test,e2e: CUDN CRD CEL validation tests

Introduce tests for CUDN CRD  CEL validations, consist of two tests:
1. Positive test verifies various valid CRs created successfully.
   Apply the YAMLs defined in "test/e2e/testdata/cudn"
   Expect no error to have occurred.
2. Negative test verifies invalid CRs get rejected by the API server.
   Apply the YAMLs defined in "test/e2e/testdata/cudn"
   Expect failure with the expected error.

Signed-off-by: Or Mergi <[email protected]>

Author: ormergi

test/e2e/network_segmentation_api_validations.go

@@ -0,0 +1,62 @@
+package e2e
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	e2ekubectl "k8s.io/kubernetes/test/e2e/framework/kubectl"
+
+	"github.com/ovn-org/ovn-kubernetes/test/e2e/testdata"
+	testdatacudn "github.com/ovn-org/ovn-kubernetes/test/e2e/testdata/cudn"
+)
+
+var _ = Describe("Network Segmentation: API validations", func() {
+	DescribeTable("api-server should reject invalid CRs",
+		func(scenarios []testdata.ValidateCRScenario) {
+			DeferCleanup(func() {
+				cleanupValidateCRsTest(scenarios)
+			})
+			for _, s := range scenarios {
+				By(s.Description)
+				_, stderr, err := runKubectlInputWithFullOutput("", s.Manifest, "create", "-f", "-")
+				Expect(err).To(HaveOccurred(), "should fail to create invalid CR")
+				Expect(stderr).To(ContainSubstring(s.ExpectedErr))
+			}
+		},
+		Entry("ClusterUserDefinedNetwork, mismatch topology and config", testdatacudn.MismatchTopologyConfig),
+		Entry("ClusterUserDefinedNetwork, localnet, invalid role", testdatacudn.LocalnetInvalidRole),
+		Entry("ClusterUserDefinedNetwork, localnet, invalid physicalNetworkName", testdatacudn.LocalnetInvalidPhyNetName),
+		Entry("ClusterUserDefinedNetwork, localnet, invalid subnets", testdatacudn.LocalnetInvalidSubnets),
+		Entry("ClusterUserDefinedNetwork, localnet, invalid mtu", testdatacudn.LocalnetInvalidMTU),
+		Entry("ClusterUserDefinedNetwork, localnet, invalid vlan", testdatacudn.LocalnetInvalidVLAN),
+	)
+
+	DescribeTable("api-server should accept valid CRs",
+		func(scenarios []testdata.ValidateCRScenario) {
+			DeferCleanup(func() {
+				cleanupValidateCRsTest(scenarios)
+			})
+			for _, s := range scenarios {
+				By(s.Description)
+				_, err := e2ekubectl.RunKubectlInput("", s.Manifest, "apply", "-f", "-")
+				Expect(err).NotTo(HaveOccurred(), "should create valid CR successfully")
+			}
+		},
+		Entry("ClusterUserDefinedNetwork, localnet", testdatacudn.LocalnetValid),
+	)
+})
+
+// runKubectlInputWithFullOutput is a convenience wrapper over kubectlBuilder that takes input to stdin
+// It will also return the command's stderr.
+func runKubectlInputWithFullOutput(namespace string, data string, args ...string) (string, string, error) {
+	return e2ekubectl.NewKubectlCommand(namespace, args...).WithStdinData(data).ExecWithFullOutput()
+}
+
+func cleanupValidateCRsTest(scenarios []testdata.ValidateCRScenario) {
+	for _, s := range scenarios {
+		e2ekubectl.RunKubectlInput("", s.Manifest, "delete", "-f", "-")
+	}
+	_, stderr, err := e2ekubectl.RunKubectlWithFullOutput("", "get", "clusteruserdefinednetworks")
+	Expect(err).NotTo(HaveOccurred())
+	Expect(stderr).To(Equal("No resources found\n"))
+}

test/e2e/testdata/cudn/invalid-scenarios-localnet-mtu.go

@@ -0,0 +1,82 @@
+package cudn
+
+import "github.com/ovn-org/ovn-kubernetes/test/e2e/testdata"
+
+var LocalnetInvalidMTU = []testdata.ValidateCRScenario{
+	{
+		Description: "invalid MTU - higher than 65536",
+		ExpectedErr: `spec.network.localnet.mtu in body should be less than or equal to 65536`,
+		Manifest: `
+apiVersion: k8s.ovn.org/v1
+kind: ClusterUserDefinedNetwork
+metadata:
+  name: localnet-mtu-exceed-max-ipam-disabled-fail
+spec:
+  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
+  network:
+    topology: Localnet
+    localnet:
+      role: Secondary
+      physicalNetworkName: test
+      mtu: 65537
+      ipam: {mode: Disabled}
+`,
+	},
+	{
+		Description: "invalid MTU - lower than 576",
+		ExpectedErr: `spec.network.localnet.mtu in body should be greater than or equal to 576`,
+		Manifest: `
+apiVersion: k8s.ovn.org/v1
+kind: ClusterUserDefinedNetwork
+metadata:
+  name: localnet-ipv4-mtu-below-min-fail
+spec:
+  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
+  network:
+    topology: Localnet
+    localnet:
+      role: Secondary
+      physicalNetworkName: test
+      subnets: [10.0.0.0/24]
+      mtu: 575
+`,
+	},
+	{
+		Description: "invalid MTU - when IPv6 subnet is set, should be at least 1280",
+		ExpectedErr: `MTU should be greater than or equal to 1280 when an IPv6 subnet is used`,
+		Manifest: `
+apiVersion: k8s.ovn.org/v1
+kind: ClusterUserDefinedNetwork
+metadata:
+  name: localnet-ipv6-mtu-below-min-fail
+spec:
+  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
+  network:
+    topology: Localnet
+    localnet:
+      role: Secondary
+      physicalNetworkName: test
+      subnets: [2001:dbb::/64]
+      mtu: 1279
+`,
+	},
+	{
+		Description: "invalid MTU - when dualstack subnet is set, should be at least 1280",
+		ExpectedErr: `MTU should be greater than or equal to 1280 when an IPv6 subnet is used`,
+		Manifest: `
+apiVersion: k8s.ovn.org/v1
+kind: ClusterUserDefinedNetwork
+metadata:
+  name: localnet-dualstack-mtu-below-min-fail
+spec:
+  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
+  network:
+    topology: Localnet
+    localnet:
+      role: Secondary
+      physicalNetworkName: test
+      subnets: [192.168.0.0/16, 2001:dbb::/64]
+      mtu: 1279
+`,
+	},
+}

test/e2e/testdata/cudn/invalid-scenarios-localnet-phynetname.go

@@ -0,0 +1,161 @@
+package cudn
+
+import "github.com/ovn-org/ovn-kubernetes/test/e2e/testdata"
+
+var LocalnetInvalidPhyNetName = []testdata.ValidateCRScenario{
+	{
+		Description: "unset PhysicalNetworkName",
+		ExpectedErr: `spec.network.localnet.physicalNetworkName: Required value`,
+		Manifest: `
+apiVersion: k8s.ovn.org/v1
+kind: ClusterUserDefinedNetwork
+metadata:
+  name: localnet-phynetname-unset-fail
+spec:
+  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
+  network:
+    topology: Localnet
+    localnet:
+      role: Secondary
+      subnets: [10.0.0.0/24]`,
+	},
+	{
+		Description: "invalid PhysicalNetworkName - empty string",
+		ExpectedErr: `spec.network.localnet.physicalNetworkName in body should be at least 1 chars long`,
+		Manifest: `
+apiVersion: k8s.ovn.org/v1
+kind: ClusterUserDefinedNetwork
+metadata:
+  name: localnet-invalid-phynetname-empty-string-fail
+spec:
+  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
+  network:
+    topology: Localnet
+    localnet:
+      role: Secondary
+      physicalNetworkName: ""
+      subnets: [10.0.0.0/24]`,
+	},
+	{
+		Description: "invalid PhysicalNetworkName - too long",
+		ExpectedErr: `spec.network.localnet.physicalNetworkName: Too long: may not be more than 253 bytes`,
+		Manifest: `
+apiVersion: k8s.ovn.org/v1
+kind: ClusterUserDefinedNetwork
+metadata:
+  name: localnet-invalid-phynetname-exceed-253-chars-fail
+spec:
+  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
+  network:
+    topology: Localnet
+    localnet:
+      role: Secondary
+      physicalNetworkName: "ycx7b6dhkhytzva3wrma0cu6mjhqpo2ty20cmpdg9ptvmt1mo9dfnrs56nr0bvg6z6zha5y208js6e2iwk6xb97sp2sojg48lu9d5vxbzzq40rwj1wchae3ju3dpj6qfsjbzjzmc0k489bloe49z4857kds43rqpeca3p5z2dfz562qu59qqb8qa3vo6pmwuaume581dqhlsz57yvbvgu5hmmmzremac7w7l4rmuirkk91767llw0vskanlc33"
+      subnets: [10.0.0.0/24]`,
+	},
+	{
+		Description: "invalid PhysicalNetworkName - contain `:` chars",
+		ExpectedErr: "physicalNetworkName cannot contain `,` or `:` characters",
+		Manifest: `
+apiVersion: k8s.ovn.org/v1
+kind: ClusterUserDefinedNetwork
+metadata:
+  name: localnet-invalid-phynetname-has-colon-fail
+spec:
+  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
+  network:
+    topology: Localnet
+    localnet:
+      role: Secondary
+      physicalNetworkName: "t:est"
+      subnets: [10.0.0.0/24]`,
+	},
+	{
+		Description: "invalid PhysicalNetworkName - contain `,` chars",
+		ExpectedErr: "physicalNetworkName cannot contain `,` or `:` characters",
+		Manifest: `
+apiVersion: k8s.ovn.org/v1
+kind: ClusterUserDefinedNetwork
+metadata:
+  name: localnet-invalid-phynetname-has-comma-fail
+spec:
+  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
+  network:
+    topology: Localnet
+    localnet:
+      role: Secondary
+      physicalNetworkName: "tes,t"
+      subnets: [10.0.0.0/24]
+`,
+	},
+	{
+		Description: "invalid PhysicalNetworkName - start with `:` char",
+		ExpectedErr: "physicalNetworkName cannot contain `,` or `:` characters",
+		Manifest: `
+apiVersion: k8s.ovn.org/v1
+kind: ClusterUserDefinedNetwork
+metadata:
+  name: localnet-invalid-phynetname-start-with-colon-fail
+spec:
+  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
+  network:
+    topology: Localnet
+    localnet:
+      role: Secondary
+      physicalNetworkName: ":test"
+      subnets: [10.0.0.0/24]
+`,
+	},
+	{
+		Description: "invalid PhysicalNetworkName - start with `,` char",
+		Manifest: `
+apiVersion: k8s.ovn.org/v1
+kind: ClusterUserDefinedNetwork
+metadata:
+  name: localnet-invalid-phynetname-start-with-comma-fail
+spec:
+  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
+  network:
+    topology: Localnet
+    localnet:
+      role: Secondary
+      physicalNetworkName: ",test"
+      subnets: [10.0.0.0/24]
+`,
+		ExpectedErr: "physicalNetworkName cannot contain `,` or `:` characters",
+	},
+	{
+		Description: "invalid PhysicalNetworkName - ends with `:` char",
+		ExpectedErr: "physicalNetworkName cannot contain `,` or `:` characters",
+		Manifest: `
+apiVersion: k8s.ovn.org/v1
+kind: ClusterUserDefinedNetwork
+metadata:
+  name: localnet-invalid-phynetname-end-with-colon-fail
+spec:
+  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
+  network:
+    topology: Localnet
+    localnet:
+      role: Secondary
+      physicalNetworkName: "test:"
+      subnets: [10.0.0.0/24]`,
+	},
+	{
+		Description: "invalid PhysicalNetworkName - ends with `,` char",
+		ExpectedErr: "physicalNetworkName cannot contain `,` or `:` characters",
+		Manifest: `
+apiVersion: k8s.ovn.org/v1
+kind: ClusterUserDefinedNetwork
+metadata:
+  name: localnet-invalid-phynetname-end-with-comma-fail
+spec:
+  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
+  network:
+    topology: Localnet
+    localnet:
+      role: Secondary
+      physicalNetworkName: "test,"
+      subnets: [10.0.0.0/24]`,
+	},
+}

test/e2e/testdata/cudn/invalid-scenarios-localnet-role.go

@@ -0,0 +1,40 @@
+package cudn
+
+import "github.com/ovn-org/ovn-kubernetes/test/e2e/testdata"
+
+var LocalnetInvalidRole = []testdata.ValidateCRScenario{
+	{
+		Description: "role unset",
+		ExpectedErr: `spec.network.localnet.role: Required value`,
+		Manifest: `
+apiVersion: k8s.ovn.org/v1
+kind: ClusterUserDefinedNetwork
+metadata:
+  name: localnet-role-unset-should-fail
+spec:
+  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
+  network:
+    topology: Localnet
+    localnet:
+      physicalNetworkName: test
+      subnets: [10.0.0.0/24]`,
+	},
+	{
+		Description: "role is primary",
+		ExpectedErr: `spec.network.localnet.role: Unsupported value: "Primary": supported values: "Secondary"`,
+		Manifest: `
+---
+apiVersion: k8s.ovn.org/v1
+kind: ClusterUserDefinedNetwork
+metadata:
+  name: localnet-role-primary-should-fail
+spec:
+  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
+  network:
+    topology: Localnet
+    localnet:
+      role: Primary
+      physicalNetworkName: test
+      subnets: [10.0.0.0/24]`,
+	},
+}