Add TLS integration test for ingress gateway

- Pull Consul Root CA from API in order to verify certificate chain
- Assert on the DNSSAN as well to ensure it is correct
Kyle Havlovitz 2020-04-29 02:58:35 -07:00 committed by Chris Piraino
parent 0b9ba9660d
commit d452769d92
9 changed files with 96 additions and 7 deletions


@ -5,10 +5,6 @@ config_entries {
kind = "ingress-gateway" kind = "ingress-gateway"
name = "ingress-gateway" name = "ingress-gateway"
tls {
enabled = true
}
listeners = [ listeners = [
{ {
port = 9999 port = 9999


@ -23,8 +23,6 @@ load helpers
} }
@test "ingress should be able to connect to s1 via configured port" { @test "ingress should be able to connect to s1 via configured port" {
sleep 10000
openssl s_client -connect localhost:9999 | openssl x509 -noout -text >&3
run retry_default curl -s -f -d hello localhost:9999 run retry_default curl -s -f -d hello localhost:9999
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
[ "$output" = "hello" ] [ "$output" = "hello" ]


@ -0,0 +1,3 @@
#!/bin/bash
snapshot_envoy_admin localhost:20000 ingress-gateway primary || true


@ -0,0 +1,24 @@
enable_central_service_config = true
config_entries {
bootstrap {
kind = "ingress-gateway"
name = "ingress-gateway"
tls {
enabled = true
}
listeners = [
{
port = 9999
protocol = "tcp"
services = [
{
name = "s1"
}
]
}
]
}
}


@ -0,0 +1,4 @@
services {
name = "ingress-gateway"
kind = "ingress-gateway"
}


@ -0,0 +1,10 @@
#!/bin/bash
set -euo pipefail
# wait for bootstrap to apply config entries
wait_for_config_entry ingress-gateway ingress-gateway
gen_envoy_bootstrap ingress-gateway 20000 primary true
gen_envoy_bootstrap s1 19000
gen_envoy_bootstrap s2 19001
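Review bot: The fourth argument on `gen_envoy_bootstrap ingress-gateway 20000 primary true` is a bare boolean that says nothing about what it switches on, while the s1 and s2 lines directly below pass only a name and a port, so a reader cannot tell from this file why the gateway is special. gen_envoy_bootstrap itself is not in this page, so I cannot name the flag, but a one-line comment above that call stating what the trailing `true` enables (and why only the gateway needs it) would spare the next maintainer a trip into helpers.bash.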


@ -0,0 +1,3 @@
#!/bin/bash
export REQUIRED_SERVICES="$DEFAULT_REQUIRED_SERVICES ingress-gateway-primary"


@ -0,0 +1,34 @@
#!/usr/bin/env bats
load helpers
@test "ingress proxy admin is up on :20000" {
retry_default curl -f -s localhost:20000/stats -o /dev/null
}
@test "s1 proxy admin is up on :19000" {
retry_default curl -f -s localhost:19000/stats -o /dev/null
}
@test "s2 proxy admin is up on :19001" {
retry_default curl -f -s localhost:19001/stats -o /dev/null
}
@test "s1 proxy listener should be up and have right cert" {
assert_proxy_presents_cert_uri localhost:21000 s1
}
@test "ingress-gateway should have healthy endpoints for s1" {
assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
}
@test "should be able to connect to s1 through the TLS-enabled ingress port" {
assert_dnssan_in_cert localhost:9999 '\*.ingress.consul'
# Use the --resolve argument to fake dns resolution for now so we can use the
# s1.ingress.consul domain to validate the cert
run retry_default curl --cacert <(get_ca_root) -s -f -d hello \
--resolve s1.ingress.consul:9999:127.0.0.1 \
https://s1.ingress.consul:9999
[ "$status" -eq 0 ]
[ "$output" = "hello" ]
}
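Review bot: The CA handed to curl via `--cacert <(get_ca_root)` on the `run retry_default curl ...` line is a process substitution, so the pipe behind it is drained by the first attempt that reaches the TLS handshake; if `retry_default` (defined outside this page) re-invokes the command, later attempts reopen an exhausted `/dev/fd` path and validate against an empty CA bundle, so the retry loop can never recover from a TLS-level failure. Fetching the root once into a file removes that dependency: `CA_FILE=$(mktemp); get_ca_root > "$CA_FILE"` before the `run`, then `curl --cacert "$CA_FILE" ...`. Separately, the pattern in `assert_dnssan_in_cert localhost:9999 '\*.ingress.consul'` is used by the helper as an extended regex, so the unescaped dots match any character; `'\*\.ingress\.consul'` pins the exact SAN the test is meant to assert on.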


@ -100,7 +100,7 @@ function is_set {
function get_cert { function get_cert {
local HOSTPORT=$1 local HOSTPORT=$1
CERT=$(openssl s_client -connect $HOSTPORT -showcerts ) CERT=$(openssl s_client -connect $HOSTPORT -showcerts </dev/null)
openssl x509 -noout -text <<< "$CERT" openssl x509 -noout -text <<< "$CERT"
} }
@ -120,6 +120,19 @@ function assert_proxy_presents_cert_uri {
echo "$CERT" | grep -Eo "URI:spiffe://([a-zA-Z0-9-]+).consul/ns/${NS}/dc/${DC}/svc/$SERVICENAME" echo "$CERT" | grep -Eo "URI:spiffe://([a-zA-Z0-9-]+).consul/ns/${NS}/dc/${DC}/svc/$SERVICENAME"
} }
function assert_dnssan_in_cert {
local HOSTPORT=$1
local DNSSAN=$2
CERT=$(retry_default get_cert $HOSTPORT)
echo "WANT DNSSAN: ${DNSSAN}"
echo "GOT CERT:"
echo "$CERT"
echo "$CERT" | grep -Eo "DNS:${DNSSAN}"
}
function assert_envoy_version { function assert_envoy_version {
local ADMINPORT=$1 local ADMINPORT=$1
run retry_default curl -f -s localhost:$ADMINPORT/server_info run retry_default curl -f -s localhost:$ADMINPORT/server_info
@ -619,6 +632,10 @@ function update_intention {
return $? return $?
} }
function get_ca_root {
curl -s -f "http://localhost:8500/v1/connect/ca/roots" | jq -r ".Roots[0].RootCert"
}
function wait_for_agent_service_register { function wait_for_agent_service_register {
local SERVICE_ID=$1 local SERVICE_ID=$1
local DC=${2:-primary} local DC=${2:-primary}
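Review bot: `get_ca_root` selects `.Roots[0].RootCert`, but the `/v1/connect/ca/roots` response can carry several roots (for example during CA rotation) and index 0 is not guaranteed to be the active one; selecting on the root's `Active` field, `jq -r '.Roots[] | select(.Active) | .RootCert'`, ties the test to the CA that actually signed the leaf (or emit every RootCert if the intent is to trust all current roots). On the same line, `curl -s -f ... | jq -r` produces an empty string when the API call fails, because jq's exit status becomes the pipeline's status unless helpers.bash runs under `set -o pipefail` (not visible here); the caller then verifies against an empty CA bundle and the failure surfaces as a confusing TLS error rather than as an unreachable agent. In `assert_dnssan_in_cert`, `grep -Eo "DNS:${DNSSAN}"` has no trailing boundary, so a SAN that merely starts with the wanted name also passes; `grep -Eo "DNS:${DNSSAN}(,|$)"` anchors on the `, ` separator openssl prints between SAN entries. The first and last hunks of this section cut `get_cert` and `wait_for_agent_service_register` at their edges.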