Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v2.4] Add more tests for TCPMappings #4493

Merged
merged 13 commits into from
Sep 16, 2022
Merged

[v2.4] Add more tests for TCPMappings #4493

merged 13 commits into from
Sep 16, 2022

Conversation

LukeShu
Copy link
Contributor

@LukeShu LukeShu commented Sep 7, 2022
edited
Loading

Description

This PR adds a bunch of tests for TCPMappings, many of them marked xfail. Even so, it isn't quite as complete as I would like it to be; see the "TODO" comments at the bottom of t_tcpmapping.py.

This builds on the tests that are verified to work with 1.14 from #4477.

Cherry-picks some reliability improvements from #4308

Related Issues

Testing

That's all this is.

Checklist

  • I made sure to update CHANGELOG.md. - no applicable changes

    Remember, the CHANGELOG needs to mention:

    • Any new features
    • Any changes to our included version of Envoy
    • Any non-backward-compatible changes
    • Any deprecations

  • This is unlikely to impact how Ambassador performs at scale. - not a runtime change

    Remember, things that might have an impact at scale include:

    • Any significant changes in memory use that might require adjusting the memory limits
    • Any significant changes in CPU use that might require adjusting the CPU limits
    • Anything that might change how many replicas users should use
    • Changes that impact data-plane latency/scalability

  • My change is adequately tested. - that's all this is

    Remember when considering testing:

    • Your change needs to be specifically covered by tests.
      • Tests need to cover all the states where your change is relevant: for example, if you add a behavior that can be enabled or disabled, you'll need tests that cover the enabled case and tests that cover the disabled case. It's not sufficient just to test with the behavior enabled.
    • You also need to make sure that the entire area being changed has adequate test coverage.
      • If existing tests don't actually cover the entire area being changed, add tests.
      • This applies even for aspects of the area that you're not changing – check the test coverage, and improve it if needed!
    • We should lean on the bulk of code being covered by unit tests, but...
    • ... an end-to-end test should cover the integration points

  • I updated DEVELOPING.md with any any special dev tricks I had to use to work on this code efficiently. - no tricks

  • The changes in this PR have been reviewed for security concerns and adherence to security best practices.

LukeShu added 7 commits August 31, 2022 20:03
@LukeShu
deps: Bump typed-ast 1.4.1→1.4.3 and pytest 6.1.2→6.2.5
2a8ffbf 
These two bumps are required for pytest to work with Python 3.10.
This doesn't matter for builds, or for in CI, but this does matter for
developers whose system Python is up-to-date.

Since Emissary 1.14 is in maintenance mode, I did the smallest
upgrades possible to get things working.

For typed-ast, that means including
python/typed_ast#158, which was first included
in 1.4.3.

For pytest, that means 6.2.5, since that's when the changelog mentions
"Python 3.10 is now supported."
https://docs.pytest.org/en/stable/changelog.html#pytest-6-2-5-2021-08-29

Signed-off-by: Luke Shumaker <[email protected]>
@LukeShu
Merge commit '2a8ffbfc3ff2445ce7570dcceb9b42187c3a0497' into lukeshu/…
15d2973 
…v2.4-tcpmapping
@LukeShu
Merge build-aux-local/ in to build-aux/
d7c4a29 
Signed-off-by: Luke Shumaker <[email protected]>
(cherry picked from commit fc40a4d)
@LukeShu
Modify test_shadow.py to use selfsigned.py
1016904 
Signed-off-by: Luke Shumaker <[email protected]>
(cherry picked from commit 03be3e9)
@LukeShu
Merge commit '1016904a5f0b82fb414a9acc337585f534785324' into lukeshu/…
eb00717 
…v2.4-tcpmapping2
@LukeShu
Re-generate all of the test self-signed certs to set SAN correctly
87487f8 
Signed-off-by: Luke Shumaker <[email protected]>

(cherry picked from commit e3af51a)

This cherry pick is needed because several of the certs are now expired;
I don't care about the SAN, I care about the timestamps.

I also had to touch up t_tls.py, since it's checking for some details
of the certs, and those details changed.  I didn't have to do that in
the original commit because I guess those tests had been marked as
xfail.  Yikes!

Signed-off-by: Luke Shumaker <[email protected]>
@LukeShu
KAT: Flesh out the TCPMapping tests
02a69a9 
Signed-off-by: Luke Shumaker <[email protected]>
@LukeShu LukeShu mentioned this pull request Sep 7, 2022
Merged
5 tasks
@LukeShu LukeShu changed the title Lukeshu/v2.4 tcpmapping [v2.4] Add more tests for TCPMappings Sep 7, 2022
@LukeShu LukeShu force-pushed the lukeshu/v2.4-tcpmapping branch from 863bc86 to ad1e2f2 Compare September 7, 2022 21:16
@LukeShu LukeShu mentioned this pull request Sep 7, 2022
Closed
5 tasks
@LukeShu LukeShu force-pushed the lukeshu/v2.4-tcpmapping branch 3 times, most recently from c250272 to f3d5237 Compare September 12, 2022 02:20
@LukeShu
t_tcpmapping.py: Update for 2.x
0a88cb2 
Signed-off-by: Luke Shumaker <[email protected]>
@LukeShu
pytest-kat: Fix splitting the tests among jobs
2f6c067 
When splitting KAT tests among multiple jobs, we need a listing of all
of the KAT tests; we'll assign each entry in this list to a different
job.

The problem with that right now is that the expressions in that
listing are sometimes ambiguous.  For example, "AuthenticationTest"
shows up as `kat[AuthenticationTest`.  Notice that it doesn't include
a trailing `]`; this causes it to also match the
"AuthenticationTestV1".  If both of those tests were going to be
scheduled on the same job, that's fine; but if they were going to be
scheduled on different jobs, then that "AuthenticationTestV1" test
will run in *both* jobs, potentially overloading the one where it
wasn't supposed to run.

This is probably less of a problem for that one test, and a bigger
problem for common prefixes like "TLS".

Here is a listing of all such ambiguities:

    $ grep -f <(<build-aux/pytest-kat.txt sed -e 's/\[/\\[/g' -e 's/$/./') build-aux/pytest-kat.txt
    kat[AuthenticationTestV1
    kat[ClientCertificateAuthenticationContext
    kat[ClientCertificateAuthenticationContextCRL
    kat[DnsTtlDnsType
    kat[DnsTtlEndpoint
    kat[ErrorResponseMappingBypassAlternate
    kat[ErrorResponseOnStatusCodeMappingCRD
    kat[HostCRDDoubleCrossNamespace
    kat[HostCRDManualContextCRL
    kat[LogicalDnsTypeEndpoint
    kat[RedirectTestsInvalidSecret
    kat[RedirectTestsWithProxyProto
    kat[TLSCoalescing
    kat[TLSContextCipherSuites
    kat[TLSContextIstioSecretTest
    kat[TLSContextProtocolMaxVersion
    kat[TLSContextProtocolMinVersion
    kat[TLSContextTest
    kat[TLSContextsTest
    kat[TLSIngressTest
    kat[TLSInheritFromModule
    kat[TLSInvalidSecret
    kat[TLSOriginationSecret
    kat[TracingTestLongClusterName
    kat[TracingTestSampling
    kat[TracingTestShortTraceId
    kat[TracingTestZipkinV1
    kat[TracingTestZipkinV2

Signed-off-by: Luke Shumaker <[email protected]>
(cherry picked from commit 67279ec)
@LukeShu
builder.mk: Handle pytest-kat.txt being different depending on xDS ver
edc01e7 
Yep, because of the horror that is self.skip_node!  Eradicating skip_node
seems like a bigger task, so just accept the horror as is.

Signed-off-by: Luke Shumaker <[email protected]>
@LukeShu LukeShu force-pushed the lukeshu/v2.4-tcpmapping branch from f3d5237 to edc01e7 Compare September 13, 2022 23:24
@LukeShu LukeShu mentioned this pull request Sep 13, 2022
Merged
5 tasks
@LukeShu LukeShu marked this pull request as ready for review September 13, 2022 23:36
@LanceEa LanceEa requested review from LanceEa and haq204 September 14, 2022 13:43
haq204
haq204 reviewed Sep 14, 2022
View reviewed changes
python/tests/kat/t_tcpmapping.py
def manifests(self) -> str:
return format('''
---
apiVersion: getambassador.io/v3alpha1
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we also be testing with https and port 80 to ensure that v3alpha1 honors the scheme similar to TCPMappingTLSOriginationV2SchemeTest? Seems like that's the intention as extra_ports has two elements but only one is used here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, it was a mistake that I left 6790 in extra_ports.

The difference is that in v2 it didn't support saying "originate TLS by adding https:// to the service; but in v3alpha1 this is the primary way of originating TLS without a client cert (since v3alpha1 doesn't support tls: true, which is how you did that in v2.)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added a commit removing 6790 from extra_ports.

python/tests/kat/t_tcpmapping.py
ambassador_id: [ {self.ambassador_id} ]
port: 6789
service: {self.target.path.fqdn}:443
tls: true
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mostly just curious what tls==true means since I thought you were supposed to supply a TLSContext to use.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tls: true was how you said "originate TLS without a client cert (and with the default settings)" in v2; in v3alpha1 you do this by adding https:// to the service (since allowing tls to be either a bool or a string is a violation of Kubernetes structural typing, which is something that v3alpha1 was going for).

python/tests/kat/t_tcpmapping.py
ambassador_id: [ {self.ambassador_id} ]
port: 6789
service: {self.target.path.fqdn}:443
tls: {self.name.k8s}-tlsclient
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happens if you have two TLSContexts with the same name but in different namespaces?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The answer is poorly defined, and I hate it, but it's OK that it's poorly defined since it's always been poorly defined.

Good question though.

@LukeShu LukeShu mentioned this pull request Sep 16, 2022
Open
@LukeShu
fixup! t_tcpmapping.py: Update for 2.x
746a052 
I'd accidentally included an extra `extra_port` in one of the tests
because I'd copied it from a different test.

Thanks to @haq204 for pointing out this mistake.

Signed-off-by: Luke Shumaker <[email protected]>
@LukeShu LukeShu requested review from LanceEa and haq204 September 16, 2022 05:11
ddymko
ddymko approved these changes Sep 16, 2022
View reviewed changes
Copy link
Member

@ddymko ddymko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks fine overall

@LukeShu LukeShu merged commit 0cecbde into release/v2.4 Sep 16, 2022
@LukeShu LukeShu deleted the lukeshu/v2.4-tcpmapping branch September 16, 2022 15:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haq204 haq204 haq204 approved these changes

@LanceEa LanceEa LanceEa approved these changes

@ddymko ddymko ddymko approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@LukeShu @ddymko @LanceEa @haq204