Add E2E testcase for childGroup creation after parent

Signed-off-by: Yang Ding <dingyang@vmware.com>
antrea-io · Jul 30, 2021 · d0b5321 · d0b5321
1 parent a8a8cd4
commit d0b5321
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 32 deletions.
diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go
@@ -2246,28 +2246,32 @@ func testACNPClusterGroupServiceRefCreateAndUpdate(t *testing.T, data *TestData)
 
 func testACNPNestedClusterGroupCreateAndUpdate(t *testing.T, data *TestData) {
 	svc1 := k8sUtils.BuildService("svc1", "x", 80, 80, map[string]string{"app": "a"}, nil)
-	cg1Name, cg2Name := "cg-svc-x-a", "cg-select-y-b"
+	cg1Name, cg2Name, cg3Name := "cg-svc-x-a", "cg-select-y-b", "cg-select-y-c"
 	cgBuilder1 := &ClusterGroupV1Alpha3SpecBuilder{}
 	cgBuilder1 = cgBuilder1.SetName(cg1Name).SetServiceReference("x", "svc1")
 	cgBuilder2 := &ClusterGroupV1Alpha3SpecBuilder{}
 	cgBuilder2 = cgBuilder2.SetName(cg2Name).
 		SetNamespaceSelector(map[string]string{"ns": "y"}, nil).
 		SetPodSelector(map[string]string{"pod": "b"}, nil)
+	cgBuilder3 := &ClusterGroupV1Alpha3SpecBuilder{}
+	cgBuilder3 = cgBuilder3.SetName(cg3Name).
+		SetNamespaceSelector(map[string]string{"ns": "y"}, nil).
+		SetPodSelector(map[string]string{"pod": "c"}, nil)
 	cgNestedName := "cg-nested"
 	cgBuilderNested := &ClusterGroupV1Alpha3SpecBuilder{}
-	cgBuilderNested = cgBuilderNested.SetName(cgNestedName).SetChildGroups([]string{cg1Name})
+	cgBuilderNested = cgBuilderNested.SetName(cgNestedName).SetChildGroups([]string{cg1Name, cg3Name})
 
 	builder := &ClusterNetworkPolicySpecBuilder{}
 	builder = builder.SetName("cnp-nested-cg").SetPriority(1.0).
 		SetAppliedToGroup([]ACNPAppliedToSpec{{NSSelector: map[string]string{"ns": "z"}}}).
 		AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil,
 			false, nil, crdv1alpha1.RuleActionDrop, cgNestedName, "")
 
-	// Pods in Namespace z should not allow ingress from Pods backing svc1 (label pod=a) in Namespace x.
+	// Pods in Namespace z should not allow traffic from Pods backing svc1 (label pod=a) in Namespace x.
+	// Note that in this testStep cg3 will not be created yet, so even though cg-nested selects cg1 and
+	// cg3 as childGroups, only members of cg1 will be included as this time.
 	reachability := NewReachability(allPods, Connected)
-	reachability.Expect(Pod("x/a"), Pod("z/a"), Dropped)
-	reachability.Expect(Pod("x/a"), Pod("z/b"), Dropped)
-	reachability.Expect(Pod("x/a"), Pod("z/c"), Dropped)
+	reachability.ExpectEgressToNamespace("x/a", "z", Dropped)
 
 	testStep1 := &TestStep{
 		"Port 80",
@@ -2281,15 +2285,11 @@ func testACNPNestedClusterGroupCreateAndUpdate(t *testing.T, data *TestData) {
 	}
 
 	// Test update "cg-nested" to include "cg-select-y-b" as well.
-	cgBuilderNested = cgBuilderNested.SetChildGroups([]string{cg1Name, cg2Name})
+	cgBuilderNested = cgBuilderNested.SetChildGroups([]string{cg1Name, cg2Name, cg3Name})
 	// In addition to x/a, all traffic from y/b to Namespace z should also be denied.
 	reachability2 := NewReachability(allPods, Connected)
-	reachability2.Expect(Pod("x/a"), Pod("z/a"), Dropped)
-	reachability2.Expect(Pod("x/a"), Pod("z/b"), Dropped)
-	reachability2.Expect(Pod("x/a"), Pod("z/c"), Dropped)
-	reachability2.Expect(Pod("y/b"), Pod("z/a"), Dropped)
-	reachability2.Expect(Pod("y/b"), Pod("z/b"), Dropped)
-	reachability2.Expect(Pod("y/b"), Pod("z/c"), Dropped)
+	reachability2.ExpectEgressToNamespace("x/a", "z", Dropped)
+	reachability2.ExpectEgressToNamespace("y/b", "z", Dropped)
 	// New member in cg-svc-x-a should be reflected in cg-nested as well.
 	cp := []*CustomProbe{
 		{
@@ -2316,7 +2316,24 @@ func testACNPNestedClusterGroupCreateAndUpdate(t *testing.T, data *TestData) {
 		cp,
 	}
 
-	testSteps := []*TestStep{testStep1, testStep2}
+	// In this testStep cg3 is created. It's members should reflect in cg-nested
+	// and as a result, all traffic from y/c to Namespace z should be denied as well.
+	reachability3 := NewReachability(allPods, Connected)
+	reachability3.ExpectEgressToNamespace("x/a", "z", Dropped)
+	reachability3.ExpectEgressToNamespace("y/b", "z", Dropped)
+	reachability3.ExpectEgressToNamespace("y/c", "z", Dropped)
+	testStep3 := &TestStep{
+		"Port 80 updated",
+		reachability3,
+		nil,
+		[]metav1.Object{cgBuilder3.Get()},
+		[]int32{80},
+		v1.ProtocolTCP,
+		0,
+		nil,
+	}
+
+	testSteps := []*TestStep{testStep1, testStep2, testStep3}
 	testCase := []*TestCase{
 		{"ACNP nested ClusterGroup create and update", testSteps},
 	}

diff --git a/test/e2e/legacyclustergroup_test.go b/test/e2e/legacyclustergroup_test.go
@@ -137,23 +137,6 @@ func testLegacyInvalidCGServiceRefWithIPBlock(t *testing.T) {
 	}
 }
 
-func testLegacyInvalidCGChildGroupDoesNotExist(t *testing.T) {
-	invalidErr := fmt.Errorf("clustergroup childGroup does not exist")
-	cgName := "child-group-not-exist"
-	cg := &legacycorev1alpha2.ClusterGroup{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: cgName,
-		},
-		Spec: crdv1alpha2.GroupSpec{
-			ChildGroups: []crdv1alpha2.ClusterGroupReference{crdv1alpha2.ClusterGroupReference("some-non-existing-cg")},
-		},
-	}
-	if _, err := k8sUtils.CreateOrUpdateLegacyCG(cg); err == nil {
-		// Above creation of CG must fail as it is an invalid spec.
-		failOnError(invalidErr, t)
-	}
-}
-
 func createLegacyChildCGForTest(t *testing.T) {
 	cg := &legacycorev1alpha2.ClusterGroup{
 		ObjectMeta: metav1.ObjectMeta{
@@ -261,7 +244,6 @@ func TestLegacyClusterGroup(t *testing.T) {
 		t.Run("Case=LegacyServiceRefWithPodSelectorDenied", func(t *testing.T) { testLegacyInvalidCGServiceRefWithPodSelector(t) })
 		t.Run("Case=LegacyServiceRefWithNamespaceSelectorDenied", func(t *testing.T) { testLegacyInvalidCGServiceRefWithNSSelector(t) })
 		t.Run("Case=LegacyServiceRefWithIPBlockDenied", func(t *testing.T) { testLegacyInvalidCGServiceRefWithIPBlock(t) })
-		t.Run("Case=LegacyInvalidChildGroupName", func(t *testing.T) { testLegacyInvalidCGChildGroupDoesNotExist(t) })
 	})
 
 	t.Run("TestLegacyGroupClusterGroupValidateChildGroup", func(t *testing.T) {