Merge pull request #3195 from diazjf/auth-tls-e2e

Add e2e Tests for AuthTLS
kubernetes · Oct 19, 2018 · ad89a93 · ad89a93
2 parents 12fba87 + b503c6b
commit ad89a93
Show file tree

Hide file tree

Showing 4 changed files with 395 additions and 12 deletions.
diff --git a/internal/ingress/resolver/main.go b/internal/ingress/resolver/main.go
@@ -18,7 +18,6 @@ package resolver
 
 import (
 	apiv1 "k8s.io/api/core/v1"
-
 	"k8s.io/ingress-nginx/internal/ingress/defaults"
 )
 
@@ -27,15 +26,18 @@ type Resolver interface {
 	// GetDefaultBackend returns the backend that must be used as default
 	GetDefaultBackend() defaults.Backend
 
-	// GetSecret searches for secrets contenating the namespace and name using a the character /
+	// GetSecret searches for secrets containing the namespace and name using a the character /
 	GetSecret(string) (*apiv1.Secret, error)
 
 	// GetAuthCertificate resolves a given secret name into an SSL certificate.
 	// The secret must contain 3 keys named:
+
 	//   ca.crt: contains the certificate chain used for authentication
+	//   tls.crt: contains the server certificate
+	//   tls.key: contains the server key
 	GetAuthCertificate(string) (*AuthSSLCert, error)
 
-	// GetService searches for services contenating the namespace and name using a the character /
+	// GetService searches for services containing the namespace and name using a the character /
 	GetService(string) (*apiv1.Service, error)
 }
 

diff --git a/test/e2e/annotations/authtls.go b/test/e2e/annotations/authtls.go
@@ -0,0 +1,208 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package annotations
+
+import (
+	"crypto/tls"
+	"fmt"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/parnurzeal/gorequest"
+	"k8s.io/ingress-nginx/test/e2e/framework"
+	"net/http"
+	"strings"
+)
+
+var _ = framework.IngressNginxDescribe("Annotations - AuthTLS", func() {
+	f := framework.NewDefaultFramework("authtls")
+
+	BeforeEach(func() {
+		err := f.NewEchoDeploymentWithReplicas(2)
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	AfterEach(func() {
+	})
+
+	It("should set valid auth-tls-secret", func() {
+		host := "authtls.foo.com"
+		nameSpace := f.IngressController.Namespace
+
+		clientConfig, err := framework.CreateIngressMASecret(
+			f.KubeClientSet,
+			host,
+			host,
+			nameSpace)
+		Expect(err).ToNot(HaveOccurred())
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/auth-tls-secret": nameSpace + "/" + host,
+		}
+
+		ing := framework.NewSingleIngressWithTLS(host, "/", host, nameSpace, "http-svc", 80, &annotations)
+		_, err = f.EnsureIngress(ing)
+
+		Expect(err).NotTo(HaveOccurred())
+		Expect(ing).NotTo(BeNil())
+
+		// Since we can use the same certificate-chain for tls as well as mutual-auth, we will check all values
+		sslCertDirective := fmt.Sprintf("ssl_certificate /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
+		sslKeyDirective := fmt.Sprintf("ssl_certificate_key /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
+		sslClientCertDirective := fmt.Sprintf("ssl_client_certificate /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
+
+		sslVerify := "ssl_verify_client on;"
+		sslVerifyDepth := "ssl_verify_depth 1;"
+
+		err = f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, sslCertDirective) && strings.Contains(server, sslKeyDirective) && strings.Contains(server, sslClientCertDirective) && strings.Contains(server, sslVerify) && strings.Contains(server, sslVerifyDepth)
+			})
+		Expect(err).NotTo(HaveOccurred())
+
+		// Send Request without Client Certs
+		req := gorequest.New()
+		uri := "/"
+		resp, _, errs := req.
+			Get(f.IngressController.HTTPSURL+uri).
+			TLSClientConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}).
+			Set("Host", host).
+			End()
+		Expect(len(errs)).Should(BeNumerically("==", 0))
+		Expect(resp.StatusCode).Should(Equal(http.StatusBadRequest))
+
+		// Send Request Passing the Client Certs
+		resp, _, errs = req.
+			Get(f.IngressController.HTTPSURL+uri).
+			TLSClientConfig(clientConfig).
+			Set("Host", host).
+			End()
+		Expect(len(errs)).Should(BeNumerically("==", 0))
+		Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+	})
+
+	It("should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2", func() {
+		host := "authtls.foo.com"
+		nameSpace := f.IngressController.Namespace
+
+		_, err := framework.CreateIngressMASecret(
+			f.KubeClientSet,
+			host,
+			host,
+			nameSpace)
+		Expect(err).ToNot(HaveOccurred())
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/auth-tls-secret":        nameSpace + "/" + host,
+			"nginx.ingress.kubernetes.io/auth-tls-verify-client": "off",
+			"nginx.ingress.kubernetes.io/auth-tls-verify-depth":  "2",
+		}
+
+		ing := framework.NewSingleIngressWithTLS(host, "/", host, nameSpace, "http-svc", 80, &annotations)
+		_, err = f.EnsureIngress(ing)
+
+		Expect(err).NotTo(HaveOccurred())
+		Expect(ing).NotTo(BeNil())
+
+		// Since we can use the same certificate-chain for tls as well as mutual-auth, we will check all values
+		sslCertDirective := fmt.Sprintf("ssl_certificate /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
+		sslKeyDirective := fmt.Sprintf("ssl_certificate_key /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
+		sslClientCertDirective := fmt.Sprintf("ssl_client_certificate /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
+
+		sslVerify := "ssl_verify_client off;"
+		sslVerifyDepth := "ssl_verify_depth 2;"
+
+		err = f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, sslCertDirective) && strings.Contains(server, sslKeyDirective) && strings.Contains(server, sslClientCertDirective) && strings.Contains(server, sslVerify) && strings.Contains(server, sslVerifyDepth)
+			})
+		Expect(err).NotTo(HaveOccurred())
+
+		// Send Request without Client Certs
+		req := gorequest.New()
+		uri := "/"
+		resp, _, errs := req.
+			Get(f.IngressController.HTTPSURL+uri).
+			TLSClientConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}).
+			Set("Host", host).
+			End()
+		Expect(len(errs)).Should(BeNumerically("==", 0))
+		Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+	})
+
+	It("should set valid auth-tls-secret, pass certificate to upstream, and error page", func() {
+		host := "authtls.foo.com"
+		nameSpace := f.IngressController.Namespace
+
+		errorPath := "/error"
+
+		clientConfig, err := framework.CreateIngressMASecret(
+			f.KubeClientSet,
+			host,
+			host,
+			nameSpace)
+		Expect(err).ToNot(HaveOccurred())
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/auth-tls-secret":                       nameSpace + "/" + host,
+			"nginx.ingress.kubernetes.io/auth-tls-error-page":                   f.IngressController.HTTPURL + errorPath,
+			"nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream": "true",
+		}
+
+		ing := framework.NewSingleIngressWithTLS(host, "/", host, nameSpace, "http-svc", 80, &annotations)
+		_, err = f.EnsureIngress(ing)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(ing).NotTo(BeNil())
+
+		// Since we can use the same certificate-chain for tls as well as mutual-auth, we will check all values
+		sslCertDirective := fmt.Sprintf("ssl_certificate /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
+		sslKeyDirective := fmt.Sprintf("ssl_certificate_key /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
+		sslClientCertDirective := fmt.Sprintf("ssl_client_certificate /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
+
+		sslVerify := "ssl_verify_client on;"
+		sslVerifyDepth := "ssl_verify_depth 1;"
+		sslErrorPage := fmt.Sprintf("error_page 495 496 = %s;", f.IngressController.HTTPURL+errorPath)
+		sslUpstreamClientCert := "proxy_set_header ssl-client-cert $ssl_client_escaped_cert;"
+
+		err = f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, sslCertDirective) && strings.Contains(server, sslKeyDirective) && strings.Contains(server, sslClientCertDirective) && strings.Contains(server, sslVerify) && strings.Contains(server, sslVerifyDepth) && strings.Contains(server, sslErrorPage) && strings.Contains(server, sslUpstreamClientCert)
+			})
+		Expect(err).NotTo(HaveOccurred())
+
+		// Send Request without Client Certs
+		req := gorequest.New()
+		uri := "/"
+		resp, _, errs := req.
+			Get(f.IngressController.HTTPSURL+uri).
+			TLSClientConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}).
+			Set("Host", host).
+			RedirectPolicy(noRedirectPolicyFunc).
+			End()
+		Expect(len(errs)).Should(BeNumerically("==", 0))
+		Expect(resp.StatusCode).Should(Equal(http.StatusFound))
+		Expect(resp.Header.Get("Location")).Should(Equal(f.IngressController.HTTPURL + errorPath))
+
+		// Send Request Passing the Client Certs
+		resp, _, errs = req.
+			Get(f.IngressController.HTTPSURL+uri).
+			TLSClientConfig(clientConfig).
+			Set("Host", host).
+			End()
+		Expect(len(errs)).Should(BeNumerically("==", 0))
+		Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+	})
+})
diff --git a/test/e2e/framework/framework.go b/test/e2e/framework/framework.go
@@ -263,6 +263,7 @@ func (f *Framework) matchNginxConditions(name string, matcher func(cfg string) b
 				glog.Infof("nginx.conf:\n%v", o)
 			}
 
+			// passes the nginx config to the passed function
 			if matcher(strings.Join(strings.Fields(o), " ")) {
 				match = true
 			}