router: validate ingress compatibility with namespace filtering

Author: marun

test/integration/router/router_http_server.go

@@ -30,10 +30,14 @@ func GetDefaultLocalAddress() string {
 	return addr
 }
 
+func NewTestHttpService() *TestHttpService {
+	return NewTestHttpServiceExtended("")
+}
+
 // NewTestHttpServer creates a new TestHttpService using default locations for listening address
 // as well as default certificates.  New channels will be initialized which can be used by test clients
 // to feed events through the server to anything listening.
-func NewTestHttpService() *TestHttpService {
+func NewTestHttpServiceExtended(namespaceListResponse string) *TestHttpService {
 	endpointChannel := make(chan string)
 	routeChannel := make(chan string)
 	ingressChannel := make(chan string)
@@ -48,21 +52,27 @@ func NewTestHttpService() *TestHttpService {
 	alternatePodHttpAddr := fmt.Sprintf("%s:8889", addr)
 	podHttpsAddr := fmt.Sprintf("%s:8443", addr)
 
+	// Ensure an empty namespace response is valid json
+	if namespaceListResponse == "" {
+		namespaceListResponse = "{}"
+	}
+
 	return &TestHttpService{
-		MasterHttpAddr:       masterHttpAddr,
-		PodHttpAddr:          podHttpAddr,
-		AlternatePodHttpAddr: alternatePodHttpAddr,
-		PodHttpsAddr:         podHttpsAddr,
-		PodTestPath:          "test",
-		PodHttpsCert:         []byte(Example2Cert),
-		PodHttpsKey:          []byte(Example2Key),
-		PodHttpsCaCert:       []byte(ExampleCACert),
-		EndpointChannel:      endpointChannel,
-		RouteChannel:         routeChannel,
-		IngressChannel:       ingressChannel,
-		SecretChannel:        secretChannel,
-		NodeChannel:          nodeChannel,
-		SvcChannel:           svcChannel,
+		MasterHttpAddr:        masterHttpAddr,
+		PodHttpAddr:           podHttpAddr,
+		AlternatePodHttpAddr:  alternatePodHttpAddr,
+		PodHttpsAddr:          podHttpsAddr,
+		PodTestPath:           "test",
+		PodHttpsCert:          []byte(Example2Cert),
+		PodHttpsKey:           []byte(Example2Key),
+		PodHttpsCaCert:        []byte(ExampleCACert),
+		EndpointChannel:       endpointChannel,
+		RouteChannel:          routeChannel,
+		IngressChannel:        ingressChannel,
+		SecretChannel:         secretChannel,
+		NodeChannel:           nodeChannel,
+		SvcChannel:            svcChannel,
+		NamespaceListResponse: namespaceListResponse,
 	}
 }
 
@@ -90,6 +100,8 @@ type TestHttpService struct {
 	NodeChannel          chan string
 	SvcChannel           chan string
 
+	NamespaceListResponse string
+
 	listeners []net.Listener
 }
 
@@ -143,6 +155,14 @@ func (s *TestHttpService) handleHelloPodTestSecure(w http.ResponseWriter, r *htt
 	fmt.Fprint(w, HelloPodPathSecure)
 }
 
+// handleNamespaceList handles calls to /api/v1/namespaces/* and returns a canned response
+func (s *TestHttpService) handleNamespaceList(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	glog.Errorf("Returning response: %s", s.NamespaceListResponse)
+
+	fmt.Fprint(w, s.NamespaceListResponse)
+}
+
 // handleSvcList handles calls to /api/v1beta1/services and always returns empty data
 func (s *TestHttpService) handleSvcList(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
@@ -263,6 +283,7 @@ func (s *TestHttpService) startMaster() error {
 	apis := []string{"v1"}
 
 	for _, version := range apis {
+		masterServer.HandleFunc(fmt.Sprintf("/api/%s/namespaces/", version), s.handleNamespaceList)
 		masterServer.HandleFunc(fmt.Sprintf("/api/%s/endpoints", version), s.handleEndpointList)
 		masterServer.HandleFunc(fmt.Sprintf("/api/%s/watch/endpoints", version), s.handleEndpointWatch)
 		masterServer.HandleFunc(fmt.Sprintf("/oapi/%s/routes", version), s.handleRouteList)

test/integration/router_test.go

@@ -20,8 +20,10 @@ import (
 
 	kapi "k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/api/unversioned"
+	kv1 "k8s.io/kubernetes/pkg/api/v1"
 	"k8s.io/kubernetes/pkg/apis/extensions"
 	"k8s.io/kubernetes/pkg/apis/extensions/v1beta1"
+	"k8s.io/kubernetes/pkg/runtime"
 	"k8s.io/kubernetes/pkg/util/intstr"
 	knet "k8s.io/kubernetes/pkg/util/net"
 	"k8s.io/kubernetes/pkg/util/wait"
@@ -37,6 +39,8 @@ import (
 const (
 	defaultRouterImage = "openshift/origin-haproxy-router"
 
+	defaultNamespace = "router-namespace"
+
 	tcWaitSeconds = 1
 
 	statsPort     = 1936
@@ -1275,13 +1279,20 @@ pgfj+yGLmkUw8JwgGH6xCUbHO+WBUFSlPf+Y50fJeO+OrjqPXAVKeSV3ZCwWjKT4
 u3YLAbyW/lHhOCiZu2iAI8AbmXem9lW6Tr7p/97s0w==
 -----END RSA PRIVATE KEY-----`
 
+// Constants used to default createAndStartRouterContainerExtended
+const (
+	defaultBindPortsAfterSync = false
+	defaultEnableIngress      = false
+	defaultNamespaceLabels    = ""
+)
+
 // createAndStartRouterContainer is responsible for deploying the router image in docker.  It assumes that all router images
 // will use a command line flag that can take --master which points to the master url
 func createAndStartRouterContainer(dockerCli *dockerClient.Client, masterIp string, routerStatsPort int, reloadInterval int) (containerId string, err error) {
-	return createAndStartRouterContainerExtended(dockerCli, masterIp, routerStatsPort, reloadInterval, false, false)
+	return createAndStartRouterContainerExtended(dockerCli, masterIp, routerStatsPort, reloadInterval, defaultBindPortsAfterSync, defaultEnableIngress, defaultNamespaceLabels)
 }
 
-func createAndStartRouterContainerExtended(dockerCli *dockerClient.Client, masterIp string, routerStatsPort int, reloadInterval int, bindPortsAfterSync, enableIngress bool) (containerId string, err error) {
+func createAndStartRouterContainerExtended(dockerCli *dockerClient.Client, masterIp string, routerStatsPort int, reloadInterval int, bindPortsAfterSync, enableIngress bool, namespaceLabels string) (containerId string, err error) {
 	ports := []string{"80", "443"}
 	if routerStatsPort > 0 {
 		ports = append(ports, fmt.Sprintf("%d", routerStatsPort))
@@ -1319,6 +1330,7 @@ func createAndStartRouterContainerExtended(dockerCli *dockerClient.Client, maste
 		fmt.Sprintf("DEFAULT_CERTIFICATE=%s\n%s", defaultCert, defaultKey),
 		fmt.Sprintf("ROUTER_BIND_PORTS_AFTER_SYNC=%s", strconv.FormatBool(bindPortsAfterSync)),
 		fmt.Sprintf("ROUTER_ENABLE_INGRESS=%s", strconv.FormatBool(enableIngress)),
+		fmt.Sprintf("NAMESPACE_LABELS=%s", namespaceLabels),
 	}
 
 	reloadIntVar := fmt.Sprintf("RELOAD_INTERVAL=%ds", reloadInterval)
@@ -1635,7 +1647,7 @@ func TestRouterBindsPortsAfterSync(t *testing.T) {
 
 	bindPortsAfterSync := true
 	reloadInterval := 1
-	routerId, err := createAndStartRouterContainerExtended(dockerCli, fakeMasterAndPod.MasterHttpAddr, statsPort, reloadInterval, bindPortsAfterSync, false)
+	routerId, err := createAndStartRouterContainerExtended(dockerCli, fakeMasterAndPod.MasterHttpAddr, statsPort, reloadInterval, bindPortsAfterSync, defaultEnableIngress, defaultNamespaceLabels)
 	if err != nil {
 		t.Fatalf("Error starting container %s : %v", getRouterImage(), err)
 	}
@@ -1696,10 +1708,12 @@ func TestRouterBindsPortsAfterSync(t *testing.T) {
 
 type routerIntegrationTest func(*testing.T, *tr.TestHttpService)
 
-func runRouterTest(t *testing.T, rit routerIntegrationTest) {
+func runRouterTest(t *testing.T, rit routerIntegrationTest, enableIngress bool, namespaceNames *[]string) {
+	namespaceLabels, namespaceListResponse := getNamespaceConfig(t, namespaceNames)
+
 	//create a server which will act as a user deployed application that
 	//serves http and https as well as act as a master to simulate watches
-	fakeMasterAndPod := tr.NewTestHttpService()
+	fakeMasterAndPod := tr.NewTestHttpServiceExtended(namespaceListResponse)
 	defer fakeMasterAndPod.Stop()
 
 	err := fakeMasterAndPod.Start()
@@ -1717,10 +1731,8 @@ func runRouterTest(t *testing.T, rit routerIntegrationTest) {
 	}
 
 	reloadInterval := 1
-	bindPortsAfterSync := false
-	enableIngress := true
 	routerId, err := createAndStartRouterContainerExtended(
-		dockerCli, fakeMasterAndPod.MasterHttpAddr, statsPort, reloadInterval, bindPortsAfterSync, enableIngress)
+		dockerCli, fakeMasterAndPod.MasterHttpAddr, statsPort, reloadInterval, defaultBindPortsAfterSync, enableIngress, namespaceLabels)
 
 	if err != nil {
 		t.Fatalf("Error starting container %s : %v", getRouterImage(), err)
@@ -1731,6 +1743,43 @@ func runRouterTest(t *testing.T, rit routerIntegrationTest) {
 	rit(t, fakeMasterAndPod)
 }
 
+func getNamespaceConfig(t *testing.T, namespaceNames *[]string) (namespaceLabels, namespaceListResponse string) {
+	if namespaceNames == nil {
+		return
+	}
+
+	key := "env"
+	value := "testing"
+
+	// If namespace names are provided (event an empty set), ensure
+	// namespace filtering is exercised by adding namespaces for the
+	// provided names with labels that the router will filter on.
+	namespaceLabels = fmt.Sprintf("%s=%s", key, value)
+
+	namespaceList := &kapi.NamespaceList{
+		ListMeta: unversioned.ListMeta{
+			ResourceVersion: fmt.Sprintf("%d", len(*namespaceNames)),
+		},
+		Items: []kapi.Namespace{},
+	}
+	for _, name := range *namespaceNames {
+		namespaceList.Items = append(namespaceList.Items, kapi.Namespace{
+			ObjectMeta: kapi.ObjectMeta{
+				Name:   name,
+				Labels: map[string]string{key: value},
+			},
+		})
+	}
+
+	obj, err := runtime.Encode(kapi.Codecs.LegacyCodec(kv1.SchemeGroupVersion), namespaceList)
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+	namespaceListResponse = string(obj)
+
+	return
+}
+
 // eventString marshals ingress events into a string.  A separate
 // method is required because ingress uses a different schema version
 // (v1beta1) than routes (v1).
@@ -1748,7 +1797,6 @@ func ingressConfiguredRouter(t *testing.T, fakeMasterAndPod *tr.TestHttpService)
 
 	routeAddress := getRouteAddress()
 
-	namespace := "my-namespace"
 	serviceName := "my-service"
 	host := "my.host"
 	path := fmt.Sprintf("/%s", fakeMasterAndPod.PodTestPath)
@@ -1758,7 +1806,7 @@ func ingressConfiguredRouter(t *testing.T, fakeMasterAndPod *tr.TestHttpService)
 		Object: &kapi.Endpoints{
 			ObjectMeta: kapi.ObjectMeta{
 				Name:      serviceName,
-				Namespace: namespace,
+				Namespace: defaultNamespace,
 			},
 			Subsets: []kapi.EndpointSubset{httpEndpoint},
 		},
@@ -1776,7 +1824,7 @@ func ingressConfiguredRouter(t *testing.T, fakeMasterAndPod *tr.TestHttpService)
 		Object: &kapi.Secret{
 			ObjectMeta: kapi.ObjectMeta{
 				Name:      secretName,
-				Namespace: namespace,
+				Namespace: defaultNamespace,
 			},
 			Data: map[string][]byte{
 				"tls.crt": []byte(defaultCert),
@@ -1791,7 +1839,7 @@ func ingressConfiguredRouter(t *testing.T, fakeMasterAndPod *tr.TestHttpService)
 		Object: &extensions.Ingress{
 			ObjectMeta: kapi.ObjectMeta{
 				Name:      "foo",
-				Namespace: namespace,
+				Namespace: defaultNamespace,
 			},
 			Spec: extensions.IngressSpec{
 				TLS: []extensions.IngressTLS{
@@ -1838,9 +1886,15 @@ func ingressConfiguredRouter(t *testing.T, fakeMasterAndPod *tr.TestHttpService)
 	if err := waitForRoute(url, host, "https", nil, tr.HelloPodPath); err != nil {
 		t.Fatalf("Error accessing secured ingress configured route: %v", err)
 	}
+
+	// TODO check that an ingress in a namespace not targeted by the router does not
+	// result in exposed routes.
 }
 
 // TestRouterIngress validates that an ingress resource can configure a router to expose a tls route.
 func TestIngressConfiguredRouter(t *testing.T) {
-	runRouterTest(t, ingressConfiguredRouter)
+	enableIngress := true
+	// Enable namespace filtering to allow validation of compatibility with ingress.
+	namespaceNames := []string{defaultNamespace}
+	runRouterTest(t, ingressConfiguredRouter, enableIngress, &namespaceNames)
 }