From 87b8a5835dac2e3fe90666bc47f74020d1413892 Mon Sep 17 00:00:00 2001 
From: Shaun
Date: Wed, 26 Apr 2023 09:58:44 +0100
Subject: [PATCH] Update VirtualServer to ignore CRL for EgressMTLS (#3737)
* Update VirtualServer to ignore CRL for EgressMTLS
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
* Un-comment tests
* Fix crt and crl path in test and fix nill slice reference
* Update data files for egress MTLS tests
* Remove VSR python test
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
* Add new app.yaml file for EgressMTLS tests
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
---------
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
---
 internal/configs/virtualserver.go | 5 +
 internal/configs/virtualserver_test.go | 63 +++++--
 tests/data/common/app/secure-ca/app.yaml | 80 ++++++++
 .../policies/egress-mtls-invalid.yaml | 12 ++
 .../egress-mtls/policies/egress-mtls.yaml | 12 ++
 .../route-subroute/virtual-server-mtls.yaml | 18 ++
 .../virtual-server-route-mtls.yaml | 18 ++
 .../route-subroute/virtual-server-vsr.yaml | 9 +
 .../secret/egress-mtls-secret-crl.yaml | 8 +
 .../secret/egress-mtls-secret.yaml | 7 +
 tests/data/egress-mtls/secret/tls-secret.yaml | 8 +
 .../spec/virtual-server-mtls-diff-host.yaml | 22 +++
 .../egress-mtls/spec/virtual-server-mtls.yaml | 18 ++
 .../egress-mtls/standard/virtual-server.yaml | 22 +++
 tests/suite/test_egress_mtls.py | 175 ++++++++++++++++++
 15 files changed, 466 insertions(+), 11 deletions(-)
 create mode 100644 tests/data/common/app/secure-ca/app.yaml
 create mode 100644 tests/data/egress-mtls/policies/egress-mtls-invalid.yaml
 create mode 100644 tests/data/egress-mtls/policies/egress-mtls.yaml
 create mode 100644 tests/data/egress-mtls/route-subroute/virtual-server-mtls.yaml
 create mode 100644 tests/data/egress-mtls/route-subroute/virtual-server-route-mtls.yaml
 create mode 100644
tests/data/egress-mtls/route-subroute/virtual-server-vsr.yaml
 create mode 100644 tests/data/egress-mtls/secret/egress-mtls-secret-crl.yaml
 create mode 100644 tests/data/egress-mtls/secret/egress-mtls-secret.yaml
 create mode 100644 tests/data/egress-mtls/secret/tls-secret.yaml
 create mode 100644 tests/data/egress-mtls/spec/virtual-server-mtls-diff-host.yaml
 create mode 100644 tests/data/egress-mtls/spec/virtual-server-mtls.yaml
 create mode 100644 tests/data/egress-mtls/standard/virtual-server.yaml
 create mode 100644 tests/suite/test_egress_mtls.py
diff --git a/internal/configs/virtualserver.go b/internal/configs/virtualserver.go
index 4d2c3e95fb..bd28697689 100644
--- a/internal/configs/virtualserver.go
+++ b/internal/configs/virtualserver.go
@@ -1008,6 +1008,11 @@ func (p *policiesCfg) addEgressMTLSConfig(
 trustedSecretPath = secretRef.Path
 }
 
+ if len(trustedSecretPath) != 0 {
+ caFields := strings.Fields(trustedSecretPath)
+ trustedSecretPath = caFields[0]
+ }
+
 p.EgressMTLS = &version2.EgressMTLS{
 Certificate: tlsSecretPath,
 CertificateKey: tlsSecretPath,
diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go
index 933d4931d1..2aa856eac9 100644
--- a/internal/configs/virtualserver_test.go
+++ b/internal/configs/virtualserver_test.go
@@ -2917,9 +2917,9 @@ func TestGeneratePolicies(t *testing.T) {
 vsNamespace: "default",
 vsName: "test",
 }
- ingressMTLSCertPath := "/etc/nginx/secrets/default-ingress-mtls-secret-ca.crt"
- ingressMTLSCrlPath := "/etc/nginx/secrets/default-ingress-mtls-secret-ca.crl"
- ingressMTLSCertAndCrlPath := fmt.Sprintf("%s %s", ingressMTLSCertPath, ingressMTLSCrlPath)
+ mTLSCertPath := "/etc/nginx/secrets/default-ingress-mtls-secret-ca.crt"
+ mTLSCrlPath := "/etc/nginx/secrets/default-ingress-mtls-secret-ca.crl"
+ mTLSCertAndCrlPath := fmt.Sprintf("%s %s", mTLSCertPath, mTLSCrlPath)
 policyOpts := policyOptions{
 tls: true,
 secretRefs: map[string]*secrets.SecretReference{
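Review bot: The new `if len(trustedSecretPath) != 0` block silently discards everything after the first field of `secretRef.Path`, so when the CA secret also carries a `ca.crl` the CRL is dropped and a revoked upstream certificate is still trusted, while the IngressMTLS cases in this same patch expect the identical `crt crl` string to be split into `ClientCert` and `ClientCrl`. NGINX has a `proxy_ssl_crl` directive to pair with `proxy_ssl_trusted_certificate`, so the second field could be carried as a `TrustedCrl` on `version2.EgressMTLS` and rendered by the template instead of thrown away; if that is deliberately out of scope, the controller should at least emit a warning event so users who add a CRL learn it has no effect, and a comment here should say so. Separately, `caFields[0]` panics on a whitespace-only path because `len(trustedSecretPath) != 0` does not guard against `strings.Fields` returning an empty slice; `if fields := strings.Fields(trustedSecretPath); len(fields) > 0 { trustedSecretPath = fields[0] }` is the safe form. Whether a CA secret path ever takes a form other than `crt` or `crt crl` I cannot tell from this hunk, and `addEgressMTLSConfig` starts and ends outside it.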
@@ -2927,7 +2927,7 @@ func TestGeneratePolicies(t *testing.T) {
 Secret: &api_v1.Secret{
 Type: secrets.SecretTypeCA,
 },
- Path: ingressMTLSCertPath,
+ Path: mTLSCertPath,
 },
 "default/ingress-mtls-secret-crl": {
 Secret: &api_v1.Secret{
@@ -2936,7 +2936,7 @@ func TestGeneratePolicies(t *testing.T) {
 "ca.crl": []byte("base64crl"),
 },
 },
- Path: ingressMTLSCertAndCrlPath,
+ Path: mTLSCertAndCrlPath,
 },
 "default/egress-mtls-secret": {
 Secret: &api_v1.Secret{
@@ -2950,6 +2950,12 @@ func TestGeneratePolicies(t *testing.T) {
 },
 Path: "/etc/nginx/secrets/default-egress-trusted-ca-secret",
 },
+ "default/egress-trusted-ca-secret-crl": {
+ Secret: &api_v1.Secret{
+ Type: secrets.SecretTypeCA,
+ },
+ Path: mTLSCertAndCrlPath,
+ },
 "default/jwt-secret": {
 Secret: &api_v1.Secret{
 Type: secrets.SecretTypeJWK,
@@ -2984,7 +2990,6 @@ func TestGeneratePolicies(t *testing.T) {
 tests := []struct {
 policyRefs []conf_v1.PolicyReference
 policies map[string]*conf_v1.Policy
- policyOpts policyOptions
 context string
 expected policiesCfg
 msg string
@@ -3315,7 +3320,7 @@ func TestGeneratePolicies(t *testing.T) {
 context: "spec",
 expected: policiesCfg{
 IngressMTLS: &version2.IngressMTLS{
- ClientCert: ingressMTLSCertPath,
+ ClientCert: mTLSCertPath,
 VerifyClient: "off",
 VerifyDepth: 1,
 },
@@ -3346,8 +3351,8 @@ func TestGeneratePolicies(t *testing.T) {
 context: "spec",
 expected: policiesCfg{
 IngressMTLS: &version2.IngressMTLS{
- ClientCert: ingressMTLSCertPath,
- ClientCrl: ingressMTLSCrlPath,
+ ClientCert: mTLSCertPath,
+ ClientCrl: mTLSCrlPath,
 VerifyClient: "off",
 VerifyDepth: 1,
 },
@@ -3379,8 +3384,8 @@ func TestGeneratePolicies(t *testing.T) {
 context: "spec",
 expected: policiesCfg{
 IngressMTLS: &version2.IngressMTLS{
- ClientCert: ingressMTLSCertPath,
- ClientCrl: ingressMTLSCrlPath,
+ ClientCert: mTLSCertPath,
+ ClientCrl: mTLSCrlPath,
 VerifyClient: "off",
 VerifyDepth: 1,
 },
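Review bot: The new `default/egress-trusted-ca-secret-crl` fixture reuses `mTLSCertAndCrlPath`, whose literal names `default-ingress-mtls-secret-ca.crt`, so the egress case asserts against a path labelled as an ingress secret; a dedicated pair of constants, or a comment such as `// path string shared with the ingress fixtures; only its "crt crl" two-field shape matters here`, would stop the next reader from thinking the egress code resolves an ingress secret. The sibling `default/ingress-mtls-secret-crl` entry also carries `Data: {"ca.crl": ...}` while this one does not — harmless if `addEgressMTLSConfig` only reads `Path`, which I cannot confirm from these hunks, but worth making the two fixtures look alike. `TestGeneratePolicies` starts and ends outside the hunks.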
@@ -3423,6 +3428,42 @@ func TestGeneratePolicies(t *testing.T) {
 },
 msg: "egressMTLS reference",
 },
+ {
+ policyRefs: []conf_v1.PolicyReference{
+ {
+ Name: "egress-mtls-policy",
+ Namespace: "default",
+ },
+ },
+ policies: map[string]*conf_v1.Policy{
+ "default/egress-mtls-policy": {
+ Spec: conf_v1.PolicySpec{
+ EgressMTLS: &conf_v1.EgressMTLS{
+ TLSSecret: "egress-mtls-secret",
+ ServerName: true,
+ SessionReuse: createPointerFromBool(false),
+ TrustedCertSecret: "egress-trusted-ca-secret-crl",
+ },
+ },
+ },
+ },
+ context: "route",
+ expected: policiesCfg{
+ EgressMTLS: &version2.EgressMTLS{
+ Certificate: "/etc/nginx/secrets/default-egress-mtls-secret",
+ CertificateKey: "/etc/nginx/secrets/default-egress-mtls-secret",
+ Ciphers: "DEFAULT",
+ Protocols: "TLSv1 TLSv1.1 TLSv1.2",
+ ServerName: true,
+ SessionReuse: false,
+ VerifyDepth: 1,
+ VerifyServer: false,
+ TrustedCert: mTLSCertPath,
+ SSLName: "$proxy_host",
+ },
+ },
+ msg: "egressMTLS with crt and crl",
+ },
 {
 policyRefs: []conf_v1.PolicyReference{
 {
diff --git a/tests/data/common/app/secure-ca/app.yaml b/tests/data/common/app/secure-ca/app.yaml
new file mode 100644
index 0000000000..d0c6e4b033
--- /dev/null
+++ b/tests/data/common/app/secure-ca/app.yaml
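Review bot: The `egressMTLS with crt and crl` case pins `TrustedCert: mTLSCertPath` and has no CRL field in its expectation, so it codifies that a supplied `ca.crl` is dropped rather than checking that it is used; a comment above the case such as `// the CRL half of the CA path is intentionally not propagated to the egress config` would make that explicit, and if a `TrustedCrl` is ever added this case must change to assert it. The case also leaves `VerifyServer: false` while supplying a CRL, so even a propagated CRL would be inert here — a second case with `VerifyServer: true` would exercise the path that matters. The expected default `Protocols: "TLSv1 TLSv1.1 TLSv1.2"` shows the policy still offers TLS 1.0/1.1 to upstreams; that is pre-existing behaviour rather than something this patch introduces, but it deserves a tracking note. `TestGeneratePolicies` continues outside the hunk.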
@@ -0,0 +1,80 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: secure-app
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: secure-app
+ template:
+ metadata:
+ labels:
+ app: secure-app
+ spec:
+ containers:
+ - name: secure-app
+ image: nginxdemos/nginx-hello:plain-text
+ ports:
+ - containerPort: 8443
+ volumeMounts:
+ - name: secret
+ mountPath: /etc/nginx/ssl
+ readOnly: true
+ - name: config-volume
+ mountPath: /etc/nginx/conf.d
+ volumes:
+ - name: secret
+ secret:
+ secretName: app-tls-secret
+ - name: config-volume
+ configMap:
+ name: secure-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: secure-app
+spec:
+ ports:
+ - port: 8443
+ targetPort: 8443
+ protocol: TCP
+ name: https
+ selector:
+ app: secure-app
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: secure-config
+data:
+ app.conf: |-
+ server {
+ listen 8443 ssl;
+ listen [::]:8443 ssl;
+
+ server_name secure-app.example.com;
+
+ ssl_certificate /etc/nginx/ssl/tls.crt;
+ ssl_certificate_key /etc/nginx/ssl/tls.key;
+
+ ssl_verify_client on;
+ ssl_client_certificate /etc/nginx/ssl/ca.crt;
+
+ default_type text/plain;
+
+ location /backend1 {
+ return 200 "hello from pod $hostname\n";
+ }
+ }
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: app-tls-secret
+type: Opaque
+data:
+ tls.crt: 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
+ tls.key: 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
+ ca.crt: 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
diff --git a/tests/data/egress-mtls/policies/egress-mtls-invalid.yaml b/tests/data/egress-mtls/policies/egress-mtls-invalid.yaml
new file mode 100644
index 0000000000..ee3b0baed8
--- /dev/null
+++ b/tests/data/egress-mtls/policies/egress-mtls-invalid.yaml
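Review bot: The `config-volume` mount at `/etc/nginx/conf.d` has no `readOnly: true` while the sibling `secret` mount does; the ConfigMap is never written by the app, so `readOnly: true` on it costs nothing and keeps the two mounts consistent. The `image: nginxdemos/nginx-hello:plain-text` tag is mutable, so a run can silently pick up a different image than the one `app.conf` was written against — pinning by digest, or at least a comment naming the image version this config was validated with, would make the fixture reproducible. A one-line comment on the ConfigMap, e.g. `# ssl_verify_client on + ca.crt make this backend demand the egress client certificate; that is the whole point of this app`, would tell readers why this app exists alongside the other common apps.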
@@ -0,0 +1,12 @@
+apiVersion: k8s.nginx.org/v1
+kind: Policy
+metadata:
+ name: egress-mtls-policy
+spec:
+ egress_MTLS:
+ tlsSecret: egress-tls-secret
+ trustedCertSecret: egress-mtls-secret
+ verifyServer: on
+ verifyDepth: 2
+ serverName: on
+ sslName: secure-app.example.com
diff --git a/tests/data/egress-mtls/policies/egress-mtls.yaml b/tests/data/egress-mtls/policies/egress-mtls.yaml
new file mode 100644
index 0000000000..41726d4864
--- /dev/null
+++ b/tests/data/egress-mtls/policies/egress-mtls.yaml
@@ -0,0 +1,12 @@
+apiVersion: k8s.nginx.org/v1
+kind: Policy
+metadata:
+ name: egress-mtls-policy
+spec:
+ egressMTLS:
+ tlsSecret: egress-tls-secret
+ trustedCertSecret: egress-mtls-secret
+ verifyServer: on
+ verifyDepth: 2
+ serverName: on
+ sslName: secure-app.example.com
diff --git a/tests/data/egress-mtls/route-subroute/virtual-server-mtls.yaml b/tests/data/egress-mtls/route-subroute/virtual-server-mtls.yaml
new file mode 100644
index 0000000000..ba5b5a3dab
--- /dev/null
+++ b/tests/data/egress-mtls/route-subroute/virtual-server-mtls.yaml
@@ -0,0 +1,18 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+ name: virtual-server
+spec:
+ host: virtual-server.example.com
+ upstreams:
+ - name: secure-app
+ service: secure-app
+ port: 8443
+ tls:
+ enable: true
+ routes:
+ - path: "/backend1"
+ policies:
+ - name: egress-mtls-policy
+ action:
+ pass: secure-app
diff --git a/tests/data/egress-mtls/route-subroute/virtual-server-route-mtls.yaml b/tests/data/egress-mtls/route-subroute/virtual-server-route-mtls.yaml
new file mode 100644
index 0000000000..bfee01e4c9
--- /dev/null
+++ b/tests/data/egress-mtls/route-subroute/virtual-server-route-mtls.yaml
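Review bot: `egress-mtls-invalid.yaml` is made invalid solely by the misspelled key `egress_MTLS`, and nothing in the file says so; a reader diffing it against `egress-mtls.yaml` has to spot the underscore to understand why the test expects a 500. A header comment such as `# intentionally invalid: 'egress_MTLS' is not a recognised policy field, so the policy is rejected and the VirtualServer reports "is missing or invalid"` would document the intent. Whether the CRD prunes the unknown field into an empty spec or rejects the object outright depends on the schema, which is outside this patch, so the comment should describe the observable outcome rather than the mechanism.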
@@ -0,0 +1,18 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServerRoute
+metadata:
+ name: backends
+spec:
+ host: virtual-server-route.example.com
+ upstreams:
+ - name: secure-app
+ service: secure-app
+ port: 8443
+ tls:
+ enable: true
+ subroutes:
+ - path: "/backends/backend1"
+ policies:
+ - name: egress-mtls-policy
+ action:
+ pass: secure-app
diff --git a/tests/data/egress-mtls/route-subroute/virtual-server-vsr.yaml b/tests/data/egress-mtls/route-subroute/virtual-server-vsr.yaml
new file mode 100644
index 0000000000..b29057e887
--- /dev/null
+++ b/tests/data/egress-mtls/route-subroute/virtual-server-vsr.yaml
@@ -0,0 +1,9 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+ name: virtual-server-route
+spec:
+ host: virtual-server-route.example.com
+ routes:
+ - path: "/backends"
+ route: backends # implicit namespace
diff --git a/tests/data/egress-mtls/secret/egress-mtls-secret-crl.yaml b/tests/data/egress-mtls/secret/egress-mtls-secret-crl.yaml
new file mode 100644
index 0000000000..2ac7aae332
--- /dev/null
+++ b/tests/data/egress-mtls/secret/egress-mtls-secret-crl.yaml
@@ -0,0 +1,8 @@
+kind: Secret
+metadata:
+ name: egress-mtls-secret
+apiVersion: v1
+type: nginx.org/ca
+data:
+ ca.crt: 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
+ ca.crl: 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
diff --git a/tests/data/egress-mtls/secret/egress-mtls-secret.yaml b/tests/data/egress-mtls/secret/egress-mtls-secret.yaml
new file mode 100644
index 0000000000..690269f658
--- /dev/null
+++ b/tests/data/egress-mtls/secret/egress-mtls-secret.yaml
@@ -0,0 +1,7 @@
+kind: Secret
+metadata:
+ name: egress-mtls-secret
+apiVersion: v1
+type: nginx.org/ca
+data:
+ ca.crt: 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
diff --git a/tests/data/egress-mtls/secret/tls-secret.yaml b/tests/data/egress-mtls/secret/tls-secret.yaml
new file mode 100644
index 0000000000..988e849398
--- /dev/null
+++ b/tests/data/egress-mtls/secret/tls-secret.yaml
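Review bot: `egress-mtls-secret-crl.yaml` and `egress-mtls-secret.yaml` both declare `name: egress-mtls-secret`, presumably so that `egress-mtls.yaml` can reference either variant unchanged; since only one can exist in a namespace at a time, a comment in each file, e.g. `# same name as egress-mtls-secret.yaml on purpose: the policy references whichever variant the test creates`, would stop someone "fixing" the apparent duplicate. The CRL variant also deserves a note that the controller currently drops `ca.crl` for egress policies, so this file only shows that a CA secret carrying a CRL is accepted, not that revocation is enforced.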
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: egress-tls-secret
+type: kubernetes.io/tls
+data:
+ tls.crt: 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
+ tls.key: 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
diff --git a/tests/data/egress-mtls/spec/virtual-server-mtls-diff-host.yaml b/tests/data/egress-mtls/spec/virtual-server-mtls-diff-host.yaml
new file mode 100644
index 0000000000..2ee4084f52
--- /dev/null
+++ b/tests/data/egress-mtls/spec/virtual-server-mtls-diff-host.yaml
@@ -0,0 +1,22 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+ name: virtual-server
+spec:
+ host: virtual-server-2.example.com
+ policies:
+ - name: egress-mtls-policy
+ upstreams:
+ - name: backend2
+ service: backend2-svc
+ port: 80
+ - name: backend1
+ service: backend1-svc
+ port: 80
+ routes:
+ - path: "/backend1"
+ action:
+ pass: backend1
+ - path: "/backend2"
+ action:
+ pass: backend2
diff --git a/tests/data/egress-mtls/spec/virtual-server-mtls.yaml b/tests/data/egress-mtls/spec/virtual-server-mtls.yaml
new file mode 100644
index 0000000000..fdb76b5901
--- /dev/null
+++ b/tests/data/egress-mtls/spec/virtual-server-mtls.yaml
@@ -0,0 +1,18 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+ name: virtual-server
+spec:
+ host: virtual-server.example.com
+ policies:
+ - name: egress-mtls-policy
+ upstreams:
+ - name: secure-app
+ service: secure-app
+ port: 8443
+ tls:
+ enable: true
+ routes:
+ - path: "/backend1"
+ action:
+ pass: secure-app
diff --git a/tests/data/egress-mtls/standard/virtual-server.yaml b/tests/data/egress-mtls/standard/virtual-server.yaml
new file mode 100644
index 0000000000..9ac63fba13
--- /dev/null
+++ b/tests/data/egress-mtls/standard/virtual-server.yaml
@@ -0,0 +1,22 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+ name: virtual-server
+spec:
+ host: virtual-server.example.com
+ tls:
+ secret: tls-secret
+ upstreams:
+ - name: backend2
+ service: backend2-svc
+ port: 80
+ - name: backend1
+ service: backend1-svc
+ port: 80
+ routes:
+ - path: "/backend1"
+ action:
+ pass: backend1
+ - path: "/backend2"
+ action:
+ pass: backend2
diff --git a/tests/suite/test_egress_mtls.py b/tests/suite/test_egress_mtls.py
new file mode 100644
index 0000000000..1999886b6b
--- /dev/null
+++ b/tests/suite/test_egress_mtls.py
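Review bot: `tests/data/egress-mtls/standard/virtual-server.yaml` is not referenced anywhere in `test_egress_mtls.py` as added in this patch — the module restores the VirtualServer from `{TEST_DATA}/virtual-server/standard/virtual-server.yaml` (`std_vs_src`) instead — and it references a `tls-secret` that no other file in this patch creates. The same appears to hold for `spec/virtual-server-mtls-diff-host.yaml`, which no module constant names. Either drop the unused fixtures or point `std_vs_src` at this one and add a comment naming the test that consumes it; as it stands they will drift unnoticed.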
@@ -0,0 +1,175 @@
+import pytest
+import requests
+from settings import TEST_DATA
+from suite.utils.policy_resources_utils import create_policy_from_yaml, delete_policy
+from suite.utils.resources_utils import create_secret_from_yaml, delete_secret, wait_before_test
+from suite.utils.ssl_utils import create_sni_session
+from suite.utils.vs_vsr_resources_utils import (
+ delete_and_create_vs_from_yaml,
+ patch_v_s_route_from_yaml,
+ patch_virtual_server_from_yaml,
+ read_vs,
+ read_vsr,
+)
+
+std_vs_src = f"{TEST_DATA}/virtual-server/standard/virtual-server.yaml"
+std_vsr_src = f"{TEST_DATA}/virtual-server-route/route-multiple.yaml"
+std_vs_vsr_src = f"{TEST_DATA}/virtual-server-route/standard/virtual-server.yaml"
+
+mtls_sec_valid_src = f"{TEST_DATA}/egress-mtls/secret/egress-mtls-secret.yaml"
+mtls_sec_valid_crl_src = f"{TEST_DATA}/egress-mtls/secret/egress-mtls-secret-crl.yaml"
+tls_sec_valid_src = f"{TEST_DATA}/egress-mtls/secret/tls-secret.yaml"
+
+mtls_pol_valid_src = f"{TEST_DATA}/egress-mtls/policies/egress-mtls.yaml"
+mtls_pol_invalid_src = f"{TEST_DATA}/egress-mtls/policies/egress-mtls-invalid.yaml"
+
+mtls_vs_spec_src = f"{TEST_DATA}/egress-mtls/spec/virtual-server-mtls.yaml"
+mtls_vs_route_src = f"{TEST_DATA}/egress-mtls/route-subroute/virtual-server-mtls.yaml"
+mtls_vsr_subroute_src = f"{TEST_DATA}/egress-mtls/route-subroute/virtual-server-route-mtls.yaml"
+mtls_vs_vsr_src = f"{TEST_DATA}/egress-mtls/route-subroute/virtual-server-vsr.yaml"
+
+
+def setup_policy(kube_apis, test_namespace, mtls_secret, tls_secret, policy):
+ print(f"Create egress-mtls secret")
+ mtls_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, mtls_secret)
+
+ print(f"Create tls secret")
+ tls_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, tls_secret)
+
+ print(f"Create egress-mtls policy")
+ pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy, test_namespace)
+
+ return mtls_secret_name, tls_secret_name, pol_name
+
+
+def
teardown_policy(kube_apis, test_namespace, tls_secret, pol_name, mtls_secret):
+ print("Delete policy and related secrets")
+ delete_secret(kube_apis.v1, tls_secret, test_namespace)
+ delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
+ delete_secret(kube_apis.v1, mtls_secret, test_namespace)
+
+
+@pytest.mark.policies
+@pytest.mark.parametrize(
+ "crd_ingress_controller, virtual_server_setup",
+ [
+ (
+ {
+ "type": "complete",
+ "extra_args": [
+ f"-enable-leader-election=false",
+ ],
+ },
+ {
+ "example": "virtual-server",
+ "app_type": "secure-ca",
+ },
+ )
+ ],
+ indirect=True,
+)
+class TestEgressMtlsPolicyVS:
+ @pytest.mark.parametrize(
+ "policy_src, vs_src, mtls_ca_secret, expected_code, expected_text, vs_message, vs_state, test_description",
+ [
+ (
+ mtls_pol_valid_src,
+ mtls_vs_spec_src,
+ mtls_sec_valid_src,
+ 200,
+ "hello from pod secure-app",
+ "was added or updated",
+ "Valid",
+ "Test valid EgressMTLS policy applied to a VirtualServer spec",
+ ),
+ (
+ mtls_pol_valid_src,
+ mtls_vs_route_src,
+ mtls_sec_valid_src,
+ 200,
+ "hello from pod secure-app",
+ "was added or updated",
+ "Valid",
+ "Test valid EgressMTLS policy applied to a VirtualServer path",
+ ),
+ (
+ mtls_pol_valid_src,
+ mtls_vs_spec_src,
+ mtls_sec_valid_crl_src,
+ 200,
+ "hello from pod secure-app",
+ "was added or updated",
+ "Valid",
+ "Test valid EgressMTLS policy applied to a VirtualServer with a CRL",
+ ),
+ (
+ mtls_pol_invalid_src,
+ mtls_vs_spec_src,
+ mtls_sec_valid_src,
+ 500,
+ "Internal Server Error",
+ "is missing or invalid",
+ "Warning",
+ "Test invalid EgressMTLS policy applied to a VirtualServer",
+ ),
+ ],
+ )
+ def test_egress_mtls_policy(
+ self,
+ kube_apis,
+ crd_ingress_controller,
+ virtual_server_setup,
+ test_namespace,
+ policy_src,
+ vs_src,
+ mtls_ca_secret,
+ expected_code,
+ expected_text,
+ vs_message,
+ vs_state,
+ test_description,
+ ):
+ """
+ Test egress-mtls with valid and invalid policy in vs spec and route contexts.
+ """ + print("------------------------- {} -----------------------------------".format(test_description)) + session = create_sni_session() + mtls_secret, tls_secret, pol_name = setup_policy( + kube_apis, + test_namespace, + mtls_ca_secret, + tls_sec_valid_src, + policy_src, + ) + + print(f"Patch vs with policy: {policy_src}") + delete_and_create_vs_from_yaml( + kube_apis.custom_objects, + virtual_server_setup.vs_name, + vs_src, + virtual_server_setup.namespace, + ) + wait_before_test() + resp = session.get( + virtual_server_setup.backend_1_url, + headers={"host": virtual_server_setup.vs_host}, + allow_redirects=False, + verify=False, + ) + + vs_events = read_vs(kube_apis.custom_objects, test_namespace, virtual_server_setup.vs_name) + teardown_policy(kube_apis, test_namespace, tls_secret, pol_name, mtls_secret) + + patch_virtual_server_from_yaml( + kube_apis.custom_objects, + virtual_server_setup.vs_name, + std_vs_src, + virtual_server_setup.namespace, + ) + + assert ( + resp.status_code == expected_code + and expected_text in resp.text + and vs_message in vs_events["status"]["message"] + and vs_events["status"]["state"] == vs_state + )