Bundle internal binaries when available and add IT cases (#3627)

jupdec · web-flow · commit 937fc9d0702a · 2026-04-08T22:37:00.000-07:00
* Update flag to bundle internal binarues and add IT cases

* fix format

* update COPY_INTERNAL_PLUGINS default to false

* re-arrange imports

* Remove docker wildcard as it has caused issues with packaging binaries

* fix trailing space

* update test to annotate the pod with bw limits

* remove flag dependency in image build

* Add core plugins test to cni release test suite
diff --git a/scripts/dockerfiles/Dockerfile.init b/scripts/dockerfiles/Dockerfile.init
@@ -18,7 +18,7 @@ FROM $base_image
 WORKDIR /init
 
 COPY --from=builder \
-    /go/src/github.com/aws/amazon-vpc-cni-k8s/core-plugins/* \
+    /go/src/github.com/aws/amazon-vpc-cni-k8s/core-plugins/ \
     /go/src/github.com/aws/amazon-vpc-cni-k8s/aws-cni-support.sh \
     /go/src/github.com/aws/amazon-vpc-cni-k8s/aws-vpc-cni-init /init/
 
diff --git a/scripts/run-cni-release-tests.sh b/scripts/run-cni-release-tests.sh
@@ -49,6 +49,12 @@ function run_integration_test() {
   START=$SECONDS
   cd $INTEGRATION_TEST_DIR/metrics-helper && CGO_ENABLED=0 ginkgo $EXTRA_GINKGO_FLAGS -v -timeout 15m --no-color --fail-on-pending -- --cluster-kubeconfig="$KUBECONFIG" --cluster-name="$CLUSTER_NAME" --aws-region="$REGION" --aws-vpc-id="$VPC_ID" --ng-name-label-key="$NG_LABEL_KEY" --ng-name-label-val="$NG_LABEL_VAL" --cni-metrics-helper-image-repo=$REPO_NAME --cni-metrics-helper-image-tag=$TAG --test-image-registry=$TEST_IMAGE_REGISTRY || TEST_RESULT=fail
   echo "cni-metrics-helper test took $((SECONDS - START)) seconds."
+
+  echo "Running core plugins integration tests"
+  START=$SECONDS
+  cd $INTEGRATION_TEST_DIR/core-plugins && CGO_ENABLED=0 ginkgo $EXTRA_GINKGO_FLAGS -v -timeout 60m --no-color --fail-on-pending -- --cluster-kubeconfig="$KUBECONFIG" --cluster-name="$CLUSTER_NAME" --aws-region="$REGION" --aws-vpc-id="$VPC_ID" --ng-name-label-key="$NG_LABEL_KEY" --ng-name-label-val="$NG_LABEL_VAL" --test-image-registry=$TEST_IMAGE_REGISTRY || TEST_RESULT=fail
+  echo "core plugins test took $((SECONDS - START)) seconds."
+
   if [[ "$TEST_RESULT" == fail ]]; then
       echo "Integration test failed."
       exit 1
diff --git a/test/framework/resources/k8s/manifest/deployment.go b/test/framework/resources/k8s/manifest/deployment.go
@@ -28,6 +28,7 @@ type DeploymentBuilder struct {
 	replicas               int
 	container              corev1.Container
 	labels                 map[string]string
+	annotations            map[string]string
 	nodeSelector           map[string]string
 	terminationGracePeriod int
 	nodeName               string
@@ -111,6 +112,14 @@ func (d *DeploymentBuilder) PodLabel(labelKey string, labelValue string) *Deploy
 	return d
 }
 
+func (d *DeploymentBuilder) PodAnnotation(key string, value string) *DeploymentBuilder {
+	if d.annotations == nil {
+		d.annotations = map[string]string{}
+	}
+	d.annotations[key] = value
+	return d
+}
+
 func (d *DeploymentBuilder) HostNetwork(hostNetwork bool) *DeploymentBuilder {
 	d.hostNetwork = hostNetwork
 	return d
@@ -136,7 +145,8 @@ func (d *DeploymentBuilder) Build() *v1.Deployment {
 			},
 			Template: corev1.PodTemplateSpec{
 				ObjectMeta: metav1.ObjectMeta{
-					Labels: d.labels,
+					Labels:      d.labels,
+					Annotations: d.annotations,
 				},
 				Spec: corev1.PodSpec{
 					HostNetwork:                   d.hostNetwork,
diff --git a/test/integration/core-plugins/core_plugins_suite_test.go b/test/integration/core-plugins/core_plugins_suite_test.go
@@ -0,0 +1,44 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//     http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package core_plugins
+
+import (
+	"testing"
+
+	"github.com/aws/amazon-vpc-cni-k8s/test/framework"
+	"github.com/aws/amazon-vpc-cni-k8s/test/framework/utils"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var f *framework.Framework
+
+func TestCorePlugins(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "CNI Init Container Core Plugins Suite")
+}
+
+var _ = BeforeSuite(func() {
+	f = framework.New(framework.GlobalOptions)
+
+	By("creating test namespace")
+	f.K8sResourceManagers.NamespaceManager().CreateNamespace(utils.DefaultTestNamespace)
+})
+
+var _ = AfterSuite(func() {
+	By("deleting test namespace")
+	f.K8sResourceManagers.NamespaceManager().
+		DeleteAndWaitTillNamespaceDeleted(utils.DefaultTestNamespace)
+})
diff --git a/test/integration/core-plugins/core_plugins_test.go b/test/integration/core-plugins/core_plugins_test.go
@@ -0,0 +1,128 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//     http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package core_plugins
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/aws/amazon-vpc-cni-k8s/test/framework/resources/k8s/manifest"
+	k8sUtils "github.com/aws/amazon-vpc-cni-k8s/test/framework/resources/k8s/utils"
+	"github.com/aws/amazon-vpc-cni-k8s/test/framework/utils"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+const (
+	awsNodeLabelKey = "k8s-app"
+	cniBinPath      = "/host/opt/cni/bin"
+)
+
+// expectedCorePlugins lists all containernetworking/plugins binaries shipped
+// in the amazon-k8s-cni-init image via core-plugins/binaries/.
+var expectedCorePlugins = []string{
+	"bandwidth",
+	"bridge",
+	"dhcp",
+	"dummy",
+	"firewall",
+	"host-device",
+	"host-local",
+	"ipvlan",
+	"loopback",
+	"macvlan",
+	"portmap",
+	"ptp",
+	"sbr",
+	"static",
+	"tap",
+	"tuning",
+	"vlan",
+	"vrf",
+}
+
+var _ = Describe("CNI init container core plugins", func() {
+	It("all core plugins should be present with executable permissions", func() {
+		By("getting an aws-node pod")
+		podList, err := f.K8sResourceManagers.PodManager().
+			GetPodsWithLabelSelector(awsNodeLabelKey, utils.AwsNodeName)
+		Expect(err).ToNot(HaveOccurred())
+		Expect(podList.Items).ToNot(BeEmpty(), "expected at least one aws-node pod")
+
+		pod := podList.Items[0]
+		By(fmt.Sprintf("checking core plugin executability on node %s via pod %s", pod.Spec.NodeName, pod.Name))
+
+		var failures []string
+		for _, plugin := range expectedCorePlugins {
+			p := fmt.Sprintf("%s/%s", cniBinPath, plugin)
+			// Invoke the binary directly; CNI plugins print version info on
+			// stdin-EOF and exit 0 or 1, but the exec itself will fail with a
+			// clear error if the file is missing or not executable.
+			cmd := []string{p}
+			_, _, err := f.K8sResourceManagers.PodManager().
+				PodExecWithContainer(pod.Namespace, pod.Name, "aws-node", cmd)
+			if err != nil {
+				errMsg := err.Error()
+				if strings.Contains(errMsg, "not found") || strings.Contains(errMsg, "no such file") {
+					failures = append(failures, fmt.Sprintf("MISSING: %s", plugin))
+				} else if strings.Contains(errMsg, "permission denied") {
+					failures = append(failures, fmt.Sprintf("NOT_EXEC: %s", plugin))
+				}
+				// Other errors (e.g. non-zero exit) are expected — the binary
+				// exists and is executable but needs CNI_COMMAND env, so ignore.
+			}
+		}
+		Expect(failures).To(BeEmpty(),
+			fmt.Sprintf("core plugin issues found:\n%s", strings.Join(failures, "\n")))
+	})
+
+	Context("when ENABLE_BANDWIDTH_PLUGIN is enabled", func() {
+		AfterEach(func() {
+			By("disabling ENABLE_BANDWIDTH_PLUGIN")
+			k8sUtils.RemoveVarFromDaemonSetAndWaitTillUpdated(f,
+				utils.AwsNodeName, utils.AwsNodeNamespace, utils.AwsNodeName,
+				map[string]struct{}{
+					"ENABLE_BANDWIDTH_PLUGIN": {},
+				})
+		})
+
+		It("pods should reach Running state", func() {
+			By("enabling ENABLE_BANDWIDTH_PLUGIN on aws-node daemonset")
+			k8sUtils.AddEnvVarToDaemonSetAndWaitTillUpdated(f,
+				utils.AwsNodeName, utils.AwsNodeNamespace, utils.AwsNodeName,
+				map[string]string{
+					"ENABLE_BANDWIDTH_PLUGIN": "true",
+				})
+
+			By("creating a deployment to verify pods can start")
+			deployment := manifest.NewBusyBoxDeploymentBuilder(f.Options.TestImageRegistry).
+				Replicas(3).
+				PodLabel("app", "bandwidth-test").
+				PodAnnotation("kubernetes.io/ingress-bandwidth", "10M").
+				PodAnnotation("kubernetes.io/egress-bandwidth", "10M").
+				Build()
+
+			deployment, err := f.K8sResourceManagers.DeploymentManager().
+				CreateAndWaitTillDeploymentIsReady(deployment, utils.DefaultDeploymentReadyTimeout)
+			Expect(err).ToNot(HaveOccurred(),
+				"pods failed to reach Running state with ENABLE_BANDWIDTH_PLUGIN=true")
+
+			By("deleting the test deployment")
+			err = f.K8sResourceManagers.DeploymentManager().
+				DeleteAndWaitTillDeploymentIsDeleted(deployment)
+			Expect(err).ToNot(HaveOccurred())
+		})
+	})
+})
