From 682b985ba6148481a82271c2930452a3ec234687 Mon Sep 17 00:00:00 2001 From: Akshay Havile Date: Thu, 24 Oct 2024 13:43:42 +0530 Subject: [PATCH] AV-220793: Fix: Restricting FQDN functionality is not working as per expectation in openshift route update scenario (#1560) * AV-220793: Fix: Restricting FQDN functionality is not working as per expectation in openshift route update scenario * Changing docker registry address --- Makefile | 2 +- internal/k8s/controller.go | 13 +++- .../oshift_secure_route_test.go | 63 +++++++++++++++++++ 3 files changed, 74 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index a60b332c1..8d378b1a7 100755 --- a/Makefile +++ b/Makefile @@ -334,7 +334,7 @@ helmtests: -u root:root \ -v $(PWD)/helm/ako:/apps \ -v $(PWD)/tests/helmtests:/apps/tests \ - avi-buildops-docker-registry-02.eng.vmware.com:5000/avi-buildops/helmunittest/helm-unittest:3.11.1-0.3.0 . + avi-buildops-docker-registry-02.avilb.broadcom.net:5000/avi-buildops/helmunittest/helm-unittest:3.11.1-0.3.0 . .PHONY: gatewayapitests gatewayapitests: diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go index 2df8b3405..8dfb1d6c9 100644 --- a/internal/k8s/controller.go +++ b/internal/k8s/controller.go 
@@ -606,15 +606,22 @@ func AddRouteEventHandler(numWorkers uint32, c *AviController) cache.ResourceEve } if oldRoute.Spec.Host == newRoute.Spec.Host { // same hosts - isAccepted := isRouteAcceptedWithFQDNRestriction(key, newRoute) + isAccepted := true + if lib.AKOControlConfig().GetAKOFQDNReusePolicy() == lib.FQDNReusePolicyStrict { + isAccepted = isRouteAcceptedWithFQDNRestriction(key, newRoute) + } if isAccepted { c.workqueue[bkt].AddRateLimited(key) lib.IncrementQueueCounter(utils.ObjectIngestionLayer) utils.AviLog.Debugf("key: %s, msg: UPDATE", key) } } else { - isOldAccepted := isRouteAcceptedWithFQDNRestriction(key, oldRoute) - isNewAccepted := isRouteAcceptedWithFQDNRestriction(key, newRoute) + isOldAccepted := true + isNewAccepted := true + if lib.AKOControlConfig().GetAKOFQDNReusePolicy() == lib.FQDNReusePolicyStrict { + isOldAccepted = isRouteAcceptedWithFQDNRestriction(key, oldRoute) + isNewAccepted = isRouteAcceptedWithFQDNRestriction(key, newRoute) + } if !isOldAccepted && !isNewAccepted { // set status // update the status - already host claimed diff --git a/tests/oshiftroutetests/oshift_secure_route_test.go b/tests/oshiftroutetests/oshift_secure_route_test.go index 1c7c5dc6f..2692da3b5 100644 --- a/tests/oshiftroutetests/oshift_secure_route_test.go +++ b/tests/oshiftroutetests/oshift_secure_route_test.go @@ -20,6 +20,7 @@ import ( "time" "github.com/vmware/load-balancer-and-ingress-services-for-kubernetes/internal/cache" + "github.com/vmware/load-balancer-and-ingress-services-for-kubernetes/internal/lib" avinodes "github.com/vmware/load-balancer-and-ingress-services-for-kubernetes/internal/nodes" "github.com/vmware/load-balancer-and-ingress-services-for-kubernetes/pkg/utils" "github.com/vmware/load-balancer-and-ingress-services-for-kubernetes/tests/integrationtest" 
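Review bot: Both new gates in the update path of AddRouteEventHandler fail open. They start from `isAccepted := true` (and `isOldAccepted`/`isNewAccepted := true`) and call isRouteAcceptedWithFQDNRestriction only when the policy equals `lib.FQDNReusePolicyStrict`, so any other value from GetAKOFQDNReusePolicy() skips the host-claim check; if the getter can return an empty or unrecognised value, that case is accepted unchecked too. The check appears to be what keeps a route from taking a hostname that is already claimed, so the default deserves a comment at the first gate, for example `// FQDN claim check runs only under the strict reuse policy; every other policy value accepts the route unchecked.` The same condition is written out twice, and a small helper that takes the key and the route would keep the two branches from drifting apart. The handler's body starts and ends outside this hunk, so I cannot see whether the add path applies the same gate.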
@@ -1164,3 +1165,65 @@ func TestUpdateSecureRouteNoKeyCertToKeyCert(t *testing.T) {
 VerifySecureRouteDeletion(t, g, defaultModelName, 0, 0)
 TearDownTestForRoute(t, defaultModelName)
 }
+
+func TestSecureRouteMultiNamespaceWithStrictRestrictFqdn(t *testing.T) {
+ g := gomega.NewGomegaWithT(t)
+ lib.AKOControlConfig().SetAKOFQDNReusePolicy("strict")
+ integrationtest.DeleteNamespace("test")
+ SetUpTestForRoute(t, defaultModelName)
+ route1 := FakeRoute{Path: "/foo"}.SecureRoute()
+ _, err := OshiftClient.RouteV1().Routes(defaultNamespace).Create(context.TODO(), route1, metav1.CreateOptions{})
+ if err != nil {
+ t.Fatalf("error in adding route: %v", err)
+ }
+ defer integrationtest.DeleteNamespace("test")
+
+ integrationtest.CreateSVC(t, "test", "avisvc", corev1.ProtocolTCP, corev1.ServiceTypeClusterIP, false)
+ integrationtest.CreateEPorEPS(t, "test", "avisvc", false, false, "1.1.1")
+ route2 := FakeRoute{Namespace: "test", Path: "/bar"}.SecureRoute()
+ _, err = OshiftClient.RouteV1().Routes("test").Create(context.TODO(), route2, metav1.CreateOptions{})
+ if err != nil {
+ t.Fatalf("error in adding route: %v", err)
+ }
+
+ aviModel := ValidateSniModel(t, g, defaultModelName)
+
+ g.Expect(aviModel.(*avinodes.AviObjectGraph).GetAviVS()[0].SniNodes).To(gomega.HaveLen(1))
+ sniVS := aviModel.(*avinodes.AviObjectGraph).GetAviVS()[0].SniNodes[0]
+ g.Eventually(func() string {
+ sniVS = aviModel.(*avinodes.AviObjectGraph).GetAviVS()[0].SniNodes[0]
+ return sniVS.VHDomainNames[0]
+ }, 40*time.Second).Should(gomega.Equal(defaultHostname))
+
+ g.Expect(sniVS.CACertRefs).To(gomega.HaveLen(1))
+ g.Expect(sniVS.SSLKeyCertRefs).To(gomega.HaveLen(1))
+
+ g.Eventually(func() int {
+ sniVS = aviModel.(*avinodes.AviObjectGraph).GetAviVS()[0].SniNodes[0]
+ return len(sniVS.PoolRefs)
+ }, 40*time.Second).Should(gomega.Equal(1))
+ g.Expect(sniVS.HttpPolicyRefs).To(gomega.HaveLen(1))
+ g.Expect(sniVS.HttpPolicyRefs[0].HppMap).To(gomega.HaveLen(1))
+ g.Expect(sniVS.PoolGroupRefs).To(gomega.HaveLen(1))
+
+ for _, pool := range sniVS.PoolRefs {
+ if pool.Name != "cluster--default-foo.com_foo-foo-avisvc" {
+ t.Fatalf("Unexpected poolName found: %s", pool.Name)
+ }
+ }
+ for _, httpps := range sniVS.HttpPolicyRefs {
+ if httpps.Name != "cluster--default-foo.com" {
+ t.Fatalf("Unexpected http policyset found: %s", httpps.Name)
+ }
+ }
+
+ err = OshiftClient.RouteV1().Routes("test").Delete(context.TODO(), defaultRouteName, metav1.DeleteOptions{})
+ if err != nil {
+ t.Fatalf("Couldn't DELETE the route %v", err)
+ }
+ lib.AKOControlConfig().SetAKOFQDNReusePolicy("internamespaceallowed")
+ VerifySecureRouteDeletion(t, g, defaultModelName, 0, 0)
+ TearDownTestForRoute(t, defaultModelName)
+ integrationtest.DelSVC(t, "test", "avisvc")
+ integrationtest.DelEPorEPS(t, "test", "avisvc")
+}
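Review bot: The reset `lib.AKOControlConfig().SetAKOFQDNReusePolicy("internamespaceallowed")` near the end of TestSecureRouteMultiNamespaceWithStrictRestrictFqdn runs only when every earlier step passes, so any `t.Fatalf` or failed gomega assertion before it leaves the process-wide policy at "strict" for whichever test runs next. Registering the reset immediately after the set, e.g. `defer lib.AKOControlConfig().SetAKOFQDNReusePolicy("internamespaceallowed")`, keeps the restriction setting from leaking between tests. Separately, the test creates two routes and deletes one but, as far as this hunk shows, never updates a route, so the strict-policy branches added to the update handler in controller.go may not be exercised. An update step for both the same-host and changed-host cases, asserting that the second namespace's claim stays rejected, would cover the scenario named in the commit title. Using `lib.FQDNReusePolicyStrict` instead of the literal `"strict"` would also tie the test to the constant the handler compares against.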