#!/bin/bash
source ./color.sh
# Export the lowercase proxy variables so that every child process of this
# script sends HTTP and HTTPS traffic through file.rdu.redhat.com:3128.
set_proxy() {
  local proxy_endpoint=file.rdu.redhat.com:3128
  export http_proxy=$proxy_endpoint
  export https_proxy=$proxy_endpoint
}
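#######################################
# Abort the run when a configured egress IP already answers ping.
# Globals:   EGRESS_IP, EGRESS_IP2, EGRESS_IP3, MASTER_IP (read)
#            BBlue, BRed, NC (read)
# Outputs:   progress and error messages on stdout
# Returns:   0 when no address replied; exits 1 when an address replied or
#            when the probe itself could not be carried out
#######################################
check_ip() {
  local ip rc
  # Deliberately unquoted: unset or empty EGRESS_IP* variables are skipped.
  # shellcheck disable=SC2086
  for ip in $EGRESS_IP $EGRESS_IP2 $EGRESS_IP3; do
    echo -e "$BBlue Check if the IP is in-use. $NC"
    # $ip becomes part of the command line parsed by the remote shell, so the
    # EGRESS_IP* values must come from a trusted source.
    rc=0
    ssh "$MASTER_IP" "ping -c1 $ip" || rc=$?
    case "$rc" in
      1)
        # ping reported "no reply": the address is free.
        ;;
      0)
        echo -e "$BRed EGRESS IP is being used $NC"
        exit 1
        ;;
      *)
        # Any other status (for example 255 from ssh, 2 from ping) means the
        # probe did not run; do not report that as "in use".
        echo -e "$BRed Could not check EGRESS IP $ip (exit status $rc) $NC"
        exit 1
        ;;
    esac
    # A second check against `oc get hostsubnet` output used to be sketched
    # here as commented-out code; it was never enabled.
  done
}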
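#######################################
# Reset egressCIDRs and egressIPs to empty lists on every node's hostsubnet.
# Uses the cluster-admin kubeconfig in the working directory.
# Outputs:   whatever `oc patch` prints
# Returns:   1 when the node list cannot be read, otherwise the status of
#            the last `oc patch`
#######################################
clean_node_egressIP() {
  local names node field
  if ! names=$(oc get node --config admin.kubeconfig -o jsonpath='{.items[*].metadata.name}'); then
    echo -e "${BRed}Failed to list nodes${NC}"
    return 1
  fi
  # The jsonpath output is a whitespace-separated list; splitting is intended.
  # shellcheck disable=SC2086
  for node in $names; do
    for field in egressCIDRs egressIPs; do
      oc patch hostsubnet "$node" -p "{\"$field\":[]}" --config admin.kubeconfig
    done
  done
}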
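# Delete one project and wait until `oc get project` no longer lists it.
# Arguments: $1 - project name; $2 - label used in the progress messages
_delete_project_and_wait() {
  local name=$1
  local label=$2
  oc delete project "$name"
  echo -e "$BBlue Delete the $label if already existed. $NC"
  # Match the NAME column exactly. A substring match would keep waiting for
  # as long as any other project merely contains this name.
  while oc get project | awk -v name="$name" '$1 == name { found = 1 } END { exit !found }'; do
    echo -e "Waiting for $label to be deleted on server"
    sleep 5
  done
}

#######################################
# Fetch the admin kubeconfig, log in, and start from a clean set of projects.
# Globals:   MASTER_IP, PROJECT (read); BBlue, BRed, NC (read)
#            OC_LOGIN_USER, OC_LOGIN_PASSWORD (read, optional overrides)
# Outputs:   progress and error messages on stdout
# Returns:   exits 1 when the kubeconfig copy or the login fails
#######################################
prepare_user() {
  # ./admin.kubeconfig is a cluster-admin credential. It is kept readable by
  # the current user only; nothing in this function removes it afterwards.
  if ! scp "root@$MASTER_IP:/etc/origin/master/admin.kubeconfig" ./; then
    echo -e "${BRed}Failed to copy admin kubeconfig${NC}"
    exit 1
  fi
  chmod 600 ./admin.kubeconfig

  # NOTE(review): the fallback account and password are hard-coded in the
  # source, the password is visible in the process list while `oc login`
  # runs, and --insecure-skip-tls-verify=true means the API server's
  # certificate is not checked. Only suitable for disposable test clusters.
  if ! oc login "https://$MASTER_IP:8443" \
    -u "${OC_LOGIN_USER:-bmeng}" -p "${OC_LOGIN_PASSWORD:-redhat}" \
    --insecure-skip-tls-verify=true; then
    echo -e "${BRed}Failed to login${NC}"
    exit 1
  fi

  # Remove leftovers of an earlier run before creating the test project.
  _delete_project_and_wait "$PROJECT" project
  _delete_project_and_wait newegress newegress
  _delete_project_and_wait project2 project2
  sleep 10

  create_project "$PROJECT"
}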
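#######################################
# Create a project with `oc new-project`, aborting the run on failure.
# Arguments: $1 - project name
# Outputs:   an error message on stdout when creation fails
# Returns:   exits 1 when `oc new-project` fails
#######################################
create_project() {
  local project=$1
  # Quoted so the name always reaches oc as exactly one argument.
  if ! oc new-project "$project"; then
    echo -e "${BRed}Failed to create $project $NC"
    exit 1
  fi
}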
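#######################################
# Poll until the expected number of matching pods is Running.
# Globals:   PROJECT (read, used when no namespace is passed)
# Arguments: $1 - pattern matched against `oc get po` lines
#            $2 - number of Running pods to wait for
#            $3 - namespace (optional)
# Outputs:   "Pod creation failed" on stdout after the last attempt
# Returns:   0 once the count matches; exits 1 after 20 polls, 10 s apart
#######################################
wait_for_pod_running() {
  local pod_pattern=$1
  local expected=$2
  local project=$3
  # The limit is a single local constant, so the loop bound and the failure
  # check cannot drift apart, and no counters leak into the global scope.
  local -r max_tries=20
  local tries=0
  local running

  while [ "$tries" -lt "$max_tries" ]; do
    running=$(oc get po -n "${project:-$PROJECT}" | grep -- "$pod_pattern" | grep -c Running)
    if [ "$running" -eq "$expected" ]; then
      return 0
    fi
    sleep 10
    tries=$((tries + 1))
  done

  echo -e "Pod creation failed"
  exit 1
}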
# Report the outcome of the command that ran immediately before this call:
# PASS when it succeeded, FAILED otherwise. It only prints; it neither stops
# the run nor records the failure anywhere.
step_pass() {
  local rc=$? # must be read first, before any other command overwrites it
  if ((rc == 0)); then
    echo -e "$BGreen PASS! $NC"
  else
    echo -e "$BRed FAILED! $NC"
  fi
}
# Report the outcome of a command that is expected to fail: PASS when the
# command run immediately before this call returned non-zero, FAILED when it
# succeeded. It only prints; it neither stops the run nor records the result.
step_fail() {
  local rc=$? # must be read first, before any other command overwrites it
  if ((rc == 0)); then
    echo -e "$BRed FAILED! $NC"
  else
    echo -e "$BGreen PASS! $NC"
  fi
}
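#######################################
# Pick a random non-master node as the egress node and one other node.
# Globals:   EGRESS_NODE (written) - randomly chosen non-master node
#            OTHER_NODE  (written) - first non-master node that is not
#                                    EGRESS_NODE, empty when there is none
# Outputs:   both assignments on stdout
#######################################
elect_egress_node() {
  local names node
  local -a workers=()

  # Query once so both choices come from the same node list.
  names=$(oc get node -l 'node-role.kubernetes.io/master!=true' \
    --config admin.kubeconfig -o jsonpath='{.items[*].metadata.name}')
  read -r -a workers <<<"${names//$'\n'/ }"

  EGRESS_NODE=$(shuf -n1 -e "${workers[@]}")

  # Compare whole names. Deleting the elected name from the list as text
  # yields an empty OTHER_NODE when that name comes first, and a mangled one
  # when it is a prefix of another node's name.
  OTHER_NODE=
  for node in "${workers[@]}"; do
    if [[ "$node" != "$EGRESS_NODE" ]]; then
      OTHER_NODE=$node
      break
    fi
  done

  echo "EGRESS_NODE=$EGRESS_NODE"
  echo "OTHER_NODE=$OTHER_NODE"
}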
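#######################################
# Clear egressIPs on the elected node's hostsubnet and on the test project's
# netnamespace. egressCIDRs are not touched here.
# Globals:   EGRESS_NODE, PROJECT (read); BBlue, NC (read)
#######################################
clean_up_egressIPs() {
  echo -e "$BBlue Clean up the egressIP on both hostnetwork and netns $NC"
  # Quoted so an unexpected value cannot split into extra oc arguments.
  oc patch hostsubnet "$EGRESS_NODE" -p '{"egressIPs":[]}' --config admin.kubeconfig
  oc patch netnamespaces "$PROJECT" -p '{"egressIPs":[]}' --config admin.kubeconfig
}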
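#######################################
# Elect an egress node and set EGRESS_IP as its only egress IP.
# Globals:   EGRESS_IP (read); EGRESS_NODE (read after the election)
#            BBlue, NC (read)
#######################################
assign_egressIP_to_node() {
  elect_egress_node
  echo -e "$BBlue Assign egress IP to the elected node $NC"
  # The patch is assembled by string interpolation, so a quote character in
  # EGRESS_IP would change the structure of the JSON document.
  oc patch hostsubnet "$EGRESS_NODE" -p "{\"egressIPs\":[\"$EGRESS_IP\"]}" --config admin.kubeconfig
}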
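#######################################
# Elect an egress node and set its egressCIDRs.
# Globals:   EGRESS_CIDR (read, used when no argument is given)
#            EGRESS_NODE (read after the election); BBlue, NC (read)
# Arguments: $1 - CIDR to assign (optional). The value is spliced between
#                 the quotes of a JSON string, so a caller can pass several
#                 CIDRs joined with `","`.
# Outputs:   the banner on stdout; the oc command is traced on stderr
#######################################
assign_egressCIDR_to_node() {
  elect_egress_node
  local egresscidr=$1
  echo -e "$BBlue Assign egress IP to the elected node $NC"
  # Tracing is switched on for this one command only. `set +x` also turns
  # off a trace that the caller may have enabled earlier.
  set -x
  oc patch hostsubnet "$EGRESS_NODE" -p "{\"egressCIDRs\":[\"${egresscidr:-$EGRESS_CIDR}\"]}" --config admin.kubeconfig
  set +x
}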
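#######################################
# Set the egress IP of a project's netnamespace.
# Globals:   EGRESS_IP (read, used when no address is passed); BBlue, NC
# Arguments: $1 - netnamespace (project) name
#            $2 - egress IP (optional)
#######################################
assign_egressIP_to_netns() {
  echo -e "$BBlue Assign egress IP to the project netnamespace $NC"
  local netns=$1
  local egressip=$2
  # Quoted so the name always reaches oc as exactly one argument.
  oc patch netnamespace "$netns" -p "{\"egressIPs\":[\"${egressip:-$EGRESS_IP}\"]}" --config admin.kubeconfig
}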
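#######################################
# Request the external service from inside a pod.
# Globals:   external_service (read) - URL handed to curl; BBlue, NC (read)
# Arguments: $1 - pod name; $2 - namespace of the pod
# Outputs:   a banner line followed by curl's output, both on stdout
# Returns:   the exit status of `oc exec`, which step_pass/step_fail read
#            when called right after this function
#######################################
access_external_network() {
  echo -e "$BBlue Access external network $NC"
  local pod=$1
  local project=$2
  # Must stay the last command so that its status is what the caller sees.
  oc exec "$pod" -n "$project" -- curl -sS --connect-timeout 5 "$external_service"
}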
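#######################################
# OCP-15465/15466: patching egressIPs without the admin kubeconfig must be
# rejected.
# Globals:   PROJECT (read); EGRESS_NODE (read after the election)
#######################################
test_only_cluster_admin_can_modify() {
  echo -e "$BBlue Test OCP-15465/15466 Only cluster admin can manipulate egressIP. $NC"
  elect_egress_node
  oc project "$PROJECT"
  # No --config here: both patches run with the credentials of the current
  # oc login session, and each one is expected to fail.
  oc patch hostsubnet "$EGRESS_NODE" -p '{"egressIPs":[]}'
  step_fail
  oc patch netnamespaces "$PROJECT" -p '{"egressIPs":[]}'
  step_fail
  clean_up_egressIPs
  sleep 5
}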
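#######################################
# OCP-15467: pods lose external access when the same egress IP is assigned
# to two netnamespaces.
# Globals:   PROJECT (read); EGRESS_NODE (read after the election)
#######################################
test_egressip_to_multi_netns() {
  # NOTE(review): fetched over cleartext HTTP with no checksum, so the
  # manifest is only as trustworthy as the network path to that host.
  local -r manifest_url=http://fedorabmeng.usersys.redhat.com/testing/list_for_pods.json
  local pod p

  echo -e "$BBlue Test OCP-15467 Pods will lose external access if the same egressIP is set to multiple netnamespaces and error logs in master. $NC"
  elect_egress_node
  oc project "$PROJECT"
  oc create -f "$manifest_url" -n "$PROJECT"
  wait_for_pod_running test-rc 2
  create_project project2
  assign_egressIP_to_node
  assign_egressIP_to_netns "$PROJECT"
  assign_egressIP_to_netns project2

  echo -e "$BBlue Check the node network log $NC"
  ssh "root@$EGRESS_NODE" "docker ps | grep sdn_sdn | cut -f1 -d ' '| xargs docker logs --tail 200 2>&1 | grep egressip.go || crictl ps | grep sdn | awk '{print \$1}' | xargs crictl logs --tail 200 2>&1 | grep egressip"

  # Give the egress IP configuration time to settle.
  sleep 10
  pod=$(oc get po -n "$PROJECT" | grep Running | cut -d' ' -f1)
  # Unquoted on purpose: $pod holds one pod name per word.
  for p in $pod; do
    access_external_network "$p" "$PROJECT"
    step_fail
    access_external_network "$p" "$PROJECT"
    step_fail
  done
  echo -e "$BRed Bug 1520363 $NC"

  clean_up_egressIPs
  oc delete project project2
  oc delete all --all -n "$PROJECT"
  sleep 10
}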
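#######################################
# OCP-15469: pods lose external access when the netnamespace has an egress
# IP but no node hosts it.
# Globals:   PROJECT (read)
#######################################
test_no_node_with_egressip() {
  # NOTE(review): fetched over cleartext HTTP with no checksum, so the
  # manifest is only as trustworthy as the network path to that host.
  local -r manifest_url=http://fedorabmeng.usersys.redhat.com/testing/list_for_pods.json
  local pod p

  echo -e "$BBlue Test OCP-15469 Pods will lose external access if there is no node can host the egress IP which admin assigned to the netns. $NC"
  # The node-side assignment is deliberately left out in this scenario.
  assign_egressIP_to_netns "$PROJECT"
  oc project "$PROJECT"
  oc create -f "$manifest_url" -n "$PROJECT"
  wait_for_pod_running test-rc 2

  pod=$(oc get po -n "$PROJECT" | grep Running | cut -d' ' -f1)
  # Unquoted on purpose: $pod holds one pod name per word.
  for p in $pod; do
    access_external_network "$p" "$PROJECT"
    step_fail
    access_external_network "$p" "$PROJECT"
    step_fail
  done

  clean_up_egressIPs
  oc delete all --all -n "$PROJECT"
  sleep 10
}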
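#######################################
# OCP-15471: with the egress IP on both node and netnamespace, every pod's
# outbound connection shows the egress IP.
# Globals:   PROJECT, EGRESS_IP (read)
#######################################
test_pods_through_egressip() {
  # NOTE(review): fetched over cleartext HTTP with no checksum, so the
  # manifest is only as trustworthy as the network path to that host.
  local -r manifest_url=http://fedorabmeng.usersys.redhat.com/testing/list_for_pods.json
  local pod p

  echo -e "$BBlue Test OCP-15471 All the pods egress connection will get out through the egress IP if the egress IP is set to netns and egress node can host the IP $NC"
  echo -e "$BRed Needs update for multiple projects $NC"
  assign_egressIP_to_node
  oc project "$PROJECT"
  oc create -f "$manifest_url" -n "$PROJECT"
  wait_for_pod_running test-rc 2
  assign_egressIP_to_netns "$PROJECT"
  oc scale rc test-rc --replicas=4 -n "$PROJECT"
  wait_for_pod_running test-rc 4

  pod=$(oc get po -n "$PROJECT" | grep Running | cut -d' ' -f1)
  # Unquoted on purpose: $pod holds one pod name per word.
  for p in $pod; do
    access_external_network "$p" "$PROJECT"
    step_pass
    # -F/-w: match the address literally and as a whole token, so 10.0.0.1
    # is not satisfied by 10.0.0.10. `:?` turns an unset address into a
    # failed check instead of a pattern that matches every line.
    access_external_network "$p" "$PROJECT" | grep -Fw -- "${EGRESS_IP:?}"
    step_pass
  done

  clean_up_egressIPs
  oc delete all --all -n "$PROJECT"
  sleep 15
}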
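#######################################
# OCP-15472: the egress IP shows up on the egress node's interfaces while it
# is set on the hostsubnet and disappears once it is cleared.
# Globals:   PROJECT, EGRESS_IP (read); EGRESS_NODE (read after election)
#######################################
test_node_nic() {
  echo -e "$BBlue Test OCP-15472 The egressIPs will be added to the node's primary NIC when it gets set on hostsubnet and will be removed after gets unset $NC"
  assign_egressIP_to_netns "$PROJECT"
  assign_egressIP_to_node
  # -F/-w: match the address literally and as a whole token, so 10.0.0.1 is
  # not satisfied by 10.0.0.10/24. EGRESS_IP is spliced into the remote
  # command line and therefore has to be a trusted value.
  ssh "root@$EGRESS_NODE" "ip a s | grep -Fw -- $EGRESS_IP"
  step_pass
  clean_up_egressIPs
  ssh "root@$EGRESS_NODE" "ip a s | grep -Fw -- $EGRESS_IP"
  step_fail
  sleep 10
}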
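#######################################
# OCP-15473: iptables rules for the egress IP exist on the egress node while
# the IP is assigned and are gone after cleanup. The table=100 OpenFlow
# entries of both nodes are printed for inspection only; no verdict is
# derived from them.
# Globals:   PROJECT, EGRESS_IP (read)
#            EGRESS_NODE, OTHER_NODE (read after the election)
#######################################
test_iptables_openflow_rules() {
  # NOTE(review): fetched over cleartext HTTP with no checksum, so the
  # manifest is only as trustworthy as the network path to that host.
  local -r manifest_url=http://fedorabmeng.usersys.redhat.com/testing/list_for_pods.json
  # Remote command, run unchanged on both nodes before and after cleanup:
  # dump br0 flows from the openvswitch container via docker, then crictl.
  local -r dump_table100='id=$(docker ps | grep openvswitch | awk -F " " "{print \$1}") ; docker exec -t $id ovs-ofctl dump-flows br0 -O openflow13 | grep table=100 || id=$(crictl ps | grep openvswitch | awk "{print \$1}") ; crictl exec $id ovs-ofctl dump-flows br0 -O openflow13 | grep table=100'

  echo -e "$BBlue Test OCP-15473 iptables/openflow rules add/remove $NC"
  assign_egressIP_to_node
  oc project "$PROJECT"
  oc create -f "$manifest_url" -n "$PROJECT"
  wait_for_pod_running test-rc 2
  assign_egressIP_to_netns "$PROJECT"
  sleep 5

  # -F/-w: match the address literally and as a whole token, so a longer
  # address that merely starts with EGRESS_IP does not count as a hit.
  ssh "root@$EGRESS_NODE" "iptables -S OPENSHIFT-FIREWALL-ALLOW | grep -Fw -- $EGRESS_IP"
  step_pass
  ssh "root@$EGRESS_NODE" "iptables -t nat -S OPENSHIFT-MASQUERADE | grep -Fw -- $EGRESS_IP"
  step_pass
  ssh "root@$EGRESS_NODE" "$dump_table100"
  echo -e "\n"
  ssh "root@$OTHER_NODE" "$dump_table100"
  echo -e "\n"

  clean_up_egressIPs

  ssh "root@$EGRESS_NODE" "iptables -S OPENSHIFT-FIREWALL-ALLOW | grep -Fw -- $EGRESS_IP"
  step_fail
  ssh "root@$EGRESS_NODE" "iptables -t nat -S OPENSHIFT-MASQUERADE | grep -Fw -- $EGRESS_IP"
  step_fail
  ssh "root@$EGRESS_NODE" "$dump_table100"
  echo -e "\n"
  ssh "root@$OTHER_NODE" "$dump_table100"
  echo -e "\n"

  oc delete all --all -n "$PROJECT"
  sleep 10
}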
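#######################################
# OCP-15474: with two egress IPs listed on hostsubnet and netnamespace, pod
# traffic is expected to show the first one.
# Globals:   PROJECT, EGRESS_IP, EGRESS_IP2 (read)
#            EGRESS_NODE (read after the election)
#######################################
test_multi_egressip() {
  # NOTE(review): fetched over cleartext HTTP with no checksum, so the
  # manifest is only as trustworthy as the network path to that host.
  local -r manifest_url=http://fedorabmeng.usersys.redhat.com/testing/list_for_pods.json
  local pod p

  echo -e "$BBlue Test OCP-15474 Only the first element of the EgressIPs array in netNamespace will take effect. $NC"
  echo -e "$BRed Need update due to the HA egressIP feature. $NC"
  oc project "$PROJECT"
  oc create -f "$manifest_url" -n "$PROJECT"
  wait_for_pod_running test-rc 2
  elect_egress_node
  oc patch hostsubnet "$EGRESS_NODE" -p "{\"egressIPs\":[\"$EGRESS_IP\",\"$EGRESS_IP2\"]}" --config admin.kubeconfig
  oc patch netnamespace "$PROJECT" -p "{\"egressIPs\":[\"$EGRESS_IP\",\"$EGRESS_IP2\"]}" --config admin.kubeconfig

  # Give the egress IP configuration time to settle.
  sleep 15
  pod=$(oc get po -n "$PROJECT" | grep Running | cut -d' ' -f1)
  # Unquoted on purpose: $pod holds one pod name per word.
  for p in $pod; do
    # -F/-w: literal, whole-token match; `:?` makes an unset address fail
    # the check instead of matching every line.
    access_external_network "$p" "$PROJECT" | grep -Fw -- "${EGRESS_IP:?}"
    step_pass
    access_external_network "$p" "$PROJECT" | grep -Fw -- "${EGRESS_IP:?}"
    step_pass
  done

  oc delete all --all -n "$PROJECT"
  clean_up_egressIPs
  sleep 10
}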
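#######################################
# OCP-15987: the egress IP is unavailable when set on multiple hostsubnets.
# Globals:   PROJECT, EGRESS_IP, OTHER_NODE (read)
#######################################
test_egressip_to_multi_host() {
  # NOTE(review): fetched over cleartext HTTP with no checksum, so the
  # manifest is only as trustworthy as the network path to that host.
  local -r manifest_url=http://fedorabmeng.usersys.redhat.com/testing/list_for_pods.json
  local pod p

  echo -e "$BBlue Test OCP-15987 The egressIP will be unavailable if it was set to multiple hostsubnets. $NC"
  oc project "$PROJECT"
  oc create -f "$manifest_url" -n "$PROJECT"
  wait_for_pod_running test-rc 2
  # NOTE(review): OTHER_NODE is whatever an earlier test left behind, and
  # this function assigns the IP to neither the elected node nor the
  # netnamespace. Confirm that this still sets up the "multiple
  # hostsubnets" condition named in the title.
  oc patch hostsubnet "$OTHER_NODE" -p "{\"egressIPs\":[\"$EGRESS_IP\"]}" --config admin.kubeconfig

  # Give the egress IP configuration time to settle.
  sleep 10
  pod=$(oc get po -n "$PROJECT" | grep Running | cut -d' ' -f1)
  # Unquoted on purpose: $pod holds one pod name per word.
  for p in $pod; do
    access_external_network "$p" "$PROJECT"
    step_pass
    # -F/-w: literal, whole-token match; `:?` makes an unset address fail
    # the pipeline, which step_fail then reports as PASS.
    access_external_network "$p" "$PROJECT" | grep -Fw -- "${EGRESS_IP:?}"
    step_fail
  done

  clean_up_egressIPs
  oc patch hostsubnet "$OTHER_NODE" -p '{"egressIPs":[]}' --config admin.kubeconfig
  sleep 10
}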
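#######################################
# OCP-15989: pods in project2 keep external access and do not use the
# egress IP that is assigned to another netnamespace.
# Globals:   PROJECT, EGRESS_IP (read)
#######################################
test_pods_in_other_project() {
  # NOTE(review): fetched over cleartext HTTP with no checksum, so the
  # manifest is only as trustworthy as the network path to that host.
  local -r manifest_url=http://fedorabmeng.usersys.redhat.com/testing/list_for_pods.json
  local pod p

  echo -e "$BBlue Test OCP-15989 Pods will not be affected by the egressIP set on other netnamespace. $NC"
  oc project "$PROJECT"
  oc create -f "$manifest_url" -n "$PROJECT"
  wait_for_pod_running test-rc 2
  assign_egressIP_to_node
  assign_egressIP_to_netns "$PROJECT"

  create_project project2
  oc project project2
  oc create -f "$manifest_url" -n project2
  wait_for_pod_running test-rc 2 project2

  pod=$(oc get po -n project2 | grep Running | cut -d' ' -f1)
  # Unquoted on purpose: $pod holds one pod name per word.
  for p in $pod; do
    access_external_network "$p" project2
    step_pass
    # -F/-w: literal, whole-token match, so a longer address that merely
    # contains EGRESS_IP is not taken for it.
    access_external_network "$p" project2 | grep -Fw -- "${EGRESS_IP:?}"
    step_fail
  done

  clean_up_egressIPs
  oc delete project project2
  oc delete all --all -n "$PROJECT"
  sleep 10
}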
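#######################################
# OCP-15992: EgressNetworkPolicy and egress IP together. Access is expected
# to fail under the first policy (three Deny CIDRs) and to succeed through
# the egress IP once the policy is patched down to one other Deny CIDR.
# Globals:   PROJECT, EGRESS_IP (read)
#######################################
test_egressnetworkpolicy_with_egressip() {
  # NOTE(review): fetched over cleartext HTTP with no checksum, so the
  # manifest is only as trustworthy as the network path to that host.
  local -r manifest_url=http://fedorabmeng.usersys.redhat.com/testing/list_for_pods.json
  local pod p

  echo -e "$BBlue Test OCP-15992 EgressNetworkPolicy works well with egressIP. $NC"
  oc project "$PROJECT"
  oc create -f "$manifest_url" -n "$PROJECT"
  wait_for_pod_running test-rc 2
  assign_egressIP_to_node
  assign_egressIP_to_netns "$PROJECT"

  # Quoted delimiter: the policy is sent exactly as written.
  oc create -f - --config admin.kubeconfig -n "$PROJECT" <<'EOF'
{
  "kind": "EgressNetworkPolicy",
  "apiVersion": "v1",
  "metadata": {
    "name": "default"
  },
  "spec": {
    "egress": [
      {
        "type": "Deny",
        "to": {
          "cidrSelector": "10.66.140.0/23"
        }
      },
      {
        "type": "Deny",
        "to": {
          "cidrSelector": "172.16.120.0/24"
        }
      },
      {
        "type": "Deny",
        "to": {
          "cidrSelector": "10.72.12.0/22"
        }
      }
    ]
  }
}
EOF

  pod=$(oc get po -n "$PROJECT" | grep Running | cut -d' ' -f1)
  # Unquoted on purpose: $pod holds one pod name per word.
  for p in $pod; do
    access_external_network "$p" "$PROJECT"
    step_fail
    access_external_network "$p" "$PROJECT"
    step_fail
  done

  oc patch egressnetworkpolicy default -p '{"spec":{"egress":[{"to":{"cidrSelector":"10.66.144.0/23"},"type":"Deny"}]}}' -n "$PROJECT" --config admin.kubeconfig
  # Give the changed policy time to take effect.
  sleep 15

  pod=$(oc get po -n "$PROJECT" | grep Running | cut -d' ' -f1)
  for p in $pod; do
    access_external_network "$p" "$PROJECT"
    step_pass
    # -F/-w: literal, whole-token match; `:?` makes an unset address fail
    # the check instead of matching every line.
    access_external_network "$p" "$PROJECT" | grep -Fw -- "${EGRESS_IP:?}"
    step_pass
  done

  clean_up_egressIPs
  sleep 10
}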
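#######################################
# OCP-15996: the node is reachable over ssh by name, but an ssh connection
# from the master to the egress IP is expected to fail.
# Globals:   PROJECT, MASTER_IP, EGRESS_IP (read)
#            EGRESS_NODE (read after the election)
#######################################
test_access_egressip() {
  echo -e "$BBlue Test OCP-15996 Should not be able to access node via egressIP. $NC"
  assign_egressIP_to_node
  assign_egressIP_to_netns "$PROJECT"
  ssh "root@$EGRESS_NODE" "hostname"
  step_pass
  # EGRESS_IP is spliced into the command line parsed by the master's shell
  # and therefore has to be a trusted value.
  ssh "root@$MASTER_IP" "ssh root@$EGRESS_IP hostname"
  step_fail
  clean_up_egressIPs
  sleep 10
}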
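#######################################
# Malformed egressIPs values must be rejected by the API server: free text,
# an IPv6 address, dotted letters, out-of-range octets, an address with a
# prefix length, and a negative octet.
# Globals:   EGRESS_NODE (read after the election)
#######################################
test_negative_values() {
  local bad_value

  echo -e "$BBlue Test OCP-Negative values in egressIP. $NC"
  elect_egress_node
  # NOTE(review): nothing here resets egressIPs if one of these patches is
  # unexpectedly accepted.
  for bad_value in \
    abcd \
    fe80::5054:ff:fedd:3698 \
    a.b.c.d \
    256.256.256.256 \
    10.66.140.100/32 \
    8.8.8.-1; do
    oc patch hostsubnet "$EGRESS_NODE" --config admin.kubeconfig -p "{\"egressIPs\":[\"$bad_value\"]}"
    step_fail
  done
}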
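#######################################
# OCP-18315 [bz1547899]: removing the egress IP from the netnamespace and
# adding it back works.
# Globals:   PROJECT, EGRESS_IP (read)
#######################################
test_add_remove_egressip() {
  # NOTE(review): fetched over cleartext HTTP with no checksum, so the
  # manifest is only as trustworthy as the network path to that host.
  local -r manifest_url=http://fedorabmeng.usersys.redhat.com/testing/list_for_pods.json
  local pod p

  echo -e "$BBlue Test OCP-18315 [bz1547899] Add the removed egressIP back to the netnamespace would work well. $NC"
  oc project "$PROJECT"
  oc create -f "$manifest_url" -n "$PROJECT"
  wait_for_pod_running test-rc 2
  pod=$(oc get po -n "$PROJECT" | grep Running | cut -d' ' -f1)
  assign_egressIP_to_node
  assign_egressIP_to_netns "$PROJECT"

  echo -e "$BBlue Remove the egressIP from the netnamespace $NC"
  oc patch netnamespace "$PROJECT" -p '{"egressIPs":[]}' --config admin.kubeconfig
  # Give the change time to take effect.
  sleep 15
  # Unquoted on purpose: $pod holds one pod name per word.
  for p in $pod; do
    # -F/-w: literal, whole-token match, so a longer address that merely
    # contains EGRESS_IP is not taken for it.
    access_external_network "$p" "$PROJECT" | grep -Fw -- "${EGRESS_IP:?}"
    step_fail
    access_external_network "$p" "$PROJECT"
    step_pass
  done

  echo -e "$BBlue Add the egressIP back to the netnamespace $NC"
  assign_egressIP_to_netns "$PROJECT"
  # Give the change time to take effect.
  sleep 15
  for p in $pod; do
    access_external_network "$p" "$PROJECT"
    step_pass
    access_external_network "$p" "$PROJECT" | grep -Fw -- "${EGRESS_IP:?}"
    step_pass
  done

  clean_up_egressIPs
  oc delete all --all -n "$PROJECT"
  sleep 15
}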
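#######################################
# OCP-18434 [bz1553297]: the project's egress IP can be switched between
# the addresses hosted on the nodes.
# Globals:   PROJECT, EGRESS_IP, EGRESS_IP2, EGRESS_IP3 (read)
#            EGRESS_NODE, OTHER_NODE (read after the election)
#######################################
test_switch_egressip() {
  # NOTE(review): fetched over cleartext HTTP with no checksum, so the
  # manifest is only as trustworthy as the network path to that host.
  local -r manifest_url=http://fedorabmeng.usersys.redhat.com/testing/list_for_pods.json
  local pod p ip

  echo -e "$BBlue Test OCP-18434 [bz1553297] Should be able to change the egressIP of the project when there are multiple egressIPs set to nodes. $NC"
  oc project "$PROJECT"
  oc create -f "$manifest_url" -n "$PROJECT"
  wait_for_pod_running test-rc 2
  pod=$(oc get po -n "$PROJECT" | grep Running | cut -d' ' -f1)
  elect_egress_node

  echo -e "$BBlue Add multiple egressIP to different node $NC"
  oc patch hostsubnet "$EGRESS_NODE" -p "{\"egressIPs\":[\"$EGRESS_IP\",\"$EGRESS_IP2\"]}" --config admin.kubeconfig
  oc patch hostsubnet "$OTHER_NODE" -p "{\"egressIPs\":[\"$EGRESS_IP3\"]}" --config admin.kubeconfig

  # Point the project at each address in turn and check that the traffic
  # follows. An empty entry falls back to EGRESS_IP inside
  # assign_egressIP_to_netns, exactly like a missing argument.
  for ip in "$EGRESS_IP" "$EGRESS_IP2" "$EGRESS_IP3"; do
    assign_egressIP_to_netns "$PROJECT" "$ip"
    sleep 15
    # Unquoted on purpose: $pod holds one pod name per word.
    for p in $pod; do
      access_external_network "$p" "$PROJECT"
      step_pass
      # -F/-w: literal, whole-token match; `:?` makes an unset address
      # fail the check instead of matching every line.
      access_external_network "$p" "$PROJECT" | grep -Fw -- "${ip:?}"
      step_pass
    done
  done

  clean_up_egressIPs
  oc delete all --all -n "$PROJECT"
  sleep 15
}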
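#######################################
# OCP-18316 [bz1543786]: an egress IP that was held by a deleted project
# can be reused.
# Globals:   PROJECT, EGRESS_IP (read); EGRESS_NODE (read after election)
#            NEWPROJECT (written)
#######################################
test_reuse_egressip() {
  # NOTE(review): fetched over cleartext HTTP with no checksum, so the
  # manifest is only as trustworthy as the network path to that host.
  local -r manifest_url=http://fedorabmeng.usersys.redhat.com/testing/list_for_pods.json
  local pod p

  echo -e "$BBlue Test OCP-18316 [bz1543786] The egressIPs should work well when re-using the egressIP which is holding by a deleted project. $NC"
  oc project "$PROJECT"
  oc create -f "$manifest_url" -n "$PROJECT"
  assign_egressIP_to_node
  assign_egressIP_to_netns "$PROJECT"
  sleep 15

  echo -e "$BBlue Delete the project $NC"
  oc delete project "$PROJECT"
  # Match the NAME column exactly. A substring match would keep waiting for
  # as long as any other project merely contains this name.
  while oc get project | awk -v name="$PROJECT" '$1 == name { found = 1 } END { exit !found }'; do
    echo -e "Waiting for project to be deleted on server"
    sleep 5
  done
  echo -e "$BBlue Remove the egressIP from node $NC"
  oc patch hostsubnet "$EGRESS_NODE" -p '{"egressIPs":[]}' --config admin.kubeconfig

  # Second project: the IP goes on a node only, not on the netnamespace.
  NEWPROJECT=newegress
  create_project "$NEWPROJECT"
  oc project "$NEWPROJECT"
  oc create -f "$manifest_url" -n "$NEWPROJECT"
  wait_for_pod_running test-rc 2 "$NEWPROJECT"
  pod=$(oc get po -n "$NEWPROJECT" | grep Running | cut -d' ' -f1)
  assign_egressIP_to_node
  sleep 15
  # Unquoted on purpose: $pod holds one pod name per word.
  for p in $pod; do
    access_external_network "$p" "$NEWPROJECT"
    step_pass
    access_external_network "$p" "$NEWPROJECT"
    step_pass
  done

  echo -e "$BBlue Delete the project for the 2nd time $NC"
  oc delete project "$NEWPROJECT"
  while oc get project | awk -v name="$NEWPROJECT" '$1 == name { found = 1 } END { exit !found }'; do
    echo -e "Waiting for project to be deleted on server"
    sleep 5
  done
  echo -e "$BBlue Remove the egressIP from node 2nd time $NC"
  oc patch hostsubnet "$EGRESS_NODE" -p '{"egressIPs":[]}' --config admin.kubeconfig

  # Recreate the original project and reuse the same egress IP.
  create_project "$PROJECT"
  oc project "$PROJECT"
  oc create -f "$manifest_url" -n "$PROJECT"
  wait_for_pod_running test-rc 2
  pod=$(oc get po -n "$PROJECT" | grep Running | cut -d' ' -f1)
  assign_egressIP_to_node
  assign_egressIP_to_netns "$PROJECT"
  sleep 15
  for p in $pod; do
    access_external_network "$p" "$PROJECT"
    step_pass
    # -F/-w: literal, whole-token match; `:?` makes an unset address fail
    # the check instead of matching every line.
    access_external_network "$p" "$PROJECT" | grep -Fw -- "${EGRESS_IP:?}"
    step_pass
  done

  clean_up_egressIPs
  oc delete all --all -n "$PROJECT"
  oc delete project "$NEWPROJECT"
  sleep 15
}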
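#######################################
# OCP-18581: with an egressCIDR on the node, each egress IP assigned to the
# project is used by its pods; the address 10.1.1.100 is expected to break
# external access.
# Globals:   PROJECT, EGRESS_IP, EGRESS_IP2, EGRESS_IP3 (read)
#            EGRESS_IP_OOR (written)
#######################################
test_single_egressCIDR() {
  # NOTE(review): fetched over cleartext HTTP with no checksum, so the
  # manifest is only as trustworthy as the network path to that host.
  local -r manifest_url=http://fedorabmeng.usersys.redhat.com/testing/list_for_pods.json
  local pod p ip

  echo -e "$BBlue Test OCP-18581 The egressIP could be assigned to project automatically once it is defined in hostsubnet egressCIDR. $NC"
  oc project "$PROJECT"
  oc create -f "$manifest_url" -n "$PROJECT"
  wait_for_pod_running test-rc 2
  assign_egressCIDR_to_node
  assign_egressIP_to_netns "$PROJECT"
  sleep 15

  pod=$(oc get po -n "$PROJECT" | grep Running | cut -d' ' -f1)
  # Unquoted on purpose: $pod holds one pod name per word.
  for p in $pod; do
    access_external_network "$p" "$PROJECT"
    step_pass
    # -F/-w: literal, whole-token match; `:?` makes an unset address fail
    # the check instead of matching every line.
    access_external_network "$p" "$PROJECT" | grep -Fw -- "${EGRESS_IP:?}"
    step_pass
  done

  # Switch to the second and third address; there is no pause between the
  # assignment and the checks.
  for ip in "$EGRESS_IP2" "$EGRESS_IP3"; do
    assign_egressIP_to_netns "$PROJECT" "$ip"
    for p in $pod; do
      access_external_network "$p" "$PROJECT"
      step_pass
      access_external_network "$p" "$PROJECT" | grep -Fw -- "${ip:?}"
      step_pass
    done
  done

  EGRESS_IP_OOR=10.1.1.100
  assign_egressIP_to_netns "$PROJECT" "$EGRESS_IP_OOR"
  for p in $pod; do
    access_external_network "$p" "$PROJECT"
    step_fail
  done

  # NOTE(review): clean_up_egressIPs clears egressIPs only; the egressCIDRs
  # set on the node above stay in place after this test.
  clean_up_egressIPs
  oc delete all --all -n "$PROJECT"
  sleep 15
}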
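#######################################
# OCP-20011: with several egressCIDRs on the node, each egress IP assigned
# to the project is used by its pods; the address 10.66.140.180 is expected
# to break external access.
# Globals:   PROJECT, EGRESS_IP, EGRESS_IP2, EGRESS_IP3 (read)
#            EGRESS_IP_OOR (written)
#######################################
test_multiple_egressCIDRs() {
  # NOTE(review): fetched over cleartext HTTP with no checksum, so the
  # manifest is only as trustworthy as the network path to that host.
  local -r manifest_url=http://fedorabmeng.usersys.redhat.com/testing/list_for_pods.json
  local pod p ip

  echo -e "$BBlue Test OCP-20011 The egressIP could be assigned to project automatically when the hostsubnet has multiple egressCIDRs specified. $NC"
  oc project "$PROJECT"
  oc create -f "$manifest_url" -n "$PROJECT"
  wait_for_pod_running test-rc 2
  # The argument is spliced between the quotes of a JSON string; the
  # embedded `","` separators turn it into three array elements.
  assign_egressCIDR_to_node '10.66.140.96/28","10.66.140.200/29","10.66.141.250/32'
  assign_egressIP_to_netns "$PROJECT"
  sleep 15

  pod=$(oc get po -n "$PROJECT" | grep Running | cut -d' ' -f1)
  # Unquoted on purpose: $pod holds one pod name per word.
  for p in $pod; do
    access_external_network "$p" "$PROJECT"
    step_pass
    # -F/-w: literal, whole-token match; `:?` makes an unset address fail
    # the check instead of matching every line.
    access_external_network "$p" "$PROJECT" | grep -Fw -- "${EGRESS_IP:?}"
    step_pass
  done

  # Switch to the second and third address; there is no pause between the
  # assignment and the checks.
  for ip in "$EGRESS_IP2" "$EGRESS_IP3"; do
    assign_egressIP_to_netns "$PROJECT" "$ip"
    for p in $pod; do
      access_external_network "$p" "$PROJECT"
      step_pass
      access_external_network "$p" "$PROJECT" | grep -Fw -- "${ip:?}"
      step_pass
    done
  done

  EGRESS_IP_OOR=10.66.140.180
  assign_egressIP_to_netns "$PROJECT" "$EGRESS_IP_OOR"
  for p in $pod; do
    access_external_network "$p" "$PROJECT"
    step_fail
  done

  # NOTE(review): clean_up_egressIPs clears egressIPs only; the egressCIDRs
  # set on the node above stay in place after this test.
  clean_up_egressIPs
  oc delete all --all -n "$PROJECT"
  sleep 15
}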
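#######################################
# OCP-18586: the same egress IP requested by two netnamespaces is not
# served to both; external access is expected to fail in each project.
# Globals:   PROJECT, EGRESS_CIDR, OTHER_NODE (read)
#            NEWPROJECT (written)
#######################################
test_egressIP_to_different_project() {
  # NOTE(review): fetched over cleartext HTTP with no checksum, so the
  # manifest is only as trustworthy as the network path to that host.
  local -r manifest_url=http://fedorabmeng.usersys.redhat.com/testing/list_for_pods.json
  local pod p

  echo -e "$BBlue Test OCP-18586 The same egressIP will not be assigned to different netnamespace. $NC"
  oc project "$PROJECT"
  oc create -f "$manifest_url" -n "$PROJECT"
  oc scale rc test-rc --replicas=1 -n "$PROJECT"
  wait_for_pod_running test-rc 1

  NEWPROJECT=newegress
  create_project "$NEWPROJECT"
  oc project "$NEWPROJECT"
  oc create -f "$manifest_url" -n "$NEWPROJECT"
  oc scale rc test-rc --replicas=1 -n "$NEWPROJECT"
  wait_for_pod_running test-rc 1 "$NEWPROJECT"

  # Same CIDR on both nodes, same egress IP on both netnamespaces.
  assign_egressCIDR_to_node
  oc patch hostsubnet "$OTHER_NODE" -p "{\"egressCIDRs\":[\"$EGRESS_CIDR\"]}" --config admin.kubeconfig
  assign_egressIP_to_netns "$PROJECT"
  assign_egressIP_to_netns "$NEWPROJECT"

  oc project "$PROJECT"
  pod=$(oc get po -n "$PROJECT" | grep Running | cut -d' ' -f1)
  # Unquoted on purpose: $pod holds one pod name per word.
  for p in $pod; do
    access_external_network "$p" "$PROJECT"
    step_fail
  done

  oc project "$NEWPROJECT"
  pod=$(oc get po -n "$NEWPROJECT" | grep Running | cut -d' ' -f1)
  for p in $pod; do
    access_external_network "$p" "$NEWPROJECT"
    step_fail
  done

  # NOTE(review): clean_up_egressIPs clears egressIPs only; the egressCIDRs
  # set on both nodes above stay in place after this test.
  clean_up_egressIPs
  oc delete project "$NEWPROJECT"
  oc delete all --all -n "$PROJECT"
}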
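#######################################
# Delete every resource in the test project, then pause for 20 seconds.
# Globals:   PROJECT (read); BBlue, NC (read)
#######################################
clean_up_resource() {
  echo -e "$BBlue Delete all resources in project $NC"
  # Quoted so the namespace always reaches oc as exactly one argument.
  oc delete all --all -n "$PROJECT"
  sleep 20
}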
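# Decide whether a test group runs. The toggles used to be executed as
# commands (`if ( $flag )`), which runs whatever text the environment puts
# in them. They are now compared as plain strings: unset, empty or the
# literal "true" enables the group; every other value skips it.
suite_enabled() {
  case "${1-}" in
    '' | true) return 0 ;;
    *) return 1 ;;
  esac
}

# The proxy is configured when USE_PROXY is empty or unset.
if [ -z "$USE_PROXY" ]; then
  set_proxy
fi

PROJECT=egressproject
LOCAL_SERVER=$(ping fedorabmeng.usersys.redhat.com -c1 | grep ttl | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
external_service=$EXTERNAL_SERVICE

prepare_user
clean_node_egressIP
check_ip
oc version

if suite_enabled "$basicfunction"; then
  test_pods_through_egressip
  echo -e "\n"
  test_multi_egressip
  echo -e "\n"
  test_egressip_to_multi_host
  echo -e "\n"
  test_pods_in_other_project
fi
echo -e "\n\n\n\n"

if suite_enabled "$negativetests"; then
  test_only_cluster_admin_can_modify
  echo -e "\n"
  test_egressip_to_multi_netns
  echo -e "\n"
  test_no_node_with_egressip
  echo -e "\n"
  test_negative_values
fi
echo -e "\n\n\n\n"

if suite_enabled "$nodechecks"; then
  test_node_nic
  echo -e "\n"
  test_iptables_openflow_rules
  echo -e "\n"
  test_access_egressip
fi
echo -e "\n\n\n\n"

if suite_enabled "$egressfirewall"; then
  test_egressnetworkpolicy_with_egressip
fi
echo -e "\n\n\n\n"

if suite_enabled "$regressionbugs"; then
  test_add_remove_egressip
  echo -e "\n"
  test_switch_egressip
  echo -e "\n"
  test_reuse_egressip
fi
echo -e "\n\n\n\n"

if suite_enabled "$egressCIDR"; then
  test_single_egressCIDR
  echo -e "\n"
  test_multiple_egressCIDRs
  echo -e "\n"
  test_egressIP_to_different_project
fi
echo -e "\n\n\n\n"

# Clean everything up at the end. Failures are ignored on purpose: a project
# or policy that no longer exists is not an error here.
# NOTE(review): ./admin.kubeconfig, the cluster-admin credential copied by
# prepare_user, is still in the working directory when the script ends.
oc delete project "$PROJECT" || true
oc delete project project2 || true
oc delete project newegress || true
# NOTE(review): this removes a policy from the "default" namespace, while
# test_egressnetworkpolicy_with_egressip creates its policy in $PROJECT.
# Confirm that the namespace is intended.
oc delete egressnetworkpolicy default -n default --config admin.kubeconfig || true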