Adding test to validate network isolation. (fybrik#2066)

* Adding test to validate network isolation.

Signed-off-by: mohammad-nassar10 <mohammad.nassar@ibm.com>

---------

Signed-off-by: mohammad-nassar10 <mohammad.nassar@ibm.com>

.github/workflows/build.yml

@@ -227,7 +227,7 @@ jobs:
       run: make install-tools
     - name: Write flow notebook tests
       run: make run-notebook-writeflow-tests
-    - name: Update env vars to use existsing cluster
+    - name: Update env vars to use existing cluster
       run: |
         # The step that creates or updates the environment variable does
         # not have access to the new value, but all subsequent steps 
@@ -264,6 +264,12 @@ jobs:
     - name: Read flow notebook tests with katalog
       if: ${{ ! github.event.pull_request.draft }}
       run: make run-notebook-readflow-tests-katalog
+    - name: Update env vars to create a new cluster
+      run: |
+        echo "USE_EXISTING_CLUSTER=0" >> $GITHUB_ENV
+    - name: Isolation tests with katalog
+      if: ${{ ! github.event.pull_request.draft }}
+      run: make run-network-policy-readflow-tests-katalog
 
 
   tekton-pipelines:

Makefile

@@ -24,6 +24,8 @@ export DEPLOY_OPENMETADATA_SERVER ?= 1
 export USE_OPENMETADATA_CATALOG ?= 1
 # If true, avoid creating a new cluster.
 export USE_EXISTING_CLUSTER ?= 0
+# If true, run the isolation scenario
+export RUN_ISOLATION ?= 0
 
 DOCKER_PUBLIC_HOSTNAME ?= ghcr.io
 DOCKER_PUBLIC_NAMESPACE ?= fybrik
@@ -173,6 +175,17 @@ run-notebook-readflow-tests-katalog:
 	$(MAKE) setup-cluster
 	$(MAKE) -C manager run-notebook-readflow-tests
 
+.PHONY: run-network-policy-readflow-tests-katalog
+run-network-policy-readflow-tests-katalog: export HELM_SETTINGS=--set "coordinator.catalog=katalog" --set "worker.npIsolation.enabled=true"
+run-network-policy-readflow-tests-katalog: export VALUES_FILE=test/charts/notebook-test-readflow.values.yaml
+run-network-policy-readflow-tests-katalog: export CATALOGED_ASSET=fybrik-notebook-sample/data-csv
+run-network-policy-readflow-tests-katalog: export DEPLOY_OPENMETADATA_SERVER=0
+run-network-policy-readflow-tests-katalog: export USE_OPENMETADATA_CATALOG=0
+run-network-policy-readflow-tests-katalog: export RUN_ISOLATION=1
+run-network-policy-readflow-tests-katalog:
+	$(MAKE) setup-cluster
+	$(MAKE) -C manager run-network-policy-readflow-tests
+
 .PHONY: run-notebook-readflow-tls-tests
 run-notebook-readflow-tls-tests: export VALUES_FILE=test/charts/notebook-test-readflow.tls.values.yaml
 run-notebook-readflow-tls-tests: export DEPLOY_TLS_TEST_CERTS=1
@@ -220,7 +233,11 @@ setup-cluster: export DOCKER_HOSTNAME?=localhost:5000
 setup-cluster: export DOCKER_NAMESPACE?=fybrik-system
 setup-cluster:
 ifeq ($(USE_EXISTING_CLUSTER),0)
+ifeq ($(RUN_ISOLATION),0)
 	$(MAKE) kind
+else
+	$(MAKE) kind-calico
+endif
 endif
 	$(MAKE) cluster-prepare
 	$(MAKE) docker-build docker-push

hack/make-rules/cluster.mk

@@ -6,6 +6,10 @@ export KUBECONFIG:=${KUBECONFIG}
 kind-setup: $(TOOLBIN)/kind $(TOOLBIN)/kubectl
 	cd $(TOOLS_DIR); ./create_kind.sh
 
+.PHONY: kind-calico-setup
+kind-calico-setup: $(TOOLBIN)/kind $(TOOLBIN)/kubectl
+	cd $(TOOLS_DIR); ./create_kind.sh calico
+
 .PHONY: kind-setup-multi
 kind-setup-multi: $(TOOLBIN)/kind $(TOOLBIN)/kubectl
 	cd $(TOOLS_DIR); ./create_kind.sh multi
@@ -16,3 +20,6 @@ kind-cleanup: $(TOOLBIN)/kind $(TOOLBIN)/kubectl
 
 .PHONY: kind
 kind: kind-cleanup kind-setup
+
+.PHONY: kind-calico
+kind-calico: kind-cleanup kind-calico-setup

hack/tools/create_kind.sh

@@ -87,6 +87,10 @@ install_nginx_ingress() {
         kubectl apply -f ingress-nginx.yaml -n "$KUBE_NAMESPACE"
 }
 
+install_calico() {
+  kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests/calico.yaml
+}
+
 case "$op" in
 cleanup)
   header_text "Uninstalling kind cluster"
@@ -102,6 +106,12 @@ multi)
   registry_create
   install_nginx_ingress control &
   ;;
+calico)
+  header_text "Installing kind cluster with calico"
+  kind_create kind kind-calico-config.yaml
+  install_calico
+  registry_create
+  ;;
 *)
   header_text "Installing kind cluster"
   kind_create kind kind-config.yaml

hack/tools/kind-calico-config.yaml

@@ -0,0 +1,15 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+networking:
+  disableDefaultCNI: true # disable kindnet
+  podSubnet: 192.168.0.0/16 # set to Calico's default subnet
+containerdConfigPatches:
+- |-
+  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."kind-registry:5000"]
+    endpoint = ["http://kind-registry:5000"]
+  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5000"]
+    endpoint = ["http://kind-registry:5000"]
+  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
+    endpoint = ["http://kind-registry-proxy:5001"]
+  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry-1.docker.io"]
+    endpoint = ["http://kind-registry-proxy:5001"]

hack/tools/requirements.env

@@ -30,3 +30,4 @@ BASE_IMAGE_TAG=8.7
 INGINX_INGRESS_CONTROLLER=1.7.0
 LOCALSTACK_VERSION=1.2.0
 LOCALSTACK_CHART_VERSION=0.4.3
+CALICO_VERSION=3.25.0

manager/Makefile

@@ -45,12 +45,16 @@ prep-test: wait_for_manager
 run-integration-tests: prep-test
 	NO_SIMULATED_PROGRESS=true USE_EXISTING_CONTROLLER=true USE_EXISTING_CLUSTER=true go test ./... $(TEST_OPTIONS) -run TestAPIs -count 1
 
-
 .PHONY: run-notebook-readflow-tests
 run-notebook-readflow-tests: prep-test
 	cd testdata/notebook/read-flow && ./setup.sh
 	NO_SIMULATED_PROGRESS=true USE_EXISTING_CONTROLLER=true USE_EXISTING_CLUSTER=true go test ./... $(TEST_OPTIONS) -run TestS3NotebookReadFlow -count 1
 
+.PHONY: run-network-policy-readflow-tests
+run-network-policy-readflow-tests: prep-test
+	cd testdata/notebook/read-flow && ./setup.sh
+	NO_SIMULATED_PROGRESS=true USE_EXISTING_CONTROLLER=true USE_EXISTING_CLUSTER=true go test ./... $(TEST_OPTIONS) -run TestNetworkPolicyReadFlow -count 1
+
 .PHONY: run-notebook-writeflow-tests
 run-notebook-writeflow-tests: prep-test
 	cd testdata/notebook/write-flow && ./setup.sh