CFE-853: e2e test case for DNSNameResolver and EgressFirewall integra…

…tion

test/extended/networking/egress_firewall.go

@@ -22,9 +22,11 @@ import (
 const (
 	egressFWTestPod      = "egressfirewall"
 	egressFWE2E          = "egress-firewall-e2e"
+	wcEgressFWE2E        = "wildcard-egress-firewall-e2e"
 	noEgressFWE2E        = "no-egress-firewall-e2e"
 	egressFWTestImage    = "registry.k8s.io/e2e-test-images/agnhost:2.47"
 	oVNKManifest         = "ovnk-egressfirewall-test.yaml"
+	oVNKWCManifest       = "ovnk-egressfirewall-wildcard-test.yaml"
 	openShiftSDNManifest = "sdn-egressnetworkpolicy-test.yaml"
 )
 
@@ -37,18 +39,38 @@ var _ = g.Describe("[sig-network][Feature:EgressFirewall]", func() {
 	InOVNKubernetesContext(
 		func() {
 			g.It("should ensure egressfirewall is created", func() {
-				doEgressFwTest(egFwf, egFwoc, oVNKManifest, true)
+				doEgressFwTest(egFwf, egFwoc, oVNKManifest, true, false)
 			})
 		},
 	)
 	// For Openshift SDN its supports EgressNetworkPolicy objects
 	InOpenShiftSDNContext(
 		func() {
 			g.It("should ensure egressnetworkpolicy is created [apigroup:network.openshift.io]", func() {
-				doEgressFwTest(egFwf, egFwoc, openShiftSDNManifest, false)
+				doEgressFwTest(egFwf, egFwoc, openShiftSDNManifest, false, false)
 			})
 		},
 	)
+
+	// When OVNKubernetes subnet and coredns-ocp-dnsnameresolver plugins are enabled.
+	// coredns-ocp-dnsnameresolver plugin is a TechPreview feature.
+	// TODO:
+	// - Remove TechPreview check when feature is GA.
+	// - Merge oVNKManifest & oVNKWCManifest contents.
+	// - Update doEgressFwTest and sendEgressFwTraffic functions.
+	wcEgFwOc := exutil.NewCLIWithPodSecurityLevel(wcEgressFWE2E, admissionapi.LevelPrivileged)
+	wcEgFwF := wcEgFwOc.KubeFramework()
+	InOVNKubernetesContext(
+		func() {
+			g.It("should ensure egressfirewall with wildcard dns rules is created", func() {
+				if !exutil.IsTechPreviewNoUpgrade(wcEgFwOc) {
+					g.Skip("the test is not expected to work within Tech Preview disabled clusters")
+				}
+				doEgressFwTest(wcEgFwF, wcEgFwOc, oVNKWCManifest, true, true)
+			})
+		},
+	)
+
 	noegFwoc := exutil.NewCLIWithPodSecurityLevel(noEgressFWE2E, admissionapi.LevelBaseline)
 	noegFwf := noegFwoc.KubeFramework()
 	g.It("egressFirewall should have no impact outside its namespace", func() {
@@ -81,7 +103,7 @@ var _ = g.Describe("[sig-network][Feature:EgressFirewall]", func() {
 	})
 })
 
-func doEgressFwTest(f *e2e.Framework, oc *exutil.CLI, manifest string, nodeSelectorSupport bool) error {
+func doEgressFwTest(f *e2e.Framework, oc *exutil.CLI, manifest string, nodeSelectorSupport, checkWildcard bool) error {
 	g.By("creating test pod")
 	o.Expect(createTestEgressFw(f, egressFWTestPod)).To(o.Succeed())
 
@@ -98,14 +120,14 @@ func doEgressFwTest(f *e2e.Framework, oc *exutil.CLI, manifest string, nodeSelec
 	err := oc.AsAdmin().Run("create").Args("-f", egFwYaml).Execute()
 	o.Expect(err).NotTo(o.HaveOccurred(), "created egress-firewall object")
 
-	o.Expect(sendEgressFwTraffic(f, oc, egressFWTestPod, nodeSelectorSupport)).To(o.Succeed())
+	o.Expect(sendEgressFwTraffic(f, oc, egressFWTestPod, nodeSelectorSupport, checkWildcard)).To(o.Succeed())
 
 	g.By("deleting test pod")
 	deleteTestEgressFw(f)
 	return err
 }
 
-func sendEgressFwTraffic(f *e2e.Framework, oc *exutil.CLI, pod string, nodeSelectorSupport bool) error {
+func sendEgressFwTraffic(f *e2e.Framework, oc *exutil.CLI, pod string, nodeSelectorSupport, checkWildcard bool) error {
 	infra, err := oc.AdminConfigClient().ConfigV1().Infrastructures().Get(context.Background(), "cluster", metav1.GetOptions{})
 	o.Expect(err).NotTo(o.HaveOccurred(), "failed to get cluster-wide infrastructure")
 
@@ -128,10 +150,22 @@ func sendEgressFwTraffic(f *e2e.Framework, oc *exutil.CLI, pod string, nodeSelec
 	_, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m3", "https://docs.openshift.com").Output()
 	expectNoError(err)
 
-	// Test curl to www.google.com:80 should fail
-	// because we don't have allow dns rule for www.google.com:80
+	if checkWildcard {
+		// Test curl to `www.google.com` and `translate.google.com` should pass
+		// because we have allow dns rule for `*.google.com`.
+		g.By("sending traffic to `www.google.com` that matches allow dns rule for `*.google.com`")
+		_, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m3", "https://www.google.com").Output()
+		expectNoError(err)
+
+		g.By("sending traffic to `translate.google.com` that matches allow dns rule for `*.google.com`")
+		_, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m3", "https://translate.google.com").Output()
+		expectNoError(err)
+	}
+
+	// Test curl to www.redhat.com should fail
+	// because we don't have allow dns rule for www.redhat.com
 	g.By("sending traffic that does not match allow dns rule")
-	_, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m3", "http://www.google.com:80").Output()
+	_, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m3", "http://www.redhat.com").Output()
 	expectError(err)
 
 	if nodeSelectorSupport {

test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml

@@ -0,0 +1,23 @@
+apiVersion: k8s.ovn.org/v1
+kind: EgressFirewall
+metadata:
+  name: default
+spec:
+  egress:
+  - type: Allow
+    to:
+      dnsName: docs.openshift.com
+  - type: Allow
+    to:
+      dnsName: "*.google.com"
+  - type: Allow
+    to:
+      cidrSelector: 8.8.8.8/32
+  - type: Allow
+    to:
+      nodeSelector:
+        matchLabels:
+          node-role.kubernetes.io/control-plane: ''
+  - type: Deny
+    to:
+      cidrSelector: 0.0.0.0/0