test: add an integration test for tcpproxy forwarding (projectcontour…

…#2505)

This test creates a proxy that terminates TLS then forwards the TCP
stream to a backend service.

Signed-off-by: James Peach <jpeach@vmware.com>

Co-authored-by: Steve Sloka <slokas@vmware.com>

_integration/testsuite/httpproxy/008-tcproute-https-termination.yaml

@@ -0,0 +1,156 @@
+# Copyright 2020 VMware, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.  You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import data.contour.resources
+
+# Ensure that cert-manager is installed.
+# Version check the certificates resource.
+
+Group := "cert-manager.io"
+Version := "v1alpha2"
+
+have_certmanager_version {
+  v := resources.versions["certificates"]
+  v[_].Group == Group
+  v[_].Version == Version
+}
+
+skip[msg] {
+  not resources.is_supported("certificates")
+  msg := "cert-manager is not installed"
+}
+
+skip[msg] {
+  not have_certmanager_version
+
+  avail := resources.versions["certificates"]
+
+  msg := concat("\n", [
+    sprintf("cert-manager version %s/%s is not installed", [Group, Version]),
+    "available versions:",
+    yaml.marshal(avail)
+  ])
+}
+
+---
+
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+  name: selfsigned
+spec:
+  selfSigned: {}
+
+---
+
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: echo-cert
+spec:
+  dnsNames:
+  - echo-tcpproxy.projectcontour.io
+  secretName: echo-tcpproxy
+  issuerRef:
+    name: selfsigned
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ingress-conformance-echo
+$apply:
+  fixture:
+    as: echo-tcpproxy
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: ingress-conformance-echo
+$apply:
+  fixture:
+    as: echo-tcpproxy
+
+---
+
+apiVersion: projectcontour.io/v1
+kind: HTTPProxy
+metadata:
+  name: echo-tcpproxy
+spec:
+  virtualhost:
+    fqdn: echo-tcpproxy.projectcontour.io
+    tls:
+      secretName: echo-tcpproxy
+  tcpproxy:
+    services:
+    - name: echo-tcpproxy
+      port: 80
+
+---
+
+import data.contour.resources
+
+fatal_proxy_is_not_valid[msg] {
+  name := "echo-tcpproxy"
+  proxy := resources.get("httpproxies", name)
+  status := object.get(proxy, "status", {})
+
+  object.get(status, "currentStatus", "") != "valid"
+
+  msg := sprintf("HTTP '%s' is not valid\n%s", [
+    name, yaml.marshal(status)
+  ])
+}
+
+---
+
+import data.contour.http.client
+import data.contour.http.response
+import data.contour.resources
+
+Secret := resources.get("secrets", "echo-tcpproxy")
+
+Response := client.Get({
+  "url": sprintf("https://%s/echo-tcpproxy/%d", [
+    client.target_addr, time.now_ns()
+  ]),
+  "headers": {
+    "Host": "echo-tcpproxy.projectcontour.io",
+    "User-Agent": client.ua("echo-tcpproxy"),
+  },
+  "tls_ca_cert": base64.decode(Secret.data["ca.crt"]),
+})
+
+error_non_200_response [msg] {
+  not Response
+  msg := "no response"
+}
+
+error_non_200_response [msg] {
+  status := object.get(Response, "status_code", 000)
+  status != 200
+  msg := sprintf("got status %d, wanted %d", [status, 200])
+}
+
+
+error_wrong_routing[msg] {
+  wanted := "echo-tcpproxy"
+  testid := response.testid(Response)
+  testid != wanted
+  msg := sprintf("got test ID %q, wanted %q", [testid, wanted])
+}