From 960191e230b728d042b2784711e27c6c75880e7b Mon Sep 17 00:00:00 2001
From: Tobias Klauser <tobias@cilium.io>
Date: Thu, 9 Mar 2023 17:12:26 +0100
Subject: [PATCH] connectivity: allow to restrict connectivity test pods using
 nodeSelector
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The connectivity test pods will be restricted to nodes matching labels
given in the --node-selector flag.

Usage:

    $ kubectl get nodes
    NAME                 STATUS   ROLES           AGE   VERSION
    kind-control-plane   Ready    control-plane   15m   v1.25.3
    kind-worker          Ready    <none>          15m   v1.25.3
    kind-worker2         Ready    <none>          15m   v1.25.3
    kind-worker3         Ready    <none>          15m   v1.25.3
    kind-worker4         Ready    <none>          15m   v1.25.3
    $ kubectl label nodes kind-worker{2,3} connectivity.cilium.io/test=true
    $ cilium connectivity test --node-selector connectivity.cilium.io/test=true
    [...]
    ✅ All 32 tests (261 actions) successful, 2 tests skipped, 1 scenarios skipped.
    $ kubectl get pods -n cilium-test -o wide
    NAME                              READY   STATUS    RESTARTS   AGE     IP             NODE           NOMINATED NODE   READINESS GATES
    client-7858556799-xd52x           1/1     Running   0          5m56s   10.244.2.120   kind-worker3   <none>           <none>
    client2-646989676f-zgxxl          1/1     Running   0          5m56s   10.244.2.55    kind-worker3   <none>           <none>
    echo-other-node-79659b5c6-8dzfw   2/2     Running   0          5m55s   10.244.3.148   kind-worker2   <none>           <none>
    echo-same-node-69f7699d84-5bvxj   2/2     Running   0          5m56s   10.244.2.168   kind-worker3   <none>           <none>

Fixes #1269

Signed-off-by: Tobias Klauser <tobias@cilium.io>
---
 connectivity/check/check.go      |  1 +
 connectivity/check/deployment.go | 26 +++++++++++++++++---------
 internal/cli/cmd/connectivity.go |  1 +
 3 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/connectivity/check/check.go b/connectivity/check/check.go
index 94e09b7a65..84899845f5 100644
--- a/connectivity/check/check.go
+++ b/connectivity/check/check.go
@@ -50,6 +50,7 @@ type Parameters struct {
 	DNSTestServerImage    string
 	Datapath              bool
 	AgentPodSelector      string
+	NodeSelector          map[string]string
 	ExternalTarget        string
 	ExternalCIDR          string
 	ExternalIP            string
diff --git a/connectivity/check/deployment.go b/connectivity/check/deployment.go
index c9ad297a73..342cbda919 100644
--- a/connectivity/check/deployment.go
+++ b/connectivity/check/deployment.go
@@ -93,6 +93,7 @@ type deploymentParameters struct {
 	HostPort       int
 	Command        []string
 	Affinity       *corev1.Affinity
+	NodeSelector   map[string]string
 	ReadinessProbe *corev1.Probe
 	Labels         map[string]string
 	HostNetwork    bool
@@ -146,6 +147,7 @@ func newDeployment(p deploymentParameters) *appsv1.Deployment {
 						},
 					},
 					Affinity:           p.Affinity,
+					NodeSelector:       p.NodeSelector,
 					HostNetwork:        p.HostNetwork,
 					ServiceAccountName: p.Name,
 				},
@@ -396,7 +398,8 @@ func (ct *ConnectivityTest) deploy(ctx context.Context) error {
 						},
 					},
 				},
-				HostNetwork: ct.params.PerfHostNet,
+				NodeSelector: ct.params.NodeSelector,
+				HostNetwork:  ct.params.PerfHostNet,
 			})
 			_, err = ct.clients.src.CreateServiceAccount(ctx, ct.params.TestNamespace, k8s.NewServiceAccount(nm.ClientName()), metav1.CreateOptions{})
 			if err != nil {
@@ -446,7 +449,8 @@ func (ct *ConnectivityTest) deploy(ctx context.Context) error {
 						},
 					},
 				},
-				HostNetwork: ct.params.PerfHostNet,
+				NodeSelector: ct.params.NodeSelector,
+				HostNetwork:  ct.params.PerfHostNet,
 			})
 			_, err = ct.clients.src.CreateServiceAccount(ctx, ct.params.TestNamespace, k8s.NewServiceAccount(nm.ServerName()), metav1.CreateOptions{})
 			if err != nil {
@@ -493,7 +497,8 @@ func (ct *ConnectivityTest) deploy(ctx context.Context) error {
 										{Key: "name", Operator: metav1.LabelSelectorOpIn, Values: []string{nm.ClientName()}}}},
 									TopologyKey: "kubernetes.io/hostname"}}}},
 					},
-					HostNetwork: ct.params.PerfHostNet,
+					NodeSelector: ct.params.NodeSelector,
+					HostNetwork:  ct.params.PerfHostNet,
 				})
 				_, err = ct.clients.src.CreateServiceAccount(ctx, ct.params.TestNamespace, k8s.NewServiceAccount(nm.ClientAcrossName()), metav1.CreateOptions{})
 				if err != nil {
@@ -629,12 +634,13 @@ func (ct *ConnectivityTest) deploy(ctx context.Context) error {
 	if err != nil {
 		ct.Logf("✨ [%s] Deploying %s deployment...", ct.clients.src.ClusterName(), clientDeploymentName)
 		clientDeployment := newDeployment(deploymentParameters{
-			Name:      clientDeploymentName,
-			Kind:      kindClientName,
-			NamedPort: "http-8080",
-			Port:      8080,
-			Image:     ct.params.CurlImage,
-			Command:   []string{"/bin/ash", "-c", "sleep 10000000"},
+			Name:         clientDeploymentName,
+			Kind:         kindClientName,
+			NamedPort:    "http-8080",
+			Port:         8080,
+			Image:        ct.params.CurlImage,
+			Command:      []string{"/bin/ash", "-c", "sleep 10000000"},
+			NodeSelector: ct.params.NodeSelector,
 		})
 		_, err = ct.clients.src.CreateServiceAccount(ctx, ct.params.TestNamespace, k8s.NewServiceAccount(clientDeploymentName), metav1.CreateOptions{})
 		if err != nil {
@@ -672,6 +678,7 @@ func (ct *ConnectivityTest) deploy(ctx context.Context) error {
 					},
 				},
 			},
+			NodeSelector: ct.params.NodeSelector,
 		})
 		_, err = ct.clients.src.CreateServiceAccount(ctx, ct.params.TestNamespace, k8s.NewServiceAccount(client2DeploymentName), metav1.CreateOptions{})
 		if err != nil {
@@ -727,6 +734,7 @@ func (ct *ConnectivityTest) deploy(ctx context.Context) error {
 						},
 					},
 				},
+				NodeSelector:   ct.params.NodeSelector,
 				ReadinessProbe: newLocalReadinessProbe(containerPort, "/"),
 			}, ct.params.DNSTestServerImage)
 			_, err = ct.clients.dst.CreateServiceAccount(ctx, ct.params.TestNamespace, k8s.NewServiceAccount(echoOtherNodeDeploymentName), metav1.CreateOptions{})
diff --git a/internal/cli/cmd/connectivity.go b/internal/cli/cmd/connectivity.go
index 0cf7b86aaa..2eafcfae22 100644
--- a/internal/cli/cmd/connectivity.go
+++ b/internal/cli/cmd/connectivity.go
@@ -119,6 +119,7 @@ func newCmdConnectivityTest() *cobra.Command {
 	cmd.Flags().StringVar(&params.TestNamespace, "test-namespace", defaults.ConnectivityCheckNamespace, "Namespace to perform the connectivity test in")
 	cmd.Flags().StringVar(&params.AgentDaemonSetName, "agent-daemonset-name", defaults.AgentDaemonSetName, "Name of cilium agent daemonset")
 	cmd.Flags().StringVar(&params.AgentPodSelector, "agent-pod-selector", defaults.AgentPodSelector, "Label on cilium-agent pods to select with")
+	cmd.Flags().StringToStringVar(&params.NodeSelector, "node-selector", map[string]string{}, "Restrict connectivity test pods to nodes matching this label")
 	cmd.Flags().StringVar(&params.MultiCluster, "multi-cluster", "", "Test across clusters to given context")
 	cmd.Flags().StringSliceVar(&tests, "test", []string{}, "Run tests that match one of the given regular expressions, skip tests by starting the expression with '!', target Scenarios with e.g. '/pod-to-cidr'")
 	cmd.Flags().StringVar(&params.FlowValidation, "flow-validation", check.FlowValidationModeWarning, "Enable Hubble flow validation { disabled | warning | strict }")