From 7f50d0b86824dd69ed565c6bf98e03fc0165eac5 Mon Sep 17 00:00:00 2001
From: Geoff Franks
Date: Sat, 24 Feb 2024 17:43:04 -0500
Subject: [PATCH] fix(security_groups/dynamic_asgs.go): Update tests to work with the NCP/NSX-T CNI (#1067)

NCP configures the NSX-T firewalls to drop by default, rather than reject, like what silk does. We should allow for both error cases in our tests. Additionally, NSX-T firewalls do not support `10.0.0.0/0` as a valid CIDR block. ASG have been updated to provide 3 sets of internal private address space to achieve the same goal.
---
 security_groups/dynamic_asgs.go | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/security_groups/dynamic_asgs.go b/security_groups/dynamic_asgs.go
index dff45ea56..4f6548df1 100644
--- a/security_groups/dynamic_asgs.go
+++ b/security_groups/dynamic_asgs.go
@@ -110,7 +110,7 @@ func assertAppCannotConnect(client *http.Client, proxyRequestURL string) {
 respBytes, err := io.ReadAll(resp.Body)
 Expect(err).ToNot(HaveOccurred())
 resp.Body.Close()
- Expect(string(respBytes)).To(MatchRegexp("refused"))
+ Expect(string(respBytes)).To(MatchRegexp("i/o timeout|connection refused"))
 }
 
 func assertEventuallyAppCannotConnect(client *http.Client, proxyRequestURL string) {
@@ -122,7 +122,7 @@ func assertEventuallyAppCannotConnect(client *http.Client, proxyRequestURL strin
 Expect(err).ToNot(HaveOccurred())
 resp.Body.Close()
 return string(respBytes)
- }, 3*time.Minute).Should(MatchRegexp("refused"))
+ }, 3*time.Minute).Should(MatchRegexp("i/o timeout|refused"))
 }
 
 func assertAppCanConnect(client *http.Client, proxyRequestURL string) {
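Review bot: Accepting `i/o timeout` in assertAppCannotConnect makes this negative check pass on any timeout between the proxy app and the target, not only on an NSX-T drop, so "blocked by the security group" can no longer be told apart from "target slow or unreachable"; the same applies to the pattern in assertEventuallyAppCannotConnect in the next hunk. The two patterns also disagree (`connection refused` here, bare `refused` there), and both are unanchored matches against the whole response body. One shared constant, `const blockedConnPattern = "i/o timeout|connection refused"`, with a comment that silk rejects while NCP/NSX-T drops, would keep them in step. The test presumably relies on the paired assertAppCanConnect calls, which are outside this hunk, to prove the target was reachable; it is worth confirming every caller has one.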
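Review bot: With `i/o timeout` accepted in assertEventuallyAppCannotConnect, the polling stops on the first timed-out request, so one slow or dropped request while the security group change is still propagating satisfies the assertion before the block is actually in force. The polling call opens outside the hunk, so this is inferred from the `}, 3*time.Minute).Should(` tail. A follow-up `Consistently` over a short window with the same matcher, or a comment stating that a single timeout is taken as proof of enforcement, would make the intent explicit.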
@@ -150,12 +150,20 @@ func assertEventuallyAppCanConnect(client *http.Client, proxyRequestURL string)
 }
 
 func bindCCSecurityGroup(orgName, spaceName string) string {
- dest := Destination{
- IP: "10.0.0.0/0",
+ destinations := []Destination{{
+ IP: "10.0.0.0/8",
 Ports: "9024", // internal cc port
 Protocol: "tcp",
- }
- securityGroupName := createSecurityGroup(dest)
+ }, {
+ IP: "192.168.0.0/16",
+ Ports: "9024", // internal cc port
+ Protocol: "tcp",
+ }, {
+ IP: "172.16.0.0/12",
+ Ports: "9024", // internal cc port
+ Protocol: "tcp",
+ }}
+ securityGroupName := createSecurityGroup(destinations...)
 bindSecurityGroup(securityGroupName, orgName, spaceName)
 
 return securityGroupName
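Review bot: The three new destinations in bindCCSecurityGroup allow only the RFC 1918 private ranges, which is narrower than the rule they replace: a `/0` prefix, where it is accepted, covers every IPv4 address, so the old `10.0.0.0/0` let the app reach port 9024 anywhere. That is a tighter allowance and the better default, but an environment whose internal Cloud Controller address sits outside those ranges would now fail this test, which the commit message's "same goal" does not mention. A comment above the literal would record it, e.g. `// RFC 1918 private ranges only; NSX-T rejects a /0 prefix, and the former 10.0.0.0/0 allowed any IPv4 destination`. createSecurityGroup is defined outside the hunk and presumably already takes variadic Destination values, since the diffstat shows no other change; the function's closing brace is also outside the hunk.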