diff --git a/controllers/factory.go b/controllers/factory.go
index 6ccd27584bc8..30e86ca2176e 100644
--- a/controllers/factory.go
+++ b/controllers/factory.go
@@ -250,7 +250,7 @@ func (f *Factory) WithNutanixDatacenterReconciler() *Factory {
 // withNutanixClusterReconciler adds the NutanixClusterReconciler to the controller factory.
 func (f *Factory) withNutanixClusterReconciler() *Factory {
 	f.dependencyFactory.WithNutanixDefaulter().WithNutanixValidator()
-	f.withTracker().withCNIReconciler().withIPValidator()
+	f.withTracker().withCNIReconciler(f.getProviderNamespace(constants.NutanixProviderName)).withIPValidator()
 	f.buildSteps = append(f.buildSteps, func(ctx context.Context) error {
 		if f.nutanixClusterReconciler != nil {
 			return nil
@@ -345,7 +345,7 @@ func (f *Factory) WithProviderClusterReconcilerRegistry(capiProviders []clusterc
 }
 
 func (f *Factory) withDockerClusterReconciler() *Factory {
-	f.withCNIReconciler().withTracker()
+	f.withCNIReconciler(f.getProviderNamespace(constants.DockerProviderName)).withTracker()
 	f.buildSteps = append(f.buildSteps, func(ctx context.Context) error {
 		if f.dockerClusterReconciler != nil {
 			return nil
@@ -366,7 +366,7 @@ func (f *Factory) withDockerClusterReconciler() *Factory {
 
 func (f *Factory) withVSphereClusterReconciler() *Factory {
 	f.dependencyFactory.WithVSphereDefaulter().WithVSphereValidator()
-	f.withTracker().withCNIReconciler().withIPValidator()
+	f.withTracker().withCNIReconciler(f.getProviderNamespace(constants.VSphereProviderName)).withIPValidator()
 	f.buildSteps = append(f.buildSteps, func(ctx context.Context) error {
 		if f.vsphereClusterReconciler != nil {
 			return nil
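Review bot: Each of the three call sites in this hunk (and the Snow, Tinkerbell and CloudStack ones in the following hunks) passes its own provider-name constant through `f.getProviderNamespace`, only to receive back a namespace constant that is already known at the call site. Passing the namespace directly, e.g. `f.withTracker().withCNIReconciler(constants.CapxSystemNamespace).withIPValidator()`, drops the switch round-trip and makes the unknown-provider branch unreachable from these callers. If the indirection is intentional (for instance to share one mapping with `WithProviderClusterReconcilerRegistry`), a short comment on the first call site saying so would help the next reader. withNutanixClusterReconciler, withDockerClusterReconciler and withVSphereClusterReconciler all continue outside their hunks.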
@@ -389,7 +389,7 @@ func (f *Factory) withVSphereClusterReconciler() *Factory {
 }
 
 func (f *Factory) withSnowClusterReconciler() *Factory {
-	f.withCNIReconciler().withTracker().withIPValidator()
+	f.withCNIReconciler(f.getProviderNamespace(constants.SnowProviderName)).withTracker().withIPValidator()
 
 	f.buildSteps = append(f.buildSteps, func(ctx context.Context) error {
 		if f.snowClusterReconciler != nil {
@@ -411,7 +411,7 @@ func (f *Factory) withSnowClusterReconciler() *Factory {
 }
 
 func (f *Factory) withTinkerbellClusterReconciler() *Factory {
-	f.withCNIReconciler().withTracker().withIPValidator()
+	f.withCNIReconciler(f.getProviderNamespace(constants.TinkerbellProviderName)).withTracker().withIPValidator()
 
 	f.buildSteps = append(f.buildSteps, func(ctx context.Context) error {
 		if f.tinkerbellClusterReconciler != nil {
@@ -433,7 +433,7 @@ func (f *Factory) withTinkerbellClusterReconciler() *Factory {
 }
 
 func (f *Factory) withCloudStackClusterReconciler() *Factory {
-	f.withCNIReconciler().withTracker().withIPValidator().withCloudStackValidatorRegistry()
+	f.withCNIReconciler(f.getProviderNamespace(constants.CloudStackProviderName)).withTracker().withIPValidator().withCloudStackValidatorRegistry()
 
 	f.buildSteps = append(f.buildSteps, func(ctx context.Context) error {
 		if f.cloudstackClusterReconciler != nil {
@@ -504,7 +504,7 @@ func (f *Factory) withCiliumTemplater() *Factory {
 	return f
 }
 
-func (f *Factory) withCNIReconciler() *Factory {
+func (f *Factory) withCNIReconciler(providerNamespace string) *Factory {
 	f.withCiliumTemplater()
 
 	f.buildSteps = append(f.buildSteps, func(ctx context.Context) error {
@@ -512,7 +512,7 @@ func (f *Factory) withCNIReconciler() *Factory {
 			return nil
 		}
 
-		f.cniReconciler = cnireconciler.New(ciliumreconciler.New(f.ciliumTemplater))
+		f.cniReconciler = cnireconciler.New(ciliumreconciler.New(f.ciliumTemplater, []string{providerNamespace}))
 
 		return nil
 	})
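Review bot: The build step in the last hunk creates the CNI reconciler with `[]string{providerNamespace}` from whichever `withCNIReconciler` call is built first; the `return nil }` context at the top of that hunk suggests later steps return early once `f.cniReconciler` is set, so when several provider reconcilers are registered on one factory only the first provider's namespace reaches `cilium.WithPolicyAllowedNamespaces`, even though `ciliumreconciler.New` already accepts a slice. An empty string from `getProviderNamespace`'s unknown-provider path is also wrapped into that slice unchanged. Accumulating the namespaces on the factory at registration time (a `providerNamespaces []string` field) and handing the whole slice to the reconciler at build time covers both, assuming build steps run after all `with*` registrations. `withCNIReconciler` in the previous hunk also needs a doc comment now that it takes a parameter, e.g. `// withCNIReconciler adds the CNI reconciler; providerNamespace is added to the Cilium network policy's allowed namespaces.`. Both withCNIReconciler hunks are cut at the function's edges, so the early-return guard itself and the final `return f` are outside the diff.

```go
func (f *Factory) withCNIReconciler(providerNamespace string) *Factory {
	f.withCiliumTemplater()
	// Collect every registered provider's namespace so the single, shared
	// CNI reconciler allows all of them, not only the first one built.
	if providerNamespace != "" {
		f.providerNamespaces = append(f.providerNamespaces, providerNamespace)
	}

	f.buildSteps = append(f.buildSteps, func(ctx context.Context) error {
		// … unchanged: early return when f.cniReconciler is already set …
		f.cniReconciler = cnireconciler.New(ciliumreconciler.New(f.ciliumTemplater, f.providerNamespaces))

		return nil
	})
```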
@@ -681,3 +681,24 @@ func (f *Factory) WithNodeUpgradeReconciler() *Factory {
 
 	return f
 }
+
+func (f *Factory) getProviderNamespace(providerName string) string {
+	var providerNamespace string
+	switch providerName {
+	case snowProviderName:
+		providerNamespace = constants.CapasSystemNamespace
+	case vSphereProviderName:
+		providerNamespace = constants.CapvSystemNamespace
+	case tinkerbellProviderName:
+		providerNamespace = constants.CaptSystemNamespace
+	case cloudstackProviderName:
+		providerNamespace = constants.CapcSystemNamespace
+	case nutanixProviderName:
+		providerNamespace = constants.CapxSystemNamespace
+	case dockerProviderName:
+		providerNamespace = constants.CapdSystemNamespace
+	default:
+		f.logger.Info("Found unknown CAPI provider, ignoring", "providerName", providerName)
+	}
+	return providerNamespace
+}
diff --git a/pkg/networking/cilium/reconciler/reconciler.go b/pkg/networking/cilium/reconciler/reconciler.go
index f2997d46216b..cf3527fd6ab2 100644
--- a/pkg/networking/cilium/reconciler/reconciler.go
+++ b/pkg/networking/cilium/reconciler/reconciler.go
@@ -42,12 +42,15 @@ type Templater interface {
 
 // Reconciler allows to reconcile a Cilium CNI.
 type Reconciler struct {
-	templater Templater
+	templater          Templater
+	providerNamespaces []string
 }
 
-func New(templater Templater) *Reconciler {
+// New creates a new cilium reconciler object with a templater and providerNamespaces to generate manifests.
+func New(templater Templater, providerNamespaces []string) *Reconciler {
 	return &Reconciler{
-		templater: templater,
+		templater:          templater,
+		providerNamespaces: providerNamespaces,
 	}
 }
 
@@ -205,6 +208,7 @@ func (r *Reconciler) upgrade(ctx context.Context, logger logr.Logger, client cli
 
 	upgradeManifest, err := r.templater.GenerateManifest(ctx, spec,
 		cilium.WithUpgradeFromVersion(*previousCiliumVersion),
+		cilium.WithPolicyAllowedNamespaces(r.providerNamespaces),
 	)
 	if err != nil {
 		return controller.Result{}, err
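Review bot: `getProviderNamespace` switches on the package-local `snowProviderName`, `vSphereProviderName` and sibling identifiers while every caller in this diff passes `constants.SnowProviderName` and friends; the two sets presumably hold the same strings today, but if they ever diverge the lookup falls through to `default`, logs at info level and returns `""`, which the caller then hands to the Cilium policy's allowed namespaces as an empty entry. Keying the switch on the constants the callers already use, `case constants.SnowProviderName:` and so on, closes that gap, and the empty-string contract should be stated on the function: `// getProviderNamespace returns the CAPI system namespace for providerName, or "" for a provider it does not know.`. Returning an error instead of `""` would make a bad mapping fail the build step rather than silently reach the network policy.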
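Review bot: `New` in the reconciler.go hunk stores the caller's `providerNamespaces` slice by reference, so a later `append` or element write by the caller changes the namespaces every subsequent `GenerateManifest` call is templated with; copying on construction, `providerNamespaces: append([]string(nil), providerNamespaces...)`, keeps the reconciler self-contained. The new doc comment would also be more useful if it said what the namespaces are for, e.g. `// New creates a Cilium reconciler; providerNamespaces are passed as cilium.WithPolicyAllowedNamespaces on every manifest the templater generates.`. Whether a nil or empty slice is acceptable depends on WithPolicyAllowedNamespaces, which is outside this diff.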
@@ -238,7 +242,7 @@ func (r *Reconciler) updateConfig(ctx context.Context, client client.Client, spe } func (r *Reconciler) applyFullManifest(ctx context.Context, client client.Client, spec *cluster.Spec) error { - upgradeManifest, err := r.templater.GenerateManifest(ctx, spec) + upgradeManifest, err := r.templater.GenerateManifest(ctx, spec, cilium.WithPolicyAllowedNamespaces(r.providerNamespaces)) if err != nil { return err } diff --git a/pkg/networking/cilium/reconciler/reconciler_test.go b/pkg/networking/cilium/reconciler/reconciler_test.go index 20a6ce7622fa..d500727a58ce 100644 --- a/pkg/networking/cilium/reconciler/reconciler_test.go +++ b/pkg/networking/cilium/reconciler/reconciler_test.go @@ -33,12 +33,14 @@ import ( "github.com/aws/eks-anywhere/pkg/utils/ptr" ) +var providerNamespaces = []string{"test-system"} + func TestReconcilerReconcileInstall(t *testing.T) { tt := newReconcileTest(t) ds := ciliumDaemonSet() operator := ciliumOperator() manifest := buildManifest(tt.WithT, ds, operator) - tt.templater.EXPECT().GenerateManifest(tt.ctx, tt.spec).Return(manifest, nil) + tt.templater.EXPECT().GenerateManifest(tt.ctx, tt.spec, gomock.Not(gomock.Nil())).Return(manifest, nil) tt.Expect( tt.reconciler.Reconcile(tt.ctx, test.NewNullLogger(), tt.client, tt.spec), @@ -51,7 +53,7 @@ func TestReconcilerReconcileInstall(t *testing.T) { func TestReconcilerReconcileInstallErrorGeneratingManifest(t *testing.T) { tt := newReconcileTest(t) - tt.templater.EXPECT().GenerateManifest(tt.ctx, tt.spec).Return(nil, errors.New("generating manifest")) + tt.templater.EXPECT().GenerateManifest(tt.ctx, tt.spec, gomock.Not(gomock.Nil())).Return(nil, errors.New("generating manifest")) result, err := tt.reconciler.Reconcile(tt.ctx, test.NewNullLogger(), tt.client, tt.spec) tt.Expect(result).To(Equal(controller.Result{})) 
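Review bot: The `gomock.Not(gomock.Nil())` matcher in the TestReconcilerReconcileInstall and TestReconcilerReconcileInstallErrorGeneratingManifest hunks (and likewise in TestReconcilerReconcileErrorYamlReconcile and TestReconcilerReconcileSkipUpgradeWithoutCiliumInstalled further down) only asserts that some non-nil option is passed to GenerateManifest, so a regression that passes a different option, or the wrong namespaces, still passes. If the option is a function value, as the `cilium.With…` naming suggests, it cannot be compared with `gomock.Eq`, but a small custom matcher that applies the option to a config and checks the allowed namespaces equal `providerNamespaces` would pin the behaviour this change adds. TestReconcilerReconcileInstall continues outside its hunk.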
@@ -60,7 +62,7 @@ func TestReconcilerReconcileInstallErrorGeneratingManifest(t *testing.T) { func TestReconcilerReconcileErrorYamlReconcile(t *testing.T) { tt := newReconcileTest(t) - tt.templater.EXPECT().GenerateManifest(tt.ctx, tt.spec).Return([]byte("invalid yaml"), nil) + tt.templater.EXPECT().GenerateManifest(tt.ctx, tt.spec, gomock.Not(gomock.Nil())).Return([]byte("invalid yaml"), nil) result, err := tt.reconciler.Reconcile(tt.ctx, test.NewNullLogger(), tt.client, tt.spec) tt.Expect(result).To(Equal(controller.Result{})) @@ -72,7 +74,6 @@ func TestReconcilerReconcileAlreadyUpToDate(t *testing.T) { operator := ciliumOperator() cm := ciliumConfigMap() tt := newReconcileTest(t).withObjects(ds, operator, cm) - tt.Expect(tt.reconciler.Reconcile(tt.ctx, test.NewNullLogger(), tt.client, tt.spec)).To( Equal(controller.Result{}), ) @@ -95,7 +96,6 @@ func TestReconcilerReconcileAlreadyInDesiredVersionWithPreflight(t *testing.T) { tt.templater.EXPECT().GenerateUpgradePreflightManifest(tt.ctx, tt.spec).Return(preflightManifest, nil) tt.withObjects(ds, operator, preflightDS, preflightDeployment, cm) - tt.Expect(tt.reconciler.Reconcile(tt.ctx, test.NewNullLogger(), tt.client, tt.spec)).To( Equal(controller.Result{}), ) @@ -119,7 +119,6 @@ func TestReconcilerReconcileAlreadyInDesiredVersionWithPreflightErrorFromTemplat tt.templater.EXPECT().GenerateUpgradePreflightManifest(tt.ctx, tt.spec).Return(nil, errors.New("generating preflight")) tt.withObjects(ds, operator, cm, preflightDS, preflightDeployment) - result, err := tt.reconciler.Reconcile(tt.ctx, test.NewNullLogger(), tt.client, tt.spec) tt.Expect(result).To(Equal(controller.Result{})) tt.Expect(err).To(MatchError(ContainSubstring("generating preflight"))) 
@@ -137,7 +136,6 @@ func TestReconcilerReconcileAlreadyInDesiredVersionWithPreflightErrorDeletingYam tt.templater.EXPECT().GenerateUpgradePreflightManifest(tt.ctx, tt.spec).Return([]byte("invalid yaml"), nil) tt.withObjects(ds, operator, cm, preflightDS, preflightDeployment) - result, err := tt.reconciler.Reconcile(tt.ctx, test.NewNullLogger(), tt.client, tt.spec) tt.Expect(result).To(Equal(controller.Result{})) tt.Expect(err).To(MatchError(ContainSubstring("error unmarshaling JSON"))) @@ -455,7 +453,7 @@ func TestReconcilerReconcileSkipUpgradeWithoutCiliumInstalled(t *testing.T) { } }) - tt.templater.EXPECT().GenerateManifest(tt.ctx, tt.spec).Return(upgradeManifest, nil) + tt.templater.EXPECT().GenerateManifest(tt.ctx, tt.spec, gomock.Not(gomock.Nil())).Return(upgradeManifest, nil) tt.Expect(tt.reconciler.Reconcile(tt.ctx, test.NewNullLogger(), tt.client, tt.spec)).To( Equal(controller.Result{}), @@ -572,7 +570,7 @@ func newReconcileTest(t *testing.T) *reconcileTest { client: env.Client(), env: env, templater: templater, - reconciler: reconciler.New(templater), + reconciler: reconciler.New(templater, providerNamespaces), } t.Cleanup(tt.cleanup) diff --git a/test/e2e/SKIPPED_TESTS.yaml b/test/e2e/SKIPPED_TESTS.yaml index af3e9638385f..869f4df94866 100644 --- a/test/e2e/SKIPPED_TESTS.yaml +++ b/test/e2e/SKIPPED_TESTS.yaml 
@@ -21,11 +21,6 @@ skipped_tests: - TestCloudStackKubernetes129WithOIDCManagementClusterUpgradeFromLatestSideEffects # Temporary disables to stabilize tests. Owners should work on fixes and enable these test along with their fix's PR -- TestCloudStackKubernetes126CiliumAlwaysPolicyEnforcementModeSimpleFlow -- TestCloudStackKubernetes125CiliumAlwaysPolicyEnforcementModeSimpleFlow -- TestCloudStackKubernetes127CiliumAlwaysPolicyEnforcementModeSimpleFlow -- TestCloudStackKubernetes128CiliumAlwaysPolicyEnforcementModeSimpleFlow -- TestVSphereKubernetes128CiliumAlwaysPolicyEnforcementModeSimpleFlow - TestTinkerbellAirgappedKubernetes129UbuntuProxyConfigFlow # Nutanix