-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SDN-4168: Add IPsec e2e tests #28658
SDN-4168: Add IPsec e2e tests #28658
Conversation
cf28de5
to
571f86e
Compare
Job Failure Risk Analysis for sha: 571f86e
|
571f86e
to
8f2cb8c
Compare
Job Failure Risk Analysis for sha: 8f2cb8c
|
8f2cb8c
to
119a4ed
Compare
Job Failure Risk Analysis for sha: 119a4ed
|
119a4ed
to
d10b3a1
Compare
Job Failure Risk Analysis for sha: d10b3a1
|
2583612
to
e079638
Compare
Job Failure Risk Analysis for sha: e079638
|
e079638
to
8a66229
Compare
Job Failure Risk Analysis for sha: 587ab3c
|
d043f01
to
8a66229
Compare
There are two issues to be addressed with latest change.
|
Job Failure Risk Analysis for sha: 8a66229
|
@pperiyasamy: This pull request references SDN-4168 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
8c389e3
to
d0e4f09
Compare
Job Failure Risk Analysis for sha: d0e4f09
|
@@ -862,6 +864,20 @@ func areMachineConfigPoolsReadyWithIPsec(oc *exutil.CLI) (bool, error) { | |||
return masterWithIPsec && workerWithIPsec, nil | |||
} | |||
|
|||
func areMachineConfigPoolsReadyWithoutIPsec(oc *exutil.CLI) (bool, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is something in this code that makes it very difficult to read. Some suggestions:
- Remove method
areWorkerMachineConfigPoolsReady
, just as you don't have aareMasterMachineConfigPoolsReady
- s/
areMachineConfigPoolReadyWithoutMachineConfig
/areMachineConfigPoolsReadyWithoutMachineConfig
- s/
isMachineConfigReadyInPools
/areMachineConfigPoolsReadyWithMachineConfig
- Avoid the
mustExist
flag. Have agetMachineConfigPoolsByLabel(oc *exutil.CLI, mcpSelectorLabel string)
, correctly handle MMatchExpression
there as well and do somethign like
func areMasterMachineConfigPoolsWithIPsec(oc *exutil.CLI) (bool, error) {
pools , err := getMachineConfigPoolsByLabel(...)
if err != nil {
return false, err
}
return areMachineConfigPoolsReadyWithMachineConfig(pools, ...)
}
and so on...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks perfect and clean. Done.
Thanks @jcaamano .
test/extended/networking/ipsec.go
Outdated
@@ -193,22 +193,19 @@ func ensureIPsecDisabled(oc *exutil.CLI) error { | |||
return false, err | |||
} | |||
} | |||
if done { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would be good to follow the same order here and in ensureIPsecEnabled
on the machine config and cluster operator checks.
Also, I wouldn't reuse ensureIPsecMachineConfigRolloutComplete
in ensureIPsecEnabled
. Just call areMachineConfigPoolsReadyWithIPsec
directly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure, done.
@@ -46,6 +46,7 @@ require ( | |||
golang.org/x/crypto v0.16.0 | |||
golang.org/x/net v0.19.0 | |||
golang.org/x/oauth2 v0.10.0 | |||
golang.org/x/sync v0.5.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am still confused. Why is go mod vendor
bringing in the machineconfig dependency if it is not referred from go.mod
? Ideally, with no changes in go.mod
, go mod vendor
should not bring anything new? I am probably missing something.
I would keep doing the go mod tidyp
afterward however.
3201250
to
125282d
Compare
Job Failure Risk Analysis for sha: 125282d
|
This is needed to consume machine config APIs for IPsec related e2e tests. Signed-off-by: Periyasamy Palanisamy <pepalani@redhat.com>
125282d
to
accf68f
Compare
/lgtm |
/retest-required |
Job Failure Risk Analysis for sha: accf68f
|
Job Failure Risk Analysis for sha: accf68f
|
This adds relevant ipsec e2e tests to validate both control plane and dataplane for east west traffic scenario. Signed-off-by: Periyasamy Palanisamy <pepalani@redhat.com>
This test applies ipsec configuration on two chosen worker nodes via IPsec North South mechanisam and ensure traffic between those two nodes are ESP encrypted. Signed-off-by: Periyasamy Palanisamy <pepalani@redhat.com>
It is appropriate to generate certificates offline with certutil and butane, Then import those certficates into worker nodes via machine config. Hence this commit makes use of such a machine config to import certficates instead of doing it from a pod. Signed-off-by: Periyasamy Palanisamy <pepalani@redhat.com>
This commit adds and updates relevant tests for validating node traffic for both east west and north south IPsec configurations. Signed-off-by: Periyasamy Palanisamy <pepalani@redhat.com>
This commit has fixes for issues found with ipsec tests while testing with a 4.16 cluster running in AWS. Signed-off-by: Periyasamy Palanisamy <pepalani@redhat.com>
accf68f
to
06e240d
Compare
/retest |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dgoodwin, jcaamano, pperiyasamy The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/test e2e-aws-ovn-serial |
@pperiyasamy: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
539491f
into
openshift:master
This adds relevant ipsec e2e tests to validate both control plane and dataplane for both east west and north south traffic scenarios.
Run IPsec tests with command:
./openshift-tests run openshift/network/ipsec