Add Envoy integration test for split-route SDS case

2021-09-23 10:17:03 +01:00 · 2021-09-23 10:17:03 +01:00 · e0efb420f7
parent ab27214a10
commit e0efb420f7
3 changed files with 22 additions and 2 deletions
--- a/test/integration/connect/envoy/case-ingress-gateway-sds/config_entries.hcl
+++ b/test/integration/connect/envoy/case-ingress-gateway-sds/config_entries.hcl
@ -40,6 +40,17 @@ config_entries {
                  cert_resource = "foo.example.com"
                }
              }
+            },
+            {
+              # Route to s2 on a differet domain with different cert
+              name  = "s2"
+              hosts = ["www.example.com"]
+                tls {
+                sds {
+                  cluster_name = "sds-cluster"
+                  cert_resource = "www.example.com"
+                }
+              }
            }
          ]
        }
--- a/test/integration/connect/envoy/case-ingress-gateway-sds/service_gateway.hcl
+++ b/test/integration/connect/envoy/case-ingress-gateway-sds/service_gateway.hcl
@ -13,7 +13,7 @@ services {
      #           http2_protocol_options:
      #
      # But that breaks 1.15 and 1.16. For now use this which is supported by
-      # all our supported versions# to avoid needing to setup different
+      # all our supported versions to avoid needing to setup different
      # bootstrap based on the envoy version.
      envoy_extra_static_clusters_json = <<EOF
 {
--- a/test/integration/connect/envoy/case-ingress-gateway-sds/verify.bats
+++ b/test/integration/connect/envoy/case-ingress-gateway-sds/verify.bats
@ -46,7 +46,7 @@ load helpers
  # Make sure the Cert was the one SDS served and didn't just happen to have the
  # right domain from Connect.
  assert_cert_signed_by_ca /workdir/test-sds-server/certs/ca-root.crt \
-    localhost:9999 *.ingress.consul
+    localhost:9999 '*.ingress.consul'
 }

@test "ingress should serve SDS-supplied cert for specific service" {
@ -55,3 +55,12 @@ load helpers
  assert_cert_signed_by_ca /workdir/test-sds-server/certs/ca-root.crt \
    localhost:9998 foo.example.com
 }
+
+@test "ingress should serve SDS-supplied cert for second specific service on same http listener" {
+  # Make sure the Cert was the one SDS served and didn't just happen to have the
+  # right domain from Connect. This also ensures that listeners work when we've
+  # had to split their routing tables due to different certs for different
+  # hostnames.
+  assert_cert_signed_by_ca /workdir/test-sds-server/certs/ca-root.crt \
+    localhost:9998 www.example.com
+}