches the full wasm-shim trace for the 200 response.""" request_id = trace_request_ids[0] - traces = tracing.get_traces(service="wasm-shim", min_processes=4, tags={"request_id": request_id}) + min_procs = 4 if has_ossm else 3 + traces = tracing.get_traces(service="wasm-shim", min_processes=min_procs, tags={"request_id": request_id}) assert len(traces) == 1, f"No trace was found in tracing backend with request_id: {request_id}" return traces[0] @pytest.fixture(scope="module") -def trace_429(trace_request_ids, tracing): +def trace_429(trace_request_ids, tracing, has_ossm): """Fetches and caches the full wasm-shim trace for the 429 response.""" request_id = trace_request_ids[1] - traces = tracing.get_traces(service="wasm-shim", min_processes=4, tags={"request_id": request_id}) + min_procs = 4 if has_ossm else 3 + traces = tracing.get_traces(service="wasm-shim", min_processes=min_procs, tags={"request_id": request_id}) assert len(traces) == 1, f"No trace was found in tracing backend with request_id: {request_id}" return traces[0] @pytest.fixture(scope="module") -def trace_401(client, tracing): - """ - Sends request producing 401 response and fetches the full wasm-shim trace""" +def trace_401(client, tracing, has_ossm): + """Sends request producing 401 response and fetches the full wasm-shim trace""" response_401 = client.get("/get", headers={"Traceparent": f"00-{os.urandom(16).hex()}-{os.urandom(8).hex()}-01"}) assert response_401.status_code == 401 request_id = response_401.headers.get("x-request-id") - traces = tracing.get_traces(service="wasm-shim", min_processes=3, tags={"request_id": request_id}) + min_procs = 3 if has_ossm else 2 + traces = tracing.get_traces(service="wasm-shim", min_processes=min_procs, tags={"request_id": request_id}) assert len(traces) == 1, f"No trace was found in tracing backend with request_id: {request_id}" return traces[0] -def test_trace_includes_all_kuadrant_services(trace_200, label): +def test_trace_includes_all_kuadrant_services(trace_200, label, has_ossm): """ Test that distributed tracing captures all Kuadrant components in a single trace. @@ -78,28 +84,32 @@ def test_trace_includes_all_kuadrant_services(trace_200, label): - wasm-shim: WASM plugin processing requests - authorino: Authorization service - limitador: Rate limiting service - - gateway: Istio/Envoy gateway service + - gateway: Istio/Envoy gateway service (only with full OSSM3) """ process_services = trace_200.get_process_services() - services = ["wasm-shim", "authorino", "limitador", f"{label}.kuadrant"] + services = ["wasm-shim", "authorino", "limitador"] + if has_ossm: + services.append(f"{label}.kuadrant") for service in services: assert service in process_services, f"Service '{service}' not found in trace processes: {process_services}" -def test_relevant_services_on_auth_denied(trace_401, label): +def test_relevant_services_on_auth_denied(trace_401, label, has_ossm): """ Test that auth-denied traces only include services up to the authorization step. When a request is rejected with 401, the trace should contain wasm-shim and authorino but not limitador, since the request is short-circuited before reaching the rate limiter. - Note: gateway service is not included since the request was sent without traceparent header. + Gateway service is only present with full OSSM3 Istio installation. """ process_services = trace_401.get_process_services() - services = ["wasm-shim", "authorino", f"{label}.kuadrant"] + services = ["wasm-shim", "authorino"] + if has_ossm: + services.append(f"{label}.kuadrant") for service in services: assert service in process_services, f"Service '{service}' not found in trace processes: {process_services}" diff --git a/testsuite/tests/singlecluster/tracing/data_plane_tracing/test_kuadrant_tracing_rate_limit_only.py b/testsuite/tests/singlecluster/tracing/data_plane_tracing/test_kuadrant_tracing_rate_limit_only.py index 980c22d5c..5b1de8f0b 100644 --- a/testsuite/tests/singlecluster/tracing/data_plane_tracing/test_kuadrant_tracing_rate_limit_only.py +++ b/testsuite/tests/singlecluster/tracing/data_plane_tracing/test_kuadrant_tracing_rate_limit_only.py @@ -1,5 +1,9 @@ """ Tests for distributed tracing with only a RateLimitPolicy configured (no AuthPolicy). + +With Gateway API-managed Istio, gateway traces are not available because the Istio CR cannot be +modified to enable tracing (meshConfig.enableTracing, extensionProviders) and the Telemetry +resource cannot be created. Gateway service assertions are conditional on has_ossm. """ import os @@ -28,7 +32,7 @@ def commit(request, rate_limit): @pytest.fixture(scope="module") -def trace_429(client, tracing): +def trace_429(client, tracing, has_ossm): """ Sends requests to exhaust the rate limit, produces a 429 response, and fetches the full wasm-shim trace. @@ -40,19 +44,23 @@ def trace_429(client, tracing): assert response_429.status_code == 429 request_id = response_429.headers.get("x-request-id") - traces = tracing.get_traces(service="wasm-shim", min_processes=3, tags={"request_id": request_id}) + min_procs = 3 if has_ossm else 2 + traces = tracing.get_traces(service="wasm-shim", min_processes=min_procs, tags={"request_id": request_id}) assert len(traces) == 1, f"No trace was found in tracing backend with request_id: {request_id}" return traces[0] -def test_relevant_services_rate_limit_only(trace_429, label): +def test_relevant_services_rate_limit_only(trace_429, label, has_ossm): """ - Test that traces with only a RateLimitPolicy include all relevant services (wasm-shim, limitador, and gateway). + Test that traces with only a RateLimitPolicy include relevant Kuadrant services. + Gateway service is only present with full OSSM3 Istio installation. Trace should not contain authorino since no authorization is involved. """ process_services = trace_429.get_process_services() - services = ["wasm-shim", "limitador", f"{label}.kuadrant"] + services = ["wasm-shim", "limitador"] + if has_ossm: + services.append(f"{label}.kuadrant") for service in services: assert service in process_services, f"Service '{service}' not found in trace processes: {process_services}" From 32575883d486bb0215c875bdae60c5e8ae9a2d0a Mon Sep 17 00:00:00 2001 From: Silvia Tarabova Date: Fri, 12 Jun 2026 14:33:51 +0200 Subject: [PATCH 2/3] feat(collector): detect Istio installation type in info collector Signed-off-by: Silvia Tarabova --- testsuite/component_metadata.py | 25 +++++++++++++++++++++++++ testsuite/tests/info_collector.py | 18 +++++++++++++----- 2 files changed, 38 insertions(+), 5 deletions(-) diff --git a/testsuite/component_metadata.py b/testsuite/component_metadata.py index aa6a7cb14..db5f76c97 100644 --- a/testsuite/component_metadata.py +++ b/testsuite/component_metadata.py @@ -127,6 +127,31 @@ def get_component_images(project) -> list[tuple]: return images + @staticmethod + def get_istio_type(cluster) -> tuple[str, Optional[str]]: + """Determine Istio installation type and namespace from cluster-wide Istio CRs. + + Returns (istio_type, namespace) where istio_type is one of: + - "gateway-api-managed" with namespace from the Istio CR spec + - "user-managed-ossm" with namespace from the Istio CR spec + - "none" with None + """ + try: + with cluster.context: + istios = oc.selector("Istio", all_namespaces=True).objects() + if not istios: + return "none", None + gateway_istio = next((i for i in istios if i.name() == "openshift-gateway"), None) + if gateway_istio: + return "gateway-api-managed", gateway_istio.model.spec.namespace + ossm_istio = next((i for i in istios if i.name() == "default"), None) + if ossm_istio: + return "user-managed-ossm", ossm_istio.model.spec.namespace + return "none", None + except (oc.OpenShiftPythonException, AttributeError, KeyError) as e: + logger.warning("Failed to detect Istio type: %s", e) + return "none", None + @staticmethod def get_istio_metadata(project) -> dict[str, str]: """Get Istio version and istiod image from the cluster.""" diff --git a/testsuite/tests/info_collector.py b/testsuite/tests/info_collector.py index b2b0b95c0..6fde2d743 100644 --- a/testsuite/tests/info_collector.py +++ b/testsuite/tests/info_collector.py @@ -130,14 +130,22 @@ def test_kuadrant_properties(record_testsuite_property): def test_istio_properties(record_testsuite_property): - """Record Istio related properties from all clusters.""" + """Record Istio installation type and metadata from all clusters.""" properties = [] cluster_data = {} - for cluster_name, _, project in _all_cluster_projects("istio-system"): - if project is None: - cluster_data[cluster_name] = ["namespace 'istio-system' not found"] + for cluster_name, cluster, _ in _all_cluster_projects("default"): + istio_type, namespace = ReportPortalMetadataCollector.get_istio_type(cluster) + cluster_data[cluster_name] = [f"istio_type:{istio_type}"] + properties.append(("istio_type", istio_type)) + + if namespace is None: continue - cluster_data[cluster_name] = [] + + project = cluster.change_project(namespace) + if not project.connected: + cluster_data[cluster_name].append(f"namespace '{namespace}' not found") + continue + istio_metadata = ReportPortalMetadataCollector.get_istio_metadata(project) for key, value in istio_metadata.items(): cluster_data[cluster_name].append(f"{key}:{value}") From db48de8039cfe09a9fdf39c9da10da954c2cdcfa Mon Sep 17 00:00:00 2001 From: Silvia Tarabova Date: Mon, 15 Jun 2026 15:48:59 +0200 Subject: [PATCH 3/3] refactor: rename OSSM marker to user_managed_istio Signed-off-by: Silvia Tarabova --- pyproject.toml | 2 +- testsuite/component_metadata.py | 15 +++++----- testsuite/tests/conftest.py | 16 +++++------ .../identity/x509/test_xfcc_forwarding.py | 2 +- .../gateway/mtls/test_mtls_behaviour.py | 2 +- .../gateway/mtls/test_mtls_configuration.py | 2 +- .../test_kuadrant_tracing.py | 28 +++++++++---------- .../test_kuadrant_tracing_rate_limit_only.py | 14 +++++----- 8 files changed, 40 insertions(+), 41 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index ecdc2ff0c..93d1860ce 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -65,7 +65,7 @@ markers = [ "egress_gateway: Test is using egress gateway", "min_ocp_version: Minimum OpenShift version required for test (e.g., @pytest.mark.min_ocp_version((4, 20)))", "gateway_api_version: Gateway API version requirement (e.g., @pytest.mark.gateway_api_version((1, 5, 0)) or @pytest.mark.gateway_api_version((1, 5, 0), operator.eq))", - "required_ossm: Test requires user-managed OSSM3 Istio that can be modified (skipped with Gateway API-managed Istio)", + "user_managed_istio: Test requires user-managed Istio that can be modified (skipped with OCP-managed Istio)", ] filterwarnings = [ "ignore: WARNING the new order is not taken into account:UserWarning", diff --git a/testsuite/component_metadata.py b/testsuite/component_metadata.py index db5f76c97..e70122a95 100644 --- a/testsuite/component_metadata.py +++ b/testsuite/component_metadata.py @@ -132,8 +132,8 @@ def get_istio_type(cluster) -> tuple[str, Optional[str]]: """Determine Istio installation type and namespace from cluster-wide Istio CRs. Returns (istio_type, namespace) where istio_type is one of: - - "gateway-api-managed" with namespace from the Istio CR spec - - "user-managed-ossm" with namespace from the Istio CR spec + - "ocp-managed" with namespace from the Istio CR spec + - "user-managed" with namespace from the Istio CR spec - "none" with None """ try: @@ -143,14 +143,13 @@ def get_istio_type(cluster) -> tuple[str, Optional[str]]: return "none", None gateway_istio = next((i for i in istios if i.name() == "openshift-gateway"), None) if gateway_istio: - return "gateway-api-managed", gateway_istio.model.spec.namespace - ossm_istio = next((i for i in istios if i.name() == "default"), None) - if ossm_istio: - return "user-managed-ossm", ossm_istio.model.spec.namespace - return "none", None + return "ocp-managed", gateway_istio.model.spec.namespace + default_istio = next((i for i in istios if i.name() == "default"), None) + if default_istio: + return "user-managed", default_istio.model.spec.namespace except (oc.OpenShiftPythonException, AttributeError, KeyError) as e: logger.warning("Failed to detect Istio type: %s", e) - return "none", None + return "none", None @staticmethod def get_istio_metadata(project) -> dict[str, str]: diff --git a/testsuite/tests/conftest.py b/testsuite/tests/conftest.py index 4e7a89bec..e8c596182 100644 --- a/testsuite/tests/conftest.py +++ b/testsuite/tests/conftest.py @@ -449,17 +449,17 @@ def check_min_ocp_version(request, openshift_version): @pytest.fixture(scope="session") -def has_ossm(cluster): - """True if a full OSSM3 Istio installation exists (not just Gateway API-managed Istio)""" +def has_user_managed_istio(cluster): + """True if a user-managed Istio installation exists (not OCP-managed Istio)""" with cluster.context: istios = selector("Istio", all_namespaces=True).objects() return bool(istios) and not any(i.name() == "openshift-gateway" for i in istios) @pytest.fixture(autouse=True) -def check_required_ossm(request, has_ossm, skip_or_fail): - """Skip tests that require a user-managed OSSM3 Istio (e.g. mTLS, sidecar injection). - Gateway API-managed Istio does not allow modifications to the Istio CR.""" - marker = request.node.get_closest_marker("required_ossm") - if marker and not has_ossm: - skip_or_fail("Test requires user-managed OSSM3 Istio; Gateway API-managed Istio cannot be modified") +def check_user_managed_istio(request, has_user_managed_istio, skip_or_fail): + """Skip tests that require a user-managed Istio (e.g. mTLS, sidecar injection). + OCP-managed Istio does not allow modifications to the Istio CR.""" + marker = request.node.get_closest_marker("user_managed_istio") + if marker and not has_user_managed_istio: + skip_or_fail("Test requires user-managed Istio installation") diff --git a/testsuite/tests/singlecluster/authorino/identity/x509/test_xfcc_forwarding.py b/testsuite/tests/singlecluster/authorino/identity/x509/test_xfcc_forwarding.py index 18bab860a..c438a7836 100644 --- a/testsuite/tests/singlecluster/authorino/identity/x509/test_xfcc_forwarding.py +++ b/testsuite/tests/singlecluster/authorino/identity/x509/test_xfcc_forwarding.py @@ -12,7 +12,7 @@ from testsuite.gateway.gateway_api.gateway import KuadrantGateway from .conftest import XFCC_HEADER_NAME -pytestmark = [pytest.mark.authorino, pytest.mark.kuadrant_only, pytest.mark.required_ossm] +pytestmark = [pytest.mark.authorino, pytest.mark.kuadrant_only, pytest.mark.user_managed_istio] @pytest.fixture(scope="module") diff --git a/testsuite/tests/singlecluster/gateway/mtls/test_mtls_behaviour.py b/testsuite/tests/singlecluster/gateway/mtls/test_mtls_behaviour.py index 6ddf5d7db..cb1e5ee2c 100644 --- a/testsuite/tests/singlecluster/gateway/mtls/test_mtls_behaviour.py +++ b/testsuite/tests/singlecluster/gateway/mtls/test_mtls_behaviour.py @@ -4,7 +4,7 @@ import pytest -pytestmark = [pytest.mark.disruptive, pytest.mark.required_ossm] +pytestmark = [pytest.mark.disruptive, pytest.mark.user_managed_istio] component_cases = [ pytest.param(["limitador"], id="limitador-only"), diff --git a/testsuite/tests/singlecluster/gateway/mtls/test_mtls_configuration.py b/testsuite/tests/singlecluster/gateway/mtls/test_mtls_configuration.py index b5d7363d5..f18a391c7 100644 --- a/testsuite/tests/singlecluster/gateway/mtls/test_mtls_configuration.py +++ b/testsuite/tests/singlecluster/gateway/mtls/test_mtls_configuration.py @@ -5,7 +5,7 @@ import pytest from openshift_client import selector -pytestmark = [pytest.mark.disruptive, pytest.mark.required_ossm] +pytestmark = [pytest.mark.disruptive, pytest.mark.user_managed_istio] component_cases = [ pytest.param(["limitador"], id="limitador-only"), diff --git a/testsuite/tests/singlecluster/tracing/data_plane_tracing/test_kuadrant_tracing.py b/testsuite/tests/singlecluster/tracing/data_plane_tracing/test_kuadrant_tracing.py index ecae0daf8..28338c6fb 100644 --- a/testsuite/tests/singlecluster/tracing/data_plane_tracing/test_kuadrant_tracing.py +++ b/testsuite/tests/singlecluster/tracing/data_plane_tracing/test_kuadrant_tracing.py @@ -4,9 +4,9 @@ This module validates that tracing correctly captures request flows through the entire Kuadrant stack, including wasm-shim, Authorino, Limitador, and gateway services. -With Gateway API-managed Istio, gateway traces are not available because the Istio CR cannot be +With OCP-managed Istio, gateway traces are not available because the Istio CR cannot be modified to enable tracing (meshConfig.enableTracing, extensionProviders) and the Telemetry -resource cannot be created. Gateway service assertions are conditional on has_ossm. +resource cannot be created. Gateway service assertions are conditional on user-managed Istio. """ import os @@ -43,39 +43,39 @@ def trace_request_ids(client, auth): @pytest.fixture(scope="module") -def trace_200(trace_request_ids, tracing, has_ossm): +def trace_200(trace_request_ids, tracing, has_user_managed_istio): """Fetches and caches the full wasm-shim trace for the 200 response.""" request_id = trace_request_ids[0] - min_procs = 4 if has_ossm else 3 + min_procs = 4 if has_user_managed_istio else 3 traces = tracing.get_traces(service="wasm-shim", min_processes=min_procs, tags={"request_id": request_id}) assert len(traces) == 1, f"No trace was found in tracing backend with request_id: {request_id}" return traces[0] @pytest.fixture(scope="module") -def trace_429(trace_request_ids, tracing, has_ossm): +def trace_429(trace_request_ids, tracing, has_user_managed_istio): """Fetches and caches the full wasm-shim trace for the 429 response.""" request_id = trace_request_ids[1] - min_procs = 4 if has_ossm else 3 + min_procs = 4 if has_user_managed_istio else 3 traces = tracing.get_traces(service="wasm-shim", min_processes=min_procs, tags={"request_id": request_id}) assert len(traces) == 1, f"No trace was found in tracing backend with request_id: {request_id}" return traces[0] @pytest.fixture(scope="module") -def trace_401(client, tracing, has_ossm): +def trace_401(client, tracing, has_user_managed_istio): """Sends request producing 401 response and fetches the full wasm-shim trace""" response_401 = client.get("/get", headers={"Traceparent": f"00-{os.urandom(16).hex()}-{os.urandom(8).hex()}-01"}) assert response_401.status_code == 401 request_id = response_401.headers.get("x-request-id") - min_procs = 3 if has_ossm else 2 + min_procs = 3 if has_user_managed_istio else 2 traces = tracing.get_traces(service="wasm-shim", min_processes=min_procs, tags={"request_id": request_id}) assert len(traces) == 1, f"No trace was found in tracing backend with request_id: {request_id}" return traces[0] -def test_trace_includes_all_kuadrant_services(trace_200, label, has_ossm): +def test_trace_includes_all_kuadrant_services(trace_200, label, has_user_managed_istio): """ Test that distributed tracing captures all Kuadrant components in a single trace. @@ -84,31 +84,31 @@ def test_trace_includes_all_kuadrant_services(trace_200, label, has_ossm): - wasm-shim: WASM plugin processing requests - authorino: Authorization service - limitador: Rate limiting service - - gateway: Istio/Envoy gateway service (only with full OSSM3) + - gateway: Istio/Envoy gateway service (only with user-managed Istio) """ process_services = trace_200.get_process_services() services = ["wasm-shim", "authorino", "limitador"] - if has_ossm: + if has_user_managed_istio: services.append(f"{label}.kuadrant") for service in services: assert service in process_services, f"Service '{service}' not found in trace processes: {process_services}" -def test_relevant_services_on_auth_denied(trace_401, label, has_ossm): +def test_relevant_services_on_auth_denied(trace_401, label, has_user_managed_istio): """ Test that auth-denied traces only include services up to the authorization step. When a request is rejected with 401, the trace should contain wasm-shim and authorino but not limitador, since the request is short-circuited before reaching the rate limiter. - Gateway service is only present with full OSSM3 Istio installation. + Gateway service is only present with user-managed Istio. """ process_services = trace_401.get_process_services() services = ["wasm-shim", "authorino"] - if has_ossm: + if has_user_managed_istio: services.append(f"{label}.kuadrant") for service in services: assert service in process_services, f"Service '{service}' not found in trace processes: {process_services}" diff --git a/testsuite/tests/singlecluster/tracing/data_plane_tracing/test_kuadrant_tracing_rate_limit_only.py b/testsuite/tests/singlecluster/tracing/data_plane_tracing/test_kuadrant_tracing_rate_limit_only.py index 5b1de8f0b..7b213fe93 100644 --- a/testsuite/tests/singlecluster/tracing/data_plane_tracing/test_kuadrant_tracing_rate_limit_only.py +++ b/testsuite/tests/singlecluster/tracing/data_plane_tracing/test_kuadrant_tracing_rate_limit_only.py @@ -1,9 +1,9 @@ """ Tests for distributed tracing with only a RateLimitPolicy configured (no AuthPolicy). -With Gateway API-managed Istio, gateway traces are not available because the Istio CR cannot be +With OCP-managed Istio, gateway traces are not available because the Istio CR cannot be modified to enable tracing (meshConfig.enableTracing, extensionProviders) and the Telemetry -resource cannot be created. Gateway service assertions are conditional on has_ossm. +resource cannot be created. Gateway service assertions are conditional on user-managed Istio. """ import os @@ -32,7 +32,7 @@ def commit(request, rate_limit): @pytest.fixture(scope="module") -def trace_429(client, tracing, has_ossm): +def trace_429(client, tracing, has_user_managed_istio): """ Sends requests to exhaust the rate limit, produces a 429 response, and fetches the full wasm-shim trace. @@ -44,22 +44,22 @@ def trace_429(client, tracing, has_ossm): assert response_429.status_code == 429 request_id = response_429.headers.get("x-request-id") - min_procs = 3 if has_ossm else 2 + min_procs = 3 if has_user_managed_istio else 2 traces = tracing.get_traces(service="wasm-shim", min_processes=min_procs, tags={"request_id": request_id}) assert len(traces) == 1, f"No trace was found in tracing backend with request_id: {request_id}" return traces[0] -def test_relevant_services_rate_limit_only(trace_429, label, has_ossm): +def test_relevant_services_rate_limit_only(trace_429, label, has_user_managed_istio): """ Test that traces with only a RateLimitPolicy include relevant Kuadrant services. - Gateway service is only present with full OSSM3 Istio installation. + Gateway service is only present with user-managed Istio. Trace should not contain authorino since no authorization is involved. """ process_services = trace_429.get_process_services() services = ["wasm-shim", "limitador"] - if has_ossm: + if has_user_managed_istio: services.append(f"{label}.kuadrant") for service in services: assert service in process_services, f"Service '{service}' not found in trace processes: {process_services}"