[ExternalNode] Add ANP e2e tests for ExternalNode (#4053)

Signed-off-by: wenyingd <wenyingd@vmware.com>
antrea-io · Aug 12, 2022 · e73b3c3 · e73b3c3
1 parent 0a43658
commit e73b3c3
Show file tree

Hide file tree

Showing 6 changed files with 544 additions and 120 deletions.
diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go
diff --git a/test/e2e/flowaggregator_test.go b/test/e2e/flowaggregator_test.go
@@ -1167,8 +1167,8 @@ func deployAntreaNetworkPolicies(t *testing.T, data *TestData, srcPod, dstPod st
 	builder1 = builder1.SetName(data.testNamespace, ingressAntreaNetworkPolicyName).
 		SetPriority(2.0).
 		SetAppliedToGroup([]utils.ANPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": dstPod}}})
-	builder1 = builder1.AddIngress(utils.ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": srcPod}, map[string]string{},
-		nil, nil, nil, secv1alpha1.RuleActionAllow, "", testIngressRuleName)
+	builder1 = builder1.AddIngress(utils.ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": srcPod}, map[string]string{}, nil,
+		nil, nil, nil, nil, secv1alpha1.RuleActionAllow, "", testIngressRuleName)
 	anp1 = builder1.Get()
 	anp1, err1 := k8sUtils.CreateOrUpdateANP(anp1)
 	if err1 != nil {
@@ -1180,8 +1180,8 @@ func deployAntreaNetworkPolicies(t *testing.T, data *TestData, srcPod, dstPod st
 	builder2 = builder2.SetName(data.testNamespace, egressAntreaNetworkPolicyName).
 		SetPriority(2.0).
 		SetAppliedToGroup([]utils.ANPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": srcPod}}})
-	builder2 = builder2.AddEgress(utils.ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": dstPod}, map[string]string{},
-		nil, nil, nil, secv1alpha1.RuleActionAllow, "", testEgressRuleName)
+	builder2 = builder2.AddEgress(utils.ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": dstPod}, map[string]string{}, nil,
+		nil, nil, nil, nil, secv1alpha1.RuleActionAllow, "", testEgressRuleName)
 	anp2 = builder2.Get()
 	anp2, err2 := k8sUtils.CreateOrUpdateANP(anp2)
 	if err2 != nil {
@@ -1211,13 +1211,13 @@ func deployDenyAntreaNetworkPolicies(t *testing.T, data *TestData, srcPod, podRe
 		builder1 = builder1.SetName(data.testNamespace, ingressRejectANPName).
 			SetPriority(2.0).
 			SetAppliedToGroup([]utils.ANPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": podReject}}})
-		builder1 = builder1.AddIngress(utils.ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": srcPod}, map[string]string{},
-			nil, nil, nil, secv1alpha1.RuleActionReject, "", testIngressRuleName)
+		builder1 = builder1.AddIngress(utils.ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": srcPod}, map[string]string{}, nil,
+			nil, nil, nil, nil, secv1alpha1.RuleActionReject, "", testIngressRuleName)
 		builder2 = builder2.SetName(data.testNamespace, ingressDropANPName).
 			SetPriority(2.0).
 			SetAppliedToGroup([]utils.ANPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": podDrop}}})
-		builder2 = builder2.AddIngress(utils.ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": srcPod}, map[string]string{},
-			nil, nil, nil, secv1alpha1.RuleActionDrop, "", testIngressRuleName)
+		builder2 = builder2.AddIngress(utils.ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": srcPod}, map[string]string{}, nil,
+			nil, nil, nil, nil, secv1alpha1.RuleActionDrop, "", testIngressRuleName)
 		table = openflow.AntreaPolicyIngressRuleTable
 		flowCount = antreaIngressTableInitFlowCount + 2
 		nodeName = dstNode
@@ -1226,13 +1226,13 @@ func deployDenyAntreaNetworkPolicies(t *testing.T, data *TestData, srcPod, podRe
 		builder1 = builder1.SetName(data.testNamespace, egressRejectANPName).
 			SetPriority(2.0).
 			SetAppliedToGroup([]utils.ANPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": srcPod}}})
-		builder1 = builder1.AddEgress(utils.ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": podReject}, map[string]string{},
-			nil, nil, nil, secv1alpha1.RuleActionReject, "", testEgressRuleName)
+		builder1 = builder1.AddEgress(utils.ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": podReject}, map[string]string{}, nil,
+			nil, nil, nil, nil, secv1alpha1.RuleActionReject, "", testEgressRuleName)
 		builder2 = builder2.SetName(data.testNamespace, egressDropANPName).
 			SetPriority(2.0).
 			SetAppliedToGroup([]utils.ANPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": srcPod}}})
-		builder2 = builder2.AddEgress(utils.ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": podDrop}, map[string]string{},
-			nil, nil, nil, secv1alpha1.RuleActionDrop, "", testEgressRuleName)
+		builder2 = builder2.AddEgress(utils.ProtocolTCP, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"antrea-e2e": podDrop}, map[string]string{}, nil,
+			nil, nil, nil, nil, secv1alpha1.RuleActionDrop, "", testEgressRuleName)
 		table = openflow.AntreaPolicyEgressRuleTable
 		flowCount = antreaEgressTableInitFlowCount + 2
 		nodeName = srcNode

diff --git a/test/e2e/framework.go b/test/e2e/framework.go
@@ -1972,25 +1972,17 @@ func parseArpingStdout(out string) (sent uint32, received uint32, loss float32,
 }
 
 func (data *TestData) runPingCommandFromTestPod(podInfo podInfo, ns string, targetPodIPs *PodIPs, ctrName string, count int, size int) error {
-	countOption, sizeOption := "-c", "-s"
-	if podInfo.os == "windows" {
-		countOption = "-n"
-		sizeOption = "-l"
-	} else if podInfo.os != "linux" {
+	if podInfo.os != "windows" && podInfo.os != "linux" {
 		return fmt.Errorf("OS of Pod '%s' is not clear", podInfo.name)
 	}
-	cmd := []string{"ping", countOption, strconv.Itoa(count)}
-	if size != 0 {
-		cmd = append(cmd, sizeOption, strconv.Itoa(size))
-	}
 	if targetPodIPs.ipv4 != nil {
-		cmdV4 := append(cmd, "-4", targetPodIPs.ipv4.String())
+		cmdV4 := getPingCommand(count, size, podInfo.os, targetPodIPs.ipv4)
 		if stdout, stderr, err := data.RunCommandFromPod(ns, podInfo.name, ctrName, cmdV4); err != nil {
 			return fmt.Errorf("error when running ping command '%s': %v - stdout: %s - stderr: %s", strings.Join(cmdV4, " "), err, stdout, stderr)
 		}
 	}
 	if targetPodIPs.ipv6 != nil {
-		cmdV6 := append(cmd, "-6", targetPodIPs.ipv6.String())
+		cmdV6 := getPingCommand(count, size, podInfo.os, targetPodIPs.ipv6)
 		if stdout, stderr, err := data.RunCommandFromPod(ns, podInfo.name, ctrName, cmdV6); err != nil {
 			return fmt.Errorf("error when running ping command '%s': %v - stdout: %s - stderr: %s", strings.Join(cmdV6, " "), err, stdout, stderr)
 		}
@@ -2753,3 +2745,21 @@ func (data *TestData) checkAntreaAgentInfo(interval time.Duration, timeout time.
 	})
 	return err
 }
+
+func getPingCommand(count int, size int, os string, ip *net.IP) []string {
+	countOption, sizeOption := "-c", "-s"
+	if os == "windows" {
+		countOption = "-n"
+		sizeOption = "-l"
+	}
+	cmd := []string{"ping", countOption, strconv.Itoa(count)}
+	if size != 0 {
+		cmd = append(cmd, sizeOption, strconv.Itoa(size))
+	}
+	if ip.To4() != nil {
+		cmd = append(cmd, "-4", ip.String())
+	} else {
+		cmd = append(cmd, "-6", ip.String())
+	}
+	return cmd
+}
diff --git a/test/e2e/utils/anp_spec_builder.go b/test/e2e/utils/anp_spec_builder.go
@@ -27,9 +27,11 @@ type AntreaNetworkPolicySpecBuilder struct {
 }
 
 type ANPAppliedToSpec struct {
-	PodSelector         map[string]string
-	PodSelectorMatchExp []metav1.LabelSelectorRequirement
-	Group               string
+	ExternalEntitySelector         map[string]string
+	ExternalEntitySelectorMatchExp []metav1.LabelSelectorRequirement
+	PodSelector                    map[string]string
+	PodSelectorMatchExp            []metav1.LabelSelectorRequirement
+	Group                          string
 }
 
 func (b *AntreaNetworkPolicySpecBuilder) Get() *crdv1alpha1.NetworkPolicy {
@@ -66,23 +68,33 @@ func (b *AntreaNetworkPolicySpecBuilder) SetTier(tier string) *AntreaNetworkPoli
 
 func (b *AntreaNetworkPolicySpecBuilder) SetAppliedToGroup(specs []ANPAppliedToSpec) *AntreaNetworkPolicySpecBuilder {
 	for _, spec := range specs {
-		appliedToPeer := b.GetAppliedToPeer(spec.PodSelector, spec.PodSelectorMatchExp, spec.Group)
+		appliedToPeer := b.GetAppliedToPeer(spec.PodSelector, spec.PodSelectorMatchExp, spec.ExternalEntitySelector, spec.ExternalEntitySelectorMatchExp, spec.Group)
 		b.Spec.AppliedTo = append(b.Spec.AppliedTo, appliedToPeer)
 	}
 	return b
 }
 
 func (b *AntreaNetworkPolicySpecBuilder) GetAppliedToPeer(podSelector map[string]string,
-	podSelectorMatchExp []metav1.LabelSelectorRequirement, appliedToGrp string) crdv1alpha1.NetworkPolicyPeer {
-	var ps *metav1.LabelSelector
+	podSelectorMatchExp []metav1.LabelSelectorRequirement,
+	entitySelector map[string]string,
+	entitySelectorMatchExp []metav1.LabelSelectorRequirement,
+	appliedToGrp string) crdv1alpha1.NetworkPolicyPeer {
+	var ps, ees *metav1.LabelSelector
+	if len(entitySelector) > 0 || len(entitySelectorMatchExp) > 0 {
+		ees = &metav1.LabelSelector{
+			MatchLabels:      entitySelector,
+			MatchExpressions: entitySelectorMatchExp,
+		}
+	}
 	if len(podSelector) > 0 || len(podSelectorMatchExp) > 0 {
 		ps = &metav1.LabelSelector{
 			MatchLabels:      podSelector,
 			MatchExpressions: podSelectorMatchExp,
 		}
 	}
 	peer := crdv1alpha1.NetworkPolicyPeer{
-		PodSelector: ps,
+		PodSelector:            ps,
+		ExternalEntitySelector: ees,
 	}
 	if appliedToGrp != "" {
 		peer.Group = appliedToGrp
@@ -92,11 +104,10 @@ func (b *AntreaNetworkPolicySpecBuilder) GetAppliedToPeer(podSelector map[string
 
 func (b *AntreaNetworkPolicySpecBuilder) AddIngress(protoc AntreaPolicyProtocol,
 	port *int32, portName *string, endPort, icmpType, icmpCode, igmpType *int32,
-	groupAddress, cidr *string, podSelector map[string]string, nsSelector map[string]string,
-	podSelectorMatchExp []metav1.LabelSelectorRequirement, nsSelectorMatchExp []metav1.LabelSelectorRequirement,
+	groupAddress, cidr *string, podSelector map[string]string, nsSelector map[string]string, eeSelector map[string]string,
+	podSelectorMatchExp []metav1.LabelSelectorRequirement, nsSelectorMatchExp []metav1.LabelSelectorRequirement, eeSelectorMatchExp []metav1.LabelSelectorRequirement,
 	ruleAppliedToSpecs []ANPAppliedToSpec, action crdv1alpha1.RuleAction, ruleGroup, name string) *AntreaNetworkPolicySpecBuilder {
-
-	var ps, ns *metav1.LabelSelector
+	var ps, ns, ees *metav1.LabelSelector
 	var appliedTos []crdv1alpha1.NetworkPolicyPeer
 	if b.Spec.Ingress == nil {
 		b.Spec.Ingress = []crdv1alpha1.Rule{}
@@ -114,23 +125,30 @@ func (b *AntreaNetworkPolicySpecBuilder) AddIngress(protoc AntreaPolicyProtocol,
 			MatchExpressions: nsSelectorMatchExp,
 		}
 	}
+	if len(eeSelector) > 0 || len(eeSelectorMatchExp) > 0 {
+		ees = &metav1.LabelSelector{
+			MatchLabels:      eeSelector,
+			MatchExpressions: eeSelectorMatchExp,
+		}
+	}
 	var ipBlock *crdv1alpha1.IPBlock
 	if cidr != nil {
 		ipBlock = &crdv1alpha1.IPBlock{
 			CIDR: *cidr,
 		}
 	}
 	for _, at := range ruleAppliedToSpecs {
-		appliedTos = append(appliedTos, b.GetAppliedToPeer(at.PodSelector, at.PodSelectorMatchExp, at.Group))
+		appliedTos = append(appliedTos, b.GetAppliedToPeer(at.PodSelector, at.PodSelectorMatchExp, at.ExternalEntitySelector, at.ExternalEntitySelectorMatchExp, at.Group))
 	}
 	// An empty From/To in ANP rules evaluates to match all addresses.
 	policyPeer := make([]crdv1alpha1.NetworkPolicyPeer, 0)
-	if ps != nil || ns != nil || ipBlock != nil || ruleGroup != "" {
+	if ps != nil || ns != nil || ipBlock != nil || ruleGroup != "" || ees != nil {
 		policyPeer = []crdv1alpha1.NetworkPolicyPeer{{
-			PodSelector:       ps,
-			NamespaceSelector: ns,
-			IPBlock:           ipBlock,
-			Group:             ruleGroup,
+			PodSelector:            ps,
+			NamespaceSelector:      ns,
+			ExternalEntitySelector: ees,
+			IPBlock:                ipBlock,
+			Group:                  ruleGroup,
 		}}
 	}
 	ports, protocols := GenPortsOrProtocols(protoc, port, portName, endPort, icmpType, icmpCode, igmpType, groupAddress)
@@ -148,15 +166,15 @@ func (b *AntreaNetworkPolicySpecBuilder) AddIngress(protoc AntreaPolicyProtocol,
 
 func (b *AntreaNetworkPolicySpecBuilder) AddEgress(protoc AntreaPolicyProtocol,
 	port *int32, portName *string, endPort, icmpType, icmpCode, igmpType *int32,
-	groupAddress, cidr *string, podSelector map[string]string, nsSelector map[string]string,
-	podSelectorMatchExp []metav1.LabelSelectorRequirement, nsSelectorMatchExp []metav1.LabelSelectorRequirement,
+	groupAddress, cidr *string, podSelector map[string]string, nsSelector map[string]string, eeSelector map[string]string,
+	podSelectorMatchExp []metav1.LabelSelectorRequirement, nsSelectorMatchExp []metav1.LabelSelectorRequirement, eeSelectorMatchExp []metav1.LabelSelectorRequirement,
 	ruleAppliedToSpecs []ANPAppliedToSpec, action crdv1alpha1.RuleAction, ruleGroup, name string) *AntreaNetworkPolicySpecBuilder {
 
 	// For simplicity, we just reuse the Ingress code here.  The underlying data model for ingress/egress is identical
 	// With the exception of calling the rule `To` vs. `From`.
 	c := &AntreaNetworkPolicySpecBuilder{}
-	c.AddIngress(protoc, port, portName, endPort, icmpType, icmpCode, igmpType, groupAddress, cidr, podSelector, nsSelector,
-		podSelectorMatchExp, nsSelectorMatchExp, ruleAppliedToSpecs, action, ruleGroup, name)
+	c.AddIngress(protoc, port, portName, endPort, icmpType, icmpCode, igmpType, groupAddress, cidr, podSelector, nsSelector, eeSelector,
+		podSelectorMatchExp, nsSelectorMatchExp, eeSelectorMatchExp, ruleAppliedToSpecs, action, ruleGroup, name)
 	theRule := c.Get().Spec.Ingress[0]
 
 	b.Spec.Egress = append(b.Spec.Egress, crdv1alpha1.Rule{
@@ -173,7 +191,7 @@ func (b *AntreaNetworkPolicySpecBuilder) AddToServicesRule(svcRefs []crdv1alpha1
 	name string, ruleAppliedToSpecs []ANPAppliedToSpec, action crdv1alpha1.RuleAction) *AntreaNetworkPolicySpecBuilder {
 	var appliedTos []crdv1alpha1.NetworkPolicyPeer
 	for _, at := range ruleAppliedToSpecs {
-		appliedTos = append(appliedTos, b.GetAppliedToPeer(at.PodSelector, at.PodSelectorMatchExp, at.Group))
+		appliedTos = append(appliedTos, b.GetAppliedToPeer(at.PodSelector, at.PodSelectorMatchExp, at.ExternalEntitySelector, at.ExternalEntitySelectorMatchExp, at.Group))
 	}
 	newRule := crdv1alpha1.Rule{
 		To:         make([]crdv1alpha1.NetworkPolicyPeer, 0),

diff --git a/test/e2e/utils/externalnode_spec_builder.go b/test/e2e/utils/externalnode_spec_builder.go
@@ -21,31 +21,43 @@ import (
 )
 
 type ExternalNodeSpecBuilder struct {
-	Spec      crdv1alpha1.ExternalNodeSpec
-	Name      string
-	Namespace string
+	spec      crdv1alpha1.ExternalNodeSpec
+	name      string
+	namespace string
+	labels    map[string]string
 }
 
 func (t *ExternalNodeSpecBuilder) SetName(namespace string, name string) *ExternalNodeSpecBuilder {
-	t.Namespace = namespace
-	t.Name = name
+	t.namespace = namespace
+	t.name = name
 	return t
 }
 
 func (t *ExternalNodeSpecBuilder) AddInterface(name string, ips []string) *ExternalNodeSpecBuilder {
-	t.Spec.Interfaces = append(t.Spec.Interfaces, crdv1alpha1.NetworkInterface{
+	t.spec.Interfaces = append(t.spec.Interfaces, crdv1alpha1.NetworkInterface{
 		Name: name,
 		IPs:  ips,
 	})
 	return t
 }
 
+func (t *ExternalNodeSpecBuilder) AddLabels(labels map[string]string) *ExternalNodeSpecBuilder {
+	if t.labels == nil {
+		t.labels = make(map[string]string)
+	}
+	for k, v := range labels {
+		t.labels[k] = v
+	}
+	return t
+}
+
 func (t *ExternalNodeSpecBuilder) Get() *crdv1alpha1.ExternalNode {
 	return &crdv1alpha1.ExternalNode{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      t.Name,
-			Namespace: t.Namespace,
+			Name:      t.name,
+			Namespace: t.namespace,
+			Labels:    t.labels,
 		},
-		Spec: t.Spec,
+		Spec: t.spec,
 	}
 }