Refactor e2e framework for TLS tests
This commit is contained in:
Antoine Cotten
parent
c93f39f019
commit
553df8a0cc
7 changed files with 80 additions and 30 deletions
|
|
@ -304,7 +304,7 @@ func TestStore(t *testing.T) {
|
||||||
storer.Run(stopCh)
|
storer.Run(stopCh)
|
||||||
|
|
||||||
secretName := "not-referenced"
|
secretName := "not-referenced"
|
||||||
_, _, _, err = framework.CreateIngressTLSSecret(clientSet, []string{"foo"}, secretName, ns)
|
_, err = framework.CreateIngressTLSSecret(clientSet, []string{"foo"}, secretName, ns)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Errorf("unexpected error creating secret: %v", err)
|
t.Errorf("unexpected error creating secret: %v", err)
|
||||||
}
|
}
|
||||||
|
|
@ -418,7 +418,7 @@ func TestStore(t *testing.T) {
|
||||||
t.Errorf("unexpected error waiting for secret: %v", err)
|
t.Errorf("unexpected error waiting for secret: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
_, _, _, err = framework.CreateIngressTLSSecret(clientSet, []string{"foo"}, secretName, ns)
|
_, err = framework.CreateIngressTLSSecret(clientSet, []string{"foo"}, secretName, ns)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Errorf("unexpected error creating secret: %v", err)
|
t.Errorf("unexpected error creating secret: %v", err)
|
||||||
}
|
}
|
||||||
|
|
@ -558,7 +558,7 @@ func TestStore(t *testing.T) {
|
||||||
t.Errorf("expected 0 events of type Delete but %v occurred", del)
|
t.Errorf("expected 0 events of type Delete but %v occurred", del)
|
||||||
}
|
}
|
||||||
|
|
||||||
_, _, _, err = framework.CreateIngressTLSSecret(clientSet, secretHosts, name, ns)
|
_, err = framework.CreateIngressTLSSecret(clientSet, secretHosts, name, ns)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Errorf("unexpected error creating secret: %v", err)
|
t.Errorf("unexpected error creating secret: %v", err)
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -20,6 +20,7 @@ import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"crypto/rsa"
|
"crypto/rsa"
|
||||||
|
"crypto/tls"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"crypto/x509/pkix"
|
"crypto/x509/pkix"
|
||||||
"encoding/pem"
|
"encoding/pem"
|
||||||
|
|
@ -27,11 +28,13 @@ import (
|
||||||
"io"
|
"io"
|
||||||
"math/big"
|
"math/big"
|
||||||
"net"
|
"net"
|
||||||
|
net_url "net/url"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"k8s.io/api/core/v1"
|
"k8s.io/api/core/v1"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
"k8s.io/apimachinery/pkg/util/wait"
|
||||||
"k8s.io/client-go/kubernetes"
|
"k8s.io/client-go/kubernetes"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
@ -40,18 +43,22 @@ const (
|
||||||
validFor = 365 * 24 * time.Hour
|
validFor = 365 * 24 * time.Hour
|
||||||
)
|
)
|
||||||
|
|
||||||
// CreateIngressTLSSecret creates a secret containing TLS certificates for the given Ingress.
|
// CreateIngressTLSSecret creates or updates a Secret containing a TLS
|
||||||
// If a secret with the same name already pathExists in the namespace of the
|
// certificate for the given Ingress and returns a TLS configuration suitable
|
||||||
// Ingress, it's updated.
|
// for HTTP clients to use against that particular Ingress.
|
||||||
func CreateIngressTLSSecret(client kubernetes.Interface, hosts []string, secretName, namespace string) (host string, rootCA, privKey []byte, err error) {
|
func CreateIngressTLSSecret(client kubernetes.Interface, hosts []string, secretName, namespace string) (*tls.Config, error) {
|
||||||
var k, c bytes.Buffer
|
if len(hosts) == 0 {
|
||||||
host = strings.Join(hosts, ",")
|
return nil, fmt.Errorf("require a non-empty host for client hello")
|
||||||
if err = generateRSACerts(host, true, &k, &c); err != nil {
|
|
||||||
return
|
|
||||||
}
|
}
|
||||||
cert := c.Bytes()
|
|
||||||
key := k.Bytes()
|
var k, c bytes.Buffer
|
||||||
secret := &v1.Secret{
|
host := strings.Join(hosts, ",")
|
||||||
|
if err := generateRSACert(host, true, &k, &c); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
cert, key := c.Bytes(), k.Bytes()
|
||||||
|
newSecret := &v1.Secret{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: secretName,
|
Name: secretName,
|
||||||
},
|
},
|
||||||
|
|
@ -60,22 +67,31 @@ func CreateIngressTLSSecret(client kubernetes.Interface, hosts []string, secretN
|
||||||
v1.TLSPrivateKeyKey: key,
|
v1.TLSPrivateKeyKey: key,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
var s *v1.Secret
|
|
||||||
if s, err = client.CoreV1().Secrets(namespace).Get(secretName, metav1.GetOptions{}); err == nil {
|
var apierr error
|
||||||
s.Data = secret.Data
|
curSecret, err := client.CoreV1().Secrets(namespace).Get(secretName, metav1.GetOptions{})
|
||||||
_, err = client.CoreV1().Secrets(namespace).Update(s)
|
if err == nil && curSecret != nil {
|
||||||
|
curSecret.Data = newSecret.Data
|
||||||
|
_, apierr = client.CoreV1().Secrets(namespace).Update(curSecret)
|
||||||
} else {
|
} else {
|
||||||
_, err = client.CoreV1().Secrets(namespace).Create(secret)
|
_, apierr = client.CoreV1().Secrets(namespace).Create(newSecret)
|
||||||
}
|
}
|
||||||
return host, cert, key, err
|
if apierr != nil {
|
||||||
|
return nil, apierr
|
||||||
|
}
|
||||||
|
|
||||||
|
serverName := hosts[0]
|
||||||
|
return tlsConfig(serverName, cert)
|
||||||
}
|
}
|
||||||
|
|
||||||
// generateRSACerts generates a basic self signed certificate using a key length
|
// WaitForTLS waits until the TLS handshake with a given server completes successfully.
|
||||||
|
func WaitForTLS(url string, tlsConfig *tls.Config) error {
|
||||||
|
return wait.Poll(Poll, 30*time.Second, matchTLSServerName(url, tlsConfig))
|
||||||
|
}
|
||||||
|
|
||||||
|
// generateRSACert generates a basic self signed certificate using a key length
|
||||||
// of rsaBits, valid for validFor time.
|
// of rsaBits, valid for validFor time.
|
||||||
func generateRSACerts(host string, isCA bool, keyOut, certOut io.Writer) error {
|
func generateRSACert(host string, isCA bool, keyOut, certOut io.Writer) error {
|
||||||
if len(host) == 0 {
|
|
||||||
return fmt.Errorf("require a non-empty host for client hello")
|
|
||||||
}
|
|
||||||
priv, err := rsa.GenerateKey(rand.Reader, rsaBits)
|
priv, err := rsa.GenerateKey(rand.Reader, rsaBits)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to generate key: %v", err)
|
return fmt.Errorf("failed to generate key: %v", err)
|
||||||
|
|
@ -129,3 +145,37 @@ func generateRSACerts(host string, isCA bool, keyOut, certOut io.Writer) error {
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// tlsConfig returns a client TLS configuration for the given server name and
|
||||||
|
// CA certificate (PEM).
|
||||||
|
func tlsConfig(serverName string, pemCA []byte) (*tls.Config, error) {
|
||||||
|
rootCAPool := x509.NewCertPool()
|
||||||
|
if !rootCAPool.AppendCertsFromPEM(pemCA) {
|
||||||
|
return nil, fmt.Errorf("error creating CA certificate pool (%s)", serverName)
|
||||||
|
}
|
||||||
|
return &tls.Config{
|
||||||
|
ServerName: serverName,
|
||||||
|
RootCAs: rootCAPool,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// matchTLSServerName connects to the network address corresponding to the
|
||||||
|
// given URL using the given TLS configuration and returns whether the TLS
|
||||||
|
// handshake completed successfully.
|
||||||
|
func matchTLSServerName(url string, tlsConfig *tls.Config) wait.ConditionFunc {
|
||||||
|
return func() (ready bool, err error) {
|
||||||
|
u, err := net_url.Parse(url)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
conn, err := tls.Dial("tcp", u.Host, tlsConfig)
|
||||||
|
if err != nil {
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
conn.Close()
|
||||||
|
|
||||||
|
ready = true
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -184,7 +184,7 @@ var _ = framework.IngressNginxDescribe("Dynamic Configuration", func() {
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
_, _, _, err = framework.CreateIngressTLSSecret(f.KubeClientSet,
|
_, err = framework.CreateIngressTLSSecret(f.KubeClientSet,
|
||||||
ingress.Spec.TLS[0].Hosts,
|
ingress.Spec.TLS[0].Hosts,
|
||||||
ingress.Spec.TLS[0].SecretName,
|
ingress.Spec.TLS[0].SecretName,
|
||||||
ingress.Namespace)
|
ingress.Namespace)
|
||||||
|
|
|
||||||
|
|
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
|
||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
package setting
|
package settings
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
|
||||||
|
|
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
|
||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
package setting
|
package settings
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
|
||||||
|
|
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
|
||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
package setting
|
package settings
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"strings"
|
"strings"
|
||||||
|
|
|
||||||
|
|
@ -58,7 +58,7 @@ var _ = framework.IngressNginxDescribe("SSL", func() {
|
||||||
Expect(err).ToNot(HaveOccurred())
|
Expect(err).ToNot(HaveOccurred())
|
||||||
Expect(ing).ToNot(BeNil())
|
Expect(ing).ToNot(BeNil())
|
||||||
|
|
||||||
_, _, _, err = framework.CreateIngressTLSSecret(f.KubeClientSet,
|
_, err = framework.CreateIngressTLSSecret(f.KubeClientSet,
|
||||||
ing.Spec.TLS[0].Hosts,
|
ing.Spec.TLS[0].Hosts,
|
||||||
ing.Spec.TLS[0].SecretName,
|
ing.Spec.TLS[0].SecretName,
|
||||||
ing.Namespace)
|
ing.Namespace)
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue