Simpler firewall rules

controllers/gce/controller/controller_test.go

@@ -23,6 +23,7 @@ import (
 	"time"
 
 	compute "google.golang.org/api/compute/v1"
+	"k8s.io/contrib/ingress/controllers/gce/firewalls"
 	"k8s.io/contrib/ingress/controllers/gce/loadbalancers"
 	"k8s.io/contrib/ingress/controllers/gce/utils"
 	"k8s.io/kubernetes/pkg/api"
@@ -32,6 +33,7 @@ import (
 	client "k8s.io/kubernetes/pkg/client/unversioned"
 	"k8s.io/kubernetes/pkg/util"
 	"k8s.io/kubernetes/pkg/util/intstr"
+	"k8s.io/kubernetes/pkg/util/sets"
 )
 
 const testClusterName = "testcluster"
@@ -234,11 +236,27 @@ func TestLbCreateDelete(t *testing.T) {
 	// we shouldn't pull shared backends out from existing loadbalancers.
 	unexpected := []int{pm.portMap["foo2svc"], pm.portMap["bar2svc"]}
 	expected := []int{pm.portMap["foo1svc"], pm.portMap["bar1svc"]}
+	firewallPorts := sets.NewString()
+	firewallName := pm.namer.FrName(pm.namer.FrSuffix())
+
+	if firewallRule, err := cm.firewallPool.(*firewalls.FirewallRules).GetFirewall(firewallName); err != nil {
+		t.Fatalf("%v", err)
+	} else {
+		if len(firewallRule.Allowed) != 1 {
+			t.Fatalf("Expected a single firewall rule")
+		}
+		for _, p := range firewallRule.Allowed[0].Ports {
+			firewallPorts.Insert(p)
+		}
+	}
 
 	for _, port := range expected {
 		if _, err := cm.backendPool.Get(int64(port)); err != nil {
 			t.Fatalf("%v", err)
 		}
+		if !firewallPorts.Has(fmt.Sprintf("%v", port)) {
+			t.Fatalf("Expected a firewall rule for port %v", port)
+		}
 	}
 	for _, port := range unexpected {
 		if be, err := cm.backendPool.Get(int64(port)); err == nil {
@@ -263,6 +281,9 @@ func TestLbCreateDelete(t *testing.T) {
 			t.Fatalf("Found unexpected loadbalandcer %+v: %v", l7, err)
 		}
 	}
+	if firewallRule, err := cm.firewallPool.(*firewalls.FirewallRules).GetFirewall(firewallName); err == nil {
+		t.Fatalf("Found unexpected firewall rule %v", firewallRule)
+	}
 }
 
 func TestLbFaultyUpdate(t *testing.T) {