From a98034bba45fcd7e949ff32a6e8a9c0d593adb35 Mon Sep 17 00:00:00 2001
From: Jacek Ewertowski <jewertow@redhat.com>
Date: Mon, 15 Jul 2024 10:32:39 +0200
Subject: [PATCH] OSSM-6403: Add basic tests for TPROXY interception mode
 (#710)

* OSSM-6403: Add basic tests for TPROXY interception mode

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Fix typo

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Remove ID from tproxy test

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

---------

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
---
 pkg/app/httpbin.go                     | 14 +++++++
 pkg/app/sleep.go                       |  8 ++++
 pkg/tests/tasks/traffic/tproxy_test.go | 54 ++++++++++++++++++++++++++
 3 files changed, 76 insertions(+)
 create mode 100644 pkg/tests/tasks/traffic/tproxy_test.go

diff --git a/pkg/app/httpbin.go b/pkg/app/httpbin.go
index a06c2213..0ceee7fb 100644
--- a/pkg/app/httpbin.go
+++ b/pkg/app/httpbin.go
@@ -10,6 +10,7 @@ type httpbin struct {
 	injectSidecar  bool
 	deploymentName string
 	versionLabel   string
+	tproxy         bool
 }
 
 var _ App = &httpbin{}
@@ -50,6 +51,16 @@ func HttpbinV2(ns string) App {
 	}
 }
 
+func HttpbinTproxy(ns string) App {
+	return &httpbin{
+		ns:             ns,
+		injectSidecar:  true,
+		deploymentName: "httpbin",
+		versionLabel:   "v1",
+		tproxy:         true,
+	}
+}
+
 func (a *httpbin) Name() string {
 	return a.deploymentName
 }
@@ -116,6 +127,9 @@ spec:
     metadata:
       annotations:
         sidecar.istio.io/inject: "{{ .InjectSidecar }}"
+      {{ if .Tproxy }}
+        sidecar.istio.io/interceptionMode: TPROXY
+      {{ end }}
       labels:
         app: httpbin
         version: {{ .Version }}
diff --git a/pkg/app/sleep.go b/pkg/app/sleep.go
index bd368530..1eb2cb26 100644
--- a/pkg/app/sleep.go
+++ b/pkg/app/sleep.go
@@ -14,6 +14,7 @@ import (
 type sleep struct {
 	ns            string
 	injectSidecar bool
+	tproxy        bool
 }
 
 var _ App = &sleep{}
@@ -26,6 +27,10 @@ func SleepNoSidecar(ns string) App {
 	return &sleep{ns: ns, injectSidecar: false}
 }
 
+func SleepTroxy(ns string) App {
+	return &sleep{ns: ns, injectSidecar: true, tproxy: true}
+}
+
 func (a *sleep) Name() string {
 	return "sleep"
 }
@@ -163,6 +168,9 @@ spec:
     metadata:
       annotations:
         sidecar.istio.io/inject: "{{ .InjectSidecar }}"
+      {{ if .Tproxy }}
+        sidecar.istio.io/interceptionMode: TPROXY
+      {{ end }}
       labels:
         app: sleep
     spec:
diff --git a/pkg/tests/tasks/traffic/tproxy_test.go b/pkg/tests/tasks/traffic/tproxy_test.go
new file mode 100644
index 00000000..e70cb7c1
--- /dev/null
+++ b/pkg/tests/tasks/traffic/tproxy_test.go
@@ -0,0 +1,54 @@
+package traffic
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	"github.com/maistra/maistra-test-tool/pkg/app"
+	"github.com/maistra/maistra-test-tool/pkg/tests/ossm"
+	"github.com/maistra/maistra-test-tool/pkg/util/check/assert"
+	"github.com/maistra/maistra-test-tool/pkg/util/curl"
+	"github.com/maistra/maistra-test-tool/pkg/util/env"
+	"github.com/maistra/maistra-test-tool/pkg/util/istio"
+	"github.com/maistra/maistra-test-tool/pkg/util/ns"
+	"github.com/maistra/maistra-test-tool/pkg/util/oc"
+	"github.com/maistra/maistra-test-tool/pkg/util/retry"
+	"github.com/maistra/maistra-test-tool/pkg/util/shell"
+	. "github.com/maistra/maistra-test-tool/pkg/util/test"
+	"github.com/maistra/maistra-test-tool/pkg/util/version"
+)
+
+func TestTproxy(t *testing.T) {
+	NewTest(t).Groups(Full, InterOp, ARM).Run(func(t TestHelper) {
+		if env.GetSMCPVersion().LessThan(version.SMCP_2_5) {
+			t.Skip("TPROXY is only supported in 2.5.3 and newer versions")
+		}
+
+		t.Cleanup(func() {
+			oc.RecreateNamespace(t, ns.Foo)
+		})
+
+		ossm.DeployControlPlane(t)
+
+		t.LogStep("Add privileged SCC to the app namespace")
+		shell.Executef(t, "oc adm policy add-scc-to-group privileged system:serviceaccounts:%s", ns.Foo)
+
+		t.LogStep("Install httpbin and sleep in tproxy mode")
+		app.InstallAndWaitReady(t, app.HttpbinTproxy(ns.Foo), app.SleepTroxy(ns.Foo))
+
+		t.NewSubTest("HTTP request from ingress gateway to httpbin in tproxy mode").Run(func(t TestHelper) {
+			oc.ApplyFile(t, ns.Foo, "https://raw.githubusercontent.com/maistra/istio/maistra-2.6/samples/httpbin/httpbin-gateway.yaml")
+			httpbinURL := fmt.Sprintf("http://%s/headers", istio.GetIngressGatewayHost(t, meshNamespace))
+			retry.UntilSuccess(t, func(t TestHelper) {
+				curl.Request(t, httpbinURL, nil, assert.ResponseStatus(http.StatusOK))
+			})
+		})
+
+		t.NewSubTest("HTTP request from tproxy sleep to tproxy httpbin").Run(func(t TestHelper) {
+			app.ExecInSleepPod(t, ns.Foo,
+				"curl http://httpbin.foo:8000/headers -s -o /dev/null -w %{http_code}",
+				assert.OutputContains("200", "Request succeeded", "Unexpected response"))
+		})
+	})
+}