This adds relevant IPsec e2e tests to validate both the control plane and the dataplane for both east-west and north-south traffic scenarios. Signed-off-by: Periyasamy Palanisamy <pepalani@redhat.com>
1 parent
f2cc4d0
commit cf28de5
Showing
910 changed files
with
67,183 additions
and
28,941 deletions.
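--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,220 @@
+package networking
+
+import (
+"context"
+"fmt"
+"time"
+
+configv1 "github.com/openshift/api/config/v1"
+mcfgv1 "github.com/openshift/api/machineconfiguration/v1"
+v1 "github.com/openshift/api/operator/v1"
+exutil "github.com/openshift/origin/test/extended/util"
+apierrors "k8s.io/apimachinery/pkg/api/errors"
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+"k8s.io/apimachinery/pkg/labels"
+"k8s.io/apimachinery/pkg/util/sets"
+"k8s.io/client-go/util/retry"
+"k8s.io/kubernetes/test/e2e/framework"
+admissionapi "k8s.io/pod-security-admission/api"
+
+g "github.com/onsi/ginkgo/v2"
+m "github.com/onsi/gomega"
+)
+
+func configureIPsec(oc *exutil.CLI, ipsecMode v1.IPsecMode) error {
+return retry.RetryOnConflict(retry.DefaultRetry, func() error {
+network, err := oc.AdminOperatorClient().OperatorV1().Networks().Get(context.Background(), "cluster", metav1.GetOptions{})
+if err != nil {
+return err
+}
+if network.Spec.DefaultNetwork.OVNKubernetesConfig.IPsecConfig == nil {
+network.Spec.DefaultNetwork.OVNKubernetesConfig.IPsecConfig = &v1.IPsecConfig{Mode: ipsecMode}
+} else if network.Spec.DefaultNetwork.OVNKubernetesConfig.IPsecConfig.Mode != ipsecMode {
+network.Spec.DefaultNetwork.OVNKubernetesConfig.IPsecConfig.Mode = ipsecMode
+}
+_, err = oc.AdminOperatorClient().OperatorV1().Networks().Update(context.Background(), network, metav1.UpdateOptions{})
+return err
+})
+}
+
+func isIPsecRolloutComplete(oc *exutil.CLI) (bool, error) {
+for {
+done, err := isMachineConfigPoolReadyWithIPsec(oc)
+if err != nil {
+return false, err
+}
+if done {
+ready, err := ensureClusterOperatorsReady((oc))
+if err != nil {
+return false, err
+}
+if ready {
+return true, nil
+}
+}
+time.Sleep(180 * time.Second)
+}
+}
+
+func ensureIPsecDisabled(oc *exutil.CLI) (bool, error) {
+for {
+running, err := isIPsecDaemonSetRunning(oc)
+if err != nil {
+return false, err
+}
+if !running {
+ready, err := ensureClusterOperatorsReady((oc))
+if err != nil {
+return false, err
+}
+if ready {
+return true, nil
+}
+}
+time.Sleep(180 * time.Second)
+}
+}
+
+func isMachineConfigPoolReadyWithIPsec(oc *exutil.CLI) (bool, error) {
+masterIPsecMachineConfigs, err := findIPsecMachineConfigsWithLabel(oc, "machineconfiguration.openshift.io/role=master")
+if err != nil {
+return false, fmt.Errorf("failed to get ipsec machine configs for master: %v", err)
+}
+masterMCPool, err := oc.MachineConfigurationClient().MachineconfigurationV1().MachineConfigPools().Get(context.Background(),
+"master", metav1.GetOptions{})
+if err != nil {
+return false, fmt.Errorf("failed to get ipsec machine config pool for master: %v", err)
+}
+if !hasSourceInMachineConfigStatus(masterMCPool.Status, masterIPsecMachineConfigs) {
+return false, nil
+}
+
+workerIPsecMachineConfigs, err := findIPsecMachineConfigsWithLabel(oc, "machineconfiguration.openshift.io/role=worker")
+if err != nil {
+return false, fmt.Errorf("failed to get ipsec machine configs for worker: %v", err)
+}
+workerMCPool, err := oc.MachineConfigurationClient().MachineconfigurationV1().MachineConfigPools().Get(context.Background(),
+"worker", metav1.GetOptions{})
+if err != nil {
+return false, fmt.Errorf("failed to get ipsec machine config pool for worker: %v", err)
+}
+if !hasSourceInMachineConfigStatus(workerMCPool.Status, workerIPsecMachineConfigs) {
+return false, nil
+}
+return true, nil
+}
+
+func findIPsecMachineConfigsWithLabel(oc *exutil.CLI, selector string) ([]*mcfgv1.MachineConfig, error) {
+lSelector, err := labels.Parse(selector)
+if err != nil {
+return nil, err
+}
+machineConfigs, err := oc.MachineConfigurationClient().MachineconfigurationV1().MachineConfigs().List(context.Background(),
+metav1.ListOptions{LabelSelector: lSelector.String()})
+if err != nil {
+return nil, err
+}
+var ipsecMachineConfigs []*mcfgv1.MachineConfig
+for i, machineConfig := range machineConfigs.Items {
+if sets.New(machineConfig.Spec.Extensions...).Has("ipsec") {
+ipsecMachineConfigs = append(ipsecMachineConfigs, &machineConfigs.Items[i])
+}
+}
+return ipsecMachineConfigs, nil
+}
+
+func hasSourceInMachineConfigStatus(machineConfigStatus mcfgv1.MachineConfigPoolStatus, machineConfigs []*mcfgv1.MachineConfig) bool {
+sourceNames := sets.New[string]()
+for _, machineConfig := range machineConfigs {
+sourceNames.Insert(machineConfig.Name)
+}
+for _, source := range machineConfigStatus.Configuration.Source {
+if sourceNames.Has(source.Name) {
+return true
+}
+}
+return false
+}
+
+func ensureClusterOperatorsReady(oc *exutil.CLI) (bool, error) {
+cos, err := oc.AdminConfigClient().ConfigV1().ClusterOperators().List(context.Background(), metav1.ListOptions{})
+if err != nil {
+return false, err
+}
+for _, co := range cos.Items {
+available, degraded, progressing := false, true, true
+for _, condition := range co.Status.Conditions {
+isConditionTrue := condition.Status == configv1.ConditionTrue
+switch condition.Type {
+case configv1.OperatorAvailable:
+available = isConditionTrue
+case configv1.OperatorDegraded:
+degraded = isConditionTrue
+case configv1.OperatorProgressing:
+progressing = isConditionTrue
+}
+}
+isCOReady := available && !degraded && !progressing
+if !isCOReady {
+return false, nil
+}
+}
+return true, nil
+}
+
+func isIPsecDaemonSetRunning(oc *exutil.CLI) (bool, error) {
+ipsecDS, err := oc.KubeClient().AppsV1().DaemonSets("openshift-ovn-kubernetes").Get(context.Background(), "ovn-ipsec-host", metav1.GetOptions{})
+if err != nil && apierrors.IsNotFound(err) {
+return false, nil
+} else if err != nil {
+return false, err
+}
+ready := ipsecDS.Status.DesiredNumberScheduled == ipsecDS.Status.NumberReady
+return ready, nil
+}
+
+var _ = g.Describe("[sig-network][Feature:IPsec]", func() {
+
+oc := exutil.NewCLIWithPodSecurityLevel("ipsec-e2e", admissionapi.LevelBaseline)
+
+InOVNKubernetesContext(func() {
+g.BeforeAll(func() {
+ready, err := ensureClusterOperatorsReady((oc))
+framework.ExpectNoError(err)
+m.Expect(ready).Should(m.Equal(true))
+
+err = configureIPsec(oc, v1.IPsecModeFull)
+framework.ExpectNoError(err)
+
+ready, err = isIPsecRolloutComplete(oc)
+framework.ExpectNoError(err)
+m.Expect(ready).Should(m.Equal(true))
+})
+
+g.AfterAll(func() {
+ready, err := ensureClusterOperatorsReady((oc))
+framework.ExpectNoError(err)
+m.Expect(ready).Should(m.Equal(true))
+
+err = configureIPsec(oc, v1.IPsecModeDisabled)
+framework.ExpectNoError(err)
+
+disabled, err := ensureIPsecDisabled(oc)
+framework.ExpectNoError(err)
+m.Expect(disabled).Should(m.Equal(true))
+})
+
+g.It("ensure traffic between local pod to a remote pod is IPsec encrypted [apigroup:config.openshift.io] [Serial]", func() {
+// TODO
+})
+
+g.It("ensure traffic between local pod to a ClusterIP service is IPsec encrypted [apigroup:config.openshift.io] [Serial]", func() {
+// TODO
+})
+
+g.It("ensure external traffic to the cluster is IPsec encrypted [apigroup:config.openshift.io] [Serial]", func() {
+// TODO
+})
+
+})
+})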
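Review bot: `isIPsecRolloutComplete` and `ensureIPsecDisabled` poll in a bare `for {}` with a 180 s `time.Sleep` and no deadline, so a rollout that never converges (a stuck MachineConfigPool, a cluster operator that stays Progressing or Degraded) hangs the whole serial suite instead of failing it with a diagnosable error. Bounding the wait with `wait.PollUntilContextTimeout` from `k8s.io/apimachinery/pkg/util/wait` (a new import) keeps the `(bool, error)` signature and turns a stall into a reported timeout; the rewritten `isIPsecRolloutComplete` is below, `ensureIPsecDisabled` follows the same shape with the `isIPsecDaemonSetRunning` result negated, and `ipsecRolloutTimeout` is a new package constant whose value (constructed example: `45 * time.Minute`) should be sized to the cluster's observed MCO reboot cycle. In `AfterAll`, asserting `ensureClusterOperatorsReady` before calling `configureIPsec(oc, v1.IPsecModeDisabled)` means a run that leaves an operator degraded never reaches the disable step and leaves IPsec in Full mode cluster-wide; the cleanup should attempt the disable first and only then assert operator health. Separately, `isIPsecDaemonSetRunning` reports running when `DesiredNumberScheduled` and `NumberReady` are both zero, which reads as a bug given how `ensureIPsecDisabled` consumes it, though the intended semantics of a zero-desired DaemonSet should be confirmed with the OVN-Kubernetes maintainers.
```go
// ipsecRolloutTimeout bounds how long the suite waits for an IPsec mode change to settle.
const ipsecRolloutTimeout = 45 * time.Minute // constructed example; tune to the MCO reboot cycle

func isIPsecRolloutComplete(oc *exutil.CLI) (bool, error) {
	// A rollout that never converges must fail the suite, not hang it.
	err := wait.PollUntilContextTimeout(context.Background(), 180*time.Second, ipsecRolloutTimeout, true,
		func(ctx context.Context) (bool, error) {
			done, err := isMachineConfigPoolReadyWithIPsec(oc)
			if err != nil || !done {
				return false, err
			}
			return ensureClusterOperatorsReady(oc)
		})
	if err != nil {
		return false, fmt.Errorf("waiting for ipsec rollout: %w", err)
	}
	return true, nil
}

// … unchanged: ensureIPsecDisabled gets the same wait.PollUntilContextTimeout shape …
```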