diff --git a/e2e/Makefile b/e2e/Makefile index 3dffb79..e1579fa 100644 --- a/e2e/Makefile +++ b/e2e/Makefile @@ -51,7 +51,7 @@ run-test-pod-%: .PHONY: install-test-pod install-test-pod: $(MAKE) --no-print-directory run-test-pod-self - $(MAKE) --no-print-directory DEPLOYMENT_REPLICAS=2 run-test-pod-l3-ingress-explicit-allow-all + $(MAKE) --no-print-directory run-test-pod-l3-ingress-explicit-allow-all $(MAKE) --no-print-directory run-test-pod-l3-ingress-implicit-deny-all $(MAKE) --no-print-directory run-test-pod-l3-ingress-explicit-deny-all $(MAKE) --no-print-directory run-test-pod-l3-egress-implicit-deny-all @@ -66,6 +66,11 @@ install-test-pod: $(MAKE) --no-print-directory run-test-pod-l4-ingress-all-allow-tcp $(MAKE) --no-print-directory wait-for-workloads + # Cilium-agents on different nodes may simultaneously create multiple CiliumIdentities for a same set of labels. + # To enforce the following test deployment to use a same CiliumIdentity, we first create it with replicas=1 and then upscale. + $(MAKE) --no-print-directory DEPLOYMENT_REPLICAS=2 run-test-pod-l3-ingress-explicit-allow-all + $(MAKE) --no-print-directory wait-for-workloads + kubectl apply -f testdata/policy/l3.yaml kubectl apply -f testdata/policy/l4.yaml diff --git a/e2e/id_test.go b/e2e/id_test.go index 5ccb805..6b0e1b0 100644 --- a/e2e/id_test.go +++ b/e2e/id_test.go @@ -1,6 +1,9 @@ package e2e import ( + "fmt" + "strconv" + . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" ) @@ -37,10 +40,38 @@ func testIdLabel() { } func testIdSummary() { - expected := `{"default":1,"kube-system":2,"local-path-storage":1,"test":12}` + cases := []struct { + Namespace string + Count int + }{ + { + Namespace: "default", + Count: 1, + }, + { + Namespace: "kube-system", + Count: 2, + }, + { + Namespace: "local-path-storage", + Count: 1, + }, + { + Namespace: "test", + Count: 13, + }, + } It("should show ID summary", func() { - result := runViewerSafe(Default, nil, "id", "summary", "-o=json") - result = jqSafe(Default, result, "-c") - Expect(string(result)).To(Equal(expected), "compare failed.\nactual: %s\nexpected: %s", string(result), expected) + for _, c := range cases { + resultData := runViewerSafe(Default, nil, "id", "summary", "-o=json") + resultData = jqSafe(Default, resultData, "-r", fmt.Sprintf(`."%s"`, c.Namespace)) + result, err := strconv.Atoi(string(resultData)) + Expect(err).NotTo(HaveOccurred()) + + expected := c.Count + + // Multiple CiliumIdentities may be generated for a same set of security-relevant labels + Expect(result).To(BeNumerically(">=", expected), "compare failed. namespace: %s\nactual: %d\nexpected: %d", result, expected) + } }) }