From ed905013731dd03c39ca1be8cdcaf257a24dbade Mon Sep 17 00:00:00 2001
From: Clay Kauzlaric
Date: Mon, 12 Jun 2023 12:24:31 -0400
Subject: [PATCH] wip: add script to run internal encryption e2e tests
---
 test/e2e-internal-encryption-tests.sh | 70 ++++++++++++++++++++++++++-
 1 file changed, 69 insertions(+), 1 deletion(-)
diff --git a/test/e2e-internal-encryption-tests.sh b/test/e2e-internal-encryption-tests.sh
index 37e94c6f31b3..6099658ce0d5 100755
--- a/test/e2e-internal-encryption-tests.sh
+++ b/test/e2e-internal-encryption-tests.sh
@@ -14,6 +14,74 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-echo "TODO(KauzClay): Implement Me!"
+source $(dirname $0)/e2e-common.sh
+
+function setup_internal_encryption_env_variables() {
+ export TLS_TEST_NAMESPACE="tls"
+
+ local INGRESS_NAMESPACE=${GATEWAY_NAMESPACE_OVERRIDE}
+ if [[ -z "${GATEWAY_NAMESPACE_OVERRIDE}" ]]; then
+ INGRESS_NAMESPACE="istio-system"
+ fi
+ local INGRESS_SERVICE=${GATEWAY_OVERRIDE}
+ if [[ -z "${GATEWAY_OVERRIDE}" ]]; then
+ INGRESS_SERVICE="istio-ingressgateway"
+ fi
+ local IP=$(kubectl get svc -n ${INGRESS_NAMESPACE} ${INGRESS_SERVICE} -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
+ export INTERNAL_ENCRYPTION_TEST_INGRESS_IP=${IP}
+}
+
+function setup_internal_encryption() {
+ toggle_feature dataplane-trust enabled config-network
+
+ sleep 5
+
+ # with the current implementation, Activator is always in the request path, and needs to be restarted after configuring dataplane-trust
+ kubectl -n ${SYSTEM_NAMESPACE} delete pod -l app=activator
+}
+
+function cleanup_internal_encryption() {
+ toggle_feature dataplane-trust disabled config-network
+
+ sleep 5
+
+ # with the current implementation, Activator is always in the request path, and needs to be restarted after configuring dataplane-trust
+ kubectl -n ${SYSTEM_NAMESPACE} delete pod -l app=activator
+}
+
+# Script entry point.
+initialize "$@" --skip-istio-addon --min-nodes=4 --max-nodes=4 --enable-ha --cluster-version=1.25
+
+# Run the tests
+header "Running tests"
+
+failed=0
+
+# Currently only Contour and Kourier implement the alpha features.
+alpha=""
+if [[ -z "${INGRESS_CLASS}" \
+ || "${INGRESS_CLASS}" == "contour.ingress.networking.knative.dev" \
+ || "${INGRESS_CLASS}" == "kourier.ingress.networking.knative.dev" ]]; then
+ alpha="--enable-alpha"
+fi
+
+INTERNAL_ENCRYPTION_TEST_OPTIONS="${INTERNAL_ENCRYPTION_TEST_OPTIONS:-${alpha} --enable-beta}"
+
+# Auto TLS E2E tests mutate the cluster and must be ran separately
+# because they need auto-tls and cert-manager specific configurations
+subheader "Setup internal encryption"
+setup_internal_encryption
+add_trap "cleanup_internal_encryption" EXIT SIGKILL SIGTERM SIGQUIT
+
+(( failed )) && fail_test
+
+subheader "Cleanup internal encryption"
+cleanup_internal_encryption
+
+# Remove the kail log file if the test flow passes.
+# This is for preventing too many large log files to be uploaded to GCS in CI.
+rm "${ARTIFACTS}/k8s.log-$(basename "${E2E_SCRIPT}").txt"
+success
+
 exit 0
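Review bot: Nothing between `failed=0` and `(( failed )) && fail_test` runs a test, so the script always reaches `success` and CI would show a green internal-encryption job that has verified nothing about TLS on the data path. `INTERNAL_ENCRYPTION_TEST_OPTIONS` is computed and `setup_internal_encryption_env_variables` is defined, but neither is used anywhere in this hunk. Until the test invocation lands, make the placeholder fail closed, e.g. `failed=1  # no internal-encryption tests are run yet; do not report success`, and later set it from the test runner's exit status. Separately, `SIGKILL` in the `add_trap` list cannot be caught by a shell trap, so cleanup will not run on a kill, and on the normal path `cleanup_internal_encryption` appears to run twice (the explicit call plus the EXIT trap).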