From b461281f29def0334cdf0fbe79001c3644b553c8 Mon Sep 17 00:00:00 2001
From: Marcelo Guerrero Viveros
Date: Mon, 20 Feb 2023 11:20:21 +0100
Subject: [PATCH] Add tap plugin test Test for the following PR: https://github.com/containernetworking/plugins/pull/832
Signed-off-by: Marcelo Guerrero Viveros
---
test/extended/networking/tap.go | 114 ++++++++++++++++++
.../generated/zz_generated.annotations.go | 2 +
test/extended/util/pods.go | 4 +-
3 files changed, 118 insertions(+), 2 deletions(-)
create mode 100644 test/extended/networking/tap.go
diff --git a/test/extended/networking/tap.go b/test/extended/networking/tap.go
new file mode 100644
index 000000000000..974e4e81bd31
--- /dev/null
+++ b/test/extended/networking/tap.go
@@ -0,0 +1,114 @@
+package networking
+
+import (
+ "context"
+ "encoding/json"
+ "fmt"
+ "strings"
+
+ corev1 "k8s.io/api/core/v1"
+ kapiv1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ e2e "k8s.io/kubernetes/test/e2e/framework"
+
+ nadtypes "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/apis/k8s.cni.cncf.io/v1"
+ g "github.com/onsi/ginkgo/v2"
+ o "github.com/onsi/gomega"
+ exutil "github.com/openshift/origin/test/extended/util"
+)
+
+const nodeLabelSelectorWorker = "node-role.kubernetes.io/worker"
+
+var _ = g.Describe("[sig-network][Feature:tap]", func() {
+ oc := exutil.NewCLI("tap")
+ f := oc.KubeFramework()
+ var worker *corev1.Node
+ var isCUDDisabled bool
+
+ g.BeforeEach(func() {
+ // Fetch worker nodes.
+ workerNodes, err := f.ClientSet.CoreV1().Nodes().List(context.Background(), metav1.ListOptions{
+ LabelSelector: nodeLabelSelectorWorker,
+ })
+ o.Expect(err).NotTo(o.HaveOccurred())
+
+ if len(workerNodes.Items) == 0 {
+ e2e.Failf("cluster should have nodes")
+ }
+ worker = &workerNodes.Items[0]
+
+ // Load tun module.
+ _, err = exutil.ExecCommandOnMachineConfigDaemon(f.ClientSet, oc, worker, []string{
+ "sh", "-c", "nsenter --mount=/proc/1/ns/mnt -- sh -c 'modprobe tun'",
+ })
+ o.Expect(err).NotTo(o.HaveOccurred())
+
+ // Get container_use_devices selinux boolean.
+ cud, err := exutil.ExecCommandOnMachineConfigDaemon(f.ClientSet, oc, worker, []string{
+ "sh", "-c", "nsenter --mount=/proc/1/ns/mnt -- sh -c 'getsebool container_use_devices'",
+ })
+ o.Expect(err).NotTo(o.HaveOccurred())
+
+ isCUDDisabled = strings.Contains(cud, "off")
+
+ if isCUDDisabled {
+ // Enable container_use_devices selinux boolean.
+ _, err = exutil.ExecCommandOnMachineConfigDaemon(f.ClientSet, oc, worker, []string{
+ "sh", "-c", "nsenter --mount=/proc/1/ns/mnt -- sh -c 'setsebool container_use_devices 1'",
+ })
+ o.Expect(err).NotTo(o.HaveOccurred())
+ }
+ })
+
+ g.AfterEach(func() {
+ if isCUDDisabled {
+ // Disable container_use_devices selinux boolean.
+ _, err := exutil.ExecCommandOnMachineConfigDaemon(f.ClientSet, oc, worker, []string{
+ "sh", "-c", "nsenter --mount=/proc/1/ns/mnt -- sh -c 'setsebool container_use_devices 0'",
+ })
+ o.Expect(err).NotTo(o.HaveOccurred())
+ }
+ })
+
+ g.It(fmt.Sprintf("should create a pod with a tap interface [apigroup:k8s.cni.cncf.io]"), func() {
+ ns := f.Namespace.Name
+ podName := "pod1"
+ nadName := "nad-tap"
+ ifName := "tap1"
+ nadConfig := `{
+ "cniVersion":"0.4.0",
+ "name":"%s",
+ "type": "tap",
+ "selinuxcontext": "system_u:system_r:container_t:s0"
+ }`
+
+ g.By("creating a network attachment definition")
+ err := createNetworkAttachmentDefinition(
+ oc.AdminConfig(),
+ ns,
+ nadName,
+ fmt.Sprintf(nadConfig, nadName),
+ )
+ o.Expect(err).NotTo(o.HaveOccurred(), "unable to create tap network-attachment-definition")
+
+ g.By("creating a pod on worker with container_use_devices on")
+ exutil.CreateExecPodOrFail(f.ClientSet, ns, podName, func(pod *kapiv1.Pod) {
+ tapAnnotation := fmt.Sprintf("%s/%s@%s", ns, nadName, ifName)
+ pod.ObjectMeta.Annotations = map[string]string{"k8s.v1.cni.cncf.io/networks": fmt.Sprintf("%s", tapAnnotation)}
+ pod.Spec.NodeSelector = worker.Labels
+ })
+ pod, err := f.ClientSet.CoreV1().Pods(f.Namespace.Name).Get(context.TODO(), podName, metav1.GetOptions{})
+ o.Expect(err).ToNot(o.HaveOccurred())
+
+ g.By("checking annotations")
+ networkStatusString, ok := pod.Annotations["k8s.v1.cni.cncf.io/network-status"]
+ o.Expect(ok).To(o.BeTrue())
+ o.Expect(networkStatusString).ToNot(o.BeNil())
+
+ var networkStatuses []nadtypes.NetworkStatus
+ o.Expect(json.Unmarshal([]byte(networkStatusString),
+ &networkStatuses)).ToNot(o.HaveOccurred())
+ o.Expect(networkStatuses).To(o.HaveLen(2))
+ o.Expect(networkStatuses[1].Interface).To(o.Equal(ifName))
+ o.Expect(networkStatuses[1].Name).To(o.Equal(fmt.Sprintf("%s/%s", ns, nadName)))
+ })
+})
diff --git a/test/extended/util/annotate/generated/zz_generated.annotations.go b/test/extended/util/annotate/generated/zz_generated.annotations.go
index c0a5ee5e7688..e08bba2275d9 100644
--- a/test/extended/util/annotate/generated/zz_generated.annotations.go
+++ b/test/extended/util/annotate/generated/zz_generated.annotations.go
@@ -2673,6 +2673,8 @@ var Annotations = map[string]string{ "[sig-network][Feature:bond] should create a pod with bond interface [apigroup:k8s.cni.cncf.io]": " [Suite:openshift/conformance/parallel]", + "[sig-network][Feature:tap] should create a pod with a tap interface [apigroup:k8s.cni.cncf.io]": " [Suite:openshift/conformance/parallel]", + "[sig-network][Feature:tuning] pod should not start for sysctls not on whitelist [apigroup:k8s.cni.cncf.io] net.ipv4.conf.IFNAME.arp_filter": " [Suite:openshift/conformance/parallel]", "[sig-network][Feature:tuning] pod should not start for sysctls not on whitelist [apigroup:k8s.cni.cncf.io] net.ipv4.conf.all.send_redirects": " [Suite:openshift/conformance/parallel]",
diff --git a/test/extended/util/pods.go b/test/extended/util/pods.go
index a88ae4481477..d92c292f9fb2 100644
--- a/test/extended/util/pods.go
+++ b/test/extended/util/pods.go
@@ -2,7 +2,6 @@ package util import ( "context" - "fmt" "strings" "time"
@@ -17,6 +16,7 @@ import ( clientset "k8s.io/client-go/kubernetes" e2e "k8s.io/kubernetes/test/e2e/framework" podframework "k8s.io/kubernetes/test/e2e/framework/pod" + e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "github.com/openshift/origin/test/extended/util/image" )
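Review bot: In test/extended/networking/tap.go the `BeforeEach` switches the node-wide SELinux boolean `container_use_devices` to 1 on a shared worker, while the generated annotation in this same patch places the spec in `openshift/conformance/parallel`. Pods from unrelated specs that land on that node during the window therefore run under the relaxed device policy. The `AfterEach` reset to 0 can also race with any other spec that reads or depends on the boolean. Tagging the container as serial, `g.Describe("[sig-network][Feature:tap][Serial]", func() {`, and regenerating the annotations would keep the policy change out of the parallel bucket; whether `[Disruptive]` is the better tag depends on suite conventions not visible here. Separately, `pod.Spec.NodeSelector = worker.Labels` copies every node label into the selector; pinning on the single `kubernetes.io/hostname` label would be less brittle.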
@@ -103,7 +103,7 @@ func GetMachineConfigDaemonByNode(c clientset.Interface, node *corev1.Node) (*co } if len(mcds.Items) < 1 { - return nil, fmt.Errorf("failed to get machine-config-daemon pod for the node %q", node.Name) + e2eskipper.Skipf("The cluster machines are not managed by machine api operator") } return &mcds.Items[0], nil }
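Review bot: Calling `e2eskipper.Skipf` inside the shared helper `GetMachineConfigDaemonByNode` turns every empty machine-config-daemon pod list into a skipped spec for all callers. A daemon pod that is missing because it crashed or was evicted is then reported as a skip rather than a failure, and callers can no longer see the condition as an error. The skip text also states a cause ("not managed by machine api operator") that this check does not establish, since it only observed zero pods for one node. Prefer keeping the error return here and letting the tap test decide to skip, or at least report what was actually seen: `e2eskipper.Skipf("no machine-config-daemon pod found for node %q", node.Name)`. The function body starts outside the hunk, so how `mcds` is listed and filtered is not visible here.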