Make encryption-related connectivity tests more reliable #2035

Merged
merged 7 commits into from
Oct 19, 2023
84 changes: 44 additions & 40 deletions connectivity/check/deployment.go
Expand Up @@ -910,21 +910,23 @@ func (ct *ConnectivityTest) deploy(ctx context.Context) error {
}
}

_, err = ct.clients.src.GetDaemonSet(ctx, ct.params.TestNamespace, hostNetNSDeploymentName, metav1.GetOptions{})
if err != nil {
ct.Logf("✨ [%s] Deploying %s daemonset...", hostNetNSDeploymentName, ct.clients.src.ClusterName())
ds := newDaemonSet(daemonSetParameters{
Name: hostNetNSDeploymentName,
Kind: kindHostNetNS,
Image: ct.params.CurlImage,
Port: 8080,
Labels: map[string]string{"other": "host-netns"},
Command: []string{"/bin/ash", "-c", "sleep 10000000"},
HostNetwork: true,
})
_, err = ct.clients.src.CreateDaemonSet(ctx, ct.params.TestNamespace, ds, metav1.CreateOptions{})
for _, client := range ct.clients.clients() {
_, err = client.GetDaemonSet(ctx, ct.params.TestNamespace, hostNetNSDeploymentName, metav1.GetOptions{})
if err != nil {
return fmt.Errorf("unable to create daemonset %s: %w", hostNetNSDeploymentName, err)
ct.Logf("✨ [%s] Deploying %s daemonset...", hostNetNSDeploymentName, client.ClusterName())
ds := newDaemonSet(daemonSetParameters{
Name: hostNetNSDeploymentName,
Kind: kindHostNetNS,
Image: ct.params.CurlImage,
Port: 8080,
Labels: map[string]string{"other": "host-netns"},
Command: []string{"/bin/ash", "-c", "sleep 10000000"},
HostNetwork: true,
})
_, err = client.CreateDaemonSet(ctx, ct.params.TestNamespace, ds, metav1.CreateOptions{})
if err != nil {
return fmt.Errorf("unable to create daemonset %s: %w", hostNetNSDeploymentName, err)
}
}
}

Expand Down Expand Up @@ -1324,36 +1326,38 @@ func (ct *ConnectivityTest) validateDeployment(ctx context.Context) error {
}
}

hostNetNSPods, err := ct.client.ListPods(ctx, ct.params.TestNamespace, metav1.ListOptions{LabelSelector: "kind=" + kindHostNetNS})
if err != nil {
return fmt.Errorf("unable to list host netns pods: %w", err)
}

for _, pod := range hostNetNSPods.Items {
_, ok := ct.nodesWithoutCilium[pod.Spec.NodeName]
p := Pod{
K8sClient: ct.client,
Pod: pod.DeepCopy(),
Outside: ok,
for _, client := range ct.clients.clients() {
hostNetNSPods, err := client.ListPods(ctx, ct.params.TestNamespace, metav1.ListOptions{LabelSelector: "kind=" + kindHostNetNS})
if err != nil {
return fmt.Errorf("unable to list host netns pods: %w", err)
}
ct.hostNetNSPodsByNode[pod.Spec.NodeName] = p

if iface := ct.params.SecondaryNetworkIface; iface != "" {
if ct.Features[features.IPv4].Enabled {
cmd := []string{"/bin/sh", "-c", fmt.Sprintf("ip -family inet -oneline address show dev %s scope global | awk '{print $4}' | cut -d/ -f1", iface)}
addr, err := ct.client.ExecInPod(ctx, pod.Namespace, pod.Name, "", cmd)
if err != nil {
return fmt.Errorf("failed to fetch secondary network ip addr: %w", err)
}
ct.secondaryNetworkNodeIPv4[pod.Spec.NodeName] = strings.TrimSuffix(addr.String(), "\n")
for _, pod := range hostNetNSPods.Items {
_, ok := ct.nodesWithoutCilium[pod.Spec.NodeName]
p := Pod{
K8sClient: client,
Pod: pod.DeepCopy(),
Outside: ok,
}
if ct.Features[features.IPv4].Enabled {
cmd := []string{"/bin/sh", "-c", fmt.Sprintf("ip -family inet6 -oneline address show dev %s scope global | awk '{print $4}' | cut -d/ -f1", iface)}
addr, err := ct.client.ExecInPod(ctx, pod.Namespace, pod.Name, "", cmd)
if err != nil {
return fmt.Errorf("failed to fetch secondary network ip addr: %w", err)
ct.hostNetNSPodsByNode[pod.Spec.NodeName] = p

if iface := ct.params.SecondaryNetworkIface; iface != "" {
if ct.Features[features.IPv4].Enabled {
cmd := []string{"/bin/sh", "-c", fmt.Sprintf("ip -family inet -oneline address show dev %s scope global | awk '{print $4}' | cut -d/ -f1", iface)}
addr, err := client.ExecInPod(ctx, pod.Namespace, pod.Name, "", cmd)
if err != nil {
return fmt.Errorf("failed to fetch secondary network ip addr: %w", err)
}
ct.secondaryNetworkNodeIPv4[pod.Spec.NodeName] = strings.TrimSuffix(addr.String(), "\n")
}
if ct.Features[features.IPv4].Enabled {
cmd := []string{"/bin/sh", "-c", fmt.Sprintf("ip -family inet6 -oneline address show dev %s scope global | awk '{print $4}' | cut -d/ -f1", iface)}
addr, err := client.ExecInPod(ctx, pod.Namespace, pod.Name, "", cmd)
if err != nil {
return fmt.Errorf("failed to fetch secondary network ip addr: %w", err)
}
ct.secondaryNetworkNodeIPv6[pod.Spec.NodeName] = strings.TrimSuffix(addr.String(), "\n")
}
ct.secondaryNetworkNodeIPv6[pod.Spec.NodeName] = strings.TrimSuffix(addr.String(), "\n")
}
}
}
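Review bot: The secondary-network IPv6 lookup in validateDeployment is gated on the wrong feature flag: the second branch, `if ct.Features[features.IPv4].Enabled {` guarding the `ip -family inet6` command, should read `if ct.Features[features.IPv6].Enabled {`, assuming the features package exposes an IPv6 flag next to IPv4, which this hunk does not show. As written, IPv4-only clusters still run the inet6 query and record its output in `ct.secondaryNetworkNodeIPv6` (likely an empty string, since the pipeline's status is that of `cut`), while IPv6-only clusters never populate the map at all; the bug predates the multi-cluster loop but is carried into the new code. A second, hedged point: `ct.hostNetNSPodsByNode` and both address maps are now filled from every client yet keyed only by `pod.Spec.NodeName`, so if node names repeat across clusters the later cluster silently overwrites the earlier entry. Both deploy and validateDeployment begin before their hunks, and validateDeployment's body continues past the second one.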
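--- a/connectivity/suite.go
+++ b/connectivity/suite.go
@@ -745,17 +745,21 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, addExtraTests func(*ch
 tests.OutsideToNodePort(),
 )
 
-ct.NewTest("pod-to-pod-encryption").
-WithFeatureRequirements(features.RequireEnabled(features.EncryptionPod)).
-WithScenarios(
-tests.PodToPodEncryption(),
-)
-ct.NewTest("node-to-node-encryption").
-WithFeatureRequirements(features.RequireEnabled(features.EncryptionPod),
-features.RequireEnabled(features.EncryptionNode)).
-WithScenarios(
-tests.NodeToNodeEncryption(),
-)
+if !ct.Params().SingleNode {
+// Encryption checks are always executed as a sanity check, asserting whether
+// unencrypted packets shall, or shall not, be observed based on the feature set.
+ct.NewTest("pod-to-pod-encryption").
+WithScenarios(
+tests.PodToPodEncryption(features.RequireEnabled(features.EncryptionPod)),
+)
+ct.NewTest("node-to-node-encryption").
+WithScenarios(
+tests.NodeToNodeEncryption(
+features.RequireEnabled(features.EncryptionPod),
+features.RequireEnabled(features.EncryptionNode),
+),
+)
+}
 
 if ct.Params().IncludeUnsafeTests {
 ct.NewTest("egress-gateway").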
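Review bot: The new `if !ct.Params().SingleNode` guard is undocumented — the comment inside it explains why the encryption tests now run unconditionally, but not why single-node clusters are excluded, which is the less obvious choice. I would add, directly above the `if`, `// Skip on single-node clusters: pod-to-pod and node-to-node traffic never leaves the host there, so there is no inter-node path on which encrypted or plaintext packets could be observed.` — my reading, since the scenarios themselves are not shown. The existing comment could also spell out that, with the requirement moved from the test into the scenario arguments, a cluster with encryption disabled now asserts that plaintext is seen instead of skipping, if that is indeed what the scenarios do. The enclosing Run function starts before this hunk and continues past it.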