add tests for allow and block IP policies

tests/data/access-control/access-control-policy-allow.yaml

@@ -0,0 +1,8 @@
+apiVersion: k8s.nginx.org/v1alpha1
+kind: Policy 
+metadata:
+ name: allow-policy 
+spec:
+ accessControl:
+ allow:
+ - 10.0.0.1

tests/data/access-control/access-control-policy-deny.yaml

@@ -0,0 +1,8 @@
+apiVersion: k8s.nginx.org/v1alpha1
+kind: Policy 
+metadata:
+ name: deny-policy
+spec:
+ accessControl:
+ deny:
+ - 10.0.0.1

tests/data/access-control/access-control-policy-invalid.yaml

@@ -0,0 +1,8 @@
+apiVersion: k8s.nginx.org/v1alpha1
+kind: Policy 
+metadata:
+ name: invalid-policy 
+spec:
+ accessControl:
+ deny:
+ - 192.168.0.0/255

tests/data/access-control/configmap/nginx-config.yaml

@@ -0,0 +1,7 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: nginx-config
+ namespace: nginx-ingress
+data:
+ set-real-ip-from: "0.0.0.0/0"

tests/data/access-control/standard/virtual-server.yaml

@@ -0,0 +1,20 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+ name: virtual-server
+spec:
+ host: virtual-server.example.com
+ upstreams:
+ - name: backend2
+ service: backend2-svc
+ port: 80
+ - name: backend1
+ service: backend1-svc
+ port: 80
+ routes:
+ - path: "/backend1"
+ action:
+ pass: backend1
+ - path: "/backend2"
+ action:
+ pass: backend2

tests/data/access-control/virtual-server-allow.yaml

@@ -0,0 +1,22 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+ name: virtual-server
+spec:
+ host: virtual-server.example.com
+ policies:
+ - name: allow-policy
+ upstreams:
+ - name: backend2
+ service: backend2-svc
+ port: 80
+ - name: backend1
+ service: backend1-svc
+ port: 80
+ routes:
+ - path: "/backend1"
+ action:
+ pass: backend1
+ - path: "/backend2"
+ action:
+ pass: backend2

tests/data/access-control/virtual-server-deny.yaml

@@ -0,0 +1,22 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+ name: virtual-server
+spec:
+ host: virtual-server.example.com
+ policies:
+ - name: deny-policy
+ upstreams:
+ - name: backend2
+ service: backend2-svc
+ port: 80
+ - name: backend1
+ service: backend1-svc
+ port: 80
+ routes:
+ - path: "/backend1"
+ action:
+ pass: backend1
+ - path: "/backend2"
+ action:
+ pass: backend2

tests/data/access-control/virtual-server-invalid.yaml

@@ -0,0 +1,22 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+ name: virtual-server
+spec:
+ host: virtual-server.example.com
+ policies:
+ - name: invalid-policy
+ upstreams:
+ - name: backend2
+ service: backend2-svc
+ port: 80
+ - name: backend1
+ service: backend1-svc
+ port: 80
+ routes:
+ - path: "/backend1"
+ action:
+ pass: backend1
+ - path: "/backend2"
+ action:
+ pass: backend2

tests/data/access-control/virtual-server-override.yaml

@@ -0,0 +1,23 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+ name: virtual-server
+spec:
+ host: virtual-server.example.com
+ policies:
+ - name: deny-policy
+ - name: allow-policy
+ upstreams:
+ - name: backend2
+ service: backend2-svc
+ port: 80
+ - name: backend1
+ service: backend1-svc
+ port: 80
+ routes:
+ - path: "/backend1"
+ action:
+ pass: backend1
+ - path: "/backend2"
+ action:
+ pass: backend2

tests/pytest.ini

@@ -4,6 +4,7 @@ log_cli=true
 markers =
  smoke: marks test as a Smoke test
  vsr: mark test as a VirtualServerRoute test
+ policies: mark test as an AccessControl policy test
  vs: mark test as a VirtualServer test
  ingresses: mark test as an Ingresses test
  skip_for_nginx_oss: mark test as an Nginx Plus only test

tests/suite/custom_resources_utils.py

@@ -88,6 +88,81 @@ def read_crd(custom_objects: CustomObjectsApi, namespace, plural, name) -> objec
  raise
 
 
+def create_policy_from_yaml(
+ custom_objects: CustomObjectsApi, yaml_manifest, namespace
+) -> str:
+ """
+ Create a Policy based on yaml file.
+
+ :param custom_objects: CustomObjectsApi
+ :param yaml_manifest: an absolute path to file
+ :param namespace:
+ :return: str
+ """
+ print("Create a Policy:")
+ with open(yaml_manifest) as f:
+ dep = yaml.safe_load(f)
+ try:
+ custom_objects.create_namespaced_custom_object(
+ "k8s.nginx.org", "v1alpha1", namespace, "policies", dep
+ )
+ print(f"Policy created with name '{dep['metadata']['name']}'")
+ return dep["metadata"]["name"]
+ except ApiException as ex:
+ logging.exception(
+ f"Exception: {ex} occured while creating Policy: {dep['metadata']['name']}"
+ )
+ raise
+
+
+def delete_policy(custom_objects: CustomObjectsApi, name, namespace) -> None:
+ """
+ Delete a Policy.
+
+ :param custom_objects: CustomObjectsApi
+ :param namespace: namespace
+ :param name:
+ :return:
+ """
+ print(f"Delete a Policy: {name}")
+ delete_options = client.V1DeleteOptions()
+
+ custom_objects.delete_namespaced_custom_object(
+ "k8s.nginx.org", "v1alpha1", namespace, "policies", name, delete_options
+ )
+ ensure_item_removal(
+ custom_objects.get_namespaced_custom_object,
+ "k8s.nginx.org",
+ "v1alpha1",
+ namespace,
+ "policies",
+ name,
+ )
+ print(f"Policy was removed with name '{name}'")
+
+
+def read_policy(custom_objects: CustomObjectsApi, namespace, name) -> object:
+ """
+ Get policy information (kubectl describe output)
+
+ :param custom_objects: CustomObjectsApi
+ :param namespace: The policy's namespace 
+ :param name: policy's name
+ :return: object
+ """
+ print(f"Getting info for policy {name} in namespace {namespace}")
+ try:
+ response = custom_objects.get_namespaced_custom_object(
+ "k8s.nginx.org", "v1alpha1", namespace, "policies", name
+ )
+ pprint(response)
+ return response
+
+ except ApiException as ex:
+ logging.exception(f"Exception occured: {ex} while getting reading Policy")
+ raise
+
+
 def create_virtual_server_from_yaml(
  custom_objects: CustomObjectsApi, yaml_manifest, namespace
 ) -> str:

tests/suite/fixtures.py

@@ -304,6 +304,7 @@ def crd_ingress_controller(cli_arguments, kube_apis, ingress_controller_prerequi
  name = "nginx-ingress"
  vs_crd_name = get_name_from_yaml(f"{DEPLOYMENTS}/common/vs-definition.yaml")
  vsr_crd_name = get_name_from_yaml(f"{DEPLOYMENTS}/common/vsr-definition.yaml")
+ pol_crd_name = get_name_from_yaml(f"{DEPLOYMENTS}/common/policy-definition.yaml")
  ts_crd_name = get_name_from_yaml(f"{DEPLOYMENTS}/common/ts-definition.yaml")
  gc_crd_name = get_name_from_yaml(f"{DEPLOYMENTS}/common/gc-definition.yaml")
 
@@ -316,6 +317,8 @@ def crd_ingress_controller(cli_arguments, kube_apis, ingress_controller_prerequi
  f"{DEPLOYMENTS}/common/vs-definition.yaml")
  create_crd_from_yaml(kube_apis.api_extensions_v1_beta1, vsr_crd_name,
  f"{DEPLOYMENTS}/common/vsr-definition.yaml")
+ create_crd_from_yaml(kube_apis.api_extensions_v1_beta1, pol_crd_name,
+ f"{DEPLOYMENTS}/common/policy-definition.yaml")
  create_crd_from_yaml(kube_apis.api_extensions_v1_beta1, ts_crd_name,
  f"{DEPLOYMENTS}/common/ts-definition.yaml")
  create_crd_from_yaml(kube_apis.api_extensions_v1_beta1, gc_crd_name,
@@ -331,6 +334,7 @@ def crd_ingress_controller(cli_arguments, kube_apis, ingress_controller_prerequi
  print(f"Failed to complete CRD IC fixture: {ex}\nClean up the cluster as much as possible.")
  delete_crd(kube_apis.api_extensions_v1_beta1, vs_crd_name)
  delete_crd(kube_apis.api_extensions_v1_beta1, vsr_crd_name)
+ delete_crd(kube_apis.api_extensions_v1_beta1, pol_crd_name)
  delete_crd(kube_apis.api_extensions_v1_beta1, ts_crd_name)
  delete_crd(kube_apis.api_extensions_v1_beta1, gc_crd_name)
  print("Restore the ClusterRole:")
@@ -341,6 +345,7 @@ def crd_ingress_controller(cli_arguments, kube_apis, ingress_controller_prerequi
  def fin():
  delete_crd(kube_apis.api_extensions_v1_beta1, vs_crd_name)
  delete_crd(kube_apis.api_extensions_v1_beta1, vsr_crd_name)
+ delete_crd(kube_apis.api_extensions_v1_beta1, pol_crd_name)
  delete_crd(kube_apis.api_extensions_v1_beta1, ts_crd_name)
  delete_crd(kube_apis.api_extensions_v1_beta1, gc_crd_name)
  print("Restore the ClusterRole:")