Add TLS integration test for ingress gateway
- Pull Consul Root CA from API in order to verify certificate chain - Assert on the DNSSAN as well to ensure it is correct
This commit is contained in:
parent
0b9ba9660d
commit
d452769d92
@ -5,10 +5,6 @@ config_entries {
kind = "ingress-gateway"
name = "ingress-gateway"
tls {
enabled = true
}
listeners = [
{
port = 9999
@ -23,8 +23,6 @@ load helpers
}
@test "ingress should be able to connect to s1 via configured port" {
sleep 10000
openssl s_client -connect localhost:9999 | openssl x509 -noout -text >&3
run retry_default curl -s -f -d hello localhost:9999
[ "$status" -eq 0 ]
[ "$output" = "hello" ]
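--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+snapshot_envoy_admin localhost:20000 ingress-gateway primary || true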
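--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,24 @@
+enable_central_service_config = true
+
+config_entries {
+bootstrap {
+kind = "ingress-gateway"
+name = "ingress-gateway"
+
+tls {
+enabled = true
+}
+
+listeners = [
+{
+port = 9999
+protocol = "tcp"
+services = [
+{
+name = "s1"
+}
+]
+}
+]
+}
+}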
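--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+services {
+name = "ingress-gateway"
+kind = "ingress-gateway"
+}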
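--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# wait for bootstrap to apply config entries
+wait_for_config_entry ingress-gateway ingress-gateway
+
+gen_envoy_bootstrap ingress-gateway 20000 primary true
+gen_envoy_bootstrap s1 19000
+gen_envoy_bootstrap s2 19001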
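--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+export REQUIRED_SERVICES="$DEFAULT_REQUIRED_SERVICES ingress-gateway-primary"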
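--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,34 @@
+#!/usr/bin/env bats
+
+load helpers
+
+@test "ingress proxy admin is up on :20000" {
+retry_default curl -f -s localhost:20000/stats -o /dev/null
+}
+
+@test "s1 proxy admin is up on :19000" {
+retry_default curl -f -s localhost:19000/stats -o /dev/null
+}
+
+@test "s2 proxy admin is up on :19001" {
+retry_default curl -f -s localhost:19001/stats -o /dev/null
+}
+
+@test "s1 proxy listener should be up and have right cert" {
+assert_proxy_presents_cert_uri localhost:21000 s1
+}
+
+@test "ingress-gateway should have healthy endpoints for s1" {
+assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
+}
+
+@test "should be able to connect to s1 through the TLS-enabled ingress port" {
+assert_dnssan_in_cert localhost:9999 '\*.ingress.consul'
+# Use the --resolve argument to fake dns resolution for now so we can use the
+# s1.ingress.consul domain to validate the cert
+run retry_default curl --cacert <(get_ca_root) -s -f -d hello \
+--resolve s1.ingress.consul:9999:127.0.0.1 \
+https://s1.ingress.consul:9999
+[ "$status" -eq 0 ]
+[ "$output" = "hello" ]
+}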
@ -100,7 +100,7 @@ function is_set {
function get_cert {
local HOSTPORT=$1
CERT=$(openssl s_client -connect $HOSTPORT -showcerts )
CERT=$(openssl s_client -connect $HOSTPORT -showcerts </dev/null)
openssl x509 -noout -text <<< "$CERT"
}
@ -120,6 +120,19 @@ function assert_proxy_presents_cert_uri {
echo "$CERT" | grep -Eo "URI:spiffe://([a-zA-Z0-9-]+).consul/ns/${NS}/dc/${DC}/svc/$SERVICENAME"
}
function assert_dnssan_in_cert {
local HOSTPORT=$1
local DNSSAN=$2
CERT=$(retry_default get_cert $HOSTPORT)
echo "WANT DNSSAN: ${DNSSAN}"
echo "GOT CERT:"
echo "$CERT"
echo "$CERT" | grep -Eo "DNS:${DNSSAN}"
}
function assert_envoy_version {
local ADMINPORT=$1
run retry_default curl -f -s localhost:$ADMINPORT/server_info
@ -619,6 +632,10 @@ function update_intention {
return $?
}
function get_ca_root {
curl -s -f "http://localhost:8500/v1/connect/ca/roots" | jq -r ".Roots[0].RootCert"
}
function wait_for_agent_service_register {
local SERVICE_ID=$1
local DC=${2:-primary}
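Review bot: In the new assert_dnssan_in_cert the DNSSAN argument is spliced into an extended regex (`echo "$CERT" | grep -Eo "DNS:${DNSSAN}"`), which forces the caller in the new bats file to write `'\*.ingress.consul'` and still leaves the dots as wildcards; either match a literal, `echo "$CERT" | grep -F -o -- "DNS:${DNSSAN}"`, with callers passing the plain SAN, or put a comment above the function stating that `$2` is an ERE the caller must escape. `CERT` is assigned without `local` in both get_cert and assert_dnssan_in_cert, so it leaks into the calling shell; `local CERT` on those lines keeps the helpers self-contained. In get_ca_root the pipeline's status is jq's, and jq exits 0 on empty input, so a failed `curl -s -f` is masked and the function returns success with empty output unless pipefail is enabled where helpers are loaded (not visible here); capturing the curl output first, `ROOTS=$(curl -s -f "http://localhost:8500/v1/connect/ca/roots") || return`, then piping into jq makes the failure visible. assert_proxy_presents_cert_uri, assert_envoy_version, update_intention and wait_for_agent_service_register are only partially shown in this section.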