istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

add a test for ingress SNI passthrough (#7380) 

* add a test

* fix path

* fix lint 1

* fix lint 2

* hope to get lint pass now

* Update content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md

Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>

* Update content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md

Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>

* Update tests/trafficmanagement/ingress/scripts/ingress_sni_passthrough.sh

Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>

* Update tests/trafficmanagement/ingress/scripts/ingress_sni_passthrough.sh

Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>

* Update tests/trafficmanagement/ingress/scripts/ingress_sni_passthrough.sh

Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>

* Update tests/trafficmanagement/ingress/scripts/ingress_sni_passthrough.sh

Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>

* Update tests/trafficmanagement/ingress/scripts/ingress_sni_passthrough.sh

Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>

* add fix from frank

* fix name

* update output

* mark test: yes

Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
This commit is contained in:
Lin Sun 2020-05-27 14:38:07 -04:00 committed by GitHub
parent e11cf24f0d
commit a5fceca006
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 335 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md
View File

@ -5,7 +5,7 @@ weight: 30
keywords: [traffic-management,ingress,https]
aliases:
- /docs/examples/advanced-gateways/ingress-sni-passthrough/
test: no
test: yes
---
The [Securing Gateways with HTTPS](/docs/tasks/traffic-management/ingress/secure-ingress/) task describes how to configure HTTPS
@ -46,7 +46,7 @@ For this task you can use your favorite tool to generate certificates and keys.
1. Create a configuration file for the NGINX server:
{{< text bash >}}
$ cat <<EOF > ./nginx.conf
$ cat <<\EOF > ./nginx.conf
events {
}
@ -133,31 +133,27 @@ to hold the configuration of the NGINX server:
1. To test that the NGINX server was deployed successfully, send a request to the server from its sidecar proxy
without checking the server's certificate (use the `-k` option of `curl`). Ensure that the server's certificate is
printed correctly, i.e., `common name` is equal to `nginx.example.com`.
printed correctly, i.e., `common name (CN)` is equal to `nginx.example.com`.
{{< text bash >}}
$ kubectl exec -it $(kubectl get pod -l run=my-nginx -o jsonpath={.items..metadata.name}) -c istio-proxy -- curl -v -k --resolve nginx.example.com:443:127.0.0.1 https://nginx.example.com
$ kubectl exec -it "$(kubectl get pod -l run=my-nginx -o jsonpath={.items..metadata.name})" -c istio-proxy -- curl -v -k --resolve nginx.example.com:443:127.0.0.1 https://nginx.example.com
...
SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
server certificate verification SKIPPED
server certificate status verification SKIPPED
common name: nginx.example.com (matched)
server certificate expiration date OK
server certificate activation date OK
certificate public key: RSA
certificate version: #3
SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
ALPN, server accepted to use http/1.1
Server certificate:
subject: CN=nginx.example.com; O=some organization
start date: Wed, 15 Aug 2018 07:29:07 GMT
expire date: Sun, 25 Aug 2019 07:29:07 GMT
start date: May 27 14:18:47 2020 GMT
expire date: May 27 14:18:47 2021 GMT
issuer: O=example Inc.; CN=example.com
SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> User-Agent: curl/7.58.0
> Host: nginx.example.com
...
< HTTP/1.1 200 OK
< Server: nginx/1.15.2
< Server: nginx/1.17.10
...
<!DOCTYPE html>
<html>
@ -226,7 +222,7 @@ to hold the configuration of the NGINX server:
it is successfully verified (_SSL certificate verify ok_ is printed).
{{< text bash >}}
$ curl -v --resolve nginx.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST --cacert example.com.crt https://nginx.example.com:$SECURE_INGRESS_PORT
$ curl -v --resolve "nginx.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST" --cacert example.com.crt "https://nginx.example.com:$SECURE_INGRESS_PORT"
Server certificate:
subject: CN=nginx.example.com; O=some organization
start date: Wed, 15 Aug 2018 07:29:07 GMT

227
content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/snips.sh Normal file
View File

@ -0,0 +1,227 @@
#!/bin/bash
# shellcheck disable=SC2034,SC2153,SC2155
# Copyright Istio Authors. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
####################################################################################################
# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
# docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md
####################################################################################################
snip_generate_client_and_server_certificates_and_keys_1() {
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt
}
snip_generate_client_and_server_certificates_and_keys_2() {
openssl req -out nginx.example.com.csr -newkey rsa:2048 -nodes -keyout nginx.example.com.key -subj "/CN=nginx.example.com/O=some organization"
openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in nginx.example.com.csr -out nginx.example.com.crt
}
snip_deploy_an_nginx_server_1() {
kubectl create secret tls nginx-server-certs --key nginx.example.com.key --cert nginx.example.com.crt
}
snip_deploy_an_nginx_server_2() {
cat <<\EOF > ./nginx.conf
events {
}
http {
log_format main '$remote_addr - $remote_user [$time_local] $status '
'"$request" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log;
server {
listen 443 ssl;
root /usr/share/nginx/html;
index index.html;
server_name nginx.example.com;
ssl_certificate /etc/nginx-server-certs/tls.crt;
ssl_certificate_key /etc/nginx-server-certs/tls.key;
}
}
EOF
}
snip_deploy_an_nginx_server_3() {
kubectl create configmap nginx-configmap --from-file=nginx.conf=./nginx.conf
}
snip_deploy_an_nginx_server_4() {
cat <<EOF | istioctl kube-inject -f - | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
name: my-nginx
labels:
run: my-nginx
spec:
ports:
- port: 443
protocol: TCP
selector:
run: my-nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-nginx
spec:
selector:
matchLabels:
run: my-nginx
replicas: 1
template:
metadata:
labels:
run: my-nginx
spec:
containers:
- name: my-nginx
image: nginx
ports:
- containerPort: 443
volumeMounts:
- name: nginx-config
mountPath: /etc/nginx
readOnly: true
- name: nginx-server-certs
mountPath: /etc/nginx-server-certs
readOnly: true
volumes:
- name: nginx-config
configMap:
name: nginx-configmap
- name: nginx-server-certs
secret:
secretName: nginx-server-certs
EOF
}
snip_deploy_an_nginx_server_5() {
kubectl exec -it "$(kubectl get pod -l run=my-nginx -o jsonpath={.items..metadata.name})" -c istio-proxy -- curl -v -k --resolve nginx.example.com:443:127.0.0.1 https://nginx.example.com
}
! read -r -d '' snip_deploy_an_nginx_server_5_out <<\ENDSNIP
...
SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
ALPN, server accepted to use http/1.1
Server certificate:
subject: CN=nginx.example.com; O=some organization
start date: May 27 14:18:47 2020 GMT
expire date: May 27 14:18:47 2021 GMT
issuer: O=example Inc.; CN=example.com
SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.58.0
> Host: nginx.example.com
...
< HTTP/1.1 200 OK
< Server: nginx/1.17.10
...
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
...
ENDSNIP
snip_configure_an_ingress_gateway_1() {
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: mygateway
spec:
selector:
istio: ingressgateway # use istio default ingress gateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: PASSTHROUGH
hosts:
- nginx.example.com
EOF
}
snip_configure_an_ingress_gateway_2() {
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: nginx
spec:
hosts:
- nginx.example.com
gateways:
- mygateway
tls:
- match:
- port: 443
sniHosts:
- nginx.example.com
route:
- destination:
host: my-nginx
port:
number: 443
EOF
}
snip_configure_an_ingress_gateway_3() {
curl -v --resolve "nginx.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST" --cacert example.com.crt "https://nginx.example.com:$SECURE_INGRESS_PORT"
}
! read -r -d '' snip_configure_an_ingress_gateway_3_out <<\ENDSNIP
Server certificate:
subject: CN=nginx.example.com; O=some organization
start date: Wed, 15 Aug 2018 07:29:07 GMT
expire date: Sun, 25 Aug 2019 07:29:07 GMT
issuer: O=example Inc.; CN=example.com
SSL certificate verify ok.
< HTTP/1.1 200 OK
< Server: nginx/1.15.2
...
<html>
<head>
<title>Welcome to nginx!</title>
ENDSNIP
snip_cleanup_1() {
kubectl delete secret nginx-server-certs
kubectl delete configmap nginx-configmap
kubectl delete service my-nginx
kubectl delete deployment my-nginx
kubectl delete gateway mygateway
kubectl delete virtualservice nginx
}
snip_cleanup_2() {
rm example.com.crt example.com.key nginx.example.com.crt nginx.example.com.key nginx.example.com.csr
}
snip_cleanup_3() {
rm ./nginx.conf
}

44
tests/trafficmanagement/ingress/ingress_sni_passthrough_test.go Normal file
View File

@ -0,0 +1,44 @@
// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package ingress
import (
"testing"
"istio.io/istio/pkg/test/framework"
"istio.io/istio.io/pkg/test/istioio"
)
func TestIngressSNIPassthrough(t *testing.T) {
framework.
NewTest(t).
Run(istioio.NewBuilder("tasks__traffic_management__ingress_sni_passthrough").
Add(istioio.Script{
Input: istioio.Path("scripts/ingress_sni_passthrough.sh"),
}).
Defer(istioio.Script{
Input: istioio.Inline{
FileName: "cleanup.sh",
Value: `
set +e # ignore cleanup errors
source ${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/snips.sh
snip_cleanup_1
snip_cleanup_2
snip_cleanup_3`,
},
}).
Build())
}

51
tests/trafficmanagement/ingress/scripts/ingress_sni_passthrough.sh Normal file
View File

@ -0,0 +1,51 @@
#!/usr/bin/env bash
# shellcheck disable=SC1090,SC2154
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
set -u
set -o pipefail
source "${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/snips.sh"
source "${REPO_ROOT}/tests/util/samples.sh"
kubectl label namespace default istio-injection=enabled --overwrite
# Generate client and server certificates and keys
snip_generate_client_and_server_certificates_and_keys_1
snip_generate_client_and_server_certificates_and_keys_2
# Deploy an NGINX server
snip_deploy_an_nginx_server_1
snip_deploy_an_nginx_server_2
snip_deploy_an_nginx_server_3
snip_deploy_an_nginx_server_4
# waiting for nginx deployment to start
sample_wait_for_deployment default my-nginx
# validate NGINX server was deployed successfully
_run_and_verify_contains snip_deploy_an_nginx_server_5 "subject: CN=nginx.example.com"
# configure an ingress gateway
snip_configure_an_ingress_gateway_1
snip_configure_an_ingress_gateway_2
# validate the output
_run_and_verify_contains snip_configure_an_ingress_gateway_3 "SSL certificate verify ok."