Revert "Collapse not shared NSG rules with multiple source ranges"
This commit is contained in:
Pengfei Ni
@@ -23,7 +23,6 @@ import (
|
||||
"math"
|
||||
"net"
|
||||
"net/http"
|
||||
"sort"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
@@ -853,26 +852,6 @@ func TestReconcileSecurityWithSourceRanges(t *testing.T) {
|
||||
}
|
||||
|
||||
validateSecurityGroup(t, sg, svc)
|
||||
|
||||
expectedRuleCount := 2
|
||||
if len(*sg.SecurityRules) != expectedRuleCount {
|
||||
t.Errorf("Expected security group to have %d rules but it had %d", expectedRuleCount, len(*sg.SecurityRules))
|
||||
}
|
||||
expectedRuleName := "aservicea-TCP-80"
|
||||
_, securityRule, ruleFound := findSecurityRuleByName(*sg.SecurityRules, expectedRuleName)
|
||||
if !ruleFound {
|
||||
t.Fatalf("Expected security rule %q but it was not present", expectedRuleName)
|
||||
}
|
||||
|
||||
expectedSourceAddressPrefixesCount := 2
|
||||
if securityRule.SourceAddressPrefixes == nil || len(*securityRule.SourceAddressPrefixes) != expectedSourceAddressPrefixesCount {
|
||||
t.Errorf("Shared rule %s should have had %d source addresses but had %d", expectedRuleName, expectedSourceAddressPrefixesCount, len(*securityRule.SourceAddressPrefixes))
|
||||
}
|
||||
|
||||
err = securityRuleMatches("10.0.0.0/32,192.168.0.0/24", v1.ServicePort{Port: 80}, lbStatus.Ingress[0].IP, securityRule)
|
||||
if err != nil {
|
||||
t.Errorf("Shared rule %s did not match service IP: %v", expectedRuleName, err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestReconcilePublicIPWithNewService(t *testing.T) {
|
||||
@@ -1176,7 +1155,8 @@ func getServiceSourceRanges(service *v1.Service) []string {
|
||||
|
||||
return service.Spec.LoadBalancerSourceRanges
|
||||
}
|
||||
func getTestSecurityGroupBackwardCompat(az *Cloud, services ...v1.Service) *network.SecurityGroup {
|
||||
|
||||
func getTestSecurityGroup(az *Cloud, services ...v1.Service) *network.SecurityGroup {
|
||||
rules := []network.SecurityRule{}
|
||||
|
||||
for _, service := range services {
|
||||
@@ -1213,55 +1193,6 @@ func getTestSecurityGroupBackwardCompat(az *Cloud, services ...v1.Service) *netw
|
||||
return &sg
|
||||
}
|
||||
|
||||
func getTestSecurityGroup(az *Cloud, services ...v1.Service) *network.SecurityGroup {
|
||||
rules := []network.SecurityRule{}
|
||||
|
||||
for _, service := range services {
|
||||
for _, port := range service.Spec.Ports {
|
||||
sources := getServiceSourceRanges(&service)
|
||||
if useSharedSecurityRule(&service) {
|
||||
for _, src := range sources {
|
||||
ruleName := az.getSecurityRuleName(&service, port, src)
|
||||
rules = append(rules, network.SecurityRule{
|
||||
Name: to.StringPtr(ruleName),
|
||||
SecurityRulePropertiesFormat: &network.SecurityRulePropertiesFormat{
|
||||
SourceAddressPrefix: to.StringPtr(src),
|
||||
DestinationPortRange: to.StringPtr(fmt.Sprintf("%d", port.Port)),
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
} else {
|
||||
ruleName := az.getSecurityRuleName(&service, port, "")
|
||||
rules = append(rules, network.SecurityRule{
|
||||
Name: to.StringPtr(ruleName),
|
||||
SecurityRulePropertiesFormat: &network.SecurityRulePropertiesFormat{
|
||||
SourceAddressPrefixes: &sources,
|
||||
DestinationPortRange: to.StringPtr(fmt.Sprintf("%d", port.Port)),
|
||||
},
|
||||
})
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sg := network.SecurityGroup{
|
||||
Name: &az.SecurityGroupName,
|
||||
SecurityGroupPropertiesFormat: &network.SecurityGroupPropertiesFormat{
|
||||
SecurityRules: &rules,
|
||||
},
|
||||
}
|
||||
|
||||
ctx, cancel := getContextWithCancel()
|
||||
defer cancel()
|
||||
az.SecurityGroupsClient.CreateOrUpdate(
|
||||
ctx,
|
||||
az.ResourceGroup,
|
||||
az.SecurityGroupName,
|
||||
sg)
|
||||
|
||||
return &sg
|
||||
}
|
||||
|
||||
func validateLoadBalancer(t *testing.T, loadBalancer *network.LoadBalancer, services ...v1.Service) {
|
||||
az := getTestCloud()
|
||||
expectedRuleCount := 0
|
||||
@@ -1435,6 +1366,7 @@ func securityRuleMatches(serviceSourceRange string, servicePort v1.ServicePort,
|
||||
ruleSource = &[]string{*securityRule.SourceAddressPrefix}
|
||||
}
|
||||
}
|
||||
|
||||
rulePorts := securityRule.DestinationPortRanges
|
||||
if rulePorts == nil || len(*rulePorts) == 0 {
|
||||
if securityRule.DestinationPortRange == nil {
|
||||
@@ -1452,11 +1384,9 @@ func securityRuleMatches(serviceSourceRange string, servicePort v1.ServicePort,
|
||||
ruleDestination = &[]string{*securityRule.DestinationAddressPrefix}
|
||||
}
|
||||
}
|
||||
sort.Strings(*ruleSource)
|
||||
ruleSourceRange := strings.Join(*ruleSource, ",")
|
||||
// both serviceSourceRange and ruleSourceRange should have been sorted in ascending order
|
||||
if ruleSourceRange != serviceSourceRange {
|
||||
return fmt.Errorf("Rule %s does not equal to service %s", ruleSourceRange, serviceSourceRange)
|
||||
|
||||
if !contains(*ruleSource, serviceSourceRange) {
|
||||
return fmt.Errorf("Rule does not contain source %s", serviceSourceRange)
|
||||
}
|
||||
|
||||
if !contains(*rulePorts, fmt.Sprintf("%d", servicePort.Port)) {
|
||||
@@ -1474,48 +1404,24 @@ func validateSecurityGroup(t *testing.T, securityGroup *network.SecurityGroup, s
|
||||
az := getTestCloud()
|
||||
seenRules := make(map[string]string)
|
||||
for _, svc := range services {
|
||||
for _, port := range svc.Spec.Ports {
|
||||
for _, wantedRule := range svc.Spec.Ports {
|
||||
sources := getServiceSourceRanges(&svc)
|
||||
if len(sources) > 0 {
|
||||
if useSharedSecurityRule(&svc) {
|
||||
for _, source := range sources {
|
||||
wantedRuleName := az.getSecurityRuleName(&svc, port, source)
|
||||
seenRules[wantedRuleName] = wantedRuleName
|
||||
foundRule := false
|
||||
for _, actualRule := range *securityGroup.SecurityRules {
|
||||
if strings.EqualFold(*actualRule.Name, wantedRuleName) {
|
||||
err := securityRuleMatches(source, port, svc.Spec.LoadBalancerIP, actualRule)
|
||||
if err != nil {
|
||||
t.Errorf("Found matching security rule %q but properties were incorrect: %v", wantedRuleName, err)
|
||||
}
|
||||
foundRule = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !foundRule {
|
||||
t.Errorf("Expected security group rule but didn't find it: %q", wantedRuleName)
|
||||
for _, source := range sources {
|
||||
wantedRuleName := az.getSecurityRuleName(&svc, wantedRule, source)
|
||||
seenRules[wantedRuleName] = wantedRuleName
|
||||
foundRule := false
|
||||
for _, actualRule := range *securityGroup.SecurityRules {
|
||||
if strings.EqualFold(*actualRule.Name, wantedRuleName) {
|
||||
err := securityRuleMatches(source, wantedRule, svc.Spec.LoadBalancerIP, actualRule)
|
||||
if err != nil {
|
||||
t.Errorf("Found matching security rule %q but properties were incorrect: %v", wantedRuleName, err)
|
||||
}
|
||||
foundRule = true
|
||||
break
|
||||
}
|
||||
} else {
|
||||
// not shared
|
||||
wantedRuleName := az.getSecurityRuleName(&svc, port, "")
|
||||
seenRules[wantedRuleName] = wantedRuleName
|
||||
foundRule := false
|
||||
for _, actualRule := range *securityGroup.SecurityRules {
|
||||
if strings.EqualFold(*actualRule.Name, wantedRuleName) {
|
||||
sort.Strings(sources)
|
||||
svcSources := strings.Join(sources, ",")
|
||||
err := securityRuleMatches(svcSources, port, svc.Spec.LoadBalancerIP, actualRule)
|
||||
if err != nil {
|
||||
t.Errorf("Found matching security rule %q but properties were incorrect: %v", wantedRuleName, err)
|
||||
}
|
||||
foundRule = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !foundRule {
|
||||
t.Errorf("Expected security group rule but didn't find it: %q", wantedRuleName)
|
||||
}
|
||||
}
|
||||
if !foundRule {
|
||||
t.Errorf("Expected security group rule but didn't find it: %q", wantedRuleName)
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1966,7 +1872,7 @@ func TestIfServiceSpecifiesSharedRuleAndRuleExistsThenTheServicesPortAndAddressA
|
||||
SecurityRulePropertiesFormat: &network.SecurityRulePropertiesFormat{
|
||||
Protocol: network.SecurityRuleProtocolTCP,
|
||||
SourcePortRange: to.StringPtr("*"),
|
||||
SourceAddressPrefixes: &[]string{"Internet"},
|
||||
SourceAddressPrefix: to.StringPtr("Internet"),
|
||||
DestinationPortRange: to.StringPtr("80"),
|
||||
DestinationAddressPrefix: to.StringPtr("192.168.33.44"),
|
||||
Access: network.SecurityRuleAccessAllow,
|
||||
@@ -2144,7 +2050,7 @@ func TestIfServicesSpecifySharedRuleButDifferentSourceAddressesThenSeparateRules
|
||||
|
||||
svc1 := getTestService("servicesr1", v1.ProtocolTCP, 80)
|
||||
svc1.Spec.LoadBalancerIP = "192.168.77.88"
|
||||
svc1.Spec.LoadBalancerSourceRanges = []string{"192.168.12.0/24", "192.10.10.0/24"}
|
||||
svc1.Spec.LoadBalancerSourceRanges = []string{"192.168.12.0/24"}
|
||||
svc1.Annotations[ServiceAnnotationSharedSecurityRule] = "true"
|
||||
|
||||
svc2 := getTestService("servicesr2", v1.ProtocolTCP, 80)
|
||||
@@ -2152,10 +2058,7 @@ func TestIfServicesSpecifySharedRuleButDifferentSourceAddressesThenSeparateRules
|
||||
svc2.Spec.LoadBalancerSourceRanges = []string{"192.168.34.0/24"}
|
||||
svc2.Annotations[ServiceAnnotationSharedSecurityRule] = "true"
|
||||
|
||||
// shared service should create separate rules for each source address
|
||||
expectedRuleName11 := "shared-TCP-80-192.168.12.0_24"
|
||||
expectedRuleName12 := "shared-TCP-80-192.10.10.0_24"
|
||||
// only share outbound when source range match
|
||||
expectedRuleName1 := "shared-TCP-80-192.168.12.0_24"
|
||||
expectedRuleName2 := "shared-TCP-80-192.168.34.0_24"
|
||||
|
||||
sg := getTestSecurityGroup(az)
|
||||
@@ -2172,14 +2075,9 @@ func TestIfServicesSpecifySharedRuleButDifferentSourceAddressesThenSeparateRules
|
||||
|
||||
validateSecurityGroup(t, sg, svc1, svc2)
|
||||
|
||||
_, securityRule11, rule1Found := findSecurityRuleByName(*sg.SecurityRules, expectedRuleName11)
|
||||
_, securityRule1, rule1Found := findSecurityRuleByName(*sg.SecurityRules, expectedRuleName1)
|
||||
if !rule1Found {
|
||||
t.Fatalf("Expected security rule %q but it was not present", expectedRuleName11)
|
||||
}
|
||||
|
||||
_, securityRule12, rule1Found := findSecurityRuleByName(*sg.SecurityRules, expectedRuleName12)
|
||||
if !rule1Found {
|
||||
t.Fatalf("Expected security rule %q but it was not present", expectedRuleName12)
|
||||
t.Fatalf("Expected security rule %q but it was not present", expectedRuleName1)
|
||||
}
|
||||
|
||||
_, securityRule2, rule2Found := findSecurityRuleByName(*sg.SecurityRules, expectedRuleName2)
|
||||
@@ -2187,26 +2085,35 @@ func TestIfServicesSpecifySharedRuleButDifferentSourceAddressesThenSeparateRules
|
||||
t.Fatalf("Expected security rule %q but it was not present", expectedRuleName2)
|
||||
}
|
||||
|
||||
expectedDestinationIPCount11 := 1
|
||||
if len(*securityRule11.DestinationAddressPrefixes) != expectedDestinationIPCount11 {
|
||||
t.Errorf("Shared rule %s should have had %d destination IP addresses but had %d", expectedRuleName11, expectedDestinationIPCount11, len(*securityRule11.DestinationAddressPrefixes))
|
||||
expectedDestinationIPCount1 := 1
|
||||
if len(*securityRule1.DestinationAddressPrefixes) != expectedDestinationIPCount1 {
|
||||
t.Errorf("Shared rule %s should have had %d destination IP addresses but had %d", expectedRuleName1, expectedDestinationIPCount1, len(*securityRule1.DestinationAddressPrefixes))
|
||||
}
|
||||
|
||||
err = securityRuleMatches(svc1.Spec.LoadBalancerSourceRanges[0], v1.ServicePort{Port: 80}, "192.168.77.88", securityRule11)
|
||||
err = securityRuleMatches(svc1.Spec.LoadBalancerSourceRanges[0], v1.ServicePort{Port: 80}, "192.168.77.88", securityRule1)
|
||||
if err != nil {
|
||||
t.Errorf("Shared rule %s did not match service: %v", expectedRuleName11, err)
|
||||
t.Errorf("Shared rule %s did not match service IP: %v", expectedRuleName1, err)
|
||||
}
|
||||
|
||||
err = securityRuleMatches(svc1.Spec.LoadBalancerSourceRanges[1], v1.ServicePort{Port: 80}, "192.168.77.88", securityRule12)
|
||||
if err != nil {
|
||||
t.Errorf("Shared rule %s did not match service: %v", expectedRuleName12, err)
|
||||
err = securityRuleMatches(svc2.Spec.LoadBalancerSourceRanges[0], v1.ServicePort{Port: 80}, "192.168.33.44", securityRule1)
|
||||
if err == nil {
|
||||
t.Errorf("Shared rule %s matched wrong service's port and IP", expectedRuleName1)
|
||||
}
|
||||
|
||||
expectedDestinationIPCount2 := 1
|
||||
if len(*securityRule2.DestinationAddressPrefixes) != expectedDestinationIPCount2 {
|
||||
t.Errorf("Shared rule %s should have had %d destination IP addresses but had %d", expectedRuleName2, expectedDestinationIPCount2, len(*securityRule2.DestinationAddressPrefixes))
|
||||
}
|
||||
|
||||
err = securityRuleMatches(svc2.Spec.LoadBalancerSourceRanges[0], v1.ServicePort{Port: 80}, "192.168.33.44", securityRule2)
|
||||
if err != nil {
|
||||
t.Errorf("Shared rule %s did not match service: %v", expectedRuleName12, err)
|
||||
t.Errorf("Shared rule %s did not match service IP: %v", expectedRuleName2, err)
|
||||
}
|
||||
|
||||
err = securityRuleMatches(svc1.Spec.LoadBalancerSourceRanges[0], v1.ServicePort{Port: 80}, "192.168.77.88", securityRule2)
|
||||
if err == nil {
|
||||
t.Errorf("Shared rule %s matched wrong service's port and IP", expectedRuleName2)
|
||||
}
|
||||
}
|
||||
|
||||
func TestIfServicesSpecifySharedRuleButSomeAreOnDifferentPortsThenRulesAreSeparatedOrConsoliatedByPort(t *testing.T) {
|
||||
@@ -2401,16 +2308,6 @@ func TestIfSomeServicesShareARuleAndOneIsDeletedItIsRemovedFromTheRightRule(t *t
|
||||
|
||||
validateSecurityGroup(t, sg, svc1, svc2, svc3)
|
||||
|
||||
_, securityRule13, rule13Found := findSecurityRuleByName(*sg.SecurityRules, expectedRuleName13)
|
||||
if !rule13Found {
|
||||
t.Fatalf("Expected security rule %q but it was not present", expectedRuleName13)
|
||||
}
|
||||
|
||||
expectedDestinationIPCount13 := 2
|
||||
if len(*securityRule13.DestinationAddressPrefixes) != expectedDestinationIPCount13 {
|
||||
t.Errorf("Shared rule %s should have had %d destination IP addresses but had %d", expectedRuleName13, expectedDestinationIPCount13, len(*securityRule13.DestinationAddressPrefixes))
|
||||
}
|
||||
|
||||
sg, err = az.reconcileSecurityGroup(testClusterName, &svc1, to.StringPtr(svc1.Spec.LoadBalancerIP), false)
|
||||
if err != nil {
|
||||
t.Errorf("Unexpected error removing svc1: %q", err)
|
||||
@@ -2418,7 +2315,7 @@ func TestIfSomeServicesShareARuleAndOneIsDeletedItIsRemovedFromTheRightRule(t *t
|
||||
|
||||
validateSecurityGroup(t, sg, svc2, svc3)
|
||||
|
||||
_, securityRule13, rule13Found = findSecurityRuleByName(*sg.SecurityRules, expectedRuleName13)
|
||||
_, securityRule13, rule13Found := findSecurityRuleByName(*sg.SecurityRules, expectedRuleName13)
|
||||
if !rule13Found {
|
||||
t.Fatalf("Expected security rule %q but it was not present", expectedRuleName13)
|
||||
}
|
||||
@@ -2428,7 +2325,7 @@ func TestIfSomeServicesShareARuleAndOneIsDeletedItIsRemovedFromTheRightRule(t *t
|
||||
t.Fatalf("Expected security rule %q but it was not present", expectedRuleName2)
|
||||
}
|
||||
|
||||
expectedDestinationIPCount13 = 1
|
||||
expectedDestinationIPCount13 := 1
|
||||
if len(*securityRule13.DestinationAddressPrefixes) != expectedDestinationIPCount13 {
|
||||
t.Errorf("Shared rule %s should have had %d destination IP addresses but had %d", expectedRuleName13, expectedDestinationIPCount13, len(*securityRule13.DestinationAddressPrefixes))
|
||||
}
|
||||
@@ -2578,17 +2475,16 @@ func TestCanCombineSharedAndPrivateRulesInSameGroup(t *testing.T) {
|
||||
|
||||
svc4 := getTestService("servicesr4", v1.ProtocolTCP, 4444)
|
||||
svc4.Spec.LoadBalancerIP = "192.168.22.33"
|
||||
svc4.Spec.LoadBalancerSourceRanges = []string{"192.168.12.0/24", "192.10.10.0/24"}
|
||||
svc4.Annotations[ServiceAnnotationSharedSecurityRule] = "false"
|
||||
|
||||
svc5 := getTestService("servicesr5", v1.ProtocolTCP, 8888)
|
||||
svc5.Spec.LoadBalancerIP = "192.168.22.55"
|
||||
svc5.Spec.LoadBalancerIP = "192.168.22.33"
|
||||
svc5.Annotations[ServiceAnnotationSharedSecurityRule] = "false"
|
||||
|
||||
expectedRuleName13 := "shared-TCP-4444-Internet"
|
||||
expectedRuleName2 := "shared-TCP-8888-Internet"
|
||||
expectedRuleName4 := az.getSecurityRuleName(&svc4, v1.ServicePort{Port: 4444, Protocol: v1.ProtocolTCP}, "")
|
||||
expectedRuleName5 := az.getSecurityRuleName(&svc5, v1.ServicePort{Port: 8888, Protocol: v1.ProtocolTCP}, "")
|
||||
expectedRuleName4 := az.getSecurityRuleName(&svc4, v1.ServicePort{Port: 4444, Protocol: v1.ProtocolTCP}, "Internet")
|
||||
expectedRuleName5 := az.getSecurityRuleName(&svc5, v1.ServicePort{Port: 8888, Protocol: v1.ProtocolTCP}, "Internet")
|
||||
|
||||
sg := getTestSecurityGroup(az)
|
||||
|
||||
@@ -2614,7 +2510,7 @@ func TestCanCombineSharedAndPrivateRulesInSameGroup(t *testing.T) {
|
||||
|
||||
sg, err = az.reconcileSecurityGroup(testClusterName, &svc5, to.StringPtr(svc5.Spec.LoadBalancerIP), true)
|
||||
if err != nil {
|
||||
t.Errorf("Unexpected error adding svc5: %q", err)
|
||||
t.Errorf("Unexpected error adding svc4: %q", err)
|
||||
}
|
||||
|
||||
validateSecurityGroup(t, sg, svc1, svc2, svc3, svc4, svc5)
|
||||
@@ -2679,11 +2575,6 @@ func TestCanCombineSharedAndPrivateRulesInSameGroup(t *testing.T) {
|
||||
t.Errorf("Shared rule %s matched wrong (unshared) service's port and IP", expectedRuleName2)
|
||||
}
|
||||
|
||||
expectedSourceIPCount4 := 2
|
||||
if len(*securityRule4.SourceAddressPrefixes) != expectedSourceIPCount4 {
|
||||
t.Errorf("Shared rule %s should have had %d destination IP addresses but had %d", expectedRuleName4, expectedSourceIPCount4, len(*securityRule4.SourceAddressPrefixes))
|
||||
}
|
||||
|
||||
if securityRule4.DestinationAddressPrefixes != nil {
|
||||
t.Errorf("Expected unshared rule %s to use single destination IP address but used collection", expectedRuleName4)
|
||||
}
|
||||
@@ -2696,11 +2587,6 @@ func TestCanCombineSharedAndPrivateRulesInSameGroup(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
expectedSourceAddressCount4 := 2
|
||||
if len(*securityRule4.SourceAddressPrefixes) != expectedSourceAddressCount4 {
|
||||
t.Errorf("Expected rule %s should have had %d source IP addresses but had %d", expectedRuleName4, expectedSourceAddressCount4, len(*securityRule4.SourceAddressPrefixes))
|
||||
}
|
||||
|
||||
if securityRule5.DestinationAddressPrefixes != nil {
|
||||
t.Errorf("Expected unshared rule %s to use single destination IP address but used collection", expectedRuleName5)
|
||||
}
|
||||
@@ -2747,67 +2633,6 @@ func TestCanCombineSharedAndPrivateRulesInSameGroup(t *testing.T) {
|
||||
if len(*securityRule13.DestinationAddressPrefixes) != expectedDestinationIPCount13 {
|
||||
t.Errorf("Shared rule %s should have had %d destination IP addresses but had %d", expectedRuleName13, expectedDestinationIPCount13, len(*securityRule13.DestinationAddressPrefixes))
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
func TestNotSharedServiceUpdate(t *testing.T) {
|
||||
az := getTestCloud()
|
||||
|
||||
svc1 := getTestService("servicesr1", v1.ProtocolTCP, 9000)
|
||||
svc1.Spec.LoadBalancerIP = "192.168.77.88"
|
||||
svc1.Spec.LoadBalancerSourceRanges = []string{"192.168.12.0/24", "192.10.10.0/24"}
|
||||
svc1.Annotations[ServiceAnnotationSharedSecurityRule] = "false"
|
||||
|
||||
expectedRuleName1 := az.getSecurityRuleName(&svc1, v1.ServicePort{Port: 9000, Protocol: v1.ProtocolTCP}, "")
|
||||
|
||||
sg := getTestSecurityGroup(az)
|
||||
|
||||
sg, err := az.reconcileSecurityGroup(testClusterName, &svc1, to.StringPtr(svc1.Spec.LoadBalancerIP), true)
|
||||
if err != nil {
|
||||
t.Errorf("Unexpected error adding svc1: %q", err)
|
||||
}
|
||||
|
||||
validateSecurityGroup(t, sg, svc1)
|
||||
|
||||
expectedRuleCount := 1
|
||||
if len(*sg.SecurityRules) != expectedRuleCount {
|
||||
t.Errorf("Expected security group to have %d rules but it had %d", expectedRuleCount, len(*sg.SecurityRules))
|
||||
}
|
||||
_, securityRule1, rule1Found := findSecurityRuleByName(*sg.SecurityRules, expectedRuleName1)
|
||||
if !rule1Found {
|
||||
t.Fatalf("Expected security rule %q but it was not present", expectedRuleName1)
|
||||
}
|
||||
if securityRule1.DestinationAddressPrefixes != nil {
|
||||
t.Errorf("Expected unshared rule %s to use single destination IP address but used collection", expectedRuleName1)
|
||||
}
|
||||
expectedSourceAddressCount := 2
|
||||
if len(*securityRule1.SourceAddressPrefixes) != expectedSourceAddressCount {
|
||||
t.Errorf("Expected unshared rule %s to have %d source addresses but it has %d", expectedRuleName1, expectedSourceAddressCount, len(*securityRule1.SourceAddressPrefixes))
|
||||
}
|
||||
|
||||
existingPriority := securityRule1.Priority
|
||||
|
||||
svc1.Spec.LoadBalancerSourceRanges = []string{"192.168.12.0/24"}
|
||||
|
||||
sg, err = az.reconcileSecurityGroup(testClusterName, &svc1, to.StringPtr(svc1.Spec.LoadBalancerIP), true)
|
||||
if err != nil {
|
||||
t.Errorf("Unexpected error adding svc1: %q", err)
|
||||
}
|
||||
|
||||
validateSecurityGroup(t, sg, svc1)
|
||||
|
||||
_, securityRule1, rule1Found = findSecurityRuleByName(*sg.SecurityRules, expectedRuleName1)
|
||||
if !rule1Found {
|
||||
t.Fatalf("Expected security rule %q but it was not present", expectedRuleName1)
|
||||
}
|
||||
expectedSourceAddressCount = 1
|
||||
if len(*securityRule1.SourceAddressPrefixes) != expectedSourceAddressCount {
|
||||
t.Errorf("Expected unshared rule %s to have %d source addresses but it has %d", expectedRuleName1, expectedSourceAddressCount, len(*securityRule1.SourceAddressPrefixes))
|
||||
}
|
||||
|
||||
if securityRule1.Priority != existingPriority {
|
||||
t.Errorf("Expected unshared rule %s to have priority %d but it has %d", expectedRuleName1, existingPriority, securityRule1.Priority)
|
||||
}
|
||||
}
|
||||
|
||||
// TODO: sanity check if the same IP address incorrectly gets put in twice?
|
||||
|
||||
Reference in New Issue
Block a user