| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 1 | # Copyright 2017 Mirantis, Inc. |
| 2 | # |
| 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 4 | # not use this file except in compliance with the License. You may obtain |
| 5 | # a copy of the License at |
| 6 | # |
| 7 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | # |
| 9 | # Unless required by applicable law or agreed to in writing, software |
| 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| 12 | # License for the specific language governing permissions and limitations |
| 13 | # under the License. |
| 14 | |
| 15 | import pytest |
| 16 | |
| 17 | from devops.helpers import helpers |
| 18 | |
| 19 | from tcp_tests import logger |
| 20 | from tcp_tests.helpers import netchecker |
| 21 | |
| 22 | LOG = logger.logger |
| 23 | |
| 24 | |
| 25 | class TestMCPCalico(object): |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 26 | """Test class for Calico network provider in k8s. |
| 27 | Common calico tests requirements: |
| 28 | KUBERNETES_NETCHECKER_ENABLED=true |
| 29 | """ |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 30 | |
| 31 | @pytest.mark.fail_snapshot |
| 32 | def test_k8s_netchecker_calico(self, show_step, config, k8s_deployed): |
| 33 | """Test for deploying k8s environment with Calico plugin and check |
| 34 | network connectivity between different pods by k8s-netchecker |
| 35 | |
| 36 | Scenario: |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 37 | 1. Check k8s installation. |
| 38 | 2. Get network verification status. Excepted status is 'OK'. |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 39 | |
| 40 | Duration: 3000 seconds |
| 41 | """ |
| 42 | |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 43 | show_step(1) |
| 44 | k8sclient = k8s_deployed.api |
| 45 | assert k8sclient.nodes.list() is not None, "Can not get nodes list" |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 46 | netchecker_port = netchecker.get_service_port(k8sclient) |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 47 | |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 48 | show_step(2) |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 49 | netchecker.wait_check_network(k8sclient, works=True, timeout=300, |
| 50 | netchecker_pod_port=netchecker_port) |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 51 | |
| 52 | @pytest.mark.fail_snapshot |
| Artem Panchenko | 0872ec0 | 2017-06-29 17:14:12 +0300 | [diff] [blame] | 53 | @pytest.mark.calico_ci |
| Tatyana Leontovich | 071ce6a | 2017-10-24 18:08:10 +0300 | [diff] [blame] | 54 | @pytest.mark.cz8116 |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 55 | def test_calico_route_recovery(self, show_step, config, underlay, |
| 56 | k8s_deployed): |
| 57 | """Test for deploying k8s environment with Calico plugin and check |
| 58 | that local routes are recovered by felix after removal |
| 59 | |
| 60 | Scenario: |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 61 | 1. Check k8s installation. |
| Dmitry Tyzhnenko | e20367c | 2017-10-27 19:16:45 +0300 | [diff] [blame] | 62 | 2. Check netchecker-server service. |
| 63 | 3. Check netchecker-agent daemon set. |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 64 | 4. Get network verification status. Excepted status is 'OK'. |
| 65 | 5. Get metrics from netchecker. |
| 66 | 6. Remove local route to netchecker-agent pod on the first node. |
| 67 | 7. Check that the route is automatically recovered. |
| 68 | 8. Get network verification status. Excepted status is 'OK'. |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 69 | |
| 70 | Duration: 3000 seconds |
| 71 | """ |
| 72 | |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 73 | show_step(1) |
| 74 | k8sclient = k8s_deployed.api |
| 75 | assert k8sclient.nodes.list() is not None, "Can not get nodes list" |
| Dmitry Tyzhnenko | e20367c | 2017-10-27 19:16:45 +0300 | [diff] [blame] | 76 | netchecker_port = netchecker.get_service_port(k8sclient) |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 77 | |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 78 | show_step(2) |
| Dmitry Tyzhnenko | e20367c | 2017-10-27 19:16:45 +0300 | [diff] [blame] | 79 | netchecker.get_netchecker_pod_status(k8s=k8s_deployed, |
| 80 | namespace='netchecker') |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 81 | |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 82 | show_step(3) |
| Dmitry Tyzhnenko | e20367c | 2017-10-27 19:16:45 +0300 | [diff] [blame] | 83 | netchecker.get_netchecker_pod_status(k8s=k8s_deployed, |
| 84 | pod_name='netchecker-agent', |
| 85 | namespace='netchecker') |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 86 | |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 87 | show_step(4) |
| Dmitry Tyzhnenko | e20367c | 2017-10-27 19:16:45 +0300 | [diff] [blame] | 88 | netchecker.wait_check_network(k8sclient, namespace='netchecker', |
| 89 | netchecker_pod_port=netchecker_port) |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 90 | |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 91 | show_step(5) |
| Dmitry Tyzhnenko | e20367c | 2017-10-27 19:16:45 +0300 | [diff] [blame] | 92 | res = netchecker.get_metric(k8sclient, |
| 93 | netchecker_pod_port=netchecker_port, |
| 94 | namespace='netchecker') |
| 95 | |
| 96 | assert res.status_code == 200, 'Unexpected response code {}'\ |
| 97 | .format(res) |
| 98 | metrics = ['ncagent_error_count_total', 'ncagent_http_probe_code', |
| 99 | 'ncagent_http_probe_connect_time_ms', |
| 100 | 'ncagent_http_probe_connection_result', |
| 101 | 'ncagent_http_probe_content_transfer_time_ms', |
| 102 | 'ncagent_http_probe_dns_lookup_time_ms', |
| 103 | 'ncagent_http_probe_server_processing_time_ms', |
| 104 | 'ncagent_http_probe_tcp_connection_time_ms', |
| 105 | 'ncagent_http_probe_total_time_ms', |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 106 | 'ncagent_report_count_total'] |
| Dmitry Tyzhnenko | e20367c | 2017-10-27 19:16:45 +0300 | [diff] [blame] | 107 | for metric in metrics: |
| 108 | assert metric in res.text.strip(), \ |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 109 | 'Mandatory metric {0} is missing in {1}'.format( |
| Dmitry Tyzhnenko | e20367c | 2017-10-27 19:16:45 +0300 | [diff] [blame] | 110 | metric, res.text) |
| 111 | |
| Dmitry Tyzhnenko | e20367c | 2017-10-27 19:16:45 +0300 | [diff] [blame] | 112 | show_step(6) |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 113 | first_node = k8sclient.nodes.list()[0] |
| 114 | first_node_ips = [addr.address for addr in first_node.status.addresses |
| 115 | if 'IP' in addr.type] |
| 116 | assert len(first_node_ips) > 0, "Couldn't find first k8s node IP!" |
| 117 | first_node_names = [name for name in underlay.node_names() |
| 118 | if name.startswith(first_node.name)] |
| 119 | assert len(first_node_names) == 1, "Couldn't find first k8s node " \ |
| 120 | "hostname in SSH config!" |
| 121 | first_node_name = first_node_names.pop() |
| 122 | |
| 123 | target_pod_ip = None |
| 124 | |
| Dmitry Tyzhnenko | e20367c | 2017-10-27 19:16:45 +0300 | [diff] [blame] | 125 | for pod in k8sclient.pods.list(namespace='netchecker'): |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 126 | LOG.debug('NC pod IP: {0}'.format(pod.status.pod_ip)) |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 127 | if pod.status.host_ip not in first_node_ips: |
| 128 | continue |
| 129 | # TODO: get pods by daemonset with name 'netchecker-agent' |
| 130 | if 'netchecker-agent-' in pod.name and 'hostnet' not in pod.name: |
| 131 | target_pod_ip = pod.status.pod_ip |
| 132 | |
| 133 | assert target_pod_ip is not None, "Could not find netchecker pod IP!" |
| 134 | |
| 135 | route_del_cmd = 'ip route delete {0}'.format(target_pod_ip) |
| 136 | underlay.sudo_check_call(cmd=route_del_cmd, node_name=first_node_name) |
| 137 | LOG.debug('Removed local route to pod IP {0} on node {1}'.format( |
| 138 | target_pod_ip, first_node.name |
| 139 | )) |
| 140 | |
| Dmitry Tyzhnenko | e20367c | 2017-10-27 19:16:45 +0300 | [diff] [blame] | 141 | show_step(7) |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 142 | route_chk_cmd = 'ip route list | grep -q "{0}"'.format(target_pod_ip) |
| 143 | helpers.wait_pass( |
| 144 | lambda: underlay.sudo_check_call(cmd=route_chk_cmd, |
| 145 | node_name=first_node_name), |
| Valentyn Yakovlev | 13a0fc2 | 2017-08-01 11:21:57 +0300 | [diff] [blame] | 146 | timeout=120, |
| 147 | interval=2 |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 148 | ) |
| Dmitry Tyzhnenko | e20367c | 2017-10-27 19:16:45 +0300 | [diff] [blame] | 149 | pod_ping_cmd = 'sleep 120 && ping -q -c 1 -w 3 {0}'.format( |
| 150 | target_pod_ip) |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 151 | underlay.sudo_check_call(cmd=pod_ping_cmd, node_name=first_node_name) |
| 152 | LOG.debug('Local route to pod IP {0} on node {1} is ' |
| Dina Belova | e6fdffb | 2017-09-19 13:58:34 -0700 | [diff] [blame] | 153 | 'recovered'.format(target_pod_ip, first_node.name)) |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 154 | |
| Dmitry Tyzhnenko | e20367c | 2017-10-27 19:16:45 +0300 | [diff] [blame] | 155 | show_step(8) |
| 156 | netchecker.wait_check_network(k8sclient, namespace='netchecker', |
| 157 | netchecker_pod_port=netchecker_port, |
| 158 | works=True) |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 159 | |
| 160 | @pytest.mark.fail_snapshot |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 161 | @pytest.mark.calico_ci |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 162 | def test_calico_network_policies(self, show_step, config, underlay, |
| 163 | k8s_deployed): |
| 164 | """Test for deploying k8s environment with Calico and check |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 165 | that network policies work as expected. |
| 166 | Policy test additional requirement: |
| 167 | KUBERNETES_CALICO_POLICY_ENABLED=true |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 168 | |
| 169 | Scenario: |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 170 | 1. Check k8s installation. |
| 171 | 2. Get network verification status. Excepted status is 'OK'. |
| 172 | 3. Enable network isolation for 'netchecker' namespace. |
| 173 | 4. Allow connections to netchecker-server from tests. |
| 174 | 5. Get network verification status. Excepted status is 'FAIL' |
| 175 | because no netcheker-agent pods should be able to reach |
| 176 | netchecker-service pod. |
| 177 | 6. Add kubernetes network policies which allow connections |
| 178 | from netchecker-agent pods (including ones with host network). |
| 179 | 7. Get network verification status. Excepted status is 'OK'. |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 180 | |
| 181 | Duration: 3000 seconds |
| 182 | """ |
| 183 | |
| 184 | show_step(1) |
| 185 | k8sclient = k8s_deployed.api |
| 186 | assert k8sclient.nodes.list() is not None, "Can not get nodes list" |
| 187 | kube_master_nodes = k8s_deployed.get_k8s_masters() |
| 188 | assert kube_master_nodes, "No k8s masters found in pillars!" |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 189 | netchecker_port = netchecker.get_service_port(k8sclient) |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 190 | |
| 191 | show_step(2) |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 192 | netchecker.wait_check_network(k8sclient, namespace='netchecker', |
| 193 | works=True, timeout=300, |
| 194 | netchecker_pod_port=netchecker_port) |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 195 | |
| 196 | show_step(3) |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 197 | netchecker.kubernetes_block_traffic_namespace(underlay, |
| 198 | kube_master_nodes[0], |
| 199 | 'netchecker') |
| 200 | |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 201 | show_step(4) |
| 202 | netchecker.calico_allow_netchecker_connections(underlay, k8sclient, |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 203 | kube_master_nodes[0], |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 204 | 'netchecker') |
| 205 | |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 206 | show_step(5) |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 207 | netchecker.wait_check_network(k8sclient, namespace='netchecker', |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 208 | works=False, timeout=500, |
| 209 | netchecker_pod_port=netchecker_port) |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 210 | |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 211 | show_step(6) |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 212 | netchecker.kubernetes_allow_traffic_from_agents(underlay, |
| 213 | kube_master_nodes[0], |
| 214 | 'netchecker') |
| 215 | |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 216 | show_step(7) |
| Artem Panchenko | 501e67e | 2017-06-14 14:59:18 +0300 | [diff] [blame] | 217 | netchecker.wait_check_network(k8sclient, namespace='netchecker', |
| Aleksei Kasatkin | 99dd786 | 2018-05-23 17:58:07 +0200 | [diff] [blame] | 218 | works=True, timeout=300, |
| 219 | netchecker_pod_port=netchecker_port) |