collector icon indicating copy to clipboard operation
collector copied to clipboard
verified publisher icon stackrox

ROX-29399: integration tests for external IPs direction config

Open Stringy opened this issue 10 months ago • 2 comments

Description

This adds integration tests for the network direction filtering of external IPs. It uses a prepared tap device to mimick egress and ingress connections, providing the tests (and collector) with both ends of the connection to ensure that aggregation happens in the correct places, with the correct configuration.

Also includes minor adjustments to test code to improve runtime configuration testing in the future.

I've chosen to add netcat to the berserker image rather than adding a new image or modifying a different one. It is likely that we will want to use berserker's network workload in the future, and that will require the same tap device, so the prepare-tap.sh script has been added, and netcat is used here for simplicity.

Checklist

  • [ ] Investigated and inspected CI test results
  • [ ] Updated documentation accordingly

Automated testing

  • [x] Added integration tests

If any of these don't apply, please comment below.

Testing Performed

Tests test the tests.

Stringy avatar May 27 '25 13:05 Stringy

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 28.83%. Comparing base (0fc1c87) to head (f9bad77).

:white_check_mark: All tests successful. No failed tests found.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #2140   +/-   ##
=======================================
  Coverage   28.83%   28.83%           
=======================================
  Files          96       96           
  Lines        5799     5799           
  Branches     2551     2551           
=======================================
  Hits         1672     1672           
  Misses       3408     3408           
  Partials      719      719
Flag Coverage Δ
collector-unit-tests 28.83% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

codecov-commenter avatar May 27 '25 13:05 codecov-commenter

As I understand it, both the containers are in the host network namespace, and thus they both have the tun device. The two netcat instances can bind to the external IP or use their POD's IP depending on the direction we want to simulate. And this all works because the routing table has all the IPs and knows how to route locally. Is this correct ?

If this is the case, then we may have to use the -s netcat parameter on the client to make sure that the client "comes" from the expected address.

ovalenti avatar May 28 '25 16:05 ovalenti