Add TLS integration test for ingress gateway

- Pull Consul Root CA from API in order to verify certificate chain - Assert on the DNSSAN as well to ensure it is correct
2020-04-29 02:58:35 -07:00 · 2020-04-29 02:58:35 -07:00 · c194e707e6
parent 91586b9228
commit c194e707e6
9 changed files with 96 additions and 7 deletions
--- a/test/integration/connect/envoy/case-ingress-gateway-simple/config_entries.hcl
+++ b/test/integration/connect/envoy/case-ingress-gateway-simple/config_entries.hcl
@ -5,10 +5,6 @@ config_entries {
    kind = "ingress-gateway"
    name = "ingress-gateway"

-    tls {
-      enabled = true
-    }
-
    listeners = [
      {
        port = 9999
--- a/test/integration/connect/envoy/case-ingress-gateway-simple/verify.bats
+++ b/test/integration/connect/envoy/case-ingress-gateway-simple/verify.bats
@ -23,8 +23,6 @@ load helpers
 }

@test "ingress should be able to connect to s1 via configured port" {
-  sleep 10000
-  openssl s_client -connect localhost:9999 | openssl x509 -noout -text >&3
  run retry_default curl -s -f -d hello localhost:9999
  [ "$status" -eq 0 ]
  [ "$output" = "hello" ]
--- a/test/integration/connect/envoy/case-ingress-gateway-tls/capture.sh
+++ b/test/integration/connect/envoy/case-ingress-gateway-tls/capture.sh
@ -0,0 +1,3 @@
+#!/bin/bash
+
+snapshot_envoy_admin localhost:20000 ingress-gateway primary || true
--- a/test/integration/connect/envoy/case-ingress-gateway-tls/config_entries.hcl
+++ b/test/integration/connect/envoy/case-ingress-gateway-tls/config_entries.hcl
@ -0,0 +1,24 @@
+enable_central_service_config = true
+
+config_entries {
+  bootstrap {
+    kind = "ingress-gateway"
+    name = "ingress-gateway"
+
+    tls {
+      enabled = true
+    }
+
+    listeners = [
+      {
+        port = 9999
+        protocol = "tcp"
+        services = [
+          {
+            name = "s1"
+          }
+        ]
+      }
+    ]
+  }
+}
--- a/test/integration/connect/envoy/case-ingress-gateway-tls/gateway.hcl
+++ b/test/integration/connect/envoy/case-ingress-gateway-tls/gateway.hcl
@ -0,0 +1,4 @@
+services {
+  name = "ingress-gateway"
+  kind = "ingress-gateway"
+}
--- a/test/integration/connect/envoy/case-ingress-gateway-tls/setup.sh
+++ b/test/integration/connect/envoy/case-ingress-gateway-tls/setup.sh
@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# wait for bootstrap to apply config entries
+wait_for_config_entry ingress-gateway ingress-gateway
+
+gen_envoy_bootstrap ingress-gateway 20000 primary true
+gen_envoy_bootstrap s1 19000
+gen_envoy_bootstrap s2 19001
--- a/test/integration/connect/envoy/case-ingress-gateway-tls/vars.sh
+++ b/test/integration/connect/envoy/case-ingress-gateway-tls/vars.sh
@ -0,0 +1,3 @@
+#!/bin/bash
+
+export REQUIRED_SERVICES="$DEFAULT_REQUIRED_SERVICES ingress-gateway-primary"
--- a/test/integration/connect/envoy/case-ingress-gateway-tls/verify.bats
+++ b/test/integration/connect/envoy/case-ingress-gateway-tls/verify.bats
@ -0,0 +1,34 @@
+#!/usr/bin/env bats
+
+load helpers
+
+@test "ingress proxy admin is up on :20000" {
+  retry_default curl -f -s localhost:20000/stats -o /dev/null
+}
+
+@test "s1 proxy admin is up on :19000" {
+  retry_default curl -f -s localhost:19000/stats -o /dev/null
+}
+
+@test "s2 proxy admin is up on :19001" {
+  retry_default curl -f -s localhost:19001/stats -o /dev/null
+}
+
+@test "s1 proxy listener should be up and have right cert" {
+  assert_proxy_presents_cert_uri localhost:21000 s1
+}
+
+@test "ingress-gateway should have healthy endpoints for s1" {
+   assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
+}
+
+@test "should be able to connect to s1 through the TLS-enabled ingress port" {
+  assert_dnssan_in_cert localhost:9999 '\*.ingress.consul'
+  # Use the --resolve argument to fake dns resolution for now so we can use the
+  # s1.ingress.consul domain to validate the cert
+  run retry_default curl --cacert <(get_ca_root) -s -f -d hello \
+    --resolve s1.ingress.consul:9999:127.0.0.1 \
+    https://s1.ingress.consul:9999
+  [ "$status" -eq 0 ]
+  [ "$output" = "hello" ]
+}
--- a/test/integration/connect/envoy/helpers.bash
+++ b/test/integration/connect/envoy/helpers.bash
@ -100,7 +100,7 @@ function is_set {

 function get_cert {
  local HOSTPORT=$1
-  CERT=$(openssl s_client -connect $HOSTPORT -showcerts )
+  CERT=$(openssl s_client -connect $HOSTPORT -showcerts </dev/null)
  openssl x509 -noout -text <<< "$CERT"
 }

@ -120,6 +120,19 @@ function assert_proxy_presents_cert_uri {
  echo "$CERT" | grep -Eo "URI:spiffe://([a-zA-Z0-9-]+).consul/ns/${NS}/dc/${DC}/svc/$SERVICENAME"
 }

+function assert_dnssan_in_cert {
+  local HOSTPORT=$1
+  local DNSSAN=$2
+
+  CERT=$(retry_default get_cert $HOSTPORT)
+
+  echo "WANT DNSSAN: ${DNSSAN}"
+  echo "GOT CERT:"
+  echo "$CERT"
+
+  echo "$CERT" | grep -Eo "DNS:${DNSSAN}"
+}
+
 function assert_envoy_version {
  local ADMINPORT=$1
  run retry_default curl -f -s localhost:$ADMINPORT/server_info
@ -619,6 +632,10 @@ function update_intention {
  return $?
 }

+function get_ca_root {
+  curl -s -f "http://localhost:8500/v1/connect/ca/roots" | jq -r ".Roots[0].RootCert"
+}
+
 function wait_for_agent_service_register {
  local SERVICE_ID=$1
  local DC=${2:-primary}