

Cilium reconciler to use provider namespace in generating network pol…
…icy (#7746)

* Cilium reconciler to use provider namespace in generating network policy (#7705)

* Unskip cilium policy enforcement tests (#7714)
vignesh-goutham authored Feb 29, 2024
1 parent c3e1baa commit b18f385
Showing 4 changed files with 44 additions and 26 deletions.
37 changes: 29 additions & 8 deletions controllers/factory.go
Expand Up @@ -250,7 +250,7 @@ func (f *Factory) WithNutanixDatacenterReconciler() *Factory {
// withNutanixClusterReconciler adds the NutanixClusterReconciler to the controller factory.
func (f *Factory) withNutanixClusterReconciler() *Factory {
f.dependencyFactory.WithNutanixDefaulter().WithNutanixValidator()
f.withTracker().withCNIReconciler().withIPValidator()
f.withTracker().withCNIReconciler(f.getProviderNamespace(constants.NutanixProviderName)).withIPValidator()
f.buildSteps = append(f.buildSteps, func(ctx context.Context) error {
if f.nutanixClusterReconciler != nil {
return nil
Expand Down Expand Up @@ -345,7 +345,7 @@ func (f *Factory) WithProviderClusterReconcilerRegistry(capiProviders []clusterc
}

func (f *Factory) withDockerClusterReconciler() *Factory {
f.withCNIReconciler().withTracker()
f.withCNIReconciler(f.getProviderNamespace(constants.DockerProviderName)).withTracker()
f.buildSteps = append(f.buildSteps, func(ctx context.Context) error {
if f.dockerClusterReconciler != nil {
return nil
Expand All @@ -366,7 +366,7 @@ func (f *Factory) withDockerClusterReconciler() *Factory {

func (f *Factory) withVSphereClusterReconciler() *Factory {
f.dependencyFactory.WithVSphereDefaulter().WithVSphereValidator()
f.withTracker().withCNIReconciler().withIPValidator()
f.withTracker().withCNIReconciler(f.getProviderNamespace(constants.VSphereProviderName)).withIPValidator()
f.buildSteps = append(f.buildSteps, func(ctx context.Context) error {
if f.vsphereClusterReconciler != nil {
return nil
Expand All @@ -389,7 +389,7 @@ func (f *Factory) withVSphereClusterReconciler() *Factory {
}

func (f *Factory) withSnowClusterReconciler() *Factory {
f.withCNIReconciler().withTracker().withIPValidator()
f.withCNIReconciler(f.getProviderNamespace(constants.SnowProviderName)).withTracker().withIPValidator()

f.buildSteps = append(f.buildSteps, func(ctx context.Context) error {
if f.snowClusterReconciler != nil {
Expand All @@ -411,7 +411,7 @@ func (f *Factory) withSnowClusterReconciler() *Factory {
}

func (f *Factory) withTinkerbellClusterReconciler() *Factory {
f.withCNIReconciler().withTracker().withIPValidator()
f.withCNIReconciler(f.getProviderNamespace(constants.TinkerbellProviderName)).withTracker().withIPValidator()

f.buildSteps = append(f.buildSteps, func(ctx context.Context) error {
if f.tinkerbellClusterReconciler != nil {
Expand All @@ -433,7 +433,7 @@ func (f *Factory) withTinkerbellClusterReconciler() *Factory {
}

func (f *Factory) withCloudStackClusterReconciler() *Factory {
f.withCNIReconciler().withTracker().withIPValidator().withCloudStackValidatorRegistry()
f.withCNIReconciler(f.getProviderNamespace(constants.CloudStackProviderName)).withTracker().withIPValidator().withCloudStackValidatorRegistry()

f.buildSteps = append(f.buildSteps, func(ctx context.Context) error {
if f.cloudstackClusterReconciler != nil {
Expand Down Expand Up @@ -504,15 +504,15 @@ func (f *Factory) withCiliumTemplater() *Factory {
return f
}

func (f *Factory) withCNIReconciler() *Factory {
func (f *Factory) withCNIReconciler(providerNamespace string) *Factory {
f.withCiliumTemplater()

f.buildSteps = append(f.buildSteps, func(ctx context.Context) error {
if f.cniReconciler != nil {
return nil
}

f.cniReconciler = cnireconciler.New(ciliumreconciler.New(f.ciliumTemplater))
f.cniReconciler = cnireconciler.New(ciliumreconciler.New(f.ciliumTemplater, []string{providerNamespace}))

return nil
})
Expand Down Expand Up @@ -681,3 +681,24 @@ func (f *Factory) WithNodeUpgradeReconciler() *Factory {

return f
}

func (f *Factory) getProviderNamespace(providerName string) string {
var providerNamespace string
switch providerName {
case snowProviderName:
providerNamespace = constants.CapasSystemNamespace
case vSphereProviderName:
providerNamespace = constants.CapvSystemNamespace
case tinkerbellProviderName:
providerNamespace = constants.CaptSystemNamespace
case cloudstackProviderName:
providerNamespace = constants.CapcSystemNamespace
case nutanixProviderName:
providerNamespace = constants.CapxSystemNamespace
case dockerProviderName:
providerNamespace = constants.CapdSystemNamespace
default:
f.logger.Info("Found unknown CAPI provider, ignoring", "providerName", providerName)
}
return providerNamespace
}
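Review bot: `getProviderNamespace` returns the empty string for an unknown provider after only logging, and every caller wraps the result as `[]string{providerNamespace}`, so an unrecognised provider hands `[]string{""}` to `cilium.WithPolicyAllowedNamespaces` and an empty namespace becomes an input to the generated network policy; whether the templater tolerates that is not visible here, but a policy input should fail closed rather than be "ignored", so have the default branch return an error (or `("", false)`) and skip the option when nothing resolved. The switch compares against unqualified `snowProviderName` etc. while the callers pass `constants.SnowProviderName`; presumably these alias the same values, but a unit test pinning each case is worth adding since a mismatch would silently route every provider to the default. Note also that `withCNIReconciler` short-circuits once `f.cniReconciler` is set, so if more than one provider reconciler is registered in the same factory only the first provider's namespace reaches the policy even though the reconciler accepts a list; accumulating on the factory, `f.providerNamespaces = append(f.providerNamespaces, providerNamespace)`, and passing that slice inside the build step would cover all registered providers.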
12 changes: 8 additions & 4 deletions pkg/networking/cilium/reconciler/reconciler.go
Expand Up @@ -42,12 +42,15 @@ type Templater interface {

// Reconciler allows to reconcile a Cilium CNI.
type Reconciler struct {
templater Templater
templater Templater
providerNamespaces []string
}

func New(templater Templater) *Reconciler {
// New creates a new cilium reconciler object with a templater and providerNamespaces to generate manifests.
func New(templater Templater, providerNamespaces []string) *Reconciler {
return &Reconciler{
templater: templater,
templater: templater,
providerNamespaces: providerNamespaces,
}
}

Expand Down Expand Up @@ -205,6 +208,7 @@ func (r *Reconciler) upgrade(ctx context.Context, logger logr.Logger, client cli

upgradeManifest, err := r.templater.GenerateManifest(ctx, spec,
cilium.WithUpgradeFromVersion(*previousCiliumVersion),
cilium.WithPolicyAllowedNamespaces(r.providerNamespaces),
)
if err != nil {
return controller.Result{}, err
Expand Down Expand Up @@ -238,7 +242,7 @@ func (r *Reconciler) updateConfig(ctx context.Context, client client.Client, spe
}

func (r *Reconciler) applyFullManifest(ctx context.Context, client client.Client, spec *cluster.Spec) error {
upgradeManifest, err := r.templater.GenerateManifest(ctx, spec)
upgradeManifest, err := r.templater.GenerateManifest(ctx, spec, cilium.WithPolicyAllowedNamespaces(r.providerNamespaces))
if err != nil {
return err
}
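Review bot: `New` stores `providerNamespaces` as-is, so an empty string from the caller (the factory in this commit can produce `[]string{""}` for an unknown provider) is forwarded verbatim into `cilium.WithPolicyAllowedNamespaces` on both the install (`applyFullManifest`) and upgrade paths, and because this list decides which namespaces the Cilium policy permits, the reconciler should not trust it blindly. Copy the slice and drop empty entries in `New`, e.g. `nss := slices.DeleteFunc(slices.Clone(providerNamespaces), func(s string) bool { return s == "" })` (Go 1.21+; otherwise a short loop), which also prevents a caller mutating the slice after construction from changing the policy. The new field deserves a comment: `// providerNamespaces are passed to cilium.WithPolicyAllowedNamespaces when generating install and upgrade manifests.`. How the templater treats a nil or empty list is not visible in this hunk; `upgrade` begins above it.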
16 changes: 7 additions & 9 deletions pkg/networking/cilium/reconciler/reconciler_test.go
Expand Up @@ -33,12 +33,14 @@ import (
"github.com/aws/eks-anywhere/pkg/utils/ptr"
)

var providerNamespaces = []string{"test-system"}

func TestReconcilerReconcileInstall(t *testing.T) {
tt := newReconcileTest(t)
ds := ciliumDaemonSet()
operator := ciliumOperator()
manifest := buildManifest(tt.WithT, ds, operator)
tt.templater.EXPECT().GenerateManifest(tt.ctx, tt.spec).Return(manifest, nil)
tt.templater.EXPECT().GenerateManifest(tt.ctx, tt.spec, gomock.Not(gomock.Nil())).Return(manifest, nil)

tt.Expect(
tt.reconciler.Reconcile(tt.ctx, test.NewNullLogger(), tt.client, tt.spec),
Expand All @@ -51,7 +53,7 @@ func TestReconcilerReconcileInstall(t *testing.T) {

func TestReconcilerReconcileInstallErrorGeneratingManifest(t *testing.T) {
tt := newReconcileTest(t)
tt.templater.EXPECT().GenerateManifest(tt.ctx, tt.spec).Return(nil, errors.New("generating manifest"))
tt.templater.EXPECT().GenerateManifest(tt.ctx, tt.spec, gomock.Not(gomock.Nil())).Return(nil, errors.New("generating manifest"))

result, err := tt.reconciler.Reconcile(tt.ctx, test.NewNullLogger(), tt.client, tt.spec)
tt.Expect(result).To(Equal(controller.Result{}))
Expand All @@ -60,7 +62,7 @@ func TestReconcilerReconcileInstallErrorGeneratingManifest(t *testing.T) {

func TestReconcilerReconcileErrorYamlReconcile(t *testing.T) {
tt := newReconcileTest(t)
tt.templater.EXPECT().GenerateManifest(tt.ctx, tt.spec).Return([]byte("invalid yaml"), nil)
tt.templater.EXPECT().GenerateManifest(tt.ctx, tt.spec, gomock.Not(gomock.Nil())).Return([]byte("invalid yaml"), nil)

result, err := tt.reconciler.Reconcile(tt.ctx, test.NewNullLogger(), tt.client, tt.spec)
tt.Expect(result).To(Equal(controller.Result{}))
Expand All @@ -72,7 +74,6 @@ func TestReconcilerReconcileAlreadyUpToDate(t *testing.T) {
operator := ciliumOperator()
cm := ciliumConfigMap()
tt := newReconcileTest(t).withObjects(ds, operator, cm)

tt.Expect(tt.reconciler.Reconcile(tt.ctx, test.NewNullLogger(), tt.client, tt.spec)).To(
Equal(controller.Result{}),
)
Expand All @@ -95,7 +96,6 @@ func TestReconcilerReconcileAlreadyInDesiredVersionWithPreflight(t *testing.T) {
tt.templater.EXPECT().GenerateUpgradePreflightManifest(tt.ctx, tt.spec).Return(preflightManifest, nil)

tt.withObjects(ds, operator, preflightDS, preflightDeployment, cm)

tt.Expect(tt.reconciler.Reconcile(tt.ctx, test.NewNullLogger(), tt.client, tt.spec)).To(
Equal(controller.Result{}),
)
Expand All @@ -119,7 +119,6 @@ func TestReconcilerReconcileAlreadyInDesiredVersionWithPreflightErrorFromTemplat
tt.templater.EXPECT().GenerateUpgradePreflightManifest(tt.ctx, tt.spec).Return(nil, errors.New("generating preflight"))

tt.withObjects(ds, operator, cm, preflightDS, preflightDeployment)

result, err := tt.reconciler.Reconcile(tt.ctx, test.NewNullLogger(), tt.client, tt.spec)
tt.Expect(result).To(Equal(controller.Result{}))
tt.Expect(err).To(MatchError(ContainSubstring("generating preflight")))
Expand All @@ -137,7 +136,6 @@ func TestReconcilerReconcileAlreadyInDesiredVersionWithPreflightErrorDeletingYam
tt.templater.EXPECT().GenerateUpgradePreflightManifest(tt.ctx, tt.spec).Return([]byte("invalid yaml"), nil)

tt.withObjects(ds, operator, cm, preflightDS, preflightDeployment)

result, err := tt.reconciler.Reconcile(tt.ctx, test.NewNullLogger(), tt.client, tt.spec)
tt.Expect(result).To(Equal(controller.Result{}))
tt.Expect(err).To(MatchError(ContainSubstring("error unmarshaling JSON")))
Expand Down Expand Up @@ -455,7 +453,7 @@ func TestReconcilerReconcileSkipUpgradeWithoutCiliumInstalled(t *testing.T) {
}
})

tt.templater.EXPECT().GenerateManifest(tt.ctx, tt.spec).Return(upgradeManifest, nil)
tt.templater.EXPECT().GenerateManifest(tt.ctx, tt.spec, gomock.Not(gomock.Nil())).Return(upgradeManifest, nil)

tt.Expect(tt.reconciler.Reconcile(tt.ctx, test.NewNullLogger(), tt.client, tt.spec)).To(
Equal(controller.Result{}),
Expand Down Expand Up @@ -572,7 +570,7 @@ func newReconcileTest(t *testing.T) *reconcileTest {
client: env.Client(),
env: env,
templater: templater,
reconciler: reconciler.New(templater),
reconciler: reconciler.New(templater, providerNamespaces),
}

t.Cleanup(tt.cleanup)
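Review bot: The updated `GenerateManifest` expectations only assert that some non-nil option was passed (`gomock.Not(gomock.Nil())`), so a regression that forwards the wrong or an empty namespace list to `WithPolicyAllowedNamespaces` would still pass every test in this file. Because the option is a function value it cannot be matched with `gomock.Eq`, but a small custom `gomock.Matcher` that applies the received option (if the option type exposes a way to do so) and checks the resulting allowed namespaces equal `providerNamespaces`, or one test driving the real templater and asserting on the rendered policy, would pin the behaviour this commit introduces. `newReconcileTest` continues outside the hunk.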
5 changes: 0 additions & 5 deletions test/e2e/SKIPPED_TESTS.yaml
Expand Up @@ -21,11 +21,6 @@ skipped_tests:
- TestCloudStackKubernetes129WithOIDCManagementClusterUpgradeFromLatestSideEffects

# Temporary disables to stabilize tests. Owners should work on fixes and enable these test along with their fix's PR
- TestCloudStackKubernetes126CiliumAlwaysPolicyEnforcementModeSimpleFlow
- TestCloudStackKubernetes125CiliumAlwaysPolicyEnforcementModeSimpleFlow
- TestCloudStackKubernetes127CiliumAlwaysPolicyEnforcementModeSimpleFlow
- TestCloudStackKubernetes128CiliumAlwaysPolicyEnforcementModeSimpleFlow
- TestVSphereKubernetes128CiliumAlwaysPolicyEnforcementModeSimpleFlow
- TestTinkerbellAirgappedKubernetes129UbuntuProxyConfigFlow

# Nutanix
