From 91f374bfdabb1a68d2d5d5b15ce5c4dcfc656030 Mon Sep 17 00:00:00 2001 From: Hongliang Liu <75655411+hongliangl@users.noreply.github.com> Date: Tue, 26 Mar 2024 06:50:14 +0800 Subject: [PATCH] Fix L7 NetworkPolicy e2e test failure (#6138) After switching from `wait.PollImmediate` to `assert.Eventually` in #5843, the probe used to validate L7 NP enforcement was no longer correct. We improve the validation logic so that each iteration of the condition function in `assert.Eventually` only sends an HTTP probe once, instead of using a probe with its own retry mechanism. This fixes the issue. Fixes #6129 Signed-off-by: Hongliang Liu --- test/e2e/l7networkpolicy_test.go | 11 +++++++---- test/e2e/proxy_test.go | 6 ------ 2 files changed, 7 insertions(+), 10 deletions(-) diff --git a/test/e2e/l7networkpolicy_test.go b/test/e2e/l7networkpolicy_test.go index 730a968070f..4a21ff4e9c6 100644 --- a/test/e2e/l7networkpolicy_test.go +++ b/test/e2e/l7networkpolicy_test.go @@ -129,7 +129,8 @@ func probeL7NetworkPolicyHTTP(t *testing.T, data *TestData, serverPodName, clien // Verify that access to path /clientip is as expected. assert.Eventually(t, func() bool { - _, err := probeClientIPFromPod(data, clientPodName, agnhostContainerName, baseURL) + cmd := []string{"wget", "-O", "-", fmt.Sprintf("%s/%s", baseURL, "clientip"), "-T", "1"} + _, _, err := data.RunCommandFromPod(data.testNamespace, clientPodName, agnhostContainerName, cmd) if (allowHTTPPathClientIP && err != nil) || (!allowHTTPPathClientIP && err == nil) { return false } @@ -138,7 +139,8 @@ func probeL7NetworkPolicyHTTP(t *testing.T, data *TestData, serverPodName, clien // Verify that access to path /hostname is as expected. assert.Eventually(t, func() bool { - hostname, err := probeHostnameFromPod(data, clientPodName, agnhostContainerName, baseURL) + cmd := []string{"wget", "-O", "-", fmt.Sprintf("%s/%s", baseURL, "hostname"), "-T", "1"} + hostname, _, err := data.RunCommandFromPod(data.testNamespace, clientPodName, agnhostContainerName, cmd) if (allowHTTPPathHostname && err != nil) || (!allowHTTPPathHostname && err == nil) { return false } @@ -171,7 +173,8 @@ func probeL7NetworkPolicyHTTP(t *testing.T, data *TestData, serverPodName, clien func probeL7NetworkPolicyTLS(t *testing.T, data *TestData, clientPodName string, serverName string, canAccess bool) { url := fmt.Sprintf("https://%s", serverName) assert.Eventually(t, func() bool { - stdout, stderr, err := data.runWgetCommandFromTestPodWithRetry(clientPodName, data.testNamespace, agnhostContainerName, url, 5) + cmd := []string{"wget", "-O", "-", url, "-T", "5"} + stdout, stderr, err := data.RunCommandFromPod(data.testNamespace, clientPodName, agnhostContainerName, cmd) if canAccess && err != nil { t.Logf("Failed to access %s: %v\nStdout: %s\nStderr: %s\n", url, err, stdout, stderr) return false @@ -180,7 +183,7 @@ func probeL7NetworkPolicyTLS(t *testing.T, data *TestData, clientPodName string, return false } return true - }, 5*time.Second, time.Second) + }, 10*time.Second, time.Second) } func testL7NetworkPolicyHTTP(t *testing.T, data *TestData) { diff --git a/test/e2e/proxy_test.go b/test/e2e/proxy_test.go index 58dd59c61b8..e354ac4e8d3 100644 --- a/test/e2e/proxy_test.go +++ b/test/e2e/proxy_test.go @@ -113,12 +113,6 @@ func probeFromPod(data *TestData, pod, container string, url string) error { return err } -func probeHostnameFromPod(data *TestData, pod, container string, baseUrl string) (string, error) { - url := fmt.Sprintf("%s/%s", baseUrl, "hostname") - hostname, _, err := data.runWgetCommandFromTestPodWithRetry(pod, data.testNamespace, container, url, 5) - return hostname, err -} - func probeClientIPFromPod(data *TestData, pod, container string, baseUrl string) (string, error) { url := fmt.Sprintf("%s/%s", baseUrl, "clientip") hostPort, _, err := data.runWgetCommandFromTestPodWithRetry(pod, data.testNamespace, container, url, 5)