diff --git a/test/e2e/ssl/secret_update.go b/test/e2e/ssl/secret_update.go index ed77c6b6c..628d45869 100644 --- a/test/e2e/ssl/secret_update.go +++ b/test/e2e/ssl/secret_update.go @@ -17,12 +17,15 @@ limitations under the License. package ssl import ( + "crypto/tls" "fmt" + "net/http" "strings" "time" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" + "github.com/parnurzeal/gorequest" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -77,4 +80,45 @@ var _ = framework.IngressNginxDescribe("SSL", func() {
 Expect(log).ToNot(ContainSubstring(fmt.Sprintf("starting syncing of secret %v/dummy", f.Namespace)))
 Expect(log).ToNot(ContainSubstring(fmt.Sprintf("error obtaining PEM from secret %v/dummy", f.Namespace)))
 })
+
+ It("should return the fake SSL certificate if the secret is invalid", func() {
+ host := "invalid-ssl"
+
+ // create a secret without cert or key
+ f.EnsureSecret(&v1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: host,
+ Namespace: f.Namespace,
+ },
+ })
+
+ f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, "http-svc", 80, nil))
+
+ f.WaitForNginxServer(host,
+ func(server string) bool {
+ return strings.Contains(server, "server_name invalid-ssl") &&
+ strings.Contains(server, "listen 443")
+ })
+
+ req := gorequest.New()
+ resp, _, errs := req.
+ Get(f.GetURL(framework.HTTPS)).
+ TLSClientConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}).
+ Set("Host", host).
+ End()
+ Expect(errs).Should(BeEmpty())
+ Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+
+ // check the returned secret is the fake one
+ cert := resp.TLS.PeerCertificates[0]
+ Expect(cert.DNSNames[0]).Should(Equal("ingress.local"))
+ Expect(cert.Subject.Organization[0]).Should(Equal("Acme Co"))
+ Expect(cert.Subject.CommonName).Should(Equal("Kubernetes Ingress Controller Fake Certificate"))
+
+ // verify the log contains a warning about invalid certificate
+ log, err := f.NginxLogs()
+ Expect(err).ToNot(HaveOccurred())
+ Expect(log).ToNot(BeEmpty())
+ Expect(log).To(ContainSubstring(fmt.Sprintf("%v/invalid-ssl\" contains no keypair or CA certificate", f.Namespace)))
+ })
 })
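Review bot: The certificate checks in the new `It` block index `resp.TLS.PeerCertificates[0]`, `cert.DNSNames[0]` and `cert.Subject.Organization[0]` without first asserting that `resp.TLS` is non-nil or that those slices are non-empty. If the handshake state or the default certificate ever changes, the spec panics with an index or nil-dereference error instead of failing with a readable message. Adding `Expect(resp.TLS).ToNot(BeNil())` and `Expect(resp.TLS.PeerCertificates).ToNot(BeEmpty())` before `cert := ...`, and using `Expect(cert.DNSNames).Should(ContainElement("ingress.local"))`, would keep the failure inside gomega. `InsecureSkipVerify: true` is needed here because the test inspects a self-signed certificate, but it deserves a comment such as `// verification disabled on purpose: the test inspects the controller's self-signed default certificate` so the setting is not copied into code that should verify peers. The `It` block sits wholly inside the hunk, while the enclosing `IngressNginxDescribe` closure opens above it.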