Skip to content

fix: fixes test which fails for distroless#56965

Merged
istio-testing merged 1 commit intoistio:masterfrom
nilekhc:nilekh/t/fix-crl-integration-test
Jul 11, 2025
Merged

fix: fixes test which fails for distroless#56965
istio-testing merged 1 commit intoistio:masterfrom
nilekhc:nilekh/t/fix-crl-integration-test

Conversation

@nilekhc
Copy link
Copy Markdown
Contributor

@nilekhc nilekhc commented Jul 10, 2025
edited by istio-policy-bot
Loading

Please provide a description of this PR:

This PR fixes CRL integration tests for distroless image.

Fixes #56964

@nilekhc
fix: fixes test which fails for distroless
5e9f671 
Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com>
@nilekhc nilekhc requested a review from a team as a code owner July 10, 2025 17:51
@istio-policy-bot istio-policy-bot added area/security release-notes-none Indicates a PR that does not require release notes. labels Jul 10, 2025
@istio-testing istio-testing added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jul 10, 2025
nilekhc
nilekhc commented Jul 10, 2025
View reviewed changes
tests/integration/security/crl/util/cert.go

// verify CRL is updated in workloads
retry.UntilSuccessOrFail(t, func() error {
return verifyCRLInWorkloads(t, bundle.crlPEM, instances...)
Copy link
Copy Markdown
Contributor Author

@nilekhc nilekhc Jul 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The volume mount check fails in distroless images since we can’t exec into the container to read the volume. This check was an extra measure to validate volume mount updates, but it’s usually unnecessary as the pod updates the ConfigMap in the volume within ~100ms. Removing this check and instead adding retry.UntilSuccessOrFail in the test to validate the call, ensuring we retry in case the volume mount hasn’t been updated yet.

jaellio
jaellio reviewed Jul 11, 2025
View reviewed changes
tests/integration/security/crl/crl_test.go
opts.Check = check.Error()
t.Logf("testing mTLS call after CRL update, expecting failure")
client.CallOrFail(t, opts)
retry.UntilSuccessOrFail(t, func() error {
Copy link
Copy Markdown
Contributor

@jaellio jaellio Jul 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this need to be wrapped in a retry? Do we do this elsewhere?

Copy link
Copy Markdown
Contributor Author

@nilekhc nilekhc Jul 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is to make sure we do not fail on first try if volume mount is not yet updated.

Removing this check and instead adding retry.UntilSuccessOrFail in the test to validate the call, ensuring we retry in case the volume mount hasn’t been updated yet.

@nilekhc
Copy link
Copy Markdown
Contributor Author

nilekhc commented Jul 11, 2025

/retest

1 similar comment
@nilekhc
Copy link
Copy Markdown
Contributor Author

nilekhc commented Jul 11, 2025

/retest

@istio-testing istio-testing merged commit c7fc80e into istio:master Jul 11, 2025
31 checks passed
@nilekhc nilekhc deleted the nilekh/t/fix-crl-integration-test branch July 11, 2025 16:12
@keithmattix keithmattix added the cherrypick/release-1.27 Set this label on a PR to auto-merge it to the release-1.27 branch label Jul 12, 2025
@istio-testing
Copy link
Copy Markdown
Collaborator

istio-testing commented Jul 12, 2025

In response to a cherrypick label: new pull request created: #56989

@istio-testing istio-testing mentioned this pull request Jul 12, 2025
Merged
fjglira pushed a commit to fjglira/istio that referenced this pull request Sep 26, 2025
Automator: merge upstream changes to openshift-service-mesh/istio@master
3a3260c 
* upstream/master: (21 commits)
  feat: skip queue for status updates on gw (istio#56962)
  Automator: update proxy@master in istio/istio@master (istio#56993)
  Automator: update proxy@master in istio/istio@master (istio#56990)
  Change host iptables rule addition from Append to Insert to ensure Istio's rules take precedence (istio#56414)
  support specifying proxy admin port for describe (istio#56854)
  support reset log level or stack trace level separately for admin log (istio#56642)
  improve example format for istioctl x describe (istio#56951)
  Automator: update ztunnel@master in istio/istio@master (istio#56971)
  Remove flaky test (istio#56919)
  fix: fixes test which fails for distroless (istio#56965)
  Automator: update proxy@master in istio/istio@master (istio#56969)
  Ambient Multicluster SplitHorizon WDS Implementation (istio#56844)
  Fix log message in cni install.go file (istio#56966)
  add env vars for ip auto allocate ipv4/v6 cidr prefixes (istio#56276)
  Update BASE_VERSION to master-2025-07-10T19-01-16 (istio#56967)
  Add AllowCRDsMismatch parameter to gateway conformance options. (istio#56945)
  Revert "feat: represent revision tags using services (istio#56851)" (istio#56941)
  Automator: update proxy@master in istio/istio@master (istio#56954)
  Automator: update istio/client-go@master dependency in istio/istio@master (istio#56911)
  Automator: update common-files@master in istio/istio@master (istio#56952)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jaellio jaellio jaellio approved these changes

Assignees

No one assigned

Labels

area/security cherrypick/release-1.27 Set this label on a PR to auto-merge it to the release-1.27 branch release-notes-none Indicates a PR that does not require release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Fix CRL integration tests for distroless

5 participants

@nilekhc @istio-testing @jaellio @keithmattix @istio-policy-bot