cilium · michi-covalent · Apr 11, 2024 · Apr 10, 2024 · Apr 10, 2024
@@ -27,6 +27,42 @@
 /bgp/ @cilium/sig-bgp
 /cmd/ @cilium/cli
 /clustermesh/ @cilium/sig-clustermesh
+/connectivity/ @cilium/ci-structure
+/connectivity/check/ipcache.go @cilium/ipcache
+/connectivity/check/metrics*.go @cilium/metrics
+/connectivity/check/policy.go @cilium/sig-policy
+/connectivity/builder/** @cilium/ci-structure
+/connectivity/builder/all_ingress_deny_from_outside.go @cilium/sig-encryption
+/connectivity/builder/cluster_entity_multi_cluster.go @cilium/sig-clustermesh
+/connectivity/builder/dns_only.go @cilium/sig-clustermesh
+/connectivity/builder/echo_ingress.go @cilium/sig-servicemesh
+/connectivity/builder/echo_ingress_auth_always_fail.go @cilium/sig-servicemesh
+/connectivity/builder/echo_ingress_from_other_client_deny.go @cilium/sig-servicemesh
+/connectivity/builder/echo_ingress_from_outside.go @cilium/sig-servicemesh
+/connectivity/builder/echo_ingress_knp.go @cilium/sig-servicemesh
+/connectivity/builder/echo_ingress_l7.go @cilium/sig-servicemesh
+/connectivity/builder/echo_ingress_l7_named_port.go @cilium/sig-servicemesh
+/connectivity/builder/echo_ingress_mutual_auth_spiffe.go @cilium/sig-servicemesh
+/connectivity/builder/egress_gateway.go @cilium/egress-gateway
+/connectivity/builder/egress_gateway_excluded_cidrs.go @cilium/egress-gateway
+/connectivity/builder/no_ipsec_xfrm_errors.go @cilium/sig-encryption
+/connectivity/builder/node_to_node_encryption.go @cilium/sig-encryption
+/connectivity/builder/pod_to_pod_encryption.go @cilium/sig-encryption
+/connectivity/tests/egressgateway.go @cilium/egress-gateway
+/connectivity/tests/encryption.go @cilium/sig-encryption
+/connectivity/tests/errors.go @cilium/sig-agent @cilium/sig-datapath
+/connectivity/tests/externalworkload.go @cilium/sig-clustermesh
+/connectivity/tests/from-cidr.go @cilium/sig-policy
+/connectivity/tests/health.go @cilium/sig-agent
+/connectivity/tests/host.go @cilium/sig-agent
+/connectivity/tests/ipsec_xfrm.go @cilium/ipsec
+/connectivity/tests/perfpod.go @cilium/sig-datapath
+/connectivity/tests/pod.go @cilium/sig-agent
+/connectivity/tests/service.go @cilium/sig-lb
+/connectivity/tests/testloop.sh @jrajahalme
+/connectivity/tests/to-cidr.go @cilium/sig-policy
+/connectivity/tests/upgrade.go @cilium/sig-datapath
+/connectivity/tests/world.go @cilium/proxy
 /encrypt/ @cilium/sig-encryption
 /hubble/ @cilium/sig-hubble
 /install/ @cilium/cli @cilium/helm

@@ -6,11 +6,11 @@ package api
 import (
 	"context"
 
-	"github.com/cilium/cilium/cilium-cli/connectivity"
-	"github.com/cilium/cilium/cilium-cli/connectivity/check"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 
+	"github.com/cilium/cilium-cli/connectivity"
+	"github.com/cilium/cilium-cli/connectivity/check"
 	"github.com/cilium/cilium-cli/k8s"
 	"github.com/cilium/cilium-cli/sysdump"
 )

@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"os"
 
-	command "github.com/cilium/cilium/cilium-cli/cli"
 	"github.com/spf13/cobra"
 
 	"github.com/cilium/cilium-cli/api"
@@ -86,7 +85,7 @@ cilium connectivity test`,
 		newCmdBgp(),
 		newCmdClusterMesh(),
 		newCmdConfig(),
-		command.NewCmdConnectivity(hooks),
+		newCmdConnectivity(hooks),
 		newCmdContext(),
 		newCmdEncrypt(),
 		newCmdHubble(),

@@ -7,27 +7,26 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"github.com/cilium/cilium/cilium-cli/connectivity"
-	check2 "github.com/cilium/cilium/cilium-cli/connectivity/check"
 	"os"
 	"os/signal"
 	"regexp"
 	"strings"
 	"syscall"
+	"time"
 
-	"github.com/cilium/cilium-cli/api"
-	"github.com/cilium/cilium-cli/defaults"
-	"github.com/cilium/cilium-cli/sysdump"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 
-	"github.com/cilium/cilium/pkg/option"
-	"github.com/cilium/cilium/pkg/time"
+	"github.com/cilium/cilium-cli/api"
+	"github.com/cilium/cilium-cli/connectivity"
+	"github.com/cilium/cilium-cli/connectivity/check"
+	"github.com/cilium/cilium-cli/defaults"
+	"github.com/cilium/cilium-cli/sysdump"
 )
 
 var errInternal = errors.New("encountered internal error, exiting")
 
-func NewCmdConnectivity(hooks api.Hooks) *cobra.Command {
+func newCmdConnectivity(hooks api.Hooks) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "connectivity",
 		Short: "Connectivity troubleshooting",
@@ -40,7 +39,7 @@ func NewCmdConnectivity(hooks api.Hooks) *cobra.Command {
 	return cmd
 }
 
-var params = check2.Parameters{
+var params = check.Parameters{
 	Writer: os.Stdout,
 	SysdumpOptions: sysdump.Options{
 		LargeSysdumpAbortTimeout: sysdump.DefaultLargeSysdumpAbortTimeout,
@@ -53,15 +52,6 @@ var tests []string
 
 func RunE(hooks api.Hooks) func(cmd *cobra.Command, args []string) error {
 	return func(cmd *cobra.Command, _ []string) error {
-		namespace, ok := api.GetNamespaceContextValue(cmd.Context())
-		if !ok {
-			return fmt.Errorf("failed to get namespace")
-		}
-		k8sClient, ok := api.GetK8sClientContextValue(cmd.Context())
-		if !ok {
-			return fmt.Errorf("failed to get k8sClient")
-		}
-
 		params.CiliumNamespace = namespace
 
 		for _, test := range tests {
@@ -81,7 +71,7 @@ func RunE(hooks api.Hooks) func(cmd *cobra.Command, args []string) error {
 		}
 
 		// Instantiate the test harness.
-		cc, err := check2.NewConnectivityTest(k8sClient, params, defaults.CLIVersion)
+		cc, err := check.NewConnectivityTest(k8sClient, params, defaults.CLIVersion)
 		if err != nil {
 			return err
 		}
@@ -148,7 +138,7 @@ func newCmdConnectivityTest(hooks api.Hooks) *cobra.Command {
 	cmd.Flags().MarkHidden("deployment-pod-annotations")
 	cmd.Flags().StringVar(&params.MultiCluster, "multi-cluster", "", "Test across clusters to given context")
 	cmd.Flags().StringSliceVar(&tests, "test", []string{}, "Run tests that match one of the given regular expressions, skip tests by starting the expression with '!', target Scenarios with e.g. '/pod-to-cidr'")
-	cmd.Flags().StringVar(&params.FlowValidation, "flow-validation", check2.FlowValidationModeWarning, "Enable Hubble flow validation { disabled | warning | strict }")
+	cmd.Flags().StringVar(&params.FlowValidation, "flow-validation", check.FlowValidationModeWarning, "Enable Hubble flow validation { disabled | warning | strict }")
 	cmd.Flags().BoolVar(&params.AllFlows, "all-flows", false, "Print all flows during flow validation")
 	cmd.Flags().StringVar(&params.AssumeCiliumVersion, "assume-cilium-version", "", "Assume Cilium version for connectivity tests")
 	cmd.Flags().BoolVarP(&params.Verbose, "verbose", "v", false, "Show informational messages and don't buffer any lines")
@@ -162,7 +152,7 @@ func newCmdConnectivityTest(hooks api.Hooks) *cobra.Command {
 	cmd.Flags().StringVar(&params.ExternalOtherIP, "external-other-ip", "1.0.0.1", "Other IP to use as external target in connectivity tests")
 	cmd.Flags().StringSliceVar(&params.NodeCIDRs, "node-cidr", nil, "one or more CIDRs that cover all nodes in the cluster")
 	cmd.Flags().StringVar(&params.JunitFile, "junit-file", "", "Generate junit report and write to file")
-	cmd.Flags().Var(option.NewNamedMapOptions("kvstore-opts", &params.JunitProperties, nil), "junit-property", "Add key=value properties to the generated junit file")
+	cmd.Flags().StringToStringVar(&params.JunitProperties, "junit-property", map[string]string{}, "Add key=value properties to the generated junit file")
 	cmd.Flags().BoolVar(&params.SkipIPCacheCheck, "skip-ip-cache-check", true, "Skip IPCache check")
 	cmd.Flags().MarkHidden("skip-ip-cache-check")
 	cmd.Flags().BoolVar(&params.IncludeUnsafeTests, "include-unsafe-tests", false, "Include tests which can modify cluster nodes state")
@@ -243,7 +233,7 @@ func newCmdConnectivityPerf(hooks api.Hooks) *cobra.Command {
 
 func registerCommonFlags(flags *pflag.FlagSet) {
 	flags.BoolVarP(&params.Debug, "debug", "d", false, "Show debug messages")
-	flags.Var(option.NewNamedMapOptions("node-selector", &params.NodeSelector, nil), "node-selector", "Restrict connectivity pods to nodes matching this label")
+	flags.StringToStringVar(&params.NodeSelector, "node-selector", map[string]string{}, "Restrict connectivity pods to nodes matching this label")
 	flags.StringVar(&params.TestNamespace, "test-namespace", defaults.ConnectivityCheckNamespace, "Namespace to perform the connectivity in")
 	flags.Var(&params.DeploymentAnnotations, "deployment-pod-annotations", "Add annotations to the connectivity pods, e.g. '{\"client\":{\"foo\":\"bar\"}}'")
 }
@@ -9,13 +9,13 @@ import (
 	"io"
 	"os"
 
-	"github.com/cilium/cilium/cilium-cli/connectivity/check"
 	"github.com/cilium/cilium/pkg/inctimer"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	"github.com/cilium/cilium-cli/connectivity/check"
 	"github.com/cilium/cilium-cli/defaults"
 	"github.com/cilium/cilium-cli/hubble"
 	"github.com/cilium/cilium-cli/install"

@@ -5,24 +5,25 @@ package builder
 
 import (
 	_ "embed"
-	check2 "github.com/cilium/cilium/cilium-cli/connectivity/check"
-	"github.com/cilium/cilium/cilium-cli/connectivity/tests"
+
+	"github.com/cilium/cilium-cli/connectivity/check"
+	"github.com/cilium/cilium-cli/connectivity/tests"
 )
 
 //go:embed manifests/deny-all-egress.yaml
 var denyAllEgressPolicyYAML string
 
 type allEgressDeny struct{}
 
-func (t allEgressDeny) build(ct *check2.ConnectivityTest, _ map[string]string) {
+func (t allEgressDeny) build(ct *check.ConnectivityTest, _ map[string]string) {
 	// This policy denies all egresses by default
 	newTest("all-egress-deny", ct).
 		WithCiliumPolicy(denyAllEgressPolicyYAML).
 		WithScenarios(
 			tests.PodToPod(),
 			tests.PodToPodWithEndpoints(),
 		).
-		WithExpectations(func(_ *check2.Action) (egress, ingress check2.Result) {
-			return check2.ResultDefaultDenyEgressDrop, check2.ResultNone
+		WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
+			return check.ResultDefaultDenyEgressDrop, check.ResultNone
 		})
 }
@@ -5,24 +5,25 @@ package builder
 
 import (
 	_ "embed"
-	check2 "github.com/cilium/cilium/cilium-cli/connectivity/check"
-	"github.com/cilium/cilium/cilium-cli/connectivity/tests"
+
+	"github.com/cilium/cilium-cli/connectivity/check"
+	"github.com/cilium/cilium-cli/connectivity/tests"
 )
 
 //go:embed manifests/deny-all-egress-knp.yaml
 var denyAllEgressPolicyKNPYAML string
 
 type allEgressDenyKnp struct{}
 
-func (t allEgressDenyKnp) build(ct *check2.ConnectivityTest, _ map[string]string) {
+func (t allEgressDenyKnp) build(ct *check.ConnectivityTest, _ map[string]string) {
 	// This policy denies all egresses by default using KNP.
 	newTest("all-egress-deny-knp", ct).
 		WithK8SPolicy(denyAllEgressPolicyKNPYAML).
 		WithScenarios(
 			tests.PodToPod(),
 			tests.PodToPodWithEndpoints(),
 		).
-		WithExpectations(func(_ *check2.Action) (egress, ingress check2.Result) {
-			return check2.ResultDefaultDenyEgressDrop, check2.ResultNone
+		WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
+			return check.ResultDefaultDenyEgressDrop, check.ResultNone
 		})
 }
@@ -0,0 +1,29 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package builder
+
+import (
+	_ "embed"
+
+	"github.com/cilium/cilium-cli/connectivity/check"
+	"github.com/cilium/cilium-cli/connectivity/tests"
+)
+
+//go:embed manifests/deny-all-entities.yaml
+var denyAllEntitiesPolicyYAML string
+
+type allEntitiesDeny struct{}
+
+func (t allEntitiesDeny) build(ct *check.ConnectivityTest, _ map[string]string) {
+	// This policy denies all entities by default
+	newTest("all-entities-deny", ct).
+		WithCiliumPolicy(denyAllEntitiesPolicyYAML).
+		WithScenarios(
+			tests.PodToPod(),
+			tests.PodToCIDR(),
+		).
+		WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
+			return check.ResultPolicyDenyEgressDrop, check.ResultNone
+		})
+}
@@ -4,14 +4,14 @@
 package builder
 
 import (
+	"github.com/cilium/cilium-cli/connectivity/check"
+	"github.com/cilium/cilium-cli/connectivity/tests"
 	"github.com/cilium/cilium-cli/utils/features"
-	check2 "github.com/cilium/cilium/cilium-cli/connectivity/check"
-	tests2 "github.com/cilium/cilium/cilium-cli/connectivity/tests"
 )
 
 type allIngressDeny struct{}
 
-func (t allIngressDeny) build(ct *check2.ConnectivityTest, _ map[string]string) {
+func (t allIngressDeny) build(ct *check.ConnectivityTest, _ map[string]string) {
 	// This policy denies all ingresses by default.
 	//
 	// 1. Pod to Pod fails because there is no egress policy (so egress traffic originating from a pod is allowed),
@@ -21,12 +21,12 @@ func (t allIngressDeny) build(ct *check2.ConnectivityTest, _ map[string]string)
 	//    so they are not subject to ingress policy.
 	newTest("all-ingress-deny", ct).
 		WithCiliumPolicy(denyAllIngressPolicyYAML).
-		WithScenarios(tests2.PodToPod(), tests2.PodToCIDR(tests2.WithRetryAll())).
-		WithExpectations(func(a *check2.Action) (egress, ingress check2.Result) {
+		WithScenarios(tests.PodToPod(), tests.PodToCIDR(tests.WithRetryAll())).
+		WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
 			if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP ||
 				a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP {
-				return check2.ResultOK, check2.ResultNone
+				return check.ResultOK, check.ResultNone
 			}
-			return check2.ResultDrop, check2.ResultDefaultDenyIngressDrop
+			return check.ResultDrop, check.ResultDefaultDenyIngressDrop
 		})
 }
@@ -4,25 +4,25 @@
 package builder
 
 import (
+	"github.com/cilium/cilium-cli/connectivity/check"
+	"github.com/cilium/cilium-cli/connectivity/tests"
 	"github.com/cilium/cilium-cli/utils/features"
-	check2 "github.com/cilium/cilium/cilium-cli/connectivity/check"
-	"github.com/cilium/cilium/cilium-cli/connectivity/tests"
 )
 
 type allIngressDenyFromOutside struct{}
 
-func (t allIngressDenyFromOutside) build(ct *check2.ConnectivityTest, _ map[string]string) {
+func (t allIngressDenyFromOutside) build(ct *check.ConnectivityTest, _ map[string]string) {
 	newTest("all-ingress-deny-from-outside", ct).
 		WithCondition(func() bool { return ct.Params().IncludeUnsafeTests }).
 		WithCiliumPolicy(denyAllIngressPolicyYAML).
 		WithFeatureRequirements(features.RequireEnabled(features.NodeWithoutCilium)).
 		WithIPRoutesFromOutsideToPodCIDRs().
 		WithScenarios(tests.FromCIDRToPod()).
-		WithExpectations(func(a *check2.Action) (egress, ingress check2.Result) {
+		WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
 			if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP ||
 				a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP {
-				return check2.ResultOK, check2.ResultNone
+				return check.ResultOK, check.ResultNone
 			}
-			return check2.ResultDrop, check2.ResultDefaultDenyIngressDrop
+			return check.ResultDrop, check.ResultDefaultDenyIngressDrop
 		})
 }
@@ -5,9 +5,9 @@ package builder
 
 import (
 	_ "embed"
-	check2 "github.com/cilium/cilium/cilium-cli/connectivity/check"
-	tests2 "github.com/cilium/cilium/cilium-cli/connectivity/tests"
 
+	"github.com/cilium/cilium-cli/connectivity/check"
+	"github.com/cilium/cilium-cli/connectivity/tests"
 	"github.com/cilium/cilium-cli/utils/features"
 )
 
@@ -16,24 +16,24 @@ var denyAllIngressPolicyKNPYAML string
 
 type allIngressDenyKnp struct{}
 
-func (t allIngressDenyKnp) build(ct *check2.ConnectivityTest, _ map[string]string) {
+func (t allIngressDenyKnp) build(ct *check.ConnectivityTest, _ map[string]string) {
 	// This policy denies all ingresses by default
 	newTest("all-ingress-deny-knp", ct).
 		WithK8SPolicy(denyAllIngressPolicyKNPYAML).
 		WithScenarios(
 			// Pod to Pod fails because there is no egress policy (so egress traffic originating from a pod is allowed),
 			// but then at the destination there is ingress policy that denies the traffic.
-			tests2.PodToPod(),
+			tests.PodToPod(),
 			// Egress to world works because there is no egress policy (so egress traffic originating from a pod is allowed),
 			// then when replies come back, they are considered as "replies" to the outbound connection.
 			// so they are not subject to ingress policy.
-			tests2.PodToCIDR(tests2.WithRetryAll()),
+			tests.PodToCIDR(tests.WithRetryAll()),
 		).
-		WithExpectations(func(a *check2.Action) (egress, ingress check2.Result) {
+		WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
 			if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP ||
 				a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP {
-				return check2.ResultOK, check2.ResultNone
+				return check.ResultOK, check.ResultNone
 			}
-			return check2.ResultDrop, check2.ResultDefaultDenyIngressDrop
+			return check.ResultDrop, check.ResultDefaultDenyIngressDrop
 		})
 }