diff --git a/proxy-init/cmd/root.go b/proxy-init/cmd/root.go index 47faf2b3b..0775a25aa 100644 --- a/proxy-init/cmd/root.go +++ b/proxy-init/cmd/root.go @@ -34,10 +34,8 @@ func NewRootCmd() *cobra.Command { cmd := &cobra.Command{ Use: "proxy-init", - Short: "Adds a Kubernetes pod to the Conduit Service Mesh", - Long: `proxy-init Adds a Kubernetes pod to the Conduit Service Mesh. - -Find more information at https://conduit.io/.`, + Short: "proxy-init adds a Kubernetes pod to the Linkerd service mesh", + Long: "proxy-init adds a Kubernetes pod to the Linkerd service mesh.", RunE: func(cmd *cobra.Command, args []string) error { config, err := buildFirewallConfiguration(options) if err != nil { diff --git a/proxy-init/integration_test/iptables/Dockerfile-tester b/proxy-init/integration_test/iptables/Dockerfile-tester index a15e56611..23f88f2ca 100644 --- a/proxy-init/integration_test/iptables/Dockerfile-tester +++ b/proxy-init/integration_test/iptables/Dockerfile-tester @@ -4,4 +4,4 @@ ADD iptables/ /go # Kubernetes Jobs will be retried until they return status 0, # so we need to output the status for processing but make sure # that the container exits with 0 -ENTRYPOINT cd /go && (go test -v ; echo "status:$?") +ENTRYPOINT cd /go && (go test -v -integration-tests; echo "status:$?") diff --git a/proxy-init/integration_test/iptables/http_test.go b/proxy-init/integration_test/iptables/http_test.go index ea448fe6a..bd1f1b755 100644 --- a/proxy-init/integration_test/iptables/http_test.go +++ b/proxy-init/integration_test/iptables/http_test.go @@ -1,6 +1,7 @@ package iptablestest import ( + "flag" "fmt" "io/ioutil" "net/http" 
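Review bot: The `-integration-tests` flag added to the ENTRYPOINT only takes effect once the tester image is rebuilt, yet run_tests.sh in this same change keeps `image: buoyantio/iptables-tester:v1` unchanged. If that tag is not republished from this Dockerfile, the Job runs the previous image, whose tests still wait for the `CONDUIT_INTEGRATION_TESTS_ENABLED` variable that run_tests.sh no longer sets, so every test skips and the Job still reports `status:0` as if all iptables checks had passed. Consider bumping the image tag together with this change, or making the ENTRYPOINT distinguish "no tests ran" from "all tests passed" before echoing the status, since `echo "status:$?"` collapses both into 0.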
@@ -11,35 +12,44 @@ import ( ) const ( - ignoredContainerPort = "7070" - proxyContainerPort = "8080" - notTheProxyContainerPort = "9090" - integrationTestsEnvironmentVariable = "CONDUIT_INTEGRATION_TESTS_ENABLED" + ignoredContainerPort = "7070" + proxyContainerPort = "8080" + notTheProxyContainerPort = "9090" ) +func TestMain(m *testing.M) { + runTests := flag.Bool("integration-tests", false, "must be provided to run the integration tests") + flag.Parse() + + if !*runTests { + fmt.Fprintln(os.Stderr, "integration tests not enabled: enable with -integration-tests") + os.Exit(0) + } + + os.Exit(m.Run()) +} + func TestPodWithNoRules(t *testing.T) { + t.Parallel() + podWithNoRulesIp := os.Getenv("POD_WITH_NO_RULES_IP") svcName := "svc-pod-with-no-rules" t.Run("succeeds connecting to pod directly through container's exposed port", func(t *testing.T) { - checkIfIntegrationTestsAreEnabled(t) expectSuccessfulGetRequestTo(t, podWithNoRulesIp, proxyContainerPort) }) t.Run("fails to connect to pod directly through any port that isn't the container's exposed port", func(t *testing.T) { - checkIfIntegrationTestsAreEnabled(t) expectCannotConnectGetRequestTo(t, podWithNoRulesIp, "8088") expectCannotConnectGetRequestTo(t, podWithNoRulesIp, "8888") expectCannotConnectGetRequestTo(t, podWithNoRulesIp, "8988") }) t.Run("succeeds connecting to pod via a service through container's exposed port", func(t *testing.T) { - checkIfIntegrationTestsAreEnabled(t) expectSuccessfulGetRequestTo(t, svcName, proxyContainerPort) }) t.Run("fails to connect to pod via a service through any port that isn't the container's exposed port", func(t *testing.T) { - checkIfIntegrationTestsAreEnabled(t) expectCannotConnectGetRequestTo(t, svcName, "8088") expectCannotConnectGetRequestTo(t, svcName, "8888") expectCannotConnectGetRequestTo(t, svcName, "8988") 
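Review bot: The `t.Parallel()` added at the top of TestPodWithNoRules (and of the other test functions in this file's later hunks) does not restore the concurrency the removed helper provided: `checkIfIntegrationTestsAreEnabled` called `t.Parallel()` on each subtest's `t`, so the `t.Run` closures ran concurrently with one another, whereas now only the parent functions are parallel and the subtests inside each run serially. If subtest-level parallelism was intended, add `t.Parallel()` as the first line of each `t.Run` closure; if the serialization is deliberate, a one-line comment saying so would help. Separately, the `os.Exit(0)` in TestMain when the flag is absent makes `go test` print `ok` for this package with nothing executed and only a stderr line as evidence; a package-level `var integrationTests = flag.Bool("integration-tests", false, "...")` with `if !*integrationTests { t.Skip("integration tests not enabled: enable with -integration-tests") }` at the top of each test would keep the skip visible in the test report.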
@@ -47,16 +57,16 @@ func TestPodWithNoRules(t *testing.T) { } func TestPodRedirectsAllPorts(t *testing.T) { + t.Parallel() + podRedirectsAllPortsIp := os.Getenv("POD_REDIRECTS_ALL_PORTS_IP") svcName := "svc-pod-redirects-all-ports" t.Run("succeeds connecting to pod directly through container's exposed port", func(t *testing.T) { - checkIfIntegrationTestsAreEnabled(t) expectSuccessfulGetRequestTo(t, podRedirectsAllPortsIp, proxyContainerPort) }) t.Run("succeeds connecting to pod directly through any port that isn't the container's exposed port", func(t *testing.T) { - checkIfIntegrationTestsAreEnabled(t) expectSuccessfulGetRequestTo(t, podRedirectsAllPortsIp, "8088") expectSuccessfulGetRequestTo(t, podRedirectsAllPortsIp, "8888") expectSuccessfulGetRequestTo(t, podRedirectsAllPortsIp, "8988") @@ -64,12 +74,10 @@ func TestPodRedirectsAllPorts(t *testing.T) { }) t.Run("succeeds connecting to pod via a service through container's exposed port", func(t *testing.T) { - checkIfIntegrationTestsAreEnabled(t) expectSuccessfulGetRequestTo(t, svcName, proxyContainerPort) }) t.Run("fails to connect to pod via a service through any port that isn't the container's exposed port", func(t *testing.T) { - checkIfIntegrationTestsAreEnabled(t) expectCannotConnectGetRequestTo(t, svcName, "8088") expectCannotConnectGetRequestTo(t, svcName, "8888") expectCannotConnectGetRequestTo(t, svcName, "8988") 
@@ -77,21 +85,20 @@ func TestPodRedirectsAllPorts(t *testing.T) { } func TestPodWithSomePortsRedirected(t *testing.T) { + t.Parallel() + podRedirectsSomePortsIp := os.Getenv("POD_REDIRECTS_WHITELISTED_IP") t.Run("succeeds connecting to pod directly through container's exposed port", func(t *testing.T) { - checkIfIntegrationTestsAreEnabled(t) expectSuccessfulGetRequestTo(t, podRedirectsSomePortsIp, proxyContainerPort) }) t.Run("succeeds connecting to pod directly through ports configured to redirect", func(t *testing.T) { - checkIfIntegrationTestsAreEnabled(t) expectSuccessfulGetRequestTo(t, podRedirectsSomePortsIp, "9090") expectSuccessfulGetRequestTo(t, podRedirectsSomePortsIp, "9099") }) t.Run("fails to connect to pod via through any port that isn't configured to redirect", func(t *testing.T) { - checkIfIntegrationTestsAreEnabled(t) expectCannotConnectGetRequestTo(t, podRedirectsSomePortsIp, "8088") expectCannotConnectGetRequestTo(t, podRedirectsSomePortsIp, "8888") expectCannotConnectGetRequestTo(t, podRedirectsSomePortsIp, "8988") @@ -99,21 +106,20 @@ func TestPodWithSomePortsRedirected(t *testing.T) { } func TestPodWithSomePortsIgnored(t *testing.T) { + t.Parallel() + podIgnoredSomePortsIp := os.Getenv("POD_DOEST_REDIRECT_BLACKLISTED_IP") t.Run("succeeds connecting to pod directly through container's exposed port", func(t *testing.T) { - checkIfIntegrationTestsAreEnabled(t) expectSuccessfulGetRequestTo(t, podIgnoredSomePortsIp, proxyContainerPort) }) t.Run("succeeds connecting to pod directly through ports configured to redirect", func(t *testing.T) { - checkIfIntegrationTestsAreEnabled(t) expectSuccessfulGetRequestTo(t, podIgnoredSomePortsIp, "9090") expectSuccessfulGetRequestTo(t, podIgnoredSomePortsIp, "9099") }) t.Run("doesnt redirect when through port that is ignored", func(t *testing.T) { - checkIfIntegrationTestsAreEnabled(t) response := expectSuccessfulGetRequestTo(t, podIgnoredSomePortsIp, ignoredContainerPort) if response == "proxy" { 
@@ -127,6 +133,8 @@ func TestPodWithSomePortsIgnored(t *testing.T) { } func TestPodMakesOutboundConnection(t *testing.T) { + t.Parallel() + podIgnoredSomePortsIp := os.Getenv("POD_DOEST_REDIRECT_BLACKLISTED_IP") podWithNoRulesIp := os.Getenv("POD_WITH_NO_RULES_IP") podWithNoRulesName := "pod-with-no-rules" @@ -135,7 +143,6 @@ func TestPodMakesOutboundConnection(t *testing.T) { proxyPodIp := podIgnoredSomePortsIp t.Run("connecting to another pod from non-proxy container gets redirected to proxy", func(t *testing.T) { - checkIfIntegrationTestsAreEnabled(t) portOfContainerToMAkeTheRequest := ignoredContainerPort targetPodIp := podWithNoRulesIp targetPort := ignoredContainerPort @@ -149,7 +156,6 @@ func TestPodMakesOutboundConnection(t *testing.T) { }) t.Run("connecting to another pod from proxy container does not get redirected to proxy", func(t *testing.T) { - checkIfIntegrationTestsAreEnabled(t) targetPodName := podWithNoRulesName targetPodIp := podWithNoRulesIp @@ -162,8 +168,6 @@ func TestPodMakesOutboundConnection(t *testing.T) { }) t.Run("connecting to loopback from non-proxy container does not get redirected to proxy", func(t *testing.T) { - checkIfIntegrationTestsAreEnabled(t) - response := makeCallFromContainerToAnother(t, proxyPodIp, ignoredContainerPort, "127.0.0.1", notTheProxyContainerPort) expectedDownstreamResponse := fmt.Sprintf("me:[%s:%s]downstream:[%s:%s]", proxyPodName, ignoredContainerPort, proxyPodName, notTheProxyContainerPort) 
@@ -181,15 +185,6 @@ func makeCallFromContainerToAnother(t *testing.T, fromPodNamed string, fromConta return expectSuccessfulGetRequestToUrl(t, targetUrl) } -func checkIfIntegrationTestsAreEnabled(t *testing.T) { - if _, isSet := os.LookupEnv(integrationTestsEnvironmentVariable); !isSet { - fmt.Printf("=> Environment variable [%s] isn't set, skipping this test\n", integrationTestsEnvironmentVariable) - t.SkipNow() - } else { - t.Parallel() - } -} - func expectCannotConnectGetRequestTo(t *testing.T, host string, port string) { targetUrl := fmt.Sprintf("http://%s:%s/", host, port) fmt.Printf("Expecting failed GET to %s\n", targetUrl) diff --git a/proxy-init/integration_test/run_tests.sh b/proxy-init/integration_test/run_tests.sh index a375c5fac..c7d458b4c 100755 --- a/proxy-init/integration_test/run_tests.sh +++ b/proxy-init/integration_test/run_tests.sh @@ -82,8 +82,6 @@ spec: - name: tester image: buoyantio/iptables-tester:v1 env: - - name: CONDUIT_INTEGRATION_TESTS_ENABLED - value: "1" - name: POD_REDIRECTS_ALL_PORTS_IP value: ${POD_REDIRECTS_ALL_PORTS_IP} - name: POD_WITH_NO_RULES_IP diff --git a/proxy-init/iptables/iptables.go b/proxy-init/iptables/iptables.go index 31804888c..a4a4d4ea8 100644 --- a/proxy-init/iptables/iptables.go +++ b/proxy-init/iptables/iptables.go 
@@ -68,48 +68,48 @@ func ConfigureFirewall(firewallConfiguration FirewallConfiguration) error { //formatComment is used to format iptables comments in such way that it is possible to identify when the rules were added. // This helps debug when iptables has some stale rules from previous runs, something that can happen frequently on minikube. func formatComment(text string) string { - return fmt.Sprintf("conduit/%s/%s", text, ExecutionTraceId) + return fmt.Sprintf("proxy-init/%s/%s", text, ExecutionTraceId) } func addOutgoingTrafficRules(commands []*exec.Cmd, firewallConfiguration FirewallConfiguration) []*exec.Cmd { - ConduitOutputChainName := "CONDUIT_OUTPUT" - executeCommand(firewallConfiguration, makeFlushChain(ConduitOutputChainName)) - executeCommand(firewallConfiguration, makeDeleteChain(ConduitOutputChainName)) + outputChainName := "PROXY_INIT_OUTPUT" + executeCommand(firewallConfiguration, makeFlushChain(outputChainName)) + executeCommand(firewallConfiguration, makeDeleteChain(outputChainName)) - commands = append(commands, makeCreateNewChain(ConduitOutputChainName, "redirect-common-chain")) + commands = append(commands, makeCreateNewChain(outputChainName, "redirect-common-chain")) // Ingore traffic from the proxy if firewallConfiguration.ProxyUid > 0 { log.Printf("Ignoring uid %d", firewallConfiguration.ProxyUid) - commands = append(commands, makeIgnoreUserId(ConduitOutputChainName, firewallConfiguration.ProxyUid, "ignore-proxy-user-id")) + commands = append(commands, makeIgnoreUserId(outputChainName, firewallConfiguration.ProxyUid, "ignore-proxy-user-id")) } else { log.Println("Not ignoring any uid") } // Ignore loopback - commands = append(commands, makeIgnoreLoopback(ConduitOutputChainName, "ignore-loopback")) + commands = append(commands, makeIgnoreLoopback(outputChainName, "ignore-loopback")) // Ignore ports - commands = addRulesForIgnoredPorts(firewallConfiguration.OutboundPortsToIgnore, ConduitOutputChainName, commands) + commands = 
addRulesForIgnoredPorts(firewallConfiguration.OutboundPortsToIgnore, outputChainName, commands) log.Printf("Redirecting all OUTPUT to %d", firewallConfiguration.ProxyOutgoingPort) - commands = append(commands, makeRedirectChainToPort(ConduitOutputChainName, firewallConfiguration.ProxyOutgoingPort, "redirect-all-outgoing-to-proxy-port")) + commands = append(commands, makeRedirectChainToPort(outputChainName, firewallConfiguration.ProxyOutgoingPort, "redirect-all-outgoing-to-proxy-port")) //Redirect all remaining outbound traffic to the proxy. - commands = append(commands, makeJumpFromChainToAnotherForAllProtocols(IptablesOutputChainName, ConduitOutputChainName, "install-conduit-output")) + commands = append(commands, makeJumpFromChainToAnotherForAllProtocols(IptablesOutputChainName, outputChainName, "install-proxy-init-output")) return commands } func addIncomingTrafficRules(commands []*exec.Cmd, firewallConfiguration FirewallConfiguration) []*exec.Cmd { - ConduitRedirectChainName := "CONDUIT_REDIRECT" - executeCommand(firewallConfiguration, makeFlushChain(ConduitRedirectChainName)) - executeCommand(firewallConfiguration, makeDeleteChain(ConduitRedirectChainName)) + redirectChainName := "PROXY_INIT_REDIRECT" + executeCommand(firewallConfiguration, makeFlushChain(redirectChainName)) + executeCommand(firewallConfiguration, makeDeleteChain(redirectChainName)) - commands = append(commands, makeCreateNewChain(ConduitRedirectChainName, "redirect-common-chain")) - commands = addRulesForIgnoredPorts(firewallConfiguration.InboundPortsToIgnore, ConduitRedirectChainName, commands) - commands = addRulesForInboundPortRedirect(firewallConfiguration, ConduitRedirectChainName, commands) + commands = append(commands, makeCreateNewChain(redirectChainName, "redirect-common-chain")) + commands = addRulesForIgnoredPorts(firewallConfiguration.InboundPortsToIgnore, redirectChainName, commands) + commands = addRulesForInboundPortRedirect(firewallConfiguration, redirectChainName, commands) 
//Redirect all remaining inbound traffic to the proxy.
- commands = append(commands, makeJumpFromChainToAnotherForAllProtocols(IptablesPreroutingChainName, ConduitRedirectChainName, "install-conduit-prerouting"))
+ commands = append(commands, makeJumpFromChainToAnotherForAllProtocols(IptablesPreroutingChainName, redirectChainName, "install-proxy-init-prerouting"))
 return commands
 }
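Review bot: Renaming the chains to `PROXY_INIT_OUTPUT` and `PROXY_INIT_REDIRECT` also changes what the pre-emptive `makeFlushChain`/`makeDeleteChain` calls at the top of addOutgoingTrafficRules and addIncomingTrafficRules clean up: they now only touch the new names, so `CONDUIT_OUTPUT`/`CONDUIT_REDIRECT` chains left by an earlier run — the stale-rules-on-minikube scenario the formatComment comment describes — are no longer removed, and if the new jump rules are appended rather than inserted, a leftover jump into the legacy chain would still be evaluated first. If that upgrade path matters, flush and delete the legacy names as well during a transition period, e.g. `executeCommand(firewallConfiguration, makeFlushChain("CONDUIT_OUTPUT"))` followed by `executeCommand(firewallConfiguration, makeDeleteChain("CONDUIT_OUTPUT"))` with the same pair for the redirect chain, or document that a fresh network namespace is assumed. The chain-name literals are also duplicated in the `install-proxy-init-*` comment strings; a package-level `const` for each name would keep them from drifting.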