consul/test/integration/connect/envoy/case-ingress-gateway-sds/verify.bats

67 lines
2.3 KiB
Bash

#!/usr/bin/env bats
load helpers
@test "ingress proxy admin is up on :20000" {
retry_default curl -f -s localhost:20000/stats -o /dev/null
}
@test "s1 proxy admin is up on :19000" {
retry_default curl -f -s localhost:19000/stats -o /dev/null
}
@test "s2 proxy admin is up on :19001" {
retry_default curl -f -s localhost:19001/stats -o /dev/null
}
@test "s1 proxy listener should be up and have right cert" {
assert_proxy_presents_cert_uri localhost:21000 s1
}
@test "s2 proxy listener should be up and have right cert" {
assert_proxy_presents_cert_uri localhost:21001 s2
}
@test "ingress-gateway should have healthy endpoints for s1" {
assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
}
@test "ingress-gateway should have healthy endpoints for s2" {
assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s2 HEALTHY 1
}
@test "ingress should be able to connect to s1 using Host header" {
assert_expected_fortio_name s1 https://s1.ingress.consul 9999
}
@test "ingress should be able to connect to s2 using Host header" {
assert_expected_fortio_name s2 https://s2.ingress.consul 9999
}
@test "ingress should be able to connect to s1 using a user-specified Host" {
assert_expected_fortio_name s1 https://foo.example.com 9998
}
@test "ingress should serve SDS-supplied cert for wildcard service" {
# Make sure the Cert was the one SDS served and didn't just happen to have the
# right domain from Connect.
assert_cert_signed_by_ca /workdir/test-sds-server/certs/ca-root.crt \
localhost:9999 '*.ingress.consul'
}
@test "ingress should serve SDS-supplied cert for specific service" {
# Make sure the Cert was the one SDS served and didn't just happen to have the
# right domain from Connect.
assert_cert_signed_by_ca /workdir/test-sds-server/certs/ca-root.crt \
localhost:9998 foo.example.com
}
@test "ingress should serve SDS-supplied cert for second specific service on same http listener" {
# Make sure the Cert was the one SDS served and didn't just happen to have the
# right domain from Connect. This also ensures that listeners work when we've
# had to split their routing tables due to different certs for different
# hostnames.
assert_cert_signed_by_ca /workdir/test-sds-server/certs/ca-root.crt \
localhost:9998 www.example.com
}