Add connectivity tests for auth #1505
Commit b501de8 does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
LGTM ✔️, I don't think there is any dependency to merge this PR in as the feature requirement is in place.
$ cilium connectivity test --test auth
...
[=] Test [echo-ingress-auth-always-fail]
........
[=] Test [echo-ingress-auth-mtls-spiffe]
........
[=] Skipping Test [dns-only]
[=] Skipping Test [to-fqdns]
✅ All 2 tests (16 actions) successful, 35 tests skipped, 0 scenarios skipped.
great - thanks a lot 👍
CI failures look related:
Running test echo-ingress-auth-always-fail: setting up test: applying network policies: policy application failed: CiliumNetworkPolicy.cilium.io "auth-ingress-fail" is invalid: spec.ingress[0].auth.type: Unsupported value: "always-fail": supported values: "null"
https://github.com/cilium/cilium-cli/actions/runs/4677138302/jobs/8284385441?pr=1505
CI is still running with Cilium v1.13 and we want to keep supporting the Cilium versions listed in https://github.com/cilium/cilium-cli/blob/master/README.md#releases (i.e. Cilium ≥ 1.11).
LGTM 🚀 One minor non-blocking comment.
This adds tests to validate that the auth handling in policy is working. These tests will only run on clusters with auth enabled on Cilium v1.14.0+. It uses the always-fail type to test the fail case. It will also perform a successful test run with mTLS-SPIFFE when enabled.
Signed-off-by: Maartje Eyskens <[email protected]>
(sorry forgot to push my yubikey so I thought the push worked but it didn't)
This adds tests to validate that the auth handling in policy is working. It uses the always-fail type to test the fail case. If mTLS-SPIFFE is enabled in the cluster it will also perform a successful test run with mTLS enabled.
The auth-fail tests will be able to run against master of cilium, the mTLS tests can be enabled in installation once cilium/cilium#24765 is merged