daemon: Do not bump policy revision on identity changes.

Identity changes are noted via a separate revision number maintained by the selector cache, so it is no longer necessary to artificially bump the policy revision number when identities have changed. Add unit testing code that exercises the identity change triggering code that is changed to make sure policy computation still works. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
tklauser · Jun 21, 2019 · c2d63aa · c2d63aa
1 parent 192f581
commit c2d63aa
Show file tree

Hide file tree

Showing 2 changed files with 112 additions and 1 deletion.
diff --git a/daemon/policy.go b/daemon/policy.go
@@ -72,7 +72,7 @@ func (d *Daemon) TriggerPolicyUpdates(force bool, reason string) {
 // and also triggers policy updates.
 func (d *Daemon) UpdateIdentities(added, deleted cache.IdentityCache) {
 	d.policy.GetSelectorCache().UpdateIdentities(added, deleted)
-	d.TriggerPolicyUpdates(true, "one or more identities created or deleted")
+	d.TriggerPolicyUpdates(false, "one or more identities created or deleted")
 }
 
 type getPolicyResolve struct {

diff --git a/daemon/policy_test.go b/daemon/policy_test.go
@@ -151,6 +151,15 @@ func (ds *DaemonSuite) prepareEndpoint(c *C, identity *identity.Identity, qa boo
 	return e
 }
 
+func (ds *DaemonSuite) regenerateEndpoint(c *C, e *endpoint.Endpoint) {
+	e.UnconditionalLock()
+	ready := e.SetStateLocked(endpoint.StateWaitingToRegenerate, "test")
+	e.Unlock()
+	c.Assert(ready, Equals, true)
+	buildSuccess := <-e.Regenerate(ds.d, regenerationMetadata)
+	c.Assert(buildSuccess, Equals, true)
+}
+
 func (ds *DaemonSuite) TestUpdateConsumerMap(c *C) {
 	rules := api.Rules{
 		{
@@ -544,3 +553,105 @@ func (ds *DaemonSuite) TestRemovePolicy(c *C) {
 	networkPolicies = ds.getXDSNetworkPolicies(c, nil)
 	c.Assert(networkPolicies, HasLen, 0)
 }
+
+func (ds *DaemonSuite) TestIncrementalPolicy(c *C) {
+	qaBarLbls := labels.Labels{lblBar.Key: lblBar, lblQA.Key: lblQA}
+	qaBarSecLblsCtx, _, err := cache.AllocateIdentity(context.Background(), ds.d, qaBarLbls)
+	c.Assert(err, Equals, nil)
+	defer cache.Release(context.Background(), ds.d, qaBarSecLblsCtx)
+
+	rules := api.Rules{
+		{
+			EndpointSelector: api.NewESFromLabels(lblBar),
+			Ingress: []api.IngressRule{
+				{
+					FromEndpoints: []api.EndpointSelector{
+						api.NewESFromLabels(lblJoe),
+						api.NewESFromLabels(lblPete),
+						api.NewESFromLabels(lblFoo),
+					},
+				},
+				{
+					FromEndpoints: []api.EndpointSelector{
+						api.NewESFromLabels(lblFoo),
+					},
+					ToPorts: []api.PortRule{
+						// Allow Port 80 GET /bar
+						CNPAllowGETbar,
+					},
+				},
+			},
+		},
+		{
+			EndpointSelector: api.NewESFromLabels(lblQA),
+			Ingress: []api.IngressRule{
+				{
+					FromRequires: []api.EndpointSelector{
+						api.NewESFromLabels(lblQA),
+					},
+				},
+			},
+		},
+		{
+			EndpointSelector: api.NewESFromLabels(lblProd),
+			Ingress: []api.IngressRule{
+				{
+					FromRequires: []api.EndpointSelector{
+						api.NewESFromLabels(lblProd),
+					},
+				},
+			},
+		},
+	}
+
+	ds.d.l7Proxy.RemoveAllNetworkPolicies()
+
+	_, err3 := ds.d.PolicyAdd(rules, nil)
+	c.Assert(err3, Equals, nil)
+
+	cleanup, err2 := prepareEndpointDirs()
+	c.Assert(err2, Equals, nil)
+	defer cleanup()
+
+	// Create the endpoint and generate its policy.
+	e := ds.prepareEndpoint(c, qaBarSecLblsCtx, true)
+
+	// Check that the policy has been updated in the xDS cache for the L7
+	// proxies.
+	networkPolicies := ds.getXDSNetworkPolicies(c, nil)
+	c.Assert(networkPolicies, HasLen, 2)
+	qaBarNetworkPolicy := networkPolicies[QAIPv4Addr.String()]
+	c.Assert(qaBarNetworkPolicy, Not(IsNil))
+
+	c.Assert(qaBarNetworkPolicy.IngressPerPortPolicies, HasLen, 0)
+
+	// Allocate identities needed for this test
+	qaFooLbls := labels.Labels{lblFoo.Key: lblFoo, lblQA.Key: lblQA}
+	qaFooID, _, err := cache.AllocateIdentity(context.Background(), ds.d, qaFooLbls)
+	c.Assert(err, Equals, nil)
+	defer cache.Release(context.Background(), ds.d, qaFooID)
+
+	// Regenerate endpoint
+	ds.regenerateEndpoint(c, e)
+
+	// Check that the policy has been updated in the xDS cache for the L7
+	// proxies.
+	networkPolicies = ds.getXDSNetworkPolicies(c, nil)
+	c.Assert(networkPolicies, HasLen, 2)
+	qaBarNetworkPolicy = networkPolicies[QAIPv4Addr.String()]
+	c.Assert(qaBarNetworkPolicy, Not(IsNil))
+
+	c.Assert(qaBarNetworkPolicy.IngressPerPortPolicies, HasLen, 1)
+	c.Assert(qaBarNetworkPolicy.IngressPerPortPolicies[0].Rules, HasLen, 1)
+	c.Assert(qaBarNetworkPolicy.IngressPerPortPolicies[0].Rules[0].RemotePolicies, HasLen, 1)
+	c.Assert(qaBarNetworkPolicy.IngressPerPortPolicies[0].Rules[0].RemotePolicies[0], Equals, uint64(qaFooID.ID))
+
+	// Delete the endpoint.
+	e.UnconditionalLock()
+	e.LeaveLocked(ds.d, nil, endpoint.DeleteConfig{})
+	e.Unlock()
+
+	// Check that the policy has been removed from the xDS cache.
+	networkPolicies = ds.getXDSNetworkPolicies(c, nil)
+	c.Assert(networkPolicies, HasLen, 0)
+}