From 0b1759deda854bbe4fc4c054871b454036b82612 Mon Sep 17 00:00:00 2001
From: Gilberto Bertin
Date: Mon, 23 Oct 2023 14:02:08 +0200
Subject: [PATCH] check: don't pass policy YAML to WithCiliumEgressPolicy()

As CiliumEgressGatewayPolicyParams allows now to use a single policy template across all test scenarios, stop passing the same policy template to all invocations of WithCiliumEgressPolicy()

Signed-off-by: Gilberto Bertin
---
 .../manifests/egress-gateway-policy.yaml | 0
 connectivity/check/test.go | 7 +++++--
 connectivity/suite.go | 9 +++-----
 connectivity/tests/egressgateway.go | 21 ++++++++++++-------
 4 files changed, 21 insertions(+), 16 deletions(-)
 rename connectivity/{ => check}/manifests/egress-gateway-policy.yaml (100%)

diff --git a/connectivity/manifests/egress-gateway-policy.yaml b/connectivity/check/manifests/egress-gateway-policy.yaml
similarity index 100%
rename from connectivity/manifests/egress-gateway-policy.yaml
rename to connectivity/check/manifests/egress-gateway-policy.yaml
diff --git a/connectivity/check/test.go b/connectivity/check/test.go
index a7f058168e..2f54078b77 100644
--- a/connectivity/check/test.go
+++ b/connectivity/check/test.go
@@ -37,6 +37,9 @@ import (
 "github.com/cloudflare/cfssl/signer/local"
 )

+//go:embed manifests/egress-gateway-policy.yaml
+var egressGatewayPolicyYAML string
+
 const (
 // KubernetesSourcedLabelPrefix is the optional prefix used in labels to
 // indicate they are sourced from Kubernetes.
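Review bot: The `//go:embed` directive added above `egressGatewayPolicyYAML` only compiles if connectivity/check/test.go imports the `embed` package, and most of the import block lies outside this hunk. The diffstat (5 additions, 2 deletions, all accounted for by the two visible hunks) shows that this commit adds no import to the file, so if `embed` is not already imported there, `_ "embed"` needs to be added to the import block. The new package-level variable is also undocumented; a comment such as `// egressGatewayPolicyYAML is the CiliumEgressGatewayPolicy template shared by all egress gateway tests.` placed above the directive would say why it lives in the check package.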
@@ -485,8 +488,8 @@ type CiliumEgressGatewayPolicyParams struct {
 // Test, to be applied when the test starts running. When calling this method,
 // note that the egress gateway enabled feature requirement is applied directly
 // here.
-func (t *Test) WithCiliumEgressGatewayPolicy(policy string, params CiliumEgressGatewayPolicyParams) *Test {
- pl, err := parseCiliumEgressGatewayPolicyYAML(policy)
+func (t *Test) WithCiliumEgressGatewayPolicy(params CiliumEgressGatewayPolicyParams) *Test {
+ pl, err := parseCiliumEgressGatewayPolicyYAML(egressGatewayPolicyYAML)
 if err != nil {
 t.Fatalf("Parsing policy YAML: %s", err)
 }
diff --git a/connectivity/suite.go b/connectivity/suite.go
index 37500b83fa..adfea3af1e 100644
--- a/connectivity/suite.go
+++ b/connectivity/suite.go
@@ -185,9 +185,6 @@ var (

 //go:embed manifests/echo-ingress-mutual-authentication.yaml
 echoIngressMutualAuthPolicyYAML string
-
- //go:embed manifests/egress-gateway-policy.yaml
- egressGatewayPolicyYAML string
 )

 var (
@@ -794,11 +791,11 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, addExtraTests func(*ch

 if ct.Params().IncludeUnsafeTests {
 ct.NewTest("egress-gateway").
- WithCiliumEgressGatewayPolicy(egressGatewayPolicyYAML, check.CiliumEgressGatewayPolicyParams{
+ WithCiliumEgressGatewayPolicy(check.CiliumEgressGatewayPolicyParams{
 Name: "cegp-sample-client",
 PodSelectorKind: "client",
 }).
- WithCiliumEgressGatewayPolicy(egressGatewayPolicyYAML, check.CiliumEgressGatewayPolicyParams{
+ WithCiliumEgressGatewayPolicy(check.CiliumEgressGatewayPolicyParams{
 Name: "cegp-sample-echo",
 PodSelectorKind: "echo",
 }).
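Review bot: Removing the `policy` parameter from the exported `WithCiliumEgressGatewayPolicy` in connectivity/check/test.go changes the method's signature, so any caller outside the files touched here will stop compiling and can no longer supply its own template. `Run` in suite.go accepts an `addExtraTests` hook, which suggests out-of-tree tests may exist, so the change is worth stating explicitly in the release notes. The doc comment, which starts outside this hunk, should also say where the policy now comes from, for example `// The policy is parsed from the embedded manifests/egress-gateway-policy.yaml template and customised through params.`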
@@ -812,7 +809,7 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, addExtraTests func(*ch

 if versioncheck.MustCompile(">=1.14.0")(ct.CiliumVersion) {
 ct.NewTest("egress-gateway-excluded-cidrs").
- WithCiliumEgressGatewayPolicy(egressGatewayPolicyYAML, check.CiliumEgressGatewayPolicyParams{
+ WithCiliumEgressGatewayPolicy(check.CiliumEgressGatewayPolicyParams{
 Name: "cegp-sample-client",
 PodSelectorKind: "client",
 ExcludedCIDRs: check.ExternalNodeExcludedCIDRs,
diff --git a/connectivity/tests/egressgateway.go b/connectivity/tests/egressgateway.go
index 1078569f9b..db174cf687 100644
--- a/connectivity/tests/egressgateway.go
+++ b/connectivity/tests/egressgateway.go
@@ -37,10 +37,11 @@ func (e *bpfEgressGatewayPolicyEntry) matches(t bpfEgressGatewayPolicyEntry) boo
 t.GatewayIP == e.GatewayIP
 }

-// waitForBpfPolicyEntries waits for the egress gateway policy maps on each node to be populated with the entries for
-// the cegp-sample CiliumEgressGatewayExcludedCIDRsPolicy
+// waitForBpfPolicyEntries waits for the egress gateway policy maps on each node to be populated with the entries
+// returned by the targetEntriesCallback
 func waitForBpfPolicyEntries(ctx context.Context, t *check.Test,
- targetEntriesCallback func(ciliumPod check.Pod) []bpfEgressGatewayPolicyEntry) {
+ targetEntriesCallback func(ciliumPod check.Pod) []bpfEgressGatewayPolicyEntry,
+) {
 ct := t.Context()

 w := wait.NewObserver(ctx, wait.Parameters{Timeout: 10 * time.Second})
@@ -132,12 +133,17 @@ func extractClientIPFromResponse(res string) net.IP {
 return net.ParseIP(clientIP.ClientIP).To4()
 }

-// EgressGateway is a test case which, given the cegp-sample CiliumEgressGatewayPolicy targeting:
+// EgressGateway is a test case which, given the cegp-sample-client CiliumEgressGatewayPolicy targeting:
 // - a couple of client pods (kind=client) as source
 // - the 0.0.0.0/0 destination CIDR
 // - kind-worker2 as gateway node
 //
-// This suite tests connectivity for:
+// and the cegp-sample-echo CiliumEgressGatewayPolicy targeting:
+// - the echo service pods (kind=echo) as source
+// - the 0.0.0.0/0 destination CIDR
+// - kind-worker2 as gateway node
+//
+// tests connectivity for:
 // - pod to host traffic
 // - pod to service traffic
 // - pod to external IP traffic
@@ -290,15 +296,14 @@ func (s *egressGateway) Run(ctx context.Context, t *check.Test) {
 }
 }

-// EgressGatewayExcludedCIDRs is a test case which, given the cegp-sample-excluded-cidrs CiliumEgressGatewayPolicy
+// EgressGatewayExcludedCIDRs is a test case which, given the cegp-sample CiliumEgressGatewayPolicy targeting:
 // targeting:
 // - a couple of client pods (kind=client) as source
 // - the 0.0.0.0/0 destination CIDR
 // - the IP of the external node as excluded CIDR
 // - kind-worker2 as gateway node
 //
-// This suite tests tests the excludedCIDRs property and ensure traffic matching
-// an excluded CIDR does not get masqueraded with the egress IP.
+// This suite tests the excludedCIDRs property and ensure traffic matching an excluded CIDR does not get masqueraded with the egress IP
 func EgressGatewayExcludedCIDRs() check.Scenario {
 return &egressGatewayExcludedCIDRs{}
 }
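Review bot: In the second hunk of this line (`@@ -290,15 +296,14 @@`), the rewritten first line of the EgressGatewayExcludedCIDRs doc comment now ends in `targeting:` while the unchanged next line is still `// targeting:`, so the word appears twice. The comment also names the policy `cegp-sample`, whereas the matching call in suite.go creates it with `Name: "cegp-sample-client"`. I would write the first line as `// EgressGatewayExcludedCIDRs is a test case which, given the cegp-sample-client CiliumEgressGatewayPolicy` and the last as `// This suite tests the excludedCIDRs property and ensures traffic matching an excluded CIDR does not get masqueraded with the egress IP.`, which also fixes the verb agreement and restores the final period.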