From 1eaabb7824aa7c3cc489b66fb7933bb298605c73 Mon Sep 17 00:00:00 2001
From: Iryna Shustava
Date: Thu, 29 Jul 2021 18:55:38 -0600
Subject: [PATCH] acceptance-tests: disable DNS by default in tests to avoid false positives (#1058)
---
 .circleci/config.yml | 2 +-
 .../framework/consul/consul_cluster.go | 4 +++
 .../framework/consul/consul_cluster_test.go | 3 ++
 .../tests/consul-dns/consul_dns_test.go | 30 +++++++------------
 4 files changed, 18 insertions(+), 21 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 098e8c3db..85f0761c6 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -55,7 +55,7 @@ commands:
 type: string
 consul-k8s-image:
 type: string
- default: "docker.mirror.hashicorp.services/hashicorpdev/consul-k8s:latest"
+ default: "hashicorpdev/consul-k8s:2dfffed"
 steps:
 - when:
 condition: << parameters.failfast >>
diff --git a/test/acceptance/framework/consul/consul_cluster.go b/test/acceptance/framework/consul/consul_cluster.go
index efaf94a03..00e7e7f77 100644
--- a/test/acceptance/framework/consul/consul_cluster.go
+++ b/test/acceptance/framework/consul/consul_cluster.go
@@ -77,6 +77,10 @@ func NewHelmCluster(
 "server.bootstrapExpect": "1",
 "connectInject.envoyExtraArgs": "--log-level debug",
 "connectInject.logLevel": "debug",
+ // Disable DNS since enabling it changes the policy for the anonymous token,
+ // which could result in tests passing due to that token having privileges to read services
+ // (false positive).
+ "dns.enabled": "false",
 }
 valuesFromConfig, err := cfg.HelmValuesFromConfig()
 require.NoError(t, err)
diff --git a/test/acceptance/framework/consul/consul_cluster_test.go b/test/acceptance/framework/consul/consul_cluster_test.go
index c65f1b5b2..a63fd023a 100644
--- a/test/acceptance/framework/consul/consul_cluster_test.go
+++ b/test/acceptance/framework/consul/consul_cluster_test.go
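Review bot: In `.circleci/config.yml` the new `consul-k8s-image` default, `hashicorpdev/consul-k8s:2dfffed`, is a tag on a dev repository that can be re-pushed, and it drops the `docker.mirror.hashicorp.services/` prefix the old value had, so CI would presumably pull straight from the public registry. The commit subject mentions neither change. If the pin is temporary, a comment above the line such as `# Temporary pin to a dev build; return to the mirrored :latest once released` would record that (the reason is my guess, reword as needed). If it is meant to stay, pinning by digest, `default: "hashicorpdev/consul-k8s:2dfffed@sha256:<digest-placeholder>"`, makes the image immutable.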
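Review bot: The comment added above `"dns.enabled": "false"` in NewHelmCluster (consul_cluster.go) leaves out that this is only a default. The updated expectations in consul_cluster_test.go show a caller-supplied `"dns.enabled": "true"` winning over it, so the false-positive protection holds only until a test opts back in. I would add one more comment line: `// Tests that need DNS must set "dns.enabled": "true" themselves and should not also assert that anonymous requests are denied.` NewHelmCluster starts and ends outside this hunk, so the merge order itself is not visible here.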
@@ -29,6 +29,7 @@ func TestNewHelmCluster(t *testing.T) {
 "connectInject.envoyExtraArgs": "--log-level debug",
 "connectInject.logLevel": "debug",
 "connectInject.transparentProxy.defaultEnabled": "false",
+ "dns.enabled": "false",
 },
 },
 {
@@ -40,6 +41,7 @@ func TestNewHelmCluster(t *testing.T) {
 "connectInject.envoyExtraArgs": "--foo",
 "connectInject.logLevel": "debug",
 "connectInject.transparentProxy.defaultEnabled": "true",
+ "dns.enabled": "true",
 "feature.enabled": "true",
 },
 want: map[string]string{
@@ -49,6 +51,7 @@ func TestNewHelmCluster(t *testing.T) {
 "connectInject.envoyExtraArgs": "--foo",
 "connectInject.logLevel": "debug",
 "connectInject.transparentProxy.defaultEnabled": "true",
+ "dns.enabled": "true",
 "feature.enabled": "true",
 },
 },
diff --git a/test/acceptance/tests/consul-dns/consul_dns_test.go b/test/acceptance/tests/consul-dns/consul_dns_test.go
index a2bbdf7cd..2ad2b7e64 100644
--- a/test/acceptance/tests/consul-dns/consul_dns_test.go
+++ b/test/acceptance/tests/consul-dns/consul_dns_test.go
@@ -3,6 +3,7 @@ package consuldns
 import (
 "context"
 "fmt"
+ "strconv"
 "testing"
 "github.com/hashicorp/consul-helm/test/acceptance/framework/consul"
@@ -16,30 +17,19 @@ import (
 const podName = "dns-pod"
 func TestConsulDNS(t *testing.T) {
- cases := []struct {
- name string
- helmValues map[string]string
- }{
- {
- "Default installation",
- nil,
- },
- {
- "Secure installation (with TLS and ACLs enabled)",
- map[string]string{
- "global.tls.enabled": "true",
- "global.acls.manageSystemACLs": "true",
- },
- },
- }
-
- for _, c := range cases {
- t.Run(c.name, func(t *testing.T) {
+ for _, secure := range []bool{false, true} {
+ name := fmt.Sprintf("secure: %t", secure)
+ t.Run(name, func(t *testing.T) {
 env := suite.Environment()
 ctx := env.DefaultContext(t)
 releaseName := helpers.RandomName()
- cluster := consul.NewHelmCluster(t, c.helmValues, ctx, suite.Config(), releaseName)
+ helmValues := map[string]string{
+ "dns.enabled": "true",
+ "global.tls.enabled": strconv.FormatBool(secure),
+ "global.acls.manageSystemACLs": strconv.FormatBool(secure),
+ }
+ cluster := consul.NewHelmCluster(t, helmValues, ctx, suite.Config(), releaseName)
 cluster.Create(t)
 k8sClient := ctx.KubernetesClient(t)
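Review bot: In TestConsulDNS the new `helmValues` map turns `dns.enabled` back on without a comment. In the `secure: true` run that combines it with `global.acls.manageSystemACLs`, which is the combination the comment in consul_cluster.go says changes the anonymous token policy. A line above the map such as `// DNS is off by default in the test framework; this test needs it. With ACLs on, enabling it changes the anonymous token policy.` would keep the map from being copied into tests that check ACL enforcement. The test body continues past the end of the hunk, so what the DNS lookup itself relies on is not visible here.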