From a03d047e0740ef485dfce85d21b5ae2a04940132 Mon Sep 17 00:00:00 2001
From: Steve Wilkerson
Date: Mon, 11 Feb 2019 13:34:41 -0600
Subject: [PATCH] Update network policy test executed in osh-infra job This updates the network policy test that gets executed at the conclusion of the network-policy job. As long as nsenter is used, we need to account for situations where nsenter executing wget fails due to invalid credentials. Since this validates the policy successfully allows ingress traffic while still exiting with an error code (6 for invalid credentials vs 4 for connection timeouts), we should consider those scenarios successes. This also updates the flags used for wget. Instead of using spider mode, this enables flags for: recursive mode, not creating directories, and deleting results after execution. This allows for the testing of exporter endpoint paths explicitly.
Change-Id: I2d51e8ed5a153c2a6796e0df9b3fe5f710a947f9
---
 .../network-policy/901-test-networkpolicy.sh | 20 ++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/tools/deployment/network-policy/901-test-networkpolicy.sh b/tools/deployment/network-policy/901-test-networkpolicy.sh
index 5490c70a57..fcfa15b80c 100755
--- a/tools/deployment/network-policy/901-test-networkpolicy.sh
+++ b/tools/deployment/network-policy/901-test-networkpolicy.sh
@@ -27,13 +27,25 @@ function test_netpol {
 POD=$(kubectl -n $NS get pod -l application=$APPLICATION,component=$COMPONENT | grep Running | cut -f 1 -d " " | head -n 1)
 PID=$(sudo docker inspect --format '{{ .State.Pid }}' $(kubectl get pods --namespace $NS $POD -o jsonpath='{.status.containerStatuses[0].containerID}' | cut -c 10-21))
 if [ "x${STATUS}" == "xfail" ]; then
- if ! sudo nsenter -t $PID -n wget --spider --timeout=5 --tries=1 $HOST ; then
- echo "Connection timed out; as expected by policy."
+ if ! sudo nsenter -t $PID -n wget -r -nd --delete-after --timeout=5 --tries=1 $HOST ; then
+ if [[ "$?" == 6 ]]; then
+ exit 1
+ else
+ echo "Connection timed out; as expected by policy."
+ fi
 else
 exit 1
 fi
 else
- sudo nsenter -t $PID -n wget --spider --timeout=10 --tries=1 $HOST
+ if sudo nsenter -t $PID -n wget -r -nd --delete-after --timeout=10 --tries=1 $HOST; then
+ echo "Connection successful; as expected by policy"
+ # NOTE(srwilkers): If wget returns error code 6 (invalid credentials), we should consider it
+ # a success
+ elif [[ "$?" == 6 ]]; then
+ echo "Connection successful; as expected by policy"
+ else
+ exit 1
+ fi
 fi
 }
 # Doing negative tests
@@ -43,5 +55,3 @@ test_netpol osh-infra mariadb server prometheus.osh-infra.svc.cluster.local fail
 # Doing positive tests
 test_netpol osh-infra grafana dashboard mariadb.osh-infra.svc.cluster.local:3306 success
-
-echo Test successfully
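Review bot: In the negative (`fail`) branch the added `[[ "$?" == 6 ]]` check can never be true, because inside `if ! cmd; then` the value of `$?` is the status of the negated pipeline (0), not wget's exit code. A wget exit of 6 there means the request reached the service, so the policy did not block it, yet the test prints "Connection timed out; as expected by policy." and passes. Capture the status before branching, e.g. `rc=0; sudo nsenter -t $PID -n wget -r -nd --delete-after --timeout=5 --tries=1 $HOST || rc=$?` followed by `if [[ "$rc" == 0 || "$rc" == 6 ]]; then exit 1; fi`; the `elif [[ "$?" == 6 ]]` in the positive branch is unaffected since no `!` is involved. Every other non-zero status (for instance a failure of `nsenter` itself) would still be reported as a blocked connection, so accepting only exit code 4 in this branch may be the safer check. test_netpol begins above this hunk.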