fix(security_groups/dynamic_asgs.go): Update tests to work with the N…

…CP/NSX-T CNI (#1067)

NCP configures the NSX-T firewalls to drop by default, rather
than reject, like what silk does. We should allow for both error
cases in our tests.

Additionally, NSX-T firewalls do not support `10.0.0.0/0` as a valid
CIDR block. ASG have been updated to provide 3 sets of internal private
address space to achieve the same goal.

security_groups/dynamic_asgs.go

@@ -110,7 +110,7 @@ func assertAppCannotConnect(client *http.Client, proxyRequestURL string) {
 	respBytes, err := io.ReadAll(resp.Body)
 	Expect(err).ToNot(HaveOccurred())
 	resp.Body.Close()
-	Expect(string(respBytes)).To(MatchRegexp("refused"))
+	Expect(string(respBytes)).To(MatchRegexp("i/o timeout|connection refused"))
 }
 
 func assertEventuallyAppCannotConnect(client *http.Client, proxyRequestURL string) {
@@ -122,7 +122,7 @@ func assertEventuallyAppCannotConnect(client *http.Client, proxyRequestURL strin
 		Expect(err).ToNot(HaveOccurred())
 		resp.Body.Close()
 		return string(respBytes)
-	}, 3*time.Minute).Should(MatchRegexp("refused"))
+	}, 3*time.Minute).Should(MatchRegexp("i/o timeout|refused"))
 }
 
 func assertAppCanConnect(client *http.Client, proxyRequestURL string) {
@@ -150,12 +150,20 @@ func assertEventuallyAppCanConnect(client *http.Client, proxyRequestURL string)
 }
 
 func bindCCSecurityGroup(orgName, spaceName string) string {
-	dest := Destination{
-		IP:       "10.0.0.0/0",
+	destinations := []Destination{{
+		IP:       "10.0.0.0/8",
 		Ports:    "9024", // internal cc port
 		Protocol: "tcp",
-	}
-	securityGroupName := createSecurityGroup(dest)
+	}, {
+		IP:       "192.168.0.0/16",
+		Ports:    "9024", // internal cc port
+		Protocol: "tcp",
+	}, {
+		IP:       "172.16.0.0/12",
+		Ports:    "9024", // internal cc port
+		Protocol: "tcp",
+	}}
+	securityGroupName := createSecurityGroup(destinations...)
 	bindSecurityGroup(securityGroupName, orgName, spaceName)
 
 	return securityGroupName