connectivity: Add Port Range Tests

Add port range tests for all port based
connectivity tests.

Signed-off-by: Nate Sweet <[email protected]>

Author: nathanjsweet

connectivity/builder/builder.go

@@ -57,15 +57,24 @@ var (
 	//go:embed manifests/client-egress-l7-http.yaml
 	clientEgressL7HTTPPolicyYAML string
 
+	//go:embed manifests/client-egress-l7-http-port-range.yaml
+	clientEgressL7HTTPPolicyPortRangeYAML string
+
 	//go:embed manifests/client-egress-l7-http-named-port.yaml
 	clientEgressL7HTTPNamedPortPolicyYAML string
 
 	//go:embed manifests/client-egress-l7-tls.yaml
 	clientEgressL7TLSPolicyYAML string
 
+	//go:embed manifests/client-egress-l7-tls-port-range.yaml
+	clientEgressL7TLSPolicyPortRangeYAML string
+
 	//go:embed manifests/client-egress-l7-http-matchheader-secret.yaml
 	clientEgressL7HTTPMatchheaderSecretYAML string
 
+	//go:embed manifests/client-egress-l7-http-matchheader-secret-port-range.yaml
+	clientEgressL7HTTPMatchheaderSecretPortRangeYAML string
+
 	//go:embed manifests/echo-ingress-from-cidr.yaml
 	echoIngressFromCIDRYAML string
 )
@@ -259,17 +268,20 @@ func finalTests(ct *check.ConnectivityTest) error {
 
 func renderTemplates(param check.Parameters) (map[string]string, error) {
 	templates := map[string]string{
-		"clientEgressToCIDRExternalPolicyYAML":     clientEgressToCIDRExternalPolicyYAML,
-		"clientEgressToCIDRExternalPolicyKNPYAML":  clientEgressToCIDRExternalPolicyKNPYAML,
-		"clientEgressToCIDRNodeKNPYAML":            clientEgressToCIDRNodeKNPYAML,
-		"clientEgressToCIDRExternalDenyPolicyYAML": clientEgressToCIDRExternalDenyPolicyYAML,
-		"clientEgressL7HTTPPolicyYAML":             clientEgressL7HTTPPolicyYAML,
-		"clientEgressL7HTTPNamedPortPolicyYAML":    clientEgressL7HTTPNamedPortPolicyYAML,
-		"clientEgressToFQDNsPolicyYAML":            clientEgressToFQDNsPolicyYAML,
-		"clientEgressL7TLSPolicyYAML":              clientEgressL7TLSPolicyYAML,
-		"clientEgressL7HTTPMatchheaderSecretYAML":  clientEgressL7HTTPMatchheaderSecretYAML,
-		"echoIngressFromCIDRYAML":                  echoIngressFromCIDRYAML,
-		"denyCIDRPolicyYAML":                       denyCIDRPolicyYAML,
+		"clientEgressToCIDRExternalPolicyYAML":             clientEgressToCIDRExternalPolicyYAML,
+		"clientEgressToCIDRExternalPolicyKNPYAML":          clientEgressToCIDRExternalPolicyKNPYAML,
+		"clientEgressToCIDRNodeKNPYAML":                    clientEgressToCIDRNodeKNPYAML,
+		"clientEgressToCIDRExternalDenyPolicyYAML":         clientEgressToCIDRExternalDenyPolicyYAML,
+		"clientEgressL7HTTPPolicyYAML":                     clientEgressL7HTTPPolicyYAML,
+		"clientEgressL7HTTPPolicyPortRangeYAML":            clientEgressL7HTTPPolicyPortRangeYAML,
+		"clientEgressL7HTTPNamedPortPolicyYAML":            clientEgressL7HTTPNamedPortPolicyYAML,
+		"clientEgressToFQDNsPolicyYAML":                    clientEgressToFQDNsPolicyYAML,
+		"clientEgressL7TLSPolicyYAML":                      clientEgressL7TLSPolicyYAML,
+		"clientEgressL7TLSPolicyPortRangeYAML":             clientEgressL7TLSPolicyPortRangeYAML,
+		"clientEgressL7HTTPMatchheaderSecretYAML":          clientEgressL7HTTPMatchheaderSecretYAML,
+		"clientEgressL7HTTPMatchheaderSecretPortRangeYAML": clientEgressL7HTTPMatchheaderSecretPortRangeYAML,
+		"echoIngressFromCIDRYAML":                          echoIngressFromCIDRYAML,
+		"denyCIDRPolicyYAML":                               denyCIDRPolicyYAML,
 	}
 	if param.K8sLocalHostTest {
 		templates["clientEgressToCIDRCPHostPolicyYAML"] = clientEgressToCIDRCPHostPolicyYAML

connectivity/builder/client_egress_expression.go

@@ -8,16 +8,33 @@ import (
 
 	"github.com/cilium/cilium-cli/connectivity/check"
 	"github.com/cilium/cilium-cli/connectivity/tests"
+	"github.com/cilium/cilium-cli/utils/features"
 )
 
 //go:embed manifests/client-egress-to-echo-expression.yaml
 var clientEgressToEchoExpressionPolicyYAML string
 
+//go:embed manifests/client-egress-to-echo-expression-port-range.yaml
+var clientEgressToEchoExpressionPolicyPortRangeYAML string
+
 type clientEgressExpression struct{}
 
 func (t clientEgressExpression) build(ct *check.ConnectivityTest, _ map[string]string) {
+	clientEgressExpressionTest(ct, false)
+	if ct.Features[features.PortRanges].Enabled {
+		clientEgressExpressionTest(ct, true)
+	}
+}
+
+func clientEgressExpressionTest(ct *check.ConnectivityTest, portRanges bool) {
+	testName := "client-egress-expression"
+	policyYAML := clientEgressToEchoExpressionPolicyYAML
+	if portRanges {
+		testName = "client-egress-expression-port-range"
+		policyYAML = clientEgressToEchoExpressionPolicyPortRangeYAML
+	}
 	// This policy allows port 8080 from client to echo (using label match expression, so this should succeed
-	newTest("client-egress-expression", ct).
-		WithCiliumPolicy(clientEgressToEchoExpressionPolicyYAML).
+	newTest(testName, ct).
+		WithCiliumPolicy(policyYAML).
 		WithScenarios(tests.PodToPod())
 }

connectivity/builder/client_egress_expression_knp.go

@@ -8,16 +8,33 @@ import (
 
 	"github.com/cilium/cilium-cli/connectivity/check"
 	"github.com/cilium/cilium-cli/connectivity/tests"
+	"github.com/cilium/cilium-cli/utils/features"
 )
 
 //go:embed manifests/client-egress-to-echo-expression-knp.yaml
 var clientEgressToEchoExpressionPolicyKNPYAML string
 
+//go:embed manifests/client-egress-to-echo-expression-knp-port-range.yaml
+var clientEgressToEchoExpressionPolicyKNPPortRangeYAML string
+
 type clientEgressExpressionKnp struct{}
 
 func (t clientEgressExpressionKnp) build(ct *check.ConnectivityTest, _ map[string]string) {
+	clientEgressExpressionKnpTest(ct, false)
+	if ct.Features[features.PortRanges].Enabled {
+		clientEgressExpressionKnpTest(ct, true)
+	}
+}
+
+func clientEgressExpressionKnpTest(ct *check.ConnectivityTest, portRanges bool) {
+	testName := "client-egress-expression-knp"
+	policyYAML := clientEgressToEchoExpressionPolicyKNPYAML
+	if portRanges {
+		testName = "client-egress-expression-knp-port-range"
+		policyYAML = clientEgressToEchoExpressionPolicyKNPPortRangeYAML
+	}
 	// This policy allows port 8080 from client to echo (using label match expression, so this should succeed
-	newTest("client-egress-expression-knp", ct).
-		WithK8SPolicy(clientEgressToEchoExpressionPolicyKNPYAML).
+	newTest(testName, ct).
+		WithK8SPolicy(policyYAML).
 		WithScenarios(tests.PodToPod())
 }

connectivity/builder/client_egress_l7.go

@@ -12,11 +12,24 @@ import (
 type clientEgressL7 struct{}
 
 func (t clientEgressL7) build(ct *check.ConnectivityTest, templates map[string]string) {
+	clientEgressL7Test(ct, templates, false)
+	if ct.Features[features.PortRanges].Enabled {
+		clientEgressL7Test(ct, templates, true)
+	}
+}
+
+func clientEgressL7Test(ct *check.ConnectivityTest, templates map[string]string, portRanges bool) {
+	testName := "client-egress-l7"
+	templateName := "clientEgressL7HTTPPolicyYAML"
+	if portRanges {
+		testName = "client-egress-l7-port-range"
+		templateName = "clientEgressL7HTTPPolicyPortRangeYAML"
+	}
 	// Test L7 HTTP introspection using an egress policy on the clients.
-	newTest("client-egress-l7", ct).
+	newTest(testName, ct).
 		WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)).
-		WithCiliumPolicy(clientEgressOnlyDNSPolicyYAML).             // DNS resolution only
-		WithCiliumPolicy(templates["clientEgressL7HTTPPolicyYAML"]). // L7 allow policy with HTTP introspection
+		WithCiliumPolicy(clientEgressOnlyDNSPolicyYAML). // DNS resolution only
+		WithCiliumPolicy(templates[templateName]).       // L7 allow policy with HTTP introspection
 		WithScenarios(
 			tests.PodToPod(),
 			tests.PodToWorld(tests.WithRetryDestPort(80), tests.WithRetryPodLabel("other", "client")),

connectivity/builder/client_egress_l7_method.go

@@ -14,14 +14,30 @@ import (
 //go:embed manifests/client-egress-l7-http-method.yaml
 var clientEgressL7HTTPMethodPolicyYAML string
 
+//go:embed manifests/client-egress-l7-http-method-port-range.yaml
+var clientEgressL7HTTPMethodPolicyPortRangeYAML string
+
 type clientEgressL7Method struct{}
 
 func (t clientEgressL7Method) build(ct *check.ConnectivityTest, _ map[string]string) {
+	clientEgressL7MethodTest(ct, false)
+	if ct.Features[features.PortRanges].Enabled {
+		clientEgressL7MethodTest(ct, true)
+	}
+}
+
+func clientEgressL7MethodTest(ct *check.ConnectivityTest, portRanges bool) {
+	testName := "client-egress-l7-method"
+	yamlFile := clientEgressL7HTTPMethodPolicyYAML
+	if portRanges {
+		testName = "client-egress-l7-method-port-range"
+		yamlFile = clientEgressL7HTTPMethodPolicyPortRangeYAML
+	}
 	// Test L7 HTTP with different methods introspection using an egress policy on the clients.
-	newTest("client-egress-l7-method", ct).
+	newTest(testName, ct).
 		WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)).
-		WithCiliumPolicy(clientEgressOnlyDNSPolicyYAML).      // DNS resolution only
-		WithCiliumPolicy(clientEgressL7HTTPMethodPolicyYAML). // L7 allow policy with HTTP introspection (POST only)
+		WithCiliumPolicy(clientEgressOnlyDNSPolicyYAML). // DNS resolution only
+		WithCiliumPolicy(yamlFile).                      // L7 allow policy with HTTP introspection (POST only)
 		WithScenarios(
 			tests.PodToPodWithEndpoints(tests.WithMethod("POST"), tests.WithDestinationLabelsOption(map[string]string{"other": "echo"})),
 			tests.PodToPodWithEndpoints(tests.WithDestinationLabelsOption(map[string]string{"first": "echo"})),

connectivity/builder/client_egress_l7_set_header.go

@@ -15,8 +15,21 @@ import (
 type clientEgressL7SetHeader struct{}
 
 func (t clientEgressL7SetHeader) build(ct *check.ConnectivityTest, templates map[string]string) {
+	clientEgressL7SetHeaderTest(ct, templates, false)
+	if ct.Features[features.PortRanges].Enabled {
+		clientEgressL7SetHeaderTest(ct, templates, true)
+	}
+}
+
+func clientEgressL7SetHeaderTest(ct *check.ConnectivityTest, templates map[string]string, portRanges bool) {
+	testName := "client-egress-l7-set-header"
+	templateName := "clientEgressL7HTTPMatchheaderSecretYAML"
+	if portRanges {
+		testName = "client-egress-l7-set-header-port-range"
+		templateName = "clientEgressL7HTTPMatchheaderSecretPortRangeYAML"
+	}
 	// Test L7 HTTP with a header replace set in the policy
-	newTest("client-egress-l7-set-header", ct).
+	newTest(testName, ct).
 		WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)).
 		WithFeatureRequirements(features.RequireEnabled(features.SecretBackendK8s)).
 		WithSecret(&corev1.Secret{
@@ -27,7 +40,7 @@ func (t clientEgressL7SetHeader) build(ct *check.ConnectivityTest, templates map
 				"value": []byte("Bearer 123456"),
 			},
 		}).
-		WithCiliumPolicy(templates["clientEgressL7HTTPMatchheaderSecretYAML"]). // L7 allow policy with HTTP introspection (POST only)
+		WithCiliumPolicy(templates[templateName]). // L7 allow policy with HTTP introspection (POST only)
 		WithScenarios(
 			tests.PodToPodWithEndpoints(tests.WithMethod("POST"), tests.WithPath("auth-header-required"), tests.WithDestinationLabelsOption(map[string]string{"other": "echo"})),
 			tests.PodToPodWithEndpoints(tests.WithMethod("POST"), tests.WithPath("auth-header-required"), tests.WithDestinationLabelsOption(map[string]string{"first": "echo"})),

connectivity/builder/client_egress_l7_tls_headers.go

@@ -12,13 +12,26 @@ import (
 type clientEgressL7TlsHeaders struct{}
 
 func (t clientEgressL7TlsHeaders) build(ct *check.ConnectivityTest, templates map[string]string) {
+	clientEgressL7TlsHeadersTest(ct, templates, false)
+	if ct.Features[features.PortRanges].Enabled {
+		clientEgressL7TlsHeadersTest(ct, templates, true)
+	}
+}
+
+func clientEgressL7TlsHeadersTest(ct *check.ConnectivityTest, templates map[string]string, portRanges bool) {
+	testName := "client-egress-l7-tls-headers"
+	yamlFile := templates["clientEgressL7TLSPolicyYAML"]
+	if portRanges {
+		testName = "client-egress-l7-tls-headers-port-range"
+		yamlFile = templates["clientEgressL7TLSPolicyPortRangeYAML"]
+	}
 	// Test L7 HTTPS interception using an egress policy on the clients.
-	newTest("client-egress-l7-tls-headers", ct).
+	newTest(testName, ct).
 		WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)).
 		WithFeatureRequirements(features.RequireEnabled(features.SecretBackendK8s)).
 		WithCABundleSecret().
 		WithCertificate("externaltarget-tls", ct.Params().ExternalTarget).
-		WithCiliumPolicy(templates["clientEgressL7TLSPolicyYAML"]). // L7 allow policy with TLS interception
+		WithCiliumPolicy(yamlFile). // L7 allow policy with TLS interception
 		WithScenarios(tests.PodToWorldWithTLSIntercept("-H", "X-Very-Secret-Token: 42")).
 		WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
 			return check.ResultOK, check.ResultNone

connectivity/builder/client_egress_to_echo_deny.go

@@ -8,19 +8,36 @@ import (
 
 	"github.com/cilium/cilium-cli/connectivity/check"
 	"github.com/cilium/cilium-cli/connectivity/tests"
+	"github.com/cilium/cilium-cli/utils/features"
 )
 
 //go:embed manifests/client-egress-to-echo-deny.yaml
 var clientEgressToEchoDenyPolicyYAML string
 
+//go:embed manifests/client-egress-to-echo-deny-port-range.yaml
+var clientEgressToEchoDenyPolicyPortRangeYAML string
+
 type clientEgressToEchoDeny struct{}
 
 func (t clientEgressToEchoDeny) build(ct *check.ConnectivityTest, _ map[string]string) {
+	clientEgressToEchoDenyTest(ct, false)
+	if ct.Features[features.PortRanges].Enabled {
+		clientEgressToEchoDenyTest(ct, true)
+	}
+}
+
+func clientEgressToEchoDenyTest(ct *check.ConnectivityTest, portRanges bool) {
+	testName := "client-egress-to-echo-deny"
+	policyYAML := clientEgressToEchoDenyPolicyYAML
+	if portRanges {
+		testName = "client-egress-to-echo-deny-port-range"
+		policyYAML = clientEgressToEchoDenyPolicyPortRangeYAML
+	}
 	// This policy denies port 8080 from client to echo
-	newTest("client-egress-to-echo-deny", ct).
-		WithCiliumPolicy(allowAllEgressPolicyYAML).         // Allow all egress traffic
-		WithCiliumPolicy(allowAllIngressPolicyYAML).        // Allow all ingress traffic
-		WithCiliumPolicy(clientEgressToEchoDenyPolicyYAML). // Deny client to echo traffic via port 8080
+	newTest(testName, ct).
+		WithCiliumPolicy(allowAllEgressPolicyYAML).  // Allow all egress traffic
+		WithCiliumPolicy(allowAllIngressPolicyYAML). // Allow all ingress traffic
+		WithCiliumPolicy(policyYAML).                // Deny client to echo traffic via port 8080
 		WithScenarios(
 			tests.ClientToClient(), // Client to client traffic should be allowed
 			tests.PodToPod(),       // Client to echo traffic should be denied

connectivity/builder/client_egress_to_echo_expression_deny.go

@@ -8,19 +8,36 @@ import (
 
 	"github.com/cilium/cilium-cli/connectivity/check"
 	"github.com/cilium/cilium-cli/connectivity/tests"
+	"github.com/cilium/cilium-cli/utils/features"
 )
 
 //go:embed manifests/client-egress-to-echo-expression-deny.yaml
 var clientEgressToEchoExpressionDenyPolicyYAML string
 
+//go:embed manifests/client-egress-to-echo-expression-deny-port-range.yaml
+var clientEgressToEchoExpressionDenyPolicyPortRangeYAML string
+
 type clientEgressToEchoExpressionDeny struct{}
 
 func (t clientEgressToEchoExpressionDeny) build(ct *check.ConnectivityTest, _ map[string]string) {
+	clientEgressToEchoExpressionDenyTest(ct, false)
+	if ct.Features[features.PortRanges].Enabled {
+		clientEgressToEchoExpressionDenyTest(ct, true)
+	}
+}
+
+func clientEgressToEchoExpressionDenyTest(ct *check.ConnectivityTest, portRanges bool) {
+	testName := "client-egress-to-echo-expression-deny"
+	policyYAML := clientEgressToEchoExpressionDenyPolicyYAML
+	if portRanges {
+		testName = "client-egress-to-echo-expression-deny-port-range"
+		policyYAML = clientEgressToEchoExpressionDenyPolicyPortRangeYAML
+	}
 	// This policy denies port 8080 from client to echo (using label match expression), but allows traffic from client2
-	newTest("client-egress-to-echo-expression-deny", ct).
+	newTest(testName, ct).
 		WithCiliumPolicy(allowAllEgressPolicyYAML).  // Allow all egress traffic
 		WithCiliumPolicy(allowAllIngressPolicyYAML). // Allow all ingress traffic
-		WithCiliumPolicy(clientEgressToEchoExpressionDenyPolicyYAML).
+		WithCiliumPolicy(policyYAML).
 		WithScenarios(
 			tests.PodToPod(tests.WithSourceLabelsOption(clientLabel)),  // Client to echo should be denied
 			tests.PodToPod(tests.WithSourceLabelsOption(client2Label)), // Client2 to echo should be allowed

connectivity/builder/client_egress_to_echo_service_account.go

@@ -8,17 +8,34 @@ import (
 
 	"github.com/cilium/cilium-cli/connectivity/check"
 	"github.com/cilium/cilium-cli/connectivity/tests"
+	"github.com/cilium/cilium-cli/utils/features"
 )
 
 //go:embed manifests/client-egress-to-echo-service-account.yaml
 var clientEgressToEchoServiceAccountPolicyYAML string
 
+//go:embed manifests/client-egress-to-echo-service-account-port-range.yaml
+var clientEgressToEchoServiceAccountPolicyPortRangeYAML string
+
 type clientEgressToEchoServiceAccount struct{}
 
 func (t clientEgressToEchoServiceAccount) build(ct *check.ConnectivityTest, _ map[string]string) {
+	clientEgressToEchoServiceAccountTest(ct, false)
+	if ct.Features[features.PortRanges].Enabled {
+		clientEgressToEchoServiceAccountTest(ct, true)
+	}
+}
+
+func clientEgressToEchoServiceAccountTest(ct *check.ConnectivityTest, portRanges bool) {
+	testName := "client-egress-to-echo-service-account"
+	policyYAML := clientEgressToEchoServiceAccountPolicyYAML
+	if portRanges {
+		testName = "client-egress-to-echo-service-account-port-range"
+		policyYAML = clientEgressToEchoServiceAccountPolicyPortRangeYAML
+	}
 	// This policy allows port 8080 from client to endpoint with service account label as echo-same-node
-	newTest("client-egress-to-echo-service-account", ct).
-		WithCiliumPolicy(clientEgressToEchoServiceAccountPolicyYAML).
+	newTest(testName, ct).
+		WithCiliumPolicy(policyYAML).
 		WithScenarios(
 			tests.PodToPod(tests.WithSourceLabelsOption(map[string]string{"kind": "client"})),
 		).