Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add connectivity tests for auth #1505

Merged
merged 1 commit into from
Apr 13, 2023
Merged

Conversation

meyskens
Copy link
Member

This adds tests to validate that the auth handling in policy is working. It uses the always-fail type to test the fail case. If mTLS-SPIFFE is enabled in the cluster it will also perfom a successful test run with mTLS enabled.

The auth-fail tests will be able to run against master of cilium, the mTLS tests can be enabled in installation once cilium/cilium#24765 is merged

@meyskens meyskens requested a review from a team as a code owner April 12, 2023 09:50
@meyskens meyskens requested a review from asauber April 12, 2023 09:50
@meyskens meyskens temporarily deployed to ci April 12, 2023 09:50 — with GitHub Actions Inactive
@maintainer-s-little-helper
Copy link

Commit b501de8 does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@maintainer-s-little-helper
Copy link

Commit b501de8 does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@maintainer-s-little-helper
Copy link

Commit b501de8 does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@meyskens meyskens temporarily deployed to ci April 12, 2023 10:11 — with GitHub Actions Inactive
Copy link
Member

@sayboras sayboras left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM ✔️, I don't think there is any dependency to merge this PR in as the feature requirement is in place.

$ cilium connectivity test --test auth
...
[=] Test [echo-ingress-auth-always-fail]
........
[=] Test [echo-ingress-auth-mtls-spiffe]
........

[=] Skipping Test [dns-only]

[=] Skipping Test [to-fqdns]

✅ All 2 tests (16 actions) successful, 35 tests skipped, 0 scenarios skipped.

Copy link
Member

@mhofstetter mhofstetter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great - thanks a lot 👍

Copy link
Member

@tklauser tklauser left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI failures look related:

Running test echo-ingress-auth-always-fail: setting up test: applying network policies: policy application failed: CiliumNetworkPolicy.cilium.io "auth-ingress-fail" is invalid: spec.ingress[0].auth.type: Unsupported value: "always-fail": supported values: "null"

https://github.com/cilium/cilium-cli/actions/runs/4677138302/jobs/8284385441?pr=1505

CI is still running with Cilium v1.13 and we want keep supporting the Cilium versions listed in https://github.com/cilium/cilium-cli/blob/master/README.md#releases (i.e. Cilium ≥ 1.11).

@meyskens meyskens force-pushed the meyskens/mtls-e2e branch from ac518d3 to 9819445 Compare April 12, 2023 12:12
@meyskens meyskens temporarily deployed to ci April 12, 2023 12:12 — with GitHub Actions Inactive
@meyskens meyskens force-pushed the meyskens/mtls-e2e branch from 9819445 to dd5a796 Compare April 12, 2023 12:55
@meyskens meyskens temporarily deployed to ci April 12, 2023 12:55 — with GitHub Actions Inactive
@meyskens meyskens force-pushed the meyskens/mtls-e2e branch from dd5a796 to 272f8c6 Compare April 13, 2023 08:09
@meyskens meyskens requested a review from tklauser April 13, 2023 08:10
connectivity/suite.go Outdated Show resolved Hide resolved
@meyskens meyskens force-pushed the meyskens/mtls-e2e branch from 272f8c6 to 2321f8b Compare April 13, 2023 08:17
@meyskens meyskens temporarily deployed to ci April 13, 2023 08:17 — with GitHub Actions Inactive
@meyskens meyskens requested a review from tklauser April 13, 2023 08:19
Copy link
Member

@tklauser tklauser left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀 One minor non-blocking comment.

connectivity/check/policy.go Outdated Show resolved Hide resolved
This adds tests to validate that the auth handling in policy is working.
These tests will only run on clusters with auth enabled on Cilium v1.14.0+.
It uses the always-fail type to test the fail case.
It will also perfom a successful test run with mTLS-SPIFFE when enabled.

Signed-off-by: Maartje Eyskens <[email protected]>
@meyskens meyskens force-pushed the meyskens/mtls-e2e branch from 2321f8b to e484ca8 Compare April 13, 2023 13:03
@meyskens meyskens temporarily deployed to ci April 13, 2023 13:03 — with GitHub Actions Inactive
@meyskens
Copy link
Member Author

(sorry forgot to push my yubikey so i thought the push worked but it didn't)

@tklauser tklauser merged commit 44807f1 into cilium:master Apr 13, 2023
@meyskens meyskens deleted the meyskens/mtls-e2e branch April 13, 2023 14:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/servicemesh Service mesh
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants