connectivity: Extend pod-to-pod encryption tests

Add L7 policy checks. Only for WG, while IPsec is currently suffering from cilium/cilium#33168. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Martynas Pumputis <m@lambda.lt>
cilium · Jun 18, 2024 · cf4696f · cf4696f
1 parent da6743c
commit cf4696f
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 0 deletions.
diff --git a/connectivity/builder/manifests/client-egress-l7-http-from-any.yaml b/connectivity/builder/manifests/client-egress-l7-http-from-any.yaml
@@ -0,0 +1,21 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: client-egress-l7-http-from-any
+spec:
+  description: "Allow client to GET on echo"
+  endpointSelector:
+    matchLabels:
+      kind: client
+  egress:
+  - toEndpoints:
+    - matchLabels:
+        kind: echo
+    toPorts:
+    - ports:
+      - port: "8080"
+        protocol: TCP
+      rules:
+        http:
+        - method: "GET"
+          path: "/$"
diff --git a/connectivity/builder/pod_to_pod_encryption.go b/connectivity/builder/pod_to_pod_encryption.go
@@ -4,11 +4,16 @@
 package builder
 
 import (
+	_ "embed"
+
 	"github.com/cilium/cilium-cli/connectivity/check"
 	"github.com/cilium/cilium-cli/connectivity/tests"
 	"github.com/cilium/cilium-cli/utils/features"
 )
 
+//go:embed manifests/client-egress-l7-http-from-any.yaml
+var clientsEgressL7HTTPFromAnyPolicyYAML string
+
 type podToPodEncryption struct{}
 
 func (t podToPodEncryption) build(ct *check.ConnectivityTest, _ map[string]string) {
@@ -19,4 +24,19 @@ func (t podToPodEncryption) build(ct *check.ConnectivityTest, _ map[string]strin
 		WithScenarios(
 			tests.PodToPodEncryption(features.RequireEnabled(features.EncryptionPod)),
 		)
+
+	newTest("pod-to-pod-with-l7-policy-encryption", ct).
+		WithCondition(func() bool { return !ct.Params().SingleNode }).
+		WithFeatureRequirements(
+			features.RequireEnabled(features.L7Proxy),
+			// Once https://github.com/cilium/cilium/issues/33168 is fixed, we
+			// can enable for IPsec too.
+			features.RequireMode(features.EncryptionPod, "wireguard"),
+		).
+		WithCiliumPolicy(clientsEgressL7HTTPFromAnyPolicyYAML).
+		WithCiliumPolicy(echoIngressL7HTTPFromAnywherePolicyYAML).
+		WithScenarios(
+			tests.PodToPodEncryption(features.RequireEnabled(features.EncryptionPod)),
+		)
+
 }