Andrew Stucki b3ddd4d24e
Inline API Gateway TLS cert code (#16295)
* Include secret type when building resources from config snapshot

* First pass at generating envoy secrets from api-gateway snapshot

* Update comments for xDS update order

* Add secret type + corresponding golden files to existing tests

* Initialize test helpers for testing api-gateway resource generation

* Generate golden files for new api-gateway xDS resource test

* Support ADS for TLS certificates on api-gateway

* Configure TLS on api-gateway listeners

* Inline TLS cert code

* update tests

* Add SNI support so we can have multiple certificates

* Remove commented out section from helper

* regen deep-copy

* Add tcp tls test

---------

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2023-02-17 12:46:03 -05:00

48 lines
1.9 KiB
Bash

#!/usr/bin/env bats
load helpers
@test "api gateway proxy admin is up on :20000" {
retry_default curl -f -s localhost:20000/stats -o /dev/null
}
@test "api gateway should have be accepted and not conflicted" {
assert_config_entry_status Accepted True Accepted primary api-gateway api-gateway
assert_config_entry_status Conflicted False NoConflict primary api-gateway api-gateway
}
@test "api gateway should have healthy endpoints for s1" {
assert_config_entry_status Bound True Bound primary http-route api-gateway-route-one
assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
}
@test "api gateway should have healthy endpoints for s2" {
assert_config_entry_status Bound True Bound primary http-route api-gateway-route-two
assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s2 HEALTHY 1
}
@test "api gateway should be able to connect to s1 via configured port" {
run retry_long curl -sk -f -d hello https://localhost:9999
[[ "$output" == *"hello"* ]]
}
@test "api gateway should be able to serve host.consul.example traffic on listener 1" {
assert_cert_has_cn localhost:9999 host.consul.example host.consul.example
}
@test "api gateway should be able to serve all other traffic with the host.consul.example certificate on listener 1" {
assert_cert_has_cn localhost:9999 host.consul.example other.consul.example
}
@test "api gateway should get an intentions error connecting to s2 via configured port" {
run retry_default sh -c "curl -sk https://localhost:9998 | grep RBAC"
[[ "$output" == "RBAC: access denied" ]]
}
@test "api gateway should be able to serve listener 2 with the other.consul.example certificate" {
assert_cert_has_cn localhost:9998 other.consul.example other.consul.example
}
@test "api gateway should fall back to a connect certificate on conflicted SNI on listener 2" {
assert_cert_has_cn localhost:9998 pri host.consul.example
}