test(transparentproxy): add transparent proxy tests

These tests are using real docker containers. For now existing
tests will test if tproxy installation in a container succeeds,
and then compare golden files generated from iptables-save.

Signed-off-by: Bart Smykla <bartek@smykla.com>

.github/workflows/_test.yaml

@@ -34,6 +34,45 @@ jobs:
           make dev/tools
       - run: |
           make test
+  # just for tests, will be probably run periodically
+  test_transparentproxy:
+    timeout-minutes: 20
+    if: ${{ !contains(github.event.pull_request.labels.*.name, 'ci/skip-test-transparentproxy') }}
+    runs-on: ubuntu-latest
+    env:
+      IPV6: "true"
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        with:
+          go-version-file: go.mod
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        with:
+          path: |
+            ${{ env.CI_TOOLS_DIR }}
+          key: ${{ runner.os }}-${{ runner.arch }}-devtools-${{ hashFiles('mk/dependencies/deps.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ runner.arch }}-devtools
+      - run: |
+          make dev/tools
+      - name: "Enable IPv6 for Docker and enable necessary kernel modules for ip6tables"
+        run: |
+          cat <<'EOF' | sudo tee /etc/docker/daemon.json
+          {
+            "ipv6": true,
+            "fixed-cidr-v6": "2001:db8:1::/64",
+            "dns": ["8.8.8.8"],
+            "dns-search": ["."]
+          }
+          EOF
+          sudo service docker restart
+          sudo modprobe ip6table_nat
+          sudo modprobe ip6table_raw
+      - run: |
+          echo $IPV6
+          make test/transparentproxy
   gen_e2e_matrix:
     timeout-minutes: 2
     runs-on: ubuntu-latest

mk/test.mk

@@ -1,6 +1,9 @@
 UPDATE_GOLDEN_FILES ?=
 TEST_PKG_LIST ?= ./...
 REPORTS_DIR ?= build/reports
+# Path to the kumactl binary for Linux. This binary will be uploaded to Docker
+# containers during transparent proxy tests.
+KUMACTL_LINUX_BIN ?= $(BUILD_DIR)/artifacts-linux-$(GOARCH)/kumactl/kumactl
 
 GINKGO_UNIT_TEST_FLAGS ?= \
 	--skip-package ./test --race
@@ -25,7 +28,7 @@ ifndef TEST_REPORTS
 ifdef CI
 	go clean -testcache
 endif
-	$(UNIT_TEST_ENV) go test $(GOFLAGS) $(call LD_FLAGS,$(GOOS),$(GOARCH)) -race $$(go list $(TEST_PKG_LIST) | grep -E -v "test/e2e" | grep -E -v "test/blackbox_network_tests")
+	$(UNIT_TEST_ENV) go test $(GOFLAGS) $(call LD_FLAGS,$(GOOS),$(GOARCH)) -race $$(go list $(TEST_PKG_LIST) | grep -E -v "test/e2e" | grep -E -v "test/blackbox_network_tests" | grep -E -v "test/transparentproxy")
 endif
 
 $(REPORTS_DIR):
@@ -46,3 +49,8 @@ test/kumactl: test ## Dev: Run `kumactl` tests only
 .PHONY: test/cni
 test/cni: TEST_PKG_LIST=./app/cni/...
 test/cni: test ## Dev: Run `cni` tests only
+
+.PHONY: test/transparentproxy
+test/transparentproxy:
+	GOOS=linux $(MAKE) build/kumactl
+	KUMACTL_LINUX_BIN=$(KUMACTL_LINUX_BIN) $(UNIT_TEST_ENV) $(GINKGO_TEST) ./test/transparentproxy/...

test/framework/config_transparentproxy.go

@@ -0,0 +1,96 @@
+package framework
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+
+	"github.com/pkg/errors"
+
+	"github.com/kumahq/kuma/pkg/config"
+)
+
+var _ config.Config = TransparentProxyConfig{}
+
+type TransparentProxyConfig struct {
+	config.BaseConfig
+
+	KumactlLinuxBin          string            `json:"kumactlLinuxBin,omitempty" envconfig:"KUMACTL_LINUX_BIN"`
+	DockerImagesToTest       map[string]string `json:"dockerImagesToTest,omitempty" envconfig:"DOCKER_IMAGES_TO_TEST"`
+	DockerImagesToTestPaused map[string]string `json:"dockerImagesToTestPaused,omitempty" envconfig:"DOCKER_IMAGES_TO_TEST_PAUSED"`
+	InstallFlagsToTest       []string          `json:"additionalFlagsToTest,omitempty" envconfig:"ADDITIONAL_FLAGS_TO_TEST"`
+	IPV6                     bool              `json:"ipv6,omitempty" envconfig:"IPV6"`
+}
+
+func (c TransparentProxyConfig) Validate() error {
+	if TProxyConfig.KumactlLinuxBin != "" {
+		_, err := os.Stat(TProxyConfig.KumactlLinuxBin)
+		if os.IsNotExist(err) {
+			return errors.Wrapf(
+				err,
+				"unable to find kumactl for linux at: %s",
+				TProxyConfig.KumactlLinuxBin,
+			)
+		}
+
+		return err
+	}
+
+	return nil
+}
+
+func (c TransparentProxyConfig) AutoConfigure() error {
+	absoluteKumactlPath, err := filepath.Abs(TProxyConfig.KumactlLinuxBin)
+	if err != nil {
+		return err
+	}
+
+	TProxyConfig.KumactlLinuxBin = absoluteKumactlPath
+
+	return nil
+}
+
+var TProxyConfig TransparentProxyConfig
+
+var defaultTProxyConf = TransparentProxyConfig{
+	KumactlLinuxBin: fmt.Sprintf(
+		"../../../build/artifacts-linux-%s/kumactl/kumactl",
+		runtime.GOARCH,
+	),
+	DockerImagesToTest: map[string]string{
+		"Ubuntu 24.04":      "ubuntu:noble-20240605",
+		"Ubuntu 22.04":      "ubuntu:jammy-20240530",
+		"Ubuntu 20.04":      "ubuntu:focal-20240530",
+		"Debian 12":         "debian:bookworm-20240612",
+		"Debian 11":         "debian:bullseye-20240612",
+		"Debian 10":         "debian:buster-20240612",
+		"RHEL 9":            "redhat/ubi9:9.4-1123",
+		"Alpine 3":          "alpine:3.20.1",
+		"Amazon Linux 2023": "amazonlinux:2023.4.20240611.0",
+		"Amazon Linux 2":    "amazonlinux:2.0.20240610.1",
+	},
+	DockerImagesToTestPaused: map[string]string{
+		// Skipping RHEL 8 as our transparent proxy currently relies on
+		// iptables-nft or iptables-legacy binaries. RHEL 8 only provides the
+		// base iptables binary. Unpause these entries to include RHEL 8 once
+		// out transparent proxy is fixed to support base iptables binaries.
+		"RHEL 8": "redhat/ubi8:8.10-901.1717584420",
+	},
+	InstallFlagsToTest: []string{
+		"--redirect-all-dns-traffic",
+	},
+	IPV6: false,
+}
+
+func init() {
+	TProxyConfig = defaultTProxyConf
+
+	if err := config.Load(os.Getenv("TPROXY_TESTS_CONFIG_FILE"), &TProxyConfig); err != nil {
+		panic(err)
+	}
+
+	if err := TProxyConfig.AutoConfigure(); err != nil {
+		panic(err)
+	}
+}