From c3b73ead34a0eb615cf6b3d42875ab8d071eef12 Mon Sep 17 00:00:00 2001
From: David Cheung
Date: Wed, 18 Oct 2023 20:19:46 +0000
Subject: [PATCH] Add test for ingress-cloudarmor.
* Add test for ingress-cloudarmor.
---
 .../ingress-cloudarmor/cleanup.sh | 45 ++++++++++++++++++
 .../ingress-cloudarmor/run-test.sh | 35 ++++++++++++++
 .../ingress-cloudarmor/setup.sh | 46 +++++++++++++++++++
 3 files changed, 126 insertions(+)
 create mode 100755 ingress/single-cluster/ingress-cloudarmor/cleanup.sh
 create mode 100755 ingress/single-cluster/ingress-cloudarmor/run-test.sh
 create mode 100755 ingress/single-cluster/ingress-cloudarmor/setup.sh
diff --git a/ingress/single-cluster/ingress-cloudarmor/cleanup.sh b/ingress/single-cluster/ingress-cloudarmor/cleanup.sh
new file mode 100755
index 00000000..f510fbf3
--- /dev/null
+++ b/ingress/single-cluster/ingress-cloudarmor/cleanup.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+test_name="ingress-cloudarmor"
+context=$(get_context "${test_name}")
+
+if [[ ! -z "${context}" ]]; then
+ ingress_name="cloudarmor-test"
+ fr=$(get_forwarding_rule "${ingress_name}" "${test_name}" "${context}")
+ thp=$(get_target_http_proxy "${ingress_name}" "${test_name}" "${context}")
+ thsp=$(get_target_https_proxy "${ingress_name}" "${test_name}" "${context}")
+ um=$(get_url_map "${ingress_name}" "${test_name}" "${context}")
+ backends=$(get_backends "${ingress_name}" "${test_name}" "${context}")
+ negs=$(get_negs "${context}")
+
+ resource_yaml="ingress/single-cluster/ingress-cloudarmor/cloudarmor-ingress.yaml"
+ kubectl --context "${context}" delete -f "${resource_yaml}" -n "${test_name}" || true
+ sed -i'.bak' "s/allow-my-ip/\$POLICY_NAME/g" "${resource_yaml}"
+ rm -f "${resource_yaml}".bak
+ wait_for_glbc_deletion "${fr}" "${thp}" "${thsp}" "${um}" "${backends}" "${negs}"
+ kubectl --context "${context}" delete namespace "${test_name}" || true
+fi
+
+gcloud compute security-policies delete allow-my-ip --quiet || true
+
+cleanup_gke_basic "${test_name}" "${ZONE}" "${REGION}"
diff --git a/ingress/single-cluster/ingress-cloudarmor/run-test.sh b/ingress/single-cluster/ingress-cloudarmor/run-test.sh
new file mode 100755
index 00000000..b6083af3
--- /dev/null
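Review bot: The Cloud Armor policy name is spelled out as a literal twice in cleanup.sh (the `sed` pattern `s/allow-my-ip/\$POLICY_NAME/g` and `gcloud compute security-policies delete allow-my-ip --quiet || true`) while setup.sh keeps it in `policy_name`; if one side is ever renamed, the `|| true` makes cleanup silently leave the security policy and a mutated `cloudarmor-ingress.yaml` behind. Define `policy_name="allow-my-ip"` next to `test_name` and use `"s/${policy_name}/\$POLICY_NAME/g"` and `gcloud compute security-policies delete "${policy_name}" --quiet || true` so setup and cleanup cannot drift apart. The `if [[ ! -z "${context}" ]]` test reads more naturally as `if [[ -n "${context}" ]]`.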
+++ b/ingress/single-cluster/ingress-cloudarmor/run-test.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+test_name="ingress-cloudarmor"
+context=$(get_context "${test_name}")
+
+if [[ -z "${context}" ]]; then
+ exit 1
+fi
+
+vip=$(wait_for_ingress_ip "cloudarmor-test" "${test_name}" "${context}")
+
+check_http_status "${vip}/whereami" 200
+check_http_status "${vip}" 404
+check_http_status "${vip}/whereami" 502 "" "${test_name}" "${ZONE}"
+check_http_status "${vip}" 404 "" "${test_name}" "${ZONE}"
diff --git a/ingress/single-cluster/ingress-cloudarmor/setup.sh b/ingress/single-cluster/ingress-cloudarmor/setup.sh
new file mode 100755
index 00000000..b81c28ec
--- /dev/null
+++ b/ingress/single-cluster/ingress-cloudarmor/setup.sh
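Review bot: Nothing checks that `vip` is non-empty before it is spliced into the probe URLs; `set -o errexit` only catches a non-zero exit from `wait_for_ingress_ip`, so an empty-but-successful result would make `check_http_status "/whereami" 200` probe a meaningless target rather than fail fast. Add `[[ -n "${vip}" ]] || exit 1` after the assignment. The four `check_http_status` calls are also undocumented, and the pair with the trailing `"${test_name}" "${ZONE}"` arguments is the actual Cloud Armor assertion (presumably a probe issued from inside the zone, whose source IP is not on the allow rule, hence the expected 502); a comment such as `# First pair: from the test runner's IP (allowed by the policy). Second pair: from a source inside the zone, expected to hit the deny-502 default rule.` would make the intent clear to the next reader. I cannot see `check_http_status` in this hunk, so the meaning of its extra parameters is inferred.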
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+test_name="ingress-cloudarmor"
+setup_gke_basic "${test_name}" "${ZONE}" "${REGION}"
+context=$(get_context "${test_name}")
+
+if [[ -z "${context}" ]]; then
+ exit 1
+fi
+
+kubectl --context "${context}" create namespace "${test_name}"
+
+currentIP=$(curl -s ifconfig.me)
+policy_name="allow-my-ip"
+gcloud compute security-policies create "${policy_name}"
+gcloud compute security-policies rules update 2147483647 \
+ --security-policy "${policy_name}" \
+ --action "deny-502" # Update the default policy(2147483647 is the priority value for default rule).
+gcloud compute security-policies rules create 1000 \
+ --security-policy "${policy_name}" \
+ --src-ip-ranges "${currentIP}" \
+ --action "allow"
+
+resource_yaml="ingress/single-cluster/ingress-cloudarmor/cloudarmor-ingress.yaml"
+sed -i'.bak' "s/\$POLICY_NAME/${policy_name}/g" "${resource_yaml}"
+kubectl --context "${context}" apply -f "${resource_yaml}" -n "${test_name}"
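Review bot: `currentIP=$(curl -s ifconfig.me)` takes the source range of the Cloud Armor allow rule from an unauthenticated plain-HTTP third-party response and passes it straight into `--src-ip-ranges` without any validation; with `-s` and no `-f`, a captive portal, proxy error page or tampered reply is captured with exit status 0, so the policy is created from whatever text came back instead of the script failing. Fetch over TLS and fail on HTTP errors with `currentIP=$(curl -fsS https://ifconfig.me)`, then gate the value before it reaches gcloud with `[[ "${currentIP}" =~ ^[0-9]+(\.[0-9]+){3}$ ]] || exit 1`. Note that this is the runner's egress address as seen from the internet, which behind a shared NAT may be broader than the single machine running the test; a comment stating that assumption, `# Allow only the test runner's public egress IP; everything else hits the deny-502 default rule.`, would help whoever runs this outside the original CI environment.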