func TestPodUsesNonExistingService(t *testing.T) {
	kube := mocks.NewKubeClient()

	client := new(contrail_mocks.ApiClient)
	client.Init()

	client.AddInterceptor("virtual-machine-interface", &VmiInterceptor{})
	client.AddInterceptor("virtual-network", &NetworkInterceptor{})

	allocator := new(mocks.AddressAllocator)

	controller := NewTestController(kube, client, allocator, nil)

	pod1 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "test-xz1",
			Namespace: "testns",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"name": "testpod",
				"uses": "nonexisting",
			},
		},
	}

	netnsProject := new(types.Project)
	netnsProject.SetFQName("", []string{"default-domain", "testns"})
	client.Create(netnsProject)

	allocator.On("LocateIpAddress", string(pod1.ObjectMeta.UID)).Return("10.0.0.1", nil)
	allocator.On("ReleaseIpAddress", string(pod1.ObjectMeta.UID)).Return()
	kube.PodInterface.On("Update", pod1).Return(pod1, nil)

	shutdown := make(chan struct{})
	go controller.Run(shutdown)

	controller.AddPod(pod1)
	time.Sleep(100 * time.Millisecond)

	_, err := types.NetworkPolicyByName(client, "default-domain:testns:nonexisting")
	assert.NoError(t, err)

	_, err = types.VirtualNetworkByName(client, "default-domain:testns:testpod")
	assert.NoError(t, err)

	controller.DeletePod(pod1)
	time.Sleep(100 * time.Millisecond)
	type shutdownMsg struct {
	}
	shutdown <- shutdownMsg{}

	_, err = types.VirtualNetworkByName(client, "default-domain:testns:testpod")
	assert.Error(t, err)

	_, err = types.NetworkPolicyByName(client, "default-domain:testns:nonexisting")
	assert.Error(t, err)

	allocator.AssertExpectations(t)
}
func (c *consistencyChecker) globalNetworkCheckPolicyAttachment(network *types.VirtualNetwork) bool {
	policyName := makeGlobalNetworkPolicyName(c.config, network.GetFQName())
	policy, err := types.NetworkPolicyByName(c.client, strings.Join(policyName, ":"))
	if err != nil {
		glog.V(3).Infof("No network policy for %s", network.GetName())
		return true
	}
	policyRefs, err := network.GetNetworkPolicyRefs()
	if err != nil {
		glog.Error(err)
		return true
	}

	for _, ref := range policyRefs {
		if ref.Uuid == policy.GetUuid() {
			glog.V(5).Infof("Network %s attached to %s", network.GetName(), policy.GetUuid())
			return true
		}
	}

	err = policyAttach(c.client, network, policy)
	if err != nil {
		glog.Error(err)
	} else {
		glog.Infof("attached global network %s to policy", strings.Join(network.GetFQName(), ":"))
	}
	return false
}
func (m *NetworkManagerImpl) locatePolicy(targetName []string) (*types.NetworkPolicy, error) {
	policyName := makeGlobalNetworkPolicyName(m.config, targetName)
	policy, err := types.NetworkPolicyByName(m.client, strings.Join(policyName, ":"))
	if err != nil {
		policy = new(types.NetworkPolicy)
		policy.SetFQName("project", policyName)
		err = m.client.Create(policy)
	}
	return policy, err
}
Beispiel #4
0
func (m *ServiceManagerImpl) releasePolicyIfEmpty(tenant, serviceName string) (*types.NetworkPolicy, error) {
	policyName := makeServicePolicyName(m.config, tenant, serviceName)
	policy, err := types.NetworkPolicyByName(m.client, strings.Join(policyName, ":"))
	if err != nil {
		return nil, nil
	}
	refs, err := policy.GetVirtualNetworkBackRefs()
	if err == nil && len(refs) == 0 {
		// Delete policy
		err = m.client.Delete(policy)
		if err == nil {
			return nil, nil
		}
	} else if err != nil {
		glog.Errorf("Release policy %s: %v", serviceName, err)
	}

	return policy, err
}
func TestGlobalNetworkConsistencyConfigChange(t *testing.T) {
	env := new(TestFramework)
	env.SetUp("192.0.2.0/24")

	config := env.config
	config.GlobalNetworks = []string{"default-domain:cluster:global"}

	pod1 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "test-xz1",
			Namespace: "testns",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"Name":            "server",
				config.NetworkTag: "backend",
			},
		},
	}
	pod2 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "test-xz2",
			Namespace: "testns",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"Name":                  "client",
				config.NetworkTag:       "client",
				config.NetworkAccessTag: "svc",
			},
		},
	}
	pod3 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "gPod",
			Namespace: "cluster",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"Name":            "global",
				config.NetworkTag: "global",
			},
		},
	}

	service := &api.Service{
		ObjectMeta: api.ObjectMeta{
			Name:      "s1",
			Namespace: "testns",
			Labels: map[string]string{
				config.NetworkTag: "svc",
			},
		},
		Spec: api.ServiceSpec{
			Selector: map[string]string{
				"Name": "server",
			},
			ClusterIP: "10.254.42.42",
		},
	}

	clusterProject := new(types.Project)
	clusterProject.SetFQName("", []string{"default-domain", "cluster"})
	require.NoError(t, env.client.Create(clusterProject))

	netnsProject := new(types.Project)
	netnsProject.SetFQName("", []string{"default-domain", "testns"})
	require.NoError(t, env.client.Create(netnsProject))

	env.Start()

	env.AddPod(pod3)
	env.AddPod(pod1)
	env.AddPod(pod2)
	env.AddService(service, "server")
	env.SyncBarrier()

	assert.True(t, env.checker.Check())

	config.GlobalNetworks = []string{}
	for i := 0; i < 2; i++ {
		assert.False(t, env.checker.Check())
	}

	assert.True(t, env.checker.Check())

	policyName := makeGlobalNetworkPolicyName(config, []string{"default-domain", "cluster", "global"})
	_, err := types.NetworkPolicyByName(env.client, strings.Join(policyName, ":"))
	require.Error(t, err)

	env.DeletePod(pod1)
	env.DeletePod(pod2)
	env.DeletePod(pod3)
	env.DeleteService(service, "server")
	env.SyncBarrier()

	env.Shutdown()

	assert.True(t, env.checker.Check())
}
func TestGlobalNetworkConsistencyUpdateNetwork(t *testing.T) {
	env := new(TestFramework)
	env.SetUp("192.0.2.0/24")

	config := env.config
	config.GlobalNetworks = []string{"default-domain:cluster:global"}

	pod1 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "test-xz1",
			Namespace: "testns",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"Name":            "server",
				config.NetworkTag: "backend",
			},
		},
	}
	pod2 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "test-xz2",
			Namespace: "testns",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"Name":                  "client",
				config.NetworkTag:       "client",
				config.NetworkAccessTag: "svc",
			},
		},
	}
	pod3 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "gPod",
			Namespace: "cluster",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"Name":            "global",
				config.NetworkTag: "global",
			},
		},
	}

	service := &api.Service{
		ObjectMeta: api.ObjectMeta{
			Name:      "s1",
			Namespace: "testns",
			Labels: map[string]string{
				config.NetworkTag: "svc",
			},
		},
		Spec: api.ServiceSpec{
			Selector: map[string]string{
				"Name": "server",
			},
			ClusterIP: "10.254.42.42",
		},
	}

	clusterProject := new(types.Project)
	clusterProject.SetFQName("", []string{"default-domain", "cluster"})
	require.NoError(t, env.client.Create(clusterProject))

	netnsProject := new(types.Project)
	netnsProject.SetFQName("", []string{"default-domain", "testns"})
	require.NoError(t, env.client.Create(netnsProject))

	env.Start()

	env.AddPod(pod1)
	env.AddPod(pod2)
	env.AddPod(pod3)
	env.AddService(service, "server")
	env.SyncBarrier()

	// This connects the global-network policy with the respective network which is created after
	// the policy.
	assert.False(t, env.checker.Check())
	// It should be ok now.
	assert.True(t, env.checker.Check())

	policyName := makeGlobalNetworkPolicyName(config, []string{"default-domain", "cluster", "global"})
	policy, err := types.NetworkPolicyByName(env.client, strings.Join(policyName, ":"))
	require.NoError(t, err)

	netRefs, err := policy.GetVirtualNetworkBackRefs()
	require.NoError(t, err)
	assert.Len(t, netRefs, 3)
	assert.Len(t, policy.GetNetworkPolicyEntries().PolicyRule, 2)

	env.DeletePod(pod1)
	env.DeletePod(pod2)
	env.DeleteService(service, "server")
	env.SyncBarrier()

	_, err = types.NetworkPolicyByName(env.client, strings.Join(policyName, ":"))
	assert.Error(t, err)

	assert.True(t, env.checker.Check())

	env.Shutdown()
}
func TestConsistencyPodUpdateRemovePrev(t *testing.T) {
	env := new(TestFramework)
	env.SetUp("192.0.2.0/24")
	client := env.client
	config := env.config

	pod1 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "x-1",
			Namespace: "testns",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"Name":                  "client",
				config.NetworkTag:       "client",
				config.NetworkAccessTag: "red",
			},
		},
	}

	pod2 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "x-2",
			Namespace: "testns",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"Name":                  "client",
				config.NetworkTag:       "client",
				config.NetworkAccessTag: "red",
			},
		},
	}

	pod3 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "redPod",
			Namespace: "testns",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"Name":            "red",
				config.NetworkTag: "redPrivate",
			},
		},
	}

	pod4 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "bluePod",
			Namespace: "testns",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"Name":            "blue",
				config.NetworkTag: "bluePrivate",
			},
		},
	}

	redService := &api.Service{
		ObjectMeta: api.ObjectMeta{
			Name:      "red",
			Namespace: "testns",
			Labels: map[string]string{
				config.NetworkTag: "red",
			},
		},
		Spec: api.ServiceSpec{
			Selector: map[string]string{
				"Name": "red",
			},
			ClusterIP: "10.254.42.42",
		},
	}

	blueService := &api.Service{
		ObjectMeta: api.ObjectMeta{
			Name:      "blue",
			Namespace: "testns",
			Labels: map[string]string{
				config.NetworkTag: "blue",
			},
		},
		Spec: api.ServiceSpec{
			Selector: map[string]string{
				"Name": "blue",
			},
			ClusterIP: "10.254.42.43",
		},
	}

	netnsProject := new(types.Project)
	netnsProject.SetFQName("", []string{"default-domain", "testns"})
	client.Create(netnsProject)

	env.Start()

	env.AddPod(pod1)
	env.AddService(redService, "red")
	env.AddPod(pod2)
	env.AddPod(pod3)
	env.AddPod(pod4)
	env.AddService(blueService, "blue")
	env.SyncBarrier()

	serviceConnections := getNetworkServiceConnections(t, client, config, "testns", "client")
	assert.EqualValues(t, []string{"default", "red"}, serviceConnections)
	assert.True(t, env.checker.Check())
	policyName := makeServicePolicyName(config, "testns", "red")
	_, err := types.NetworkPolicyByName(client, strings.Join(policyName, ":"))
	assert.NoError(t, err)

	clonePodAndUpdateAccessTag := func(pod *api.Pod, color string) *api.Pod {
		newPod := new(api.Pod)
		*newPod = *pod
		newPod.Labels = make(map[string]string, 0)
		for k, v := range pod.Labels {
			newPod.Labels[k] = v
		}
		newPod.Labels[config.NetworkAccessTag] = color
		return newPod
	}

	// Update connections on pod1
	nPod1 := clonePodAndUpdateAccessTag(pod1, "blue")
	env.UpdatePod(pod1, nPod1)
	env.SyncBarrier()

	serviceConnections = getNetworkServiceConnections(t, client, config, "testns", "client")
	assert.EqualValues(t, []string{"default", "red", "blue"}, serviceConnections)
	assert.True(t, env.checker.Check(), "red and blue present")

	// Update connections on pod2
	// This will leave a stale connection to network red.
	nPod2 := clonePodAndUpdateAccessTag(pod2, "blue")
	env.UpdatePod(pod2, nPod2)
	env.SyncBarrier()

	serviceConnections = getNetworkServiceConnections(t, client, config, "testns", "client")
	assert.EqualValues(t, []string{"default", "red", "blue"}, serviceConnections)

	assert.False(t, env.checker.Check())

	env.DeleteService(redService, "red")
	env.SyncBarrier()

	// The second pass will delete the connection to network red.
	assert.False(t, env.checker.Check())
	serviceConnections = getNetworkServiceConnections(t, client, config, "testns", "client")
	assert.EqualValues(t, []string{"default", "blue"}, serviceConnections)

	assert.True(t, env.checker.Check())

	env.Shutdown()

	_, err = types.NetworkPolicyByName(client, strings.Join(policyName, ":"))
	assert.Error(t, err)
}
func TestServiceWithMultipleUsers(t *testing.T) {
	kube := mocks.NewKubeClient()

	client := new(contrail_mocks.ApiClient)
	client.Init()

	client.AddInterceptor("virtual-machine-interface", &VmiInterceptor{})
	client.AddInterceptor("virtual-network", &NetworkInterceptor{})

	allocator := new(mocks.AddressAllocator)

	controller := NewTestController(kube, client, allocator, nil)

	pod1 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "test-server",
			Namespace: "testns",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"name": "server",
			},
		},
	}
	pod2 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "test-xz1",
			Namespace: "testns",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"name": "client1",
				"uses": "x1",
			},
		},
	}
	pod3 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "test-xz2",
			Namespace: "testns",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"name": "client1",
				"uses": "x1",
			},
		},
	}
	pod4 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "test-xz3",
			Namespace: "testns",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"name": "client2",
				"uses": "x1",
			},
		},
	}
	service := &api.Service{
		ObjectMeta: api.ObjectMeta{
			Name:      "s1",
			Namespace: "testns",
			Labels: map[string]string{
				"name": "x1",
			},
		},
		Spec: api.ServiceSpec{
			Selector: map[string]string{
				"name": "server",
			},
			ClusterIP: "10.254.42.42",
		},
	}

	netnsProject := new(types.Project)
	netnsProject.SetFQName("", []string{"default-domain", "testns"})
	client.Create(netnsProject)

	allocator.On("LocateIpAddress", string(pod1.ObjectMeta.UID)).Return("10.0.0.1", nil)
	allocator.On("LocateIpAddress", string(pod2.ObjectMeta.UID)).Return("10.0.0.2", nil)
	allocator.On("LocateIpAddress", string(pod3.ObjectMeta.UID)).Return("10.0.0.3", nil)
	allocator.On("LocateIpAddress", string(pod4.ObjectMeta.UID)).Return("10.0.0.4", nil)
	allocator.On("ReleaseIpAddress", string(pod1.ObjectMeta.UID)).Return()
	allocator.On("ReleaseIpAddress", string(pod2.ObjectMeta.UID)).Return()
	allocator.On("ReleaseIpAddress", string(pod3.ObjectMeta.UID)).Return()
	allocator.On("ReleaseIpAddress", string(pod4.ObjectMeta.UID)).Return()

	kube.PodInterface.On("Update", pod1).Return(pod1, nil)
	kube.PodInterface.On("Update", pod2).Return(pod2, nil)
	kube.PodInterface.On("Update", pod3).Return(pod3, nil)
	kube.PodInterface.On("Update", pod4).Return(pod4, nil)
	kube.PodInterface.On("List", mock.Anything, mock.Anything).Return(&api.PodList{Items: []api.Pod{*pod1}}, nil)

	shutdown := make(chan struct{})
	go controller.Run(shutdown)

	controller.AddPod(pod1)
	controller.AddService(service)
	controller.AddPod(pod2)
	controller.AddPod(pod3)
	controller.AddPod(pod4)

	time.Sleep(100 * time.Millisecond)

	policy, err := types.NetworkPolicyByName(client, "default-domain:testns:x1")
	assert.NoError(t, err)
	if err == nil {
		assert.Len(t, policy.GetNetworkPolicyEntries().PolicyRule, 2)
		assert.True(t, policyHasRule(policy, "default-domain:testns:client1", "default-domain:testns:service-x1"))
		assert.True(t, policyHasRule(policy, "default-domain:testns:client2", "default-domain:testns:service-x1"))
	}

	_, err = types.VirtualNetworkByName(client, "default-domain:testns:client2")
	assert.NoError(t, err)

	controller.DeletePod(pod3)
	time.Sleep(100 * time.Millisecond)

	policy, err = types.NetworkPolicyByName(client, "default-domain:testns:x1")
	assert.NoError(t, err)
	if err == nil {
		assert.Len(t, policy.GetNetworkPolicyEntries().PolicyRule, 2)
	}

	controller.DeletePod(pod4)
	time.Sleep(100 * time.Millisecond)

	_, err = types.VirtualNetworkByName(client, "default-domain:testns:client2")
	assert.Error(t, err)

	policy, err = types.NetworkPolicyByName(client, "default-domain:testns:x1")
	assert.NoError(t, err)
	if err == nil {
		assert.Len(t, policy.GetNetworkPolicyEntries().PolicyRule, 1)
		assert.True(t, policyHasRule(policy, "default-domain:testns:client1", "default-domain:testns:service-x1"))
	}

	controller.DeletePod(pod2)
	time.Sleep(100 * time.Millisecond)

	policy, err = types.NetworkPolicyByName(client, "default-domain:testns:x1")
	assert.NoError(t, err)
	if err == nil {
		assert.Len(t, policy.GetNetworkPolicyEntries().PolicyRule, 0)
	}

	controller.DeletePod(pod1)
	controller.DeleteService(service)
	time.Sleep(100 * time.Millisecond)

	type shutdownMsg struct {
	}
	shutdown <- shutdownMsg{}

	policy, err = types.NetworkPolicyByName(client, "default-domain:testns:x1")
	assert.Error(t, err)
}
func TestServiceAddWithPod(t *testing.T) {
	kube := mocks.NewKubeClient()

	client := new(contrail_mocks.ApiClient)
	client.Init()

	client.AddInterceptor("virtual-machine-interface", &VmiInterceptor{})
	client.AddInterceptor("virtual-network", &NetworkInterceptor{})

	netnsProject := new(types.Project)
	netnsProject.SetFQName("domain", []string{"default-domain", "testns"})
	assert.NoError(t, client.Create(netnsProject))

	allocator := new(mocks.AddressAllocator)

	controller := NewTestController(kube, client, allocator, nil)

	pod := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "test",
			Namespace: "testns",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"name": "testpod",
			},
		},
	}
	service := &api.Service{
		ObjectMeta: api.ObjectMeta{
			Name:      "s1",
			Namespace: "testns",
			Labels: map[string]string{
				"name": "x1",
			},
		},
		Spec: api.ServiceSpec{
			Selector: map[string]string{
				"name": "testpod",
			},
			ClusterIP: "10.254.42.42",
		},
	}

	allocator.On("LocateIpAddress", string(pod.ObjectMeta.UID)).Return("10.0.0.1", nil)

	kube.PodInterface.On("Update", pod).Return(pod, nil)
	kube.PodInterface.On("List", mock.Anything, mock.Anything).Return(&api.PodList{Items: []api.Pod{*pod}}, nil)

	shutdown := make(chan struct{})
	go controller.Run(shutdown)

	controller.AddPod(pod)
	controller.AddService(service)

	time.Sleep(100 * time.Millisecond)

	type shutdownMsg struct {
	}
	shutdown <- shutdownMsg{}

	time.Sleep(100 * time.Millisecond)

	obj, err := client.FindByName("virtual-network", "default-domain:testns:service-x1")
	require.NoError(t, err)
	serviceNet := obj.(*types.VirtualNetwork)
	sip, err := controller.networkMgr.LocateFloatingIp(serviceNet, service.Name, service.Spec.ClusterIP)
	assert.NoError(t, err)
	refList, err := sip.GetVirtualMachineInterfaceRefs()
	assert.Nil(t, err)
	assert.NotEmpty(t, refList)

	policy, err := types.NetworkPolicyByName(client, "default-domain:testns:x1")
	assert.NoError(t, err)
	if err == nil {
		assert.Len(t, policy.GetNetworkPolicyEntries().PolicyRule, 0)
	}
}
func TestServiceUpdatePublicIp(t *testing.T) {
	kube := mocks.NewKubeClient()

	client := new(contrail_mocks.ApiClient)
	client.Init()

	client.AddInterceptor("virtual-machine-interface", &VmiInterceptor{})
	client.AddInterceptor("virtual-network", &NetworkInterceptor{})
	client.AddInterceptor("instance-ip", &IpInterceptor{})
	client.AddInterceptor("floating-ip", &FloatingIpInterceptor{})

	controller := NewTestController(kube, client, nil, nil)

	pod1 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "test-sv1",
			Namespace: "testns",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"name": "service",
			},
		},
	}

	pod2 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "test-sv2",
			Namespace: "testns",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"name": "service",
			},
		},
	}

	pod3 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "test-xz3",
			Namespace: "testns",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"name": "client",
				"uses": "svc",
			},
		},
	}

	service := &api.Service{
		ObjectMeta: api.ObjectMeta{
			Name:      "service",
			Namespace: "testns",
			Labels: map[string]string{
				"name": "svc",
			},
		},
		Spec: api.ServiceSpec{
			Selector: map[string]string{
				"name": "service",
			},
			ClusterIP: "10.254.42.42",
			Type:      api.ServiceTypeLoadBalancer,
		},
	}

	netnsProject := new(types.Project)
	netnsProject.SetFQName("", []string{"default-domain", "testns"})
	client.Create(netnsProject)

	kube.PodInterface.On("Update", pod1).Return(pod1, nil)
	kube.PodInterface.On("Update", pod2).Return(pod2, nil)
	kube.PodInterface.On("Update", pod3).Return(pod3, nil)
	selectPods := labels.Set(map[string]string{"name": "service"}).AsSelector()
	kube.PodInterface.On("List", selectPods, mock.Anything).Return(&api.PodList{Items: []api.Pod{*pod1, *pod2}}, nil)
	kube.ServiceInterface.On("Update", service).Return(service, nil)

	shutdown := make(chan struct{})
	go controller.Run(shutdown)

	controller.AddPod(pod1)
	controller.AddPod(pod2)
	controller.AddPod(pod3)
	controller.AddService(service)
	time.Sleep(100 * time.Millisecond)

	fqn := strings.Split(controller.config.PublicNetwork, ":")
	fqn = append(fqn, fqn[len(fqn)-1])
	fqn = append(fqn, service.Name)
	fip, err := types.FloatingIpByName(client, strings.Join(fqn, ":"))
	assert.NoError(t, err)
	if err == nil {
		vmList, err := getFloatingIpToInstanceList(client, fip)
		assert.NoError(t, err)
		assert.Len(t, vmList, 2)
		assert.Contains(t, vmList, string(pod1.UID))
		assert.Contains(t, vmList, string(pod2.UID))
	}

	nService := new(api.Service)
	*nService = *service
	nService.Spec.Type = api.ServiceTypeClusterIP

	controller.UpdateService(service, nService)
	time.Sleep(100 * time.Millisecond)

	_, err = types.FloatingIpByName(client, strings.Join(fqn, ":"))
	assert.Error(t, err)

	controller.UpdateService(nService, service)
	time.Sleep(100 * time.Millisecond)

	type shutdownMsg struct {
	}
	shutdown <- shutdownMsg{}

	fip, err = types.FloatingIpByName(client, strings.Join(fqn, ":"))
	assert.NoError(t, err)
	if err == nil {
		vmList, err := getFloatingIpToInstanceList(client, fip)
		assert.NoError(t, err)
		assert.Len(t, vmList, 2)
		assert.Contains(t, vmList, string(pod1.UID))
		assert.Contains(t, vmList, string(pod2.UID))
	}

	policy, err := types.NetworkPolicyByName(client, "default-domain:testns:svc")
	assert.NoError(t, err)
	if err == nil {
		assert.Len(t, policy.GetNetworkPolicyEntries().PolicyRule, 1)
		assert.True(t, policyHasRule(policy, "default-domain:testns:client", "default-domain:testns:service-svc"))
	}

}
func TestServiceUpdateLabel(t *testing.T) {
	kube := mocks.NewKubeClient()

	client := new(contrail_mocks.ApiClient)
	client.Init()

	client.AddInterceptor("virtual-machine-interface", &VmiInterceptor{})
	client.AddInterceptor("virtual-network", &NetworkInterceptor{})
	client.AddInterceptor("instance-ip", &IpInterceptor{})
	client.AddInterceptor("floating-ip", &FloatingIpInterceptor{})

	controller := NewTestController(kube, client, nil, nil)

	pod1 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "test-sv1",
			Namespace: "testns",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"name": "server",
			},
		},
	}

	pod2 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "test-xz2",
			Namespace: "testns",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"name": "client1",
				"uses": "red",
			},
		},
	}

	pod3 := &api.Pod{
		ObjectMeta: api.ObjectMeta{
			Name:      "test-xz3",
			Namespace: "testns",
			UID:       kubetypes.UID(uuid.New()),
			Labels: map[string]string{
				"name": "client2",
				"uses": "blue",
			},
		},
	}

	service := &api.Service{
		ObjectMeta: api.ObjectMeta{
			Name:      "service",
			Namespace: "testns",
			Labels: map[string]string{
				"name": "red",
			},
		},
		Spec: api.ServiceSpec{
			Selector: map[string]string{
				"name": "server",
			},
			ClusterIP: "10.254.42.42",
			Type:      api.ServiceTypeLoadBalancer,
		},
	}

	netnsProject := new(types.Project)
	netnsProject.SetFQName("", []string{"default-domain", "testns"})
	client.Create(netnsProject)

	kube.PodInterface.On("Update", pod1).Return(pod1, nil)
	kube.PodInterface.On("Update", pod2).Return(pod2, nil)
	kube.PodInterface.On("Update", pod3).Return(pod3, nil)
	selectServer := labels.Set(map[string]string{"name": "server"}).AsSelector()
	kube.PodInterface.On("List", selectServer, mock.Anything).Return(&api.PodList{Items: []api.Pod{*pod1}}, nil)
	kube.ServiceInterface.On("Update", service).Return(service, nil)

	shutdown := make(chan struct{})
	go controller.Run(shutdown)

	controller.AddPod(pod1)
	controller.AddPod(pod2)
	controller.AddPod(pod3)
	controller.AddService(service)
	time.Sleep(100 * time.Millisecond)

	redPolicy, err := types.NetworkPolicyByName(client, "default-domain:testns:red")
	assert.NoError(t, err)
	if err == nil {
		assert.Len(t, redPolicy.GetNetworkPolicyEntries().PolicyRule, 1)
		assert.True(t, policyHasRule(redPolicy, "default-domain:testns:client1", "default-domain:testns:service-red"))
		refs, err := redPolicy.GetVirtualNetworkBackRefs()
		assert.NoError(t, err)
		nameList := getReferenceListNames(refs)
		assert.Contains(t, nameList, "default-domain:testns:client1")
		assert.Contains(t, nameList, "default-domain:testns:service-red")
	}

	bluePolicy, err := types.NetworkPolicyByName(client, "default-domain:testns:blue")
	assert.NoError(t, err)
	if err == nil {
		assert.Len(t, bluePolicy.GetNetworkPolicyEntries().PolicyRule, 0)
		refs, err := bluePolicy.GetVirtualNetworkBackRefs()
		assert.NoError(t, err)
		assert.Len(t, refs, 1)
	}

	nService := new(api.Service)
	*nService = *service
	nService.Labels = map[string]string{
		"name": "blue",
	}
	// The service will receive a different PublicIP because this is translated into a service delete operation,
	// followed by an add.
	kube.ServiceInterface.On("Update", nService).Return(nService, nil)

	controller.UpdateService(service, nService)
	time.Sleep(100 * time.Millisecond)

	type shutdownMsg struct {
	}
	shutdown <- shutdownMsg{}

	bluePolicy, err = types.NetworkPolicyByName(client, "default-domain:testns:blue")
	assert.NoError(t, err)
	if err == nil {
		assert.Len(t, bluePolicy.GetNetworkPolicyEntries().PolicyRule, 1)
		assert.True(t, policyHasRule(bluePolicy, "default-domain:testns:client2", "default-domain:testns:service-blue"))
		refs, err := bluePolicy.GetVirtualNetworkBackRefs()
		assert.NoError(t, err)
		nameList := getReferenceListNames(refs)
		assert.Contains(t, nameList, "default-domain:testns:client2")
		assert.Contains(t, nameList, "default-domain:testns:service-blue")
	}

	redPolicy, err = types.NetworkPolicyByName(client, "default-domain:testns:red")
	assert.NoError(t, err)
	if err == nil {
		assert.Len(t, redPolicy.GetNetworkPolicyEntries().PolicyRule, 0)
		refs, err := redPolicy.GetVirtualNetworkBackRefs()
		assert.NoError(t, err)
		assert.Len(t, refs, 1)
	}

	fip, err := types.FloatingIpByName(client, "default-domain:testns:service-blue:service-blue:service")
	assert.NoError(t, err)
	if err == nil {
		vmList, err := getFloatingIpToInstanceList(client, fip)
		assert.NoError(t, err)
		assert.Len(t, vmList, 1)
		assert.Contains(t, vmList, string(pod1.UID))
	}

}