Add auto-encrypt and secure terminating gateway tests (hashicorp#581)

ndhanushkodi · Aug 26, 2020 · 5565d71 · 5565d71
1 parent 9e78e7f
commit 5565d71
Show file tree

Hide file tree

Showing 7 changed files with 242 additions and 118 deletions.
diff --git a/test/acceptance/helpers/helpers.go b/test/acceptance/helpers/helpers.go
@@ -94,7 +94,7 @@ func Deploy(t *testing.T, options *k8s.KubectlOptions, noCleanupOnFailure bool,
 // to be "hello world" in a case of success.
 // If expectSuccess is true, it will expect connection to succeed,
 // otherwise it will expect failure due to intentions.
-func CheckStaticServerConnection(t *testing.T, options *k8s.KubectlOptions, deploymentName string, expectSuccess bool, curlArgs ...string) {
+func CheckStaticServerConnection(t *testing.T, options *k8s.KubectlOptions, expectSuccess bool, deploymentName string, curlArgs ...string) {
 	t.Helper()
 
 	retrier := &retry.Timer{Timeout: 20 * time.Second, Wait: 500 * time.Millisecond}

diff --git a/test/acceptance/tests/basic/basic_test.go b/test/acceptance/tests/basic/basic_test.go
@@ -31,6 +31,15 @@ func TestBasicInstallation(t *testing.T) {
 			},
 			true,
 		},
+		{
+			"Secure installation (with TLS with auto-encrypt and ACLs enabled)",
+			map[string]string{
+				"global.tls.enabled":           "true",
+				"global.tls.enableAutoEncrypt": "true",
+				"global.acls.manageSystemACLs": "true",
+			},
+			true,
+		},
 	}
 
 	for _, c := range cases {

diff --git a/test/acceptance/tests/connect/connect_inject_test.go b/test/acceptance/tests/connect/connect_inject_test.go
@@ -9,6 +9,8 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+const staticClientName = "static-client"
+
 // Test that Connect works in a default installation
 func TestConnectInjectDefault(t *testing.T) {
 	cfg := suite.Config()
@@ -28,43 +30,61 @@ func TestConnectInjectDefault(t *testing.T) {
 	helpers.Deploy(t, ctx.KubectlOptions(), cfg.NoCleanupOnFailure, "fixtures/static-client.yaml")
 
 	t.Log("checking that connection is successful")
-	helpers.CheckStaticServerConnection(t, ctx.KubectlOptions(), "static-client", true, "http://localhost:1234")
+	helpers.CheckStaticServerConnection(t, ctx.KubectlOptions(), true, staticClientName, "http://localhost:1234")
 }
 
 // Test that Connect works in a secure installation,
 // with ACLs and TLS enabled.
 func TestConnectInjectSecure(t *testing.T) {
-	cfg := suite.Config()
-	ctx := suite.Environment().DefaultContext(t)
-
-	helmValues := map[string]string{
-		"connectInject.enabled":        "true",
-		"global.tls.enabled":           "true",
-		"global.acls.manageSystemACLs": "true",
+	cases := []struct {
+		name              string
+		enableAutoEncrypt string
+	}{
+		{
+			"without auto-encrypt",
+			"false",
+		},
+		{
+			"with auto-encrypt",
+			"true",
+		},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			cfg := suite.Config()
+			ctx := suite.Environment().DefaultContext(t)
+
+			helmValues := map[string]string{
+				"connectInject.enabled":        "true",
+				"global.tls.enabled":           "true",
+				"global.tls.enableAutoEncrypt": c.enableAutoEncrypt,
+				"global.acls.manageSystemACLs": "true",
+			}
+
+			releaseName := helpers.RandomName()
+			consulCluster := framework.NewHelmCluster(t, helmValues, ctx, cfg, releaseName)
+
+			consulCluster.Create(t)
+
+			t.Log("creating static-server and static-client deployments")
+			helpers.Deploy(t, ctx.KubectlOptions(), cfg.NoCleanupOnFailure, "fixtures/static-server.yaml")
+			helpers.Deploy(t, ctx.KubectlOptions(), cfg.NoCleanupOnFailure, "fixtures/static-client.yaml")
+
+			t.Log("checking that the connection is not successful because there's no intention")
+			helpers.CheckStaticServerConnection(t, ctx.KubectlOptions(), false, staticClientName, "http://localhost:1234")
+
+			consulClient := consulCluster.SetupConsulClient(t, true)
+
+			t.Log("creating intention")
+			_, _, err := consulClient.Connect().IntentionCreate(&api.Intention{
+				SourceName:      staticClientName,
+				DestinationName: "static-server",
+				Action:          api.IntentionActionAllow,
+			}, nil)
+			require.NoError(t, err)
+
+			t.Log("checking that connection is successful")
+			helpers.CheckStaticServerConnection(t, ctx.KubectlOptions(), true, staticClientName, "http://localhost:1234")
+		})
 	}
-
-	releaseName := helpers.RandomName()
-	consulCluster := framework.NewHelmCluster(t, helmValues, ctx, cfg, releaseName)
-
-	consulCluster.Create(t)
-
-	t.Log("creating static-server and static-client deployments")
-	helpers.Deploy(t, ctx.KubectlOptions(), cfg.NoCleanupOnFailure, "fixtures/static-server.yaml")
-	helpers.Deploy(t, ctx.KubectlOptions(), cfg.NoCleanupOnFailure, "fixtures/static-client.yaml")
-
-	t.Log("checking that the connection is not successful because there's no intention")
-	helpers.CheckStaticServerConnection(t, ctx.KubectlOptions(), "static-client", false, "http://localhost:1234")
-
-	consulClient := consulCluster.SetupConsulClient(t, true)
-
-	t.Log("creating intention")
-	_, _, err := consulClient.Connect().IntentionCreate(&api.Intention{
-		SourceName:      "static-client",
-		DestinationName: "static-server",
-		Action:          api.IntentionActionAllow,
-	}, nil)
-	require.NoError(t, err)
-
-	t.Log("checking that connection is successful")
-	helpers.CheckStaticServerConnection(t, ctx.KubectlOptions(), "static-client", true, "http://localhost:1234")
 }
diff --git a/test/acceptance/tests/ingress-gateway/ingress_gateway_test.go b/test/acceptance/tests/ingress-gateway/ingress_gateway_test.go
@@ -2,6 +2,7 @@ package ingressgateway
 
 import (
 	"fmt"
+	"strconv"
 	"testing"
 
 	"github.com/hashicorp/consul-helm/test/acceptance/framework"
@@ -12,9 +13,26 @@ import (
 
 // Test that ingress gateways work in a default installation and a secure installation.
 func TestIngressGateway(t *testing.T) {
-	for _, secure := range []bool{false, true} {
-		testName := fmt.Sprintf("secure: %t", secure)
-		t.Run(testName, func(t *testing.T) {
+	cases := []struct {
+		secure      bool
+		autoEncrypt bool
+	}{
+		{
+			false,
+			false,
+		},
+		{
+			true,
+			false,
+		},
+		{
+			true,
+			true,
+		},
+	}
+	for _, c := range cases {
+		name := fmt.Sprintf("secure: %t; auto-encrypt: %t", c.secure, c.autoEncrypt)
+		t.Run(name, func(t *testing.T) {
 			ctx := suite.Environment().DefaultContext(t)
 			cfg := suite.Config()
 
@@ -24,9 +42,10 @@ func TestIngressGateway(t *testing.T) {
 				"ingressGateways.gateways[0].name":     "ingress-gateway",
 				"ingressGateways.gateways[0].replicas": "1",
 			}
-			if secure {
+			if c.secure {
 				helmValues["global.acls.manageSystemACLs"] = "true"
 				helmValues["global.tls.enabled"] = "true"
+				helmValues["global.tls.autoEncrypt"] = strconv.FormatBool(c.autoEncrypt)
 			}
 
 			releaseName := helpers.RandomName()
@@ -44,7 +63,7 @@ func TestIngressGateway(t *testing.T) {
 
 			// With the cluster up, we can create our ingress-gateway config entry.
 			t.Log("creating config entry")
-			consulClient := consulCluster.SetupConsulClient(t, secure)
+			consulClient := consulCluster.SetupConsulClient(t, c.secure)
 
 			// Create config entry
 			created, _, err := consulClient.ConfigEntries().Set(&api.IngressGatewayConfigEntry{
@@ -68,17 +87,12 @@ func TestIngressGateway(t *testing.T) {
 			k8sOptions := ctx.KubectlOptions()
 
 			// If ACLs are enabled, test that intentions prevent connections.
-			if secure {
+			if c.secure {
 				// With the ingress gateway up, we test that we can make a call to it
 				// via the bounce pod. It should fail to connect with the
 				// static-server pod because of intentions.
 				t.Log("testing intentions prevent ingress")
-				helpers.CheckStaticServerConnection(t,
-					k8sOptions,
-					"bounce",
-					false,
-					"-H", "Host: static-server.ingress.consul",
-					fmt.Sprintf("http://%s-consul-ingress-gateway:8080/", releaseName))
+				helpers.CheckStaticServerConnection(t, k8sOptions, false, "bounce", "-H", "Host: static-server.ingress.consul", fmt.Sprintf("http://%s-consul-ingress-gateway:8080/", releaseName))
 
 				// Now we create the allow intention.
 				t.Log("creating ingress-gateway => static-server intention")
@@ -93,12 +107,7 @@ func TestIngressGateway(t *testing.T) {
 			// Test that we can make a call to the ingress gateway
 			// via the bounce pod. It should route to the static-server pod.
 			t.Log("trying calls to ingress gateway")
-			helpers.CheckStaticServerConnection(t,
-				k8sOptions,
-				"bounce",
-				true,
-				"-H", "Host: static-server.ingress.consul",
-				fmt.Sprintf("http://%s-consul-ingress-gateway:8080/", releaseName))
+			helpers.CheckStaticServerConnection(t, k8sOptions, true, "bounce", "-H", "Host: static-server.ingress.consul", fmt.Sprintf("http://%s-consul-ingress-gateway:8080/", releaseName))
 		})
 	}
 }
diff --git a/test/acceptance/tests/mesh-gateway/mesh_gateway_test.go b/test/acceptance/tests/mesh-gateway/mesh_gateway_test.go
@@ -11,6 +11,8 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+const staticClientName = "static-client"
+
 // Test that Connect and wan federation over mesh gateways work in a default installation
 // i.e. without ACLs because TLS is required for WAN federation over mesh gateways
 func TestMeshGatewayDefault(t *testing.T) {
@@ -93,11 +95,7 @@ func TestMeshGatewayDefault(t *testing.T) {
 	helpers.Deploy(t, primaryContext.KubectlOptions(), cfg.NoCleanupOnFailure, "fixtures/static-client.yaml")
 
 	t.Log("checking that connection is successful")
-	helpers.CheckStaticServerConnection(t,
-		primaryContext.KubectlOptions(),
-		"static-client",
-		true,
-		"http://localhost:1234")
+	helpers.CheckStaticServerConnection(t, primaryContext.KubectlOptions(), true, staticClientName, "http://localhost:1234")
 }
 
 // Test that Connect and wan federation over mesh gateways work in a secure installation,
@@ -208,18 +206,14 @@ func TestMeshGatewaySecure(t *testing.T) {
 
 			t.Log("creating intention")
 			_, _, err = consulClient.Connect().IntentionCreate(&api.Intention{
-				SourceName:      "static-client",
+				SourceName:      staticClientName,
 				DestinationName: "static-server",
 				Action:          api.IntentionActionAllow,
 			}, nil)
 			require.NoError(t, err)
 
 			t.Log("checking that connection is successful")
-			helpers.CheckStaticServerConnection(t,
-				primaryContext.KubectlOptions(),
-				"static-client",
-				true,
-				"http://localhost:1234")
+			helpers.CheckStaticServerConnection(t, primaryContext.KubectlOptions(), true, staticClientName, "http://localhost:1234")
 		})
 	}
 }
diff --git a/test/acceptance/tests/sync/sync_catalog_test.go b/test/acceptance/tests/sync/sync_catalog_test.go
@@ -37,6 +37,16 @@ func TestSyncCatalog(t *testing.T) {
 			},
 			true,
 		},
+		{
+			"Secure installation (with TLS with auto-encrypt and ACLs enabled)",
+			map[string]string{
+				"syncCatalog.enabled":          "true",
+				"global.tls.enabled":           "true",
+				"global.tls.enableAutoEncrypt": "true",
+				"global.acls.manageSystemACLs": "true",
+			},
+			true,
+		},
 	}
 
 	for _, c := range cases {