blob: 76e76401866127399f5da49b7171fb5a0d155828 [file] [log] [blame]
# Copyright 2017 Mirantis, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import json
import requests
from devops.helpers import helpers
from k8sclient.client import rest
from tcp_tests import logger
from tcp_tests.helpers import utils
LOG = logger.logger
NETCHECKER_SERVICE_NAME = "netchecker-service"
NETCHECKER_CONTAINER_PORT = NETCHECKER_SERVICE_PORT = 8081
NETCHECKER_NODE_PORT = 31081
NETCHECKER_REPORT_INTERVAL = 30
NETCHECKER_SERVER_REPLICAS = 1
NETCHECKER_PROBEURLS = "http://ipinfo.io"
NETCHECKER_SVC_CFG = {
"apiVersion": "v1",
"kind": "Service",
"metadata": {
"name": NETCHECKER_SERVICE_NAME
},
"spec": {
"ports": [
{
"nodePort": NETCHECKER_NODE_PORT,
"port": NETCHECKER_SERVICE_PORT,
"protocol": "TCP",
"targetPort": NETCHECKER_CONTAINER_PORT
}
],
"selector": {
"app": "netchecker-server"
},
"type": "NodePort"
}
}
NETCHECKER_DEPLOYMENT_CFG = {
"kind": "Deployment",
"spec": {
"template": {
"spec": {
"containers": [
{
"name": "netchecker-server",
"env": None,
"imagePullPolicy": "IfNotPresent",
"image": "mirantis/k8s-netchecker-server:latest",
"args": [
"-v=5",
"-logtostderr",
"-kubeproxyinit",
"-endpoint=0.0.0.0:{0}".format(
NETCHECKER_CONTAINER_PORT)
],
"ports": [
{
"containerPort": NETCHECKER_CONTAINER_PORT,
"hostPort": NETCHECKER_NODE_PORT
}
]
}
]
},
"metadata": {
"labels": {
"app": "netchecker-server"
},
"name": "netchecker-server"
}
},
"replicas": NETCHECKER_SERVER_REPLICAS
},
"apiVersion": "extensions/v1beta1",
"metadata": {
"name": "netchecker-server"
}
}
NETCHECKER_DS_CFG = [
{
"apiVersion": "extensions/v1beta1",
"kind": "DaemonSet",
"metadata": {
"labels": {
"app": "netchecker-agent"
},
"name": "netchecker-agent"
},
"spec": {
"template": {
"metadata": {
"labels": {
"app": "netchecker-agent"
},
"name": "netchecker-agent"
},
"spec": {
"tolerations": [
{
"key": "node-role.kubernetes.io/master",
"effect": "NoSchedule"
}
],
"containers": [
{
"env": [
{
"name": "MY_POD_NAME",
"valueFrom": {
"fieldRef": {
"fieldPath": "metadata.name"
}
}
},
{
"name": "MY_NODE_NAME",
"valueFrom": {
"fieldRef": {
"fieldPath": "spec.nodeName"
}
}
},
{
"name": "REPORT_INTERVAL",
"value": str(NETCHECKER_REPORT_INTERVAL)
},
],
"image": "mirantis/k8s-netchecker-agent:latest",
"imagePullPolicy": "IfNotPresent",
"name": "netchecker-agent",
"command": ["netchecker-agent"],
"args": [
"-v=5",
"-logtostderr",
"-probeurls={0}".format(NETCHECKER_PROBEURLS)
]
}
],
}
},
"updateStrategy": {
"type": "RollingUpdate"
}
}
},
{
"apiVersion": "extensions/v1beta1",
"kind": "DaemonSet",
"metadata": {
"labels": {
"app": "netchecker-agent-hostnet"
},
"name": "netchecker-agent-hostnet"
},
"spec": {
"template": {
"metadata": {
"labels": {
"app": "netchecker-agent-hostnet"
},
"name": "netchecker-agent-hostnet"
},
"spec": {
"tolerations": [
{
"key": "node-role.kubernetes.io/master",
"effect": "NoSchedule"
}
],
"containers": [
{
"env": [
{
"name": "MY_POD_NAME",
"valueFrom": {
"fieldRef": {
"fieldPath": "metadata.name"
}
}
},
{
"name": "MY_NODE_NAME",
"valueFrom": {
"fieldRef": {
"fieldPath": "spec.nodeName"
}
}
},
{
"name": "REPORT_INTERVAL",
"value": str(NETCHECKER_REPORT_INTERVAL)
},
],
"image": "mirantis/k8s-netchecker-agent:latest",
"imagePullPolicy": "IfNotPresent",
"name": "netchecker-agent",
"command": ["netchecker-agent"],
"args": [
"-v=5",
"-logtostderr",
"-probeurls={0}".format(NETCHECKER_PROBEURLS)
]
}
],
"hostNetwork": True,
"dnsPolicy": "ClusterFirstWithHostNet",
"updateStrategy": {
"type": "RollingUpdate"
}
}
},
"updateStrategy": {
"type": "RollingUpdate"
}
}
}
]
NETCHECKER_BLOCK_POLICY = {
"kind": "policy",
"spec": {
"ingress": [
{
"action": "allow"
},
{
"action": "deny",
"destination": {
"ports": [
NETCHECKER_SERVICE_PORT
]
},
"protocol": "tcp"
}
]
},
"apiVersion": "v1",
"metadata": {
"name": "deny-netchecker"
}
}
def start_server(k8s, config, namespace=None,
deploy_spec=NETCHECKER_DEPLOYMENT_CFG,
svc_spec=NETCHECKER_SVC_CFG):
"""Start netchecker server in k8s cluster
:param k8s: K8SManager
:param config: fixture provides oslo.config
:param namespace: str
:param deploy_spec: dict
:param svc_spec: dict
:return: None
"""
for container in deploy_spec['spec']['template']['spec']['containers']:
if container['name'] == 'netchecker-server':
container['image'] = \
config.k8s_deploy.kubernetes_netchecker_server_image
try:
if k8s.api.deployments.get(name=deploy_spec['metadata']['name'],
namespace=namespace):
LOG.debug('Network checker server deployment "{}" '
'already exists! Skipping resource '
'creation'.format(deploy_spec['metadata']['name']))
except rest.ApiException as e:
if e.status == 404:
n = k8s.check_deploy_create(body=deploy_spec, namespace=namespace)
k8s.wait_deploy_ready(n.name, namespace=namespace)
else:
raise e
try:
if k8s.api.services.get(name=svc_spec['metadata']['name']):
LOG.debug('Network checker server service {} is '
'already running! Skipping resource creation'
'.'.format(svc_spec['metadata']['name']))
except rest.ApiException as e:
if e.status == 404:
k8s.check_service_create(body=svc_spec, namespace=namespace)
else:
raise e
def start_agent(k8s, config, namespace=None, ds_spec=NETCHECKER_DS_CFG,
service_namespace=None):
"""Start netchecker agent in k8s cluster
:param k8s: K8SManager
:param config: fixture provides oslo.config
:param namespace: str
:param ds_spec: str
:return: None
"""
for ds in ds_spec:
for container in ds['spec']['template']['spec']['containers']:
if container['name'] == 'netchecker-agent':
container['image'] = \
config.k8s_deploy.kubernetes_netchecker_agent_image
if service_namespace is not None:
container['args'].append(
"-serverendpoint={0}.{1}.svc.cluster.local:{2}".format(
NETCHECKER_SERVICE_NAME,
service_namespace,
NETCHECKER_SERVICE_PORT))
k8s.check_ds_create(body=ds, namespace=namespace)
k8s.wait_ds_ready(dsname=ds['metadata']['name'], namespace=namespace)
k8s.wait_pods_phase(pods=[pod for pod in k8s.api.pods.list()
if 'netchecker-agent' in pod.name],
phase='Running',
timeout=600)
@utils.retry(3, requests.exceptions.RequestException)
def get_connectivity_status(k8sclient, netchecker_pod_port=NETCHECKER_NODE_PORT,
pod_name='netchecker-server', namespace='default'):
netchecker_srv_pod_names = [pod.name for pod in
k8sclient.pods.list(namespace=namespace)
if pod_name in pod.name]
assert len(netchecker_srv_pod_names) > 0, \
"No netchecker-server pods found!"
netchecker_srv_pod = k8sclient.pods.get(name=netchecker_srv_pod_names[0],
namespace=namespace)
kube_host_ip = netchecker_srv_pod.status.host_ip
net_status_url = 'http://{0}:{1}/api/v1/connectivity_check'.format(
kube_host_ip, netchecker_pod_port)
response = requests.get(net_status_url, timeout=5)
LOG.debug('Connectivity check status: [{0}] {1}'.format(
response.status_code, response.text.strip()))
return response
@utils.retry(3, requests.exceptions.RequestException)
def get_netchecker_pod_status(k8s,
pod_name='netchecker-server',
namespace='default'):
k8s.wait_pods_phase(
pods=[pod for pod in k8s.api.pods.list(namespace=namespace)
if pod_name in pod.name], phase='Running', timeout=600)
def check_network(k8sclient, netchecker_pod_port,
namespace='default', works=True):
if works:
assert get_connectivity_status(
k8sclient, namespace=namespace,
netchecker_pod_port=netchecker_pod_port).status_code in (200, 204)
else:
assert get_connectivity_status(
k8sclient, namespace=namespace,
netchecker_pod_port=netchecker_pod_port).status_code == 400
def wait_check_network(k8sclient, namespace='default', works=True, timeout=120,
interval=5, netchecker_pod_port=NETCHECKER_NODE_PORT):
helpers.wait_pass(lambda: check_network(k8sclient,
netchecker_pod_port=netchecker_pod_port,
namespace=namespace,
works=works),
timeout=timeout, interval=interval)
def calico_block_traffic_on_node(underlay, target_node):
cmd = "echo '{0}' | calicoctl create -f -".format(NETCHECKER_BLOCK_POLICY)
underlay.sudo_check_call(cmd, node_name=target_node)
LOG.info('Blocked traffic to the network checker service from '
'containers on node "{}".'.format(target_node))
def calico_unblock_traffic_on_node(underlay, target_node):
cmd = "echo '{0}' | calicoctl delete -f -".format(NETCHECKER_BLOCK_POLICY)
underlay.sudo_check_call(cmd, node_name=target_node)
LOG.info('Unblocked traffic to the network checker service from '
'containers on node "{}".'.format(target_node))
def calico_get_version(underlay, target_node):
raw_version = underlay.sudo_check_call('calicoctl version',
node_name=target_node)
assert raw_version['exit_code'] == 0 and len(raw_version['stdout']) > 0, \
"Unable to get calico version!"
if len(raw_version['stdout']) > 1:
ctl_version = raw_version['stdout'][0].split()[1].strip()
else:
ctl_version = raw_version['stdout'][0].strip()
LOG.debug("Calico (calicoctl) version on '{0}': '{1}'".format(target_node,
ctl_version))
return ctl_version
def kubernetes_block_traffic_namespace(underlay, kube_host_ip, namespace):
# TODO(apanchenko): do annotation using kubernetes API
cmd = ('kubectl annotate ns {0} \'net.beta.kubernetes.io/'
'network-policy={{"ingress": {{"isolation":'
' "DefaultDeny"}}}}\'').format(namespace)
underlay.sudo_check_call(cmd=cmd, host=kube_host_ip)
def calico_allow_netchecker_connections(underlay, kube_ssh_ip, kube_host_ip,
namespace):
calico_policy = {"kind": "policy",
"spec": {
"ingress": [
{
"action": "allow",
"source": {
"net": "{0}/24".format(kube_host_ip)
},
"destination": {
"selector": ("calico/k8s_ns =="
" \"{0}\"").format(namespace)
},
"protocol": "tcp"
}
],
"order": 500,
"selector": "has(calico/k8s_ns)"
},
"apiVersion": "v1",
"metadata": {
"name": "netchecker.allow-host-connections"}
}
cmd = "echo '{0}' | calicoctl apply -f -".format(
json.dumps(calico_policy))
underlay.sudo_check_call(cmd=cmd, host=kube_ssh_ip)
def kubernetes_allow_traffic_from_agents(underlay, kube_host_ip, namespace):
# TODO(apanchenko): add network policies using kubernetes API
label_namespace_cmd = "kubectl label namespace default name=default"
underlay.sudo_check_call(cmd=label_namespace_cmd, host=kube_host_ip)
kubernetes_policy = {
"apiVersion": "extensions/v1beta1",
"kind": "NetworkPolicy",
"metadata": {
"name": "access-netchecker",
"namespace": namespace,
},
"spec": {
"ingress": [
{
"from": [
{
"namespaceSelector": {
"matchLabels": {
"name": "default"
}
}
},
{
"podSelector": {
"matchLabels": {
"app": "netchecker-agent"
}
}
}
]
}
],
"podSelector": {
"matchLabels": {
"app": "netchecker-server"
}
}
}
}
kubernetes_policy_hostnet = {
"apiVersion": "extensions/v1beta1",
"kind": "NetworkPolicy",
"metadata": {
"name": "access-netchecker-hostnet",
"namespace": namespace,
},
"spec": {
"ingress": [
{
"from": [
{
"namespaceSelector": {
"matchLabels": {
"name": "default"
}
}
},
{
"podSelector": {
"matchLabels": {
"app": "netchecker-agent-hostnet"
}
}
}
]
}
],
"podSelector": {
"matchLabels": {
"app": "netchecker-server"
}
}
}
}
cmd_add_policy = "echo '{0}' | kubectl create -f -".format(
json.dumps(kubernetes_policy))
underlay.sudo_check_call(cmd=cmd_add_policy, host=kube_host_ip)
cmd_add_policy_hostnet = "echo '{0}' | kubectl create -f -".format(
json.dumps(kubernetes_policy_hostnet))
underlay.sudo_check_call(cmd=cmd_add_policy_hostnet, host=kube_host_ip)
@utils.retry(3, requests.exceptions.RequestException)
def get_metric(k8sclient, netchecker_pod_port,
pod_name='netchecker-server', namespace='default'):
netchecker_srv_pod_names = [pod.name for pod in
k8sclient.pods.list(namespace=namespace)
if pod_name in pod.name]
assert len(netchecker_srv_pod_names) > 0, \
"No netchecker-server pods found!"
netchecker_srv_pod = k8sclient.pods.get(name=netchecker_srv_pod_names[0],
namespace=namespace)
kube_host_ip = netchecker_srv_pod.status.host_ip
metrics_url = 'http://{0}:{1}/metrics'.format(
kube_host_ip, netchecker_pod_port)
response = requests.get(metrics_url, timeout=30)
LOG.debug('Metrics: [{0}] {1}'.format(
response.status_code, response.text.strip()))
return response
def get_service_port(k8sclient, service_name='netchecker',
namespace='netchecker'):
full_service_name = [service.name for service
in k8sclient.services.list(namespace=namespace)
if service_name in service.name]
assert len(full_service_name) > 0, "No netchecker service run"
service_details = k8sclient.services.get(name=full_service_name[0],
namespace=namespace)
LOG.debug('Necthcecker service details {0}'.format(service_details))
netchecker_port = service_details.spec.ports[0].node_port
return netchecker_port