Make dynamic ASG test endpoint configurable

cloudfoundry · Sep 26, 2022 · c3f61ca · c3f61ca
1 parent ead15c9
commit c3f61ca
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -196,6 +196,13 @@ include_v3
 
 * `infrastructure`: The name of the infrastructure for the environment that the tests will run against. Must be either "vms" or "kubernetes". Defaults to "vms".
 
+* `dynamic_asg_test_config`: By default the Dynamic ASG test allows and blocks access to the Cloud Controller internal endpoint by toggling access for TCP requests on port 9024 to 10.0.0.0/8. To test dynamic ASGs against another endpoint and/or by toggling a different IP range, include `dynamic_asg_test_config` as an object with the following properties:
+  * `endpoint_host`: Hostname or IP for test endpoint to allow/block
+  * `endpoint_port`: Port for test endpoint to allow/block
+  * `endpoint_path`: HTTP Path for test endpoint to allow/block
+  * `endpoint_allow_ip_range`: IP range used for allowing and blocking access to the test endpoint. This can be a single IP address, a range like 192.0.2.0-192.0.2.50, or a CIDR block like 10.0.0.0/8.
+  * `expected_response_regex`: Regex to match expected response body from test endpoint
+
 #### Buildpack Names
 Many tests specify a buildpack when pushing an app, so that on diego the app staging process completes in less time. The default names for the buildpacks are as follows; if you have buildpacks with different names, you can override them by setting different names:
 

diff --git a/helpers/config/config.go b/helpers/config/config.go
@@ -86,6 +86,7 @@ type CatsConfig interface {
 	GetVolumeServiceCreateConfig() string
 
 	GetReporterConfig() reporterConfig
+	GetDynamicASGTestConfig() dynamicASGTestConfig
 
 	AsyncServiceOperationTimeoutDuration() time.Duration
 	BrokerStartTimeoutDuration() time.Duration

diff --git a/helpers/config/config_struct.go b/helpers/config/config_struct.go
@@ -114,7 +114,8 @@ type config struct {
 
 	NamePrefix *string `json:"name_prefix"`
 
-	ReporterConfig *reporterConfig `json:"reporter_config"`
+	ReporterConfig       *reporterConfig       `json:"reporter_config"`
+	DynamicASGTestConfig *dynamicASGTestConfig `json:"dynamic_asg_test_config"`
 
 	Infrastructure *string `json:"infrastructure"`
 }
@@ -125,6 +126,14 @@ type reporterConfig struct {
 	CustomTags        map[string]interface{} `json:"custom_tags"`
 }
 
+type dynamicASGTestConfig struct {
+	EndpointHost          string `json:"endpoint_host"`
+	EndpointPort          int    `json:"endpoint_port"`
+	EndpointPath          string `json:"endpoint_path"`
+	EndpointAllowIPRange  string `json:"endpoint_allow_ip_range"`
+	ExpectedResponseRegex string `json:"expected_response_regex"`
+}
+
 var defaults = config{}
 
 func ptrToString(str string) *string {
@@ -198,6 +207,15 @@ func getDefaults() config {
 	defaults.VolumeServiceCreateConfig = ptrToString("")
 
 	defaults.ReporterConfig = &reporterConfig{}
+	defaults.DynamicASGTestConfig = &dynamicASGTestConfig{
+		// By default run dynamic ASG test against internal
+		// Cloud Controller endpoint (port 9024)
+		ExpectedResponseRegex: "api_version",
+		EndpointAllowIPRange:  "10.0.0.0/0",
+		EndpointHost:          "cloud-controller-ng.service.cf.internal",
+		EndpointPath:          "/v2/info",
+		EndpointPort:          9024,
+	}
 
 	defaults.UseHttp = ptrToBool(false)
 	defaults.UseExistingUser = ptrToBool(false)
@@ -1097,6 +1115,16 @@ func (c *config) GetReporterConfig() reporterConfig {
 	return reporterConfig{}
 }
 
+func (c *config) GetDynamicASGTestConfig() dynamicASGTestConfig {
+	dynamicASGTestConfigFromConfig := c.DynamicASGTestConfig
+
+	if dynamicASGTestConfigFromConfig != nil {
+		return *dynamicASGTestConfigFromConfig
+	}
+
+	return dynamicASGTestConfig{}
+}
+
 func (c *config) RunningOnK8s() bool {
 	return *c.Infrastructure == "kubernetes"
 }
diff --git a/security_groups/dynamic_asgs.go b/security_groups/dynamic_asgs.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
+	"strconv"
 	"time"
 
 	. "github.com/cloudfoundry/cf-acceptance-tests/cats_suite_helpers"
@@ -51,7 +52,9 @@ var _ = Describe("Dynamic ASGs", func() {
 	})
 
 	It("applies ASGs wihout app restart", func() {
-		proxyRequestURL := fmt.Sprintf("%s%s.%s/https_proxy/cloud-controller-ng.service.cf.internal:9024/v2/info", Config.Protocol(), appName, Config.GetAppsDomain())
+		endpointHostPortPath := fmt.Sprintf("%s:%d%s", Config.GetDynamicASGTestConfig().EndpointHost, Config.GetDynamicASGTestConfig().EndpointPort, Config.GetDynamicASGTestConfig().EndpointPath)
+
+		proxyRequestURL := fmt.Sprintf("%s%s.%s/https_proxy/%s", Config.Protocol(), appName, Config.GetAppsDomain(), endpointHostPortPath)
 
 		client := &http.Client{
 			Transport: &http.Transport{
@@ -61,7 +64,7 @@ var _ = Describe("Dynamic ASGs", func() {
 			},
 		}
 
-		By("checking that our app can't initially reach cloud controller over internal address")
+		By(fmt.Sprintf("checking that our app can't initially reach %s", endpointHostPortPath))
 		resp, err := client.Get(proxyRequestURL)
 		Expect(err).NotTo(HaveOccurred())
 
@@ -72,14 +75,14 @@ var _ = Describe("Dynamic ASGs", func() {
 
 		By("binding a new security group")
 		dest := Destination{
-			IP:       "10.0.0.0/0",
-			Ports:    "9024", // internal cc port
+			IP:       Config.GetDynamicASGTestConfig().EndpointAllowIPRange,
+			Ports:    strconv.Itoa(Config.GetDynamicASGTestConfig().EndpointPort),
 			Protocol: "tcp",
 		}
 		securityGroupName = createSecurityGroup(dest)
 		bindSecurityGroup(securityGroupName, orgName, spaceName)
 
-		By("checking that our app can now reach cloud controller over internal address")
+		By(fmt.Sprintf("checking that our app can now reach %s", endpointHostPortPath))
 		Eventually(func() []byte {
 			resp, err = client.Get(proxyRequestURL)
 			Expect(err).NotTo(HaveOccurred())
@@ -88,12 +91,12 @@ var _ = Describe("Dynamic ASGs", func() {
 			Expect(err).ToNot(HaveOccurred())
 			resp.Body.Close()
 			return respBytes
-		}, 3*time.Minute).Should(MatchRegexp("api_version"))
+		}, 3*time.Minute).Should(MatchRegexp(Config.GetDynamicASGTestConfig().ExpectedResponseRegex))
 
 		By("unbinding the security group")
 		unbindSecurityGroup(securityGroupName, orgName, spaceName)
 
-		By("checking that our app can no longer reach cloud controller over internal address")
+		By(fmt.Sprintf("checking that our app can no longer reach %s", endpointHostPortPath))
 		Eventually(func() []byte {
 			resp, err = client.Get(proxyRequestURL)
 			Expect(err).NotTo(HaveOccurred())