Add testing for networkpolicy metrics at agent in a unit test (#999)

Add testing for networkpolicy metrics at agent in a unit test

- antrea_agent_networkpolicy_count
- antrea_agent_egress_networkpolicy_rule_count
- antrea_agent_ingress_networkpolicy_rule_count

Signed-off-by: Yuki Tsuboi <ytsuboi@vmware.com>

pkg/agent/controller/networkpolicy/networkpolicy_controller_test.go

@@ -15,6 +15,8 @@
 package networkpolicy
 
 import (
+	"fmt"
+	"strings"
 	"sync"
 	"testing"
 	"time"
@@ -25,7 +27,10 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/watch"
 	k8stesting "k8s.io/client-go/testing"
+	"k8s.io/component-base/metrics/legacyregistry"
+	"k8s.io/component-base/metrics/testutil"
 
+	"github.com/vmware-tanzu/antrea/pkg/agent/metrics"
 	"github.com/vmware-tanzu/antrea/pkg/apis/controlplane/v1beta1"
 	"github.com/vmware-tanzu/antrea/pkg/client/clientset/versioned"
 	"github.com/vmware-tanzu/antrea/pkg/client/clientset/versioned/fake"
@@ -118,19 +123,23 @@ func newAppliedToGroup(name string, pods []v1beta1.GroupMemberPod) *v1beta1.Appl
 }
 
 func newNetworkPolicy(uid string, from, to, appliedTo []string, services []v1beta1.Service) *v1beta1.NetworkPolicy {
-	networkPolicyRule1 := v1beta1.NetworkPolicyRule{
-		Direction: v1beta1.DirectionIn,
-		From:      v1beta1.NetworkPolicyPeer{AddressGroups: from},
-		To:        v1beta1.NetworkPolicyPeer{AddressGroups: to},
-		Services:  services,
-	}
+	networkPolicyRule1 := newPolicyRule(v1beta1.DirectionIn, from, to, services)
 	return &v1beta1.NetworkPolicy{
 		ObjectMeta:      v1.ObjectMeta{UID: types.UID(uid), Name: uid, Namespace: testNamespace},
 		Rules:           []v1beta1.NetworkPolicyRule{networkPolicyRule1},
 		AppliedToGroups: appliedTo,
 	}
 }
 
+func newPolicyRule(direction v1beta1.Direction, from []string, to []string, services []v1beta1.Service) v1beta1.NetworkPolicyRule {
+	return v1beta1.NetworkPolicyRule{
+		Direction: direction,
+		From:      v1beta1.NetworkPolicyPeer{AddressGroups: from},
+		To:        v1beta1.NetworkPolicyPeer{AddressGroups: to},
+		Services:  services,
+	}
+}
+
 func getNetworkPolicyWithMultipleRules(uid string, from, to, appliedTo []string, services []v1beta1.Service) *v1beta1.NetworkPolicy {
 	networkPolicyRule1 := v1beta1.NetworkPolicyRule{
 		Direction: v1beta1.DirectionIn,
@@ -436,3 +445,119 @@ func TestAddNetworkPolicyWithMultipleRules(t *testing.T) {
 	assert.Equal(t, 2, controller.GetAddressGroupNum())
 	assert.Equal(t, 1, controller.GetAppliedToGroupNum())
 }
+
+func TestNetworkPolicyMetrics(t *testing.T) {
+	// Initialize NetworkPolicy metrics (prometheus)
+	metrics.InitializeNetworkPolicyMetrics()
+	controller, clientset, reconciler := newTestController()
+
+	// Define functions to wait for a message from reconciler
+	waitForReconcilerUpdated := func() {
+		select {
+		case ruleID := <-reconciler.updated:
+			_, exists := reconciler.getLastRealized(ruleID)
+			if !exists {
+				t.Fatalf("Expected rule %s, got none", ruleID)
+			}
+		case <-time.After(time.Millisecond * 100):
+			t.Fatal("Expected one update, got none")
+		}
+	}
+	waitForReconcilerDeleted := func() {
+		select {
+		case ruleID := <-reconciler.deleted:
+			actualRule, exists := reconciler.getLastRealized(ruleID)
+			if exists {
+				t.Fatalf("Expected no rule, got %v", actualRule)
+			}
+		case <-time.After(time.Millisecond * 100):
+			t.Fatal("Expected one update, got none")
+		}
+	}
+
+	// Define a function to check networkpolicy metrics
+	checkNetworkPolicyMetrics := func() {
+		expectedEgressNetworkPolicyRuleCount := `
+		# HELP antrea_agent_egress_networkpolicy_rule_count [STABLE] Number of egress networkpolicy rules on local node which are managed by the Antrea Agent.
+		# TYPE antrea_agent_egress_networkpolicy_rule_count gauge
+		`
+
+		expectedIngressNetworkPolicyRuleCount := `
+		# HELP antrea_agent_ingress_networkpolicy_rule_count [STABLE] Number of ingress networkpolicy rules on local node which are managed by the Antrea Agent.
+		# TYPE antrea_agent_ingress_networkpolicy_rule_count gauge
+		`
+
+		expectedNetworkPolicyCount := `
+		# HELP antrea_agent_networkpolicy_count [STABLE] Number of networkpolicies on local node which are managed by the Antrea Agent.
+		# TYPE antrea_agent_networkpolicy_count gauge
+		`
+
+		ingressRuleCount := 0
+		egressRuleCount := 0
+
+		// Get networkpolicies in all namespaces
+		networkpolicies := controller.GetNetworkPolicies("")
+		for _, networkpolicy := range networkpolicies {
+			for _, rule := range networkpolicy.Rules {
+				if rule.Direction == v1beta1.DirectionIn {
+					ingressRuleCount++
+				} else {
+					egressRuleCount++
+				}
+			}
+		}
+
+		expectedEgressNetworkPolicyRuleCount = expectedEgressNetworkPolicyRuleCount + fmt.Sprintf("antrea_agent_egress_networkpolicy_rule_count %d\n", egressRuleCount)
+		expectedIngressNetworkPolicyRuleCount = expectedIngressNetworkPolicyRuleCount + fmt.Sprintf("antrea_agent_ingress_networkpolicy_rule_count %d\n", ingressRuleCount)
+		expectedNetworkPolicyCount = expectedNetworkPolicyCount + fmt.Sprintf("antrea_agent_networkpolicy_count %d\n", controller.GetNetworkPolicyNum())
+
+		assert.NoError(t, testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expectedEgressNetworkPolicyRuleCount), "antrea_agent_egress_networkpolicy_rule_count"))
+		assert.NoError(t, testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expectedIngressNetworkPolicyRuleCount), "antrea_agent_ingress_networkpolicy_rule_count"))
+		assert.NoError(t, testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expectedNetworkPolicyCount), "antrea_agent_networkpolicy_count"))
+	}
+
+	addressGroupWatcher := watch.NewFake()
+	appliedToGroupWatcher := watch.NewFake()
+	networkPolicyWatcher := watch.NewFake()
+	clientset.AddWatchReactor("addressgroups", k8stesting.DefaultWatchReactor(addressGroupWatcher, nil))
+	clientset.AddWatchReactor("appliedtogroups", k8stesting.DefaultWatchReactor(appliedToGroupWatcher, nil))
+	clientset.AddWatchReactor("networkpolicies", k8stesting.DefaultWatchReactor(networkPolicyWatcher, nil))
+
+	protocolTCP := v1beta1.ProtocolTCP
+	port := intstr.FromInt(80)
+	services := []v1beta1.Service{{Protocol: &protocolTCP, Port: &port}}
+	stopCh := make(chan struct{})
+	defer close(stopCh)
+	go controller.Run(stopCh)
+
+	// Test adding policy1 with a single rule
+	policy1 := newNetworkPolicy("policy1", []string{"addressGroup1"}, []string{}, []string{"appliedToGroup1"}, services)
+	addressGroupWatcher.Add(newAddressGroup("addressGroup1", []v1beta1.GroupMemberPod{*newAddressGroupMemberPod("1.1.1.1"), *newAddressGroupMemberPod("2.2.2.2")}))
+	addressGroupWatcher.Action(watch.Bookmark, nil)
+	appliedToGroupWatcher.Add(newAppliedToGroup("appliedToGroup1", []v1beta1.GroupMemberPod{*newAppliedToGroupMember("pod1", "ns1")}))
+	appliedToGroupWatcher.Action(watch.Bookmark, nil)
+	networkPolicyWatcher.Add(policy1)
+	networkPolicyWatcher.Action(watch.Bookmark, nil)
+	waitForReconcilerUpdated()
+	checkNetworkPolicyMetrics()
+
+	// Test adding policy2 with multiple rules
+	policy2 := getNetworkPolicyWithMultipleRules("policy2", []string{"addressGroup2"}, []string{"addressGroup2"}, []string{"appliedToGroup2"}, services)
+	addressGroupWatcher.Add(newAddressGroup("addressGroup2", []v1beta1.GroupMemberPod{*newAddressGroupMemberPod("3.3.3.3"), *newAddressGroupMemberPod("4.4.4.4")}))
+	addressGroupWatcher.Action(watch.Bookmark, nil)
+	appliedToGroupWatcher.Add(newAppliedToGroup("appliedToGroup2", []v1beta1.GroupMemberPod{*newAppliedToGroupMember("pod2", "ns2")}))
+	appliedToGroupWatcher.Action(watch.Bookmark, nil)
+	networkPolicyWatcher.Add(policy2)
+	waitForReconcilerUpdated()
+	checkNetworkPolicyMetrics()
+
+	// Test deleting policy1
+	networkPolicyWatcher.Delete(newNetworkPolicy("policy1", []string{}, []string{}, []string{}, nil))
+	waitForReconcilerDeleted()
+	checkNetworkPolicyMetrics()
+
+	// Test deleting policy2
+	networkPolicyWatcher.Delete(newNetworkPolicy("policy2", []string{}, []string{}, []string{}, nil))
+	waitForReconcilerDeleted()
+	checkNetworkPolicyMetrics()
+}