Support specifying kind in ClientIntents (both for spec.service
… and `spec.calls.call`), `ProtectedServices`, and `KafkaServerConfigs` (#409)

Co-authored-by: Ori Shoshan <ori@otterize.com>
omris94 and orishoshan committed May 23, 2024
1 parent ba00b7c commit f9f9c5c
Showing 54 changed files with 1,361 additions and 648 deletions.
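--- a/.github/workflow-helpers/kind-intents.yaml
+++ b/.github/workflow-helpers/kind-intents.yaml
@@ -0,0 +1,12 @@
+apiVersion: k8s.otterize.com/v1alpha3
+kind: ClientIntents
+metadata:
+name: client
+namespace: otterize-tutorial-npol
+spec:
+service:
+kind: Deployment
+name: client
+calls:
+- name: server
+kind: Service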
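Review bot: The new fixture carries no comment saying what it exercises or which job consumes it, so its difference from the other helper intents files is only discoverable by grepping the workflows. A header comment such as `# e2e fixture: ClientIntents with explicit workload kinds on spec.service and on each calls entry; applied by the e2e-test-intents-with-kind-after-pods-with-egress job` would make that clear to the next person editing the e2e suite. The rendered page drops indentation, so whether `kind: Service` sits under the `server` call entry rather than at the `calls` level cannot be checked here; the consuming job (added in this commit) is the only place that validates it.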
129 changes: 129 additions & 0 deletions .github/workflows/netpol-e2e-test.yaml
Expand Up @@ -372,11 +372,140 @@ jobs:




e2e-test-intents-with-kind-after-pods-with-egress:
timeout-minutes: 10
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
with:
submodules: recursive

- name: Start minikube
uses: medyagh/setup-minikube@master
with:
start-args: "--network-plugin=cni --cni=calico"

- name: Load images from GitHub Artifacts
if: github.repository != 'otterize/intents-operator' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != 'otterize/intents-operator')
uses: actions/download-artifact@v3
with:
name: ${{ env.REGISTRY }}_${{ github.actor }}_intents-operator_${{ github.sha }}.tar

- name: Load Docker image
if: github.repository != 'otterize/intents-operator' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != 'otterize/intents-operator')
run: |-
docker image load -i intents-operator.tar
minikube image load ${{ env.REGISTRY }}/${{ github.actor }}/intents-operator:${{ github.sha }}
- name: Login to GCR
if: (github.event_name == 'push' && github.repository == 'otterize/intents-operator') || github.event.pull_request.head.repo.full_name == 'otterize/intents-operator'
uses: docker/login-action@v2
with:
registry: ${{ env.REGISTRY }}
username: _json_key_base64
password: ${{ secrets.B64_GCLOUD_SERVICE_ACCOUNT_JSON}}

- name: Load Docker images from GCR
if: (github.event_name == 'push' && github.repository == 'otterize/intents-operator') || github.event.pull_request.head.repo.full_name == 'otterize/intents-operator'
run: |-
docker pull ${{ env.REGISTRY }}/intents-operator:${{ inputs.operator-tag }}
minikube image load ${{ env.REGISTRY }}/intents-operator:${{ inputs.operator-tag }}
- name: Set up Helm
uses: azure/setup-helm@v3

- name: Wait for Calico startup
run: |-
kubectl wait pods -n kube-system -l k8s-app=calico-kube-controllers --for condition=Ready --timeout=90s
kubectl wait pods -n kube-system -l k8s-app=calico-node --for condition=Ready --timeout=90s
kubectl wait pods -n kube-system -l k8s-app=calico-kube-controllers --for condition=Ready --timeout=90s
- name: Install Otterize
run: |-
OPERATOR_FLAGS="--set-string intentsOperator.operator.repository=${{ env.REGISTRY }} --set-string intentsOperator.operator.image=${{ inputs.operator-image }} --set-string intentsOperator.operator.tag=${{ inputs.operator-tag }} --set-string intentsOperator.operator.pullPolicy=Never"
TELEMETRY_FLAG="--set global.telemetry.enabled=false"
EGRESS_FLAG="--set intentsOperator.operator.enableEgressNetworkPolicyCreation=true"
helm dep up ./helm-charts/otterize-kubernetes
helm install otterize ./helm-charts/otterize-kubernetes -n otterize-system --create-namespace $OPERATOR_FLAGS $TELEMETRY_FLAG $EGRESS_FLAG
- name: Deploy Tutorial services
run: |-
kubectl apply -f https://docs.otterize.com/code-examples/automate-network-policies/all.yaml
- name: Wait for Otterize
run: |-
kubectl wait pods -n otterize-system -l app=intents-operator --for condition=Ready --timeout=360s
# wait for webhook to be ready
POD_IP=`kubectl get pod -l app=intents-operator -n otterize-system -o=jsonpath='{.items[0].status.podIP}'`
kubectl wait -n otterize-system --for=jsonpath='{.subsets[0].addresses[0].ip}'=$POD_IP endpoints/intents-operator-webhook-service
# wait for CRD update
kubectl wait --for=jsonpath='{.spec.conversion.webhook.clientConfig.service.namespace}'=otterize-system customresourcedefinitions/clientintents.k8s.otterize.com
- name: Wait for Tutorial services
run: |-
kubectl wait pods -n otterize-tutorial-npol -l app=client --for condition=Ready --timeout=180s
kubectl wait pods -n otterize-tutorial-npol -l app=client-other --for condition=Ready --timeout=180s
kubectl wait pods -n otterize-tutorial-npol -l app=server --for condition=Ready --timeout=180s
- name: Before apply intents
run: |-
CLI1_POD=`kubectl get pod --selector app=client -n otterize-tutorial-npol -o json | jq -r ".items[0].metadata.name"`
CLI2_POD=`kubectl get pod --selector app=client-other -n otterize-tutorial-npol -o json | jq -r ".items[0].metadata.name"`
echo Client: $CLI1_POD client_other: $CLI2_POD
source .github/workflows/test-bashrc.sh
# using 14 because the log repeat itself every 14 lines
echo check client log
wait_for_log $CLI1_POD 10 "Hi, I am the server, you called, may I help you?"
echo check client other log
wait_for_log $CLI2_POD 10 "Hi, I am the server, you called, may I help you?"
- name: Apply intents and test connectivity
run: |-
CLI1_POD=`kubectl get pod --selector app=client -n otterize-tutorial-npol -o json | jq -r ".items[0].metadata.name"`
CLI2_POD=`kubectl get pod --selector app=client-other -n otterize-tutorial-npol -o json | jq -r ".items[0].metadata.name"`
echo Client: $CLI1_POD client_other: $CLI2_POD
source .github/workflows/test-bashrc.sh
echo "Apply intents"
apply_intents_and_wait_for_webhook ./.github/workflow-helpers/kind-intents.yaml
echo "Intents applied"
# should not work at first because there is no allow DNS netpol
echo "check client log - should get timed out because it is missing DNS allow netpol"
wait_for_log $CLI1_POD 10 "curl timed out"
# should be blocked (using 3 because the log should repeat itself every 3 lines)
echo "check client other log - should get timed out because it does not have an applied intent"
wait_for_log $CLI2_POD 10 "curl timed out"
echo "apply allow DNS netpol"
kubectl apply -f .github/workflow-helpers/allowDNS.yaml -n otterize-tutorial-npol
# should work because there is an applied intent and allowDNS netpol
echo "check client log - should work because there is an applied intent and allowDNS netpol"
wait_for_log $CLI1_POD 10 "Hi, I am the server, you called, may I help you?"
# should be blocked (using 3 because the log should repeat itself every 3 lines)
echo "check client other log - should get timed out because it does not have an applied intent"
wait_for_log $CLI2_POD 10 "curl timed out"





e2e-test:
needs:
- e2e-test-intents-after-pods
- e2e-test-intents-before-pods
- e2e-test-intents-after-pods-with-egress
- e2e-test-intents-with-kind-after-pods-with-egress
runs-on: ubuntu-latest
steps:
- run: |-
3 changes: 2 additions & 1 deletion src/operator/Makefile
Expand Up @@ -138,7 +138,8 @@ deploy: manifests copy-manifests-to-helm helm-dependency
deploy-local: manifests copy-manifests-to-helm helm-dependency ## Deploy images built locally into the cluster.
helm upgrade --install -n otterize-system --create-namespace otterize $(OTTERIZE_HELM_CHART_DIR) \
--set intentsOperator.operator.tag=$(LOCAL_IMAGE_TAG) \
--set intentsOperator.operator.pullPolicy=Never
--set intentsOperator.operator.pullPolicy=Never \
--set global.telemetry.enabled=false

.PHONY: undeploy
undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
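Review bot: The added `--set global.telemetry.enabled=false` on `deploy-local` is a hard-coded Helm flag, so a developer who wants to exercise telemetry locally has to edit the Makefile; the same literal is also spelled out in the e2e workflow's "Install Otterize" step in this commit. Consider an overridable variable, `DEPLOY_LOCAL_EXTRA_FLAGS ?= --set global.telemetry.enabled=false`, and `$(DEPLOY_LOCAL_EXTRA_FLAGS)` in place of the literal on the last continuation line, so `make deploy-local DEPLOY_LOCAL_EXTRA_FLAGS=` re-enables it without a source change. Whether the `deploy` target above applies the same default is outside this hunk.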
