ci: auto certs #1911

Merged
merged 3 commits into from
Aug 2, 2023
Merged
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -19,7 +19,7 @@ default: help
VERSION ?= 1.6.0


TARGET_APISIX_VERSION ?= "3.1.0-centos"
TARGET_APISIX_VERSION ?= "3.4.1-centos"
APISIX_ADMIN_API_VERSION ?= "v3"

ifeq ($(APISIX_ADMIN_API_VERSION),"v2")
96 changes: 95 additions & 1 deletion test/e2e/scaffold/ssl.go
Expand Up @@ -168,7 +168,7 @@ func (s *Scaffold) GenerateCert(t ginkgo.GinkgoTInterface, dnsNames []string) (c
Organization: []string{"Acme Co"},
},
NotBefore: time.Now(),
NotAfter: time.Now().Add(time.Hour),
NotAfter: time.Now().Add(24 * time.Hour),

KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
Expand All @@ -189,3 +189,97 @@ func (s *Scaffold) GenerateCert(t ginkgo.GinkgoTInterface, dnsNames []string) (c

return
}

// GenerateMACert used for generate MutualAuthCerts
func (s *Scaffold) GenerateMACert(t ginkgo.GinkgoTInterface, dnsNames []string) (caCertBytes, serverCertBytes, serverKeyBytes, clientCertBytes, clientKeyBytes bytes.Buffer) {
// CA cert
caKey, err := rsa.GenerateKey(rand.Reader, 2048)
assert.NoError(t, err)
caPub := caKey.Public()

serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
assert.NoError(t, err)

caTemplate := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
CommonName: dnsNames[0] + "-ca",
Organization: []string{"Acme Co"},
},
NotBefore: time.Now(),
NotAfter: time.Now().Add(24 * time.Hour),

KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
BasicConstraintsValid: true,
}

caTemplate.IsCA = true
caTemplate.KeyUsage |= x509.KeyUsageCertSign

caBytes, err := x509.CreateCertificate(rand.Reader, &caTemplate, &caTemplate, caPub, caKey)
assert.NoError(t, err)
err = pem.Encode(&caCertBytes, &pem.Block{Type: "CERTIFICATE", Bytes: caBytes})
assert.NoError(t, err)

// Server cert
serverKey, err := rsa.GenerateKey(rand.Reader, 2048)
assert.NoError(t, err)

serialNumber, err = rand.Int(rand.Reader, serialNumberLimit)
assert.NoError(t, err)

serverTemplate := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
CommonName: dnsNames[0],
Organization: []string{"Acme Co"},
},
NotBefore: time.Now(),
NotAfter: time.Now().Add(24 * time.Hour),

KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
BasicConstraintsValid: true,
}

serverBytes, err := x509.CreateCertificate(rand.Reader, &serverTemplate, &caTemplate, &serverKey.PublicKey, caKey)
assert.NoError(t, err)
err = pem.Encode(&serverCertBytes, &pem.Block{Type: "CERTIFICATE", Bytes: serverBytes})
assert.NoError(t, err)
serverKeyBytesD, err := x509.MarshalPKCS8PrivateKey(serverKey)
assert.NoError(t, err)
err = pem.Encode(&serverKeyBytes, &pem.Block{Type: "PRIVATE KEY", Bytes: serverKeyBytesD})

// Client cert
clientKey, err := rsa.GenerateKey(rand.Reader, 2048)
assert.NoError(t, err)

serialNumber, err = rand.Int(rand.Reader, serialNumberLimit)
assert.NoError(t, err)

clientTemplate := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
CommonName: dnsNames[0] + "-client",
Organization: []string{"Acme Co"},
},
NotBefore: time.Now(),
NotAfter: time.Now().Add(24 * time.Hour),

KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
BasicConstraintsValid: true,
}

clientBytes, err := x509.CreateCertificate(rand.Reader, &clientTemplate, &caTemplate, &clientKey.PublicKey, caKey)
assert.NoError(t, err)
err = pem.Encode(&clientCertBytes, &pem.Block{Type: "CERTIFICATE", Bytes: clientBytes})
assert.NoError(t, err)
clientKeyBytesD, err := x509.MarshalPKCS8PrivateKey(clientKey)
assert.NoError(t, err)
err = pem.Encode(&clientKeyBytes, &pem.Block{Type: "PRIVATE KEY", Bytes: clientKeyBytesD})

return
}
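Review bot: In `GenerateMACert` neither `serverTemplate` nor `clientTemplate` sets `DNSNames`, so `dnsNames` only reaches `CommonName` and the leaf certificates carry no subject alternative name. Current Go releases do not fall back to CommonName for hostname matching, so a client that verifies the server name against these certs would reject them; adding `DNSNames: dnsNames,` to `serverTemplate` would let the fixture exercise real hostname verification. The results of the two `pem.Encode` calls that write `serverKeyBytes` and `clientKeyBytes` are assigned to `err` but never checked (the first is overwritten by the next `rsa.GenerateKey`), so each needs `assert.NoError(t, err)` after it. `serverTemplate` also carries `x509.KeyUsageCertSign` without `IsCA`, which a leaf does not need, and both leaves get both `ExtKeyUsageServerAuth` and `ExtKeyUsageClientAuth` where one each would match their roles. `dnsNames[0]` is read without a length check, so an empty slice panics instead of failing the test cleanly.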
3 changes: 2 additions & 1 deletion test/e2e/suite-features/external-service.go
Expand Up @@ -21,6 +21,7 @@ import (
"fmt"
"net/http"
"reflect"
"strings"
"time"

"github.com/apache/apisix-ingress-controller/pkg/id"
Expand Down Expand Up @@ -385,7 +386,7 @@ spec:
for _, header := range value {
switch vv := header.(type) {
case string:
if vv == "httpbun" {
if strings.HasPrefix(vv, "httpbun") {
hasPoweredBy = true
break forloop
}
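Review bot: The relaxed check `strings.HasPrefix(vv, "httpbun")` has no comment saying what the header value is now expected to look like, so a reader cannot tell how loose the match is meant to be. A line above the `if` such as `// value may carry a suffix after the product name; match the "httpbun" prefix only` would record the intent, worded to whatever the backend actually returns. The enclosing loop and the rest of the test body lie outside the hunk.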
221 changes: 7 additions & 214 deletions test/e2e/suite-ingress/suite-ingress-resource/ssl.go
Expand Up @@ -246,230 +246,23 @@ var _ = ginkgo.Describe("suite-ingress-resource: ApisixTls mTLS Test", func() {
// RootCA -> UserCert
// These certs come from mTLS practice

rootCA := `-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----`

serverCertSecret := `server-secret`
serverCert := `-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----`

serverKey := `-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----`

clientCASecret := `client-ca-secret`
clientCert := `-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----`

clientKey := `-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
`

suites := func(scaffoldFunc func() *scaffold.Scaffold) {
s := scaffoldFunc()
ginkgo.It("create a SSL with client CA", func() {
// create secrets
err := s.NewSecret(serverCertSecret, serverCert, serverKey)
host := "mtls.httpbin.local"
rootCA, serverCert, serverKey, clientCert, clientKey := s.GenerateMACert(ginkgo.GinkgoT(), []string{host})

err := s.NewSecret(serverCertSecret, serverCert.String(), serverKey.String())
assert.Nil(ginkgo.GinkgoT(), err, "create server cert secret error")
err = s.NewClientCASecret(clientCASecret, rootCA, "")
err = s.NewClientCASecret(clientCASecret, rootCA.String(), "")
assert.Nil(ginkgo.GinkgoT(), err, "create client CA cert secret error")

// create ApisixTls resource
tlsName := "tls-with-client-ca"
host := "mtls.httpbin.local"
err = s.NewApisixTlsWithClientCA(tlsName, host, serverCertSecret, clientCASecret)
assert.Nil(ginkgo.GinkgoT(), err, "create ApisixTls with client CA error")
// check ssl in APISIX
Expand Down Expand Up @@ -504,10 +297,10 @@ spec:

// With client cert
caCertPool := x509.NewCertPool()
ok := caCertPool.AppendCertsFromPEM([]byte(rootCA))
ok := caCertPool.AppendCertsFromPEM([]byte(rootCA.String()))
assert.True(ginkgo.GinkgoT(), ok, "Append cert to CA pool")

cert, err := tls.X509KeyPair([]byte(clientCert), []byte(clientKey))
cert, err := tls.X509KeyPair([]byte(clientCert.String()), []byte(clientKey.String()))
assert.Nil(ginkgo.GinkgoT(), err, "generate cert")

s.NewAPISIXHttpsClientWithCertificates(host, true, caCertPool, []tls.Certificate{cert}).
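Review bot: The comment lines `// RootCA -> UserCert` and `// These certs come from mTLS practice` at the top of the first hunk appear to remain as context, but the certificates are now produced on each run by `s.GenerateMACert`, so the comment no longer says where they come from. Something like `// CA, server and client certs are generated per test run by GenerateMACert` would be accurate. In the second hunk `[]byte(rootCA.String())`, `[]byte(clientCert.String())` and `[]byte(clientKey.String())` convert twice; `rootCA.Bytes()`, `clientCert.Bytes()` and `clientKey.Bytes()` yield the same bytes directly. The `Describe` body continues outside both hunks.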