ref(pkg/catalog): update ListAllowedOutboundServicesForIdentity (open…

…servicemesh#2173) * handles permissive mode Signed-off-by: Michelle Noorali <michellemolu@gmail.com>
eduser25 · Dec 9, 2020 · b64d9a5 · b64d9a5
1 parent 0d40ccb
commit b64d9a5
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 7 deletions.
diff --git a/pkg/catalog/helpers_test.go b/pkg/catalog/helpers_test.go
@@ -24,7 +24,11 @@ import (
 	"github.com/openservicemesh/osm/pkg/tests"
 )
 
-func newFakeMeshCatalogForRoutes(t *testing.T) *MeshCatalog {
+type testParams struct {
+	permissiveMode bool
+}
+
+func newFakeMeshCatalogForRoutes(t *testing.T, testParams testParams) *MeshCatalog {
 	mockCtrl := gomock.NewController(t)
 	kubeClient := testclient.NewSimpleClientset()
 
@@ -125,6 +129,8 @@ func newFakeMeshCatalogForRoutes(t *testing.T) *MeshCatalog {
 	mockKubeController.EXPECT().IsMonitoredNamespace(tests.BookbuyerService.Namespace).Return(true).AnyTimes()
 	mockKubeController.EXPECT().ListMonitoredNamespaces().Return(listExpectedNs, nil).AnyTimes()
 
+	mockConfigurator.EXPECT().IsPermissiveTrafficPolicyMode().Return(testParams.permissiveMode).AnyTimes()
+
 	mockMeshSpec.EXPECT().GetAnnouncementsChannel().Return(announcementsChan).AnyTimes()
 	mockMeshSpec.EXPECT().ListTrafficTargets().Return([]*target.TrafficTarget{&tests.TrafficTarget}).AnyTimes()
 	mockMeshSpec.EXPECT().ListHTTPTrafficSpecs().Return([]*specs.HTTPRouteGroup{&tests.HTTPRouteGroup}).AnyTimes()

diff --git a/pkg/catalog/routes.go b/pkg/catalog/routes.go
@@ -104,6 +104,15 @@ func (mc *MeshCatalog) ListAllowedOutboundServices(sourceService service.MeshSer
 
 // ListAllowedOutboundServicesForIdentity list the services the given service account is allowed to initiate outbound connections to
 func (mc *MeshCatalog) ListAllowedOutboundServicesForIdentity(identity service.K8sServiceAccount) []service.MeshService {
+	allowedServices := []service.MeshService{}
+
+	if mc.configurator.IsPermissiveTrafficPolicyMode() {
+		for _, svc := range mc.kubeController.ListServices() {
+			allowedServices = append(allowedServices, utils.K8sSvcToMeshSvc(svc))
+		}
+		return allowedServices
+	}
+
 	serviceSet := mapset.NewSet()
 	for _, t := range mc.meshSpec.ListTrafficTargets() { // loop through all traffic targets
 		for _, source := range t.Spec.Sources {
@@ -124,11 +133,10 @@ func (mc *MeshCatalog) ListAllowedOutboundServicesForIdentity(identity service.K
 		}
 	}
 
-	serviceSlice := []service.MeshService{}
 	for elem := range serviceSet.Iter() {
-		serviceSlice = append(serviceSlice, elem.(service.MeshService))
+		allowedServices = append(allowedServices, elem.(service.MeshService))
 	}
-	return serviceSlice
+	return allowedServices
 }
 
 //GetWeightedClusterForService returns the weighted cluster for a given service

diff --git a/pkg/catalog/routes_test.go b/pkg/catalog/routes_test.go
@@ -69,7 +69,7 @@ func TestIsValidTrafficTarget(t *testing.T) {
 func TestGetHostnamesForUpstreamService(t *testing.T) {
 	assert := assert.New(t)
 
-	mc := newFakeMeshCatalogForRoutes(t)
+	mc := newFakeMeshCatalogForRoutes(t, testParams{})
 
 	testCases := []struct {
 		name              string
@@ -391,30 +391,41 @@ func TestListAllowedOutboundServices(t *testing.T) {
 
 func TestListAllowedOutboundServicesForIdentity(t *testing.T) {
 	assert := assert.New(t)
-	mc := newFakeMeshCatalog()
 
 	testCases := []struct {
 		name           string
 		serviceAccount service.K8sServiceAccount
 		expectedList   []service.MeshService
+		permissiveMode bool
 	}{
 		{
 			name:           "traffic targets configured for service account",
 			serviceAccount: tests.BookbuyerServiceAccount,
 			expectedList:   []service.MeshService{tests.BookstoreV1Service, tests.BookstoreV2Service, tests.BookstoreApexService},
+			permissiveMode: false,
 		},
 		{
 			name: "traffic targets not configured for service account",
 			serviceAccount: service.K8sServiceAccount{
 				Name:      "some-name",
 				Namespace: "some-ns",
 			},
-			expectedList: nil,
+			expectedList:   nil,
+			permissiveMode: false,
+		},
+		{
+			name:           "permissive mode enabled",
+			serviceAccount: tests.BookstoreServiceAccount,
+			expectedList:   []service.MeshService{tests.BookstoreV1Service, tests.BookstoreV2Service, tests.BookstoreApexService, tests.BookbuyerService},
+			permissiveMode: true,
 		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			mc := newFakeMeshCatalogForRoutes(t, testParams{
+				permissiveMode: tc.permissiveMode,
+			})
 			actualList := mc.ListAllowedOutboundServicesForIdentity(tc.serviceAccount)
 			assert.ElementsMatch(actualList, tc.expectedList)
 		})