Add an e2e test for a router that does not update status

Verify that a router running in a namespace does update status if it has
permission.

test/extended/router/headers.go

@@ -18,7 +18,7 @@ import (
 	exutil "github.com/openshift/origin/test/extended/util"
 )
 
-var _ = g.Describe("[Conformance][Area:Networking][Feature:Router] router headers", func() {
+var _ = g.Describe("[Conformance][Area:Networking][Feature:Router]", func() {
 	defer g.GinkgoRecover()
 	var (
 		configPath = exutil.FixturePath("testdata", "router-http-echo-server.yaml")

test/extended/router/metrics.go

@@ -23,7 +23,7 @@ import (
 	exutil "github.com/openshift/origin/test/extended/util"
 )
 
-var _ = g.Describe("[Conformance][Area:Networking][Feature:Router] openshift router metrics", func() {
+var _ = g.Describe("[Conformance][Area:Networking][Feature:Router]", func() {
 	defer g.GinkgoRecover()
 	var (
 		oc = exutil.NewCLI("router-metrics", exutil.KubeConfigPath())

test/extended/router/scoped.go

@@ -11,16 +11,18 @@ import (
 	g "github.com/onsi/ginkgo"
 	o "github.com/onsi/gomega"
 
+	routeapi "github.com/openshift/origin/pkg/route/apis/route"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
+	kapi "k8s.io/kubernetes/pkg/apis/core"
 	e2e "k8s.io/kubernetes/test/e2e/framework"
 
 	exutil "github.com/openshift/origin/test/extended/util"
 )
 
 const changeTimeoutSeconds = 3 * 60
 
-var _ = g.Describe("[Conformance][Area:Networking][Feature:Router] openshift routers", func() {
+var _ = g.Describe("[Conformance][Area:Networking][Feature:Router]", func() {
 	defer g.GinkgoRecover()
 	var (
 		configPath = exutil.FixturePath("testdata", "scoped-router.yaml")
@@ -32,19 +34,16 @@ var _ = g.Describe("[Conformance][Area:Networking][Feature:Router] openshift rou
 		if len(imagePrefix) == 0 {
 			imagePrefix = "openshift/origin"
 		}
-		err := oc.AsAdmin().Run("adm").Args("policy", "add-cluster-role-to-user", "system:router", oc.Username()).Execute()
-		o.Expect(err).NotTo(o.HaveOccurred())
-		err = oc.Run("new-app").Args("-f", configPath, "-p", "IMAGE="+imagePrefix+"-haproxy-router").Execute()
+		err := oc.AsAdmin().Run("new-app").Args("-f", configPath, "-p", "IMAGE="+imagePrefix+"-haproxy-router").Execute()
 		o.Expect(err).NotTo(o.HaveOccurred())
 	})
 
 	g.Describe("The HAProxy router", func() {
 		g.It("should serve the correct routes when scoped to a single namespace and label set", func() {
 			defer func() {
-				// This should be done if the test fails but
-				// for now always dump the logs.
-				// if g.CurrentGinkgoTestDescription().Failed
-				dumpScopedRouterLogs(oc, g.CurrentGinkgoTestDescription().FullTestText)
+				if g.CurrentGinkgoTestDescription().Failed {
+					dumpScopedRouterLogs(oc, g.CurrentGinkgoTestDescription().FullTestText)
+				}
 			}()
 			oc.SetOutputDir(exutil.TestContext.OutputDir)
 			ns := oc.KubeFramework().Namespace.Name
@@ -91,10 +90,9 @@ var _ = g.Describe("[Conformance][Area:Networking][Feature:Router] openshift rou
 
 		g.It("should override the route host with a custom value", func() {
 			defer func() {
-				// This should be done if the test fails but
-				// for now always dump the logs.
-				// if g.CurrentGinkgoTestDescription().Failed
-				dumpScopedRouterLogs(oc, g.CurrentGinkgoTestDescription().FullTestText)
+				if g.CurrentGinkgoTestDescription().Failed {
+					dumpScopedRouterLogs(oc, g.CurrentGinkgoTestDescription().FullTestText)
+				}
 			}()
 			oc.SetOutputDir(exutil.TestContext.OutputDir)
 			ns := oc.KubeFramework().Namespace.Name
@@ -142,6 +140,16 @@ var _ = g.Describe("[Conformance][Area:Networking][Feature:Router] openshift rou
 				err = expectRouteStatusCodeExec(ns, execPodName, routerURL+"/Letter", host, http.StatusOK)
 				o.Expect(err).NotTo(o.HaveOccurred())
 			}
+
+			g.By("checking that the router reported the correct ingress and override")
+			r, err := oc.RouteClient().Route().Routes(ns).Get("route-1", metav1.GetOptions{})
+			o.Expect(err).NotTo(o.HaveOccurred())
+			ingress := ingressForName(r, "test-override")
+			o.Expect(ingress).NotTo(o.BeNil())
+			o.Expect(ingress.Host).To(o.Equal(fmt.Sprintf(pattern, "route-1", ns)))
+			status, condition := routeapi.IngressConditionStatus(ingress, routeapi.RouteAdmitted)
+			o.Expect(status).To(o.Equal(kapi.ConditionTrue))
+			o.Expect(condition.LastTransitionTime).NotTo(o.BeNil())
 		})
 	})
 })
@@ -223,3 +231,12 @@ func dumpScopedRouterLogs(oc *exutil.CLI, name string) {
 	log, _ := e2e.GetPodLogs(oc.AdminKubeClient(), oc.KubeFramework().Namespace.Name, "scoped-router", "router")
 	e2e.Logf("Scoped Router test %s logs:\n %s", name, log)
 }
+
+func ingressForName(r *routeapi.Route, name string) *routeapi.RouteIngress {
+	for i, ingress := range r.Status.Ingress {
+		if ingress.RouterName == name {
+			return &r.Status.Ingress[i]
+		}
+	}
+	return nil
+}

test/extended/router/unprivileged.go

@@ -0,0 +1,94 @@
+package images
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+	"time"
+
+	g "github.com/onsi/ginkgo"
+	o "github.com/onsi/gomega"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
+
+	exutil "github.com/openshift/origin/test/extended/util"
+)
+
+var _ = g.Describe("[Conformance][Area:Networking][Feature:Router]", func() {
+	defer g.GinkgoRecover()
+	var (
+		configPath = exutil.FixturePath("testdata", "scoped-router.yaml")
+		oc         = exutil.NewCLI("unprivileged-router", exutil.KubeConfigPath())
+	)
+
+	g.BeforeEach(func() {
+		imagePrefix := os.Getenv("OS_IMAGE_PREFIX")
+		if len(imagePrefix) == 0 {
+			imagePrefix = "openshift/origin"
+		}
+		err := oc.AsAdmin().Run("new-app").Args("-f", configPath,
+			`-p=IMAGE=`+imagePrefix+`-haproxy-router`,
+			`-p=SCOPE=["--name=test-unprivileged", "--namespace=$(POD_NAMESPACE)", "--loglevel=4", "--labels=select=first", "--update-status=false"]`,
+		).Execute()
+		o.Expect(err).NotTo(o.HaveOccurred())
+	})
+
+	g.Describe("The HAProxy router", func() {
+		g.It("should run even if it has no access to update status", func() {
+			defer func() {
+				if g.CurrentGinkgoTestDescription().Failed {
+					dumpScopedRouterLogs(oc, g.CurrentGinkgoTestDescription().FullTestText)
+				}
+			}()
+			g.Skip("test temporarily disabled")
+			oc.SetOutputDir(exutil.TestContext.OutputDir)
+			ns := oc.KubeFramework().Namespace.Name
+			execPodName := exutil.CreateExecPodOrFail(oc.AdminKubeClient().CoreV1(), ns, "execpod")
+			defer func() { oc.AdminKubeClient().CoreV1().Pods(ns).Delete(execPodName, metav1.NewDeleteOptions(1)) }()
+
+			g.By(fmt.Sprintf("creating a scoped router from a config file %q", configPath))
+
+			var routerIP string
+			err := wait.Poll(time.Second, changeTimeoutSeconds*time.Second, func() (bool, error) {
+				pod, err := oc.KubeFramework().ClientSet.CoreV1().Pods(oc.KubeFramework().Namespace.Name).Get("scoped-router", metav1.GetOptions{})
+				if err != nil {
+					return false, err
+				}
+				if len(pod.Status.PodIP) == 0 {
+					return false, nil
+				}
+				routerIP = pod.Status.PodIP
+				return true, nil
+			})
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			// router expected to listen on port 80
+			routerURL := fmt.Sprintf("http://%s", routerIP)
+
+			g.By("waiting for the healthz endpoint to respond")
+			healthzURI := fmt.Sprintf("http://%s:1936/healthz", routerIP)
+			err = waitForRouterOKResponseExec(ns, execPodName, healthzURI, routerIP, changeTimeoutSeconds)
+			if err != nil {
+				dumpScopedRouterLogs(oc, fmt.Sprintf("%s - %s", g.CurrentGinkgoTestDescription().TestText, "waiting for the healthz endpoint to respond"))
+			}
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("waiting for the valid route to respond")
+			err = waitForRouterOKResponseExec(ns, execPodName, routerURL+"/Letter", "FIRST.example.com", changeTimeoutSeconds)
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			for _, host := range []string{"second.example.com", "third.example.com"} {
+				g.By(fmt.Sprintf("checking that %s does not match a route", host))
+				err = expectRouteStatusCodeExec(ns, execPodName, routerURL+"/Letter", host, http.StatusServiceUnavailable)
+				o.Expect(err).NotTo(o.HaveOccurred())
+			}
+
+			g.By("checking that the route doesn't have an ingress status")
+			r, err := oc.RouteClient().Route().Routes(ns).Get("route-1", metav1.GetOptions{})
+			o.Expect(err).NotTo(o.HaveOccurred())
+			ingress := ingressForName(r, "test-unprivileged")
+			o.Expect(ingress).To(o.BeNil())
+		})
+	})
+})

test/extended/router/weighted.go

@@ -11,17 +11,15 @@ import (
 
 	g "github.com/onsi/ginkgo"
 	o "github.com/onsi/gomega"
-	"github.com/openshift/origin/pkg/api"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 	e2e "k8s.io/kubernetes/test/e2e/framework"
 
 	exutil "github.com/openshift/origin/test/extended/util"
-	testutil "github.com/openshift/origin/test/util"
 )
 
-var _ = g.Describe("[Conformance][Area:Networking][Feature:Router] weighted openshift router", func() {
+var _ = g.Describe("[Conformance][Area:Networking][Feature:Router]", func() {
 	defer g.GinkgoRecover()
 	var (
 		configPath = exutil.FixturePath("testdata", "weighted-router.yaml")
@@ -33,22 +31,16 @@ var _ = g.Describe("[Conformance][Area:Networking][Feature:Router] weighted open
 		if len(imagePrefix) == 0 {
 			imagePrefix = "openshift/origin"
 		}
-		err := oc.AsAdmin().Run("adm").Args("policy", "add-cluster-role-to-user", "system:router", oc.Username()).Execute()
-		o.Expect(err).NotTo(o.HaveOccurred())
-		// Wait for the policy to be propagated
-		testutil.WaitForClusterPolicyUpdate(oc.InternalKubeClient().Authorization(), "get", api.Resource("service"), true)
-		o.Expect(err).NotTo(o.HaveOccurred())
-		err = oc.Run("new-app").Args("-f", configPath, "-p", "IMAGE="+imagePrefix+"-haproxy-router").Execute()
+		err := oc.AsAdmin().Run("new-app").Args("-f", configPath, "-p", "IMAGE="+imagePrefix+"-haproxy-router").Execute()
 		o.Expect(err).NotTo(o.HaveOccurred())
 	})
 
 	g.Describe("The HAProxy router", func() {
-		g.It("should appropriately serve a route that points to two services", func() {
+		g.It("should serve a route that points to two services and respect weights", func() {
 			defer func() {
-				// This should be done if the test fails but
-				// for now always dump the logs.
-				// if g.CurrentGinkgoTestDescription().Failed
-				dumpWeightedRouterLogs(oc, g.CurrentGinkgoTestDescription().FullTestText)
+				if g.CurrentGinkgoTestDescription().Failed {
+					dumpWeightedRouterLogs(oc, g.CurrentGinkgoTestDescription().FullTestText)
+				}
 			}()
 			oc.SetOutputDir(exutil.TestContext.OutputDir)
 			ns := oc.KubeFramework().Namespace.Name

test/extended/testdata/scoped-router.yaml

@@ -3,6 +3,8 @@ kind: Template
 parameters:
 - name: IMAGE
   value: openshift/origin-haproxy-router:latest
+- name: SCOPE
+  value: '["--name=test-scoped", "--namespace=$(POD_NAMESPACE)", "--loglevel=4", "--labels=select=first"]'
 objects:
 # a scoped router
 - apiVersion: v1
@@ -22,7 +24,7 @@ objects:
         valueFrom:
           fieldRef:
             fieldPath: metadata.namespace
-      args: ["--namespace=$(POD_NAMESPACE)", "--loglevel=4", "--labels=select=first"]
+      args: "${{SCOPE}}"
       hostNetwork: false
       ports:
       - containerPort: 80
@@ -50,7 +52,7 @@ objects:
         valueFrom:
           fieldRef:
             fieldPath: metadata.namespace
-      args: ["--namespace=$(POD_NAMESPACE)", "--loglevel=4", "--override-hostname", "--hostname-template=${name}-${namespace}.myapps.mycompany.com"]
+      args: ["--name=test-override", "--namespace=$(POD_NAMESPACE)", "--loglevel=4", "--override-hostname", "--hostname-template=${name}-${namespace}.myapps.mycompany.com"]
       hostNetwork: false
       ports:
       - containerPort: 80