From c8e0131c58d2ee5d6f853a6f99663184906e90d9 Mon Sep 17 00:00:00 2001 From: Simone Magnani Date: Thu, 12 Sep 2024 13:33:30 +0200 Subject: [PATCH] ipsec: add `UnsetTestIPSecKey` API for testing purpose This commit introduces the `UnsetTestIPSecKey` API for testing purpose only. This function is used to reset the current state of IPSec global variables during testing. In particular, it helps to prevent loading two IPSec keys with the same SPI in `node_linux_test`, which would cause the tests to fail after the previous commit. With this function, it is easy to reset the internal state of the IPSec-related variables either while executing a test or when tearing down a test suite. This function is also used in the local `ipsec_linux_test.go`, to expect a coherent behavior while tearing down a test suite. Signed-off-by: Simone Magnani
---
 pkg/datapath/linux/ipsec/ipsec_linux.go | 8 ++++++++
 pkg/datapath/linux/ipsec/ipsec_linux_test.go | 2 +-
 pkg/datapath/linux/node_linux_test.go | 4 ++++
 3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/pkg/datapath/linux/ipsec/ipsec_linux.go b/pkg/datapath/linux/ipsec/ipsec_linux.go
index 3f0947d496e79..d5959eff4adaa 100644
--- a/pkg/datapath/linux/ipsec/ipsec_linux.go
+++ b/pkg/datapath/linux/ipsec/ipsec_linux.go
@@ -1416,3 +1416,11 @@ func (skr staleKeyReclaimer) onTimer(ctx context.Context) error {
 return nil
 }
+
+// UnsetTestIPSecKey reinitialize the IPSec key-related variables.
+// This function is for testing purpose only and **must not** be used elsewhere.
+func UnsetTestIPSecKey() {
+ ipSecCurrentKeySPI = 0
+ ipSecKeysGlobal = make(map[string]*ipSecKey)
+ ipSecKeysRemovalTime = make(map[uint8]time.Time)
+}
diff --git a/pkg/datapath/linux/ipsec/ipsec_linux_test.go b/pkg/datapath/linux/ipsec/ipsec_linux_test.go
index 5b2b62860b99c..33ea4f341fd9f 100644
--- a/pkg/datapath/linux/ipsec/ipsec_linux_test.go
+++ b/pkg/datapath/linux/ipsec/ipsec_linux_test.go
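Review bot: `UnsetTestIPSecKey` in `ipsec_linux.go` is exported from a non-test file and reassigns `ipSecCurrentKeySPI`, `ipSecKeysGlobal` and `ipSecKeysRemovalTime` with no locking visible in the hunk, so only the doc comment stops agent code from discarding the node's loaded IPsec keys at runtime. If those package globals are guarded by a mutex elsewhere in the file (not shown here), the reset should hold it; otherwise a test that still has a goroutine or timer touching these maps would race with the replacement under `-race`. The function also clears in-memory state only and leaves kernel XFRM state alone, which the callers in this patch handle by calling `DeleteXFRM` separately. I would state both facts in the comment, e.g. `// It resets in-memory key state only and takes no lock; callers must also call DeleteXFRM and must not run it concurrently with key loading.`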
@@ -28,7 +28,7 @@ func setupIPSecSuitePrivileged(tb testing.TB) *slog.Logger {
 log := hivetest.Logger(tb)
 tb.Cleanup(func() {
- ipSecKeysGlobal = make(map[string]*ipSecKey)
+ UnsetTestIPSecKey()
 node.UnsetTestLocalNodeStore()
 err := DeleteXFRM(log, AllReqID)
 if err != nil {
diff --git a/pkg/datapath/linux/node_linux_test.go b/pkg/datapath/linux/node_linux_test.go
index 622035c95f820..fbe695474a737 100644
--- a/pkg/datapath/linux/node_linux_test.go
+++ b/pkg/datapath/linux/node_linux_test.go
@@ -201,6 +201,7 @@ func setupLinuxPrivilegedIPv4AndIPv6TestSuite(tb testing.TB) *linuxPrivilegedIPv
 }
 func tearDownTest(tb testing.TB) {
+ ipsec.UnsetTestIPSecKey()
 ipsec.DeleteXFRM(hivetest.Logger(tb), ipsec.AllReqID)
 node.UnsetTestLocalNodeStore()
 removeDevice(dummyHostDeviceName)
@@ -828,6 +829,9 @@ func TestNodeChurnXFRMLeaks(t *testing.T) {
 option.Config.EncryptInterface = []string{externalNodeDevice}
 option.Config.RoutingMode = option.RoutingModeNative
+ // Same test suite, remove previous IPSec key.
+ ipsec.UnsetTestIPSecKey()
+
 // Cover the XFRM configuration for subnet encryption: IPAM modes AKS and EKS.
 ipv4PodSubnets, err := cidr.ParseCIDR("4.4.0.0/16")
 require.NoError(t, err)
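Review bot: In `TestNodeChurnXFRMLeaks` the added `ipsec.UnsetTestIPSecKey()` clears only the package's in-memory key state, and the hunk shows no matching `ipsec.DeleteXFRM` at this point, so XFRM state left by the earlier part of the test may still be in the kernel when the subnet-encryption section starts. If the earlier section already asserts that nothing is left behind this is fine, but that code is outside the hunk and worth confirming, since this test exists to catch leaks. The comment would help more if it gave the reason from the commit message, e.g. `// The section above loaded a key with the same SPI; loading it again is rejected, so reset the in-memory key state first.` The function body starts before and continues after the hunk.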