From d452769d922cd396fe9ec0e5023709fe09131f41 Mon Sep 17 00:00:00 2001
From: Kyle Havlovitz
Date: Wed, 29 Apr 2020 02:58:35 -0700
Subject: [PATCH] Add TLS integration test for ingress gateway

- Pull Consul Root CA from API in order to verify certificate chain
- Assert on the DNSSAN as well to ensure it is correct
---
 .../config_entries.hcl | 4 ---
 .../case-ingress-gateway-simple/verify.bats | 2 --
 .../envoy/case-ingress-gateway-tls/capture.sh | 3 ++
 .../config_entries.hcl | 24 +++++++++++++
 .../case-ingress-gateway-tls/gateway.hcl | 4 +++
 .../envoy/case-ingress-gateway-tls/setup.sh | 10 ++++++
 .../envoy/case-ingress-gateway-tls/vars.sh | 3 ++
 .../case-ingress-gateway-tls/verify.bats | 34 +++++++++++++++++++
 test/integration/connect/envoy/helpers.bash | 19 ++++++++++-
 9 files changed, 96 insertions(+), 7 deletions(-)
 create mode 100644 test/integration/connect/envoy/case-ingress-gateway-tls/capture.sh
 create mode 100644 test/integration/connect/envoy/case-ingress-gateway-tls/config_entries.hcl
 create mode 100644 test/integration/connect/envoy/case-ingress-gateway-tls/gateway.hcl
 create mode 100644 test/integration/connect/envoy/case-ingress-gateway-tls/setup.sh
 create mode 100644 test/integration/connect/envoy/case-ingress-gateway-tls/vars.sh
 create mode 100644 test/integration/connect/envoy/case-ingress-gateway-tls/verify.bats
diff --git a/test/integration/connect/envoy/case-ingress-gateway-simple/config_entries.hcl b/test/integration/connect/envoy/case-ingress-gateway-simple/config_entries.hcl
index 98261eef11..94f0973a67 100644
--- a/test/integration/connect/envoy/case-ingress-gateway-simple/config_entries.hcl
+++ b/test/integration/connect/envoy/case-ingress-gateway-simple/config_entries.hcl
@@ -5,10 +5,6 @@ config_entries {
 kind = "ingress-gateway"
 name = "ingress-gateway"
 
- tls {
- enabled = true
- }
-
 listeners = [
 {
 port = 9999
diff --git a/test/integration/connect/envoy/case-ingress-gateway-simple/verify.bats b/test/integration/connect/envoy/case-ingress-gateway-simple/verify.bats
index 69078e9cce..73c09773d5 100644
--- a/test/integration/connect/envoy/case-ingress-gateway-simple/verify.bats
+++ b/test/integration/connect/envoy/case-ingress-gateway-simple/verify.bats
@@ -23,8 +23,6 @@ load helpers
 }
 
 @test "ingress should be able to connect to s1 via configured port" {
- sleep 10000
- openssl s_client -connect localhost:9999 | openssl x509 -noout -text >&3
 run retry_default curl -s -f -d hello localhost:9999
 [ "$status" -eq 0 ]
 [ "$output" = "hello" ]
diff --git a/test/integration/connect/envoy/case-ingress-gateway-tls/capture.sh b/test/integration/connect/envoy/case-ingress-gateway-tls/capture.sh
new file mode 100644
index 0000000000..41ea5cb24f
--- /dev/null
+++ b/test/integration/connect/envoy/case-ingress-gateway-tls/capture.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+snapshot_envoy_admin localhost:20000 ingress-gateway primary || true
\ No newline at end of file
diff --git a/test/integration/connect/envoy/case-ingress-gateway-tls/config_entries.hcl b/test/integration/connect/envoy/case-ingress-gateway-tls/config_entries.hcl
new file mode 100644
index 0000000000..98261eef11
--- /dev/null
+++ b/test/integration/connect/envoy/case-ingress-gateway-tls/config_entries.hcl
@@ -0,0 +1,24 @@
+enable_central_service_config = true
+
+config_entries {
+ bootstrap {
+ kind = "ingress-gateway"
+ name = "ingress-gateway"
+
+ tls {
+ enabled = true
+ }
+
+ listeners = [
+ {
+ port = 9999
+ protocol = "tcp"
+ services = [
+ {
+ name = "s1"
+ }
+ ]
+ }
+ ]
+ }
+}
diff --git a/test/integration/connect/envoy/case-ingress-gateway-tls/gateway.hcl b/test/integration/connect/envoy/case-ingress-gateway-tls/gateway.hcl
new file mode 100644
index 0000000000..781ef1851b
--- /dev/null
+++ b/test/integration/connect/envoy/case-ingress-gateway-tls/gateway.hcl
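Review bot: The `|| true` on the snapshot_envoy_admin call in capture.sh swallows a failed snapshot without explanation; that is presumably intended for a capture-only step, but an unexplained `|| true` reads like a bug to the next maintainer, so add `# best-effort: a failed admin snapshot must not fail the capture step` above it. The file also ends without a trailing newline (`\ No newline at end of file`), which several linters flag. A short comment saying which Envoy admin endpoint is being captured (localhost:20000 for the ingress-gateway) would make the one-liner self-explanatory.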
@@ -0,0 +1,4 @@
+services {
+ name = "ingress-gateway"
+ kind = "ingress-gateway"
+}
diff --git a/test/integration/connect/envoy/case-ingress-gateway-tls/setup.sh b/test/integration/connect/envoy/case-ingress-gateway-tls/setup.sh
new file mode 100644
index 0000000000..7aa6018976
--- /dev/null
+++ b/test/integration/connect/envoy/case-ingress-gateway-tls/setup.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# wait for bootstrap to apply config entries
+wait_for_config_entry ingress-gateway ingress-gateway
+
+gen_envoy_bootstrap ingress-gateway 20000 primary true
+gen_envoy_bootstrap s1 19000
+gen_envoy_bootstrap s2 19001
diff --git a/test/integration/connect/envoy/case-ingress-gateway-tls/vars.sh b/test/integration/connect/envoy/case-ingress-gateway-tls/vars.sh
new file mode 100644
index 0000000000..c97ad2ea54
--- /dev/null
+++ b/test/integration/connect/envoy/case-ingress-gateway-tls/vars.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+export REQUIRED_SERVICES="$DEFAULT_REQUIRED_SERVICES ingress-gateway-primary"
diff --git a/test/integration/connect/envoy/case-ingress-gateway-tls/verify.bats b/test/integration/connect/envoy/case-ingress-gateway-tls/verify.bats
new file mode 100644
index 0000000000..f8a22abf57
--- /dev/null
+++ b/test/integration/connect/envoy/case-ingress-gateway-tls/verify.bats
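Review bot: The trailing `true` positional in `gen_envoy_bootstrap ingress-gateway 20000 primary true` in setup.sh is an opaque flag whose meaning is not visible in this hunk and is not explained, while the two calls below it omit it; add a comment naming the option it toggles, e.g. `# 4th arg: <flag meaning> (see gen_envoy_bootstrap in helpers.bash)`, with the placeholder replaced by what the helper actually does with it. Under `set -euo pipefail` a failing wait_for_config_entry already aborts the script, so no extra check is needed there. Neither helper is defined in this file, so the script relies on the harness sourcing helpers.bash before running it — worth a one-line comment at the top if that is the convention.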
@@ -0,0 +1,34 @@
+#!/usr/bin/env bats
+
+load helpers
+
+@test "ingress proxy admin is up on :20000" {
+ retry_default curl -f -s localhost:20000/stats -o /dev/null
+}
+
+@test "s1 proxy admin is up on :19000" {
+ retry_default curl -f -s localhost:19000/stats -o /dev/null
+}
+
+@test "s2 proxy admin is up on :19001" {
+ retry_default curl -f -s localhost:19001/stats -o /dev/null
+}
+
+@test "s1 proxy listener should be up and have right cert" {
+ assert_proxy_presents_cert_uri localhost:21000 s1
+}
+
+@test "ingress-gateway should have healthy endpoints for s1" {
+ assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
+}
+
+@test "should be able to connect to s1 through the TLS-enabled ingress port" {
+ assert_dnssan_in_cert localhost:9999 '\*.ingress.consul'
+ # Use the --resolve argument to fake dns resolution for now so we can use the
+ # s1.ingress.consul domain to validate the cert
+ run retry_default curl --cacert <(get_ca_root) -s -f -d hello \
+ --resolve s1.ingress.consul:9999:127.0.0.1 \
+ https://s1.ingress.consul:9999
+ [ "$status" -eq 0 ]
+ [ "$output" = "hello" ]
+}
diff --git a/test/integration/connect/envoy/helpers.bash b/test/integration/connect/envoy/helpers.bash
index 94f4ca59f1..f14fd89272 100755
--- a/test/integration/connect/envoy/helpers.bash
+++ b/test/integration/connect/envoy/helpers.bash
@@ -100,7 +100,7 @@ function is_set { function get_cert {
 local HOSTPORT=$1
- CERT=$(openssl s_client -connect $HOSTPORT -showcerts )
+ CERT=$(openssl s_client -connect $HOSTPORT -showcerts
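Review bot: `curl --cacert <(get_ca_root)` in the last test of verify.bats hands curl a pipe path (`/dev/fd/N`) that the shell creates once when it expands the line, so if retry_default re-executes the command after a failed first attempt, every later attempt reads an already-drained pipe and sees an empty CA file, failing with a verification error instead of the original cause; a failure inside get_ca_root is also invisible from within the process substitution. Write the root CA to a file first and pass that: `ca_file=$(mktemp)`, `get_ca_root > "$ca_file"`, then `run retry_default curl --cacert "$ca_file" -s -f -d hello \` with the remaining arguments unchanged (and `rm -f -- "$ca_file"` after the assertions). That keeps the certificate-chain verification meaningful on every retry, which is the point of this test. The wildcard SAN assertion on the line above and the `--resolve` mapping for `s1.ingress.consul` look correct for validating the name against `*.ingress.consul`.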