From 4e6978ffef2c6f7da5acff8dcd991c86b4510e4b Mon Sep 17 00:00:00 2001
From: shaun-nx
Date: Fri, 7 Apr 2023 18:18:05 +0100
Subject: [PATCH 1/9] Update VirtualServer to ignore CRL for EgressMTLS
---
internal/configs/virtualserver.go | 4 +-
internal/configs/virtualserver_test.go | 989 +++++++++---------
.../policies/egress-mtls-invalid.yaml | 12 +
.../egress-mtls/policies/egress-mtls.yaml | 12 +
.../route-subroute/virtual-server-mtls.yaml | 22 +
.../virtual-server-route-mtls.yaml | 22 +
.../route-subroute/virtual-server-vsr.yaml | 11 +
.../secret/egress-mtls-secret-crl.yaml | 8 +
.../secret/egress-mtls-secret.yaml | 7 +
tests/data/egress-mtls/secret/tls-secret.yaml | 8 +
.../spec/virtual-server-mtls-diff-host.yaml | 22 +
.../egress-mtls/spec/virtual-server-mtls.yaml | 22 +
.../egress-mtls/standard/virtual-server.yaml | 22 +
tests/suite/test_egress_mtls.py | 309 ++++++
14 files changed, 995 insertions(+), 475 deletions(-)
create mode 100644 tests/data/egress-mtls/policies/egress-mtls-invalid.yaml
create mode 100644 tests/data/egress-mtls/policies/egress-mtls.yaml
create mode 100644 tests/data/egress-mtls/route-subroute/virtual-server-mtls.yaml
create mode 100644 tests/data/egress-mtls/route-subroute/virtual-server-route-mtls.yaml
create mode 100644 tests/data/egress-mtls/route-subroute/virtual-server-vsr.yaml
create mode 100644 tests/data/egress-mtls/secret/egress-mtls-secret-crl.yaml
create mode 100644 tests/data/egress-mtls/secret/egress-mtls-secret.yaml
create mode 100644 tests/data/egress-mtls/secret/tls-secret.yaml
create mode 100644 tests/data/egress-mtls/spec/virtual-server-mtls-diff-host.yaml
create mode 100644 tests/data/egress-mtls/spec/virtual-server-mtls.yaml
create mode 100644 tests/data/egress-mtls/standard/virtual-server.yaml
create mode 100644 tests/suite/test_egress_mtls.py
diff --git a/internal/configs/virtualserver.go b/internal/configs/virtualserver.go
index fc41497d87..bc4be274d0 100644
--- a/internal/configs/virtualserver.go
+++ b/internal/configs/virtualserver.go @@ -998,6 +998,8 @@ func (p *policiesCfg) addEgressMTLSConfig( trustedSecretPath = secretRef.Path } + caFields := strings.Fields(trustedSecretPath) + p.EgressMTLS = &version2.EgressMTLS{ Certificate: tlsSecretPath, CertificateKey: tlsSecretPath, @@ -1007,7 +1009,7 @@ func (p *policiesCfg) addEgressMTLSConfig( VerifyDepth: generateIntFromPointer(egressMTLS.VerifyDepth, 1), SessionReuse: generateBool(egressMTLS.SessionReuse, true), ServerName: egressMTLS.ServerName, - TrustedCert: trustedSecretPath, + TrustedCert: caFields[0], SSLName: generateString(egressMTLS.SSLName, "$proxy_host"), } return res diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go index d42f538d8f..7390a110eb 100644 --- a/internal/configs/virtualserver_test.go +++ b/internal/configs/virtualserver_test.go @@ -2691,9 +2691,9 @@ func TestGeneratePolicies(t *testing.T) { vsNamespace: "default", vsName: "test", } - ingressMTLSCertPath := "/etc/nginx/secrets/default-ingress-mtls-secret-ca.crt" - ingressMTLSCrlPath := "/etc/nginx/secrets/default-ingress-mtls-secret-ca.crl" - ingressMTLSCertAndCrlPath := fmt.Sprintf("%s %s", ingressMTLSCertPath, ingressMTLSCrlPath) + mTLSCertPath := "/etc/nginx/secrets/default-mtls-secret-ca.crt" + mTLSCrlPath := "/etc/nginx/secrets/default-mtls-secret-ca.crl" + mTLSCertAndCrlPath := fmt.Sprintf("%s %s", mTLSCertPath, mTLSCrlPath) policyOpts := policyOptions{ tls: true, secretRefs: map[string]*secrets.SecretReference{ @@ -2701,7 +2701,7 @@ func TestGeneratePolicies(t *testing.T) { Secret: &api_v1.Secret{ Type: secrets.SecretTypeCA, }, - Path: ingressMTLSCertPath, + Path: mTLSCertPath, }, "default/ingress-mtls-secret-crl": { Secret: &api_v1.Secret{ @@ -2710,7 +2710,7 @@ func TestGeneratePolicies(t *testing.T) { "ca.crl": []byte("base64crl"), }, }, - Path: ingressMTLSCertAndCrlPath, + Path: mTLSCertAndCrlPath, }, "default/egress-mtls-secret": { Secret: &api_v1.Secret{ 
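Review bot: `TrustedCert: caFields[0]` indexes the result of `strings.Fields(trustedSecretPath)` without a length check, and `strings.Fields` returns an empty slice for an empty or all-whitespace string. The assignment `trustedSecretPath = secretRef.Path` sits inside a block that closes just above the new line, so the path looks optional; if a policy can omit `trustedCertSecret`, config generation would panic with an index-out-of-range in the controller instead of emitting an empty `TrustedCert`. Guard it with `trustedCert := ""` followed by `if f := strings.Fields(trustedSecretPath); len(f) > 0 { trustedCert = f[0] }`, and use `TrustedCert: trustedCert` in the second hunk (@@ -1007,7 +1009,7 @@). A comment such as `// A CA secret path may be "<crt> <crl>"; EgressMTLS uses only the certificate, so upstream revocation is not checked.` would also make the dropped CRL explicit. addEgressMTLSConfig starts and ends outside both hunks.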
@@ -2724,6 +2724,12 @@ func TestGeneratePolicies(t *testing.T) { }, Path: "/etc/nginx/secrets/default-egress-trusted-ca-secret", }, + "default/egress-trusted-ca-secret-crl": { + Secret: &api_v1.Secret{ + Type: secrets.SecretTypeCA, + }, + Path: mTLSCertAndCrlPath, + }, "default/jwt-secret": { Secret: &api_v1.Secret{ Type: secrets.SecretTypeJWK, 
@@ -2758,409 +2764,444 @@ func TestGeneratePolicies(t *testing.T) { tests := []struct { policyRefs []conf_v1.PolicyReference policies map[string]*conf_v1.Policy - policyOpts policyOptions context string expected policiesCfg msg string }{ - { - policyRefs: []conf_v1.PolicyReference{ - { - Name: "allow-policy", - Namespace: "default", - }, - }, - policies: map[string]*conf_v1.Policy{ - "default/allow-policy": { - Spec: conf_v1.PolicySpec{ - AccessControl: &conf_v1.AccessControl{ - Allow: []string{"127.0.0.1"}, - }, - }, - }, - }, - expected: policiesCfg{ - Allow: []string{"127.0.0.1"}, - }, - msg: "explicit reference", - }, - { - policyRefs: []conf_v1.PolicyReference{ - { - Name: "allow-policy", - }, - }, - policies: map[string]*conf_v1.Policy{ - "default/allow-policy": { - Spec: conf_v1.PolicySpec{ - AccessControl: &conf_v1.AccessControl{ - Allow: []string{"127.0.0.1"}, - }, - }, - }, - }, - expected: policiesCfg{ - Allow: []string{"127.0.0.1"}, - }, - msg: "implicit reference", - }, - { - policyRefs: []conf_v1.PolicyReference{ - { - Name: "allow-policy-1", - }, - { - Name: "allow-policy-2", - }, - }, - policies: map[string]*conf_v1.Policy{ - "default/allow-policy-1": { - Spec: conf_v1.PolicySpec{ - AccessControl: &conf_v1.AccessControl{ - Allow: []string{"127.0.0.1"}, - }, - }, - }, - "default/allow-policy-2": { - Spec: conf_v1.PolicySpec{ - AccessControl: &conf_v1.AccessControl{ - Allow: []string{"127.0.0.2"}, - }, - }, - }, - }, - expected: policiesCfg{ - Allow: []string{"127.0.0.1", "127.0.0.2"}, - }, - msg: "merging", - }, - { - policyRefs: []conf_v1.PolicyReference{ - { - Name: "rateLimit-policy", - Namespace: "default", - }, - }, - policies: map[string]*conf_v1.Policy{ - "default/rateLimit-policy": { - Spec: conf_v1.PolicySpec{ - RateLimit: &conf_v1.RateLimit{ - Key: "test", - ZoneSize: "10M", - Rate: "10r/s", - LogLevel: "notice", - }, - }, - }, - }, - expected: policiesCfg{ - LimitReqZones: []version2.LimitReqZone{ - { - Key: "test", - ZoneSize: "10M", - 
Rate: "10r/s", - ZoneName: "pol_rl_default_rateLimit-policy_default_test", - }, - }, - LimitReqOptions: version2.LimitReqOptions{ - LogLevel: "notice", - RejectCode: 503, - }, - LimitReqs: []version2.LimitReq{ - { - ZoneName: "pol_rl_default_rateLimit-policy_default_test", - }, - }, - }, - msg: "rate limit reference", - }, - { - policyRefs: []conf_v1.PolicyReference{ - { - Name: "rateLimit-policy", - Namespace: "default", - }, - { - Name: "rateLimit-policy2", - Namespace: "default", - }, - }, - policies: map[string]*conf_v1.Policy{ - "default/rateLimit-policy": { - Spec: conf_v1.PolicySpec{ - RateLimit: &conf_v1.RateLimit{ - Key: "test", - ZoneSize: "10M", - Rate: "10r/s", - }, - }, - }, - "default/rateLimit-policy2": { - Spec: conf_v1.PolicySpec{ - RateLimit: &conf_v1.RateLimit{ - Key: "test2", - ZoneSize: "20M", - Rate: "20r/s", - }, - }, - }, - }, - expected: policiesCfg{ - LimitReqZones: []version2.LimitReqZone{ - { - Key: "test", - ZoneSize: "10M", - Rate: "10r/s", - ZoneName: "pol_rl_default_rateLimit-policy_default_test", - }, - { - Key: "test2", - ZoneSize: "20M", - Rate: "20r/s", - ZoneName: "pol_rl_default_rateLimit-policy2_default_test", - }, - }, - LimitReqOptions: version2.LimitReqOptions{ - LogLevel: "error", - RejectCode: 503, - }, - LimitReqs: []version2.LimitReq{ - { - ZoneName: "pol_rl_default_rateLimit-policy_default_test", - }, - { - ZoneName: "pol_rl_default_rateLimit-policy2_default_test", - }, - }, - }, - msg: "multi rate limit reference", - }, - { - policyRefs: []conf_v1.PolicyReference{ - { - Name: "jwt-policy", - Namespace: "default", - }, - }, - policies: map[string]*conf_v1.Policy{ - "default/jwt-policy": { - ObjectMeta: meta_v1.ObjectMeta{ - Name: "jwt-policy", - Namespace: "default", - }, - Spec: conf_v1.PolicySpec{ - JWTAuth: &conf_v1.JWTAuth{ - Realm: "My Test API", - Secret: "jwt-secret", - }, - }, - }, - }, - expected: policiesCfg{ - JWTAuth: &version2.JWTAuth{ - Secret: "/etc/nginx/secrets/default-jwt-secret", - Realm: "My Test 
API", - }, - }, - msg: "jwt reference", - }, - { - policyRefs: []conf_v1.PolicyReference{ - { - Name: "jwt-policy-2", - Namespace: "default", - }, - }, - policies: map[string]*conf_v1.Policy{ - "default/jwt-policy-2": { - ObjectMeta: meta_v1.ObjectMeta{ - Name: "jwt-policy", - Namespace: "default", - }, - Spec: conf_v1.PolicySpec{ - JWTAuth: &conf_v1.JWTAuth{ - Realm: "My Test API", - JwksURI: "https://idp.example.com:443/keys", - KeyCache: "1h", - }, - }, - }, - }, - expected: policiesCfg{ - JWTAuth: &version2.JWTAuth{ - Realm: "My Test API", - JwksURI: version2.JwksURI{ - JwksScheme: "https", - JwksHost: "idp.example.com", - JwksPort: "443", - JwksPath: "/keys", - }, - KeyCache: "1h", - }, - }, - msg: "Basic jwks example", - }, - { - policyRefs: []conf_v1.PolicyReference{ - { - Name: "jwt-policy-2", - Namespace: "default", - }, - }, - policies: map[string]*conf_v1.Policy{ - "default/jwt-policy-2": { - ObjectMeta: meta_v1.ObjectMeta{ - Name: "jwt-policy", - Namespace: "default", - }, - Spec: conf_v1.PolicySpec{ - JWTAuth: &conf_v1.JWTAuth{ - Realm: "My Test API", - JwksURI: "https://idp.example.com/keys", - KeyCache: "1h", - }, - }, - }, - }, - expected: policiesCfg{ - JWTAuth: &version2.JWTAuth{ - Realm: "My Test API", - JwksURI: version2.JwksURI{ - JwksScheme: "https", - JwksHost: "idp.example.com", - JwksPort: "", - JwksPath: "/keys", - }, - KeyCache: "1h", - }, - }, - msg: "Basic jwks example, no port in JwksURI", - }, - { - policyRefs: []conf_v1.PolicyReference{ - { - Name: "basic-auth-policy", - Namespace: "default", - }, - }, - policies: map[string]*conf_v1.Policy{ - "default/basic-auth-policy": { - ObjectMeta: meta_v1.ObjectMeta{ - Name: "basic-auth-policy", - Namespace: "default", - }, - Spec: conf_v1.PolicySpec{ - BasicAuth: &conf_v1.BasicAuth{ - Realm: "My Test API", - Secret: "htpasswd-secret", - }, - }, - }, - }, - expected: policiesCfg{ - BasicAuth: &version2.BasicAuth{ - Secret: "/etc/nginx/secrets/default-htpasswd-secret", - Realm: "My Test API", - 
}, - }, - msg: "basic auth reference", - }, - { - policyRefs: []conf_v1.PolicyReference{ - { - Name: "ingress-mtls-policy", - Namespace: "default", - }, - }, - policies: map[string]*conf_v1.Policy{ - "default/ingress-mtls-policy": { - ObjectMeta: meta_v1.ObjectMeta{ - Name: "ingress-mtls-policy", - Namespace: "default", - }, - Spec: conf_v1.PolicySpec{ - IngressMTLS: &conf_v1.IngressMTLS{ - ClientCertSecret: "ingress-mtls-secret", - VerifyClient: "off", - }, - }, - }, - }, - context: "spec", - expected: policiesCfg{ - IngressMTLS: &version2.IngressMTLS{ - ClientCert: ingressMTLSCertPath, - VerifyClient: "off", - VerifyDepth: 1, - }, - }, - msg: "ingressMTLS reference", - }, - { - policyRefs: []conf_v1.PolicyReference{ - { - Name: "ingress-mtls-policy-crl", - Namespace: "default", - }, - }, - policies: map[string]*conf_v1.Policy{ - "default/ingress-mtls-policy-crl": { - ObjectMeta: meta_v1.ObjectMeta{ - Name: "ingress-mtls-policy-crl", - Namespace: "default", - }, - Spec: conf_v1.PolicySpec{ - IngressMTLS: &conf_v1.IngressMTLS{ - ClientCertSecret: "ingress-mtls-secret-crl", - VerifyClient: "off", - }, - }, - }, - }, - context: "spec", - expected: policiesCfg{ - IngressMTLS: &version2.IngressMTLS{ - ClientCert: ingressMTLSCertPath, - ClientCrl: ingressMTLSCrlPath, - VerifyClient: "off", - VerifyDepth: 1, - }, - }, - msg: "ingressMTLS reference with ca.crl field in secret", - }, - { - policyRefs: []conf_v1.PolicyReference{ - { - Name: "ingress-mtls-policy-crl", - Namespace: "default", - }, - }, - policies: map[string]*conf_v1.Policy{ - "default/ingress-mtls-policy-crl": { - ObjectMeta: meta_v1.ObjectMeta{ - Name: "ingress-mtls-policy-crl", - Namespace: "default", - }, - Spec: conf_v1.PolicySpec{ - IngressMTLS: &conf_v1.IngressMTLS{ - ClientCertSecret: "ingress-mtls-secret", - CrlFileName: "default-ingress-mtls-secret-ca.crl", - VerifyClient: "off", - }, - }, - }, - }, - context: "spec", - expected: policiesCfg{ - IngressMTLS: &version2.IngressMTLS{ - ClientCert: 
ingressMTLSCertPath, - ClientCrl: ingressMTLSCrlPath, - VerifyClient: "off", - VerifyDepth: 1, - }, - }, - msg: "ingressMTLS reference with crl field in policy", - }, + //{ + // policyRefs: []conf_v1.PolicyReference{ + // { + // Name: "allow-policy", + // Namespace: "default", + // }, + // }, + // policies: map[string]*conf_v1.Policy{ + // "default/allow-policy": { + // Spec: conf_v1.PolicySpec{ + // AccessControl: &conf_v1.AccessControl{ + // Allow: []string{"127.0.0.1"}, + // }, + // }, + // }, + // }, + // expected: policiesCfg{ + // Allow: []string{"127.0.0.1"}, + // }, + // msg: "explicit reference", + //}, + //{ + // policyRefs: []conf_v1.PolicyReference{ + // { + // Name: "allow-policy", + // }, + // }, + // policies: map[string]*conf_v1.Policy{ + // "default/allow-policy": { + // Spec: conf_v1.PolicySpec{ + // AccessControl: &conf_v1.AccessControl{ + // Allow: []string{"127.0.0.1"}, + // }, + // }, + // }, + // }, + // expected: policiesCfg{ + // Allow: []string{"127.0.0.1"}, + // }, + // msg: "implicit reference", + //}, + //{ + // policyRefs: []conf_v1.PolicyReference{ + // { + // Name: "allow-policy-1", + // }, + // { + // Name: "allow-policy-2", + // }, + // }, + // policies: map[string]*conf_v1.Policy{ + // "default/allow-policy-1": { + // Spec: conf_v1.PolicySpec{ + // AccessControl: &conf_v1.AccessControl{ + // Allow: []string{"127.0.0.1"}, + // }, + // }, + // }, + // "default/allow-policy-2": { + // Spec: conf_v1.PolicySpec{ + // AccessControl: &conf_v1.AccessControl{ + // Allow: []string{"127.0.0.2"}, + // }, + // }, + // }, + // }, + // expected: policiesCfg{ + // Allow: []string{"127.0.0.1", "127.0.0.2"}, + // }, + // msg: "merging", + //}, + //{ + // policyRefs: []conf_v1.PolicyReference{ + // { + // Name: "rateLimit-policy", + // Namespace: "default", + // }, + // }, + // policies: map[string]*conf_v1.Policy{ + // "default/rateLimit-policy": { + // Spec: conf_v1.PolicySpec{ + // RateLimit: &conf_v1.RateLimit{ + // Key: "test", + // ZoneSize: 
"10M", + // Rate: "10r/s", + // LogLevel: "notice", + // }, + // }, + // }, + // }, + // expected: policiesCfg{ + // LimitReqZones: []version2.LimitReqZone{ + // { + // Key: "test", + // ZoneSize: "10M", + // Rate: "10r/s", + // ZoneName: "pol_rl_default_rateLimit-policy_default_test", + // }, + // }, + // LimitReqOptions: version2.LimitReqOptions{ + // LogLevel: "notice", + // RejectCode: 503, + // }, + // LimitReqs: []version2.LimitReq{ + // { + // ZoneName: "pol_rl_default_rateLimit-policy_default_test", + // }, + // }, + // }, + // msg: "rate limit reference", + //}, + //{ + // policyRefs: []conf_v1.PolicyReference{ + // { + // Name: "rateLimit-policy", + // Namespace: "default", + // }, + // { + // Name: "rateLimit-policy2", + // Namespace: "default", + // }, + // }, + // policies: map[string]*conf_v1.Policy{ + // "default/rateLimit-policy": { + // Spec: conf_v1.PolicySpec{ + // RateLimit: &conf_v1.RateLimit{ + // Key: "test", + // ZoneSize: "10M", + // Rate: "10r/s", + // }, + // }, + // }, + // "default/rateLimit-policy2": { + // Spec: conf_v1.PolicySpec{ + // RateLimit: &conf_v1.RateLimit{ + // Key: "test2", + // ZoneSize: "20M", + // Rate: "20r/s", + // }, + // }, + // }, + // }, + // expected: policiesCfg{ + // LimitReqZones: []version2.LimitReqZone{ + // { + // Key: "test", + // ZoneSize: "10M", + // Rate: "10r/s", + // ZoneName: "pol_rl_default_rateLimit-policy_default_test", + // }, + // { + // Key: "test2", + // ZoneSize: "20M", + // Rate: "20r/s", + // ZoneName: "pol_rl_default_rateLimit-policy2_default_test", + // }, + // }, + // LimitReqOptions: version2.LimitReqOptions{ + // LogLevel: "error", + // RejectCode: 503, + // }, + // LimitReqs: []version2.LimitReq{ + // { + // ZoneName: "pol_rl_default_rateLimit-policy_default_test", + // }, + // { + // ZoneName: "pol_rl_default_rateLimit-policy2_default_test", + // }, + // }, + // }, + // msg: "multi rate limit reference", + //}, + //{ + // policyRefs: []conf_v1.PolicyReference{ + // { + // Name: 
"jwt-policy", + // Namespace: "default", + // }, + // }, + // policies: map[string]*conf_v1.Policy{ + // "default/jwt-policy": { + // ObjectMeta: meta_v1.ObjectMeta{ + // Name: "jwt-policy", + // Namespace: "default", + // }, + // Spec: conf_v1.PolicySpec{ + // JWTAuth: &conf_v1.JWTAuth{ + // Realm: "My Test API", + // Secret: "jwt-secret", + // }, + // }, + // }, + // }, + // expected: policiesCfg{ + // JWTAuth: &version2.JWTAuth{ + // Secret: "/etc/nginx/secrets/default-jwt-secret", + // Realm: "My Test API", + // }, + // }, + // msg: "jwt reference", + //}, + //{ + // policyRefs: []conf_v1.PolicyReference{ + // { + // Name: "jwt-policy-2", + // Namespace: "default", + // }, + // }, + // policies: map[string]*conf_v1.Policy{ + // "default/jwt-policy-2": { + // ObjectMeta: meta_v1.ObjectMeta{ + // Name: "jwt-policy", + // Namespace: "default", + // }, + // Spec: conf_v1.PolicySpec{ + // JWTAuth: &conf_v1.JWTAuth{ + // Realm: "My Test API", + // JwksURI: "https://idp.example.com:443/keys", + // KeyCache: "1h", + // }, + // }, + // }, + // }, + // expected: policiesCfg{ + // JWTAuth: &version2.JWTAuth{ + // Realm: "My Test API", + // JwksURI: version2.JwksURI{ + // JwksScheme: "https", + // JwksHost: "idp.example.com", + // JwksPort: "443", + // JwksPath: "/keys", + // }, + // KeyCache: "1h", + // }, + // }, + // msg: "Basic jwks example", + //}, + //{ + // policyRefs: []conf_v1.PolicyReference{ + // { + // Name: "jwt-policy-2", + // Namespace: "default", + // }, + // }, + // policies: map[string]*conf_v1.Policy{ + // "default/jwt-policy-2": { + // ObjectMeta: meta_v1.ObjectMeta{ + // Name: "jwt-policy", + // Namespace: "default", + // }, + // Spec: conf_v1.PolicySpec{ + // JWTAuth: &conf_v1.JWTAuth{ + // Realm: "My Test API", + // JwksURI: "https://idp.example.com/keys", + // KeyCache: "1h", + // }, + // }, + // }, + // }, + // expected: policiesCfg{ + // JWTAuth: &version2.JWTAuth{ + // Realm: "My Test API", + // JwksURI: version2.JwksURI{ + // JwksScheme: 
"https", + // JwksHost: "idp.example.com", + // JwksPort: "", + // JwksPath: "/keys", + // }, + // KeyCache: "1h", + // }, + // }, + // msg: "Basic jwks example, no port in JwksURI", + //}, + //{ + // policyRefs: []conf_v1.PolicyReference{ + // { + // Name: "basic-auth-policy", + // Namespace: "default", + // }, + // }, + // policies: map[string]*conf_v1.Policy{ + // "default/basic-auth-policy": { + // ObjectMeta: meta_v1.ObjectMeta{ + // Name: "basic-auth-policy", + // Namespace: "default", + // }, + // Spec: conf_v1.PolicySpec{ + // BasicAuth: &conf_v1.BasicAuth{ + // Realm: "My Test API", + // Secret: "htpasswd-secret", + // }, + // }, + // }, + // }, + // expected: policiesCfg{ + // BasicAuth: &version2.BasicAuth{ + // Secret: "/etc/nginx/secrets/default-htpasswd-secret", + // Realm: "My Test API", + // }, + // }, + // msg: "basic auth reference", + //}, + //{ + // policyRefs: []conf_v1.PolicyReference{ + // { + // Name: "ingress-mtls-policy", + // Namespace: "default", + // }, + // }, + // policies: map[string]*conf_v1.Policy{ + // "default/ingress-mtls-policy": { + // ObjectMeta: meta_v1.ObjectMeta{ + // Name: "ingress-mtls-policy", + // Namespace: "default", + // }, + // Spec: conf_v1.PolicySpec{ + // IngressMTLS: &conf_v1.IngressMTLS{ + // ClientCertSecret: "ingress-mtls-secret", + // VerifyClient: "off", + // }, + // }, + // }, + // }, + // context: "spec", + // expected: policiesCfg{ + // IngressMTLS: &version2.IngressMTLS{ + // ClientCert: mTLSCertPath, + // VerifyClient: "off", + // VerifyDepth: 1, + // }, + // }, + // msg: "ingressMTLS reference", + //}, + //{ + // policyRefs: []conf_v1.PolicyReference{ + // { + // Name: "ingress-mtls-policy-crl", + // Namespace: "default", + // }, + // }, + // policies: map[string]*conf_v1.Policy{ + // "default/ingress-mtls-policy-crl": { + // ObjectMeta: meta_v1.ObjectMeta{ + // Name: "ingress-mtls-policy-crl", + // Namespace: "default", + // }, + // Spec: conf_v1.PolicySpec{ + // IngressMTLS: &conf_v1.IngressMTLS{ + 
// ClientCertSecret: "ingress-mtls-secret-crl", + // VerifyClient: "off", + // }, + // }, + // }, + // }, + // context: "spec", + // expected: policiesCfg{ + // IngressMTLS: &version2.IngressMTLS{ + // ClientCert: mTLSCertPath, + // ClientCrl: mTLSCrlPath, + // VerifyClient: "off", + // VerifyDepth: 1, + // }, + // }, + // msg: "ingressMTLS reference with ca.crl field in secret", + //}, + //{ + // policyRefs: []conf_v1.PolicyReference{ + // { + // Name: "ingress-mtls-policy-crl", + // Namespace: "default", + // }, + // }, + // policies: map[string]*conf_v1.Policy{ + // "default/ingress-mtls-policy-crl": { + // ObjectMeta: meta_v1.ObjectMeta{ + // Name: "ingress-mtls-policy-crl", + // Namespace: "default", + // }, + // Spec: conf_v1.PolicySpec{ + // IngressMTLS: &conf_v1.IngressMTLS{ + // ClientCertSecret: "ingress-mtls-secret", + // CrlFileName: "default-ingress-mtls-secret-ca.crl", + // VerifyClient: "off", + // }, + // }, + // }, + // }, + // context: "spec", + // expected: policiesCfg{ + // IngressMTLS: &version2.IngressMTLS{ + // ClientCert: mTLSCertPath, + // ClientCrl: mTLSCrlPath, + // VerifyClient: "off", + // VerifyDepth: 1, + // }, + // }, + // msg: "ingressMTLS reference with crl field in policy", + //}, + //{ + // policyRefs: []conf_v1.PolicyReference{ + // { + // Name: "egress-mtls-policy", + // Namespace: "default", + // }, + // }, + // policies: map[string]*conf_v1.Policy{ + // "default/egress-mtls-policy": { + // Spec: conf_v1.PolicySpec{ + // EgressMTLS: &conf_v1.EgressMTLS{ + // TLSSecret: "egress-mtls-secret", + // ServerName: true, + // SessionReuse: createPointerFromBool(false), + // TrustedCertSecret: "egress-trusted-ca-secret", + // }, + // }, + // }, + // }, + // context: "route", + // expected: policiesCfg{ + // EgressMTLS: &version2.EgressMTLS{ + // Certificate: "/etc/nginx/secrets/default-egress-mtls-secret", + // CertificateKey: "/etc/nginx/secrets/default-egress-mtls-secret", + // Ciphers: "DEFAULT", + // Protocols: "TLSv1 TLSv1.1 
TLSv1.2", + // ServerName: true, + // SessionReuse: false, + // VerifyDepth: 1, + // VerifyServer: false, + // TrustedCert: "/etc/nginx/secrets/default-egress-trusted-ca-secret", + // SSLName: "$proxy_host", + // }, + // }, + // msg: "egressMTLS reference", + //}, { policyRefs: []conf_v1.PolicyReference{ { @@ -3175,7 +3216,7 @@ func TestGeneratePolicies(t *testing.T) { TLSSecret: "egress-mtls-secret", ServerName: true, SessionReuse: createPointerFromBool(false), - TrustedCertSecret: "egress-trusted-ca-secret", + TrustedCertSecret: "egress-trusted-ca-secret-crl", }, }, }, 
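Review bot: Every existing case in the `tests` table of TestGeneratePolicies is commented out in this hunk (access control, rate limit, JWT, basic auth, ingressMTLS and the original "egressMTLS reference" case), and the hunk at @@ -3191,78 +3232,78 @@ does the same to the OIDC and WAF cases, so only the new "egressMTLS with crt and crl" case still runs. That removes regression coverage for every other policy type and looks like leftover debugging; restore the cases and append the new one as an additional entry. The `policyOpts policyOptions` field is also dropped from the case struct, so confirm no case relied on it. An extra case with an EgressMTLS policy that sets no `TrustedCertSecret` would cover the empty-path input to `addEgressMTLSConfig`. The test function continues outside the hunk.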
@@ -3191,78 +3232,78 @@ func TestGeneratePolicies(t *testing.T) { SessionReuse: false, VerifyDepth: 1, VerifyServer: false, - TrustedCert: "/etc/nginx/secrets/default-egress-trusted-ca-secret", + TrustedCert: mTLSCertPath, SSLName: "$proxy_host", }, }, - msg: "egressMTLS reference", - }, - { - policyRefs: []conf_v1.PolicyReference{ - { - Name: "oidc-policy", - Namespace: "default", - }, - }, - policies: map[string]*conf_v1.Policy{ - "default/oidc-policy": { - ObjectMeta: meta_v1.ObjectMeta{ - Name: "oidc-policy", - Namespace: "default", - }, - Spec: conf_v1.PolicySpec{ - OIDC: &conf_v1.OIDC{ - AuthEndpoint: "http://example.com/auth", - TokenEndpoint: "http://example.com/token", - JWKSURI: "http://example.com/jwks", - ClientID: "client-id", - ClientSecret: "oidc-secret", - Scope: "scope", - RedirectURI: "/redirect", - ZoneSyncLeeway: createPointerFromInt(20), - AccessTokenEnable: true, - }, - }, - }, - }, - expected: policiesCfg{ - OIDC: true, - }, - msg: "oidc reference", - }, - { - policyRefs: []conf_v1.PolicyReference{ - { - Name: "waf-policy", - Namespace: "default", - }, - }, - policies: map[string]*conf_v1.Policy{ - "default/waf-policy": { - Spec: conf_v1.PolicySpec{ - WAF: &conf_v1.WAF{ - Enable: true, - ApPolicy: "default/dataguard-alarm", - SecurityLog: &conf_v1.SecurityLog{ - Enable: true, - ApLogConf: "default/logconf", - LogDest: "syslog:server=127.0.0.1:514", - }, - }, - }, - }, - }, - context: "route", - expected: policiesCfg{ - WAF: &version2.WAF{ - Enable: "on", - ApPolicy: "/etc/nginx/waf/nac-policies/default-dataguard-alarm", - ApSecurityLogEnable: true, - ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf syslog:server=127.0.0.1:514"}, - }, - }, - msg: "WAF reference", - }, + msg: "egressMTLS with crt and crl", + }, + //{ + // policyRefs: []conf_v1.PolicyReference{ + // { + // Name: "oidc-policy", + // Namespace: "default", + // }, + // }, + // policies: map[string]*conf_v1.Policy{ + // "default/oidc-policy": { + // ObjectMeta: 
meta_v1.ObjectMeta{ + // Name: "oidc-policy", + // Namespace: "default", + // }, + // Spec: conf_v1.PolicySpec{ + // OIDC: &conf_v1.OIDC{ + // AuthEndpoint: "http://example.com/auth", + // TokenEndpoint: "http://example.com/token", + // JWKSURI: "http://example.com/jwks", + // ClientID: "client-id", + // ClientSecret: "oidc-secret", + // Scope: "scope", + // RedirectURI: "/redirect", + // ZoneSyncLeeway: createPointerFromInt(20), + // AccessTokenEnable: true, + // }, + // }, + // }, + // }, + // expected: policiesCfg{ + // OIDC: true, + // }, + // msg: "oidc reference", + //}, + //{ + // policyRefs: []conf_v1.PolicyReference{ + // { + // Name: "waf-policy", + // Namespace: "default", + // }, + // }, + // policies: map[string]*conf_v1.Policy{ + // "default/waf-policy": { + // Spec: conf_v1.PolicySpec{ + // WAF: &conf_v1.WAF{ + // Enable: true, + // ApPolicy: "default/dataguard-alarm", + // SecurityLog: &conf_v1.SecurityLog{ + // Enable: true, + // ApLogConf: "default/logconf", + // LogDest: "syslog:server=127.0.0.1:514", + // }, + // }, + // }, + // }, + // }, + // context: "route", + // expected: policiesCfg{ + // WAF: &version2.WAF{ + // Enable: "on", + // ApPolicy: "/etc/nginx/waf/nac-policies/default-dataguard-alarm", + // ApSecurityLogEnable: true, + // ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf syslog:server=127.0.0.1:514"}, + // }, + // }, + // msg: "WAF reference", + //}, } vsc := newVirtualServerConfigurator(&ConfigParams{}, false, false, &StaticConfigParams{}, false) diff --git a/tests/data/egress-mtls/policies/egress-mtls-invalid.yaml b/tests/data/egress-mtls/policies/egress-mtls-invalid.yaml new file mode 100644 index 0000000000..59e5a06250 --- /dev/null +++ b/tests/data/egress-mtls/policies/egress-mtls-invalid.yaml 
@@ -0,0 +1,12 @@
+apiVersion: k8s.nginx.org/v1
+kind: Policy
+metadata:
+ name: egress-mtls-policy
+spec:
+ egress_MTLS:
+ tlsSecret: egress-tks-secret
+ trustedCertSecret: egress-mtls-secret
+ verifyServer: on
+ verifyDepth: 2
+ serverName: on
+ sslName: secure-app.example.com
diff --git a/tests/data/egress-mtls/policies/egress-mtls.yaml b/tests/data/egress-mtls/policies/egress-mtls.yaml
new file mode 100644
index 0000000000..8a94645254
--- /dev/null
+++ b/tests/data/egress-mtls/policies/egress-mtls.yaml
@@ -0,0 +1,12 @@
+apiVersion: k8s.nginx.org/v1
+kind: Policy
+metadata:
+ name: egress-mtls-policy
+spec:
+ egressMTLS:
+ tlsSecret: egress-tls-secret
+ trustedCertSecret: egress-mtls-secret
+ verifyServer: on
+ verifyDepth: 2
+ serverName: on
+ sslName: virtual-server.example.com
diff --git a/tests/data/egress-mtls/route-subroute/virtual-server-mtls.yaml b/tests/data/egress-mtls/route-subroute/virtual-server-mtls.yaml
new file mode 100644
index 0000000000..f020b39f96
--- /dev/null
+++ b/tests/data/egress-mtls/route-subroute/virtual-server-mtls.yaml
@@ -0,0 +1,22 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+ name: virtual-server
+spec:
+ host: virtual-server.example.com
+ upstreams:
+ - name: backend2
+ service: backend2-svc
+ port: 80
+ - name: backend1
+ service: backend1-svc
+ port: 80
+ routes:
+ - path: "/backend1"
+ policies:
+ - name: egress-mtls-policy
+ action:
+ pass: backend1
+ - path: "/backend2"
+ action:
+ pass: backend2
diff --git a/tests/data/egress-mtls/route-subroute/virtual-server-route-mtls.yaml b/tests/data/egress-mtls/route-subroute/virtual-server-route-mtls.yaml
new file mode 100644
index 0000000000..d6d26b1a0d
--- /dev/null
+++ b/tests/data/egress-mtls/route-subroute/virtual-server-route-mtls.yaml
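Review bot: The egress-mtls-invalid.yaml fixture is invalid in two unrelated ways, the field name `egress_MTLS` and the secret reference `tlsSecret: egress-tks-secret`, so a test that expects "is missing or invalid" cannot tell which of the two was rejected. If only the field name is meant to be wrong, keep `tlsSecret: egress-tls-secret` as in egress-mtls.yaml and mark the bad line with a comment such as `# intentionally misspelled field: the policy must be rejected`.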
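Review bot: Both upstreams in virtual-server-mtls.yaml are plain `port: 80` entries with no upstream TLS setting, so requests to `/backend1` are presumably proxied over HTTP and the policy's `verifyServer: on`, trusted CA and client certificate are never exercised. The expected 200 would then hold even with a wrong CA or a revoked backend certificate, which means the "with a CRL" case proves only that the config loads. If the suite is meant to show that EgressMTLS verification works, point the route at a TLS-enabled backend (`tls:` with `enable: true` on the upstream) and add a negative case with an untrusted CA. The same applies to spec/virtual-server-mtls.yaml and spec/virtual-server-mtls-diff-host.yaml.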
@@ -0,0 +1,22 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServerRoute
+metadata:
+ name: backends
+spec:
+ host: virtual-server-route.example.com
+ upstreams:
+ - name: backend1
+ service: backend1-svc
+ port: 80
+ - name: backend3
+ service: backend3-svc
+ port: 80
+ subroutes:
+ - path: "/backends/backend1"
+ policies:
+ - name: egress-mtls-policy
+ action:
+ pass: backend1
+ - path: "/backends/backend3"
+ action:
+ pass: backend3
diff --git a/tests/data/egress-mtls/route-subroute/virtual-server-vsr.yaml b/tests/data/egress-mtls/route-subroute/virtual-server-vsr.yaml
new file mode 100644
index 0000000000..f56b65d83d
--- /dev/null
+++ b/tests/data/egress-mtls/route-subroute/virtual-server-vsr.yaml
@@ -0,0 +1,11 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+ name: virtual-server-route
+spec:
+ host: virtual-server-route.example.com
+ routes:
+ - path: "/backends"
+ route: backends # implicit namespace
+ - path: "/backend2"
+ route: backend2-namespace/backend2
diff --git a/tests/data/egress-mtls/secret/egress-mtls-secret-crl.yaml b/tests/data/egress-mtls/secret/egress-mtls-secret-crl.yaml
new file mode 100644
index 0000000000..6d21943fd2
--- /dev/null
+++ b/tests/data/egress-mtls/secret/egress-mtls-secret-crl.yaml
@@ -0,0 +1,8 @@
+kind: Secret
+metadata:
+ name: egress-mtls-secret
+apiVersion: v1
+type: nginx.org/ca
+data:
+ ca.crt: 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
+ ca.crl: 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
diff --git a/tests/data/egress-mtls/secret/egress-mtls-secret.yaml b/tests/data/egress-mtls/secret/egress-mtls-secret.yaml
new file mode 100644
index 0000000000..9b6a46ad69
--- /dev/null
+++ b/tests/data/egress-mtls/secret/egress-mtls-secret.yaml
@@ -0,0 +1,7 @@
+kind: Secret
+metadata:
+ name: egress-mtls-secret
+apiVersion: v1
+type: nginx.org/ca
+data:
+ ca.crt: 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
diff --git a/tests/data/egress-mtls/secret/tls-secret.yaml b/tests/data/egress-mtls/secret/tls-secret.yaml
new file mode 100644
index 0000000000..031238b87d
--- /dev/null
+++ b/tests/data/egress-mtls/secret/tls-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: egress-tls-secret
+type: kubernetes.io/tls
+data:
+ tls.crt: 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
+ tls.key: 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
diff --git a/tests/data/egress-mtls/spec/virtual-server-mtls-diff-host.yaml b/tests/data/egress-mtls/spec/virtual-server-mtls-diff-host.yaml
new file mode 100644
index 0000000000..2ee4084f52
--- /dev/null
+++ b/tests/data/egress-mtls/spec/virtual-server-mtls-diff-host.yaml
@@ -0,0 +1,22 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+ name: virtual-server
+spec:
+ host: virtual-server-2.example.com
+ policies:
+ - name: egress-mtls-policy
+ upstreams:
+ - name: backend2
+ service: backend2-svc
+ port: 80
+ - name: backend1
+ service: backend1-svc
+ port: 80
+ routes:
+ - path: "/backend1"
+ action:
+ pass: backend1
+ - path: "/backend2"
+ action:
+ pass: backend2
diff --git a/tests/data/egress-mtls/spec/virtual-server-mtls.yaml b/tests/data/egress-mtls/spec/virtual-server-mtls.yaml
new file mode 100644
index 0000000000..146a8e86e1
--- /dev/null
+++ b/tests/data/egress-mtls/spec/virtual-server-mtls.yaml
@@ -0,0 +1,22 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+ name: virtual-server
+spec:
+ host: virtual-server.example.com
+ policies:
+ - name: egress-mtls-policy
+ upstreams:
+ - name: backend2
+ service: backend2-svc
+ port: 80
+ - name: backend1
+ service: backend1-svc
+ port: 80
+ routes:
+ - path: "/backend1"
+ action:
+ pass: backend1
+ - path: "/backend2"
+ action:
+ pass: backend2
diff --git a/tests/data/egress-mtls/standard/virtual-server.yaml b/tests/data/egress-mtls/standard/virtual-server.yaml
new file mode 100644
index 0000000000..9ac63fba13
--- /dev/null
+++ b/tests/data/egress-mtls/standard/virtual-server.yaml
@@ -0,0 +1,22 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+ name: virtual-server
+spec:
+ host: virtual-server.example.com
+ tls:
+ secret: tls-secret
+ upstreams:
+ - name: backend2
+ service: backend2-svc
+ port: 80
+ - name: backend1
+ service: backend1-svc
+ port: 80
+ routes:
+ - path: "/backend1"
+ action:
+ pass: backend1
+ - path: "/backend2"
+ action:
+ pass: backend2
diff --git a/tests/suite/test_egress_mtls.py b/tests/suite/test_egress_mtls.py
new file mode 100644
index 0000000000..dab86f2e90
--- /dev/null
+++ b/tests/suite/test_egress_mtls.py
@@ -0,0 +1,309 @@ +import pytest +import requests +from settings import TEST_DATA +from suite.utils.policy_resources_utils import create_policy_from_yaml, delete_policy +from suite.utils.resources_utils import create_secret_from_yaml, delete_secret, wait_before_test +from suite.utils.ssl_utils import create_sni_session +from suite.utils.vs_vsr_resources_utils import ( + delete_and_create_vs_from_yaml, + patch_v_s_route_from_yaml, + patch_virtual_server_from_yaml, + read_vs, + read_vsr, +) + +std_vs_src = f"{TEST_DATA}/virtual-server/standard/virtual-server.yaml" +std_vsr_src = f"{TEST_DATA}/virtual-server-route/route-multiple.yaml" +std_vs_vsr_src = f"{TEST_DATA}/virtual-server-route/standard/virtual-server.yaml" + +mtls_sec_valid_src = f"{TEST_DATA}/egress-mtls/secret/egress-mtls-secret.yaml" +mtls_sec_valid_crl_src = f"{TEST_DATA}/egress-mtls/secret/egress-mtls-secret-crl.yaml" +tls_sec_valid_src = f"{TEST_DATA}/egress-mtls/secret/tls-secret.yaml" + +mtls_pol_valid_src = f"{TEST_DATA}/egress-mtls/policies/egress-mtls.yaml" +mtls_pol_invalid_src = f"{TEST_DATA}/egress-mtls/policies/egress-mtls-invalid.yaml" + +mtls_vs_spec_src = f"{TEST_DATA}/egress-mtls/spec/virtual-server-mtls.yaml" +mtls_vs_route_src = f"{TEST_DATA}/egress-mtls/route-subroute/virtual-server-mtls.yaml" +mtls_vsr_subroute_src = f"{TEST_DATA}/egress-mtls/route-subroute/virtual-server-route-mtls.yaml" +mtls_vs_vsr_src = f"{TEST_DATA}/egress-mtls/route-subroute/virtual-server-vsr.yaml" + +def setup_policy(kube_apis, test_namespace, mtls_secret, tls_secret, policy): + print(f"Create egress-mtls secret") + mtls_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, mtls_secret) + + print(f"Create tls secret") + tls_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, tls_secret) + + print(f"Create egress-mtls policy") + pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy, test_namespace) + + return mtls_secret_name, tls_secret_name, pol_name + +def 
teardown_policy(kube_apis, test_namespace, tls_secret, pol_name, mtls_secret): + print("Delete policy and related secrets") + delete_secret(kube_apis.v1, tls_secret, test_namespace) + delete_policy(kube_apis.custom_objects, pol_name, test_namespace) + delete_secret(kube_apis.v1, mtls_secret, test_namespace) + +@pytest.mark.policies +@pytest.mark.parametrize( + "crd_ingress_controller, virtual_server_setup", + [ + ( + { + "type": "complete", + "extra_args": [ + f"-enable-leader-election=false", + ], + }, + { + "example": "virtual-server", + "app_type": "simple", + }, + ) + ], + indirect=True, +) +class TestEgressMtlsPolicyVS: + @pytest.mark.parametrize( + "policy_src, vs_src, mtls_ca_secret, expected_code, expected_text, vs_message, vs_state, test_description", + [ + ( + mtls_pol_valid_src, + mtls_vs_spec_src, + mtls_sec_valid_src, + 200, + "Server address:", + "was added or updated", + "Valid", + "Test valid EgressMTLS policy applied to a VirtualServer spec", + ), + ( + mtls_pol_valid_src, + mtls_vs_route_src, + mtls_sec_valid_src, + 200, + "Server address:", + "was added or updated", + "Valid", + "Test valid EgressMTLS policy applied to a VirtualServer path", + ), + ( + mtls_pol_valid_src, + mtls_vs_spec_src, + mtls_sec_valid_crl_src, + 200, + "Server address:", + "was added or updated", + "Valid", + "Test valid EgressMTLS policy applied to a VirtualServer with a CRL", + ), + ( + mtls_pol_invalid_src, + mtls_vs_spec_src, + mtls_sec_valid_src, + 500, + "Internal Server Error", + "is missing or invalid", + "Warning", + "Test invalid EgressMTLS policy applied to a VirtualServer", + ), + ] + ) + def test_egress_mtls_policy( + self, + kube_apis, + crd_ingress_controller, + virtual_server_setup, + test_namespace, + policy_src, + vs_src, + mtls_ca_secret, + expected_code, + expected_text, + vs_message, + vs_state, + test_description, + ): + """ + Test egress-mtls with valid and invalid policy in vs spec and route contexts. 
+ """ + print("------------------------- {} -----------------------------------".format(test_description)) + session = create_sni_session() + mtls_secret, tls_secret, pol_name = setup_policy( + kube_apis, + test_namespace, + mtls_ca_secret, + tls_sec_valid_src, + policy_src, + ) + + print(f"Patch vs with policy: {policy_src}") + delete_and_create_vs_from_yaml( + kube_apis.custom_objects, + virtual_server_setup.vs_name, + vs_src, + virtual_server_setup.namespace, + ) + wait_before_test() + resp = session.get( + virtual_server_setup.backend_1_url, + headers={"host": virtual_server_setup.vs_host}, + allow_redirects=False, + verify=False, + ) + + vs_events = read_vs(kube_apis.custom_objects, test_namespace, virtual_server_setup.vs_name) + teardown_policy(kube_apis, test_namespace, tls_secret, pol_name, mtls_secret) + + patch_virtual_server_from_yaml( + kube_apis.custom_objects, + virtual_server_setup.vs_name, + std_vs_src, + virtual_server_setup.namespace, + ) + + assert ( + resp.status_code == expected_code + and expected_text in resp.text + and vs_message in vs_events["status"]["message"] + and vs_events["status"]["state"] == vs_state + ) + + +@pytest.mark.policies +@pytest.mark.parametrize( + "crd_ingress_controller, v_s_route_setup", + [ + ( + { + "type": "complete", + "extra_args": [ + f"-enable-leader-election=false", + ], + }, + { + "example": "virtual-server-route", + }, + ) + ], + indirect=True, +) +class TestEgressMtlsPolicyVSR: + @pytest.mark.parametrize( + "policy_src, vs_src, vsr_src, mtls_ca_secret, expected_code, expected_text, vsr_message, vsr_state, test_description", + [ + ( + mtls_pol_valid_src, + mtls_vs_vsr_src, + mtls_vsr_subroute_src, + mtls_sec_valid_src, + 200, + "Server address:", + "was added or updated", + "Valid", + "Test valid EgressMTLS policy applied to a VirtualServerRoute", + ), + ( + mtls_pol_valid_src, + mtls_vs_vsr_src, + mtls_vsr_subroute_src, + mtls_sec_valid_crl_src, + 200, + "Server address:", + "was added or updated", + 
"Valid", + "Test valid EgressMTLS policy applied to VirtualServerRoute with a CRL", + ), + ( + mtls_pol_invalid_src, + mtls_vs_vsr_src, + mtls_vsr_subroute_src, + mtls_sec_valid_src, + 500, + "Internal Server Error", + "is missing or invalid", + "Warning", + "Test invalid EgressMTLS policy applied to VirtualServerRoute", + ), + ] + ) + def test_egress_mtls_policy( + self, + kube_apis, + crd_ingress_controller, + v_s_route_app_setup, + v_s_route_setup, + test_namespace, + policy_src, + vs_src, + vsr_src, + mtls_ca_secret, + expected_code, + expected_text, + vsr_message, + vsr_state, + test_description, + ): + """ + Test egress-mtls with valid and invalid policy in vsr subroutes. + """ + print("------------------------- {} -----------------------------------".format(test_description)) + req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" + session = create_sni_session() + mtls_secret, tls_secret, pol_name = setup_policy( + kube_apis, + v_s_route_setup.namespace, + mtls_ca_secret, + tls_sec_valid_src, + policy_src, + ) + + print(f"Patch vsr with policy: {vsr_src} and vs with tls secret: {tls_secret}") + patch_virtual_server_from_yaml( + kube_apis.custom_objects, + v_s_route_setup.vs_name, + vs_src, + v_s_route_setup.namespace, + ) + patch_v_s_route_from_yaml( + kube_apis.custom_objects, + v_s_route_setup.route_m.name, + vsr_src, + v_s_route_setup.route_m.namespace, + ) + wait_before_test() + resp = session.get( + f"{req_url}{v_s_route_setup.route_m.paths[0]}", + headers={"host": v_s_route_setup.vs_host}, + allow_redirects=False, + verify=False, + ) + + vsr_events = read_vsr( + kube_apis.custom_objects, + v_s_route_setup.route_m.namespace, + v_s_route_setup.route_m.name, + ) + teardown_policy(kube_apis, v_s_route_setup.namespace, tls_secret, pol_name, mtls_secret) + + patch_v_s_route_from_yaml( + kube_apis.custom_objects, + v_s_route_setup.route_m.name, + std_vsr_src, + v_s_route_setup.route_m.namespace, + ) + 
patch_virtual_server_from_yaml( + kube_apis.custom_objects, + v_s_route_setup.vs_name, + std_vs_vsr_src, + v_s_route_setup.namespace, + ) + + assert ( + resp.status_code == expected_code + and expected_text in resp.text + and vsr_message in vsr_events["status"]["message"] + and vsr_events["status"]["state"] == vsr_state + ) \ No newline at end of file From 16f792adde938b23772f1f9a120be5b8debbcadf Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Fri, 7 Apr 2023 17:21:28 +0000 Subject: [PATCH 2/9] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- tests/suite/test_egress_mtls.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/tests/suite/test_egress_mtls.py b/tests/suite/test_egress_mtls.py index dab86f2e90..66c568a98e 100644 --- a/tests/suite/test_egress_mtls.py +++ b/tests/suite/test_egress_mtls.py @@ -28,6 +28,7 @@ mtls_vsr_subroute_src = f"{TEST_DATA}/egress-mtls/route-subroute/virtual-server-route-mtls.yaml" mtls_vs_vsr_src = f"{TEST_DATA}/egress-mtls/route-subroute/virtual-server-vsr.yaml" + def setup_policy(kube_apis, test_namespace, mtls_secret, tls_secret, policy): print(f"Create egress-mtls secret") mtls_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, mtls_secret) @@ -40,12 +41,14 @@ def setup_policy(kube_apis, test_namespace, mtls_secret, tls_secret, policy): return mtls_secret_name, tls_secret_name, pol_name + def teardown_policy(kube_apis, test_namespace, tls_secret, pol_name, mtls_secret): print("Delete policy and related secrets") delete_secret(kube_apis.v1, tls_secret, test_namespace) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) delete_secret(kube_apis.v1, mtls_secret, test_namespace) + @pytest.mark.policies @pytest.mark.parametrize( "crd_ingress_controller, virtual_server_setup", 
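Review bot: In both `test_egress_mtls_policy` methods (`TestEgressMtlsPolicyVS` and `TestEgressMtlsPolicyVSR`) the cleanup, `teardown_policy` plus the patch back to the standard resources, runs only if every call before it succeeds. An exception from `session.get` or from a patch call therefore leaves the secrets and the policy in the namespace for the next parametrized case, which tries to create the same objects again. Putting the request and status read in `try` and the cleanup in `finally` keeps the cases isolated, and one `assert` per condition shows which of the four checks failed. The two CRL cases assert only a 200 response, so they show that a CA secret carrying a CRL still produces a working configuration, not that revocation is enforced; a one-line comment on those cases saying so would prevent misreading.

```python
# … unchanged: create_sni_session() and setup_policy(...) …
try:
    # … unchanged: delete_and_create_vs_from_yaml(...), wait_before_test(), session.get(...) …
    vs_events = read_vs(kube_apis.custom_objects, test_namespace, virtual_server_setup.vs_name)
finally:
    # Always remove the policy and secrets, even when the request or a patch call raised.
    teardown_policy(kube_apis, test_namespace, tls_secret, pol_name, mtls_secret)
    patch_virtual_server_from_yaml(
        kube_apis.custom_objects,
        virtual_server_setup.vs_name,
        std_vs_src,
        virtual_server_setup.namespace,
    )

assert resp.status_code == expected_code
assert expected_text in resp.text
assert vs_message in vs_events["status"]["message"]
assert vs_events["status"]["state"] == vs_state
```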
@@ -109,7 +112,7 @@ class TestEgressMtlsPolicyVS: "Warning", "Test invalid EgressMTLS policy applied to a VirtualServer", ), - ] + ], ) def test_egress_mtls_policy( self, @@ -227,7 +230,7 @@ class TestEgressMtlsPolicyVSR: "Warning", "Test invalid EgressMTLS policy applied to VirtualServerRoute", ), - ] + ], ) def test_egress_mtls_policy( self, @@ -306,4 +309,4 @@ def test_egress_mtls_policy( and expected_text in resp.text and vsr_message in vsr_events["status"]["message"] and vsr_events["status"]["state"] == vsr_state - ) \ No newline at end of file + ) From c6bb0bf3b09c21effcdf68c8df8b9dc7702d3b90 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 11 Apr 2023 10:42:05 +0100 Subject: [PATCH 3/9] Un-comment tests --- internal/configs/virtualserver_test.go | 1000 ++++++++++++------------ 1 file changed, 500 insertions(+), 500 deletions(-) diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go index 7390a110eb..ab1ef5b65a 100644 --- a/internal/configs/virtualserver_test.go +++ b/internal/configs/virtualserver_test.go 
@@ -2768,440 +2768,440 @@ func TestGeneratePolicies(t *testing.T) { expected policiesCfg msg string }{ - //{ - // policyRefs: []conf_v1.PolicyReference{ - // { - // Name: "allow-policy", - // Namespace: "default", - // }, - // }, - // policies: map[string]*conf_v1.Policy{ - // "default/allow-policy": { - // Spec: conf_v1.PolicySpec{ - // AccessControl: &conf_v1.AccessControl{ - // Allow: []string{"127.0.0.1"}, - // }, - // }, - // }, - // }, - // expected: policiesCfg{ - // Allow: []string{"127.0.0.1"}, - // }, - // msg: "explicit reference", - //}, - //{ - // policyRefs: []conf_v1.PolicyReference{ - // { - // Name: "allow-policy", - // }, - // }, - // policies: map[string]*conf_v1.Policy{ - // "default/allow-policy": { - // Spec: conf_v1.PolicySpec{ - // AccessControl: &conf_v1.AccessControl{ - // Allow: []string{"127.0.0.1"}, - // }, - // }, - // }, - // }, - // expected: policiesCfg{ - // Allow: []string{"127.0.0.1"}, - // }, - // msg: "implicit reference", - //}, - //{ - // policyRefs: []conf_v1.PolicyReference{ - // { - // Name: "allow-policy-1", - // }, - // { - // Name: "allow-policy-2", - // }, - // }, - // policies: map[string]*conf_v1.Policy{ - // "default/allow-policy-1": { - // Spec: conf_v1.PolicySpec{ - // AccessControl: &conf_v1.AccessControl{ - // Allow: []string{"127.0.0.1"}, - // }, - // }, - // }, - // "default/allow-policy-2": { - // Spec: conf_v1.PolicySpec{ - // AccessControl: &conf_v1.AccessControl{ - // Allow: []string{"127.0.0.2"}, - // }, - // }, - // }, - // }, - // expected: policiesCfg{ - // Allow: []string{"127.0.0.1", "127.0.0.2"}, - // }, - // msg: "merging", - //}, - //{ - // policyRefs: []conf_v1.PolicyReference{ - // { - // Name: "rateLimit-policy", - // Namespace: "default", - // }, - // }, - // policies: map[string]*conf_v1.Policy{ - // "default/rateLimit-policy": { - // Spec: conf_v1.PolicySpec{ - // RateLimit: &conf_v1.RateLimit{ - // Key: "test", - // ZoneSize: "10M", - // Rate: "10r/s", - // LogLevel: "notice", - // }, - // 
}, - // }, - // }, - // expected: policiesCfg{ - // LimitReqZones: []version2.LimitReqZone{ - // { - // Key: "test", - // ZoneSize: "10M", - // Rate: "10r/s", - // ZoneName: "pol_rl_default_rateLimit-policy_default_test", - // }, - // }, - // LimitReqOptions: version2.LimitReqOptions{ - // LogLevel: "notice", - // RejectCode: 503, - // }, - // LimitReqs: []version2.LimitReq{ - // { - // ZoneName: "pol_rl_default_rateLimit-policy_default_test", - // }, - // }, - // }, - // msg: "rate limit reference", - //}, - //{ - // policyRefs: []conf_v1.PolicyReference{ - // { - // Name: "rateLimit-policy", - // Namespace: "default", - // }, - // { - // Name: "rateLimit-policy2", - // Namespace: "default", - // }, - // }, - // policies: map[string]*conf_v1.Policy{ - // "default/rateLimit-policy": { - // Spec: conf_v1.PolicySpec{ - // RateLimit: &conf_v1.RateLimit{ - // Key: "test", - // ZoneSize: "10M", - // Rate: "10r/s", - // }, - // }, - // }, - // "default/rateLimit-policy2": { - // Spec: conf_v1.PolicySpec{ - // RateLimit: &conf_v1.RateLimit{ - // Key: "test2", - // ZoneSize: "20M", - // Rate: "20r/s", - // }, - // }, - // }, - // }, - // expected: policiesCfg{ - // LimitReqZones: []version2.LimitReqZone{ - // { - // Key: "test", - // ZoneSize: "10M", - // Rate: "10r/s", - // ZoneName: "pol_rl_default_rateLimit-policy_default_test", - // }, - // { - // Key: "test2", - // ZoneSize: "20M", - // Rate: "20r/s", - // ZoneName: "pol_rl_default_rateLimit-policy2_default_test", - // }, - // }, - // LimitReqOptions: version2.LimitReqOptions{ - // LogLevel: "error", - // RejectCode: 503, - // }, - // LimitReqs: []version2.LimitReq{ - // { - // ZoneName: "pol_rl_default_rateLimit-policy_default_test", - // }, - // { - // ZoneName: "pol_rl_default_rateLimit-policy2_default_test", - // }, - // }, - // }, - // msg: "multi rate limit reference", - //}, - //{ - // policyRefs: []conf_v1.PolicyReference{ - // { - // Name: "jwt-policy", - // Namespace: "default", - // }, - // }, - // 
policies: map[string]*conf_v1.Policy{ - // "default/jwt-policy": { - // ObjectMeta: meta_v1.ObjectMeta{ - // Name: "jwt-policy", - // Namespace: "default", - // }, - // Spec: conf_v1.PolicySpec{ - // JWTAuth: &conf_v1.JWTAuth{ - // Realm: "My Test API", - // Secret: "jwt-secret", - // }, - // }, - // }, - // }, - // expected: policiesCfg{ - // JWTAuth: &version2.JWTAuth{ - // Secret: "/etc/nginx/secrets/default-jwt-secret", - // Realm: "My Test API", - // }, - // }, - // msg: "jwt reference", - //}, - //{ - // policyRefs: []conf_v1.PolicyReference{ - // { - // Name: "jwt-policy-2", - // Namespace: "default", - // }, - // }, - // policies: map[string]*conf_v1.Policy{ - // "default/jwt-policy-2": { - // ObjectMeta: meta_v1.ObjectMeta{ - // Name: "jwt-policy", - // Namespace: "default", - // }, - // Spec: conf_v1.PolicySpec{ - // JWTAuth: &conf_v1.JWTAuth{ - // Realm: "My Test API", - // JwksURI: "https://idp.example.com:443/keys", - // KeyCache: "1h", - // }, - // }, - // }, - // }, - // expected: policiesCfg{ - // JWTAuth: &version2.JWTAuth{ - // Realm: "My Test API", - // JwksURI: version2.JwksURI{ - // JwksScheme: "https", - // JwksHost: "idp.example.com", - // JwksPort: "443", - // JwksPath: "/keys", - // }, - // KeyCache: "1h", - // }, - // }, - // msg: "Basic jwks example", - //}, - //{ - // policyRefs: []conf_v1.PolicyReference{ - // { - // Name: "jwt-policy-2", - // Namespace: "default", - // }, - // }, - // policies: map[string]*conf_v1.Policy{ - // "default/jwt-policy-2": { - // ObjectMeta: meta_v1.ObjectMeta{ - // Name: "jwt-policy", - // Namespace: "default", - // }, - // Spec: conf_v1.PolicySpec{ - // JWTAuth: &conf_v1.JWTAuth{ - // Realm: "My Test API", - // JwksURI: "https://idp.example.com/keys", - // KeyCache: "1h", - // }, - // }, - // }, - // }, - // expected: policiesCfg{ - // JWTAuth: &version2.JWTAuth{ - // Realm: "My Test API", - // JwksURI: version2.JwksURI{ - // JwksScheme: "https", - // JwksHost: "idp.example.com", - // JwksPort: "", - // 
JwksPath: "/keys", - // }, - // KeyCache: "1h", - // }, - // }, - // msg: "Basic jwks example, no port in JwksURI", - //}, - //{ - // policyRefs: []conf_v1.PolicyReference{ - // { - // Name: "basic-auth-policy", - // Namespace: "default", - // }, - // }, - // policies: map[string]*conf_v1.Policy{ - // "default/basic-auth-policy": { - // ObjectMeta: meta_v1.ObjectMeta{ - // Name: "basic-auth-policy", - // Namespace: "default", - // }, - // Spec: conf_v1.PolicySpec{ - // BasicAuth: &conf_v1.BasicAuth{ - // Realm: "My Test API", - // Secret: "htpasswd-secret", - // }, - // }, - // }, - // }, - // expected: policiesCfg{ - // BasicAuth: &version2.BasicAuth{ - // Secret: "/etc/nginx/secrets/default-htpasswd-secret", - // Realm: "My Test API", - // }, - // }, - // msg: "basic auth reference", - //}, - //{ - // policyRefs: []conf_v1.PolicyReference{ - // { - // Name: "ingress-mtls-policy", - // Namespace: "default", - // }, - // }, - // policies: map[string]*conf_v1.Policy{ - // "default/ingress-mtls-policy": { - // ObjectMeta: meta_v1.ObjectMeta{ - // Name: "ingress-mtls-policy", - // Namespace: "default", - // }, - // Spec: conf_v1.PolicySpec{ - // IngressMTLS: &conf_v1.IngressMTLS{ - // ClientCertSecret: "ingress-mtls-secret", - // VerifyClient: "off", - // }, - // }, - // }, - // }, - // context: "spec", - // expected: policiesCfg{ - // IngressMTLS: &version2.IngressMTLS{ - // ClientCert: mTLSCertPath, - // VerifyClient: "off", - // VerifyDepth: 1, - // }, - // }, - // msg: "ingressMTLS reference", - //}, - //{ - // policyRefs: []conf_v1.PolicyReference{ - // { - // Name: "ingress-mtls-policy-crl", - // Namespace: "default", - // }, - // }, - // policies: map[string]*conf_v1.Policy{ - // "default/ingress-mtls-policy-crl": { - // ObjectMeta: meta_v1.ObjectMeta{ - // Name: "ingress-mtls-policy-crl", - // Namespace: "default", - // }, - // Spec: conf_v1.PolicySpec{ - // IngressMTLS: &conf_v1.IngressMTLS{ - // ClientCertSecret: "ingress-mtls-secret-crl", - // VerifyClient: 
"off", - // }, - // }, - // }, - // }, - // context: "spec", - // expected: policiesCfg{ - // IngressMTLS: &version2.IngressMTLS{ - // ClientCert: mTLSCertPath, - // ClientCrl: mTLSCrlPath, - // VerifyClient: "off", - // VerifyDepth: 1, - // }, - // }, - // msg: "ingressMTLS reference with ca.crl field in secret", - //}, - //{ - // policyRefs: []conf_v1.PolicyReference{ - // { - // Name: "ingress-mtls-policy-crl", - // Namespace: "default", - // }, - // }, - // policies: map[string]*conf_v1.Policy{ - // "default/ingress-mtls-policy-crl": { - // ObjectMeta: meta_v1.ObjectMeta{ - // Name: "ingress-mtls-policy-crl", - // Namespace: "default", - // }, - // Spec: conf_v1.PolicySpec{ - // IngressMTLS: &conf_v1.IngressMTLS{ - // ClientCertSecret: "ingress-mtls-secret", - // CrlFileName: "default-ingress-mtls-secret-ca.crl", - // VerifyClient: "off", - // }, - // }, - // }, - // }, - // context: "spec", - // expected: policiesCfg{ - // IngressMTLS: &version2.IngressMTLS{ - // ClientCert: mTLSCertPath, - // ClientCrl: mTLSCrlPath, - // VerifyClient: "off", - // VerifyDepth: 1, - // }, - // }, - // msg: "ingressMTLS reference with crl field in policy", - //}, - //{ - // policyRefs: []conf_v1.PolicyReference{ - // { - // Name: "egress-mtls-policy", - // Namespace: "default", - // }, - // }, - // policies: map[string]*conf_v1.Policy{ - // "default/egress-mtls-policy": { - // Spec: conf_v1.PolicySpec{ - // EgressMTLS: &conf_v1.EgressMTLS{ - // TLSSecret: "egress-mtls-secret", - // ServerName: true, - // SessionReuse: createPointerFromBool(false), - // TrustedCertSecret: "egress-trusted-ca-secret", - // }, - // }, - // }, - // }, - // context: "route", - // expected: policiesCfg{ - // EgressMTLS: &version2.EgressMTLS{ - // Certificate: "/etc/nginx/secrets/default-egress-mtls-secret", - // CertificateKey: "/etc/nginx/secrets/default-egress-mtls-secret", - // Ciphers: "DEFAULT", - // Protocols: "TLSv1 TLSv1.1 TLSv1.2", - // ServerName: true, - // SessionReuse: false, - // 
VerifyDepth: 1, - // VerifyServer: false, - // TrustedCert: "/etc/nginx/secrets/default-egress-trusted-ca-secret", - // SSLName: "$proxy_host", - // }, - // }, - // msg: "egressMTLS reference", - //}, + { + policyRefs: []conf_v1.PolicyReference{ + { + Name: "allow-policy", + Namespace: "default", + }, + }, + policies: map[string]*conf_v1.Policy{ + "default/allow-policy": { + Spec: conf_v1.PolicySpec{ + AccessControl: &conf_v1.AccessControl{ + Allow: []string{"127.0.0.1"}, + }, + }, + }, + }, + expected: policiesCfg{ + Allow: []string{"127.0.0.1"}, + }, + msg: "explicit reference", + }, + { + policyRefs: []conf_v1.PolicyReference{ + { + Name: "allow-policy", + }, + }, + policies: map[string]*conf_v1.Policy{ + "default/allow-policy": { + Spec: conf_v1.PolicySpec{ + AccessControl: &conf_v1.AccessControl{ + Allow: []string{"127.0.0.1"}, + }, + }, + }, + }, + expected: policiesCfg{ + Allow: []string{"127.0.0.1"}, + }, + msg: "implicit reference", + }, + { + policyRefs: []conf_v1.PolicyReference{ + { + Name: "allow-policy-1", + }, + { + Name: "allow-policy-2", + }, + }, + policies: map[string]*conf_v1.Policy{ + "default/allow-policy-1": { + Spec: conf_v1.PolicySpec{ + AccessControl: &conf_v1.AccessControl{ + Allow: []string{"127.0.0.1"}, + }, + }, + }, + "default/allow-policy-2": { + Spec: conf_v1.PolicySpec{ + AccessControl: &conf_v1.AccessControl{ + Allow: []string{"127.0.0.2"}, + }, + }, + }, + }, + expected: policiesCfg{ + Allow: []string{"127.0.0.1", "127.0.0.2"}, + }, + msg: "merging", + }, + { + policyRefs: []conf_v1.PolicyReference{ + { + Name: "rateLimit-policy", + Namespace: "default", + }, + }, + policies: map[string]*conf_v1.Policy{ + "default/rateLimit-policy": { + Spec: conf_v1.PolicySpec{ + RateLimit: &conf_v1.RateLimit{ + Key: "test", + ZoneSize: "10M", + Rate: "10r/s", + LogLevel: "notice", + }, + }, + }, + }, + expected: policiesCfg{ + LimitReqZones: []version2.LimitReqZone{ + { + Key: "test", + ZoneSize: "10M", + Rate: "10r/s", + ZoneName: 
"pol_rl_default_rateLimit-policy_default_test", + }, + }, + LimitReqOptions: version2.LimitReqOptions{ + LogLevel: "notice", + RejectCode: 503, + }, + LimitReqs: []version2.LimitReq{ + { + ZoneName: "pol_rl_default_rateLimit-policy_default_test", + }, + }, + }, + msg: "rate limit reference", + }, + { + policyRefs: []conf_v1.PolicyReference{ + { + Name: "rateLimit-policy", + Namespace: "default", + }, + { + Name: "rateLimit-policy2", + Namespace: "default", + }, + }, + policies: map[string]*conf_v1.Policy{ + "default/rateLimit-policy": { + Spec: conf_v1.PolicySpec{ + RateLimit: &conf_v1.RateLimit{ + Key: "test", + ZoneSize: "10M", + Rate: "10r/s", + }, + }, + }, + "default/rateLimit-policy2": { + Spec: conf_v1.PolicySpec{ + RateLimit: &conf_v1.RateLimit{ + Key: "test2", + ZoneSize: "20M", + Rate: "20r/s", + }, + }, + }, + }, + expected: policiesCfg{ + LimitReqZones: []version2.LimitReqZone{ + { + Key: "test", + ZoneSize: "10M", + Rate: "10r/s", + ZoneName: "pol_rl_default_rateLimit-policy_default_test", + }, + { + Key: "test2", + ZoneSize: "20M", + Rate: "20r/s", + ZoneName: "pol_rl_default_rateLimit-policy2_default_test", + }, + }, + LimitReqOptions: version2.LimitReqOptions{ + LogLevel: "error", + RejectCode: 503, + }, + LimitReqs: []version2.LimitReq{ + { + ZoneName: "pol_rl_default_rateLimit-policy_default_test", + }, + { + ZoneName: "pol_rl_default_rateLimit-policy2_default_test", + }, + }, + }, + msg: "multi rate limit reference", + }, + { + policyRefs: []conf_v1.PolicyReference{ + { + Name: "jwt-policy", + Namespace: "default", + }, + }, + policies: map[string]*conf_v1.Policy{ + "default/jwt-policy": { + ObjectMeta: meta_v1.ObjectMeta{ + Name: "jwt-policy", + Namespace: "default", + }, + Spec: conf_v1.PolicySpec{ + JWTAuth: &conf_v1.JWTAuth{ + Realm: "My Test API", + Secret: "jwt-secret", + }, + }, + }, + }, + expected: policiesCfg{ + JWTAuth: &version2.JWTAuth{ + Secret: "/etc/nginx/secrets/default-jwt-secret", + Realm: "My Test API", + }, + }, + msg: "jwt 
reference", + }, + { + policyRefs: []conf_v1.PolicyReference{ + { + Name: "jwt-policy-2", + Namespace: "default", + }, + }, + policies: map[string]*conf_v1.Policy{ + "default/jwt-policy-2": { + ObjectMeta: meta_v1.ObjectMeta{ + Name: "jwt-policy", + Namespace: "default", + }, + Spec: conf_v1.PolicySpec{ + JWTAuth: &conf_v1.JWTAuth{ + Realm: "My Test API", + JwksURI: "https://idp.example.com:443/keys", + KeyCache: "1h", + }, + }, + }, + }, + expected: policiesCfg{ + JWTAuth: &version2.JWTAuth{ + Realm: "My Test API", + JwksURI: version2.JwksURI{ + JwksScheme: "https", + JwksHost: "idp.example.com", + JwksPort: "443", + JwksPath: "/keys", + }, + KeyCache: "1h", + }, + }, + msg: "Basic jwks example", + }, + { + policyRefs: []conf_v1.PolicyReference{ + { + Name: "jwt-policy-2", + Namespace: "default", + }, + }, + policies: map[string]*conf_v1.Policy{ + "default/jwt-policy-2": { + ObjectMeta: meta_v1.ObjectMeta{ + Name: "jwt-policy", + Namespace: "default", + }, + Spec: conf_v1.PolicySpec{ + JWTAuth: &conf_v1.JWTAuth{ + Realm: "My Test API", + JwksURI: "https://idp.example.com/keys", + KeyCache: "1h", + }, + }, + }, + }, + expected: policiesCfg{ + JWTAuth: &version2.JWTAuth{ + Realm: "My Test API", + JwksURI: version2.JwksURI{ + JwksScheme: "https", + JwksHost: "idp.example.com", + JwksPort: "", + JwksPath: "/keys", + }, + KeyCache: "1h", + }, + }, + msg: "Basic jwks example, no port in JwksURI", + }, + { + policyRefs: []conf_v1.PolicyReference{ + { + Name: "basic-auth-policy", + Namespace: "default", + }, + }, + policies: map[string]*conf_v1.Policy{ + "default/basic-auth-policy": { + ObjectMeta: meta_v1.ObjectMeta{ + Name: "basic-auth-policy", + Namespace: "default", + }, + Spec: conf_v1.PolicySpec{ + BasicAuth: &conf_v1.BasicAuth{ + Realm: "My Test API", + Secret: "htpasswd-secret", + }, + }, + }, + }, + expected: policiesCfg{ + BasicAuth: &version2.BasicAuth{ + Secret: "/etc/nginx/secrets/default-htpasswd-secret", + Realm: "My Test API", + }, + }, + msg: "basic auth 
reference", + }, + { + policyRefs: []conf_v1.PolicyReference{ + { + Name: "ingress-mtls-policy", + Namespace: "default", + }, + }, + policies: map[string]*conf_v1.Policy{ + "default/ingress-mtls-policy": { + ObjectMeta: meta_v1.ObjectMeta{ + Name: "ingress-mtls-policy", + Namespace: "default", + }, + Spec: conf_v1.PolicySpec{ + IngressMTLS: &conf_v1.IngressMTLS{ + ClientCertSecret: "ingress-mtls-secret", + VerifyClient: "off", + }, + }, + }, + }, + context: "spec", + expected: policiesCfg{ + IngressMTLS: &version2.IngressMTLS{ + ClientCert: mTLSCertPath, + VerifyClient: "off", + VerifyDepth: 1, + }, + }, + msg: "ingressMTLS reference", + }, + { + policyRefs: []conf_v1.PolicyReference{ + { + Name: "ingress-mtls-policy-crl", + Namespace: "default", + }, + }, + policies: map[string]*conf_v1.Policy{ + "default/ingress-mtls-policy-crl": { + ObjectMeta: meta_v1.ObjectMeta{ + Name: "ingress-mtls-policy-crl", + Namespace: "default", + }, + Spec: conf_v1.PolicySpec{ + IngressMTLS: &conf_v1.IngressMTLS{ + ClientCertSecret: "ingress-mtls-secret-crl", + VerifyClient: "off", + }, + }, + }, + }, + context: "spec", + expected: policiesCfg{ + IngressMTLS: &version2.IngressMTLS{ + ClientCert: mTLSCertPath, + ClientCrl: mTLSCrlPath, + VerifyClient: "off", + VerifyDepth: 1, + }, + }, + msg: "ingressMTLS reference with ca.crl field in secret", + }, + { + policyRefs: []conf_v1.PolicyReference{ + { + Name: "ingress-mtls-policy-crl", + Namespace: "default", + }, + }, + policies: map[string]*conf_v1.Policy{ + "default/ingress-mtls-policy-crl": { + ObjectMeta: meta_v1.ObjectMeta{ + Name: "ingress-mtls-policy-crl", + Namespace: "default", + }, + Spec: conf_v1.PolicySpec{ + IngressMTLS: &conf_v1.IngressMTLS{ + ClientCertSecret: "ingress-mtls-secret", + CrlFileName: "default-ingress-mtls-secret-ca.crl", + VerifyClient: "off", + }, + }, + }, + }, + context: "spec", + expected: policiesCfg{ + IngressMTLS: &version2.IngressMTLS{ + ClientCert: mTLSCertPath, + ClientCrl: mTLSCrlPath, + 
VerifyClient: "off", + VerifyDepth: 1, + }, + }, + msg: "ingressMTLS reference with crl field in policy", + }, + { + policyRefs: []conf_v1.PolicyReference{ + { + Name: "egress-mtls-policy", + Namespace: "default", + }, + }, + policies: map[string]*conf_v1.Policy{ + "default/egress-mtls-policy": { + Spec: conf_v1.PolicySpec{ + EgressMTLS: &conf_v1.EgressMTLS{ + TLSSecret: "egress-mtls-secret", + ServerName: true, + SessionReuse: createPointerFromBool(false), + TrustedCertSecret: "egress-trusted-ca-secret", + }, + }, + }, + }, + context: "route", + expected: policiesCfg{ + EgressMTLS: &version2.EgressMTLS{ + Certificate: "/etc/nginx/secrets/default-egress-mtls-secret", + CertificateKey: "/etc/nginx/secrets/default-egress-mtls-secret", + Ciphers: "DEFAULT", + Protocols: "TLSv1 TLSv1.1 TLSv1.2", + ServerName: true, + SessionReuse: false, + VerifyDepth: 1, + VerifyServer: false, + TrustedCert: "/etc/nginx/secrets/default-egress-trusted-ca-secret", + SSLName: "$proxy_host", + }, + }, + msg: "egressMTLS reference", + }, { policyRefs: []conf_v1.PolicyReference{ { 
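Review bot: The restored `egressMTLS reference` case pins `Protocols: "TLSv1 TLSv1.1 TLSv1.2"` and `VerifyServer: false` as the expected output for a policy that sets `TrustedCertSecret` and leaves the other fields unset, and nothing in the case says these are generator defaults rather than values under test. Read on its own it looks like an endorsement of TLS 1.0/1.1 and of an upstream whose certificate is not verified even though a trusted CA is configured. A comment on the case such as `// Protocols and VerifyServer are defaults; the trusted CA only takes effect when verifyServer is enabled` would make the intent explicit. The defaults are presumably produced in addEgressMTLSConfig, outside this hunk, so whether they should change is a separate question; TestGeneratePolicies itself starts and ends outside the hunk.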
@@ -3238,72 +3238,72 @@ func TestGeneratePolicies(t *testing.T) { }, msg: "egressMTLS with crt and crl", }, - //{ - // policyRefs: []conf_v1.PolicyReference{ - // { - // Name: "oidc-policy", - // Namespace: "default", - // }, - // }, - // policies: map[string]*conf_v1.Policy{ - // "default/oidc-policy": { - // ObjectMeta: meta_v1.ObjectMeta{ - // Name: "oidc-policy", - // Namespace: "default", - // }, - // Spec: conf_v1.PolicySpec{ - // OIDC: &conf_v1.OIDC{ - // AuthEndpoint: "http://example.com/auth", - // TokenEndpoint: "http://example.com/token", - // JWKSURI: "http://example.com/jwks", - // ClientID: "client-id", - // ClientSecret: "oidc-secret", - // Scope: "scope", - // RedirectURI: "/redirect", - // ZoneSyncLeeway: createPointerFromInt(20), - // AccessTokenEnable: true, - // }, - // }, - // }, - // }, - // expected: policiesCfg{ - // OIDC: true, - // }, - // msg: "oidc reference", - //}, - //{ - // policyRefs: []conf_v1.PolicyReference{ - // { - // Name: "waf-policy", - // Namespace: "default", - // }, - // }, - // policies: map[string]*conf_v1.Policy{ - // "default/waf-policy": { - // Spec: conf_v1.PolicySpec{ - // WAF: &conf_v1.WAF{ - // Enable: true, - // ApPolicy: "default/dataguard-alarm", - // SecurityLog: &conf_v1.SecurityLog{ - // Enable: true, - // ApLogConf: "default/logconf", - // LogDest: "syslog:server=127.0.0.1:514", - // }, - // }, - // }, - // }, - // }, - // context: "route", - // expected: policiesCfg{ - // WAF: &version2.WAF{ - // Enable: "on", - // ApPolicy: "/etc/nginx/waf/nac-policies/default-dataguard-alarm", - // ApSecurityLogEnable: true, - // ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf syslog:server=127.0.0.1:514"}, - // }, - // }, - // msg: "WAF reference", - //}, + { + policyRefs: []conf_v1.PolicyReference{ + { + Name: "oidc-policy", + Namespace: "default", + }, + }, + policies: map[string]*conf_v1.Policy{ + "default/oidc-policy": { + ObjectMeta: meta_v1.ObjectMeta{ + Name: "oidc-policy", + Namespace: 
"default", + }, + Spec: conf_v1.PolicySpec{ + OIDC: &conf_v1.OIDC{ + AuthEndpoint: "http://example.com/auth", + TokenEndpoint: "http://example.com/token", + JWKSURI: "http://example.com/jwks", + ClientID: "client-id", + ClientSecret: "oidc-secret", + Scope: "scope", + RedirectURI: "/redirect", + ZoneSyncLeeway: createPointerFromInt(20), + AccessTokenEnable: true, + }, + }, + }, + }, + expected: policiesCfg{ + OIDC: true, + }, + msg: "oidc reference", + }, + { + policyRefs: []conf_v1.PolicyReference{ + { + Name: "waf-policy", + Namespace: "default", + }, + }, + policies: map[string]*conf_v1.Policy{ + "default/waf-policy": { + Spec: conf_v1.PolicySpec{ + WAF: &conf_v1.WAF{ + Enable: true, + ApPolicy: "default/dataguard-alarm", + SecurityLog: &conf_v1.SecurityLog{ + Enable: true, + ApLogConf: "default/logconf", + LogDest: "syslog:server=127.0.0.1:514", + }, + }, + }, + }, + }, + context: "route", + expected: policiesCfg{ + WAF: &version2.WAF{ + Enable: "on", + ApPolicy: "/etc/nginx/waf/nac-policies/default-dataguard-alarm", + ApSecurityLogEnable: true, + ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf syslog:server=127.0.0.1:514"}, + }, + }, + msg: "WAF reference", + }, } vsc := newVirtualServerConfigurator(&ConfigParams{}, false, false, &StaticConfigParams{}, false) From cd8adf6ec6935bf124b2812e5bc9a96bfe2e5a2d Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 11 Apr 2023 10:51:21 +0100 Subject: [PATCH 4/9] Fix crt and crl path in test and fix nill slice reference --- internal/configs/virtualserver.go | 7 +++++-- internal/configs/virtualserver_test.go | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/internal/configs/virtualserver.go b/internal/configs/virtualserver.go index bc4be274d0..be5c0486c0 100644 --- a/internal/configs/virtualserver.go +++ b/internal/configs/virtualserver.go 
@@ -998,7 +998,10 @@ func (p *policiesCfg) addEgressMTLSConfig(
 trustedSecretPath = secretRef.Path
 }

- caFields := strings.Fields(trustedSecretPath)
+ if len(trustedSecretPath) != 0 {
+ caFields := strings.Fields(trustedSecretPath)
+ trustedSecretPath = caFields[0]
+ }

 p.EgressMTLS = &version2.EgressMTLS{
 Certificate: tlsSecretPath,
@@ -1009,7 +1012,7 @@ func (p *policiesCfg) addEgressMTLSConfig(
 VerifyDepth: generateIntFromPointer(egressMTLS.VerifyDepth, 1),
 SessionReuse: generateBool(egressMTLS.SessionReuse, true),
 ServerName: egressMTLS.ServerName,
- TrustedCert: caFields[0],
+ TrustedCert: trustedSecretPath,
 SSLName: generateString(egressMTLS.SSLName, "$proxy_host"),
 }
 return res
diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go
index ab1ef5b65a..b3c0fc23e3 100644
--- a/internal/configs/virtualserver_test.go
+++ b/internal/configs/virtualserver_test.go
@@ -2691,8 +2691,8 @@ func TestGeneratePolicies(t *testing.T) {
 vsNamespace: "default",
 vsName: "test",
 }
- mTLSCertPath := "/etc/nginx/secrets/default-mtls-secret-ca.crt"
- mTLSCrlPath := "/etc/nginx/secrets/default-mtls-secret-ca.crl"
+ mTLSCertPath := "/etc/nginx/secrets/default-ingress-mtls-secret-ca.crt"
+ mTLSCrlPath := "/etc/nginx/secrets/default-ingress-mtls-secret-ca.crl"
 mTLSCertAndCrlPath := fmt.Sprintf("%s %s", mTLSCertPath, mTLSCrlPath)
 policyOpts := policyOptions{
 tls: true,
From cb24e3a06ceb63b9869e4e16b65b7c00756d2166 Mon Sep 17 00:00:00 2001
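Review bot: The new guard `if len(trustedSecretPath) != 0` in the first virtualserver.go hunk still lets a whitespace-only path reach `caFields[0]`, because `strings.Fields` returns an empty slice for such input and the index panics; testing the slice itself closes that: `if caFields := strings.Fields(trustedSecretPath); len(caFields) > 0 { trustedSecretPath = caFields[0] }`. Keeping only the first field also discards the CRL part of a path shaped like the test's `"<ca.crt> <ca.crl>"` without a log line or comment, so as far as this hunk shows an upstream certificate revoked by that CA would still pass server verification. A comment above the block such as `// secretRef.Path may be "<ca.crt> <ca.crl>"; EgressMTLS uses only the CA file, so the CRL is not applied to upstream verification` would make that trade-off visible, and nginx's `proxy_ssl_crl` is the directive that would carry the CRL if revocation checking is wanted later. addEgressMTLSConfig begins and ends outside the hunk.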
From: shaun-nx Date: Fri, 14 Apr 2023 15:33:23 +0100 Subject: [PATCH 5/9] Update data files for egress MTLS tests --- .../policies/egress-mtls-invalid.yaml | 2 +- tests/data/egress-mtls/policies/egress-mtls.yaml | 2 +- .../route-subroute/virtual-server-mtls.yaml | 16 ++++++---------- .../virtual-server-route-mtls.yaml | 16 ++++++---------- .../route-subroute/virtual-server-vsr.yaml | 2 -- .../secret/egress-mtls-secret-crl.yaml | 2 +- .../egress-mtls/secret/egress-mtls-secret.yaml | 2 +- tests/data/egress-mtls/secret/tls-secret.yaml | 4 ++-- .../egress-mtls/spec/virtual-server-mtls.yaml | 16 ++++++---------- tests/suite/test_egress_mtls.py | 9 +++++---- 10 files changed, 29 insertions(+), 42 deletions(-) diff --git a/tests/data/egress-mtls/policies/egress-mtls-invalid.yaml b/tests/data/egress-mtls/policies/egress-mtls-invalid.yaml index 59e5a06250..ee3b0baed8 100644 --- a/tests/data/egress-mtls/policies/egress-mtls-invalid.yaml +++ b/tests/data/egress-mtls/policies/egress-mtls-invalid.yaml @@ -4,7 +4,7 @@ metadata: name: egress-mtls-policy spec: egress_MTLS: - tlsSecret: egress-tks-secret + tlsSecret: egress-tls-secret trustedCertSecret: egress-mtls-secret verifyServer: on verifyDepth: 2 diff --git a/tests/data/egress-mtls/policies/egress-mtls.yaml b/tests/data/egress-mtls/policies/egress-mtls.yaml index 8a94645254..41726d4864 100644 --- a/tests/data/egress-mtls/policies/egress-mtls.yaml +++ b/tests/data/egress-mtls/policies/egress-mtls.yaml @@ -9,4 +9,4 @@ spec: verifyServer: on verifyDepth: 2 serverName: on - sslName: virtual-server.example.com + sslName: secure-app.example.com diff --git a/tests/data/egress-mtls/route-subroute/virtual-server-mtls.yaml b/tests/data/egress-mtls/route-subroute/virtual-server-mtls.yaml index f020b39f96..ba5b5a3dab 100644 --- a/tests/data/egress-mtls/route-subroute/virtual-server-mtls.yaml +++ b/tests/data/egress-mtls/route-subroute/virtual-server-mtls.yaml 
@@ -5,18 +5,14 @@ metadata: spec: host: virtual-server.example.com upstreams: - - name: backend2 - service: backend2-svc - port: 80 - - name: backend1 - service: backend1-svc - port: 80 + - name: secure-app + service: secure-app + port: 8443 + tls: + enable: true routes: - path: "/backend1" policies: - name: egress-mtls-policy action: - pass: backend1 - - path: "/backend2" - action: - pass: backend2 + pass: secure-app diff --git a/tests/data/egress-mtls/route-subroute/virtual-server-route-mtls.yaml b/tests/data/egress-mtls/route-subroute/virtual-server-route-mtls.yaml index d6d26b1a0d..bfee01e4c9 100644 --- a/tests/data/egress-mtls/route-subroute/virtual-server-route-mtls.yaml +++ b/tests/data/egress-mtls/route-subroute/virtual-server-route-mtls.yaml @@ -5,18 +5,14 @@ metadata: spec: host: virtual-server-route.example.com upstreams: - - name: backend1 - service: backend1-svc - port: 80 - - name: backend3 - service: backend3-svc - port: 80 + - name: secure-app + service: secure-app + port: 8443 + tls: + enable: true subroutes: - path: "/backends/backend1" policies: - name: egress-mtls-policy action: - pass: backend1 - - path: "/backends/backend3" - action: - pass: backend3 + pass: secure-app diff --git a/tests/data/egress-mtls/route-subroute/virtual-server-vsr.yaml b/tests/data/egress-mtls/route-subroute/virtual-server-vsr.yaml index f56b65d83d..b29057e887 100644 --- a/tests/data/egress-mtls/route-subroute/virtual-server-vsr.yaml +++ b/tests/data/egress-mtls/route-subroute/virtual-server-vsr.yaml @@ -7,5 +7,3 @@ spec: routes: - path: "/backends" route: backends # implicit namespace - - path: "/backend2" - route: backend2-namespace/backend2 diff --git a/tests/data/egress-mtls/secret/egress-mtls-secret-crl.yaml b/tests/data/egress-mtls/secret/egress-mtls-secret-crl.yaml index 6d21943fd2..2ac7aae332 100644 --- a/tests/data/egress-mtls/secret/egress-mtls-secret-crl.yaml +++ b/tests/data/egress-mtls/secret/egress-mtls-secret-crl.yaml 
@@ -4,5 +4,5 @@ metadata: apiVersion: v1 type: nginx.org/ca data: - ca.crt: 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 + ca.crt: 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 ca.crl: 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 diff --git a/tests/data/egress-mtls/secret/egress-mtls-secret.yaml b/tests/data/egress-mtls/secret/egress-mtls-secret.yaml index 9b6a46ad69..827e30abdd 100644 --- a/tests/data/egress-mtls/secret/egress-mtls-secret.yaml +++ b/tests/data/egress-mtls/secret/egress-mtls-secret.yaml 
@@ -4,4 +4,4 @@ metadata: apiVersion: v1 type: nginx.org/ca data: - ca.crt: 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 + ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURTRENDQWpBQ0NRREtXdnJwd2lJeUNEQU5CZ2txaGtpRzl3MEJBUXNGQURCbU1Rc3dDUVlEVlFRR0V3SlYKVXpFTE1Ba0dBMVVFQ0F3Q1EwRXhGakFVQmdOVkJBY01EVk5oYmlCR2NtRnVjMmx6WTI4eERqQU1CZ05WQkFvTQpCVTVIU1U1WU1Rd3dDZ1lEVlFRTERBTkxTVU14RkRBU0JnTlZCQU1NQzJWNFlXMXdiR1V1WTI5dE1CNFhEVEl3Ck1URXhNakl4TWpnME1sb1hEVE13TVRFeE1ESXhNamcwTWxvd1pqRUxNQWtHQTFVRUJoTUNWVk14Q3pBSkJnTlYKQkFnTUFrTkJNUll3RkFZRFZRUUhEQTFUWVc0Z1JuSmhibk5wYzJOdk1RNHdEQVlEVlFRS0RBVk9SMGxPV0RFTQpNQW9HQTFVRUN3d0RTMGxETVJRd0VnWURWUVFEREF0bGVHRnRjR3hsTG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNcmxLTXFySGZNUjRtZ2FMMnpaRzJEWVlmS0NGVm1JTmpsWXVPZUMKRkRUY1JnUUt0dTJZY0N4WllCQUR3SFp4RWY2TklLdFZzTVdMaFNOUy9OYzBCbXRpUU0vSUV4aGxDaURDNlNsOApPTnJJM3c3cUp6TjZJVUVSQjZ0VmxRdDA3cmdNMFYyNlVUWXUwSWt2MVk4dHJmTFlQWmNrekJrb3JRanBjaXVtCnFvUDJCSmY0eXljOUxxcHh0bFdLeGVsa3VuVkw1aWpNRXpwajlnRUUyNlRFSGJzZEViaG9SOGcwT2VIWnFIN2UKbVhDblNJQlIwQS9vL3M2bm9HTlgrRjE5bFk3VGd3NzdqT3VRUTVZc2krN25oTjJsS3ZjQzgxOVJYN29NcGd2dApWNUIzbkkwbUY2QmF6bmplVHM0eVFjcjFTbTNVVFZCd1g5WnV2TDdSYklYa1VtOENBd0VBQVRBTkJna3Foa2lHCjl3MEJBUXNGQUFPQ0FRRUFnbTA0dzZPSVdHajZ0a2E5Y2NjY25ibEYwb1p6ZUVBSXl3anZSNXNEY1BkdkxJZU0KZWVzSnk2ckZINERCbU15Z3BjSXhKR3JTT3pabEYzTE12dzd6SzRzdHFOdG0xSGlwckY4Ynp4ZlRmZlZZbmNnNgpoVktFckh0WjJGWlJqLzJUTUowMWFSRFpTdVZiTDZVSmlva3BVNnh4VDd5eTBkRlprS3JqVVIzNDlnS3hScUp3CkFtMmFzMGJoaTUxRXFLMUdFeDNtNGMwdW4ydk5oNXFQMmh2NmUvUXplNlA5NnZlZk5hU2s5UU1GZnVCMWtTQWsKZkdwa2lMN2JqbWpuaEt3QW1mOGpEV0RabHRCNlM1NlF5MlFqUFI4Sm9PdXNiWXhhcjRjNkVjSXdWSHY2bWRnUAp5WnhXcVFzZ3RTZkZ4K1B3b245SVBLdXEwalFZZ2VaUFN4Uk1MQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K \ No newline at end of file diff --git a/tests/data/egress-mtls/secret/tls-secret.yaml b/tests/data/egress-mtls/secret/tls-secret.yaml index 031238b87d..d10edab330 100644 --- a/tests/data/egress-mtls/secret/tls-secret.yaml 
+++ b/tests/data/egress-mtls/secret/tls-secret.yaml @@ -4,5 +4,5 @@ metadata: name: egress-tls-secret type: kubernetes.io/tls data: - tls.crt: 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 - tls.key: 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 + tls.crt: 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 + tls.key: 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 \ No newline at end of file diff --git a/tests/data/egress-mtls/spec/virtual-server-mtls.yaml b/tests/data/egress-mtls/spec/virtual-server-mtls.yaml index 146a8e86e1..72d9c6846c 100644 --- a/tests/data/egress-mtls/spec/virtual-server-mtls.yaml +++ b/tests/data/egress-mtls/spec/virtual-server-mtls.yaml @@ -7,16 +7,12 @@ spec: policies: - name: egress-mtls-policy upstreams: - - name: backend2 - service: backend2-svc - port: 80 - - name: backend1 - service: backend1-svc - port: 80 + - name: secure-app + service: secure-app + port: 8443 + tls: + enable: true routes: - path: "/backend1" action: - pass: backend1 - - path: "/backend2" - action: - pass: backend2 + pass: secure-app \ No newline at end of file diff --git a/tests/suite/test_egress_mtls.py b/tests/suite/test_egress_mtls.py index 66c568a98e..ae7614ea93 100644 --- a/tests/suite/test_egress_mtls.py +++ b/tests/suite/test_egress_mtls.py @@ -62,13 +62,14 @@ def teardown_policy(kube_apis, test_namespace, tls_secret, pol_name, mtls_secret }, { "example": "virtual-server", - "app_type": "simple", + "app_type": "secure-ca", }, ) ], indirect=True, ) class TestEgressMtlsPolicyVS: + @pytest.mark.egressmtls @pytest.mark.parametrize( "policy_src, vs_src, mtls_ca_secret, expected_code, expected_text, vs_message, vs_state, test_description", [ @@ -77,7 +78,7 @@ class TestEgressMtlsPolicyVS: mtls_vs_spec_src, mtls_sec_valid_src, 200, - "Server address:", + "hello from pod secure-app", "was added or updated", "Valid", "Test valid EgressMTLS policy applied to a VirtualServer spec", 
@@ -87,7 +88,7 @@ class TestEgressMtlsPolicyVS: mtls_vs_route_src, mtls_sec_valid_src, 200, - "Server address:", + "hello from pod secure-app", "was added or updated", "Valid", "Test valid EgressMTLS policy applied to a VirtualServer path", @@ -97,7 +98,7 @@ class TestEgressMtlsPolicyVS: mtls_vs_spec_src, mtls_sec_valid_crl_src, 200, - "Server address:", + "hello from pod secure-app", "was added or updated", "Valid", "Test valid EgressMTLS policy applied to a VirtualServer with a CRL", From 407ffc4aa79153cf3ff459ee96106632407dc224 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 19 Apr 2023 15:29:16 +0100 Subject: [PATCH 6/9] Remove VSR python test --- tests/suite/test_egress_mtls.py | 138 -------------------------------- 1 file changed, 138 deletions(-) diff --git a/tests/suite/test_egress_mtls.py b/tests/suite/test_egress_mtls.py index ae7614ea93..1999886b6b 100644 --- a/tests/suite/test_egress_mtls.py +++ b/tests/suite/test_egress_mtls.py @@ -69,7 +69,6 @@ def teardown_policy(kube_apis, test_namespace, tls_secret, pol_name, mtls_secret indirect=True, ) class TestEgressMtlsPolicyVS: - @pytest.mark.egressmtls @pytest.mark.parametrize( "policy_src, vs_src, mtls_ca_secret, expected_code, expected_text, vs_message, vs_state, test_description", [ 
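Review bot: The CRL entry in the last hunk of test_egress_mtls.py expects the same 200 and `hello from pod secure-app` body as the two plain-CA entries, so it passes whether the controller applies the CRL from `mtls_sec_valid_crl_src` or discards it. Because the accompanying change to addEgressMTLSConfig keeps only the CA path, a comment on the entry would stop readers from taking it as revocation coverage: `# The CRL in the CA secret is ignored for EgressMTLS; this case only checks the policy stays Valid and traffic still passes.` The parametrize list and the test body start and end outside the hunk.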
@@ -174,140 +173,3 @@ def test_egress_mtls_policy( and vs_message in vs_events["status"]["message"] and vs_events["status"]["state"] == vs_state ) - - -@pytest.mark.policies -@pytest.mark.parametrize( - "crd_ingress_controller, v_s_route_setup", - [ - ( - { - "type": "complete", - "extra_args": [ - f"-enable-leader-election=false", - ], - }, - { - "example": "virtual-server-route", - }, - ) - ], - indirect=True, -) -class TestEgressMtlsPolicyVSR: - @pytest.mark.parametrize( - "policy_src, vs_src, vsr_src, mtls_ca_secret, expected_code, expected_text, vsr_message, vsr_state, test_description", - [ - ( - mtls_pol_valid_src, - mtls_vs_vsr_src, - mtls_vsr_subroute_src, - mtls_sec_valid_src, - 200, - "Server address:", - "was added or updated", - "Valid", - "Test valid EgressMTLS policy applied to a VirtualServerRoute", - ), - ( - mtls_pol_valid_src, - mtls_vs_vsr_src, - mtls_vsr_subroute_src, - mtls_sec_valid_crl_src, - 200, - "Server address:", - "was added or updated", - "Valid", - "Test valid EgressMTLS policy applied to VirtualServerRoute with a CRL", - ), - ( - mtls_pol_invalid_src, - mtls_vs_vsr_src, - mtls_vsr_subroute_src, - mtls_sec_valid_src, - 500, - "Internal Server Error", - "is missing or invalid", - "Warning", - "Test invalid EgressMTLS policy applied to VirtualServerRoute", - ), - ], - ) - def test_egress_mtls_policy( - self, - kube_apis, - crd_ingress_controller, - v_s_route_app_setup, - v_s_route_setup, - test_namespace, - policy_src, - vs_src, - vsr_src, - mtls_ca_secret, - expected_code, - expected_text, - vsr_message, - vsr_state, - test_description, - ): - """ - Test egress-mtls with valid and invalid policy in vsr subroutes. 
- """ - print("------------------------- {} -----------------------------------".format(test_description)) - req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" - session = create_sni_session() - mtls_secret, tls_secret, pol_name = setup_policy( - kube_apis, - v_s_route_setup.namespace, - mtls_ca_secret, - tls_sec_valid_src, - policy_src, - ) - - print(f"Patch vsr with policy: {vsr_src} and vs with tls secret: {tls_secret}") - patch_virtual_server_from_yaml( - kube_apis.custom_objects, - v_s_route_setup.vs_name, - vs_src, - v_s_route_setup.namespace, - ) - patch_v_s_route_from_yaml( - kube_apis.custom_objects, - v_s_route_setup.route_m.name, - vsr_src, - v_s_route_setup.route_m.namespace, - ) - wait_before_test() - resp = session.get( - f"{req_url}{v_s_route_setup.route_m.paths[0]}", - headers={"host": v_s_route_setup.vs_host}, - allow_redirects=False, - verify=False, - ) - - vsr_events = read_vsr( - kube_apis.custom_objects, - v_s_route_setup.route_m.namespace, - v_s_route_setup.route_m.name, - ) - teardown_policy(kube_apis, v_s_route_setup.namespace, tls_secret, pol_name, mtls_secret) - - patch_v_s_route_from_yaml( - kube_apis.custom_objects, - v_s_route_setup.route_m.name, - std_vsr_src, - v_s_route_setup.route_m.namespace, - ) - patch_virtual_server_from_yaml( - kube_apis.custom_objects, - v_s_route_setup.vs_name, - std_vs_vsr_src, - v_s_route_setup.namespace, - ) - - assert ( - resp.status_code == expected_code - and expected_text in resp.text - and vsr_message in vsr_events["status"]["message"] - and vsr_events["status"]["state"] == vsr_state - ) From 4384373b6c2dec4b228ab161d1ea0d4b666229da Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 25 Apr 2023 05:12:44 +0000 Subject: [PATCH 7/9] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- tests/data/egress-mtls/secret/egress-mtls-secret.yaml | 2 +- tests/data/egress-mtls/secret/tls-secret.yaml | 2 +- tests/data/egress-mtls/spec/virtual-server-mtls.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/data/egress-mtls/secret/egress-mtls-secret.yaml b/tests/data/egress-mtls/secret/egress-mtls-secret.yaml index 827e30abdd..690269f658 100644 --- a/tests/data/egress-mtls/secret/egress-mtls-secret.yaml +++ b/tests/data/egress-mtls/secret/egress-mtls-secret.yaml @@ -4,4 +4,4 @@ metadata: apiVersion: v1 type: nginx.org/ca data: - ca.crt: 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 \ No newline at end of file + ca.crt: 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 diff --git a/tests/data/egress-mtls/secret/tls-secret.yaml b/tests/data/egress-mtls/secret/tls-secret.yaml index d10edab330..988e849398 100644 --- a/tests/data/egress-mtls/secret/tls-secret.yaml +++ b/tests/data/egress-mtls/secret/tls-secret.yaml 
@@ -5,4 +5,4 @@ metadata: type: kubernetes.io/tls data: tls.crt: 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 - tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdWQ0SEdtbHRJK0hsbFgzc3ZYeDJ4Wmt0L3hKSE5FRjVWSkxoWlNCdkRqTTUwd29SCkVZTUpGNi9YQk11ZzNJYXV3SHV2TUNkQnE0QnIvYzgwTmk4Sy9LeXNFakdCSDBLOUFuQ0xGVmt2NEtkNUI3MDUKaENyV2FzQi8xR21HeGsxTEJUNG9RaE1STGpzNlJIVGRvUW9GSmEyT25FenRHM0J0eFp6QXB6aDNUTjRKSlFEWQorRjhDUUNNVk81czV3a1YyTmwzU0U4V0padHJBSzJYcWhrYTZYaWVkZ3MvR3REbSs4NFVQTlBvTUFlZ0xOZjRGCnNia2huL01ZWlAwbWxXVHp6ZFVuVXNlOUVEUUg2aEVwcGdpSUV4Zm8wQlFTOEpmSURSYW8rdnhva2JTS0dkOUMKUTRzWjNqNUVPT3luNGZmODdDNVJ2MVZoNjBLZU1LRW5ENHpUM1FJREFRQUJBb0lCQUM1enNmekUyblQ4VVArUwprQ2N2UXhQUlc3Q0M1ZTdHYWtkYnloOFhBd3BlZlJZa1R1MjhmUHBCaFJCNnY4STltdEVhV0VkRm1HRC9ZSDMzCldnb3NxYWRLbEZxYnFyU2dYbEtNeEFYYTIxOWZHNTEyaWpoZzZHT1hwcHIwb0sxUXhlNFNnY2M1c3JLR05PTEUKL2xyd0FTZFFmL0xLT3Z2L2xqK3NGRzMyYThKMjBtWVY0dFpsZmJsaUlxNHd0YzVnc0JWUVJ2T3RielQzQzRscwowM1JwbnJPbitxV3NwVkVleU52WjRjM2NKUGJpVTJ4WmkvcE1MZWhnUUhZcDZ0bEpVMFZQRDJaWDJoaDkrRlNDCndOaGNhQVBMTkZrNy9Vc3grdTVhMUM3b3Y0WEw1MExWVE15RjVkdVpCY2ZsUmd3ZWJVc0JqNlRWUDl4Tkp3aTUKb3VmOXJDRUNnWUVBNFJCVE5Oam5LWC9qQVJVZW1tTEpZVFpYNm12bXUzMTJSU1ZuK1ZUV1VzMHVhZVhaS2pmMwpWa3Q0Z3VkdzB1UWh1aFhJbkxVclJhdmVhZHBNc0o0VkZxRHJSRW5LVWlmZWU5QzQraWJOSnk3NHBYcVJpaVpaCjVCT2RKWjNlNVZCbDlTcDJNNExxMUNFNGF5cyt5djAyak9jSjJPallJSW9MU2IxL21WZnVpTmtDZ1lFQTAycHYKTTQyTEljWjFJQW9jMStlTXZIVVpuQ0ltei8vMVBGTTJoaGdlSUs1VXhZM0FRRVg5dzJDWUFKT202Q05WbHhiNAp6dkVrVnVOMnZ0cE5LaWlUQkRGczZtLzBkSE8wTERQdDdjV2ozNDAzbUtwcjBPY2pEVjllYnhpVWJ0R0lKVE84CkpyYzB2OUNUMnFJaFBpTElZdXBpOXg3SFZHUi9pTCswMnJNZm9LVUNnWUVBdktDaERBYktYd2EzSy80V1l4QnUKZFZKRmhzeWVXZjlCODV2eE00LzkvUEhJZDZyVFFzWWJQekVMdExMaTVXMmNNc2oxRlJubVJZTlJhbWd5cEVncApwb2lDQmY3T1dlTGVYZWxHVHluY0FYNGxtUk5NRFh3dEZMRzNvSUpiQU5oTVM1a2w3ZkJJZmpmRmdGU0RVVCs5Cnk0UUx4Y2NJOU9TZHAxVHlMNFA2QUtrQ2dZRUEwQmZVU3I4SWNuOC83QUJvTVkrRmRENGlyZzdqZXhwcVRTMXUKM29CQXIxUkl0b2IyODR5dzRhMWpFRFpGTS9zTGxRTVVkY1RmU3ZMcmY2R3FFRlFObVRQNUM2eVV4a2JZMGlWdgpEUG5iZW
dBcStBYk94cm1yUTg5YVNTbTllSEtmZWxhNDNMYTVvZy93YUdQcktwamIrcGpRUG9NNkdmUXRuL0ZxClYxVzJUTTBDZ1lBNXg3aVRLa0lZQlgwR0JhWERZOUlxMVBWeTkxK3pFeDhIWUdDczRNR2ttME42Y3lncm84UmwKMzA3R09ocnhwam1wMTNEb1JtM21XZWhQMmV1WEdhLy9VS2gxaTUvVkQ0R1ltL2psc1plZUx6MURiR2crQVZqegpWVFdueFJCemYwRmdGZkZkTmNIeFlwNTJ3VTZuK2x3MTVTdkNTWmJKQzYzUTBsZ3N1NlhZN3c9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= \ No newline at end of file + tls.key: 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 diff --git a/tests/data/egress-mtls/spec/virtual-server-mtls.yaml b/tests/data/egress-mtls/spec/virtual-server-mtls.yaml index 72d9c6846c..fdb76b5901 100644 --- a/tests/data/egress-mtls/spec/virtual-server-mtls.yaml +++ b/tests/data/egress-mtls/spec/virtual-server-mtls.yaml @@ -15,4 +15,4 @@ spec: routes: - path: "/backend1" action: - pass: secure-app \ No newline at end of file + pass: secure-app From 1e57aed8c37d8df67d12aeb08a5485ad39565ff9 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 25 Apr 2023 08:12:33 +0100 Subject: [PATCH 8/9] Add new app.yaml file for EgressMTLS tests --- tests/data/common/app/secure-ca/app.yaml | 80 ++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 tests/data/common/app/secure-ca/app.yaml diff --git a/tests/data/common/app/secure-ca/app.yaml b/tests/data/common/app/secure-ca/app.yaml new file mode 100644 index 0000000000..fa814e5bcf --- /dev/null +++ b/tests/data/common/app/secure-ca/app.yaml 
@@ -0,0 +1,80 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: secure-app +spec: + replicas: 1 + selector: + matchLabels: + app: secure-app + template: + metadata: + labels: + app: secure-app + spec: + containers: + - name: secure-app + image: nginxdemos/nginx-hello:plain-text + ports: + - containerPort: 8443 + volumeMounts: + - name: secret + mountPath: /etc/nginx/ssl + readOnly: true + - name: config-volume + mountPath: /etc/nginx/conf.d + volumes: + - name: secret + secret: + secretName: app-tls-secret + - name: config-volume + configMap: + name: secure-config +--- +apiVersion: v1 +kind: Service +metadata: + name: secure-app +spec: + ports: + - port: 8443 + targetPort: 8443 + protocol: TCP + name: https + selector: + app: secure-app +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: secure-config +data: + app.conf: |- + server { + listen 8443 ssl; + listen [::]:8443 ssl; + + server_name secure-app.example.com; + + ssl_certificate /etc/nginx/ssl/tls.crt; + ssl_certificate_key /etc/nginx/ssl/tls.key; + + ssl_verify_client on; + ssl_client_certificate /etc/nginx/ssl/ca.crt; + + default_type text/plain; + + location /backend1 { + return 200 "hello from pod $hostname\n"; + } + } +--- +apiVersion: v1 +kind: Secret +metadata: + name: app-tls-secret +type: Opaque +data: + tls.crt: 
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVekNDQWpzQ0NRRE5Tc2YvSXpBaEhqQU5CZ2txaGtpRzl3MEJBUXNGQURCbU1Rc3dDUVlEVlFRR0V3SlYKVXpFTE1Ba0dBMVVFQ0F3Q1EwRXhGakFVQmdOVkJBY01EVk5oYmlCR2NtRnVjMmx6WTI4eERqQU1CZ05WQkFvTQpCVTVIU1U1WU1Rd3dDZ1lEVlFRTERBTkxTVU14RkRBU0JnTlZCQU1NQzJWNFlXMXdiR1V1WTI5dE1CNFhEVEl3Ck1URXhNakl4TXpNd05sb1hEVE13TVRFeE1ESXhNek13Tmxvd2NURUxNQWtHQTFVRUJoTUNWVk14Q3pBSkJnTlYKQkFnTUFrTkJNUll3RkFZRFZRUUhEQTFUWVc0Z1JuSmhibk5wYzJOdk1RNHdEQVlEVlFRS0RBVk9SMGxPV0RFTQpNQW9HQTFVRUN3d0RTMGxETVI4d0hRWURWUVFEREJaelpXTjFjbVV0WVhCd0xtVjRZVzF3YkdVdVkyOXRNSUlCCklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF6ekE0aUhqL0xpWWhlR1JVS0Vha2NTa2MKRHpsWE1kMDUwZStBb3VodXFoOHJEandOaUl0RGU5c05keXNSTW0yWEVZUUxtdkJyNFlTN2dhNmpVQzFUTXhnMgpSeHZmckZFQ1RPNGJkU2gvZ0NKNU8wdjhIYTNEbmNXQW9saFJIdVlSSit1V09iQkwxYkxqUTFLM2hST1h2cjJWCkhvbWRpb09ybnEwQmdQdC9hN09rOVhuSDdZcDU0UjhsYm96bGtvNXlSOFdnZzlqeWZ0aDRoQ2x3U0J3RkJxbmcKeHBBNSs0NllLOUhwU0VNa0FXb1Z5eERrR0E1UXZubTBiSjZQSk0xUi9UQkpFeTA1Uy90ZVlIV3oyeTFNb29INAo4TStoZTR6YjFQLy93NjhWUE9oR1pjTWlGUzBGTWNwVGgzdlFLUTBwQS84S3c2TWErUFdEWWplY3Z2Y0oxd0lECkFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJzditJRzNNWVVNbUdMNUdYTXFhM3NiU0RZdFJxaEhRcXkKMmxWaWQ1OXFEVmVOdG50MXdkYVJrSjQ4S2x1SzBkZUJDanpGaVN2elBZMVlHc09qeEJ4R2Qrd0tYcElMVXQ3YwpsMXFIbGRTNktyOU9oaS9XSUFDV3AxbDN1K1luUXJROHIzNkZqaGZ1ODMyQ1EwVTQ3Z3I0Yjc5NVNBeDRzdVVFClUwZ2F4MnNLMHlUSU9YYUk4VjRQWThrSlZHdXpyR2N1bVBLT1lrSTRvSEhBY0JMMERrWUkyZ0hmZ2F1amZYTFgKYU9yQ0Z4QndPMGh3ekhNam1GNlRYT2dTNVVIYzFsbzhwREpNK1J3SmUxVjA2RGlZRFpUUlErM1lxcEZpSHpSbwozZkFENzBhM3U5c0NWYnM0QjEzU2ZXOUk5R3hNOXhpdEJjL1VNME1ad1BHUytaSVEwRkZzCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + tls.key: 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 + ca.crt: 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 \ No newline at end of file From 8d0cd90f17ce0ecf139422f935346cda3a3703bf Mon Sep 17 00:00:00 2001 
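Review bot: The `app-tls-secret` Secret at the end of this new manifest checks a TLS private key (`tls.key`) into the repository next to the server certificate and CA, with nothing marking it as throwaway test material. A comment above that document, e.g. `# Test-only key pair for the EgressMTLS test backend; never reuse it outside the test cluster.`, tells readers and anyone triaging a secret-scanner hit what they are looking at. The backend image `nginxdemos/nginx-hello:plain-text` is referenced by a mutable tag; pinning it as `nginxdemos/nginx-hello@sha256:<digest-placeholder>` would keep the test backend from changing underneath the suite.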
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 25 Apr 2023 07:13:28 +0000 Subject: [PATCH 9/9] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- tests/data/common/app/secure-ca/app.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data/common/app/secure-ca/app.yaml b/tests/data/common/app/secure-ca/app.yaml index fa814e5bcf..d0c6e4b033 100644 --- a/tests/data/common/app/secure-ca/app.yaml +++ b/tests/data/common/app/secure-ca/app.yaml 
@@ -77,4 +77,4 @@ type: Opaque data: tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVekNDQWpzQ0NRRE5Tc2YvSXpBaEhqQU5CZ2txaGtpRzl3MEJBUXNGQURCbU1Rc3dDUVlEVlFRR0V3SlYKVXpFTE1Ba0dBMVVFQ0F3Q1EwRXhGakFVQmdOVkJBY01EVk5oYmlCR2NtRnVjMmx6WTI4eERqQU1CZ05WQkFvTQpCVTVIU1U1WU1Rd3dDZ1lEVlFRTERBTkxTVU14RkRBU0JnTlZCQU1NQzJWNFlXMXdiR1V1WTI5dE1CNFhEVEl3Ck1URXhNakl4TXpNd05sb1hEVE13TVRFeE1ESXhNek13Tmxvd2NURUxNQWtHQTFVRUJoTUNWVk14Q3pBSkJnTlYKQkFnTUFrTkJNUll3RkFZRFZRUUhEQTFUWVc0Z1JuSmhibk5wYzJOdk1RNHdEQVlEVlFRS0RBVk9SMGxPV0RFTQpNQW9HQTFVRUN3d0RTMGxETVI4d0hRWURWUVFEREJaelpXTjFjbVV0WVhCd0xtVjRZVzF3YkdVdVkyOXRNSUlCCklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF6ekE0aUhqL0xpWWhlR1JVS0Vha2NTa2MKRHpsWE1kMDUwZStBb3VodXFoOHJEandOaUl0RGU5c05keXNSTW0yWEVZUUxtdkJyNFlTN2dhNmpVQzFUTXhnMgpSeHZmckZFQ1RPNGJkU2gvZ0NKNU8wdjhIYTNEbmNXQW9saFJIdVlSSit1V09iQkwxYkxqUTFLM2hST1h2cjJWCkhvbWRpb09ybnEwQmdQdC9hN09rOVhuSDdZcDU0UjhsYm96bGtvNXlSOFdnZzlqeWZ0aDRoQ2x3U0J3RkJxbmcKeHBBNSs0NllLOUhwU0VNa0FXb1Z5eERrR0E1UXZubTBiSjZQSk0xUi9UQkpFeTA1Uy90ZVlIV3oyeTFNb29INAo4TStoZTR6YjFQLy93NjhWUE9oR1pjTWlGUzBGTWNwVGgzdlFLUTBwQS84S3c2TWErUFdEWWplY3Z2Y0oxd0lECkFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJzditJRzNNWVVNbUdMNUdYTXFhM3NiU0RZdFJxaEhRcXkKMmxWaWQ1OXFEVmVOdG50MXdkYVJrSjQ4S2x1SzBkZUJDanpGaVN2elBZMVlHc09qeEJ4R2Qrd0tYcElMVXQ3YwpsMXFIbGRTNktyOU9oaS9XSUFDV3AxbDN1K1luUXJROHIzNkZqaGZ1ODMyQ1EwVTQ3Z3I0Yjc5NVNBeDRzdVVFClUwZ2F4MnNLMHlUSU9YYUk4VjRQWThrSlZHdXpyR2N1bVBLT1lrSTRvSEhBY0JMMERrWUkyZ0hmZ2F1amZYTFgKYU9yQ0Z4QndPMGh3ekhNam1GNlRYT2dTNVVIYzFsbzhwREpNK1J3SmUxVjA2RGlZRFpUUlErM1lxcEZpSHpSbwozZkFENzBhM3U5c0NWYnM0QjEzU2ZXOUk5R3hNOXhpdEJjL1VNME1ad1BHUytaSVEwRkZzCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K tls.key: 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 - ca.crt: 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 \ No newline at end of file + ca.crt: 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