From 5165fd15b7e71619f783b333e77ad589e589663f Mon Sep 17 00:00:00 2001 From: Paul Chaignon Date: Wed, 6 Dec 2023 15:14:49 +0100 Subject: [PATCH] connectivity: Add flag --expected-drop-reasons This new flag can be used to customize the set of expected reasons for packet drops, for the new test that ensure we don't have any unexpected packet drops. Signed-off-by: Paul Chaignon
---
 connectivity/check/check.go | 7 +++++--
 connectivity/suite.go | 2 +-
 connectivity/tests/errors.go | 19 +++++++++++++++----
 defaults/defaults.go | 5 +++++
 internal/cli/cmd/connectivity.go | 3 +++
 5 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/connectivity/check/check.go b/connectivity/check/check.go
index 25bdefc66c..a05347bd26 100644
--- a/connectivity/check/check.go
+++ b/connectivity/check/check.go
@@ -74,8 +74,11 @@ type Parameters struct {
 ConnDisruptTestRestartsPath string
 ConnDisruptTestXfrmErrorsPath string
 ConnDisruptDispatchInterval time.Duration
- FlushCT bool
- SecondaryNetworkIface string
+
+ ExpectedDropReasons []string
+
+ FlushCT bool
+ SecondaryNetworkIface string
 K8sVersion string
 HelmChartDirectory string
diff --git a/connectivity/suite.go b/connectivity/suite.go
index 49234627e8..e32d7bfa23 100644
--- a/connectivity/suite.go
+++ b/connectivity/suite.go
@@ -261,7 +261,7 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, addExtraTests func(*ch
 }
 }
- ct.NewTest("no-unexpected-packet-drops").WithScenarios(tests.NoUnexpectedPacketDrops())
+ ct.NewTest("no-unexpected-packet-drops").WithScenarios(tests.NoUnexpectedPacketDrops(ct.Params().ExpectedDropReasons))
 // Run all tests without any policies in place.
 noPoliciesScenarios := []check.Scenario{
diff --git a/connectivity/tests/errors.go b/connectivity/tests/errors.go
index 8d5146e6b0..348e7d00aa 100644
--- a/connectivity/tests/errors.go
+++ b/connectivity/tests/errors.go
@@ -5,6 +5,7 @@ package tests
 import (
 "context"
+ "fmt"
 "strings"
 "time"
@@ -76,11 +77,13 @@ func (n *noErrorsInLogs) Run(ctx context.Context, t *check.Test) {
 // NoUnexpectedPacketDrops checks whether there were no drops due to expected
 // packet drops.
-func NoUnexpectedPacketDrops() check.Scenario {
- return &noUnexpectedPacketDrops{}
+func NoUnexpectedPacketDrops(expectedDrops []string) check.Scenario {
+ return &noUnexpectedPacketDrops{expectedDrops}
 }
-type noUnexpectedPacketDrops struct{}
+type noUnexpectedPacketDrops struct {
+ expectedDrops []string
+}
 func (n *noUnexpectedPacketDrops) Name() string {
 return "no-unexpected-packet-drops"
@@ -88,9 +91,17 @@ func (n *noUnexpectedPacketDrops) Name() string {
 func (n *noUnexpectedPacketDrops) Run(ctx context.Context, t *check.Test) {
 ct := t.Context()
+
+ filter := ""
+ if len(n.expectedDrops) > 0 {
+ filter = fmt.Sprintf("%q", n.expectedDrops[0])
+ for _, reason := range n.expectedDrops[1:] {
+ filter = fmt.Sprintf("%s, %q", filter, reason)
+ }
+ }
 cmd := []string{
 "/bin/sh", "-c",
- "cilium metrics list -o json | jq '.[] | select((.name == \"cilium_drop_count_total\") and (.labels.reason | IN(\"Policy denied\", \"Policy denied by denylist\") | not))'",
+ fmt.Sprintf("cilium metrics list -o json | jq '.[] | select((.name == \"cilium_drop_count_total\") and (.labels.reason | IN(%s) | not))'", filter),
 }
 for _, pod := range ct.CiliumPods() {
diff --git a/defaults/defaults.go b/defaults/defaults.go
index 10cde1bcb6..70626a1d22 100644
--- a/defaults/defaults.go
+++ b/defaults/defaults.go
@@ -190,4 +190,9 @@ var (
 "authentication.mutual.spire.install.agent.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator=NotIn",
 "authentication.mutual.spire.install.agent.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].values[0]=true",
 }
+
+ ExpectedDropReasons = []string{
+ "Policy denied",
+ "Policy denied by denylist",
+ }
 )
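Review bot: In noUnexpectedPacketDrops.Run (connectivity/tests/errors.go) each flag-supplied reason is formatted with `%q` and spliced into the single-quoted `/bin/sh -c` script, so a reason containing `'` ends the shell quoting and the remainder is interpreted by the shell in the Cilium pod instead of by jq. Go's `%q` escaping is also not jq's JSON string syntax (escapes such as `\x` or `\a` are not valid there), and an empty list renders `IN()`, which jq is likely to reject as a syntax error rather than reporting every drop. I would reject reasons containing a single quote, encode the list with `encoding/json` (which would need importing) and let jq iterate the array, so the empty list becomes `IN([][])` and matches nothing. Run's body continues outside the hunk.

```go
// … unchanged: ct := t.Context() …
reasons := n.expectedDrops
if reasons == nil {
	reasons = []string{} // marshal as [] rather than null
}
for _, reason := range reasons {
	if strings.ContainsRune(reason, '\'') {
		// … fail the scenario: a single quote would end the sh -c quoting …
	}
}
filter, err := json.Marshal(reasons)
if err != nil {
	// … fail the scenario …
}
cmd := []string{
	"/bin/sh", "-c",
	fmt.Sprintf("cilium metrics list -o json | jq '.[] | select((.name == \"cilium_drop_count_total\") and (.labels.reason | IN(%s[]) | not))'", filter),
}
// … unchanged: loop over ct.CiliumPods() …
```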
diff --git a/internal/cli/cmd/connectivity.go b/internal/cli/cmd/connectivity.go
index 0e668cfe4a..23dea03992 100644
--- a/internal/cli/cmd/connectivity.go
+++ b/internal/cli/cmd/connectivity.go
@@ -190,6 +190,9 @@ func newCmdConnectivityTest(hooks Hooks) *cobra.Command {
 cmd.Flags().StringVar(¶ms.ConnDisruptTestRestartsPath, "conn-disrupt-test-restarts-path", "/tmp/cilium-conn-disrupt-restarts", "Conn disrupt test temporary result file (used internally)")
 cmd.Flags().StringVar(¶ms.ConnDisruptTestXfrmErrorsPath, "conn-disrupt-test-xfrm-errors-path", "/tmp/cilium-conn-disrupt-xfrm-errors", "Conn disrupt test temporary result file (used internally)")
 cmd.Flags().DurationVar(¶ms.ConnDisruptDispatchInterval, "conn-disrupt-dispatch-interval", 0, "TCP packet dispatch interval")
+
+ cmd.Flags().StringSliceVar(¶ms.ExpectedDropReasons, "expected-drop-reasons", defaults.ExpectedDropReasons, "List of expected drop reasons")
+
 cmd.Flags().BoolVar(¶ms.FlushCT, "flush-ct", false, "Flush conntrack of Cilium on each node")
 cmd.Flags().MarkHidden("flush-ct")
 cmd.Flags().StringVar(¶ms.SecondaryNetworkIface, "secondary-network-iface", "", "Secondary network iface name (e.g., to test NodePort BPF on multiple networks)")
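Review bot: The help text for `--expected-drop-reasons` in newCmdConnectivityTest does not say that passing the flag replaces the default list rather than extending it, so a run that adds one custom reason no longer tolerates the two policy-denied defaults. It also does not say that each value is matched exactly against the `reason` label of `cilium_drop_count_total`, or that every reason listed hides those drops from the no-unexpected-packet-drops test. I would spell this out in the usage string, e.g. `"Comma-separated drop reasons to tolerate (exact match on the metric's reason label; replaces the defaults)"`. The function starts and ends outside the hunk.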