connectivity: use the right test namespace in cnps #330
Conversation
bmcustodio
force-pushed
the
bruno-fix-test-namespace
branch
from
bbf8f4a to
f50deb9
Compare
bmcustodio
force-pushed
the
bruno-fix-test-namespace
branch
from
f50deb9 to
9745579
Compare
bmcustodio
force-pushed
the
bruno-fix-test-namespace
branch
from
9745579 to
5e6a31b
Compare
There was a problem hiding this comment.
Related: #275. Also, see #276, which makes spinning down test namespaces quite time-consuming at the moment. Should be an easy fix, though. Let's hold off on generating random namespaces for now.
I think a solution to this problem might require some more thought. Populating the namespace field is trivial, but the target field of matchLabel annotations looks a bit trickier. Any thoughts?
connectivity/check/policy.go
Outdated
| @@ -32,6 +32,11 @@ import ( | |||
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | |||
| ) | |||
|
|
|||
| const ( | |||
| // testNamespacePlaceholder will get replaced with the test namespace in use when parsing CPNs from YAML. | |||
| testNamespacePlaceholder = "${TEST_NAMESPACE}" | |||
There was a problem hiding this comment.
I'm not a fan of the placeholder idea, that will create complexity sprawl in the long run.
My idea was to have policies in yaml form with e.g. the namespace field empty and populate them in Go during execution. (empty fields to make sure we don't inadvertently clobber them) This would mean these policies can no longer be applied using kubectl, but that's not the case with this approach either.
There was a problem hiding this comment.
This would mean these policies can no longer be applied using kubectl, but that's not the case with this approach either.
cat connectivity/manifests/client-egress-to-echo.yaml| TEST_NAMESPACE=foo envsubst | k apply -f- works 🙂 Of course it isn't as simple as just kubectling, but it does actually work.
install/uninstall.go
Outdated
| @@ -58,7 +58,7 @@ func (k *K8sUninstaller) Uninstall(ctx context.Context) error { | |||
| return err | |||
| } | |||
|
|
|||
| k.Log("🔥 Deleting cilium-test namespace...") | |||
| k.Log("🔥 Deleting the %q test namespace...", k.params.TestNamespace) | |||
There was a problem hiding this comment.
This would require passing the correct test namespace to cilium uninstall as well, which a user would quite easily overlook. Not a comment on this PR, but we've discussed before that this code shouldn't be here, only cilium test should be responsible for managing the lifecycle of the test namespace.
@ti-mo that's why I was proposing this as a quick, interim fix until we figure it out. 🙂 At least in the meantime users wouldn't be running into this issue. |
There was a problem hiding this comment.
I'm not a big fan of the placeholder idea either and I think that it will probably stick around for quite a while, even if we create an issue to eventually replace it 😉
How about modifying the policy in Go code as suggested by @ti-mo? Or is there any problem with that approach?
Would something like along the lines of the following, naïve, untested change work?
diff --git a/connectivity/check/test.go b/connectivity/check/test.go
index 634ee982acc0..31606ad6917a 100644
--- a/connectivity/check/test.go
+++ b/connectivity/check/test.go
@@ -22,6 +22,7 @@ import (
"sync"
"time"
+ k8sConst "github.com/cilium/cilium/pkg/k8s/apis/cilium.io"
ciliumv2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
)
@@ -209,6 +210,19 @@ func (t *Test) WithPolicy(policy string) *Test {
t.Fatal("Error parsing policy YAML: %w", err)
}
+ for i := range pl {
+ pl[i].Namespace = t.ctx.params.TestNamespace
+ if pl[i].Spec != nil {
+ for _, e := range pl[i].Spec.Egress {
+ for _, es := range e.ToEndpoints {
+ if _, ok := es.MatchLabels[k8sConst.PodNamespaceLabel]; ok {
+ es.MatchLabels[k8sConst.PodNamespaceLabel] = t.ctx.params.TestNamespace
+ }
+ }
+ }
+ }
+ }
+
if err := t.addCNPs(pl...); err != nil {
t.Fatal("adding CNPs to policy context: %w", err)
}
bmcustodio
force-pushed
the
bruno-fix-test-namespace
branch
from
5e6a31b to
a3f59e9
Compare
|
@tklauser nice one — I have based the new approach on that, with slight changes (cc @ti-mo @jrajahalme). |
bmcustodio
force-pushed
the
bruno-fix-test-namespace
branch
from
53f129d to
a59701e
Compare
jrajahalme
added
ready-to-merge
tklauser
removed
the
ready-to-merge
|
Removed the |
maintainer-s-little-helper
bot
added
the
ready-to-merge
tklauser
force-pushed
the
bruno-fix-test-namespace
branch
from
a59701e to
974527d
Compare
Done and force pushed. |
tklauser
removed
the
ready-to-merge
Previously, the CNPs created during the connectivity test referenced 'cilium-test' in 'matchLabels' as opposed to the user-specified namespace. This commit addresses that by looking up potential matches and doing the proper replacement. Signed-off-by: Bruno Miguel Custódio <[email protected]>
Signed-off-by: Bruno Miguel Custódio <[email protected]>
tklauser
force-pushed
the
bruno-fix-test-namespace
branch
from
974527d to
c616cca
Compare
As the connectivity test can be from another namespace, which is passed by --test-namespace CLI flag, we should not have any hard coded namespace in all related policy manifests. The namespace label is automatically added as part of cilium#330, so we don't need to hard code it in match labels. Signed-off-by: Tam Mach <[email protected]>
As the connectivity test can be from another namespace, which is passed by --test-namespace CLI flag, we should not have any hard coded namespace in all related policy manifests. The namespace label is automatically added as part of cilium#330, so we don't need to hard code it in match labels. Related: cilium#1112 Signed-off-by: Tam Mach <[email protected]>
Previously, the CNPs created during the connectivity test referenced
cilium-testinmatchLabelsas opposed to the user-specified namespace. This commit addresses that by looking up potential matches and doing the proper replacement.