connectivity/tests: omit IPs and vendor names from test names

Construct the test names using the generic string "external" and the IP
that is actually used, e.g. using the external IP 1.2.3.4 would lead to
the test being named "external-1234".

Also change all references to specific IP addresses from the tests and
manifests and replace them by External{,Other}{IP,CIDR} placeholders.

Fixes #1542

Signed-off-by: Tobias Klauser <[email protected]>

connectivity/manifests/client-egress-to-cidr-1111-deny.yaml → connectivity/manifests/client-egress-to-cidr-external-deny.yaml

@@ -1,8 +1,6 @@
 # This policy denies packets towards {{.ExternalOtherIP}}, but not {{.ExternalIP}}
 # Please note that if there is no other allowed rule, the policy
 # will be automatically denied {{.ExternalIP}} as well.
-#
-# Both addresses are owned by CloudFlare/APNIC.
 apiVersion: "cilium.io/v2"
 kind: CiliumNetworkPolicy
 metadata:

connectivity/manifests/client-egress-to-cidr-1111.yaml → connectivity/manifests/client-egress-to-cidr-external.yaml

@@ -1,5 +1,4 @@
 # This policy allows packets towards {{.ExternalIP}}, but not {{.ExternalOtherIP}}.
-# Both addresses are owned by CloudFlare/APNIC.
 apiVersion: "cilium.io/v2"
 kind: CiliumNetworkPolicy
 metadata:

connectivity/suite.go

@@ -101,14 +101,14 @@ var (
 	//go:embed manifests/client-egress-to-entities-world.yaml
 	clientEgressToEntitiesWorldPolicyYAML string
 
-	//go:embed manifests/client-egress-to-cidr-1111.yaml
-	clientEgressToCIDR1111PolicyYAML string
+	//go:embed manifests/client-egress-to-cidr-external.yaml
+	clientEgressToCIDRExternalPolicyYAML string
 
-	//go:embed manifests/client-egress-to-cidr-1111-knp.yaml
-	clientEgressToCIDR1111PolicyKNPYAML string
+	//go:embed manifests/client-egress-to-cidr-external-knp.yaml
+	clientEgressToCIDRExternalPolicyKNPYAML string
 
-	//go:embed manifests/client-egress-to-cidr-1111-deny.yaml
-	clientEgressToCIDR1111DenyPolicyYAML string
+	//go:embed manifests/client-egress-to-cidr-external-deny.yaml
+	clientEgressToCIDRExternalDenyPolicyYAML string
 
 	//go:embed manifests/client-egress-l7-http.yaml
 	clientEgressL7HTTPPolicyYAML string
@@ -161,15 +161,15 @@ func Run(ctx context.Context, ct *check.ConnectivityTest) error {
 
 	// render templates, if any problems fail early
 	for key, temp := range map[string]string{
-		"clientEgressToCIDR1111PolicyYAML":        clientEgressToCIDR1111PolicyYAML,
-		"clientEgressToCIDR1111PolicyKNPYAML":     clientEgressToCIDR1111PolicyKNPYAML,
-		"clientEgressToCIDR1111DenyPolicyYAML":    clientEgressToCIDR1111DenyPolicyYAML,
-		"clientEgressL7HTTPPolicyYAML":            clientEgressL7HTTPPolicyYAML,
-		"clientEgressL7HTTPNamedPortPolicyYAML":   clientEgressL7HTTPNamedPortPolicyYAML,
-		"clientEgressToFQDNsCiliumIOPolicyYAML":   clientEgressToFQDNsCiliumIOPolicyYAML,
-		"clientEgressL7TLSPolicyYAML":             clientEgressL7TLSPolicyYAML,
-		"clientEgressL7HTTPMatchheaderSecretYAML": clientEgressL7HTTPMatchheaderSecretYAML,
-		"echoIngressFromCIDRYAML":                 echoIngressFromCIDRYAML,
+		"clientEgressToCIDRExternalPolicyYAML":     clientEgressToCIDRExternalPolicyYAML,
+		"clientEgressToCIDRExternalPolicyKNPYAML":  clientEgressToCIDRExternalPolicyKNPYAML,
+		"clientEgressToCIDRExternalDenyPolicyYAML": clientEgressToCIDRExternalDenyPolicyYAML,
+		"clientEgressL7HTTPPolicyYAML":             clientEgressL7HTTPPolicyYAML,
+		"clientEgressL7HTTPNamedPortPolicyYAML":    clientEgressL7HTTPNamedPortPolicyYAML,
+		"clientEgressToFQDNsCiliumIOPolicyYAML":    clientEgressToFQDNsCiliumIOPolicyYAML,
+		"clientEgressL7TLSPolicyYAML":              clientEgressL7TLSPolicyYAML,
+		"clientEgressL7HTTPMatchheaderSecretYAML":  clientEgressL7HTTPMatchheaderSecretYAML,
+		"echoIngressFromCIDRYAML":                  echoIngressFromCIDRYAML,
 	} {
 		val, err := utils.RenderTemplate(temp, ct.Params())
 		if err != nil {
@@ -465,31 +465,31 @@ func Run(ctx context.Context, ct *check.ConnectivityTest) error {
 			return check.ResultDropCurlTimeout, check.ResultNone
 		})
 
-	// This policy allows L3 traffic to 1.0.0.0/24 (including 1.1.1.1), with the
-	// exception of 1.0.0.1.
-	ct.NewTest("to-cidr-1111").
-		WithCiliumPolicy(renderedTemplates["clientEgressToCIDR1111PolicyYAML"]).
+	// This policy allows L3 traffic to ExternalCIDR/24 (including ExternalIP), with the
+	// exception of ExternalOtherIP.
+	ct.NewTest("to-cidr-external").
+		WithCiliumPolicy(renderedTemplates["clientEgressToCIDRExternalPolicyYAML"]).
 		WithScenarios(
 			tests.PodToCIDR(),
 		).
 		WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
 			if a.Destination().Address(check.IPFamilyV4) == ct.Params().ExternalOtherIP {
-				// Expect packets for 1.0.0.1 to be dropped.
+				// Expect packets for ExternalOtherIP to be dropped.
 				return check.ResultDropCurlTimeout, check.ResultNone
 			}
 			return check.ResultOK, check.ResultNone
 		})
 
-	// This policy allows L3 traffic to 1.0.0.0/24 (including 1.1.1.1), with the
-	// exception of 1.0.0.1.
-	ct.NewTest("to-cidr-1111-knp").
-		WithK8SPolicy(renderedTemplates["clientEgressToCIDR1111PolicyKNPYAML"]).
+	// This policy allows L3 traffic to ExternalCIDR/24 (including ExternalIP), with the
+	// exception of ExternalOtherIP.
+	ct.NewTest("to-cidr-external-knp").
+		WithK8SPolicy(renderedTemplates["clientEgressToCIDRExternalPolicyKNPYAML"]).
 		WithScenarios(
 			tests.PodToCIDR(),
 		).
 		WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
 			if a.Destination().Address(check.IPFamilyV4) == ct.Params().ExternalOtherIP {
-				// Expect packets for 1.0.0.1 to be dropped.
+				// Expect packets for ExternalOtherIP to be dropped.
 				return check.ResultDropCurlTimeout, check.ResultNone
 			}
 			return check.ResultOK, check.ResultNone
@@ -611,12 +611,12 @@ func Run(ctx context.Context, ct *check.ConnectivityTest) error {
 			return check.ResultOK, check.ResultOK
 		})
 
-	// This policy denies L3 traffic to 1.0.0.1/8 CIDR except 1.1.1.1/32
+	// This policy denies L3 traffic to ExternalCIDR except ExternalIP/32
 	ct.NewTest("client-egress-to-cidr-deny").
 		WithCiliumPolicy(allowAllEgressPolicyYAML). // Allow all egress traffic
-		WithCiliumPolicy(renderedTemplates["clientEgressToCIDR1111DenyPolicyYAML"]).
+		WithCiliumPolicy(renderedTemplates["clientEgressToCIDRExternalDenyPolicyYAML"]).
 		WithScenarios(
-			tests.PodToCIDR(), // Denies all traffic to 1.0.0.1, but allow 1.1.1.1
+			tests.PodToCIDR(), // Denies all traffic to ExternalOtherIP, but allow ExternalIP
 		).
 		WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
 			if a.Destination().Address(check.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP {
@@ -631,9 +631,9 @@ func Run(ctx context.Context, ct *check.ConnectivityTest) error {
 	// This test is same as the previous one, but there is no allowed policy.
 	// The goal is to test default deny policy
 	ct.NewTest("client-egress-to-cidr-deny-default").
-		WithCiliumPolicy(renderedTemplates["clientEgressToCIDR1111DenyPolicyYAML"]).
+		WithCiliumPolicy(renderedTemplates["clientEgressToCIDRExternalDenyPolicyYAML"]).
 		WithScenarios(
-			tests.PodToCIDR(), // Denies all traffic to 1.0.0.1, but allow 1.1.1.1
+			tests.PodToCIDR(), // Denies all traffic to ExternalOtherIP, but allow ExternalIP
 		).
 		WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
 			if a.Destination().Address(check.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP {

connectivity/tests/to-cidr.go

@@ -6,12 +6,13 @@ package tests
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	"github.com/cilium/cilium-cli/connectivity/check"
 )
 
 // PodToCIDR sends an ICMP packet from each client Pod
-// to 1.1.1.1 and 1.0.0.1.
+// to ExternalIP and ExternalOtherIP.
 func PodToCIDR() check.Scenario {
 	return &podToCIDR{}
 }
@@ -24,13 +25,11 @@ func (s *podToCIDR) Name() string {
 }
 
 func (s *podToCIDR) Run(ctx context.Context, t *check.Test) {
-	eps := []check.TestPeer{
-		check.HTTPEndpoint("cloudflare-1001", "https://"+t.Context().Params().ExternalOtherIP),
-		check.HTTPEndpoint("cloudflare-1111", "https://"+t.Context().Params().ExternalIP),
-	}
 	ct := t.Context()
 
-	for _, ep := range eps {
+	for _, ip := range []string{ct.Params().ExternalIP, ct.Params().ExternalOtherIP} {
+		ep := check.HTTPEndpoint(fmt.Sprintf("external-%s", strings.ReplaceAll(ip, ".", "")), "https://"+ip)
+
 		var i int
 		for _, src := range ct.ClientPods() {
 			src := src // copy to avoid memory aliasing when using reference