2018-10-06 03:35:56 +00:00
|
|
|
/*
|
|
|
|
|
Copyright 2018 The Kubernetes Authors.
|
|
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
|
limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
package annotations
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
2018-10-29 21:39:04 +00:00
|
|
|
"net/http"
|
|
|
|
|
"strings"
|
|
|
|
|
|
2020-02-19 03:08:56 +00:00
|
|
|
"github.com/onsi/ginkgo"
|
|
|
|
|
"github.com/stretchr/testify/assert"
|
2018-10-06 03:35:56 +00:00
|
|
|
"k8s.io/ingress-nginx/test/e2e/framework"
|
|
|
|
|
)
|
|
|
|
|
|
2020-02-16 18:27:58 +00:00
|
|
|
var _ = framework.DescribeAnnotation("auth-tls-*", func() {
|
2018-10-06 03:35:56 +00:00
|
|
|
f := framework.NewDefaultFramework("authtls")
|
|
|
|
|
|
2020-02-19 03:08:56 +00:00
|
|
|
ginkgo.BeforeEach(func() {
|
2022-02-02 13:12:22 +00:00
|
|
|
f.NewEchoDeployment(framework.WithDeploymentReplicas(2))
|
2018-10-06 03:35:56 +00:00
|
|
|
})
|
|
|
|
|
|
Additional AuthTLS assertions and doc change to demonstrate auth-tls-secret enables the other AuthTLS annotations (#7202)
* Fix indentation of nested list in AuthTLS annotations
Also, put `<annotation>`: <description text>` on a single line in
Markdown markup, which will match what gets rendered eventually.
On the other hand, for the line on auth-tls-secret (This annotation
expects the Secret name in the form "namespace/secretName"), its
Markdown markup suggests that the author wanted the line to start on its
own line, but currently this gets rendered on the same line. It's nice
for this to be on its own line, since it's kind of a "note" about the
annotation syntax. Format/indent the markup appropriately so that it
shows up on its line.
* Fix indentation of nested list in CORS annotations
Also, put `<annotation>`: <description text>` on a single line in
Markdown markup, which will match what gets rendered eventually.
On the other hand, for lines noting the allowed characters (This is a
multi-valued field...), its Markdown markup suggests that the author
wanted the line to start on its own line, but currently this gets
rendered on the same line. It's nice for this to be on its own line,
since it's kind of a "note" about the annotation syntax. Format/indent
the markup appropriately so that it shows up on its line.
* Replace f.HTTPTestClientWithTLSConfig() in AuthTLS E2E, the odd one out for requests without client certs
* Demonstrate and document that auth-tls-secret enables the other AuthTLS annotations like verify client, depth
* Split E2E for auth-tls-error-page and *-pass-certificate-to-upstream
2021-09-07 17:35:16 +00:00
|
|
|
ginkgo.It("should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret", func() {
|
2018-10-06 03:35:56 +00:00
|
|
|
host := "authtls.foo.com"
|
2019-02-22 14:03:42 +00:00
|
|
|
nameSpace := f.Namespace
|
2018-10-06 03:35:56 +00:00
|
|
|
|
|
|
|
|
clientConfig, err := framework.CreateIngressMASecret(
|
|
|
|
|
f.KubeClientSet,
|
|
|
|
|
host,
|
|
|
|
|
host,
|
|
|
|
|
nameSpace)
|
2020-02-19 03:08:56 +00:00
|
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
2018-10-06 03:35:56 +00:00
|
|
|
|
Additional AuthTLS assertions and doc change to demonstrate auth-tls-secret enables the other AuthTLS annotations (#7202)
* Fix indentation of nested list in AuthTLS annotations
Also, put `<annotation>`: <description text>` on a single line in
Markdown markup, which will match what gets rendered eventually.
On the other hand, for the line on auth-tls-secret (This annotation
expects the Secret name in the form "namespace/secretName"), its
Markdown markup suggests that the author wanted the line to start on its
own line, but currently this gets rendered on the same line. It's nice
for this to be on its own line, since it's kind of a "note" about the
annotation syntax. Format/indent the markup appropriately so that it
shows up on its line.
* Fix indentation of nested list in CORS annotations
Also, put `<annotation>`: <description text>` on a single line in
Markdown markup, which will match what gets rendered eventually.
On the other hand, for lines noting the allowed characters (This is a
multi-valued field...), its Markdown markup suggests that the author
wanted the line to start on its own line, but currently this gets
rendered on the same line. It's nice for this to be on its own line,
since it's kind of a "note" about the annotation syntax. Format/indent
the markup appropriately so that it shows up on its line.
* Replace f.HTTPTestClientWithTLSConfig() in AuthTLS E2E, the odd one out for requests without client certs
* Demonstrate and document that auth-tls-secret enables the other AuthTLS annotations like verify client, depth
* Split E2E for auth-tls-error-page and *-pass-certificate-to-upstream
2021-09-07 17:35:16 +00:00
|
|
|
annotations := map[string]string{}
|
|
|
|
|
|
|
|
|
|
ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, framework.EchoService, 80, annotations))
|
|
|
|
|
|
|
|
|
|
f.WaitForNginxServer(host,
|
|
|
|
|
func(server string) bool {
|
|
|
|
|
return !strings.Contains(server, "ssl_client_certificate") &&
|
|
|
|
|
!strings.Contains(server, "ssl_verify_client") &&
|
|
|
|
|
!strings.Contains(server, "ssl_verify_depth")
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
annotations = map[string]string{
|
2018-10-06 03:35:56 +00:00
|
|
|
"nginx.ingress.kubernetes.io/auth-tls-secret": nameSpace + "/" + host,
|
|
|
|
|
}
|
|
|
|
|
|
Additional AuthTLS assertions and doc change to demonstrate auth-tls-secret enables the other AuthTLS annotations (#7202)
* Fix indentation of nested list in AuthTLS annotations
Also, put `<annotation>`: <description text>` on a single line in
Markdown markup, which will match what gets rendered eventually.
On the other hand, for the line on auth-tls-secret (This annotation
expects the Secret name in the form "namespace/secretName"), its
Markdown markup suggests that the author wanted the line to start on its
own line, but currently this gets rendered on the same line. It's nice
for this to be on its own line, since it's kind of a "note" about the
annotation syntax. Format/indent the markup appropriately so that it
shows up on its line.
* Fix indentation of nested list in CORS annotations
Also, put `<annotation>`: <description text>` on a single line in
Markdown markup, which will match what gets rendered eventually.
On the other hand, for lines noting the allowed characters (This is a
multi-valued field...), its Markdown markup suggests that the author
wanted the line to start on its own line, but currently this gets
rendered on the same line. It's nice for this to be on its own line,
since it's kind of a "note" about the annotation syntax. Format/indent
the markup appropriately so that it shows up on its line.
* Replace f.HTTPTestClientWithTLSConfig() in AuthTLS E2E, the odd one out for requests without client certs
* Demonstrate and document that auth-tls-secret enables the other AuthTLS annotations like verify client, depth
* Split E2E for auth-tls-error-page and *-pass-certificate-to-upstream
2021-09-07 17:35:16 +00:00
|
|
|
ing.SetAnnotations(annotations)
|
|
|
|
|
f.UpdateIngress(ing)
|
2018-10-06 03:35:56 +00:00
|
|
|
|
2019-02-25 04:22:22 +00:00
|
|
|
assertSslClientCertificateConfig(f, host, "on", "1")
|
2018-10-06 03:35:56 +00:00
|
|
|
|
|
|
|
|
// Send Request without Client Certs
|
Additional AuthTLS assertions and doc change to demonstrate auth-tls-secret enables the other AuthTLS annotations (#7202)
* Fix indentation of nested list in AuthTLS annotations
Also, put `<annotation>`: <description text>` on a single line in
Markdown markup, which will match what gets rendered eventually.
On the other hand, for the line on auth-tls-secret (This annotation
expects the Secret name in the form "namespace/secretName"), its
Markdown markup suggests that the author wanted the line to start on its
own line, but currently this gets rendered on the same line. It's nice
for this to be on its own line, since it's kind of a "note" about the
annotation syntax. Format/indent the markup appropriately so that it
shows up on its line.
* Fix indentation of nested list in CORS annotations
Also, put `<annotation>`: <description text>` on a single line in
Markdown markup, which will match what gets rendered eventually.
On the other hand, for lines noting the allowed characters (This is a
multi-valued field...), its Markdown markup suggests that the author
wanted the line to start on its own line, but currently this gets
rendered on the same line. It's nice for this to be on its own line,
since it's kind of a "note" about the annotation syntax. Format/indent
the markup appropriately so that it shows up on its line.
* Replace f.HTTPTestClientWithTLSConfig() in AuthTLS E2E, the odd one out for requests without client certs
* Demonstrate and document that auth-tls-secret enables the other AuthTLS annotations like verify client, depth
* Split E2E for auth-tls-error-page and *-pass-certificate-to-upstream
2021-09-07 17:35:16 +00:00
|
|
|
f.HTTPTestClient().
|
2020-02-19 03:08:56 +00:00
|
|
|
GET("/").
|
|
|
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
|
|
|
WithHeader("Host", host).
|
|
|
|
|
Expect().
|
|
|
|
|
Status(http.StatusBadRequest)
|
2018-10-06 03:35:56 +00:00
|
|
|
|
|
|
|
|
// Send Request Passing the Client Certs
|
2020-02-19 03:08:56 +00:00
|
|
|
f.HTTPTestClientWithTLSConfig(clientConfig).
|
|
|
|
|
GET("/").
|
|
|
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
|
|
|
WithHeader("Host", host).
|
|
|
|
|
Expect().
|
|
|
|
|
Status(http.StatusOK)
|
2018-10-06 03:35:56 +00:00
|
|
|
})
|
|
|
|
|
|
2020-02-19 03:08:56 +00:00
|
|
|
ginkgo.It("should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2", func() {
|
2018-10-06 03:35:56 +00:00
|
|
|
host := "authtls.foo.com"
|
2019-02-22 14:03:42 +00:00
|
|
|
nameSpace := f.Namespace
|
2018-10-06 03:35:56 +00:00
|
|
|
|
|
|
|
|
_, err := framework.CreateIngressMASecret(
|
|
|
|
|
f.KubeClientSet,
|
|
|
|
|
host,
|
|
|
|
|
host,
|
|
|
|
|
nameSpace)
|
2020-02-19 03:08:56 +00:00
|
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
2018-10-06 03:35:56 +00:00
|
|
|
|
|
|
|
|
annotations := map[string]string{
|
|
|
|
|
"nginx.ingress.kubernetes.io/auth-tls-secret": nameSpace + "/" + host,
|
|
|
|
|
"nginx.ingress.kubernetes.io/auth-tls-verify-client": "off",
|
|
|
|
|
"nginx.ingress.kubernetes.io/auth-tls-verify-depth": "2",
|
|
|
|
|
}
|
|
|
|
|
|
2019-12-13 05:47:11 +00:00
|
|
|
f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, framework.EchoService, 80, annotations))
|
2018-10-06 03:35:56 +00:00
|
|
|
|
2019-02-25 04:22:22 +00:00
|
|
|
assertSslClientCertificateConfig(f, host, "off", "2")
|
2018-10-06 03:35:56 +00:00
|
|
|
|
|
|
|
|
// Send Request without Client Certs
|
2020-02-19 03:08:56 +00:00
|
|
|
f.HTTPTestClient().
|
|
|
|
|
GET("/").
|
|
|
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
|
|
|
WithHeader("Host", host).
|
|
|
|
|
Expect().
|
|
|
|
|
Status(http.StatusOK)
|
2018-10-06 03:35:56 +00:00
|
|
|
})
|
|
|
|
|
|
Additional AuthTLS assertions and doc change to demonstrate auth-tls-secret enables the other AuthTLS annotations (#7202)
* Fix indentation of nested list in AuthTLS annotations
Also, put `<annotation>`: <description text>` on a single line in
Markdown markup, which will match what gets rendered eventually.
On the other hand, for the line on auth-tls-secret (This annotation
expects the Secret name in the form "namespace/secretName"), its
Markdown markup suggests that the author wanted the line to start on its
own line, but currently this gets rendered on the same line. It's nice
for this to be on its own line, since it's kind of a "note" about the
annotation syntax. Format/indent the markup appropriately so that it
shows up on its line.
* Fix indentation of nested list in CORS annotations
Also, put `<annotation>`: <description text>` on a single line in
Markdown markup, which will match what gets rendered eventually.
On the other hand, for lines noting the allowed characters (This is a
multi-valued field...), its Markdown markup suggests that the author
wanted the line to start on its own line, but currently this gets
rendered on the same line. It's nice for this to be on its own line,
since it's kind of a "note" about the annotation syntax. Format/indent
the markup appropriately so that it shows up on its line.
* Replace f.HTTPTestClientWithTLSConfig() in AuthTLS E2E, the odd one out for requests without client certs
* Demonstrate and document that auth-tls-secret enables the other AuthTLS annotations like verify client, depth
* Split E2E for auth-tls-error-page and *-pass-certificate-to-upstream
2021-09-07 17:35:16 +00:00
|
|
|
ginkgo.It("should 302 redirect to error page instead of 400 when auth-tls-error-page is set", func() {
|
2018-10-06 03:35:56 +00:00
|
|
|
host := "authtls.foo.com"
|
2019-02-22 14:03:42 +00:00
|
|
|
nameSpace := f.Namespace
|
2018-10-06 03:35:56 +00:00
|
|
|
|
|
|
|
|
errorPath := "/error"
|
|
|
|
|
|
|
|
|
|
clientConfig, err := framework.CreateIngressMASecret(
|
|
|
|
|
f.KubeClientSet,
|
|
|
|
|
host,
|
|
|
|
|
host,
|
|
|
|
|
nameSpace)
|
2020-02-19 03:08:56 +00:00
|
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
2018-10-06 03:35:56 +00:00
|
|
|
|
|
|
|
|
annotations := map[string]string{
|
Additional AuthTLS assertions and doc change to demonstrate auth-tls-secret enables the other AuthTLS annotations (#7202)
* Fix indentation of nested list in AuthTLS annotations
Also, put `<annotation>`: <description text>` on a single line in
Markdown markup, which will match what gets rendered eventually.
On the other hand, for the line on auth-tls-secret (This annotation
expects the Secret name in the form "namespace/secretName"), its
Markdown markup suggests that the author wanted the line to start on its
own line, but currently this gets rendered on the same line. It's nice
for this to be on its own line, since it's kind of a "note" about the
annotation syntax. Format/indent the markup appropriately so that it
shows up on its line.
* Fix indentation of nested list in CORS annotations
Also, put `<annotation>`: <description text>` on a single line in
Markdown markup, which will match what gets rendered eventually.
On the other hand, for lines noting the allowed characters (This is a
multi-valued field...), its Markdown markup suggests that the author
wanted the line to start on its own line, but currently this gets
rendered on the same line. It's nice for this to be on its own line,
since it's kind of a "note" about the annotation syntax. Format/indent
the markup appropriately so that it shows up on its line.
* Replace f.HTTPTestClientWithTLSConfig() in AuthTLS E2E, the odd one out for requests without client certs
* Demonstrate and document that auth-tls-secret enables the other AuthTLS annotations like verify client, depth
* Split E2E for auth-tls-error-page and *-pass-certificate-to-upstream
2021-09-07 17:35:16 +00:00
|
|
|
"nginx.ingress.kubernetes.io/auth-tls-secret": nameSpace + "/" + host,
|
|
|
|
|
"nginx.ingress.kubernetes.io/auth-tls-error-page": f.GetURL(framework.HTTP) + errorPath,
|
2018-10-06 03:35:56 +00:00
|
|
|
}
|
|
|
|
|
|
2019-12-13 05:47:11 +00:00
|
|
|
f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, framework.EchoService, 80, annotations))
|
2018-10-06 03:35:56 +00:00
|
|
|
|
2019-02-25 04:22:22 +00:00
|
|
|
assertSslClientCertificateConfig(f, host, "on", "1")
|
2018-10-06 03:35:56 +00:00
|
|
|
|
2019-02-22 14:03:42 +00:00
|
|
|
sslErrorPage := fmt.Sprintf("error_page 495 496 = %s;", f.GetURL(framework.HTTP)+errorPath)
|
2018-10-06 03:35:56 +00:00
|
|
|
|
2018-10-29 21:39:04 +00:00
|
|
|
f.WaitForNginxServer(host,
|
2018-10-06 03:35:56 +00:00
|
|
|
func(server string) bool {
|
Additional AuthTLS assertions and doc change to demonstrate auth-tls-secret enables the other AuthTLS annotations (#7202)
* Fix indentation of nested list in AuthTLS annotations
Also, put `<annotation>`: <description text>` on a single line in
Markdown markup, which will match what gets rendered eventually.
On the other hand, for the line on auth-tls-secret (This annotation
expects the Secret name in the form "namespace/secretName"), its
Markdown markup suggests that the author wanted the line to start on its
own line, but currently this gets rendered on the same line. It's nice
for this to be on its own line, since it's kind of a "note" about the
annotation syntax. Format/indent the markup appropriately so that it
shows up on its line.
* Fix indentation of nested list in CORS annotations
Also, put `<annotation>`: <description text>` on a single line in
Markdown markup, which will match what gets rendered eventually.
On the other hand, for lines noting the allowed characters (This is a
multi-valued field...), its Markdown markup suggests that the author
wanted the line to start on its own line, but currently this gets
rendered on the same line. It's nice for this to be on its own line,
since it's kind of a "note" about the annotation syntax. Format/indent
the markup appropriately so that it shows up on its line.
* Replace f.HTTPTestClientWithTLSConfig() in AuthTLS E2E, the odd one out for requests without client certs
* Demonstrate and document that auth-tls-secret enables the other AuthTLS annotations like verify client, depth
* Split E2E for auth-tls-error-page and *-pass-certificate-to-upstream
2021-09-07 17:35:16 +00:00
|
|
|
return strings.Contains(server, sslErrorPage)
|
2018-10-06 03:35:56 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
|
|
// Send Request without Client Certs
|
2020-02-19 03:08:56 +00:00
|
|
|
f.HTTPTestClient().
|
|
|
|
|
GET("/").
|
|
|
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
|
|
|
WithHeader("Host", host).
|
|
|
|
|
Expect().
|
|
|
|
|
Status(http.StatusFound).
|
|
|
|
|
Header("Location").Equal(f.GetURL(framework.HTTP) + errorPath)
|
2018-10-06 03:35:56 +00:00
|
|
|
|
|
|
|
|
// Send Request Passing the Client Certs
|
2020-02-19 03:08:56 +00:00
|
|
|
f.HTTPTestClientWithTLSConfig(clientConfig).
|
|
|
|
|
GET("/").
|
|
|
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
|
|
|
WithHeader("Host", host).
|
|
|
|
|
Expect().
|
|
|
|
|
Status(http.StatusOK)
|
2018-10-06 03:35:56 +00:00
|
|
|
})
|
2020-04-01 12:45:27 +00:00
|
|
|
|
Additional AuthTLS assertions and doc change to demonstrate auth-tls-secret enables the other AuthTLS annotations (#7202)
* Fix indentation of nested list in AuthTLS annotations
Also, put `<annotation>`: <description text>` on a single line in
Markdown markup, which will match what gets rendered eventually.
On the other hand, for the line on auth-tls-secret (This annotation
expects the Secret name in the form "namespace/secretName"), its
Markdown markup suggests that the author wanted the line to start on its
own line, but currently this gets rendered on the same line. It's nice
for this to be on its own line, since it's kind of a "note" about the
annotation syntax. Format/indent the markup appropriately so that it
shows up on its line.
* Fix indentation of nested list in CORS annotations
Also, put `<annotation>`: <description text>` on a single line in
Markdown markup, which will match what gets rendered eventually.
On the other hand, for lines noting the allowed characters (This is a
multi-valued field...), its Markdown markup suggests that the author
wanted the line to start on its own line, but currently this gets
rendered on the same line. It's nice for this to be on its own line,
since it's kind of a "note" about the annotation syntax. Format/indent
the markup appropriately so that it shows up on its line.
* Replace f.HTTPTestClientWithTLSConfig() in AuthTLS E2E, the odd one out for requests without client certs
* Demonstrate and document that auth-tls-secret enables the other AuthTLS annotations like verify client, depth
* Split E2E for auth-tls-error-page and *-pass-certificate-to-upstream
2021-09-07 17:35:16 +00:00
|
|
|
ginkgo.It("should pass URL-encoded certificate to upstream", func() {
|
|
|
|
|
host := "authtls.foo.com"
|
|
|
|
|
nameSpace := f.Namespace
|
|
|
|
|
|
|
|
|
|
clientConfig, err := framework.CreateIngressMASecret(
|
|
|
|
|
f.KubeClientSet,
|
|
|
|
|
host,
|
|
|
|
|
host,
|
|
|
|
|
nameSpace)
|
|
|
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
|
|
|
|
|
|
|
|
annotations := map[string]string{
|
|
|
|
|
"nginx.ingress.kubernetes.io/auth-tls-secret": nameSpace + "/" + host,
|
|
|
|
|
"nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream": "true",
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, framework.EchoService, 80, annotations))
|
|
|
|
|
|
|
|
|
|
assertSslClientCertificateConfig(f, host, "on", "1")
|
|
|
|
|
|
|
|
|
|
sslUpstreamClientCert := "proxy_set_header ssl-client-cert $ssl_client_escaped_cert;"
|
|
|
|
|
|
|
|
|
|
f.WaitForNginxServer(host,
|
|
|
|
|
func(server string) bool {
|
|
|
|
|
return strings.Contains(server, sslUpstreamClientCert)
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
// Send Request without Client Certs
|
|
|
|
|
f.HTTPTestClient().
|
|
|
|
|
GET("/").
|
|
|
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
|
|
|
WithHeader("Host", host).
|
|
|
|
|
Expect().
|
|
|
|
|
Status(http.StatusBadRequest)
|
|
|
|
|
|
|
|
|
|
// Send Request Passing the Client Certs
|
|
|
|
|
f.HTTPTestClientWithTLSConfig(clientConfig).
|
|
|
|
|
GET("/").
|
|
|
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
|
|
|
WithHeader("Host", host).
|
|
|
|
|
Expect().
|
|
|
|
|
Status(http.StatusOK).
|
|
|
|
|
Body().Contains("ssl-client-cert=-----BEGIN%20CERTIFICATE-----%0A")
|
|
|
|
|
})
|
|
|
|
|
|
2020-04-01 12:45:27 +00:00
|
|
|
ginkgo.It("should validate auth-tls-verify-client", func() {
|
|
|
|
|
host := "authtls.foo.com"
|
|
|
|
|
nameSpace := f.Namespace
|
|
|
|
|
|
|
|
|
|
clientConfig, err := framework.CreateIngressMASecret(
|
|
|
|
|
f.KubeClientSet,
|
|
|
|
|
host,
|
|
|
|
|
host,
|
|
|
|
|
nameSpace)
|
|
|
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
|
|
|
|
|
|
|
|
annotations := map[string]string{
|
|
|
|
|
"nginx.ingress.kubernetes.io/auth-tls-secret": nameSpace + "/" + host,
|
|
|
|
|
"nginx.ingress.kubernetes.io/auth-tls-verify-client": "on",
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, framework.EchoService, 80, annotations))
|
|
|
|
|
|
|
|
|
|
assertSslClientCertificateConfig(f, host, "on", "1")
|
|
|
|
|
|
|
|
|
|
f.HTTPTestClientWithTLSConfig(clientConfig).
|
|
|
|
|
GET("/").
|
|
|
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
|
|
|
WithHeader("Host", host).
|
|
|
|
|
Expect().
|
|
|
|
|
Status(http.StatusOK)
|
|
|
|
|
|
|
|
|
|
f.HTTPTestClient().
|
|
|
|
|
GET("/").
|
|
|
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
|
|
|
WithHeader("Host", host).
|
|
|
|
|
Expect().
|
|
|
|
|
Status(http.StatusBadRequest)
|
|
|
|
|
|
|
|
|
|
annotations = map[string]string{
|
|
|
|
|
"nginx.ingress.kubernetes.io/auth-tls-secret": nameSpace + "/" + host,
|
|
|
|
|
"nginx.ingress.kubernetes.io/auth-tls-verify-client": "off",
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ing.SetAnnotations(annotations)
|
|
|
|
|
f.UpdateIngress(ing)
|
|
|
|
|
|
|
|
|
|
assertSslClientCertificateConfig(f, host, "off", "1")
|
|
|
|
|
|
|
|
|
|
f.HTTPTestClientWithTLSConfig(clientConfig).
|
|
|
|
|
GET("/").
|
|
|
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
|
|
|
WithHeader("Host", host).
|
|
|
|
|
Expect().
|
|
|
|
|
Status(http.StatusOK)
|
|
|
|
|
|
|
|
|
|
f.HTTPTestClient().
|
|
|
|
|
GET("/").
|
|
|
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
|
|
|
WithHeader("Host", host).
|
|
|
|
|
Expect().
|
|
|
|
|
Status(http.StatusOK)
|
|
|
|
|
|
|
|
|
|
})
|
2018-10-06 03:35:56 +00:00
|
|
|
})
|
2019-02-25 04:22:22 +00:00
|
|
|
|
|
|
|
|
func assertSslClientCertificateConfig(f *framework.Framework, host string, verifyClient string, verifyDepth string) {
|
|
|
|
|
sslClientCertDirective := fmt.Sprintf("ssl_client_certificate /etc/ingress-controller/ssl/%s-%s.pem;", f.Namespace, host)
|
|
|
|
|
sslVerify := fmt.Sprintf("ssl_verify_client %s;", verifyClient)
|
|
|
|
|
sslVerifyDepth := fmt.Sprintf("ssl_verify_depth %s;", verifyDepth)
|
|
|
|
|
|
|
|
|
|
f.WaitForNginxServer(host,
|
|
|
|
|
func(server string) bool {
|
2019-08-13 21:14:55 +00:00
|
|
|
return strings.Contains(server, sslClientCertDirective) &&
|
2019-02-25 04:22:22 +00:00
|
|
|
strings.Contains(server, sslVerify) &&
|
|
|
|
|
strings.Contains(server, sslVerifyDepth)
|
|
|
|
|
})
|
|
|
|
|
}
|