304 lines
10 KiB
Go
304 lines
10 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
//go:build !plan9
|
|
|
|
package main
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"testing"
|
|
|
|
"github.com/AlekSi/pointer"
|
|
"github.com/google/go-cmp/cmp"
|
|
"go.uber.org/zap"
|
|
corev1 "k8s.io/api/core/v1"
|
|
discoveryv1 "k8s.io/api/discovery/v1"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/apimachinery/pkg/types"
|
|
"sigs.k8s.io/controller-runtime/pkg/client"
|
|
"sigs.k8s.io/controller-runtime/pkg/client/fake"
|
|
tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
|
|
"tailscale.com/kube/egressservices"
|
|
"tailscale.com/tstest"
|
|
"tailscale.com/tstime"
|
|
)
|
|
|
|
func TestTailscaleEgressServices(t *testing.T) {
|
|
pg := &tsapi.ProxyGroup{
|
|
TypeMeta: metav1.TypeMeta{Kind: "ProxyGroup", APIVersion: "tailscale.com/v1alpha1"},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "foo",
|
|
UID: types.UID("1234-UID"),
|
|
},
|
|
Spec: tsapi.ProxyGroupSpec{
|
|
Replicas: pointer.To[int32](3),
|
|
Type: tsapi.ProxyGroupTypeEgress,
|
|
},
|
|
}
|
|
cm := &corev1.ConfigMap{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: pgEgressCMName("foo"),
|
|
Namespace: "operator-ns",
|
|
},
|
|
}
|
|
fc := fake.NewClientBuilder().
|
|
WithScheme(tsapi.GlobalScheme).
|
|
WithObjects(pg, cm).
|
|
WithStatusSubresource(pg).
|
|
Build()
|
|
zl, err := zap.NewDevelopment()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
clock := tstest.NewClock(tstest.ClockOpts{})
|
|
|
|
esr := &egressSvcsReconciler{
|
|
Client: fc,
|
|
logger: zl.Sugar(),
|
|
clock: clock,
|
|
tsNamespace: "operator-ns",
|
|
}
|
|
tailnetTargetFQDN := "foo.bar.ts.net."
|
|
svc := &corev1.Service{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "test",
|
|
Namespace: "default",
|
|
UID: types.UID("1234-UID"),
|
|
Annotations: map[string]string{
|
|
AnnotationTailnetTargetFQDN: tailnetTargetFQDN,
|
|
AnnotationProxyGroup: "foo",
|
|
},
|
|
},
|
|
Spec: corev1.ServiceSpec{
|
|
ExternalName: "placeholder",
|
|
Type: corev1.ServiceTypeExternalName,
|
|
Selector: nil,
|
|
Ports: []corev1.ServicePort{
|
|
{
|
|
Name: "http",
|
|
Protocol: "TCP",
|
|
Port: 80,
|
|
},
|
|
{
|
|
Name: "https",
|
|
Protocol: "TCP",
|
|
Port: 443,
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
t.Run("proxy_group_not_ready", func(t *testing.T) {
|
|
mustCreate(t, fc, svc)
|
|
expectReconciled(t, esr, "default", "test")
|
|
// Service should have EgressSvcValid condition set to Unknown.
|
|
svc.Status.Conditions = []metav1.Condition{condition(tsapi.EgressSvcValid, metav1.ConditionUnknown, reasonProxyGroupNotReady, reasonProxyGroupNotReady, clock)}
|
|
expectEqual(t, fc, svc, nil)
|
|
})
|
|
|
|
t.Run("proxy_group_ready", func(t *testing.T) {
|
|
mustUpdateStatus(t, fc, "", "foo", func(pg *tsapi.ProxyGroup) {
|
|
pg.Status.Conditions = []metav1.Condition{
|
|
condition(tsapi.ProxyGroupReady, metav1.ConditionTrue, "", "", clock),
|
|
}
|
|
})
|
|
expectReconciled(t, esr, "default", "test")
|
|
validateReadyService(t, fc, esr, svc, clock, zl, cm)
|
|
})
|
|
t.Run("service_retain_one_unnamed_port", func(t *testing.T) {
|
|
svc.Spec.Ports = []corev1.ServicePort{{Protocol: "TCP", Port: 80}}
|
|
mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
|
|
s.Spec.Ports = svc.Spec.Ports
|
|
})
|
|
expectReconciled(t, esr, "default", "test")
|
|
validateReadyService(t, fc, esr, svc, clock, zl, cm)
|
|
})
|
|
t.Run("service_add_two_named_ports", func(t *testing.T) {
|
|
svc.Spec.Ports = []corev1.ServicePort{{Protocol: "TCP", Port: 80, Name: "http"}, {Protocol: "TCP", Port: 443, Name: "https"}}
|
|
mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
|
|
s.Spec.Ports = svc.Spec.Ports
|
|
})
|
|
expectReconciled(t, esr, "default", "test")
|
|
validateReadyService(t, fc, esr, svc, clock, zl, cm)
|
|
})
|
|
t.Run("service_add_udp_port", func(t *testing.T) {
|
|
svc.Spec.Ports = append(svc.Spec.Ports, corev1.ServicePort{Port: 53, Protocol: "UDP", Name: "dns"})
|
|
mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
|
|
s.Spec.Ports = svc.Spec.Ports
|
|
})
|
|
expectReconciled(t, esr, "default", "test")
|
|
validateReadyService(t, fc, esr, svc, clock, zl, cm)
|
|
})
|
|
t.Run("service_change_protocol", func(t *testing.T) {
|
|
svc.Spec.Ports = []corev1.ServicePort{{Protocol: "TCP", Port: 80, Name: "http"}, {Protocol: "TCP", Port: 443, Name: "https"}, {Port: 53, Protocol: "TCP", Name: "tcp_dns"}}
|
|
mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
|
|
s.Spec.Ports = svc.Spec.Ports
|
|
})
|
|
expectReconciled(t, esr, "default", "test")
|
|
validateReadyService(t, fc, esr, svc, clock, zl, cm)
|
|
})
|
|
|
|
t.Run("delete_external_name_service", func(t *testing.T) {
|
|
name := findGenNameForEgressSvcResources(t, fc, svc)
|
|
if err := fc.Delete(context.Background(), svc); err != nil {
|
|
t.Fatalf("error deleting ExternalName Service: %v", err)
|
|
}
|
|
expectReconciled(t, esr, "default", "test")
|
|
// Verify that ClusterIP Service and EndpointSlice have been deleted.
|
|
expectMissing[corev1.Service](t, fc, "operator-ns", name)
|
|
expectMissing[discoveryv1.EndpointSlice](t, fc, "operator-ns", fmt.Sprintf("%s-ipv4", name))
|
|
// Verify that service config has been deleted from the ConfigMap.
|
|
mustNotHaveConfigForSvc(t, fc, svc, cm)
|
|
})
|
|
}
|
|
|
|
func validateReadyService(t *testing.T, fc client.WithWatch, esr *egressSvcsReconciler, svc *corev1.Service, clock *tstest.Clock, zl *zap.Logger, cm *corev1.ConfigMap) {
|
|
expectReconciled(t, esr, "default", "test")
|
|
// Verify that a ClusterIP Service has been created.
|
|
name := findGenNameForEgressSvcResources(t, fc, svc)
|
|
expectEqual(t, fc, clusterIPSvc(name, svc), removeTargetPortsFromSvc)
|
|
clusterSvc := mustGetClusterIPSvc(t, fc, name)
|
|
// Verify that an EndpointSlice has been created.
|
|
expectEqual(t, fc, endpointSlice(name, svc, clusterSvc), nil)
|
|
// Verify that ConfigMap contains configuration for the new egress service.
|
|
mustHaveConfigForSvc(t, fc, svc, clusterSvc, cm)
|
|
r := svcConfiguredReason(svc, true, zl.Sugar())
|
|
// Verify that the user-created ExternalName Service has Configured set to true and ExternalName pointing to the
|
|
// CluterIP Service.
|
|
svc.Status.Conditions = []metav1.Condition{
|
|
condition(tsapi.EgressSvcValid, metav1.ConditionTrue, "EgressSvcValid", "EgressSvcValid", clock),
|
|
condition(tsapi.EgressSvcConfigured, metav1.ConditionTrue, r, r, clock),
|
|
}
|
|
svc.ObjectMeta.Finalizers = []string{"tailscale.com/finalizer"}
|
|
svc.Spec.ExternalName = fmt.Sprintf("%s.operator-ns.svc.cluster.local", name)
|
|
expectEqual(t, fc, svc, nil)
|
|
|
|
}
|
|
|
|
func condition(typ tsapi.ConditionType, st metav1.ConditionStatus, r, msg string, clock tstime.Clock) metav1.Condition {
|
|
return metav1.Condition{
|
|
Type: string(typ),
|
|
Status: st,
|
|
LastTransitionTime: conditionTime(clock),
|
|
Reason: r,
|
|
Message: msg,
|
|
}
|
|
}
|
|
|
|
func findGenNameForEgressSvcResources(t *testing.T, client client.Client, svc *corev1.Service) string {
|
|
t.Helper()
|
|
labels := egressSvcChildResourceLabels(svc)
|
|
s, err := getSingleObject[corev1.Service](context.Background(), client, "operator-ns", labels)
|
|
if err != nil {
|
|
t.Fatalf("finding ClusterIP Service for ExternalName Service %s: %v", svc.Name, err)
|
|
}
|
|
if s == nil {
|
|
t.Fatalf("no ClusterIP Service found for ExternalName Service %q", svc.Name)
|
|
}
|
|
return s.GetName()
|
|
}
|
|
|
|
func clusterIPSvc(name string, extNSvc *corev1.Service) *corev1.Service {
|
|
labels := egressSvcChildResourceLabels(extNSvc)
|
|
return &corev1.Service{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: name,
|
|
Namespace: "operator-ns",
|
|
GenerateName: fmt.Sprintf("ts-%s-", extNSvc.Name),
|
|
Labels: labels,
|
|
},
|
|
Spec: corev1.ServiceSpec{
|
|
Type: corev1.ServiceTypeClusterIP,
|
|
Ports: extNSvc.Spec.Ports,
|
|
},
|
|
}
|
|
}
|
|
|
|
func mustGetClusterIPSvc(t *testing.T, cl client.Client, name string) *corev1.Service {
|
|
svc := &corev1.Service{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: name,
|
|
Namespace: "operator-ns",
|
|
},
|
|
}
|
|
if err := cl.Get(context.Background(), client.ObjectKeyFromObject(svc), svc); err != nil {
|
|
t.Fatalf("error retrieving Service")
|
|
}
|
|
return svc
|
|
}
|
|
|
|
func endpointSlice(name string, extNSvc, clusterIPSvc *corev1.Service) *discoveryv1.EndpointSlice {
|
|
labels := egressSvcChildResourceLabels(extNSvc)
|
|
labels[discoveryv1.LabelManagedBy] = "tailscale.com"
|
|
labels[discoveryv1.LabelServiceName] = name
|
|
return &discoveryv1.EndpointSlice{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: fmt.Sprintf("%s-ipv4", name),
|
|
Namespace: "operator-ns",
|
|
Labels: labels,
|
|
},
|
|
Ports: portsForEndpointSlice(clusterIPSvc),
|
|
AddressType: discoveryv1.AddressTypeIPv4,
|
|
}
|
|
}
|
|
|
|
func portsForEndpointSlice(svc *corev1.Service) []discoveryv1.EndpointPort {
|
|
ports := make([]discoveryv1.EndpointPort, 0)
|
|
for _, p := range svc.Spec.Ports {
|
|
ports = append(ports, discoveryv1.EndpointPort{
|
|
Name: &p.Name,
|
|
Protocol: &p.Protocol,
|
|
Port: pointer.ToInt32(p.TargetPort.IntVal),
|
|
})
|
|
}
|
|
return ports
|
|
}
|
|
|
|
func mustHaveConfigForSvc(t *testing.T, cl client.Client, extNSvc, clusterIPSvc *corev1.Service, cm *corev1.ConfigMap) {
|
|
t.Helper()
|
|
wantsCfg := egressSvcCfg(extNSvc, clusterIPSvc)
|
|
if err := cl.Get(context.Background(), client.ObjectKeyFromObject(cm), cm); err != nil {
|
|
t.Fatalf("Error retrieving ConfigMap: %v", err)
|
|
}
|
|
name := tailnetSvcName(extNSvc)
|
|
gotCfg := configFromCM(t, cm, name)
|
|
if gotCfg == nil {
|
|
t.Fatalf("No config found for service %q", name)
|
|
}
|
|
if diff := cmp.Diff(*gotCfg, wantsCfg); diff != "" {
|
|
t.Fatalf("unexpected config for service %q (-got +want):\n%s", name, diff)
|
|
}
|
|
}
|
|
|
|
func mustNotHaveConfigForSvc(t *testing.T, cl client.Client, extNSvc *corev1.Service, cm *corev1.ConfigMap) {
|
|
t.Helper()
|
|
if err := cl.Get(context.Background(), client.ObjectKeyFromObject(cm), cm); err != nil {
|
|
t.Fatalf("Error retrieving ConfigMap: %v", err)
|
|
}
|
|
name := tailnetSvcName(extNSvc)
|
|
gotCfg := configFromCM(t, cm, name)
|
|
if gotCfg != nil {
|
|
t.Fatalf("Config %#+v for service %q found when it should not be present", gotCfg, name)
|
|
}
|
|
}
|
|
|
|
func configFromCM(t *testing.T, cm *corev1.ConfigMap, svcName string) *egressservices.Config {
|
|
t.Helper()
|
|
cfgBs, ok := cm.BinaryData[egressservices.KeyEgressServices]
|
|
if !ok {
|
|
return nil
|
|
}
|
|
cfgs := &egressservices.Configs{}
|
|
if err := json.Unmarshal(cfgBs, cfgs); err != nil {
|
|
t.Fatalf("error unmarshalling config: %v", err)
|
|
}
|
|
cfg, ok := (*cfgs)[svcName]
|
|
if ok {
|
|
return &cfg
|
|
}
|
|
return nil
|
|
}
|