From a5fceca0062002b31f1bd6753278f06f138ac1fe Mon Sep 17 00:00:00 2001 From: Lin Sun Date: Wed, 27 May 2020 14:38:07 -0400 Subject: [PATCH] add a test for ingress SNI passthrough (#7380) * add a test * fix path * fix lint 1 * fix lint 2 * hope to get lint pass now * Update content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md Co-authored-by: Frank Budinsky * Update content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md Co-authored-by: Frank Budinsky * Update tests/trafficmanagement/ingress/scripts/ingress_sni_passthrough.sh Co-authored-by: Frank Budinsky * Update tests/trafficmanagement/ingress/scripts/ingress_sni_passthrough.sh Co-authored-by: Frank Budinsky * Update tests/trafficmanagement/ingress/scripts/ingress_sni_passthrough.sh Co-authored-by: Frank Budinsky * Update tests/trafficmanagement/ingress/scripts/ingress_sni_passthrough.sh Co-authored-by: Frank Budinsky * Update tests/trafficmanagement/ingress/scripts/ingress_sni_passthrough.sh Co-authored-by: Frank Budinsky * add fix from frank * fix name * update output * mark test: yes Co-authored-by: Frank Budinsky --- .../ingress/ingress-sni-passthrough/index.md | 30 +-- .../ingress/ingress-sni-passthrough/snips.sh | 227 ++++++++++++++++++ .../ingress/ingress_sni_passthrough_test.go | 44 ++++ .../scripts/ingress_sni_passthrough.sh | 51 ++++ 4 files changed, 335 insertions(+), 17 deletions(-) create mode 100644 content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/snips.sh create mode 100644 tests/trafficmanagement/ingress/ingress_sni_passthrough_test.go create mode 100644 tests/trafficmanagement/ingress/scripts/ingress_sni_passthrough.sh diff --git a/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md b/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md index 4dfb1afba2..b348134ab8 100644 --- a/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md 
+++ b/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md @@ -5,7 +5,7 @@ weight: 30 keywords: [traffic-management,ingress,https] aliases: - /docs/examples/advanced-gateways/ingress-sni-passthrough/ -test: no +test: yes --- The [Securing Gateways with HTTPS](/docs/tasks/traffic-management/ingress/secure-ingress/) task describes how to configure HTTPS @@ -46,7 +46,7 @@ For this task you can use your favorite tool to generate certificates and keys. 1. Create a configuration file for the NGINX server: {{< text bash >}} - $ cat < ./nginx.conf + $ cat <<\EOF > ./nginx.conf events { } 
@@ -133,31 +133,27 @@ to hold the configuration of the NGINX server: 1. To test that the NGINX server was deployed successfully, send a request to the server from its sidecar proxy without checking the server's certificate (use the `-k` option of `curl`). Ensure that the server's certificate is - printed correctly, i.e., `common name` is equal to `nginx.example.com`. + printed correctly, i.e., `common name (CN)` is equal to `nginx.example.com`. {{< text bash >}} - $ kubectl exec -it $(kubectl get pod -l run=my-nginx -o jsonpath={.items..metadata.name}) -c istio-proxy -- curl -v -k --resolve nginx.example.com:443:127.0.0.1 https://nginx.example.com + $ kubectl exec -it "$(kubectl get pod -l run=my-nginx -o jsonpath={.items..metadata.name})" -c istio-proxy -- curl -v -k --resolve nginx.example.com:443:127.0.0.1 https://nginx.example.com ... - SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256 - server certificate verification SKIPPED - server certificate status verification SKIPPED - common name: nginx.example.com (matched) - server certificate expiration date OK - server certificate activation date OK - certificate public key: RSA - certificate version: #3 + SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 + ALPN, server accepted to use http/1.1 + Server certificate: subject: CN=nginx.example.com; O=some organization - start date: Wed, 15 Aug 2018 07:29:07 GMT - expire date: Sun, 25 Aug 2019 07:29:07 GMT + start date: May 27 14:18:47 2020 GMT + expire date: May 27 14:18:47 2021 GMT issuer: O=example Inc.; CN=example.com + SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway. > GET / HTTP/1.1 - > User-Agent: curl/7.35.0 + > User-Agent: curl/7.58.0 > Host: nginx.example.com ... < HTTP/1.1 200 OK - < Server: nginx/1.15.2 + < Server: nginx/1.17.10 ... 
@@ -226,7 +222,7 @@ to hold the configuration of the NGINX server: it is successfully verified (_SSL certificate verify ok_ is printed). {{< text bash >}} - $ curl -v --resolve nginx.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST --cacert example.com.crt https://nginx.example.com:$SECURE_INGRESS_PORT + $ curl -v --resolve "nginx.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST" --cacert example.com.crt "https://nginx.example.com:$SECURE_INGRESS_PORT" Server certificate: subject: CN=nginx.example.com; O=some organization start date: Wed, 15 Aug 2018 07:29:07 GMT diff --git a/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/snips.sh b/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/snips.sh new file mode 100644 index 0000000000..a837290e03 --- /dev/null +++ b/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/snips.sh 
@@ -0,0 +1,227 @@ +#!/bin/bash +# shellcheck disable=SC2034,SC2153,SC2155 + +# Copyright Istio Authors. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#################################################################################################### +# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE: +# docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md +#################################################################################################### + +snip_generate_client_and_server_certificates_and_keys_1() { +openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt +} + +snip_generate_client_and_server_certificates_and_keys_2() { +openssl req -out nginx.example.com.csr -newkey rsa:2048 -nodes -keyout nginx.example.com.key -subj "/CN=nginx.example.com/O=some organization" +openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in nginx.example.com.csr -out nginx.example.com.crt +} + +snip_deploy_an_nginx_server_1() { +kubectl create secret tls nginx-server-certs --key nginx.example.com.key --cert nginx.example.com.crt +} + +snip_deploy_an_nginx_server_2() { +cat <<\EOF > ./nginx.conf +events { +} + +http { + log_format main '$remote_addr - $remote_user [$time_local] $status ' + '"$request" $body_bytes_sent "$http_referer" ' + '"$http_user_agent" 
"$http_x_forwarded_for"'; + access_log /var/log/nginx/access.log main; + error_log /var/log/nginx/error.log; + + server { + listen 443 ssl; + + root /usr/share/nginx/html; + index index.html; + + server_name nginx.example.com; + ssl_certificate /etc/nginx-server-certs/tls.crt; + ssl_certificate_key /etc/nginx-server-certs/tls.key; + } +} +EOF +} + +snip_deploy_an_nginx_server_3() { +kubectl create configmap nginx-configmap --from-file=nginx.conf=./nginx.conf +} + +snip_deploy_an_nginx_server_4() { +cat < GET / HTTP/1.1 +> User-Agent: curl/7.58.0 +> Host: nginx.example.com +... +< HTTP/1.1 200 OK + +< Server: nginx/1.17.10 +... + + + +Welcome to nginx! +... +ENDSNIP + +snip_configure_an_ingress_gateway_1() { +kubectl apply -f - < + + Welcome to nginx! +ENDSNIP + +snip_cleanup_1() { +kubectl delete secret nginx-server-certs +kubectl delete configmap nginx-configmap +kubectl delete service my-nginx +kubectl delete deployment my-nginx +kubectl delete gateway mygateway +kubectl delete virtualservice nginx +} + +snip_cleanup_2() { +rm example.com.crt example.com.key nginx.example.com.crt nginx.example.com.key nginx.example.com.csr +} + +snip_cleanup_3() { +rm ./nginx.conf +} diff --git a/tests/trafficmanagement/ingress/ingress_sni_passthrough_test.go b/tests/trafficmanagement/ingress/ingress_sni_passthrough_test.go new file mode 100644 index 0000000000..1982884ebd --- /dev/null +++ b/tests/trafficmanagement/ingress/ingress_sni_passthrough_test.go 
@@ -0,0 +1,44 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ingress
+
+import (
+ "testing"
+
+ "istio.io/istio/pkg/test/framework"
+
+ "istio.io/istio.io/pkg/test/istioio"
+)
+
+func TestIngressSNIPassthrough(t *testing.T) {
+ framework.
+ NewTest(t).
+ Run(istioio.NewBuilder("tasks__traffic_management__ingress_sni_passthrough").
+ Add(istioio.Script{
+ Input: istioio.Path("scripts/ingress_sni_passthrough.sh"),
+ }).
+ Defer(istioio.Script{
+ Input: istioio.Inline{
+ FileName: "cleanup.sh",
+ Value: `
+set +e # ignore cleanup errors
+source ${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/snips.sh
+snip_cleanup_1
+snip_cleanup_2
+snip_cleanup_3`,
+ },
+ }).
+ Build())
+}
diff --git a/tests/trafficmanagement/ingress/scripts/ingress_sni_passthrough.sh b/tests/trafficmanagement/ingress/scripts/ingress_sni_passthrough.sh
new file mode 100644
index 0000000000..6b54ed71de
--- /dev/null
+++ b/tests/trafficmanagement/ingress/scripts/ingress_sni_passthrough.sh
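Review bot: The `source ${REPO_ROOT}/...` line inside the inline cleanup script leaves the expansion unquoted, while the main script in scripts/ingress_sni_passthrough.sh quotes the same path; a REPO_ROOT containing whitespace or glob characters would be word-split here, the snippets would not load, and under `set +e` the cleanup would silently do nothing. Change it to `source "${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/snips.sh"`. The deferred script also only calls snip_cleanup_1 through snip_cleanup_3, so the `istio-injection=enabled` label the main script puts on the default namespace is not reverted; if the framework does not reset namespace labels between tests, either add a `kubectl label namespace default istio-injection-` step or a comment saying why the label is intentionally left in place.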
@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1090,SC2154
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+set -u
+set -o pipefail
+
+source "${REPO_ROOT}/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/snips.sh"
+source "${REPO_ROOT}/tests/util/samples.sh"
+
+kubectl label namespace default istio-injection=enabled --overwrite
+
+# Generate client and server certificates and keys
+snip_generate_client_and_server_certificates_and_keys_1
+snip_generate_client_and_server_certificates_and_keys_2
+
+# Deploy an NGINX server
+snip_deploy_an_nginx_server_1
+
+snip_deploy_an_nginx_server_2
+
+snip_deploy_an_nginx_server_3
+
+snip_deploy_an_nginx_server_4
+
+# waiting for nginx deployment to start
+sample_wait_for_deployment default my-nginx
+
+# validate NGINX server was deployed successfully
+_run_and_verify_contains snip_deploy_an_nginx_server_5 "subject: CN=nginx.example.com"
+
+# configure an ingress gateway
+snip_configure_an_ingress_gateway_1
+snip_configure_an_ingress_gateway_2
+
+# validate the output
+_run_and_verify_contains snip_configure_an_ingress_gateway_3 "SSL certificate verify ok."
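Review bot: The script depends on `REPO_ROOT` (the two `source` lines) and, through `snip_configure_an_ingress_gateway_3`, on `INGRESS_HOST` and `SECURE_INGRESS_PORT` (the docs curl it is generated from resolves `nginx.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST`), but nothing in the file sets them and the `SC2154` disable hides that; with `set -u` a missing one aborts with a bare unset-variable error rather than a readable failure. Add a header comment such as `# Requires REPO_ROOT, INGRESS_HOST and SECURE_INGRESS_PORT to be exported by the test harness`, or a `: "${INGRESS_HOST:?}"` / `: "${SECURE_INGRESS_PORT:?}"` guard after the `source` lines, so the contract is explicit. The comment above the last check could also say what is actually being proven: the earlier `snip_deploy_an_nginx_server_5` check runs curl with `-k` and only confirms the presented CN, whereas `SSL certificate verify ok.` is the assertion that the gateway passed the server certificate through unmodified and it validated against example.com.crt. Note too that `kubectl label namespace default istio-injection=enabled --overwrite` mutates a shared namespace and the deferred cleanup in ingress_sni_passthrough_test.go does not revert it; if the harness does not reset labels, say so in a comment here.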