Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

connectivity: Add echo-ingress-l7-via-hostport-with-encryption testcase #2670

Merged
merged 2 commits into from
Jul 12, 2024
Merged

connectivity: Add echo-ingress-l7-via-hostport-with-encryption testcase #2670

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8a36a6d
connectivity/echo-ingress-l7: Make expectation a function
jschwinger233 Jul 11, 2024
b0afd71
connectivity: Add echo-ingress-l7-via-hostport-with-encryption
jschwinger233 Jul 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 34 additions & 16 deletions connectivity/builder/echo_ingress_l7.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,26 +16,44 @@ var echoIngressL7HTTPPolicyYAML string

type echoIngressL7 struct{}

func expectation(a *check.Action) (egress, ingress check.Result) {
if a.Source().HasLabel("other", "client") { // Only client2 is allowed to make HTTP calls.
// Trying to access private endpoint without "secret" header set
// should lead to a drop.
if a.Destination().Path() == "/private" && !a.Destination().HasLabel("X-Very-Secret-Token", "42") {
return check.ResultDropCurlHTTPError, check.ResultNone
}
egress = check.ResultOK
// Expect all curls from client2 to be proxied and to be GET calls.
egress.HTTP = check.HTTP{
Method: "GET",
}
return egress, check.ResultNone
}
return check.ResultDrop, check.ResultDefaultDenyIngressDrop
}

func (t echoIngressL7) build(ct *check.ConnectivityTest, _ map[string]string) {
// Test L7 HTTP introspection using an ingress policy on echo pods.
newTest("echo-ingress-l7", ct).
WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)).
WithCiliumPolicy(echoIngressL7HTTPPolicyYAML). // L7 allow policy with HTTP introspection
WithScenarios(tests.PodToPodWithEndpoints()).
WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
if a.Source().HasLabel("other", "client") { // Only client2 is allowed to make HTTP calls.
// Trying to access private endpoint without "secret" header set
// should lead to a drop.
if a.Destination().Path() == "/private" && !a.Destination().HasLabel("X-Very-Secret-Token", "42") {
return check.ResultDropCurlHTTPError, check.ResultNone
}
egress = check.ResultOK
// Expect all curls from client2 to be proxied and to be GET calls.
egress.HTTP = check.HTTP{
Method: "GET",
}
return egress, check.ResultNone
}
return check.ResultDrop, check.ResultDefaultDenyIngressDrop
})
WithExpectations(expectation)

newTest("echo-ingress-l7-via-hostport-with-encryption", ct).
WithCondition(func() bool { return !ct.Params().SingleNode }).
WithFeatureRequirements(
features.RequireEnabled(features.L7Proxy),
// Once https://github.com/cilium/cilium/issues/33168 is fixed, we
// can enable for IPsec too.
features.RequireMode(features.EncryptionPod, "wireguard"),
// Otherwise pod->hostport traffic will be policy
// denied on the ingress of dest node when
// routing=vxlan + kpr=1 + bpf_masq=1
features.RequireEnabled(features.EncryptionNode),
).
julianwiedmann marked this conversation as resolved.
Show resolved Hide resolved
WithCiliumPolicy(echoIngressL7HTTPPolicyYAML). // L7 allow policy with HTTP introspection
WithScenarios(tests.PodToHostPort()).
WithExpectations(expectation)
}
Loading