Resolve issues with object races.
There were two situations, where we were missing security group, one for LB VIP port, which have security group list empty, and on the request VIF in kuryrport, where we cannot create port, because SG was gone during that process. Closes-Bug: 1903641 Change-Id: I6958ebc4ce888e5d8d68e6458e2a6a270fe6c834
This commit is contained in:
parent
bef15d1bbe
commit
3a02832614
|
@ -227,7 +227,12 @@ class LBaaSv2Driver(base.LBaaSDriver):
|
||||||
if CONF.octavia_defaults.enforce_sg_rules:
|
if CONF.octavia_defaults.enforce_sg_rules:
|
||||||
vip_port = self._get_vip_port(loadbalancer)
|
vip_port = self._get_vip_port(loadbalancer)
|
||||||
if vip_port:
|
if vip_port:
|
||||||
lb_sg = vip_port.security_group_ids[0]
|
try:
|
||||||
|
lb_sg = vip_port.security_group_ids[0]
|
||||||
|
except IndexError:
|
||||||
|
LOG.warning("We still waiting for SG to be created for "
|
||||||
|
"VIP %s", vip_port)
|
||||||
|
raise k_exc.ResourceNotReady(listener_id)
|
||||||
else:
|
else:
|
||||||
LOG.debug("Skipping sg update for lb %s", loadbalancer['name'])
|
LOG.debug("Skipping sg update for lb %s", loadbalancer['name'])
|
||||||
return
|
return
|
||||||
|
|
|
@ -225,8 +225,17 @@ class KuryrPortHandler(k8s_base.ResourceEventHandler):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
# Request the default interface of pod
|
# Request the default interface of pod
|
||||||
main_vif = self._drv_vif_pool.request_vif(
|
try:
|
||||||
pod, project_id, subnets, security_groups)
|
main_vif = self._drv_vif_pool.request_vif(pod, project_id,
|
||||||
|
subnets,
|
||||||
|
security_groups)
|
||||||
|
except os_exc.ResourceNotFound:
|
||||||
|
# NOTE(gryf): It might happen, that between getting security
|
||||||
|
# groups above and requesting VIF, network policy is deleted,
|
||||||
|
# hence we will get 404 from OpenStackSDK. Let's retry, to refresh
|
||||||
|
# information regarding SG.
|
||||||
|
LOG.warning("SG not found during VIF requesting. Retrying.")
|
||||||
|
raise k_exc.ResourceNotReady(pod['metadata']['name'])
|
||||||
|
|
||||||
if not main_vif:
|
if not main_vif:
|
||||||
pod_name = pod['metadata']['name']
|
pod_name = pod['metadata']['name']
|
||||||
|
|
|
@ -16,6 +16,7 @@
|
||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
from openstack.network.v2 import port as os_port
|
from openstack.network.v2 import port as os_port
|
||||||
|
from openstack.network.v2 import security_group_rule as os_sgr
|
||||||
from os_vif import objects as osv_objects
|
from os_vif import objects as osv_objects
|
||||||
from os_vif.objects import vif as osv_vif
|
from os_vif.objects import vif as osv_vif
|
||||||
from oslo_serialization import jsonutils
|
from oslo_serialization import jsonutils
|
||||||
|
@ -140,3 +141,23 @@ def get_port_obj(port_id='07cfe856-11cc-43d9-9200-ff4dc02d3620',
|
||||||
'updated_at': u'2019-12-04T15:06:09Z'}
|
'updated_at': u'2019-12-04T15:06:09Z'}
|
||||||
port_data.update(kwargs)
|
port_data.update(kwargs)
|
||||||
return os_port.Port(**port_data)
|
return os_port.Port(**port_data)
|
||||||
|
|
||||||
|
|
||||||
|
def get_sgr_obj(sgr_id='7621d1e0-a2d2-4496-94eb-ffd375d20877',
|
||||||
|
sg_id='cfb3dfc4-7a43-4ba1-b92d-b8b2650d7f88',
|
||||||
|
protocol='tcp', direction='ingress'):
|
||||||
|
|
||||||
|
sgr_data = {'description': '',
|
||||||
|
'direction': direction,
|
||||||
|
'ether_type': 'IPv4',
|
||||||
|
'id': sgr_id,
|
||||||
|
'port_range_max': 8080,
|
||||||
|
'port_range_min': 8080,
|
||||||
|
'project_id': '5ea46368c7fe436bb8732738c149fbce',
|
||||||
|
'protocol': protocol,
|
||||||
|
'remote_group_id': None,
|
||||||
|
'remote_ip_prefix': None,
|
||||||
|
'security_group_id': sg_id,
|
||||||
|
'tenant_id': '5ea46368c7fe436bb8732738c149fbce'}
|
||||||
|
|
||||||
|
return os_sgr.SecurityGroupRule(**sgr_data)
|
||||||
|
|
|
@ -23,10 +23,12 @@ from openstack.load_balancer.v2 import member as o_mem
|
||||||
from openstack.load_balancer.v2 import pool as o_pool
|
from openstack.load_balancer.v2 import pool as o_pool
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from kuryr_kubernetes import constants as k_const
|
||||||
from kuryr_kubernetes.controller.drivers import lbaasv2 as d_lbaasv2
|
from kuryr_kubernetes.controller.drivers import lbaasv2 as d_lbaasv2
|
||||||
from kuryr_kubernetes import exceptions as k_exc
|
from kuryr_kubernetes import exceptions as k_exc
|
||||||
from kuryr_kubernetes.objects import lbaas as obj_lbaas
|
from kuryr_kubernetes.objects import lbaas as obj_lbaas
|
||||||
from kuryr_kubernetes.tests import base as test_base
|
from kuryr_kubernetes.tests import base as test_base
|
||||||
|
from kuryr_kubernetes.tests import fake
|
||||||
from kuryr_kubernetes.tests.unit import kuryr_fixtures as k_fix
|
from kuryr_kubernetes.tests.unit import kuryr_fixtures as k_fix
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = cfg.CONF
|
||||||
|
@ -1041,3 +1043,505 @@ class TestLBaaSv2Driver(test_base.TestCase):
|
||||||
def test_provisioning_timer(self):
|
def test_provisioning_timer(self):
|
||||||
# REVISIT(ivc): add test if _provisioning_timer is to stay
|
# REVISIT(ivc): add test if _provisioning_timer is to stay
|
||||||
self.skipTest("not implemented")
|
self.skipTest("not implemented")
|
||||||
|
|
||||||
|
|
||||||
|
class TestLBaaSv2AppyMembersSecurityGroup(test_base.TestCase):
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
super().setUp()
|
||||||
|
self.lb = {'id': 'a4de5f1a-ac03-45b1-951d-39f108d52e7d',
|
||||||
|
'ip': '10.0.0.142',
|
||||||
|
'name': 'default/lb',
|
||||||
|
'port_id': '5be1b3c4-7d44-4597-9294-cadafdf1ec69',
|
||||||
|
'project_id': '7ef23242bb3f4773a58da681421ab26e',
|
||||||
|
'provider': 'amphora',
|
||||||
|
'security_groups': ['328900a2-c328-41cc-946f-56ae8720ec0d'],
|
||||||
|
'subnet_id': 'c85e2e10-1fad-4218-ad10-7de4aa5de7ce'}
|
||||||
|
self.port = 80
|
||||||
|
self.target_port = 8080
|
||||||
|
self.protocol = 'TCP'
|
||||||
|
self.sg_rule_name = 'default/lb:TCP:80'
|
||||||
|
self.listener_id = '858869ec-e4fa-4715-b22f-bd08889c6235'
|
||||||
|
self.new_sgs = ['48cfc812-a442-44bf-989f-8dbaf23a7007']
|
||||||
|
self.vip = fake.get_port_obj()
|
||||||
|
|
||||||
|
@mock.patch('kuryr_kubernetes.clients.get_network_client')
|
||||||
|
def test__apply_members_security_groups_no_enforce(self, gnc):
|
||||||
|
CONF.set_override('enforce_sg_rules', False, group='octavia_defaults')
|
||||||
|
self.addCleanup(CONF.clear_override, 'enforce_sg_rules',
|
||||||
|
group='octavia_defaults')
|
||||||
|
cls = d_lbaasv2.LBaaSv2Driver
|
||||||
|
m_driver = mock.Mock(spec=d_lbaasv2.LBaaSv2Driver)
|
||||||
|
m_driver._get_vip_port.return_value = None
|
||||||
|
|
||||||
|
cls._apply_members_security_groups(m_driver, self.lb, self.port,
|
||||||
|
self.target_port, self.protocol,
|
||||||
|
self.sg_rule_name,
|
||||||
|
self.listener_id, self.new_sgs)
|
||||||
|
|
||||||
|
m_driver._get_vip_port.assert_not_called()
|
||||||
|
|
||||||
|
@mock.patch('kuryr_kubernetes.clients.get_network_client')
|
||||||
|
def test__apply_members_security_groups_no_vip(self, gnc):
|
||||||
|
cls = d_lbaasv2.LBaaSv2Driver
|
||||||
|
m_driver = mock.Mock(spec=d_lbaasv2.LBaaSv2Driver)
|
||||||
|
m_driver._get_vip_port.return_value = None
|
||||||
|
|
||||||
|
cls._apply_members_security_groups(m_driver, self.lb, self.port,
|
||||||
|
self.target_port, self.protocol,
|
||||||
|
self.sg_rule_name,
|
||||||
|
self.listener_id, self.new_sgs)
|
||||||
|
|
||||||
|
m_driver._get_vip_port.assert_called_once_with(self.lb)
|
||||||
|
|
||||||
|
@mock.patch('kuryr_kubernetes.clients.get_network_client')
|
||||||
|
def test__apply_members_security_groups_no_sg(self, gnc):
|
||||||
|
self.new_sgs = None
|
||||||
|
self.vip.security_group_ids = []
|
||||||
|
cls = d_lbaasv2.LBaaSv2Driver
|
||||||
|
m_driver = mock.Mock(spec=d_lbaasv2.LBaaSv2Driver)
|
||||||
|
m_driver._get_vip_port.return_value = self.vip
|
||||||
|
|
||||||
|
self.assertRaises(k_exc.ResourceNotReady,
|
||||||
|
cls._apply_members_security_groups, m_driver,
|
||||||
|
self.lb, self.port, self.target_port, self.protocol,
|
||||||
|
self.sg_rule_name, self.listener_id, self.new_sgs)
|
||||||
|
|
||||||
|
m_driver._get_vip_port.assert_called_once_with(self.lb)
|
||||||
|
|
||||||
|
@mock.patch('kuryr_kubernetes.clients.get_network_client')
|
||||||
|
def test__apply_members_security_groups_conf_with_octavia_acls(self, gnc):
|
||||||
|
self.new_sgs = None
|
||||||
|
cls = d_lbaasv2.LBaaSv2Driver
|
||||||
|
m_driver = mock.Mock(spec=d_lbaasv2.LBaaSv2Driver)
|
||||||
|
m_driver._get_vip_port = mock.Mock(return_value=self.vip)
|
||||||
|
m_driver._octavia_acls = True
|
||||||
|
m_driver._create_listeners_acls = mock.Mock()
|
||||||
|
|
||||||
|
cls._apply_members_security_groups(m_driver, self.lb, self.port,
|
||||||
|
self.target_port, self.protocol,
|
||||||
|
self.sg_rule_name, self.listener_id,
|
||||||
|
self.new_sgs)
|
||||||
|
|
||||||
|
m_driver._get_vip_port.assert_called_once_with(self.lb)
|
||||||
|
m_driver._create_listeners_acls.assert_called_once_with(
|
||||||
|
self.lb, self.port, self.target_port, self.protocol,
|
||||||
|
self.vip.security_group_ids[0], self.new_sgs, self.listener_id)
|
||||||
|
|
||||||
|
def test__apply_members_security_groups_new_sgs(self):
|
||||||
|
os_net = self.useFixture(k_fix.MockNetworkClient()).client
|
||||||
|
cls = d_lbaasv2.LBaaSv2Driver
|
||||||
|
m_driver = mock.Mock(spec=d_lbaasv2.LBaaSv2Driver)
|
||||||
|
m_driver._get_vip_port.return_value = self.vip
|
||||||
|
m_driver._octavia_acls = False
|
||||||
|
os_net.security_group_rules.return_value = []
|
||||||
|
CONF.set_override('pod_security_groups', [], group='neutron_defaults')
|
||||||
|
self.addCleanup(CONF.clear_override, 'pod_security_groups',
|
||||||
|
group='neutron_defaults')
|
||||||
|
|
||||||
|
cls._apply_members_security_groups(m_driver, self.lb, self.port,
|
||||||
|
self.target_port, self.protocol,
|
||||||
|
self.sg_rule_name, self.listener_id,
|
||||||
|
self.new_sgs)
|
||||||
|
|
||||||
|
m_driver._get_vip_port.assert_called_once_with(self.lb)
|
||||||
|
os_net.security_group_rules.assert_has_calls([
|
||||||
|
mock.call(security_group_id=self.vip.security_group_ids[0],
|
||||||
|
project_id=self.lb['project_id']),
|
||||||
|
mock.call(security_group_id=self.new_sgs[0])])
|
||||||
|
|
||||||
|
def test__apply_members_security_groups_conf_lb_sgs(self):
|
||||||
|
os_net = self.useFixture(k_fix.MockNetworkClient()).client
|
||||||
|
cls = d_lbaasv2.LBaaSv2Driver
|
||||||
|
m_driver = mock.Mock(spec=d_lbaasv2.LBaaSv2Driver)
|
||||||
|
m_driver._get_vip_port.return_value = self.vip
|
||||||
|
m_driver._octavia_acls = False
|
||||||
|
sgr = fake.get_sgr_obj()
|
||||||
|
os_net.security_group_rules.side_effect = ([], [sgr])
|
||||||
|
self.new_sgs = []
|
||||||
|
CONF.set_override('pod_security_groups', [], group='neutron_defaults')
|
||||||
|
self.addCleanup(CONF.clear_override, 'pod_security_groups',
|
||||||
|
group='neutron_defaults')
|
||||||
|
|
||||||
|
cls._apply_members_security_groups(m_driver, self.lb, self.port,
|
||||||
|
self.target_port, self.protocol,
|
||||||
|
self.sg_rule_name,
|
||||||
|
self.listener_id, self.new_sgs)
|
||||||
|
|
||||||
|
m_driver._get_vip_port.assert_called_once_with(self.lb)
|
||||||
|
os_net.security_group_rules.assert_has_calls([
|
||||||
|
mock.call(security_group_id=self.vip.security_group_ids[0],
|
||||||
|
project_id=self.lb['project_id']),
|
||||||
|
mock.call(security_group_id=self.lb['security_groups'][0])])
|
||||||
|
os_net.create_security_group_rule.assert_called_once_with(
|
||||||
|
direction='ingress',
|
||||||
|
ether_type=k_const.IPv4,
|
||||||
|
port_range_min=self.port,
|
||||||
|
port_range_max=self.port,
|
||||||
|
protocol=self.protocol,
|
||||||
|
remote_ip_prefix=sgr.remote_ip_prefix,
|
||||||
|
security_group_id=sgr.security_group_id,
|
||||||
|
description=self.sg_rule_name)
|
||||||
|
|
||||||
|
def test__apply_members_security_groups_conf_lb_sgs_conflict(self):
|
||||||
|
os_net = self.useFixture(k_fix.MockNetworkClient()).client
|
||||||
|
cls = d_lbaasv2.LBaaSv2Driver
|
||||||
|
m_driver = mock.Mock(spec=d_lbaasv2.LBaaSv2Driver)
|
||||||
|
m_driver._get_vip_port.return_value = self.vip
|
||||||
|
m_driver._octavia_acls = False
|
||||||
|
sgr = fake.get_sgr_obj()
|
||||||
|
os_net.security_group_rules.side_effect = ([], [sgr])
|
||||||
|
os_net.create_security_group_rule.side_effect = (os_exc
|
||||||
|
.ConflictException)
|
||||||
|
self.new_sgs = []
|
||||||
|
CONF.set_override('pod_security_groups', [], group='neutron_defaults')
|
||||||
|
self.addCleanup(CONF.clear_override, 'pod_security_groups',
|
||||||
|
group='neutron_defaults')
|
||||||
|
|
||||||
|
cls._apply_members_security_groups(m_driver, self.lb, self.port,
|
||||||
|
self.target_port, self.protocol,
|
||||||
|
self.sg_rule_name,
|
||||||
|
self.listener_id, self.new_sgs)
|
||||||
|
|
||||||
|
m_driver._get_vip_port.assert_called_once_with(self.lb)
|
||||||
|
os_net.security_group_rules.assert_has_calls([
|
||||||
|
mock.call(security_group_id=self.vip.security_group_ids[0],
|
||||||
|
project_id=self.lb['project_id']),
|
||||||
|
mock.call(security_group_id=self.lb['security_groups'][0])])
|
||||||
|
os_net.create_security_group_rule.assert_called_once_with(
|
||||||
|
direction='ingress',
|
||||||
|
ether_type=k_const.IPv4,
|
||||||
|
port_range_min=self.port,
|
||||||
|
port_range_max=self.port,
|
||||||
|
protocol=self.protocol,
|
||||||
|
remote_ip_prefix=None,
|
||||||
|
security_group_id=self.vip.security_group_ids[0],
|
||||||
|
description=self.sg_rule_name)
|
||||||
|
|
||||||
|
def test__apply_members_security_groups_conf_lb_sgs_sdkexception(self):
|
||||||
|
os_net = self.useFixture(k_fix.MockNetworkClient()).client
|
||||||
|
cls = d_lbaasv2.LBaaSv2Driver
|
||||||
|
m_driver = mock.Mock(spec=d_lbaasv2.LBaaSv2Driver)
|
||||||
|
m_driver._get_vip_port.return_value = self.vip
|
||||||
|
m_driver._octavia_acls = False
|
||||||
|
sgr = fake.get_sgr_obj()
|
||||||
|
os_net.security_group_rules.side_effect = ([], [sgr])
|
||||||
|
os_net.create_security_group_rule.side_effect = os_exc.SDKException
|
||||||
|
self.new_sgs = []
|
||||||
|
CONF.set_override('pod_security_groups', [], group='neutron_defaults')
|
||||||
|
self.addCleanup(CONF.clear_override, 'pod_security_groups',
|
||||||
|
group='neutron_defaults')
|
||||||
|
|
||||||
|
cls._apply_members_security_groups(m_driver, self.lb, self.port,
|
||||||
|
self.target_port, self.protocol,
|
||||||
|
self.sg_rule_name,
|
||||||
|
self.listener_id, self.new_sgs)
|
||||||
|
|
||||||
|
m_driver._get_vip_port.assert_called_once_with(self.lb)
|
||||||
|
os_net.security_group_rules.assert_has_calls([
|
||||||
|
mock.call(security_group_id=self.vip.security_group_ids[0],
|
||||||
|
project_id=self.lb['project_id']),
|
||||||
|
mock.call(security_group_id=self.lb['security_groups'][0])])
|
||||||
|
os_net.create_security_group_rule.assert_called_once_with(
|
||||||
|
direction='ingress',
|
||||||
|
ether_type=k_const.IPv4,
|
||||||
|
port_range_min=self.port,
|
||||||
|
port_range_max=self.port,
|
||||||
|
protocol=self.protocol,
|
||||||
|
remote_ip_prefix=None,
|
||||||
|
security_group_id=self.vip.security_group_ids[0],
|
||||||
|
description=self.sg_rule_name)
|
||||||
|
|
||||||
|
@mock.patch("kuryr_kubernetes.utils.get_service_subnet_version",
|
||||||
|
return_value=k_const.IP_VERSION_6)
|
||||||
|
def test__apply_members_security_groups_ipv6_add_default(self, gssv):
|
||||||
|
os_net = self.useFixture(k_fix.MockNetworkClient()).client
|
||||||
|
cls = d_lbaasv2.LBaaSv2Driver
|
||||||
|
m_driver = mock.Mock(spec=d_lbaasv2.LBaaSv2Driver)
|
||||||
|
m_driver._get_vip_port.return_value = self.vip
|
||||||
|
m_driver._octavia_acls = False
|
||||||
|
os_net.security_group_rules.return_value = []
|
||||||
|
CONF.set_override('pod_security_groups', self.new_sgs,
|
||||||
|
group='neutron_defaults')
|
||||||
|
self.addCleanup(CONF.clear_override, 'pod_security_groups',
|
||||||
|
group='neutron_defaults')
|
||||||
|
|
||||||
|
cls._apply_members_security_groups(m_driver, self.lb, self.port,
|
||||||
|
self.target_port, self.protocol,
|
||||||
|
self.sg_rule_name, self.listener_id,
|
||||||
|
self.new_sgs)
|
||||||
|
|
||||||
|
m_driver._get_vip_port.assert_called_once_with(self.lb)
|
||||||
|
os_net.security_group_rules.assert_called_once_with(
|
||||||
|
security_group_id=self.vip.security_group_ids[0],
|
||||||
|
project_id=self.lb['project_id'])
|
||||||
|
os_net.create_security_group_rule.assert_called_once_with(
|
||||||
|
direction='ingress',
|
||||||
|
ether_type=k_const.IPv6,
|
||||||
|
port_range_min=self.port,
|
||||||
|
port_range_max=self.port,
|
||||||
|
protocol=self.protocol,
|
||||||
|
security_group_id=self.vip.security_group_ids[0],
|
||||||
|
description=self.sg_rule_name)
|
||||||
|
|
||||||
|
def test__apply_members_security_groups_add_default_conflict(self):
|
||||||
|
os_net = self.useFixture(k_fix.MockNetworkClient()).client
|
||||||
|
cls = d_lbaasv2.LBaaSv2Driver
|
||||||
|
m_driver = mock.Mock(spec=d_lbaasv2.LBaaSv2Driver)
|
||||||
|
m_driver._get_vip_port.return_value = self.vip
|
||||||
|
m_driver._octavia_acls = False
|
||||||
|
os_net.security_group_rules.return_value = []
|
||||||
|
CONF.set_override('pod_security_groups', self.new_sgs,
|
||||||
|
group='neutron_defaults')
|
||||||
|
self.addCleanup(CONF.clear_override, 'pod_security_groups',
|
||||||
|
group='neutron_defaults')
|
||||||
|
os_net.create_security_group_rule.side_effect = (os_exc
|
||||||
|
.ConflictException)
|
||||||
|
|
||||||
|
cls._apply_members_security_groups(m_driver, self.lb, self.port,
|
||||||
|
self.target_port, self.protocol,
|
||||||
|
self.sg_rule_name, self.listener_id,
|
||||||
|
self.new_sgs)
|
||||||
|
|
||||||
|
m_driver._get_vip_port.assert_called_once_with(self.lb)
|
||||||
|
os_net.security_group_rules.assert_called_once_with(
|
||||||
|
security_group_id=self.vip.security_group_ids[0],
|
||||||
|
project_id=self.lb['project_id'])
|
||||||
|
os_net.create_security_group_rule.assert_called_once_with(
|
||||||
|
direction='ingress',
|
||||||
|
ether_type=k_const.IPv4,
|
||||||
|
port_range_min=self.port,
|
||||||
|
port_range_max=self.port,
|
||||||
|
protocol=self.protocol,
|
||||||
|
security_group_id=self.vip.security_group_ids[0],
|
||||||
|
description=self.sg_rule_name)
|
||||||
|
|
||||||
|
def test__apply_members_security_groups_add_default_sdk_exception(self):
|
||||||
|
os_net = self.useFixture(k_fix.MockNetworkClient()).client
|
||||||
|
cls = d_lbaasv2.LBaaSv2Driver
|
||||||
|
m_driver = mock.Mock(spec=d_lbaasv2.LBaaSv2Driver)
|
||||||
|
m_driver._get_vip_port.return_value = self.vip
|
||||||
|
m_driver._octavia_acls = False
|
||||||
|
os_net.security_group_rules.return_value = []
|
||||||
|
CONF.set_override('pod_security_groups', self.new_sgs,
|
||||||
|
group='neutron_defaults')
|
||||||
|
self.addCleanup(CONF.clear_override, 'pod_security_groups',
|
||||||
|
group='neutron_defaults')
|
||||||
|
os_net.create_security_group_rule.side_effect = os_exc.SDKException
|
||||||
|
|
||||||
|
cls._apply_members_security_groups(m_driver, self.lb, self.port,
|
||||||
|
self.target_port, self.protocol,
|
||||||
|
self.sg_rule_name, self.listener_id,
|
||||||
|
self.new_sgs)
|
||||||
|
|
||||||
|
m_driver._get_vip_port.assert_called_once_with(self.lb)
|
||||||
|
os_net.security_group_rules.assert_called_once_with(
|
||||||
|
security_group_id=self.vip.security_group_ids[0],
|
||||||
|
project_id=self.lb['project_id'])
|
||||||
|
os_net.create_security_group_rule.assert_called_once_with(
|
||||||
|
direction='ingress',
|
||||||
|
ether_type=k_const.IPv4,
|
||||||
|
port_range_min=self.port,
|
||||||
|
port_range_max=self.port,
|
||||||
|
protocol=self.protocol,
|
||||||
|
security_group_id=self.vip.security_group_ids[0],
|
||||||
|
description=self.sg_rule_name)
|
||||||
|
|
||||||
|
def test__apply_members_security_groups_same_sg(self):
|
||||||
|
os_net = self.useFixture(k_fix.MockNetworkClient()).client
|
||||||
|
cls = d_lbaasv2.LBaaSv2Driver
|
||||||
|
m_driver = mock.Mock(spec=d_lbaasv2.LBaaSv2Driver)
|
||||||
|
self.vip.security_group_ids = self.new_sgs
|
||||||
|
m_driver._get_vip_port.return_value = self.vip
|
||||||
|
m_driver._octavia_acls = False
|
||||||
|
os_net.security_group_rules.return_value = []
|
||||||
|
CONF.set_override('pod_security_groups', [], group='neutron_defaults')
|
||||||
|
self.addCleanup(CONF.clear_override, 'pod_security_groups',
|
||||||
|
group='neutron_defaults')
|
||||||
|
|
||||||
|
cls._apply_members_security_groups(m_driver, self.lb, self.port,
|
||||||
|
self.target_port, self.protocol,
|
||||||
|
self.sg_rule_name, self.listener_id,
|
||||||
|
self.new_sgs)
|
||||||
|
|
||||||
|
m_driver._get_vip_port.assert_called_once_with(self.lb)
|
||||||
|
os_net.security_group_rules.assert_called_once_with(
|
||||||
|
security_group_id=self.vip.security_group_ids[0],
|
||||||
|
project_id=self.lb['project_id'])
|
||||||
|
|
||||||
|
def test__apply_members_security_groups_unmatched_target_port(self):
|
||||||
|
os_net = self.useFixture(k_fix.MockNetworkClient()).client
|
||||||
|
cls = d_lbaasv2.LBaaSv2Driver
|
||||||
|
m_driver = mock.Mock(spec=d_lbaasv2.LBaaSv2Driver)
|
||||||
|
m_driver._get_vip_port.return_value = self.vip
|
||||||
|
m_driver._octavia_acls = False
|
||||||
|
sgr = fake.get_sgr_obj()
|
||||||
|
self.target_port = 9090
|
||||||
|
os_net.security_group_rules.side_effect = ([], [sgr])
|
||||||
|
self.new_sgs = []
|
||||||
|
CONF.set_override('pod_security_groups', [], group='neutron_defaults')
|
||||||
|
self.addCleanup(CONF.clear_override, 'pod_security_groups',
|
||||||
|
group='neutron_defaults')
|
||||||
|
|
||||||
|
cls._apply_members_security_groups(m_driver, self.lb, self.port,
|
||||||
|
self.target_port, self.protocol,
|
||||||
|
self.sg_rule_name,
|
||||||
|
self.listener_id, self.new_sgs)
|
||||||
|
|
||||||
|
m_driver._get_vip_port.assert_called_once_with(self.lb)
|
||||||
|
os_net.security_group_rules.assert_has_calls([
|
||||||
|
mock.call(security_group_id=self.vip.security_group_ids[0],
|
||||||
|
project_id=self.lb['project_id']),
|
||||||
|
mock.call(security_group_id=self.lb['security_groups'][0])])
|
||||||
|
os_net.create_security_group_rule.assert_not_called()
|
||||||
|
|
||||||
|
def test__apply_members_security_groups_egress(self):
|
||||||
|
os_net = self.useFixture(k_fix.MockNetworkClient()).client
|
||||||
|
cls = d_lbaasv2.LBaaSv2Driver
|
||||||
|
m_driver = mock.Mock(spec=d_lbaasv2.LBaaSv2Driver)
|
||||||
|
m_driver._get_vip_port.return_value = self.vip
|
||||||
|
m_driver._octavia_acls = False
|
||||||
|
sgr = fake.get_sgr_obj(direction='egress')
|
||||||
|
os_net.security_group_rules.side_effect = ([], [sgr])
|
||||||
|
self.new_sgs = []
|
||||||
|
CONF.set_override('pod_security_groups', [], group='neutron_defaults')
|
||||||
|
self.addCleanup(CONF.clear_override, 'pod_security_groups',
|
||||||
|
group='neutron_defaults')
|
||||||
|
|
||||||
|
cls._apply_members_security_groups(m_driver, self.lb, self.port,
|
||||||
|
self.target_port, self.protocol,
|
||||||
|
self.sg_rule_name,
|
||||||
|
self.listener_id, self.new_sgs)
|
||||||
|
|
||||||
|
m_driver._get_vip_port.assert_called_once_with(self.lb)
|
||||||
|
os_net.security_group_rules.assert_has_calls([
|
||||||
|
mock.call(security_group_id=self.vip.security_group_ids[0],
|
||||||
|
project_id=self.lb['project_id']),
|
||||||
|
mock.call(security_group_id=self.lb['security_groups'][0])])
|
||||||
|
os_net.create_security_group_rule.assert_not_called()
|
||||||
|
|
||||||
|
def test__apply_members_security_groups_no_delete_lbaas_rules(self):
|
||||||
|
os_net = self.useFixture(k_fix.MockNetworkClient()).client
|
||||||
|
cls = d_lbaasv2.LBaaSv2Driver
|
||||||
|
m_driver = mock.Mock(spec=d_lbaasv2.LBaaSv2Driver)
|
||||||
|
m_driver._get_vip_port.return_value = self.vip
|
||||||
|
m_driver._octavia_acls = False
|
||||||
|
self.lb['security_groups'] = []
|
||||||
|
self.new_sgs = []
|
||||||
|
sgr = fake.get_sgr_obj()
|
||||||
|
os_net.security_group_rules.return_value = [sgr]
|
||||||
|
|
||||||
|
cls._apply_members_security_groups(m_driver, self.lb, self.port,
|
||||||
|
self.target_port, self.protocol,
|
||||||
|
self.sg_rule_name,
|
||||||
|
self.listener_id, self.new_sgs)
|
||||||
|
|
||||||
|
m_driver._get_vip_port.assert_called_once_with(self.lb)
|
||||||
|
os_net.security_group_rules.assert_called_once_with(
|
||||||
|
security_group_id=self.vip.security_group_ids[0],
|
||||||
|
project_id=self.lb['project_id'])
|
||||||
|
os_net.create_security_group_rule.assert_not_called()
|
||||||
|
|
||||||
|
def test__apply_members_security_groups_delete_matched_lbaas_rules(self):
|
||||||
|
os_net = self.useFixture(k_fix.MockNetworkClient()).client
|
||||||
|
cls = d_lbaasv2.LBaaSv2Driver
|
||||||
|
m_driver = mock.Mock(spec=d_lbaasv2.LBaaSv2Driver)
|
||||||
|
m_driver._get_vip_port.return_value = self.vip
|
||||||
|
m_driver._octavia_acls = False
|
||||||
|
sgr = fake.get_sgr_obj()
|
||||||
|
os_net.security_group_rules.side_effect = ([sgr], [sgr])
|
||||||
|
self.new_sgs = []
|
||||||
|
CONF.set_override('pod_security_groups', [], group='neutron_defaults')
|
||||||
|
self.addCleanup(CONF.clear_override, 'pod_security_groups',
|
||||||
|
group='neutron_defaults')
|
||||||
|
|
||||||
|
cls._apply_members_security_groups(m_driver, self.lb, self.port,
|
||||||
|
self.target_port, self.protocol,
|
||||||
|
self.sg_rule_name,
|
||||||
|
self.listener_id, self.new_sgs)
|
||||||
|
|
||||||
|
m_driver._get_vip_port.assert_called_once_with(self.lb)
|
||||||
|
os_net.security_group_rules.assert_has_calls([
|
||||||
|
mock.call(security_group_id=self.vip.security_group_ids[0],
|
||||||
|
project_id=self.lb['project_id']),
|
||||||
|
mock.call(security_group_id=self.lb['security_groups'][0])])
|
||||||
|
os_net.create_security_group_rule.assert_called_once_with(
|
||||||
|
direction='ingress',
|
||||||
|
ether_type=k_const.IPv4,
|
||||||
|
port_range_min=self.port,
|
||||||
|
port_range_max=self.port,
|
||||||
|
protocol=self.protocol,
|
||||||
|
remote_ip_prefix=sgr.remote_ip_prefix,
|
||||||
|
security_group_id=sgr.security_group_id,
|
||||||
|
description=self.sg_rule_name)
|
||||||
|
os_net.delete_security_group_rule.assert_called_once_with(sgr.id)
|
||||||
|
|
||||||
|
def test__apply_members_security_groups_delete_unmatched_lbaas_rules(self):
|
||||||
|
os_net = self.useFixture(k_fix.MockNetworkClient()).client
|
||||||
|
cls = d_lbaasv2.LBaaSv2Driver
|
||||||
|
m_driver = mock.Mock(spec=d_lbaasv2.LBaaSv2Driver)
|
||||||
|
m_driver._get_vip_port.return_value = self.vip
|
||||||
|
m_driver._octavia_acls = False
|
||||||
|
sgr = fake.get_sgr_obj()
|
||||||
|
os_net.security_group_rules.side_effect = ([sgr], [sgr])
|
||||||
|
self.new_sgs = []
|
||||||
|
CONF.set_override('pod_security_groups', [], group='neutron_defaults')
|
||||||
|
self.addCleanup(CONF.clear_override, 'pod_security_groups',
|
||||||
|
group='neutron_defaults')
|
||||||
|
self.port = 8080
|
||||||
|
|
||||||
|
cls._apply_members_security_groups(m_driver, self.lb, self.port,
|
||||||
|
self.target_port, self.protocol,
|
||||||
|
self.sg_rule_name,
|
||||||
|
self.listener_id, self.new_sgs)
|
||||||
|
|
||||||
|
m_driver._get_vip_port.assert_called_once_with(self.lb)
|
||||||
|
os_net.security_group_rules.assert_has_calls([
|
||||||
|
mock.call(security_group_id=self.vip.security_group_ids[0],
|
||||||
|
project_id=self.lb['project_id']),
|
||||||
|
mock.call(security_group_id=self.lb['security_groups'][0])])
|
||||||
|
os_net.create_security_group_rule.assert_called_once_with(
|
||||||
|
direction='ingress',
|
||||||
|
ether_type=k_const.IPv4,
|
||||||
|
port_range_min=self.port,
|
||||||
|
port_range_max=self.port,
|
||||||
|
protocol=self.protocol,
|
||||||
|
remote_ip_prefix=sgr.remote_ip_prefix,
|
||||||
|
security_group_id=sgr.security_group_id,
|
||||||
|
description=self.sg_rule_name)
|
||||||
|
m_driver._delete_rule_if_no_match.assert_called_once_with(sgr, [sgr])
|
||||||
|
|
||||||
|
def test__apply_members_security_groups_delete_no_default_lbaas_rules(
|
||||||
|
self):
|
||||||
|
os_net = self.useFixture(k_fix.MockNetworkClient()).client
|
||||||
|
cls = d_lbaasv2.LBaaSv2Driver
|
||||||
|
m_driver = mock.Mock(spec=d_lbaasv2.LBaaSv2Driver)
|
||||||
|
m_driver._get_vip_port.return_value = self.vip
|
||||||
|
m_driver._octavia_acls = False
|
||||||
|
sgr = fake.get_sgr_obj()
|
||||||
|
os_net.security_group_rules.side_effect = ([sgr], [sgr])
|
||||||
|
self.new_sgs = []
|
||||||
|
CONF.set_override('pod_security_groups', [], group='neutron_defaults')
|
||||||
|
self.addCleanup(CONF.clear_override, 'pod_security_groups',
|
||||||
|
group='neutron_defaults')
|
||||||
|
m_driver._is_default_rule.return_value = False
|
||||||
|
|
||||||
|
cls._apply_members_security_groups(m_driver, self.lb, self.port,
|
||||||
|
self.target_port, self.protocol,
|
||||||
|
self.sg_rule_name,
|
||||||
|
self.listener_id, self.new_sgs)
|
||||||
|
|
||||||
|
m_driver._get_vip_port.assert_called_once_with(self.lb)
|
||||||
|
os_net.security_group_rules.assert_has_calls([
|
||||||
|
mock.call(security_group_id=self.vip.security_group_ids[0],
|
||||||
|
project_id=self.lb['project_id']),
|
||||||
|
mock.call(security_group_id=self.lb['security_groups'][0])])
|
||||||
|
os_net.create_security_group_rule.assert_called_once_with(
|
||||||
|
direction='ingress',
|
||||||
|
ether_type=k_const.IPv4,
|
||||||
|
port_range_min=self.port,
|
||||||
|
port_range_max=self.port,
|
||||||
|
protocol=self.protocol,
|
||||||
|
remote_ip_prefix=sgr.remote_ip_prefix,
|
||||||
|
security_group_id=sgr.security_group_id,
|
||||||
|
description=self.sg_rule_name)
|
||||||
|
|
|
@ -564,6 +564,37 @@ class TestKuryrPortHandler(test_base.TestCase):
|
||||||
mock.sentinel.subnets,
|
mock.sentinel.subnets,
|
||||||
self._security_groups)
|
self._security_groups)
|
||||||
|
|
||||||
|
@mock.patch('kuryr_kubernetes.controller.drivers.vif_pool.MultiVIFPool.'
|
||||||
|
'request_vif')
|
||||||
|
@mock.patch('kuryr_kubernetes.controller.drivers.default_subnet.'
|
||||||
|
'DefaultPodSubnetDriver.get_subnets')
|
||||||
|
@mock.patch('kuryr_kubernetes.controller.drivers.default_security_groups.'
|
||||||
|
'DefaultPodSecurityGroupsDriver.get_security_groups')
|
||||||
|
@mock.patch('kuryr_kubernetes.controller.drivers.default_project.'
|
||||||
|
'DefaultPodProjectDriver.get_project')
|
||||||
|
@mock.patch('kuryr_kubernetes.clients.get_kubernetes_client')
|
||||||
|
@mock.patch('kuryr_kubernetes.controller.drivers.base.MultiVIFDriver.'
|
||||||
|
'get_enabled_drivers')
|
||||||
|
def test_get_vifs_resource_not_found(self, ged, k8s, get_project, get_sg,
|
||||||
|
get_subnets, request_vif):
|
||||||
|
ged.return_value = [self._driver]
|
||||||
|
kp = kuryrport.KuryrPortHandler()
|
||||||
|
kp.k8s.get.return_value = self._pod
|
||||||
|
get_sg.return_value = self._security_groups
|
||||||
|
get_project.return_value = self._project_id
|
||||||
|
get_subnets.return_value = mock.sentinel.subnets
|
||||||
|
request_vif.side_effect = os_exc.ResourceNotFound()
|
||||||
|
|
||||||
|
self.assertRaises(k_exc.ResourceNotReady, kp.get_vifs, self._kp)
|
||||||
|
|
||||||
|
kp.k8s.get.assert_called_once_with(self._pod_uri)
|
||||||
|
get_project.assert_called_once_with(self._pod)
|
||||||
|
get_sg.assert_called_once_with(self._pod, self._project_id)
|
||||||
|
get_subnets.assert_called_once_with(self._pod, self._project_id)
|
||||||
|
request_vif.assert_called_once_with(self._pod, self._project_id,
|
||||||
|
mock.sentinel.subnets,
|
||||||
|
self._security_groups)
|
||||||
|
|
||||||
@mock.patch('kuryr_kubernetes.controller.handlers.kuryrport.'
|
@mock.patch('kuryr_kubernetes.controller.handlers.kuryrport.'
|
||||||
'KuryrPortHandler._update_kuryrport_crd')
|
'KuryrPortHandler._update_kuryrport_crd')
|
||||||
@mock.patch('kuryr_kubernetes.controller.drivers.vif_pool.MultiVIFPool.'
|
@mock.patch('kuryr_kubernetes.controller.drivers.vif_pool.MultiVIFPool.'
|
||||||
|
|
Loading…
Reference in New Issue