Add E2E tests for basic functionality and port launching to Go

This adds a new E2E test suite replacing the old log-parsing
based one. It also moves launching and controlling Smalltown VMs into
a Go package and command and exposes the '//:launch' alias.
The new E2E test suite covers basic conditions (IP assigned, Data
available) and Kubernetes Node, Deployment and StatefulSet tests.

Test Plan: This consists of E2E tests

X-Origin-Diff: phab/D544
GitOrigin-RevId: 7c624c667c849068bafa544a3a6c635d6d406e1c
diff --git a/core/internal/common/setup.go b/core/internal/common/setup.go
index 7a268ae..db00692 100644
--- a/core/internal/common/setup.go
+++ b/core/internal/common/setup.go
@@ -27,6 +27,7 @@
 	MasterServicePort   = 7833
 	ExternalServicePort = 7836
 	DebugServicePort    = 7837
+	KubernetesAPIPort   = 6443
 )
 
 const (
diff --git a/core/internal/consensus/BUILD.bazel b/core/internal/consensus/BUILD.bazel
index c8b2f25..f0246f7 100644
--- a/core/internal/consensus/BUILD.bazel
+++ b/core/internal/consensus/BUILD.bazel
@@ -18,6 +18,7 @@
         "@io_etcd_go_etcd//pkg/types:go_default_library",
         "@io_etcd_go_etcd//proxy/grpcproxy/adapter:go_default_library",
         "@org_golang_x_sys//unix:go_default_library",
+        "@org_uber_go_atomic//:go_default_library",
         "@org_uber_go_zap//:go_default_library",
         "@org_uber_go_zap//zapcore:go_default_library",
     ],
diff --git a/core/internal/consensus/consensus.go b/core/internal/consensus/consensus.go
index 67bac1c..d401c1a 100644
--- a/core/internal/consensus/consensus.go
+++ b/core/internal/consensus/consensus.go
@@ -33,11 +33,6 @@
 	"strings"
 	"time"
 
-	"git.monogon.dev/source/nexantic.git/core/internal/common"
-	"git.monogon.dev/source/nexantic.git/core/internal/common/service"
-
-	"git.monogon.dev/source/nexantic.git/core/generated/api"
-
 	"github.com/pkg/errors"
 	"go.etcd.io/etcd/clientv3"
 	"go.etcd.io/etcd/clientv3/namespace"
@@ -45,10 +40,14 @@
 	"go.etcd.io/etcd/etcdserver/api/membership"
 	"go.etcd.io/etcd/pkg/types"
 	"go.etcd.io/etcd/proxy/grpcproxy/adapter"
+	"go.uber.org/atomic"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
 	"golang.org/x/sys/unix"
 
+	"git.monogon.dev/source/nexantic.git/core/generated/api"
+	"git.monogon.dev/source/nexantic.git/core/internal/common"
+	"git.monogon.dev/source/nexantic.git/core/internal/common/service"
 	"git.monogon.dev/source/nexantic.git/core/internal/consensus/ca"
 )
 
@@ -75,7 +74,7 @@
 
 		etcd  *embed.Etcd
 		kv    clientv3.KV
-		ready bool
+		ready atomic.Bool
 
 		// bootstrapCA and bootstrapCert cache the etcd cluster CA data during bootstrap.
 		bootstrapCA   *ca.CA
@@ -192,6 +191,7 @@
 	go func() {
 		s.Logger.Info("waiting for etcd to become ready")
 		<-s.etcd.Server.ReadyNotify()
+		s.ready.Store(true)
 		s.Logger.Info("etcd is now ready")
 	}()
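Review bot: The goroutine that now stores the ready flag (line 81) only waits on ReadyNotify, so if the embedded etcd is stopped before it ever becomes ready the goroutine blocks forever and leaks, and the flag is never set. Select on the server's stop channel as well, e.g. `select { case <-s.etcd.Server.ReadyNotify(): s.ready.Store(true) ... case <-s.etcd.Server.StopNotify(): return }`, so a failed start terminates the waiter. The enclosing function starts and ends outside this hunk, so I cannot tell whether a Stop path already handles this.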
 
@@ -432,7 +432,7 @@
 
 // IsReady returns whether etcd is ready and synced
 func (s *Service) IsReady() bool {
-	return s.ready
+	return s.ready.Load()
 }
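Review bot: `ready` only ever transitions to true in this diff and nothing visible clears it, so IsReady keeps reporting ready after etcd has been stopped, restarted or lost quorum; the doc comment "ready and synced" promises more than an atomic bool set once on ReadyNotify can deliver. Either `Store(false)` on the service's stop/restart path (not visible here, please confirm it exists) or narrow the comment to what is tracked: `// IsReady reports whether the embedded etcd server has signalled ReadyNotify at least once. It is not cleared on shutdown and does not imply the member is synced with the cluster.`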
 
 // AddMember adds a new etcd member to the cluster
diff --git a/core/internal/kubernetes/BUILD.bazel b/core/internal/kubernetes/BUILD.bazel
index 6778845..f3304cc 100644
--- a/core/internal/kubernetes/BUILD.bazel
+++ b/core/internal/kubernetes/BUILD.bazel
@@ -16,6 +16,7 @@
     visibility = ["//core:__subpackages__"],
     deps = [
         "//core/api/api:go_default_library",
+        "//core/internal/common:go_default_library",
         "//core/internal/common/supervisor:go_default_library",
         "//core/internal/consensus:go_default_library",
         "//core/internal/kubernetes/reconciler:go_default_library",
diff --git a/core/internal/kubernetes/apiserver.go b/core/internal/kubernetes/apiserver.go
index dc48b96..9bc32f3 100644
--- a/core/internal/kubernetes/apiserver.go
+++ b/core/internal/kubernetes/apiserver.go
@@ -26,6 +26,8 @@
 	"os/exec"
 	"path"
 
+	"git.monogon.dev/source/nexantic.git/core/internal/common"
+
 	"go.etcd.io/etcd/clientv3"
 
 	"git.monogon.dev/source/nexantic.git/core/internal/common/supervisor"
@@ -81,6 +83,7 @@
 			"--enable-admission-plugins=NodeRestriction,PodSecurityPolicy",
 			"--enable-aggregator-routing=true",
 			"--insecure-port=0",
+			fmt.Sprintf("--secure-port=%v", common.KubernetesAPIPort),
 			// Due to the magic of GRPC this really needs four slashes and a :0
 			fmt.Sprintf("--etcd-servers=%v", "unix:////consensus/listener.sock:0"),
 			args.FileOpt("--kubelet-client-certificate", "kubelet-client-cert.pem",
diff --git a/core/internal/kubernetes/auth.go b/core/internal/kubernetes/auth.go
index 25e2e4b..fe2fe59 100644
--- a/core/internal/kubernetes/auth.go
+++ b/core/internal/kubernetes/auth.go
@@ -34,6 +34,8 @@
 	"path"
 	"time"
 
+	"git.monogon.dev/source/nexantic.git/core/internal/common"
+
 	"go.etcd.io/etcd/clientv3"
 	"k8s.io/client-go/tools/clientcmd"
 	configapi "k8s.io/client-go/tools/clientcmd/api"
@@ -381,7 +383,7 @@
 func makeLocalKubeconfig(ca, cert, key []byte) ([]byte, error) {
 	kubeconfig := configapi.NewConfig()
 	cluster := configapi.NewCluster()
-	cluster.Server = "https://127.0.0.1:6443"
+	cluster.Server = fmt.Sprintf("https://127.0.0.1:%v", common.KubernetesAPIPort)
 	cluster.CertificateAuthorityData = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca})
 	kubeconfig.Clusters["default"] = cluster
 	authInfo := configapi.NewAuthInfo()
diff --git a/core/internal/kubernetes/service.go b/core/internal/kubernetes/service.go
index f95f03e..b2d340e 100644
--- a/core/internal/kubernetes/service.go
+++ b/core/internal/kubernetes/service.go
@@ -95,6 +95,9 @@
 
 // GetDebugKubeconfig issues a kubeconfig for an arbitrary given identity. Useful for debugging and testing.
 func (s *Service) GetDebugKubeconfig(ctx context.Context, request *schema.GetDebugKubeconfigRequest) (*schema.GetDebugKubeconfigResponse, error) {
+	if !s.consensusService.IsReady() {
+		return nil, status.Error(codes.Unavailable, "Consensus not ready yet")
+	}
 	idCA, idKeyRaw, err := getCert(s.getKV(), "id-ca")
 	idKey := ed25519.PrivateKey(idKeyRaw)
 	if err != nil {
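Review bot: The `ed25519.PrivateKey(idKeyRaw)` conversion on the line after the new readiness check runs before `err` from getCert is examined, which reads as if the key material were already validated; move `idKey := ed25519.PrivateKey(idKeyRaw)` below the `if err != nil` block. The new Unavailable guard is the right gRPC code, but since `ready` is set once and never cleared in this diff it is a startup gate rather than a liveness check, which is worth a one-line comment such as `// Guard against use before etcd has come up; ready is never cleared afterwards.` The function body continues outside the hunk.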
diff --git a/core/internal/launch/BUILD.bazel b/core/internal/launch/BUILD.bazel
new file mode 100644
index 0000000..887932b
--- /dev/null
+++ b/core/internal/launch/BUILD.bazel
@@ -0,0 +1,12 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["launch.go"],
+    importpath = "git.monogon.dev/source/nexantic.git/core/internal/launch",
+    visibility = ["//core:__subpackages__"],
+    deps = [
+        "//core/internal/common:go_default_library",
+        "@org_golang_google_grpc//:go_default_library",
+    ],
+)
diff --git a/core/internal/launch/launch.go b/core/internal/launch/launch.go
new file mode 100644
index 0000000..9aa277c
--- /dev/null
+++ b/core/internal/launch/launch.go
@@ -0,0 +1,227 @@
+// Copyright 2020 The Monogon Project Authors.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package launch
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"google.golang.org/grpc"
+
+	"git.monogon.dev/source/nexantic.git/core/internal/common"
+)
+
+// This is more of a best-effort solution and not guaranteed to give us unused ports (since we're not immediately using
+// them), but AFAIK qemu cannot dynamically select hostfwd ports
+func getFreePort() (uint16, io.Closer, error) {
+	addr, err := net.ResolveTCPAddr("tcp", "localhost:0")
+	if err != nil {
+		return 0, nil, err
+	}
+
+	l, err := net.ListenTCP("tcp", addr)
+	if err != nil {
+		return 0, nil, err
+	}
+	return uint16(l.Addr().(*net.TCPAddr).Port), l, nil
+}
+
+type qemuValue map[string][]string
+
+// qemuValueToOption encodes structured data into a QEMU option.
+// Example: "test", {"key1": {"val1"}, "key2": {"val2", "val3"}} returns "test,key1=val1,key2=val2,key2=val3"
+func qemuValueToOption(name string, value qemuValue) string {
+	var optionValues []string
+	optionValues = append(optionValues, name)
+	for name, values := range value {
+		if len(values) == 0 {
+			optionValues = append(optionValues, name)
+		}
+		for _, val := range values {
+			optionValues = append(optionValues, fmt.Sprintf("%v=%v", name, val))
+		}
+	}
+	return strings.Join(optionValues, ",")
+}
+
+func copyFile(src, dst string) error {
+	in, err := os.Open(src)
+	if err != nil {
+		return err
+	}
+	defer in.Close()
+
+	out, err := os.Create(dst)
+	if err != nil {
+		return err
+	}
+	defer out.Close()
+
+	_, err = io.Copy(out, in)
+	if err != nil {
+		return err
+	}
+	return out.Close()
+}
+
+// PortMap represents where VM ports are mapped to on the host. It maps from the VM port number to the host port number.
+type PortMap map[uint16]uint16
+
+// toQemuForwards generates QEMU hostfwd values (https://qemu.weilnetz.de/doc/qemu-doc.html#:~:text=hostfwd=) for all
+// mapped ports.
+func (p PortMap) toQemuForwards() []string {
+	var hostfwdOptions []string
+	for vmPort, hostPort := range p {
+		hostfwdOptions = append(hostfwdOptions, fmt.Sprintf("tcp::%v-:%v", hostPort, vmPort))
+	}
+	return hostfwdOptions
+}
+
+// DialGRPC creates a gRPC client for a VM port that's forwarded/mapped to the host. The given port is automatically
+// resolved to the host-mapped port.
+func (p PortMap) DialGRPC(port uint16, opts ...grpc.DialOption) (*grpc.ClientConn, error) {
+	mappedPort, ok := p[port]
+	if !ok {
+		return nil, fmt.Errorf("cannot dial port: port %v is not mapped/forwarded", port)
+	}
+	grpcClient, err := grpc.Dial(fmt.Sprintf("localhost:%v", mappedPort), opts...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to dial port %v: %w", port, err)
+	}
+	return grpcClient, nil
+}
+
+// Options contains all options that can be passed to Launch()
+type Options struct {
+	// Ports contains the port mapping where to expose the internal ports of the VM to the host. See IdentityPortMap()
+	// and ConflictFreePortMap()
+	Ports PortMap
+
+	// If set to true, reboots are honored. Otherwise all reboots exit the Launch() command. Smalltown generally restarts
+	// on almost all errors, so unless you want to test reboot behavior this should be false.
+	AllowReboot bool
+}
+
+var requiredPorts = []uint16{common.ConsensusPort, common.NodeServicePort, common.MasterServicePort,
+	common.ExternalServicePort, common.DebugServicePort, common.KubernetesAPIPort}
+
+// IdentityPortMap returns a port map where each VM port is mapped onto itself on the host. This is mainly useful
+// for development against Smalltown. The dbg command requires this mapping.
+func IdentityPortMap() PortMap {
+	portMap := make(PortMap)
+	for _, port := range requiredPorts {
+		portMap[port] = port
+	}
+	return portMap
+}
+
+// ConflictFreePortMap returns a port map where each VM port is mapped onto a random free port on the host. This is
+// intended for automated testing where multiple instances of Smalltown might be running. Please call this function for
+// each Launch command separately and as close to it as possible since it cannot guarantee that the ports will remain
+// free.
+func ConflictFreePortMap() (PortMap, error) {
+	portMap := make(PortMap)
+	for _, port := range requiredPorts {
+		mappedPort, listenCloser, err := getFreePort()
+		if err != nil {
+			return portMap, fmt.Errorf("failed to get free host port: %w", err)
+		}
+		// Defer closing of the listening port until the function is done and all ports are allocated
+		defer listenCloser.Close()
+		portMap[port] = mappedPort
+	}
+	return portMap, nil
+}
+
+// Launch launches a Smalltown instance with the given options. The instance runs mostly paravirtualized but with some
+// emulated hardware similar to how a cloud provider might set up its VMs. The disk is fully writable but is run
+// in snapshot mode meaning that changes are not kept beyond a single invocation.
+func Launch(ctx context.Context, options Options) error {
+	// Pin temp directory to /tmp until we can use abstract socket namespace in QEMU (next release after 5.0,
+	// https://github.com/qemu/qemu/commit/776b97d3605ed0fc94443048fdf988c7725e38a9). swtpm accepts already-open FDs
+	// so we can pass in an abstract socket namespace FD that we open and pass the name of it to QEMU. Not pinning this
+	// crashes both swtpm and qemu because we run into UNIX socket length limitations (for legacy reasons 108 chars).
+	tempDir, err := ioutil.TempDir("/tmp", "launch*")
+	if err != nil {
+		return fmt.Errorf("Failed to create temporary directory: %w", err)
+	}
+	defer os.RemoveAll(tempDir)
+
+	// Copy TPM state into a temporary directory since it's being modified by the emulator
+	tpmTargetDir := filepath.Join(tempDir, "tpm")
+	tpmSrcDir := "core/tpm"
+	if err := os.Mkdir(tpmTargetDir, 0644); err != nil {
+		return fmt.Errorf("Failed to create TPM state directory: %w", err)
+	}
+	tpmFiles, err := ioutil.ReadDir(tpmSrcDir)
+	if err != nil {
+		return fmt.Errorf("Failed to read TPM directory: %w", err)
+	}
+	for _, file := range tpmFiles {
+		name := file.Name()
+		if err := copyFile(filepath.Join(tpmSrcDir, name), filepath.Join(tpmTargetDir, name)); err != nil {
+			return fmt.Errorf("Failed to copy TPM directory: %w", err)
+		}
+	}
+
+	qemuNetConfig := qemuValue{
+		"id":        {"net0"},
+		"net":       {"10.42.0.0/24"},
+		"dhcpstart": {"10.42.0.10"},
+		"hostfwd":   options.Ports.toQemuForwards(),
+	}
+
+	tpmSocketPath := filepath.Join(tempDir, "tpm-socket")
+
+	qemuArgs := []string{"-machine", "q35", "-accel", "kvm", "-nographic", "-nodefaults", "-m", "2048",
+		"-cpu", "host", "-smp", "sockets=1,cpus=1,cores=2,threads=2,maxcpus=4",
+		"-drive", "if=pflash,format=raw,readonly,file=external/edk2/OVMF_CODE.fd",
+		"-drive", "if=pflash,format=raw,snapshot=on,file=external/edk2/OVMF_VARS.fd",
+		"-drive", "if=virtio,format=raw,snapshot=on,cache=unsafe,file=core/smalltown.img",
+		"-netdev", qemuValueToOption("user", qemuNetConfig),
+		"-device", "virtio-net-pci,netdev=net0",
+		"-chardev", "socket,id=chrtpm,path=" + tpmSocketPath,
+		"-tpmdev", "emulator,id=tpm0,chardev=chrtpm",
+		"-device", "tpm-tis,tpmdev=tpm0",
+		"-device", "virtio-rng-pci",
+		"-serial", "stdio"}
+
+	if !options.AllowReboot {
+		qemuArgs = append(qemuArgs, "-no-reboot")
+	}
+
+	tpmCtx, tpmStop := context.WithCancel(
+		ctx)
+	tpmEmuCmd := exec.CommandContext(tpmCtx, "swtpm", "socket", "--tpm2", "--tpmstate", "dir="+tpmTargetDir, "--ctrl", "type=unixio,path="+tpmSocketPath)
+	systemCmd := exec.CommandContext(ctx, "qemu-system-x86_64", qemuArgs...)
+
+	tpmEmuCmd.Stderr = os.Stderr
+	tpmEmuCmd.Stdout = os.Stdout
+	systemCmd.Stderr = os.Stderr
+	systemCmd.Stdout = os.Stdout
+	go tpmEmuCmd.Run()
+	err = systemCmd.Run()
+	tpmStop()
+	return err
+}
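Review bot: The hostfwd rule built in toQemuForwards (line 282) omits the host address, so QEMU binds each forwarded port on all host interfaces by default, exposing the VM's debug service (which issues kubeconfigs for arbitrary identities) and the Kubernetes API to anything that can reach the test host, while DialGRPC only ever dials `localhost`; pin the forwards to loopback with `fmt.Sprintf("tcp:127.0.0.1:%v-:%v", hostPort, vmPort)`. Separately, `os.Mkdir(tpmTargetDir, 0644)` creates a directory without the execute bit, so the subsequent copyFile calls into it fail with EACCES for any non-root user; use `0700`, which also keeps the copied TPM state private. Finally, `go tpmEmuCmd.Run()` discards swtpm's exit error and is never waited on, so a swtpm startup failure only surfaces as an opaque QEMU chardev connect error and the deferred `os.RemoveAll(tempDir)` can run while swtpm is still writing its state; send the Run() error on a channel and receive from it after `tpmStop()` before returning.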