def cleanup_td_for_gke(project, network, resource_prefix, resource_suffix): gcp_api_manager = gcp.api.GcpApiManager() plain_td = traffic_director.TrafficDirectorManager( gcp_api_manager, project=project, network=network, resource_prefix=resource_prefix, resource_suffix=resource_suffix) security_td = traffic_director.TrafficDirectorSecureManager( gcp_api_manager, project=project, network=network, resource_prefix=resource_prefix, resource_suffix=resource_suffix) # TODO: cleanup appnet resources. # appnet_td = traffic_director.TrafficDirectorAppNetManager( # gcp_api_manager, # project=project, # network=network, # resource_prefix=resource_prefix, # resource_suffix=resource_suffix) logger.info( '----- Removing traffic director for gke, prefix %s, suffix %s', resource_prefix, resource_suffix) security_td.cleanup(force=True) # appnet_td.cleanup(force=True) plain_td.cleanup(force=True)
def setUp(self): super().setUp() # Traffic Director Configuration self.td = traffic_director.TrafficDirectorSecureManager( self.gcp_api_manager, project=self.project, resource_prefix=self.namespace, network=self.network) # Test Server Runner self.server_runner = server_app.KubernetesServerRunner( k8s.KubernetesNamespace(self.k8s_api_manager, self.server_namespace), deployment_name=self.server_name, image_name=self.server_image, gcp_service_account=self.gcp_service_account, network=self.network, td_bootstrap_image=self.td_bootstrap_image, deployment_template='server-secure.deployment.yaml', debug_use_port_forwarding=self.debug_use_port_forwarding) # Test Client Runner self.client_runner = client_app.KubernetesClientRunner( k8s.KubernetesNamespace(self.k8s_api_manager, self.client_namespace), deployment_name=self.client_name, image_name=self.client_image, gcp_service_account=self.gcp_service_account, network=self.network, td_bootstrap_image=self.td_bootstrap_image, deployment_template='client-secure.deployment.yaml', stats_port=self.client_port, reuse_namespace=self.server_namespace == self.client_namespace, debug_use_port_forwarding=self.debug_use_port_forwarding)
def main(argv): if len(argv) > 1: raise app.UsageError('Too many command-line arguments.') command = _CMD.value security_mode = _SECURITY.value project: str = xds_flags.PROJECT.value network: str = xds_flags.NETWORK.value namespace = xds_flags.NAMESPACE.value # Test server server_name = xds_flags.SERVER_NAME.value server_port = xds_flags.SERVER_PORT.value server_maintenance_port = xds_flags.SERVER_MAINTENANCE_PORT.value server_xds_host = xds_flags.SERVER_XDS_HOST.value server_xds_port = xds_flags.SERVER_XDS_PORT.value gcp_api_manager = gcp.api.GcpApiManager() if security_mode is None: td = traffic_director.TrafficDirectorManager(gcp_api_manager, project=project, resource_prefix=namespace, network=network) else: td = traffic_director.TrafficDirectorSecureManager( gcp_api_manager, project=project, resource_prefix=namespace, network=network) if server_maintenance_port is None: server_maintenance_port = _DEFAULT_SECURE_MODE_MAINTENANCE_PORT try: if command in ('create', 'cycle'): logger.info('Create mode') if security_mode is None: logger.info('No security') td.setup_for_grpc(server_xds_host, server_xds_port, health_check_port=server_maintenance_port) elif security_mode == 'mtls': logger.info('Setting up mtls') td.setup_for_grpc(server_xds_host, server_xds_port, health_check_port=server_maintenance_port) td.setup_server_security(server_namespace=namespace, server_name=server_name, server_port=server_port, tls=True, mtls=True) td.setup_client_security(server_namespace=namespace, server_name=server_name, tls=True, mtls=True) elif security_mode == 'tls': logger.info('Setting up tls') td.setup_for_grpc(server_xds_host, server_xds_port, health_check_port=server_maintenance_port) td.setup_server_security(server_namespace=namespace, server_name=server_name, server_port=server_port, tls=True, mtls=False) td.setup_client_security(server_namespace=namespace, server_name=server_name, tls=True, mtls=False) elif security_mode == 'plaintext': logger.info('Setting up plaintext') td.setup_for_grpc(server_xds_host, server_xds_port, health_check_port=server_maintenance_port) td.setup_server_security(server_namespace=namespace, server_name=server_name, server_port=server_port, tls=False, mtls=False) td.setup_client_security(server_namespace=namespace, server_name=server_name, tls=False, mtls=False) elif security_mode == 'mtls_error': # Error case: server expects client mTLS cert, # but client configured only for TLS logger.info('Setting up mtls_error') td.setup_for_grpc(server_xds_host, server_xds_port, health_check_port=server_maintenance_port) td.setup_server_security(server_namespace=namespace, server_name=server_name, server_port=server_port, tls=True, mtls=True) td.setup_client_security(server_namespace=namespace, server_name=server_name, tls=True, mtls=False) elif security_mode == 'server_authz_error': # Error case: client does not authorize server # because of mismatched SAN name. logger.info('Setting up mtls_error') td.setup_for_grpc(server_xds_host, server_xds_port, health_check_port=server_maintenance_port) # Regular TLS setup, but with client policy configured using # intentionality incorrect server_namespace. td.setup_server_security(server_namespace=namespace, server_name=server_name, server_port=server_port, tls=True, mtls=False) incorrect_namespace = f'incorrect-namespace-{uuid.uuid4().hex}' td.setup_client_security(server_namespace=incorrect_namespace, server_name=server_name, tls=True, mtls=False) logger.info('Works!') except Exception: # noqa pylint: disable=broad-except logger.exception('Got error during creation') if command in ('cleanup', 'cycle'): logger.info('Cleaning up') td.cleanup(force=True) if command == 'backends-add': logger.info('Adding backends') k8s_api_manager = k8s.KubernetesApiManager( xds_k8s_flags.KUBE_CONTEXT.value) k8s_namespace = k8s.KubernetesNamespace(k8s_api_manager, namespace) neg_name, neg_zones = k8s_namespace.get_service_neg( server_name, server_port) td.load_backend_service() td.backend_service_add_neg_backends(neg_name, neg_zones) td.wait_for_backends_healthy_status() # TODO(sergiitk): wait until client reports rpc health elif command == 'backends-cleanup': td.load_backend_service() td.backend_service_remove_all_backends()
def main(argv): # pylint: disable=too-many-locals,too-many-branches,too-many-statements if len(argv) > 1: raise app.UsageError('Too many command-line arguments.') # Must be called before KubernetesApiManager or GcpApiManager init. xds_flags.set_socket_default_timeout_from_flag() command = _CMD.value security_mode = _SECURITY.value project: str = xds_flags.PROJECT.value network: str = xds_flags.NETWORK.value # Resource names. resource_prefix: str = xds_flags.RESOURCE_PREFIX.value resource_suffix: str = xds_flags.RESOURCE_SUFFIX.value # Test server server_name = xds_flags.SERVER_NAME.value server_port = xds_flags.SERVER_PORT.value server_maintenance_port = xds_flags.SERVER_MAINTENANCE_PORT.value server_xds_host = xds_flags.SERVER_XDS_HOST.value server_xds_port = xds_flags.SERVER_XDS_PORT.value server_namespace = _KubernetesServerRunner.make_namespace_name( resource_prefix, resource_suffix) gcp_api_manager = gcp.api.GcpApiManager() if security_mode is None: td = traffic_director.TrafficDirectorManager( gcp_api_manager, project=project, network=network, resource_prefix=resource_prefix, resource_suffix=resource_suffix) else: td = traffic_director.TrafficDirectorSecureManager( gcp_api_manager, project=project, network=network, resource_prefix=resource_prefix, resource_suffix=resource_suffix) if server_maintenance_port is None: server_maintenance_port = \ _KubernetesServerRunner.DEFAULT_SECURE_MODE_MAINTENANCE_PORT try: if command in ('create', 'cycle'): logger.info('Create mode') if security_mode is None: logger.info('No security') td.setup_for_grpc(server_xds_host, server_xds_port, health_check_port=server_maintenance_port) elif security_mode == 'mtls': logger.info('Setting up mtls') td.setup_for_grpc(server_xds_host, server_xds_port, health_check_port=server_maintenance_port) td.setup_server_security(server_namespace=server_namespace, server_name=server_name, server_port=server_port, tls=True, mtls=True) td.setup_client_security(server_namespace=server_namespace, server_name=server_name, tls=True, mtls=True) elif security_mode == 'tls': logger.info('Setting up tls') td.setup_for_grpc(server_xds_host, server_xds_port, health_check_port=server_maintenance_port) td.setup_server_security(server_namespace=server_namespace, server_name=server_name, server_port=server_port, tls=True, mtls=False) td.setup_client_security(server_namespace=server_namespace, server_name=server_name, tls=True, mtls=False) elif security_mode == 'plaintext': logger.info('Setting up plaintext') td.setup_for_grpc(server_xds_host, server_xds_port, health_check_port=server_maintenance_port) td.setup_server_security(server_namespace=server_namespace, server_name=server_name, server_port=server_port, tls=False, mtls=False) td.setup_client_security(server_namespace=server_namespace, server_name=server_name, tls=False, mtls=False) elif security_mode == 'mtls_error': # Error case: server expects client mTLS cert, # but client configured only for TLS logger.info('Setting up mtls_error') td.setup_for_grpc(server_xds_host, server_xds_port, health_check_port=server_maintenance_port) td.setup_server_security(server_namespace=server_namespace, server_name=server_name, server_port=server_port, tls=True, mtls=True) td.setup_client_security(server_namespace=server_namespace, server_name=server_name, tls=True, mtls=False) elif security_mode == 'server_authz_error': # Error case: client does not authorize server # because of mismatched SAN name. logger.info('Setting up mtls_error') td.setup_for_grpc(server_xds_host, server_xds_port, health_check_port=server_maintenance_port) # Regular TLS setup, but with client policy configured using # intentionality incorrect server_namespace. td.setup_server_security(server_namespace=server_namespace, server_name=server_name, server_port=server_port, tls=True, mtls=False) td.setup_client_security( server_namespace=f'incorrect-namespace-{rand.rand_string()}', server_name=server_name, tls=True, mtls=False) logger.info('Works!') except Exception: # noqa pylint: disable=broad-except logger.exception('Got error during creation') if command in ('cleanup', 'cycle'): logger.info('Cleaning up') td.cleanup(force=True) if command == 'backends-add': logger.info('Adding backends') k8s_api_manager = k8s.KubernetesApiManager( xds_k8s_flags.KUBE_CONTEXT.value) k8s_namespace = k8s.KubernetesNamespace(k8s_api_manager, server_namespace) neg_name, neg_zones = k8s_namespace.get_service_neg( server_name, server_port) td.load_backend_service() td.backend_service_add_neg_backends(neg_name, neg_zones) td.wait_for_backends_healthy_status() elif command == 'backends-cleanup': td.load_backend_service() td.backend_service_remove_all_backends() elif command == 'unused-xds-port': try: unused_xds_port = td.find_unused_forwarding_rule_port() logger.info('Found unused forwarding rule port: %s', unused_xds_port) except Exception: # noqa pylint: disable=broad-except logger.exception("Couldn't find unused forwarding rule port")
def main(argv): if len(argv) > 1: raise app.UsageError('Too many command-line arguments.') command = _CMD.value security_mode = _SECURITY.value project: str = xds_flags.PROJECT.value network: str = xds_flags.NETWORK.value namespace = xds_flags.NAMESPACE.value # Test server server_name = xds_flags.SERVER_NAME.value server_port = xds_flags.SERVER_PORT.value server_xds_host = xds_flags.SERVER_XDS_HOST.value server_xds_port = xds_flags.SERVER_XDS_PORT.value gcp_api_manager = gcp.api.GcpApiManager() if security_mode is None: td = traffic_director.TrafficDirectorManager(gcp_api_manager, project=project, resource_prefix=namespace, network=network) else: td = traffic_director.TrafficDirectorSecureManager( gcp_api_manager, project=project, resource_prefix=namespace, network=network) # noinspection PyBroadException try: if command == 'create' or command == 'cycle': logger.info('Create-only mode') if security_mode is None: logger.info('No security') td.setup_for_grpc(server_xds_host, server_xds_port) elif security_mode == 'mtls': logger.info('Setting up mtls') td.setup_for_grpc(server_xds_host, server_xds_port) td.setup_server_security(server_namespace=namespace, server_name=server_name, server_port=server_port, tls=True, mtls=True) td.setup_client_security(server_namespace=namespace, server_name=server_name, tls=True, mtls=True) elif security_mode == 'tls': logger.info('Setting up tls') td.setup_for_grpc(server_xds_host, server_xds_port) td.setup_server_security(server_namespace=namespace, server_name=server_name, server_port=server_port, tls=True, mtls=False) td.setup_client_security(server_namespace=namespace, server_name=server_name, tls=True, mtls=False) elif security_mode == 'plaintext': logger.info('Setting up plaintext') td.setup_for_grpc(server_xds_host, server_xds_port) td.setup_server_security(server_namespace=namespace, server_name=server_name, server_port=server_port, tls=False, mtls=False) td.setup_client_security(server_namespace=namespace, server_name=server_name, tls=False, mtls=False) logger.info('Works!') except Exception: logger.exception('Got error during creation') if command == 'cleanup' or command == 'cycle': logger.info('Cleaning up') td.cleanup(force=True) if command == 'backends-add': logger.info('Adding backends') k8s_api_manager = k8s.KubernetesApiManager( xds_k8s_flags.KUBE_CONTEXT.value) k8s_namespace = k8s.KubernetesNamespace(k8s_api_manager, namespace) neg_name, neg_zones = k8s_namespace.get_service_neg( server_name, server_port) td.load_backend_service() td.backend_service_add_neg_backends(neg_name, neg_zones) # TODO(sergiitk): wait until client reports rpc health elif command == 'backends-cleanup': td.load_backend_service() td.backend_service_remove_all_backends()