This houses an integration test that will:
- Create a BYOVPC with an AWS Network Firewall blocking quay.io following this architecture: https://docs.aws.amazon.com/network-firewall/latest/developerguide/arch-igw-ngw.html.
- Run osd-network-verifier's egress check. It should run using the pre-pulled AMI and be able to validate that quay.io is blocked even though it cannot pull the desired container image hosted on quay.io.
- Delete the BYOVPC and AWS Network Firewall created in step 1
You can consider this test "passed" if no runtime errors occur and the output contains something along the lines of the following blurb.
printing out failures:
- egressURL error: cdn03.quay.io:443
- egressURL error: cdn01.quay.io:443
- egressURL error: cdn02.quay.io:443
- egressURL error: quay.io:443
It can be run with AWS credentials setup as environment variables beforehand, e.g.
DEV_ACCOUNT_ID=""
REGION=""
PROBE="curl" # or "legacy"
export $(osdctl account cli -i ${DEV_ACCOUNT_ID}-p osd-staging-2 -r ${REGION} -oenv | xargs)
go build .
./integration --region=$REGION --probe=$PROBEOr with a profile:
go build .
./integration --region=$REGION --probe=$PROBE --profile=$PROFILEOther flags include:
--probe: select which Probe to use (e.g., "curl" or "legacy") (mandatory)--debug: enable verbose logging--platform: set the value toPlatformthat's passed intoValidateEgress()(default: "aws")--create-only: only create infrastructure without deleting it or running the egress test--delete-only: delete infrastructure left behind by a failed test (or by the above option) without running the egress test
TODO: Create a minimal IAM policy. The required permissions are laid out in:
pkg/aws/ec2.go, pkg/aws/networkfirewall.go, and pkg/aws/resourcegroupstaggingapi.go.
If this hasn't been run a while, you will probably want to bump the dependency on ONV via
go get -u github.com/openshift/osd-network-verifier