diff --git a/.openshift-ci/e2e-runtime/Dockerfile b/.openshift-ci/e2e-runtime/Dockerfile
index 5900e4b402..5a788851a2 100644
--- a/.openshift-ci/e2e-runtime/Dockerfile
+++ b/.openshift-ci/e2e-runtime/Dockerfile
@@ -35,6 +35,11 @@ RUN curl -L --retry 10 --silent --show-error --fail -o "/usr/local/bin/ocm" \
 "https://github.com/openshift-online/ocm-cli/releases/download/v${OCM_VERSION}/ocm-linux-amd64" && \
 chmod +x /usr/local/bin/ocm
+RUN curl -L --retry 10 --silent --show-error --fail -o /usr/local/bin/helm \
+ "https://mirror.openshift.com/pub/openshift-v4/clients/helm/latest/helm-linux-amd64" && \
+ chmod +x /usr/local/bin/helm && \
+ helm version
+
 RUN mkdir /src $GOPATH
 WORKDIR /src
diff --git a/.openshift-ci/tests/e2e.sh b/.openshift-ci/tests/e2e.sh
index 0103ebff1d..99aee580a4 100755
--- a/.openshift-ci/tests/e2e.sh
+++ b/.openshift-ci/tests/e2e.sh
@@ -115,6 +115,10 @@ if [[ "$SPAWN_LOGGER" == "true" ]]; then
 fi
 FAIL=0
+if ! "${GITROOT}/.openshift-ci/tests/netpol-test.sh"; then
+ FAIL=1
+fi
+
 if ! "${GITROOT}/.openshift-ci/tests/e2e-test.sh"; then
 FAIL=1
 fi
diff --git a/.openshift-ci/tests/netpol-test.sh b/.openshift-ci/tests/netpol-test.sh
new file mode 100755
index 0000000000..a58cbccf9f
--- /dev/null
+++ b/.openshift-ci/tests/netpol-test.sh
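Review bot: The helm binary is fetched from the mirror's `latest/` directory with no version pin and no checksum, so the CI image's toolchain changes silently whenever the mirror is updated, unlike the `ocm` download just above which pins `${OCM_VERSION}`. Declare `ARG HELM_VERSION=<pinned helm version>` before the RUN and fetch `"https://mirror.openshift.com/pub/openshift-v4/clients/helm/${HELM_VERSION}/helm-linux-amd64"` (the mirror also publishes per-version directories, as far as I can tell), then verify before the chmod with `echo "<expected sha256>  /usr/local/bin/helm" | sha256sum -c -`. The trailing `helm version` is a useful smoke test but only proves the file executes, not that it is the intended artifact. The Dockerfile continues outside the hunk.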
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+GITROOT="$(git rev-parse --show-toplevel)"
+export GITROOT
+# shellcheck source=/dev/null
+source "${GITROOT}/dev/env/scripts/lib.sh"
+
+CENTRAL_NS="rhacs-fake-service"
+SCANNER_NS="rhacs-fake-client"
+
+helm install fake-central "${GITROOT}/test/network-policy/fake-service" --namespace "${CENTRAL_NS}" --create-namespace
+$KUBECTL -n "${CENTRAL_NS}" wait --for=condition=Available deployment/central
+
+helm install fake-scanner "${GITROOT}/test/network-policy/fake-client" --namespace "${SCANNER_NS}" --create-namespace
+$KUBECTL -n "${SCANNER_NS}" wait --for=condition=Available deployment/scanner
+
+helm install scanner-netpol "${GITROOT}/fleetshard/pkg/central/charts/data/tenant-resources" --namespace "${SCANNER_NS}" --set secureTenantNetwork=true
+$KUBECTL -n "${SCANNER_NS}" wait --for=condition=Available=false deployment/scanner
+
+helm uninstall scanner-netpol --namespace "${SCANNER_NS}"
+$KUBECTL -n "${SCANNER_NS}" wait --for=condition=Available deployment/scanner
+
+helm install central-netpol "${GITROOT}/fleetshard/pkg/central/charts/data/tenant-resources" --namespace "${CENTRAL_NS}" --set secureTenantNetwork=true
+$KUBECTL -n "${SCANNER_NS}" wait --for=condition=Available=false deployment/scanner
+
+$KUBECTL delete ns "${CENTRAL_NS}"
+$KUBECTL delete ns "${SCANNER_NS}"
diff --git a/test/network-policy/fake-client/Chart.yaml b/test/network-policy/fake-client/Chart.yaml
new file mode 100644
index 0000000000..162ff1e4a2
--- /dev/null
+++ b/test/network-policy/fake-client/Chart.yaml
@@ -0,0 +1,6 @@
+# Chart.yaml
+apiVersion: v2
+name: fake-client
+description: A Helm chart for deploying a configurable client deployment, for testing connectivity
+version: 0.1.0
+appVersion: "1.0"
diff --git a/test/network-policy/fake-client/templates/deployment.yaml b/test/network-policy/fake-client/templates/deployment.yaml
new file mode 100644
index 0000000000..334d1082f5
--- /dev/null
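Review bot: The two `delete ns` lines at the end never run when any `helm install` or `kubectl wait` fails, because `set -e` aborts the script first, so a failing run leaves the `rhacs-fake-service` and `rhacs-fake-client` namespaces, with the tenant-resources network policies still applied, in the cluster that `e2e-test.sh` is run against next (e2e.sh only records FAIL=1 and continues). Move the teardown into a cleanup function registered with `trap cleanup EXIT` so it runs on success and failure alike, and drop the two trailing delete lines. The `kubectl wait` calls rely on the default timeout; an explicit `--timeout` would turn a hang into a clearer failure, but that is optional.
```bash
CENTRAL_NS="rhacs-fake-service"
SCANNER_NS="rhacs-fake-client"

cleanup() {
    $KUBECTL delete ns "${CENTRAL_NS}" "${SCANNER_NS}" --ignore-not-found
}
trap cleanup EXIT

# … unchanged: helm install / kubectl wait sequence, minus the two trailing "delete ns" lines …
```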
+++ b/test/network-policy/fake-client/templates/deployment.yaml
@@ -0,0 +1,41 @@
+# templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Values.name }}
+ namespace: {{ .Release.namespace }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ .Values.name }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Values.name }}
+ spec:
+ containers:
+ - name: {{ .Values.name }}
+ image: curlimages/curl
+ command: ["sh", "-c"]
+ args: [
+ "while true; do \
+ response=$(curl --connect-timeout 10 -sf -w '%{http_code}' {{ .Values.service.host }}:{{ .Values.service.port }} -o /dev/null); \
+ status=$?; \
+ if [ $status -ne 0 ]; then \
+ echo \"Connection failed with error $status, retrying in 1 second...\"; \
+ rm -rf /tmp/ready; \
+ sleep 1; \
+ continue; \
+ fi; \
+ echo 'Connection successful'; \
+ touch /tmp/ready; \
+ sleep 1; \
+ done"
+ ]
+ readinessProbe:
+ exec:
+ command:
+ - cat
+ - /tmp/ready
+ periodSeconds: 1
diff --git a/test/network-policy/fake-client/values.yaml b/test/network-policy/fake-client/values.yaml
new file mode 100644
index 0000000000..0197bc186d
--- /dev/null
+++ b/test/network-policy/fake-client/values.yaml
@@ -0,0 +1,5 @@
+# values.yaml
+name: scanner
+service:
+ host: central-service.rhacs-fake-service.svc.cluster.local
+ port: 8443
diff --git a/test/network-policy/fake-service/Chart.yaml b/test/network-policy/fake-service/Chart.yaml
new file mode 100644
index 0000000000..c2ef3cb0e0
--- /dev/null
+++ b/test/network-policy/fake-service/Chart.yaml
@@ -0,0 +1,6 @@
+# Chart.yaml
+apiVersion: v2
+name: fake-service
+description: A Helm chart for deploying a fake service with nginx
+version: 0.1.0
+appVersion: "1.0"
diff --git a/test/network-policy/fake-service/templates/configmap.yaml b/test/network-policy/fake-service/templates/configmap.yaml
new file mode 100644
index 0000000000..bb21d26ab8
--- /dev/null
+++ b/test/network-policy/fake-service/templates/configmap.yaml
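Review bot: `namespace: {{ .Release.namespace }}` uses a lower-case key, while Helm's built-in is `.Release.Namespace`; as far as I can tell the misspelled key renders to nothing outside strict mode, so the object only lands in the right namespace because helm applies it with the release namespace, and `helm lint --strict` or `helm template` output would show the empty field. Change it to `namespace: {{ .Release.Namespace }}`; the same line appears in the fake-service configmap, deployment and service templates further down. `image: curlimages/curl` has no tag, so the probe image floats with upstream; pin a tag (or digest) so the test's behaviour is reproducible. The `response` variable captured from `-w '%{http_code}'` is never read, so the `-w`/`-o` pair and the assignment can go, leaving the `-sf` exit status as the only signal.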
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Values.name }}-nginx-config
+ namespace: {{ .Release.namespace }}
+data:
+ nginx.conf: '
+worker_processes auto;
+pid /tmp/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ default_type application/octet-stream;
+
+ server {
+ listen 8443;
+ server_name localhost;
+
+ location / {
+ return 200 "rhacs-fake-service reply";
+ }
+ }
+}
+'
diff --git a/test/network-policy/fake-service/templates/deployment.yaml b/test/network-policy/fake-service/templates/deployment.yaml
new file mode 100644
index 0000000000..ff1060df78
--- /dev/null
+++ b/test/network-policy/fake-service/templates/deployment.yaml
@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Values.name }}
+ namespace: {{ .Release.namespace }}
+ labels:
+ app: {{ .Values.name }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ .Values.name }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Values.name }}
+ spec:
+ containers:
+ - image: nginx:latest
+ name: nginx
+ ports:
+ - containerPort: {{ .Values.port }}
+ name: web
+ volumeMounts:
+ - name: config-vol
+ mountPath: /etc/nginx/
+ - name: cache-volume
+ mountPath: /var/cache/nginx
+ volumes:
+ - name: config-vol
+ configMap:
+ name: {{ .Values.name }}-nginx-config
+ items:
+ - key: nginx.conf
+ path: nginx.conf
+ - name: cache-volume
+ emptyDir: {}
diff --git a/test/network-policy/fake-service/templates/service.yaml b/test/network-policy/fake-service/templates/service.yaml
new file mode 100644
index 0000000000..f224a053e8
--- /dev/null
+++ b/test/network-policy/fake-service/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.name }}-service
+ namespace: {{ .Release.namespace }}
+ labels:
+ app: {{ .Values.name }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: {{ .Values.port }}
+ targetPort: {{ .Values.port }}
+ protocol: TCP
+ selector:
+ app: {{ .Values.name }}
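Review bot: `nginx.conf: '` starts a multi-line single-quoted YAML scalar, in which single newlines fold into spaces, so the rendered file is not the config as written; nginx tolerates it only because every directive ends in `;` or a brace. Use a literal block scalar, `nginx.conf: |`, with the config indented beneath it, which keeps the layout and also removes the risk of a stray `'` in the config breaking the template. `listen 8443;` hard-codes the port that values.yaml, the Deployment's `containerPort` and the Service all take from `.Values.port`; `listen {{ .Values.port }};` keeps the four in step.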
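Review bot: `image: nginx:latest` is an unpinned tag, so the fake service changes with every upstream nginx release and a test failure may be unrelated to this repo; pin a specific tag or digest, e.g. `image: nginx:<pinned tag>`. Mounting the ConfigMap at `mountPath: /etc/nginx/` replaces the image's entire config directory (mime.types, conf.d), which only works because the config sets `default_type`; mounting the single file with `mountPath: /etc/nginx/nginx.conf` and `subPath: nginx.conf` expresses the intent more directly. The container carries no `resources` and no `securityContext`; if the cluster's admission policy requires them this pod will be rejected, so it is worth confirming against the CI cluster.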
diff --git a/test/network-policy/fake-service/values.yaml b/test/network-policy/fake-service/values.yaml
new file mode 100644
index 0000000000..650c5bfa8f
--- /dev/null
+++ b/test/network-policy/fake-service/values.yaml
@@ -0,0 +1,5 @@
+# values.yaml
+name: central
+labels:
+ app: central
+port: 8443