diff --git a/test/e2e/annotations/authtls.go b/test/e2e/annotations/authtls.go index cb693f36e..86c5d9ec5 100644 --- a/test/e2e/annotations/authtls.go +++ b/test/e2e/annotations/authtls.go @@ -149,6 +149,66 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() { Expect(). Status(http.StatusOK) }) + + ginkgo.It("should validate auth-tls-verify-client", func() { + host := "authtls.foo.com" + nameSpace := f.Namespace + + clientConfig, err := framework.CreateIngressMASecret( + f.KubeClientSet, + host, + host, + nameSpace) + assert.Nil(ginkgo.GinkgoT(), err) + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/auth-tls-secret": nameSpace + "/" + host, + "nginx.ingress.kubernetes.io/auth-tls-verify-client": "on", + } + + ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, framework.EchoService, 80, annotations)) + + assertSslClientCertificateConfig(f, host, "on", "1") + + f.HTTPTestClientWithTLSConfig(clientConfig). + GET("/"). + WithURL(f.GetURL(framework.HTTPS)). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK) + + f.HTTPTestClient(). + GET("/"). + WithURL(f.GetURL(framework.HTTPS)). + WithHeader("Host", host). + Expect(). + Status(http.StatusBadRequest) + + annotations = map[string]string{ + "nginx.ingress.kubernetes.io/auth-tls-secret": nameSpace + "/" + host, + "nginx.ingress.kubernetes.io/auth-tls-verify-client": "off", + } + + ing.SetAnnotations(annotations) + f.UpdateIngress(ing) + + assertSslClientCertificateConfig(f, host, "off", "1") + + f.HTTPTestClientWithTLSConfig(clientConfig). + GET("/"). + WithURL(f.GetURL(framework.HTTPS)). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK) + + f.HTTPTestClient(). + GET("/"). + WithURL(f.GetURL(framework.HTTPS)). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK) + + }) }) func assertSslClientCertificateConfig(f *framework.Framework, host string, verifyClient string, verifyDepth string) {