test for permissive mode

Signed-off-by: Shashank Ram <shashank08@gmail.com>
openservicemesh · Nov 5, 2020 · 0a73c30 · 0a73c30
1 parent c3deb52
commit 0a73c30
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 1 deletion.
diff --git a/pkg/envoy/sds/response.go b/pkg/envoy/sds/response.go
@@ -232,7 +232,8 @@ func (s *sdsImpl) getRootCert(cert certificate.Certificater, sdscert envoy.SDSCe
 		log.Trace().Msgf("Proxy for service %s will only allow %s SANs exactly matching: %v", proxyService, directionMap[sdscert.CertType], matchingCerts)
 
 		// Ensure the Subject Alternate Names (SAN) added by CertificateManager.IssueCertificate()
-		// matches what is allowed to connect to the downstream service as defined in TrafficPolicy.
+		// matches what is allowed to connect to or accept connections from, as defined in the SMI
+		// TrafficTarget policy.
 		secret.GetValidationContext().MatchSubjectAltNames = matchSANs
 	default:
 		log.Debug().Msgf("SAN matching not needed for cert type %s", sdscert.CertType.String())

diff --git a/pkg/envoy/sds/response_test.go b/pkg/envoy/sds/response_test.go
@@ -98,6 +98,33 @@ func TestGetRootCert(t *testing.T) {
 			expectError:  false,
 		},
 		// Test case 2 end -------------------------------
+
+		// Test case 3: tests SDS secret for permissive mode -------------------------------
+		{
+			s: &sdsImpl{
+				proxyServices: []service.MeshService{
+					{Name: "service-1", Namespace: "ns-1"},
+				},
+				svcAccount:  service.K8sServiceAccount{Name: "sa-1", Namespace: "ns-1"},
+				proxy:       envoy.NewProxy(certificate.CommonName(fmt.Sprintf("%s.%s.%s", uuid.New().String(), "sa-1", "ns-1")), nil),
+				meshCatalog: mockCatalog,
+				certManager: mockCertManager,
+				cfg:         mockConfigurator,
+			},
+			certCN: certificate.CommonName("sa-1.ns-1.cluster.local"),
+			sdsCert: envoy.SDSCert{
+				MeshService: service.MeshService{Name: "service-1", Namespace: "ns-1"},
+				CertType:    envoy.RootCertTypeForMTLSOutbound,
+			},
+			proxyService:                  service.MeshService{Name: "service-1", Namespace: "ns-1"},
+			allowedDirectionalSvcAccounts: []service.K8sServiceAccount{},
+			permissiveMode:                true,
+
+			// expectations
+			expectedSANs: []string{}, // no SAN matching in permissive mode
+			expectError:  false,
+		},
+		// Test case 2 end -------------------------------
 	}
 
 	for i, tc := range testCases {