diff --git a/policy-test/src/lib.rs b/policy-test/src/lib.rs
index 0b2b21ae72189..7b0385e46c0c8 100644
--- a/policy-test/src/lib.rs
+++ b/policy-test/src/lib.rs
@@ -8,9 +8,10 @@ pub mod grpc;
 pub mod outbound_api;
 pub mod web;
+use kube::runtime::wait::Condition;
 use linkerd_policy_controller_k8s_api::{
 self as k8s,
- policy::{httproute::ParentReference, EgressNetwork},
+ policy::{httproute::ParentReference, EgressNetwork, TrafficPolicy},
 ResourceExt,
 };
 use maplit::{btreemap, convert_args};
@@ -349,6 +350,17 @@ pub fn endpoints_ready(obj: Option<&k8s::Endpoints>) -> bool {
 false
 }
+pub fn egress_network_traffic_policy_is(
+ policy: TrafficPolicy,
+) -> impl Condition + 'static {
+ move |egress_net: Option<&EgressNetwork>| {
+ if let Some(egress_net) = &egress_net {
+ return egress_net.spec.traffic_policy == policy;
+ }
+ false
+ }
+}
+
 #[tracing::instrument(skip_all, fields(%pod, %container))]
 pub async fn logs(client: &kube::Client, ns: &str, pod: &str, container: &str) {
 let params = kube::api::LogParams {
diff --git a/policy-test/tests/e2e_egress_network.rs b/policy-test/tests/e2e_egress_network.rs
index 0cdf7410b171e..7892dd0230189 100644
--- a/policy-test/tests/e2e_egress_network.rs
+++ b/policy-test/tests/e2e_egress_network.rs
@@ -1,7 +1,9 @@
+use k8s::policy::TrafficPolicy;
 use linkerd_policy_controller_k8s_api as k8s;
 use linkerd_policy_test::{
- await_condition, await_gateway_route_status, await_tcp_route_status, await_tls_route_status,
- create, create_ready_pod, curl, endpoints_ready, update, web, with_temp_ns, LinkerdInject,
+ await_condition, await_egress_net_status, await_gateway_route_status, await_tcp_route_status,
+ await_tls_route_status, create, create_ready_pod, curl, egress_network_traffic_policy_is,
+ endpoints_ready, update, web, with_temp_ns, LinkerdInject,
 };
 #[tokio::test(flavor = "current_thread")]
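Review bot: The new public helper `egress_network_traffic_policy_is` in the second lib.rs hunk has no doc comment, and its name does not say that it looks only at the spec of the observed object. I would add `/// Satisfied once the EgressNetwork's spec.traffic_policy equals the given policy; status is not inspected.` so callers do not read it as a signal that the policy is being enforced. The closure body can also lose the early return and trailing `false`: `move |egress_net: Option<&EgressNetwork>| egress_net.is_some_and(|en| en.spec.traffic_policy == policy)`.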
@@ -23,6 +25,7 @@ async fn default_traffic_policy_http() {
 },
 )
 .await;
+ await_egress_net_status(&client, &ns, "egress").await;
 let curl = curl::Runner::init(&client, &ns).await;
 let allowed = curl
@@ -39,6 +42,13 @@ async fn default_traffic_policy_http() {
 // now modify the default traffic policy
 egress.spec.traffic_policy = k8s::policy::TrafficPolicy::Deny;
 update(&client, egress).await;
+ await_condition(
+ &client,
+ &ns,
+ "egress",
+ egress_network_traffic_policy_is(TrafficPolicy::Deny),
+ )
+ .await;
 let not_allowed = curl
 .run(
@@ -73,6 +83,7 @@ async fn default_traffic_policy_opaque() {
 },
 )
 .await;
+ await_egress_net_status(&client, &ns, "egress").await;
 let curl = curl::Runner::init(&client, &ns).await;
 let allowed = curl
@@ -89,6 +100,13 @@ async fn default_traffic_policy_opaque() {
 // now modify the default traffic policy
 egress.spec.traffic_policy = k8s::policy::TrafficPolicy::Deny;
 update(&client, egress).await;
+ await_condition(
+ &client,
+ &ns,
+ "egress",
+ egress_network_traffic_policy_is(TrafficPolicy::Deny),
+ )
+ .await;
 let not_allowed = curl
 .run(
@@ -123,6 +141,7 @@ async fn explicit_allow_http_route() {
 },
 )
 .await;
+ await_egress_net_status(&client, &ns, "egress").await;
 let curl = curl::Runner::init(&client, &ns).await;
 let not_allowed_get = curl
@@ -220,6 +239,7 @@ async fn explicit_allow_tls_route() {
 },
 )
 .await;
+ await_egress_net_status(&client, &ns, "egress").await;
 let curl = curl::Runner::init(&client, &ns).await;
 let not_allowed_httpbin = curl
@@ -325,6 +345,7 @@ async fn explicit_allow_tcp_route() {
 },
 )
 .await;
+ await_egress_net_status(&client, &ns, "egress").await;
 let curl = curl::Runner::init(&client, &ns).await;
 let not_allowed_httpbin = curl
@@ -429,6 +450,7 @@ async fn routing_back_to_cluster_http_route() {
 },
 )
 .await;
+ await_egress_net_status(&client, &ns, "egress").await;
 // Create the web pod and wait for it to be ready.
 tokio::join!(
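Review bot: The wait added after `update(&client, egress).await;` in default_traffic_policy_http (hunk at -39) and again in default_traffic_policy_opaque (hunk at -89) checks the same `spec.traffic_policy` field the test has just written, so it can presumably be satisfied as soon as the API server serves the updated object, before the policy controller has acted on the change. If so, the `not_allowed` curl that follows can still race, and an intermittently failing deny assertion tends to get retried or ignored, which would hide a real regression in egress enforcement. A stronger barrier would wait on something the controller writes after processing the new spec, for example a status condition tied to the updated generation if EgressNetwork exposes one. `await_egress_net_status` is defined outside this diff, so I cannot tell whether it already provides that. Both function bodies continue outside their hunks.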
@@ -534,6 +556,7 @@ async fn routing_back_to_cluster_tls_route() {
 },
 )
 .await;
+ await_egress_net_status(&client, &ns, "egress").await;
 // Create the web pod and wait for it to be ready.
 tokio::join!(
@@ -626,6 +649,7 @@ async fn routing_back_to_cluster_tcp_route() {
 },
 )
 .await;
+ await_egress_net_status(&client, &ns, "egress").await;
 // Create the web pod and wait for it to be ready.
 tokio::join!(