cilium · jibi · Jan 5, 2024 · Oct 23, 2023 · Oct 23, 2023 · Oct 23, 2023
@@ -1,17 +1,16 @@
 apiVersion: cilium.io/v2
 kind: CiliumEgressGatewayPolicy
 metadata:
-  name: cegp-sample-excluded-cidrs
+  name: # set by the check package in WithCiliumEgressGatewayPolicy()
 spec:
   selectors:
   - podSelector:
       matchLabels:
         io.kubernetes.pod.namespace: cilium-test
-        kind: client
+        kind: # set by the check package in WithCiliumEgressGatewayPolicy()
   destinationCIDRs:
   - 0.0.0.0/0
-  excludedCIDRs:
-  - NODE_WITHOUT_CILIUM_PLACEHOLDER/32
+  excludedCIDRs: # set by the check package in WithCiliumEgressGatewayPolicy()
   egressGateway:
     nodeSelector:
       matchLabels:

@@ -52,6 +52,9 @@ const (
 var (
 	//go:embed assets/cacert.pem
 	caBundle []byte
+
+	//go:embed manifests/egress-gateway-policy.yaml
+	egressGatewayPolicyYAML string
 )
 
 type Test struct {
@@ -460,25 +463,36 @@ func (t *Test) WithK8SPolicy(policy string) *Test {
 	return t
 }
 
+type ExcludedCIDRsKind int
+
 const (
-	NoExcludedCIDRs = iota
+	// NoExcludedCIDRs does not configure any excluded CIDRs in the policy
+	NoExcludedCIDRs ExcludedCIDRsKind = iota
+
+	// ExternalNodeExcludedCIDRs adds the IPs of the external nodes (i.e the ones with the "cilium.io/no-schedule" label) to the list of excluded CIDRs
 	ExternalNodeExcludedCIDRs
 )
 
 // CiliumEgressGatewayPolicyParams is used to configure how a CiliumEgressGatewayPolicy template should be configured
 // before being applied.
 type CiliumEgressGatewayPolicyParams struct {
-	// ExcludedCIDRs controls how the ExcludedCIDRs property should be configured
-	ExcludedCIDRs int
+	// Name controls the name of the policy
+	Name string
+
+	// PodSelectorKind is used to select the client pods. The parameter is used to select pods with a matching "kind" label
+	PodSelectorKind string
+
+	// ExcludedCIDRsConf controls how the ExcludedCIDRsConf property should be configured
+	ExcludedCIDRsConf ExcludedCIDRsKind
 }
 
 // WithCiliumEgressGatewayPolicy takes a string containing a YAML policy
 // document and adds the cilium egress gateway polic(y)(ies) to the scope of the
 // Test, to be applied when the test starts running. When calling this method,
 // note that the egress gateway enabled feature requirement is applied directly
 // here.
-func (t *Test) WithCiliumEgressGatewayPolicy(policy string, params CiliumEgressGatewayPolicyParams) *Test {
-	pl, err := parseCiliumEgressGatewayPolicyYAML(policy)
+func (t *Test) WithCiliumEgressGatewayPolicy(params CiliumEgressGatewayPolicyParams) *Test {
+	pl, err := parseCiliumEgressGatewayPolicyYAML(egressGatewayPolicyYAML)
 	if err != nil {
 		t.Fatalf("Parsing policy YAML: %s", err)
 	}
@@ -498,6 +512,12 @@ func (t *Test) WithCiliumEgressGatewayPolicy(policy string, params CiliumEgressG
 			}
 		}
 
+		// Set the policy name
+		pl[i].Name = params.Name
+
+		// Set the pod selector
+		pl[i].Spec.Selectors[0].PodSelector.MatchLabels["kind"] = params.PodSelectorKind
+
 		// Set the egress gateway node
 		egressGatewayNode := t.EgressGatewayNode()
 		if egressGatewayNode == "" {
@@ -509,7 +529,7 @@ func (t *Test) WithCiliumEgressGatewayPolicy(policy string, params CiliumEgressG
 		// Set the excluded CIDRs
 		pl[i].Spec.ExcludedCIDRs = []v2.IPv4CIDR{}
 
-		switch params.ExcludedCIDRs {
+		switch params.ExcludedCIDRsConf {
 		case ExternalNodeExcludedCIDRs:
 			for _, nodeWithoutCiliumIP := range t.Context().params.NodesWithoutCiliumIPs {
 				if parsedIP := net.ParseIP(nodeWithoutCiliumIP.IP); parsedIP.To4() == nil {

@@ -185,12 +185,6 @@ var (
 
 	//go:embed manifests/echo-ingress-mutual-authentication.yaml
 	echoIngressMutualAuthPolicyYAML string
-
-	//go:embed manifests/egress-gateway-policy.yaml
-	egressGatewayPolicyYAML string
-
-	//go:embed manifests/egress-gateway-policy-excluded-cidrs.yaml
-	egressGatewayPolicyExcludedCIDRsYAML string
 )
 
 var (
@@ -796,7 +790,14 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, addExtraTests func(*ch
 
 	if ct.Params().IncludeUnsafeTests {
 		ct.NewTest("egress-gateway").
-			WithCiliumEgressGatewayPolicy(egressGatewayPolicyYAML, check.CiliumEgressGatewayPolicyParams{}).
+			WithCiliumEgressGatewayPolicy(check.CiliumEgressGatewayPolicyParams{
+				Name:            "cegp-sample-client",
+				PodSelectorKind: "client",
+			}).
+			WithCiliumEgressGatewayPolicy(check.CiliumEgressGatewayPolicyParams{
+				Name:            "cegp-sample-echo",
+				PodSelectorKind: "echo",
+			}).
 			WithIPRoutesFromOutsideToPodCIDRs().
 			WithFeatureRequirements(features.RequireEnabled(features.EgressGateway),
 				features.RequireEnabled(features.NodeWithoutCilium)).
@@ -807,8 +808,11 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, addExtraTests func(*ch
 
 	if versioncheck.MustCompile(">=1.14.0")(ct.CiliumVersion) {
 		ct.NewTest("egress-gateway-excluded-cidrs").
-			WithCiliumEgressGatewayPolicy(egressGatewayPolicyExcludedCIDRsYAML,
-				check.CiliumEgressGatewayPolicyParams{ExcludedCIDRs: check.ExternalNodeExcludedCIDRs}).
+			WithCiliumEgressGatewayPolicy(check.CiliumEgressGatewayPolicyParams{
+				Name:              "cegp-sample-client",
+				PodSelectorKind:   "client",
+				ExcludedCIDRsConf: check.ExternalNodeExcludedCIDRs,
+			}).
 			WithFeatureRequirements(features.RequireEnabled(features.EgressGateway),
 				features.RequireEnabled(features.NodeWithoutCilium)).
 			WithScenarios(

@@ -37,10 +37,11 @@ func (e *bpfEgressGatewayPolicyEntry) matches(t bpfEgressGatewayPolicyEntry) boo
 		t.GatewayIP == e.GatewayIP
 }
 
-// waitForBpfPolicyEntries waits for the egress gateway policy maps on each node to be populated with the entries for
-// the cegp-sample CiliumEgressGatewayExcludedCIDRsPolicy
-func waitForBpfPolicyEntries(ctx context.Context, t *check.Test,
-	targetEntriesCallback func(ciliumPod check.Pod) []bpfEgressGatewayPolicyEntry) {
+// WaitForEgressGatewayBpfPolicyEntries waits for the egress gateway policy maps on each node to WaitForEgressGatewayBpfPolicyEntries
+// with the entries returned by the targetEntriesCallback
+func WaitForEgressGatewayBpfPolicyEntries(ctx context.Context, t *check.Test,
+	targetEntriesCallback func(ciliumPod check.Pod) []bpfEgressGatewayPolicyEntry,
+) {
 	ct := t.Context()
 
 	w := wait.NewObserver(ctx, wait.Parameters{Timeout: 10 * time.Second})
@@ -132,12 +133,17 @@ func extractClientIPFromResponse(res string) net.IP {
 	return net.ParseIP(clientIP.ClientIP).To4()
 }
 
-// EgressGateway is a test case which, given the cegp-sample CiliumEgressGatewayPolicy targeting:
+// EgressGateway is a test case which, given the cegp-sample-client CiliumEgressGatewayPolicy targeting:
 // - a couple of client pods (kind=client) as source
 // - the 0.0.0.0/0 destination CIDR
 // - kind-worker2 as gateway node
 //
-// This suite tests connectivity for:
+// and the cegp-sample-echo CiliumEgressGatewayPolicy targeting:
+// - the echo service pods (kind=echo) as source
+// - the 0.0.0.0/0 destination CIDR
+// - kind-worker2 as gateway node
+//
+// tests connectivity for:
 // - pod to host traffic
 // - pod to service traffic
 // - pod to external IP traffic
@@ -166,7 +172,7 @@ func (s *egressGateway) Run(ctx context.Context, t *check.Test) {
 		t.Fatal("Cannot get egress gateway node internal IP")
 	}
 
-	waitForBpfPolicyEntries(ctx, t, func(ciliumPod check.Pod) []bpfEgressGatewayPolicyEntry {
+	WaitForEgressGatewayBpfPolicyEntries(ctx, t, func(ciliumPod check.Pod) []bpfEgressGatewayPolicyEntry {
 		targetEntries := []bpfEgressGatewayPolicyEntry{}
 
 		egressIP := "0.0.0.0"
@@ -290,15 +296,14 @@ func (s *egressGateway) Run(ctx context.Context, t *check.Test) {
 	}
 }
 
-// EgressGatewayExcludedCIDRs is a test case which, given the cegp-sample-excluded-cidrs CiliumEgressGatewayPolicy
+// EgressGatewayExcludedCIDRs is a test case which, given the cegp-sample CiliumEgressGatewayPolicy targeting:
 // targeting:
 // - a couple of client pods (kind=client) as source
 // - the 0.0.0.0/0 destination CIDR
 // - the IP of the external node as excluded CIDR
 // - kind-worker2 as gateway node
 //
-// This suite tests tests the excludedCIDRs property and ensure traffic matching
-// an excluded CIDR does not get masqueraded with the egress IP.
+// This suite tests the excludedCIDRs property and ensure traffic matching an excluded CIDR does not get masqueraded with the egress IP
 func EgressGatewayExcludedCIDRs() check.Scenario {
 	return &egressGatewayExcludedCIDRs{}
 }
@@ -322,7 +327,7 @@ func (s *egressGatewayExcludedCIDRs) Run(ctx context.Context, t *check.Test) {
 		t.Fatal("Cannot get egress gateway node internal IP")
 	}
 
-	waitForBpfPolicyEntries(ctx, t, func(ciliumPod check.Pod) []bpfEgressGatewayPolicyEntry {
+	WaitForEgressGatewayBpfPolicyEntries(ctx, t, func(ciliumPod check.Pod) []bpfEgressGatewayPolicyEntry {
 		targetEntries := []bpfEgressGatewayPolicyEntry{}
 
 		egressIP := "0.0.0.0"