1
// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
2
// Licensed under the GNU Affero General Public License (AGPL).
3
// See License.AGPL.txt in the project root for license information.
4

5
package wsdaemon
6

7
import (
8
	"context"
9
	"os"
10
	"testing"
11
	"time"
12

13
	"github.com/gitpod-io/gitpod/common-go/kubernetes"
14
	daemon "github.com/gitpod-io/gitpod/test/pkg/agent/daemon/api"
15
	"github.com/gitpod-io/gitpod/test/pkg/integration"
16
	corev1 "k8s.io/api/core/v1"
17
	"sigs.k8s.io/e2e-framework/pkg/envconf"
18
	"sigs.k8s.io/e2e-framework/pkg/features"
19
)
20

21
func TestNetworkLimiting(t *testing.T) {
22
	userToken, _ := os.LookupEnv("USER_TOKEN")
23
	integration.SkipWithoutUsername(t, username)
24
	integration.SkipWithoutUserToken(t, userToken)
25

26
	f := features.New("network limiting").
27
		WithLabel("component", "ws-daemon").
28
		Assess("verify if network limiting works fine", func(testCtx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
29
			t.Parallel()
30

31
			ctx, cancel := context.WithTimeout(testCtx, 5*time.Minute)
32
			defer cancel()
33

34
			api := integration.NewComponentAPI(ctx, cfg.Namespace(), kubeconfig, cfg.Client())
35
			t.Cleanup(func() {
36
				api.Done(t)
37
			})
38

39
			_, err := api.CreateUser(username, userToken)
40
			if err != nil {
41
				t.Fatal(err)
42
			}
43

44
			ws, stopWs, err := integration.LaunchWorkspaceFromContextURL(t, ctx, "https://github.com/gitpod-io/empty", username, api, integration.WithGitpodUser(username))
45
			if err != nil {
46
				t.Fatal(err)
47
			}
48
			t.Cleanup(func() {
49
				sctx, scancel := context.WithTimeout(context.Background(), 5*time.Minute)
50
				defer scancel()
51

52
				sapi := integration.NewComponentAPI(sctx, cfg.Namespace(), kubeconfig, cfg.Client())
53
				defer sapi.Done(t)
54

55
				_, err = stopWs(true, sapi)
56
				if err != nil {
57
					t.Fatal(err)
58
				}
59
			})
60

61
			daemonClient, daemonCloser, err := integration.Instrument(integration.ComponentWorkspaceDaemon, "daemon", cfg.Namespace(), kubeconfig, cfg.Client(),
62
				integration.WithWorkspacekitLift(false),
63
				integration.WithContainer("ws-daemon"),
64
			)
65
			if err != nil {
66
				t.Fatalf("unexpected error instrumenting daemon: %v", err)
67
			}
68
			defer daemonClient.Close()
69
			integration.DeferCloser(t, daemonCloser)
70

71
			t.Logf("checking if workspace pod has network limit annotation")
72
			var pod corev1.Pod
73
			if err := cfg.Client().Resources().Get(ctx, "ws-"+ws.LatestInstance.ID, cfg.Namespace(), &pod); err != nil {
74
				t.Fatal(err)
75
			}
76
			annotation, ok := pod.Annotations[kubernetes.WorkspaceNetConnLimitAnnotation]
77
			if !ok {
78
				t.Fatalf("expected annotation %s to be present on workspace pod but wasn't", kubernetes.WorkspaceNetConnLimitAnnotation)
79
			}
80
			if annotation != "true" {
81
				t.Fatalf("expected annotation %s to be true but was %s", kubernetes.WorkspaceNetConnLimitAnnotation, annotation)
82
			}
83

84
			t.Logf("checking nftable rules for rate limiting")
85
			containerId := getCalicoContainerId(&pod)
86
			var resp daemon.VerifyRateLimitingRuleResponse
87
			err = daemonClient.Call("DaemonAgent.VerifyRateLimitingRule", daemon.VerifyRateLimitingRuleRequest{
88
				ContainerId: containerId,
89
			}, &resp)
90
			if err != nil {
91
				t.Errorf("error verifying rate limiting rule for container %s: %v", containerId, err)
92
			}
93

94
			t.Logf("verified rate limiting rule")
95

96
			return testCtx
97
		}).Feature()
98

99
	testEnv.Test(t, f)
100
}
101

102
func getCalicoContainerId(pod *corev1.Pod) string {
103
	return pod.Annotations["cni.projectcalico.org/containerID"]
104
}
105

106