in agent/engine/serviceconnect/manager_linux_test_common.go [126:294]
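// testAgentContainerModificationsForServiceConnect drives AugmentTaskContainer
// over every container of an awsvpc Service Connect task and checks what the
// manager adds to the Service Connect container (image, bind mounts,
// environment, runtime admin socket/stats/drain config) and that all other
// containers of the task come out unmodified.
//
// privilegedMode selects the real mkdirAllAndChown hook and additionally
// verifies, on disk, the mode (0700) and owner (AppNetUID) of the bind-mount
// directories the manager creates under the test's temp dir. In unprivileged
// mode the hook is replaced by mockMkdirAllAndChown and no on-disk permission
// checks are made.
//
// Subtest names are unique (the iso-region cases carry their region) so a
// failing case can be selected with -run without relying on #NN suffixes.
func testAgentContainerModificationsForServiceConnect(t *testing.T, privilegedMode bool) {
	backupMkdirAllAndChown := mkdirAllAndChown
	if !privilegedMode {
		mkdirAllAndChown = mockMkdirAllAndChown
	}
	// mkdirAllAndChown is package-level state shared by other tests: restore it
	// even when an assertion below fails the test early.
	defer func() { mkdirAllAndChown = backupMkdirAllAndChown }()
	// The testing package removes this directory when the test completes.
	tempDir := t.TempDir()

	scTask, _, serviceConnectContainer := getAWSVPCTask(t)
	taskID := scTask.GetID()

	const (
		expectedImage = "container:interface-v1"
		pkiBind       = "/etc/pki:/etc/pki"
		// Only the region segment differs between the valid container-instance ARNs.
		arnForRegionFmt = "arn:aws:ecs:%s:123456789012:container-instance/12345678-test-test-test-123456789012"
	)
	statusSocketPath := fmt.Sprintf("%s/status/%s/%s", tempDir, taskID, "status_file_of_holiness")
	expectedBinds := []string{
		fmt.Sprintf("%s/status/%s:%s", tempDir, taskID, "/some/other/run"),
		fmt.Sprintf("%s/relay:%s", tempDir, "/not/var/run"),
		fmt.Sprintf("%s/log/%s:%s", tempDir, taskID, "/some/other/log"),
	}
	expectedENVs := map[string]string{
		"ReLaYgOeShErE":                "unix:///not/var/run/relay_file_of_holiness",
		"StAtUsGoEsHeRe":               "/some/other/run/status_file_of_holiness",
		"APPNET_AGENT_ADMIN_MODE":      "uds",
		"ENVOY_ENABLE_IAM_AUTH_FOR_XDS": "0",
		"APPNET_ENVOY_LOG_DESTINATION": "/some/other/log",
	}

	type testCase struct {
		name                 string
		container            *apicontainer.Container
		expectedENV          map[string]string
		expectedBinds        []string
		expectedBindDirPerm  string
		expectedBindDirOwner uint32
		containerInstanceARN string
	}

	// The Service Connect container cases differ only in the container-instance
	// ARN and in whether the region is expected to receive the /etc/pki mount
	// (iso, unknown and invalid regions do; commercial, gov and China do not).
	scCases := []struct {
		name      string
		arn       string
		expectPKI bool
	}{
		{"Commercial region has no /etc/pki mount.", fmt.Sprintf(arnForRegionFmt, "us-west-2"), false},
		{"US gov region has no /etc/pki mount.", fmt.Sprintf(arnForRegionFmt, "us-gov-west-1"), false},
		{"China region has no /etc/pki mount.", fmt.Sprintf(arnForRegionFmt, "cn-north-1"), false},
		{"Iso region (us-iso-east-1) gets extra /etc/pki bind mount.", fmt.Sprintf(arnForRegionFmt, "us-iso-east-1"), true},
		{"Iso region (eu-isoe-west-1) gets extra /etc/pki bind mount.", fmt.Sprintf(arnForRegionFmt, "eu-isoe-west-1"), true},
		{"Iso region (us-isof-south-1) gets extra /etc/pki bind mount.", fmt.Sprintf(arnForRegionFmt, "us-isof-south-1"), true},
		{"Unknown region gets /etc/pki bind mount.", fmt.Sprintf(arnForRegionFmt, "ap-iso-southeast-1"), true},
		{"Invalid region gets /etc/pki bind mount.", "foo-bar-invalid-arn", true},
	}
	testcases := make([]testCase, 0, len(scCases)+len(scTask.Containers))
	for _, c := range scCases {
		binds := expectedBinds
		if c.expectPKI {
			// Copy before appending so the shared base slice is never aliased.
			binds = append(append([]string{}, expectedBinds...), pkiBind)
		}
		testcases = append(testcases, testCase{
			name:                 "Service connect container has extra binds/ENV. " + c.name,
			container:            serviceConnectContainer,
			expectedENV:          copyMap(expectedENVs, "ECS_CONTAINER_INSTANCE_ARN", c.arn),
			expectedBinds:        binds,
			expectedBindDirPerm:  fs.FileMode(0700).String(),
			expectedBindDirOwner: serviceconnect.AppNetUID,
			containerInstanceARN: c.arn,
		})
	}
	// Every other container in the task must come out with no binds and no ENV.
	for _, container := range scTask.Containers {
		if container != serviceConnectContainer {
			testcases = append(testcases, testCase{name: container.Name, container: container, expectedENV: map[string]string{}})
		}
	}

	scManager := &manager{
		relayPathContainer:      "/not/var/run",
		relayPathHost:           filepath.Join(tempDir, "relay"),
		relayFileName:           "relay_file_of_holiness",
		endpointENV:             "ReLaYgOeShErE",
		statusPathContainer:     "/some/other/run",
		statusPathHostRoot:      filepath.Join(tempDir, "status"),
		statusFileName:          "status_file_of_holiness",
		statusENV:               "StAtUsGoEsHeRe",
		adminStatsRequest:       "/give?stats",
		adminDrainRequest:       "/do?drain",
		agentContainerImageName: "container",
		appnetInterfaceVersion:  "v1",
		logPathContainer:        "/some/other/log",
		logPathHostRoot:         filepath.Join(tempDir, "log"),
	}

	for _, tc := range testcases {
		t.Run(tc.name, func(t *testing.T) {
			hostConfig := &dockercontainer.HostConfig{}
			scManager.containerInstanceARN = tc.containerInstanceARN
			err := scManager.AugmentTaskContainer(scTask, tc.container, hostConfig,
				ipcompatibility.NewIPv4OnlyCompatibility())
			if err != nil {
				t.Fatal(err)
			}
			assert.ElementsMatch(t, tc.expectedBinds, hostConfig.Binds)
			// serviceConnectContainer is shared across the Service Connect cases,
			// so each expected ENV map is the complete set, with the ARN entry
			// overwritten per case by AugmentTaskContainer.
			assert.Equal(t, tc.expectedENV, tc.container.Environment)
			if privilegedMode {
				for _, bind := range hostConfig.Binds {
					hostDir := strings.Split(bind, ":")[0]
					// The manager's relay/status/log roots all live under tempDir;
					// a pass-through host mount such as /etc/pki is neither created
					// nor chowned by it, so only tempDir-rooted binds are inspected.
					if !strings.HasPrefix(hostDir, tempDir) {
						continue
					}
					dirStat, err := os.Stat(hostDir)
					if !assert.NoError(t, err) {
						continue
					}
					assert.Equal(t, tc.expectedBindDirPerm, dirStat.Mode().Perm().String(),
						fmt.Sprintf("directory %s should have mode %s", hostDir, tc.expectedBindDirPerm))
					st, ok := dirStat.Sys().(*syscall.Stat_t)
					if !ok {
						t.Fatalf("unexpected Stat Sys() type %T for %s", dirStat.Sys(), hostDir)
					}
					assert.Equal(t, tc.expectedBindDirOwner, st.Uid)
				}
			}
		})
	}

	assert.Equal(t, expectedImage, serviceConnectContainer.Image)
	assert.Equal(t, statusSocketPath, scTask.ServiceConnectConfig.RuntimeConfig.AdminSocketPath)
	assert.Equal(t, "/give?stats", scTask.ServiceConnectConfig.RuntimeConfig.StatsRequest)
	assert.Equal(t, "/do?drain", scTask.ServiceConnectConfig.RuntimeConfig.DrainRequest)
	// The accessor must report the same runtime config as the raw field.
	config := scTask.GetServiceConnectRuntimeConfig()
	assert.Equal(t, statusSocketPath, config.AdminSocketPath)
	assert.Equal(t, "/give?stats", config.StatsRequest)
	assert.Equal(t, "/do?drain", config.DrainRequest)
}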