9d92c42c90
A port can be sent in the Host header as defined in the HTTP RFC, so we take any hosts that we want to match traffic to and also add another host with the listener port added. Also fix an issue with envoy integration tests not running the case-ingress-gateway-tls test.
43 lines
1.4 KiB
Bash
43 lines
1.4 KiB
Bash
#!/usr/bin/env bats
|
|
|
|
load helpers
|
|
|
|
@test "ingress proxy admin is up on :20000" {
|
|
retry_default curl -f -s localhost:20000/stats -o /dev/null
|
|
}
|
|
|
|
@test "s1 proxy admin is up on :19000" {
|
|
retry_default curl -f -s localhost:19000/stats -o /dev/null
|
|
}
|
|
|
|
@test "s2 proxy admin is up on :19001" {
|
|
retry_default curl -f -s localhost:19001/stats -o /dev/null
|
|
}
|
|
|
|
@test "s1 proxy listener should be up and have right cert" {
|
|
assert_proxy_presents_cert_uri localhost:21000 s1
|
|
}
|
|
|
|
@test "ingress-gateway should have healthy endpoints for s1" {
|
|
assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
|
|
}
|
|
|
|
@test "should be able to connect to s1 through the TLS-enabled ingress port" {
|
|
assert_dnssan_in_cert localhost:9998 '\*.ingress.consul'
|
|
# Use the --resolve argument to fake dns resolution for now so we can use the
|
|
# s1.ingress.consul domain to validate the cert
|
|
run retry_default curl --cacert <(get_ca_root) -s -f -d hello \
|
|
--resolve s1.ingress.consul:9998:127.0.0.1 \
|
|
https://s1.ingress.consul:9998
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" = "hello" ]
|
|
}
|
|
|
|
@test "should be able to connect to s1 through the TLS-enabled ingress port using the custom host" {
|
|
assert_dnssan_in_cert localhost:9999 'test.example.com'
|
|
run retry_default curl --cacert <(get_ca_root) -s -f -d hello \
|
|
--resolve test.example.com:9999:127.0.0.1 \
|
|
https://test.example.com:9999
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" = "hello" ]
|
|
} |