testing: enable external TC tests for NodePort in CI

Add also tests for (external) TC under DSR/SNAT/Hybrid modes to our
CI so they can be performed from the third host. So far we don't seem
to test all of them (only for the metal LB case).

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

test/k8sT/Services.go

@@ -583,6 +583,40 @@ var _ = Describe("K8sServicesTest", func() {
 			}
 		}
 
+		testNodePortExternal := func(checkTCP, checkUDP bool) {
+			var data v1.Service
+
+			err := kubectl.Get(helpers.DefaultNamespace, "service test-nodeport").Unmarshal(&data)
+			Expect(err).Should(BeNil(), "Cannot retrieve service")
+			_, k8s1IP := getNodeInfo(helpers.K8s1)
+
+			httpURL := getHTTPLink(k8s1IP, data.Spec.Ports[0].NodePort)
+			tftpURL := getTFTPLink(k8s1IP, data.Spec.Ports[1].NodePort)
+
+			// Test from external connectivity
+			// Note:
+			//   In case of SNAT checkSourceIP is false here since the HTTP request
+			//   won't have the client IP but the service IP (given the request comes
+			//   from the Cilium node to the backend, not from the client directly).
+			//   Same in case of Hybrid mode for UDP.
+			doRequestsFromThirdHost(httpURL, 10, checkTCP)
+			doRequestsFromThirdHost(tftpURL, 10, checkUDP)
+
+			// Make sure all the rest works as expected as well
+			testNodePort(true)
+
+			// Clear CT tables on both Cilium nodes
+			pod, err := kubectl.GetCiliumPodOnNode(helpers.CiliumNamespace, helpers.K8s1)
+			Expect(err).Should(BeNil(), "Cannot determine cilium pod name")
+			res := kubectl.CiliumExec(pod, "cilium bpf ct flush global")
+			res.ExpectSuccess("Unable to flush CT maps")
+
+			pod, err = kubectl.GetCiliumPodOnNode(helpers.CiliumNamespace, helpers.K8s2)
+			Expect(err).Should(BeNil(), "Cannot determine cilium pod name")
+			res = kubectl.CiliumExec(pod, "cilium bpf ct flush global")
+			res.ExpectSuccess("Unable to flush CT maps")
+		}
+
 		testExternalTrafficPolicyLocal := func() {
 			var (
 				data    v1.Service
@@ -853,36 +887,7 @@ var _ = Describe("K8sServicesTest", func() {
 						"global.tunnel":                "disabled",
 						"global.autoDirectNodeRoutes":  "true",
 					})
-
-					var data v1.Service
-					err := kubectl.Get(helpers.DefaultNamespace, "service test-nodeport").Unmarshal(&data)
-					Expect(err).Should(BeNil(), "Cannot retrieve service")
-					_, k8s1IP := getNodeInfo(helpers.K8s1)
-
-					httpURL := getHTTPLink(k8s1IP, data.Spec.Ports[0].NodePort)
-					tftpURL := getTFTPLink(k8s1IP, data.Spec.Ports[1].NodePort)
-
-					// Test from external connectivity
-					// Note:
-					//   In case of SNAT checkSourceIP is false here since the HTTP request
-					//   won't have the client IP but the service IP (given the request comes
-					//   from the Cilium node to the backend, not from the client directly).
-					//   Same in case of Hybrid mode for UDP.
-					doRequestsFromThirdHost(httpURL, 10, false)
-					doRequestsFromThirdHost(tftpURL, 10, false)
-					// Make sure all the rest works as expected under XDP
-					testNodePort(true)
-
-					// Clear CT tables on both Cilium nodes
-					pod, err := kubectl.GetCiliumPodOnNode(helpers.CiliumNamespace, helpers.K8s1)
-					Expect(err).Should(BeNil(), "Cannot determine cilium pod name")
-					res := kubectl.CiliumExec(pod, "cilium bpf ct flush global")
-					res.ExpectSuccess("Unable to flush CT maps")
-
-					pod, err = kubectl.GetCiliumPodOnNode(helpers.CiliumNamespace, helpers.K8s2)
-					Expect(err).Should(BeNil(), "Cannot determine cilium pod name")
-					res = kubectl.CiliumExec(pod, "cilium bpf ct flush global")
-					res.ExpectSuccess("Unable to flush CT maps")
+					testNodePortExternal(false, false)
 				})
 
 				SkipItIf(helpers.DoesNotExistNodeWithoutCilium, "Tests with XDP, direct routing and Hybrid", func() {
@@ -892,31 +897,7 @@ var _ = Describe("K8sServicesTest", func() {
 						"global.tunnel":                "disabled",
 						"global.autoDirectNodeRoutes":  "true",
 					})
-
-					var data v1.Service
-					err := kubectl.Get(helpers.DefaultNamespace, "service test-nodeport").Unmarshal(&data)
-					Expect(err).Should(BeNil(), "Cannot retrieve service")
-					_, k8s1IP := getNodeInfo(helpers.K8s1)
-
-					httpURL := getHTTPLink(k8s1IP, data.Spec.Ports[0].NodePort)
-					tftpURL := getTFTPLink(k8s1IP, data.Spec.Ports[1].NodePort)
-
-					// Test from external connectivity
-					doRequestsFromThirdHost(httpURL, 10, true)
-					doRequestsFromThirdHost(tftpURL, 10, false)
-					// Make sure all the rest works as expected under XDP
-					testNodePort(true)
-
-					// Clear CT tables on both Cilium nodes
-					pod, err := kubectl.GetCiliumPodOnNode(helpers.CiliumNamespace, helpers.K8s1)
-					Expect(err).Should(BeNil(), "Cannot determine cilium pod name")
-					res := kubectl.CiliumExec(pod, "cilium bpf ct flush global")
-					res.ExpectSuccess("Unable to flush CT maps")
-
-					pod, err = kubectl.GetCiliumPodOnNode(helpers.CiliumNamespace, helpers.K8s2)
-					Expect(err).Should(BeNil(), "Cannot determine cilium pod name")
-					res = kubectl.CiliumExec(pod, "cilium bpf ct flush global")
-					res.ExpectSuccess("Unable to flush CT maps")
+					testNodePortExternal(true, false)
 				})
 
 				SkipItIf(helpers.DoesNotExistNodeWithoutCilium, "Tests with XDP, direct routing and DSR", func() {
@@ -926,31 +907,37 @@ var _ = Describe("K8sServicesTest", func() {
 						"global.tunnel":                "disabled",
 						"global.autoDirectNodeRoutes":  "true",
 					})
+					testNodePortExternal(true, true)
+				})
 
-					var data v1.Service
-					err := kubectl.Get(helpers.DefaultNamespace, "service test-nodeport").Unmarshal(&data)
-					Expect(err).Should(BeNil(), "Cannot retrieve service")
-					_, k8s1IP := getNodeInfo(helpers.K8s1)
-
-					httpURL := getHTTPLink(k8s1IP, data.Spec.Ports[0].NodePort)
-					tftpURL := getTFTPLink(k8s1IP, data.Spec.Ports[1].NodePort)
-
-					// Test from external connectivity
-					doRequestsFromThirdHost(httpURL, 10, true)
-					doRequestsFromThirdHost(tftpURL, 10, true)
-					// Make sure all the rest works as expected under XDP
-					testNodePort(true)
+				SkipItIf(helpers.DoesNotExistNodeWithoutCilium, "Tests with TC, direct routing and SNAT", func() {
+					DeployCiliumOptionsAndDNS(kubectl, ciliumFilename, map[string]string{
+						"global.nodePort.acceleration": "none",
+						"global.nodePort.mode":         "snat",
+						"global.tunnel":                "disabled",
+						"global.autoDirectNodeRoutes":  "true",
+					})
+					testNodePortExternal(false, false)
+				})
 
-					// Clear CT tables on both Cilium nodes
-					pod, err := kubectl.GetCiliumPodOnNode(helpers.CiliumNamespace, helpers.K8s1)
-					Expect(err).Should(BeNil(), "Cannot determine cilium pod name")
-					res := kubectl.CiliumExec(pod, "cilium bpf ct flush global")
-					res.ExpectSuccess("Unable to flush CT maps")
+				SkipItIf(helpers.DoesNotExistNodeWithoutCilium, "Tests with TC, direct routing and Hybrid", func() {
+					DeployCiliumOptionsAndDNS(kubectl, ciliumFilename, map[string]string{
+						"global.nodePort.acceleration": "none",
+						"global.nodePort.mode":         "hybrid",
+						"global.tunnel":                "disabled",
+						"global.autoDirectNodeRoutes":  "true",
+					})
+					testNodePortExternal(true, false)
+				})
 
-					pod, err = kubectl.GetCiliumPodOnNode(helpers.CiliumNamespace, helpers.K8s2)
-					Expect(err).Should(BeNil(), "Cannot determine cilium pod name")
-					res = kubectl.CiliumExec(pod, "cilium bpf ct flush global")
-					res.ExpectSuccess("Unable to flush CT maps")
+				SkipItIf(helpers.DoesNotExistNodeWithoutCilium, "Tests with TC, direct routing and DSR", func() {
+					DeployCiliumOptionsAndDNS(kubectl, ciliumFilename, map[string]string{
+						"global.nodePort.acceleration": "none",
+						"global.nodePort.mode":         "dsr",
+						"global.tunnel":                "disabled",
+						"global.autoDirectNodeRoutes":  "true",
+					})
+					testNodePortExternal(true, true)
 				})
 			})
 	})