Add TLS integration test for ingress gateway
- Pull the Consul root CA from the API in order to verify the certificate chain - Assert on the DNSSAN as well to ensure it is correct
This commit is contained in:
parent
0b9ba9660d
commit
d452769d92
@ -5,10 +5,6 @@ config_entries {
|
|||||||
kind = "ingress-gateway"
|
kind = "ingress-gateway"
|
||||||
name = "ingress-gateway"
|
name = "ingress-gateway"
|
||||||
|
|
||||||
tls {
|
|
||||||
enabled = true
|
|
||||||
}
|
|
||||||
|
|
||||||
listeners = [
|
listeners = [
|
||||||
{
|
{
|
||||||
port = 9999
|
port = 9999
|
||||||
|
@ -23,8 +23,6 @@ load helpers
|
|||||||
}
|
}
|
||||||
|
|
||||||
@test "ingress should be able to connect to s1 via configured port" {
|
@test "ingress should be able to connect to s1 via configured port" {
|
||||||
sleep 10000
|
|
||||||
openssl s_client -connect localhost:9999 | openssl x509 -noout -text >&3
|
|
||||||
run retry_default curl -s -f -d hello localhost:9999
|
run retry_default curl -s -f -d hello localhost:9999
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
[ "$output" = "hello" ]
|
[ "$output" = "hello" ]
|
||||||
|
@ -0,0 +1,3 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
snapshot_envoy_admin localhost:20000 ingress-gateway primary || true
|
@ -0,0 +1,24 @@
|
|||||||
|
enable_central_service_config = true
|
||||||
|
|
||||||
|
config_entries {
|
||||||
|
bootstrap {
|
||||||
|
kind = "ingress-gateway"
|
||||||
|
name = "ingress-gateway"
|
||||||
|
|
||||||
|
tls {
|
||||||
|
enabled = true
|
||||||
|
}
|
||||||
|
|
||||||
|
listeners = [
|
||||||
|
{
|
||||||
|
port = 9999
|
||||||
|
protocol = "tcp"
|
||||||
|
services = [
|
||||||
|
{
|
||||||
|
name = "s1"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,4 @@
|
|||||||
|
services {
|
||||||
|
name = "ingress-gateway"
|
||||||
|
kind = "ingress-gateway"
|
||||||
|
}
|
@ -0,0 +1,10 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
# wait for bootstrap to apply config entries
|
||||||
|
wait_for_config_entry ingress-gateway ingress-gateway
|
||||||
|
|
||||||
|
gen_envoy_bootstrap ingress-gateway 20000 primary true
|
||||||
|
gen_envoy_bootstrap s1 19000
|
||||||
|
gen_envoy_bootstrap s2 19001
|
@ -0,0 +1,3 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
export REQUIRED_SERVICES="$DEFAULT_REQUIRED_SERVICES ingress-gateway-primary"
|
@ -0,0 +1,34 @@
|
|||||||
|
#!/usr/bin/env bats
|
||||||
|
|
||||||
|
load helpers
|
||||||
|
|
||||||
|
@test "ingress proxy admin is up on :20000" {
|
||||||
|
retry_default curl -f -s localhost:20000/stats -o /dev/null
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "s1 proxy admin is up on :19000" {
|
||||||
|
retry_default curl -f -s localhost:19000/stats -o /dev/null
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "s2 proxy admin is up on :19001" {
|
||||||
|
retry_default curl -f -s localhost:19001/stats -o /dev/null
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "s1 proxy listener should be up and have right cert" {
|
||||||
|
assert_proxy_presents_cert_uri localhost:21000 s1
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "ingress-gateway should have healthy endpoints for s1" {
|
||||||
|
assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "should be able to connect to s1 through the TLS-enabled ingress port" {
|
||||||
|
assert_dnssan_in_cert localhost:9999 '\*.ingress.consul'
|
||||||
|
# Use the --resolve argument to fake dns resolution for now so we can use the
|
||||||
|
# s1.ingress.consul domain to validate the cert
|
||||||
|
run retry_default curl --cacert <(get_ca_root) -s -f -d hello \
|
||||||
|
--resolve s1.ingress.consul:9999:127.0.0.1 \
|
||||||
|
https://s1.ingress.consul:9999
|
||||||
|
[ "$status" -eq 0 ]
|
||||||
|
[ "$output" = "hello" ]
|
||||||
|
}
|
@ -100,7 +100,7 @@ function is_set {
|
|||||||
|
|
||||||
function get_cert {
|
function get_cert {
|
||||||
local HOSTPORT=$1
|
local HOSTPORT=$1
|
||||||
CERT=$(openssl s_client -connect $HOSTPORT -showcerts )
|
CERT=$(openssl s_client -connect $HOSTPORT -showcerts </dev/null)
|
||||||
openssl x509 -noout -text <<< "$CERT"
|
openssl x509 -noout -text <<< "$CERT"
|
||||||
}
|
}
|
||||||
|
|
||||||
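Review bot: `CERT=$(openssl s_client -connect $HOSTPORT -showcerts </dev/null)` still assigns CERT without `local` and expands `$HOSTPORT` unquoted; the `</dev/null` addition is the right fix for the hang, but the variable now leaks into the calling shell's scope. Change it to `local CERT` on its own line followed by `CERT=$(openssl s_client -connect "$HOSTPORT" -showcerts </dev/null)`. A one-line comment such as `# openssl x509 parses only the first PEM block, so only the leaf is printed despite -showcerts` would also save readers of the new assert_dnssan_in_cert from expecting the chain.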
@ -120,6 +120,19 @@ function assert_proxy_presents_cert_uri {
|
|||||||
echo "$CERT" | grep -Eo "URI:spiffe://([a-zA-Z0-9-]+).consul/ns/${NS}/dc/${DC}/svc/$SERVICENAME"
|
echo "$CERT" | grep -Eo "URI:spiffe://([a-zA-Z0-9-]+).consul/ns/${NS}/dc/${DC}/svc/$SERVICENAME"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function assert_dnssan_in_cert {
|
||||||
|
local HOSTPORT=$1
|
||||||
|
local DNSSAN=$2
|
||||||
|
|
||||||
|
CERT=$(retry_default get_cert $HOSTPORT)
|
||||||
|
|
||||||
|
echo "WANT DNSSAN: ${DNSSAN}"
|
||||||
|
echo "GOT CERT:"
|
||||||
|
echo "$CERT"
|
||||||
|
|
||||||
|
echo "$CERT" | grep -Eo "DNS:${DNSSAN}"
|
||||||
|
}
|
||||||
|
|
||||||
function assert_envoy_version {
|
function assert_envoy_version {
|
||||||
local ADMINPORT=$1
|
local ADMINPORT=$1
|
||||||
run retry_default curl -f -s localhost:$ADMINPORT/server_info
|
run retry_default curl -f -s localhost:$ADMINPORT/server_info
|
||||||
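Review bot: `echo "$CERT" | grep -Eo "DNS:${DNSSAN}"` uses DNSSAN as an extended regex, so the caller's `'\*.ingress.consul'` escapes only the star while the dots match any character, and nothing terminates the match at the end of the SAN entry. Either match literally, `echo "$CERT" | grep -o -F -- "DNS:${DNSSAN}"`, with the test passing the plain `'*.ingress.consul'`, or keep the regex, anchor it as `grep -Eo "DNS:${DNSSAN}(,|$)"`, and add a header comment stating that DNSSAN is an ERE whose metacharacters the caller must escape. `$HOSTPORT` on the get_cert line should be quoted as well, matching the local declarations above it.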
@ -619,6 +632,10 @@ function update_intention {
|
|||||||
return $?
|
return $?
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function get_ca_root {
|
||||||
|
curl -s -f "http://localhost:8500/v1/connect/ca/roots" | jq -r ".Roots[0].RootCert"
|
||||||
|
}
|
||||||
|
|
||||||
function wait_for_agent_service_register {
|
function wait_for_agent_service_register {
|
||||||
local SERVICE_ID=$1
|
local SERVICE_ID=$1
|
||||||
local DC=${2:-primary}
|
local DC=${2:-primary}
|
||||||
|
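Review bot: `jq -r ".Roots[0].RootCert"` trusts only the first root in the response, which is not necessarily the root that signed the current leaf certificates: during a CA rotation the roots endpoint lists more than one root (the response carries an ActiveRootID and each root an Active flag, if I recall the API correctly), and a leaf issued by the other root would then make the new ingress TLS test fail for reasons unrelated to the gateway. Emitting every root, `jq -r '.Roots[].RootCert'`, yields a PEM bundle curl accepts and keeps the trusted set equal to what the agent reports. Separately, when the curl fails the pipeline's status is jq's, so the function returns 0 with empty output and the caller only sees a verification error later; split it as `local roots; roots=$(curl -sS -f "http://localhost:8500/v1/connect/ca/roots") || return 1` before piping into jq.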