test: egress destination tests (#1383)

acceptance/tests/fixtures/bases/static-server-https/anyuid-scc-rolebinding.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: static-server-openshift-anyuid
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:anyuid
+subjects:
+  - kind: ServiceAccount
+    name: static-server

acceptance/tests/fixtures/bases/static-server-https/configmap.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: static-server-config
+data:
+  config: |
+    {
+      local_certs
+      skip_install_trust
+      auto_https disable_redirects
+    }
+    static-server.default {
+      log
+      respond  "hello world"
+    }
+    :80 {
+      log
+      respond  "hello world"
+    }

acceptance/tests/fixtures/bases/static-server-https/deployment.yaml

@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: static-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: static-server
+  template:
+    metadata:
+      labels:
+        app: static-server
+    spec:
+      containers:
+        - name: caddy
+          image: caddy:latest
+          ports:
+            - name: https-port
+              containerPort: 443
+            - name: http-port
+              containerPort: 80
+          volumeMounts:
+            - name: data
+              mountPath: "/data"
+            - name: config
+              mountPath: /etc/caddy/
+              readOnly: true
+      volumes:
+        - name: data
+          emptyDir: {}
+        - name: config
+          configMap:
+            name: static-server-config
+            items:
+              - key: "config"
+                path: "Caddyfile"

acceptance/tests/fixtures/bases/static-server-https/kustomization.yaml

@@ -0,0 +1,8 @@
+resources:
+  - deployment.yaml
+  - configmap.yaml
+  - service.yaml
+  - serviceaccount.yaml
+  - psp-rolebinding.yaml
+  - anyuid-scc-rolebinding.yaml
+  - privileged-scc-rolebinding.yaml

acceptance/tests/fixtures/bases/static-server-https/privileged-scc-rolebinding.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: static-server-openshift-privileged
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:privileged
+subjects:
+  - kind: ServiceAccount
+    name: static-server

acceptance/tests/fixtures/bases/static-server-https/psp-rolebinding.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: static-server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: test-psp
+subjects:
+  - kind: ServiceAccount
+    name: static-server

acceptance/tests/fixtures/bases/static-server-https/service.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: static-server
+  labels:
+    app: static-server
+spec:
+  ports:
+    - name: https-port
+      port: 443
+      targetPort: https-port
+      protocol: TCP
+    - name: http-port
+      port: 80
+      targetPort: http-port
+      protocol: TCP
+  selector:
+    app: static-server

acceptance/tests/fixtures/bases/static-server-https/serviceaccount.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: static-server

acceptance/tests/terminating-gateway/common.go

@@ -0,0 +1,96 @@
+package terminatinggateway
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/consul-k8s/acceptance/framework/logger"
+	"github.com/hashicorp/consul/api"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	staticClientName         = "static-client"
+	staticServerName         = "static-server"
+	staticServerLocalAddress = "http://localhost:1234"
+)
+
+func addIntention(t *testing.T, consulClient *api.Client, sourceNS, sourceService, destinationNS, destinationsService string) {
+	t.Helper()
+
+	logger.Log(t, fmt.Sprintf("creating %s => %s intention", sourceService, destinationsService))
+	_, _, err := consulClient.ConfigEntries().Set(&api.ServiceIntentionsConfigEntry{
+		Kind:      api.ServiceIntentions,
+		Name:      destinationsService,
+		Namespace: destinationNS,
+		Sources: []*api.SourceIntention{
+			{
+				Name:      sourceService,
+				Namespace: sourceNS,
+				Action:    api.IntentionActionAllow,
+			},
+		},
+	}, nil)
+	require.NoError(t, err)
+}
+
+func createTerminatingGatewayConfigEntry(t *testing.T, consulClient *api.Client, gwNamespace, serviceNamespace string, serviceNames ...string) {
+	t.Helper()
+
+	logger.Log(t, "creating config entry")
+
+	if serviceNamespace != "" {
+		logger.Logf(t, "creating the %s namespace in Consul", serviceNamespace)
+		_, _, err := consulClient.Namespaces().Create(&api.Namespace{
+			Name: serviceNamespace,
+		}, nil)
+		require.NoError(t, err)
+	}
+
+	var gatewayServices []api.LinkedService
+	for _, serviceName := range serviceNames {
+		linkedService := api.LinkedService{Name: serviceName, Namespace: serviceNamespace}
+		gatewayServices = append(gatewayServices, linkedService)
+	}
+
+	configEntry := &api.TerminatingGatewayConfigEntry{
+		Kind:      api.TerminatingGateway,
+		Name:      "terminating-gateway",
+		Namespace: gwNamespace,
+		Services:  gatewayServices,
+	}
+
+	created, _, err := consulClient.ConfigEntries().Set(configEntry, nil)
+	require.NoError(t, err)
+	require.True(t, created, "failed to create config entry")
+}
+
+func updateTerminatingGatewayRole(t *testing.T, consulClient *api.Client, rules string) {
+	t.Helper()
+
+	logger.Log(t, "creating a write policy for the static-server")
+	_, _, err := consulClient.ACL().PolicyCreate(&api.ACLPolicy{
+		Name:  "static-server-write-policy",
+		Rules: rules,
+	}, nil)
+	require.NoError(t, err)
+
+	logger.Log(t, "getting the terminating gateway role")
+	roles, _, err := consulClient.ACL().RoleList(nil)
+	require.NoError(t, err)
+	terminatingGatewayRoleID := ""
+	for _, role := range roles {
+		if strings.Contains(role.Name, "terminating-gateway") {
+			terminatingGatewayRoleID = role.ID
+			break
+		}
+	}
+
+	logger.Log(t, "update role with policy")
+	termGwRole, _, err := consulClient.ACL().RoleRead(terminatingGatewayRoleID, nil)
+	require.NoError(t, err)
+	termGwRole.Policies = append(termGwRole.Policies, &api.ACLTokenPolicyLink{Name: "static-server-write-policy"})
+	_, _, err = consulClient.ACL().RoleUpdate(termGwRole, nil)
+	require.NoError(t, err)
+}