From c3f61ca556e0b8a7922a0e1c3e4704aee73e658a Mon Sep 17 00:00:00 2001
From: Peter Ellis Jones
Date: Mon, 26 Sep 2022 11:06:25 +0100
Subject: [PATCH] Make dynamic ASG test endpoint configurable
---
 README.md | 7 +++++++
 helpers/config/config.go | 1 +
 helpers/config/config_struct.go | 30 +++++++++++++++++++++++++++++-
 security_groups/dynamic_asgs.go | 17 ++++++++++-------
 4 files changed, 47 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 0145c2c89..2f5f90ef7 100644
--- a/README.md
+++ b/README.md
@@ -196,6 +196,13 @@ include_v3
 * `infrastructure`: The name of the infrastructure for the environment that the tests will run against. Must be either "vms" or "kubernetes". Defaults to "vms".
+* `dynamic_asg_test_config`: By default the Dynamic ASG test allows and blocks access to the Cloud Controller internal endpoint by toggling access for TCP requests on port 9024 to 10.0.0.0/8. To test dynamic ASGs against another endpoint and/or by toggling a different IP range, include `dynamic_asg_test_config` as an object with the following properties:
+ * `endpoint_host`: Hostname or IP for test endpoint to allow/block
+ * `endpoint_port`: Port for test endpoint to allow/block
+ * `endpoint_path`: HTTP Path for test endpoint to allow/block
+ * `endpoint_allow_ip_range`: IP range used for allowing and blocking access to the test endpoint. This can be a single IP address, a range like 192.0.2.0-192.0.2.50, or a CIDR block like 10.0.0.0/8.
+ * `expected_response_regex`: Regex to match expected response body from test endpoint
+
 #### Buildpack Names
 Many tests specify a buildpack when pushing an app, so that on diego the app staging process completes in less time. The default names for the buildpacks are as follows; if you have buildpacks with different names, you can override them by setting different names:
diff --git a/helpers/config/config.go b/helpers/config/config.go
index 4f26f18e8..964f20559 100644
--- a/helpers/config/config.go
+++ b/helpers/config/config.go
@@ -86,6 +86,7 @@ type CatsConfig interface {
 GetVolumeServiceCreateConfig() string
 GetReporterConfig() reporterConfig
+ GetDynamicASGTestConfig() dynamicASGTestConfig
 AsyncServiceOperationTimeoutDuration() time.Duration
 BrokerStartTimeoutDuration() time.Duration
diff --git a/helpers/config/config_struct.go b/helpers/config/config_struct.go
index 7726cc20f..5c6932d47 100644
--- a/helpers/config/config_struct.go
+++ b/helpers/config/config_struct.go
@@ -114,7 +114,8 @@ type config struct {
 NamePrefix *string `json:"name_prefix"`
- ReporterConfig *reporterConfig `json:"reporter_config"`
+ ReporterConfig *reporterConfig `json:"reporter_config"`
+ DynamicASGTestConfig *dynamicASGTestConfig `json:"dynamic_asg_test_config"`
 Infrastructure *string `json:"infrastructure"`
 }
@@ -125,6 +126,14 @@ type reporterConfig struct {
 CustomTags map[string]interface{} `json:"custom_tags"`
 }
+type dynamicASGTestConfig struct {
+ EndpointHost string `json:"endpoint_host"`
+ EndpointPort int `json:"endpoint_port"`
+ EndpointPath string `json:"endpoint_path"`
+ EndpointAllowIPRange string `json:"endpoint_allow_ip_range"`
+ ExpectedResponseRegex string `json:"expected_response_regex"`
+}
+
 var defaults = config{}
 func ptrToString(str string) *string {
@@ -198,6 +207,15 @@ func getDefaults() config {
 defaults.VolumeServiceCreateConfig = ptrToString("")
 defaults.ReporterConfig = &reporterConfig{}
+ defaults.DynamicASGTestConfig = &dynamicASGTestConfig{
+ // By default run dynamic ASG test against internal
+ // Cloud Controller endpoint (port 9024)
+ ExpectedResponseRegex: "api_version",
+ EndpointAllowIPRange: "10.0.0.0/0",
+ EndpointHost: "cloud-controller-ng.service.cf.internal",
+ EndpointPath: "/v2/info",
+ EndpointPort: 9024,
+ }
 defaults.UseHttp = ptrToBool(false)
 defaults.UseExistingUser = ptrToBool(false)
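Review bot: The new `dynamicASGTestConfig` type has no doc comment, and nothing in this diff checks a user-supplied `dynamic_asg_test_config` object for completeness, so an `endpoint_port` of 0, an empty `endpoint_host` or an unparsable `expected_response_regex` is accepted at load time and only surfaces later as a failed proxy request or regex match inside the test. If config_struct.go has a validation routine for the other fields (not visible in this hunk), it should cover these fields too. A comment such as `// dynamicASGTestConfig describes the endpoint the Dynamic ASG test reaches through the proxy app and the IP range the test security group opens for it.` would document the type.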
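Review bot: The default `EndpointAllowIPRange: "10.0.0.0/0"` in getDefaults() disagrees with the README text added in this same commit, which documents the default as `10.0.0.0/8`; a `/0` prefix length covers every IPv4 address rather than the 10/8 private range, so the security group the test binds opens the configured port to all destinations for that org and space. Either the README or the default is wrong: `EndpointAllowIPRange: "10.0.0.0/8"` matches the documentation and is the narrower rule, provided the internal Cloud Controller address actually falls in 10/8; otherwise the README should state the real default. The removed line in dynamic_asgs.go hard-coded the same `/0` value, so the width is pre-existing, but the commit now documents it inaccurately, and `10.0.0.0/0` is also a non-canonical CIDR (host bits set) that some validators may reject.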
@@ -1097,6 +1115,16 @@ func (c *config) GetReporterConfig() reporterConfig {
 return reporterConfig{}
 }
+func (c *config) GetDynamicASGTestConfig() dynamicASGTestConfig {
+ dynamicASGTestConfigFromConfig := c.DynamicASGTestConfig
+
+ if dynamicASGTestConfigFromConfig != nil {
+ return *dynamicASGTestConfigFromConfig
+ }
+
+ return dynamicASGTestConfig{}
+ }
+
 func (c *config) RunningOnK8s() bool {
 return *c.Infrastructure == "kubernetes"
 }
diff --git a/security_groups/dynamic_asgs.go b/security_groups/dynamic_asgs.go
index 9555bd1d1..324639303 100644
--- a/security_groups/dynamic_asgs.go
+++ b/security_groups/dynamic_asgs.go
@@ -5,6 +5,7 @@ import (
 "fmt"
 "io/ioutil"
 "net/http"
+ "strconv"
 "time"
 . "github.com/cloudfoundry/cf-acceptance-tests/cats_suite_helpers"
@@ -51,7 +52,9 @@ var _ = Describe("Dynamic ASGs", func() {
 })
 It("applies ASGs wihout app restart", func() {
- proxyRequestURL := fmt.Sprintf("%s%s.%s/https_proxy/cloud-controller-ng.service.cf.internal:9024/v2/info", Config.Protocol(), appName, Config.GetAppsDomain())
+ endpointHostPortPath := fmt.Sprintf("%s:%d%s", Config.GetDynamicASGTestConfig().EndpointHost, Config.GetDynamicASGTestConfig().EndpointPort, Config.GetDynamicASGTestConfig().EndpointPath)
+
+ proxyRequestURL := fmt.Sprintf("%s%s.%s/https_proxy/%s", Config.Protocol(), appName, Config.GetAppsDomain(), endpointHostPortPath)
 client := &http.Client{
 Transport: &http.Transport{
@@ -61,7 +64,7 @@ var _ = Describe("Dynamic ASGs", func() {
 },
 }
- By("checking that our app can't initially reach cloud controller over internal address")
+ By(fmt.Sprintf("checking that our app can't initially reach %s", endpointHostPortPath))
 resp, err := client.Get(proxyRequestURL)
 Expect(err).NotTo(HaveOccurred())
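Review bot: The intermediate `dynamicASGTestConfigFromConfig` local adds length without information; the getter reads more directly as `if c.DynamicASGTestConfig != nil {` / `return *c.DynamicASGTestConfig` / `}` followed by `return dynamicASGTestConfig{}`. If the sibling `GetReporterConfig` uses the same intermediate-variable shape (only its closing lines are in the hunk), keeping the pattern for consistency is defensible. The zero-value fallback yields an empty host and port 0, which the test then turns into a request for `:0`; the getDefaults() change makes the nil case unlikely, but a doc comment stating that a nil config yields the zero value would make the contract explicit.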
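Review bot: `Config.GetDynamicASGTestConfig()` is called three times on the new `endpointHostPortPath` line, and again in the `@@ -72` and `@@ -88` hunks below, each call copying the struct; fetching it once at the top of the `It` block, `asgCfg := Config.GetDynamicASGTestConfig()`, and using `asgCfg.EndpointHost`, `asgCfg.EndpointPort` and so on would read better and keep every check working from the same snapshot of the config. The path is appended verbatim after the port in `"%s:%d%s"`, so an `endpoint_path` configured without a leading slash yields `host:9024v2/info`, which the proxy cannot route; either normalise it, for example `"/" + strings.TrimPrefix(asgCfg.EndpointPath, "/")` (needs a `strings` import), or state the leading-slash requirement in the README entry. The enclosing `It` block continues past the hunk.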
@@ -72,14 +75,14 @@ var _ = Describe("Dynamic ASGs", func() {
 By("binding a new security group")
 dest := Destination{
- IP: "10.0.0.0/0",
- Ports: "9024", // internal cc port
+ IP: Config.GetDynamicASGTestConfig().EndpointAllowIPRange,
+ Ports: strconv.Itoa(Config.GetDynamicASGTestConfig().EndpointPort),
 Protocol: "tcp",
 }
 securityGroupName = createSecurityGroup(dest)
 bindSecurityGroup(securityGroupName, orgName, spaceName)
- By("checking that our app can now reach cloud controller over internal address")
+ By(fmt.Sprintf("checking that our app can now reach %s", endpointHostPortPath))
 Eventually(func() []byte {
 resp, err = client.Get(proxyRequestURL)
 Expect(err).NotTo(HaveOccurred())
@@ -88,12 +91,12 @@ var _ = Describe("Dynamic ASGs", func() {
 Expect(err).ToNot(HaveOccurred())
 resp.Body.Close()
 return respBytes
- }, 3*time.Minute).Should(MatchRegexp("api_version"))
+ }, 3*time.Minute).Should(MatchRegexp(Config.GetDynamicASGTestConfig().ExpectedResponseRegex))
 By("unbinding the security group")
 unbindSecurityGroup(securityGroupName, orgName, spaceName)
- By("checking that our app can no longer reach cloud controller over internal address")
+ By(fmt.Sprintf("checking that our app can no longer reach %s", endpointHostPortPath))
 Eventually(func() []byte {
 resp, err = client.Get(proxyRequestURL)
 Expect(err).NotTo(HaveOccurred())
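Review bot: `MatchRegexp(Config.GetDynamicASGTestConfig().ExpectedResponseRegex)` with an empty string matches any body, so if a user-supplied `dynamic_asg_test_config` ends up with `expected_response_regex` unset, the "can now reach" assertion passes on the proxy's error page as readily as on a real response and the test no longer proves the ASG took effect. Whether a partial object keeps the values from getDefaults() or replaces them wholesale depends on how the JSON is loaded, which is outside this diff; either way a guard before the `Eventually`, `Expect(Config.GetDynamicASGTestConfig().ExpectedResponseRegex).NotTo(BeEmpty())`, turns a vacuous pass into an explicit failure. The same holds for `EndpointAllowIPRange` in the `@@ -72` hunk, where an empty `IP` reaches `createSecurityGroup` unchecked. The `Eventually` for the "no longer reach" check continues past the end of the hunk.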