open-consul/test/integration/connect/envoy/case-ingress-gateway-tls/verify.bats

#!/usr/bin/env bats

load helpers

@test "ingress proxy admin is up on :20000" {
  retry_default curl -f -s localhost:20000/stats -o /dev/null
}

@test "s1 proxy admin is up on :19000" {
  retry_default curl -f -s localhost:19000/stats -o /dev/null
}

@test "s2 proxy admin is up on :19001" {
  retry_default curl -f -s localhost:19001/stats -o /dev/null
}

@test "s1 proxy listener should be up and have right cert" {
  assert_proxy_presents_cert_uri localhost:21000 s1
}

@test "ingress-gateway should have healthy endpoints for s1" {
   assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
}

@test "should be able to connect to s1 through the TLS-enabled ingress port" {
  assert_dnssan_in_cert localhost:9999 '\*.ingress.consul'
  # Use the --resolve argument to fake dns resolution for now so we can use the
  # s1.ingress.consul domain to validate the cert
  run retry_default curl --cacert <(get_ca_root) -s -f -d hello \
    --resolve s1.ingress.consul:9999:127.0.0.1 \
    https://s1.ingress.consul:9999
  [ "$status" -eq 0 ]
  [ "$output" = "hello" ]
}

@test "should be able to connect to s1 through the TLS-enabled ingress port using the custom host" {
  assert_dnssan_in_cert localhost:9999 'test.example.com'
  run retry_default curl --cacert <(get_ca_root) -s -f -d hello \
    --resolve test.example.com:9999:127.0.0.1 \
    https://test.example.com:9999
  [ "$status" -eq 0 ]
  [ "$output" = "hello" ]
}
Add TLS integration test for ingress gateway - Pull Consul Root CA from API in order to verify certificate chain - Assert on the DNSSAN as well to ensure it is correct 2020-04-29 09:58:35 +00:00			`#!/usr/bin/env bats`

			`load helpers`

			`@test "ingress proxy admin is up on :20000" {`
			`retry_default curl -f -s localhost:20000/stats -o /dev/null`
			`}`

			`@test "s1 proxy admin is up on :19000" {`
			`retry_default curl -f -s localhost:19000/stats -o /dev/null`
			`}`

			`@test "s2 proxy admin is up on :19001" {`
			`retry_default curl -f -s localhost:19001/stats -o /dev/null`
			`}`

			`@test "s1 proxy listener should be up and have right cert" {`
			`assert_proxy_presents_cert_uri localhost:21000 s1`
			`}`

			`@test "ingress-gateway should have healthy endpoints for s1" {`
			`assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1`
			`}`

			`@test "should be able to connect to s1 through the TLS-enabled ingress port" {`
			`assert_dnssan_in_cert localhost:9999 '\*.ingress.consul'`
			`# Use the --resolve argument to fake dns resolution for now so we can use the`
			`# s1.ingress.consul domain to validate the cert`
			`run retry_default curl --cacert <(get_ca_root) -s -f -d hello \`
			`--resolve s1.ingress.consul:9999:127.0.0.1 \`
			`https://s1.ingress.consul:9999`
			`[ "$status" -eq 0 ]`
			`[ "$output" = "hello" ]`
			`}`
Add a check for custom host to ingress TLS integration test 2020-05-01 20:55:13 +00:00
			`@test "should be able to connect to s1 through the TLS-enabled ingress port using the custom host" {`
			`assert_dnssan_in_cert localhost:9999 'test.example.com'`
			`run retry_default curl --cacert <(get_ca_root) -s -f -d hello \`
			`--resolve test.example.com:9999:127.0.0.1 \`
			`https://test.example.com:9999`
			`[ "$status" -eq 0 ]`
			`[ "$output" = "hello" ]`
			`}`