Merge pull request #170 from sawsa307/ingress-cloudarmor-test

Add test for ingress-cloudarmor.
GoogleCloudPlatform · Oct 26, 2023 · 3bbe0f8 · 3bbe0f8
2 parents cb4af2d + c3b73ea
commit 3bbe0f8
Show file tree

Hide file tree

Showing 3 changed files with 126 additions and 0 deletions.
diff --git a/ingress/single-cluster/ingress-cloudarmor/cleanup.sh b/ingress/single-cluster/ingress-cloudarmor/cleanup.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+test_name="ingress-cloudarmor"
+context=$(get_context "${test_name}")
+
+if [[ ! -z "${context}" ]]; then
+    ingress_name="cloudarmor-test"
+    fr=$(get_forwarding_rule "${ingress_name}" "${test_name}" "${context}")
+    thp=$(get_target_http_proxy "${ingress_name}" "${test_name}" "${context}")
+    thsp=$(get_target_https_proxy "${ingress_name}" "${test_name}" "${context}")
+    um=$(get_url_map "${ingress_name}" "${test_name}" "${context}")
+    backends=$(get_backends "${ingress_name}" "${test_name}" "${context}")
+    negs=$(get_negs "${context}")
+
+    resource_yaml="ingress/single-cluster/ingress-cloudarmor/cloudarmor-ingress.yaml"
+    kubectl --context "${context}" delete -f "${resource_yaml}" -n "${test_name}" || true
+    sed -i'.bak' "s/allow-my-ip/\$POLICY_NAME/g" "${resource_yaml}"
+    rm -f "${resource_yaml}".bak
+    wait_for_glbc_deletion "${fr}" "${thp}" "${thsp}" "${um}" "${backends}" "${negs}"
+    kubectl --context "${context}" delete namespace "${test_name}" || true
+fi
+
+gcloud compute security-policies delete allow-my-ip --quiet || true
+
+cleanup_gke_basic "${test_name}" "${ZONE}" "${REGION}"
diff --git a/ingress/single-cluster/ingress-cloudarmor/run-test.sh b/ingress/single-cluster/ingress-cloudarmor/run-test.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+test_name="ingress-cloudarmor"
+context=$(get_context "${test_name}")
+
+if [[ -z "${context}" ]]; then
+    exit 1
+fi
+
+vip=$(wait_for_ingress_ip "cloudarmor-test" "${test_name}" "${context}")
+
+check_http_status "${vip}/whereami" 200
+check_http_status "${vip}" 404
+check_http_status "${vip}/whereami" 502 "" "${test_name}" "${ZONE}"
+check_http_status "${vip}" 404 "" "${test_name}" "${ZONE}"
diff --git a/ingress/single-cluster/ingress-cloudarmor/setup.sh b/ingress/single-cluster/ingress-cloudarmor/setup.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+test_name="ingress-cloudarmor"
+setup_gke_basic "${test_name}" "${ZONE}" "${REGION}"
+context=$(get_context "${test_name}")
+
+if [[ -z "${context}" ]]; then
+    exit 1
+fi
+
+kubectl --context "${context}" create namespace "${test_name}"
+
+currentIP=$(curl -s ifconfig.me)
+policy_name="allow-my-ip"
+gcloud compute security-policies create "${policy_name}"
+gcloud compute security-policies rules update 2147483647 \
+    --security-policy "${policy_name}" \
+    --action "deny-502" # Update the default policy(2147483647 is the priority value for default rule).
+gcloud compute security-policies rules create 1000 \
+    --security-policy "${policy_name}" \
+    --src-ip-ranges "${currentIP}" \
+    --action "allow"
+
+resource_yaml="ingress/single-cluster/ingress-cloudarmor/cloudarmor-ingress.yaml"
+sed -i'.bak' "s/\$POLICY_NAME/${policy_name}/g" "${resource_yaml}"
+kubectl --context "${context}" apply -f "${resource_yaml}" -n "${test_name}"