Update network policy test executed in osh-infra job

This updates the network policy test that gets executed at the
conclusion of the network-policy job. As long as nsenter is used,
we need to account for situations where nsenter executing wget
fails due to invalid credentials. Since this validates that the policy
successfully allows ingress traffic even though wget exits with an
error code (6 for invalid credentials vs 4 for connection
timeouts), we should consider those scenarios successes.

This also updates the flags used for wget. Instead of using spider
mode, this enables flags for: recursive mode, not creating
directories, and deleting results after execution. This allows for
the testing of exporter endpoint paths explicitly.

Change-Id: I2d51e8ed5a153c2a6796e0df9b3fe5f710a947f9
Steve Wilkerson 2019-02-11 13:34:41 -06:00
parent ef3adc4d0e
commit a03d047e07


@ -27,13 +27,25 @@ function test_netpol {
POD=$(kubectl -n $NS get pod -l application=$APPLICATION,component=$COMPONENT | grep Running | cut -f 1 -d " " | head -n 1)
PID=$(sudo docker inspect --format '{{ .State.Pid }}' $(kubectl get pods --namespace $NS $POD -o jsonpath='{.status.containerStatuses[0].containerID}' | cut -c 10-21))
if [ "x${STATUS}" == "xfail" ]; then
if ! sudo nsenter -t $PID -n wget --spider --timeout=5 --tries=1 $HOST ; then
echo "Connection timed out; as expected by policy."
if ! sudo nsenter -t $PID -n wget -r -nd --delete-after --timeout=5 --tries=1 $HOST ; then
if [[ "$?" == 6 ]]; then
exit 1
else
echo "Connection timed out; as expected by policy."
fi
else
exit 1
fi
else
sudo nsenter -t $PID -n wget --spider --timeout=10 --tries=1 $HOST
if sudo nsenter -t $PID -n wget -r -nd --delete-after --timeout=10 --tries=1 $HOST; then
echo "Connection successful; as expected by policy"
# NOTE(srwilkers): If wget returns error code 6 (invalid credentials), we should consider it
# a success
elif [[ "$?" == 6 ]]; then
echo "Connection successful; as expected by policy"
else
exit 1
fi
fi
}
# Doing negative tests
@ -43,5 +55,3 @@ test_netpol osh-infra mariadb server prometheus.osh-infra.svc.cluster.local fail
# Doing positive tests
test_netpol osh-infra grafana dashboard mariadb.osh-infra.svc.cluster.local:3306 success
echo Test successfully
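Review bot: In the `fail` branch of test_netpol (the function begins above the hunk), `[[ "$?" == 6 ]]` can never be true, because inside `if ! sudo nsenter … ; then` the value of `$?` is the negated status, which is 0. A wget exit of 6 means the endpoint answered, so the policy did not block the traffic, yet it falls through to "Connection timed out; as expected by policy." and the negative test passes. Capture wget's status in a variable before testing it, as in the excerpt below. The excerpt accepts only 4, the timeout code named in the commit message, so other wget failures no longer count as a blocked connection. The `elif [[ "$?" == 6 ]]` in the success branch is unaffected, since that `if` is not negated.

```shell
  if [ "x${STATUS}" == "xfail" ]; then
    local rc=0
    sudo nsenter -t $PID -n wget -r -nd --delete-after --timeout=5 --tries=1 $HOST || rc=$?
    # 4 = network failure (traffic blocked); 0 or 6 mean the endpoint answered
    if [[ "$rc" == 4 ]]; then
      echo "Connection timed out; as expected by policy."
    else
      exit 1
    fi
  else
    # … unchanged: success branch …
```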