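def test_headers(self, kube_apis, hsts_setup, ingress_controller_prerequisites):
    """Check when the ingress emits the Strict-Transport-Security header.

    Two cases run back to back against the same ingress:

    * ``nginx.org/hsts-behind-proxy`` set to "False": the header must be
      present on the HTTPS response and absent from the plain-HTTP response.
    * ``nginx.org/hsts-behind-proxy`` set to "True": both requests go to the
      HTTPS URL and differ only in the ``X-Forwarded-Proto`` request header;
      the header must be present for "https" and absent for "http".

    Header checks use the response's header mapping rather than its string
    form. HTTP header names are case-insensitive, so a case-sensitive
    substring search could let an "absent" assertion pass while the header is
    present under a different spelling.
    """
    hsts_header = "Strict-Transport-Security"
    expected_hsts = "max-age=2592000; preload"
    backend_https = f"{hsts_setup.https_url}/backend1"
    backend_http = f"{hsts_setup.http_url}/backend1"

    print(
        "\nCase 1: TLS enabled, secret is in place, hsts is True, hsts-behind-proxy is False"
    )
    annotations = {"nginx.org/hsts-behind-proxy": "False"}
    new_ing = generate_ingresses_with_annotation(
        hsts_setup.ingress_src_file, annotations)
    for ing in new_ing:
        if ing['metadata']['name'] == hsts_setup.ingress_name:
            replace_ingress(kube_apis.networking_v1, hsts_setup.ingress_name,
                            hsts_setup.namespace, ing)
    wait_before_test(1)

    https_headers = {"host": hsts_setup.ingress_host}
    http_headers = {"host": hsts_setup.ingress_host}
    # verify=False turns off certificate validation; presumably the test
    # ingress serves a certificate the client cannot chain to a trusted CA.
    # Test-only setting: do not copy it into code that talks to real services.
    https_resp = requests.get(backend_https, headers=https_headers, verify=False)
    # Redirects are not followed, so the assertion below inspects the
    # plain-HTTP response itself and not whatever it might redirect to.
    http_resp = requests.get(backend_http, headers=http_headers, allow_redirects=False)

    assert https_resp.headers.get(hsts_header) == expected_hsts
    # requests exposes headers as a case-insensitive mapping, so this also
    # catches a lower-cased header name.
    assert hsts_header not in http_resp.headers

    print(
        "Case 3: TLS enabled, secret is in place, hsts is True, hsts-behind-proxy is True"
    )
    annotations = {"nginx.org/hsts-behind-proxy": "True"}
    new_ing = generate_ingresses_with_annotation(
        hsts_setup.ingress_src_file, annotations)
    for ing in new_ing:
        if ing['metadata']['name'] == hsts_setup.ingress_name:
            replace_ingress(kube_apis.networking_v1, hsts_setup.ingress_name,
                            hsts_setup.namespace, ing)
    wait_before_test(1)

    # The test client sets X-Forwarded-Proto itself, standing in for a
    # TLS-terminating proxy in front of the ingress. Both requests use the
    # HTTPS URL, so only the forwarded-protocol value differs.
    xfp_https_headers = {
        "host": hsts_setup.ingress_host,
        "X-Forwarded-Proto": "https"
    }
    xfp_http_headers = {
        "host": hsts_setup.ingress_host,
        "X-Forwarded-Proto": "http"
    }
    xfp_https_resp = requests.get(backend_https, headers=xfp_https_headers, verify=False)
    xfp_http_resp = requests.get(backend_https, headers=xfp_http_headers, verify=False)

    assert xfp_https_resp.headers.get(hsts_header) == expected_hsts
    assert hsts_header not in xfp_http_resp.headers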
def test_grpc_flow(self, kube_apis, annotations_grpc_setup, ingress_controller_prerequisites,
                   annotations, expected_strings, unexpected_strings):
    """Apply ``annotations`` to the gRPC ingress and inspect the resulting config.

    The ingress named ``annotations_grpc_setup.ingress_name`` is replaced with
    an annotated copy. The event count for ``ingress_event_text`` must then
    have increased, every entry of ``expected_strings`` must appear in the
    fetched config, and no entry of ``unexpected_strings`` may appear.

    ``annotations``, ``expected_strings`` and ``unexpected_strings`` are
    presumably supplied by a parametrize decorator outside this view.
    """
    setup = annotations_grpc_setup
    events_before = get_events(kube_apis.v1, setup.namespace)
    baseline_count = get_event_count(setup.ingress_event_text, events_before)
    print("Case 5: grpc annotations override http ones")

    for candidate in generate_ingresses_with_annotation(setup.ingress_src_file, annotations):
        # Only the ingress under test is replaced; other generated objects are skipped.
        if candidate['metadata']['name'] != setup.ingress_name:
            continue
        replace_ingress(kube_apis.extensions_v1_beta1, setup.ingress_name,
                        setup.namespace, candidate)
    wait_before_test(1)

    rendered_conf = get_ingress_nginx_template_conf(
        kube_apis.v1,
        setup.namespace,
        setup.ingress_name,
        setup.ingress_pod_name,
        ingress_controller_prerequisites.namespace,
    )
    events_after = get_events(kube_apis.v1, setup.namespace)
    assert_event_count_increased(setup.ingress_event_text, baseline_count, events_after)

    for snippet in expected_strings:
        assert snippet in rendered_conf
    for snippet in unexpected_strings:
        assert snippet not in rendered_conf
def test_validation(self, kube_apis, annotations_setup, ingress_controller_prerequisites,
                    annotations, expected_strings, unexpected_strings):
    """Apply ``annotations`` and check the error event and resulting config.

    After the ingress is replaced, the count of events matching
    ``ingress_error_event_text`` must have increased, and the fetched config
    is checked against ``expected_strings`` / ``unexpected_strings``.

    NOTE(review): the case label says the controller performs no validation
    of its own and leaves it to nginx; if so, annotation values reach the
    nginx config unchecked. Confirm against the controller version in use.
    """
    setup = annotations_setup
    events_before = get_events(kube_apis.v1, setup.namespace)
    print("Case 6: IC doesn't validate, only nginx validates")
    baseline_errors = get_event_count(setup.ingress_error_event_text, events_before)

    for candidate in generate_ingresses_with_annotation(setup.ingress_src_file, annotations):
        # in mergeable case this will update master ingress only
        if candidate['metadata']['name'] != setup.ingress_name:
            continue
        replace_ingress(kube_apis.extensions_v1_beta1, setup.ingress_name,
                        setup.namespace, candidate)
    wait_before_test(1)

    rendered_conf = get_ingress_nginx_template_conf(
        kube_apis.v1,
        setup.namespace,
        setup.ingress_name,
        setup.ingress_pod_name,
        ingress_controller_prerequisites.namespace,
    )
    events_after = get_events(kube_apis.v1, setup.namespace)
    assert_event_count_increased(setup.ingress_error_event_text, baseline_errors, events_after)

    for snippet in expected_strings:
        assert snippet in rendered_conf
    for snippet in unexpected_strings:
        assert snippet not in rendered_conf
def test_ing_overrides_configmap(self, kube_apis, annotations_setup,
                                 ingress_controller_prerequisites, annotations,
                                 configmap_file, expected_strings, unexpected_strings):
    """Set keys in the ConfigMap and annotations on the Ingress, then check the config.

    The ingress is replaced with an annotated copy, and the controller's
    ConfigMap is replaced from ``configmap_file``. Afterwards the event count
    for ``ingress_event_text`` must have increased, and the fetched config is
    checked against ``expected_strings`` / ``unexpected_strings``.
    """
    setup = annotations_setup
    prerequisites = ingress_controller_prerequisites
    events_before = get_events(kube_apis.v1, setup.namespace)
    baseline_count = get_event_count(setup.ingress_event_text, events_before)
    print("Case 4: keys in ConfigMap, annotations in Ingress")

    for candidate in generate_ingresses_with_annotation(setup.ingress_src_file, annotations):
        # in mergeable case this will update master ingress only
        if candidate['metadata']['name'] != setup.ingress_name:
            continue
        replace_ingress(kube_apis.extensions_v1_beta1, setup.ingress_name,
                        setup.namespace, candidate)
    # The ConfigMap is swapped after the ingress, as in the case label.
    replace_configmap_from_yaml(
        kube_apis.v1,
        prerequisites.config_map['metadata']['name'],
        prerequisites.namespace,
        configmap_file,
    )
    wait_before_test(1)

    rendered_conf = get_ingress_nginx_template_conf(
        kube_apis.v1,
        setup.namespace,
        setup.ingress_name,
        setup.ingress_pod_name,
        prerequisites.namespace,
    )
    events_after = get_events(kube_apis.v1, setup.namespace)
    assert_event_count_increased(setup.ingress_event_text, baseline_count, events_after)

    for snippet in expected_strings:
        assert snippet in rendered_conf
    for snippet in unexpected_strings:
        assert snippet not in rendered_conf
def test_upstream_zone_size_0(self, cli_arguments, kube_apis, annotations_setup,
                              ingress_controller_prerequisites, annotations):
    """Edge case: apply ``annotations`` for an upstream-zone-size of 0.

    After the ingress is replaced, the event count for ``ingress_event_text``
    must have increased. The config assertions depend on
    ``cli_arguments["ic-type"]``: for "nginx-plus-ingress" the config must
    contain "zone " and " 256k;", while for "nginx-ingress" it must contain
    neither.
    """
    setup = annotations_setup
    events_before = get_events(kube_apis.v1, setup.namespace)
    baseline_count = get_event_count(setup.ingress_event_text, events_before)
    print("Edge Case: upstream-zone-size is 0")

    for candidate in generate_ingresses_with_annotation(setup.ingress_src_file, annotations):
        # in mergeable case this will update master ingress only
        if candidate['metadata']['name'] != setup.ingress_name:
            continue
        replace_ingress(kube_apis.extensions_v1_beta1, setup.ingress_name,
                        setup.namespace, candidate)
    wait_before_test(1)

    rendered_conf = get_ingress_nginx_template_conf(
        kube_apis.v1,
        setup.namespace,
        setup.ingress_name,
        setup.ingress_pod_name,
        ingress_controller_prerequisites.namespace,
    )
    events_after = get_events(kube_apis.v1, setup.namespace)
    assert_event_count_increased(setup.ingress_event_text, baseline_count, events_after)

    # NOTE(review): any other ic-type value falls through both branches and
    # the test passes without a single config assertion.
    ic_type = cli_arguments["ic-type"]
    if ic_type == "nginx-plus-ingress":
        print("Run assertions for Nginx Plus case")
        assert "zone " in rendered_conf
        assert " 256k;" in rendered_conf
    elif ic_type == "nginx-ingress":
        print("Run assertions for Nginx OSS case")
        assert "zone " not in rendered_conf
        assert " 256k;" not in rendered_conf
def test_validation(self, kube_apis, annotations_setup, ingress_controller_prerequisites,
                    annotations):
    """Apply ``annotations`` and check that no server block is produced.

    After the ingress is replaced, the fetched config must not contain
    "server {" and must contain "No such file or directory". The count of
    events matching ``ingress_error_event_text`` must also have increased.

    NOTE(review): the case label says the controller performs no validation
    of its own and leaves it to nginx; if so, annotation values reach the
    nginx config unchecked. Confirm against the controller version in use.
    """
    setup = annotations_setup
    events_before = get_events(kube_apis.v1, setup.namespace)
    print("Case 6: IC doesn't validate, only nginx validates")
    baseline_errors = get_event_count(setup.ingress_error_event_text, events_before)

    for candidate in generate_ingresses_with_annotation(setup.ingress_src_file, annotations):
        # in mergeable case this will update master ingress only
        if candidate['metadata']['name'] != setup.ingress_name:
            continue
        replace_ingress(kube_apis.networking_v1, setup.ingress_name,
                        setup.namespace, candidate)
    # No argument is passed here, so the helper's own default applies.
    wait_before_test()

    rendered_conf = get_ingress_nginx_template_conf(
        kube_apis.v1,
        setup.namespace,
        setup.ingress_name,
        setup.ingress_pod_name,
        ingress_controller_prerequisites.namespace,
    )
    events_after = get_events(kube_apis.v1, setup.namespace)

    assert "server {" not in rendered_conf
    assert "No such file or directory" in rendered_conf
    assert_event_count_increased(setup.ingress_error_event_text, baseline_errors, events_after)
def test_when_annotation_in_ing_only(self, kube_apis, annotations_setup,
                                     ingress_controller_prerequisites, annotations,
                                     expected_strings, unexpected_strings):
    """Apply annotations on the Ingress only, with no ConfigMap keys, and check the config.

    After the ingress is replaced, the event count for ``ingress_event_text``
    must have increased, every entry of ``expected_strings`` must appear in
    the fetched config, and no entry of ``unexpected_strings`` may appear.
    """
    setup = annotations_setup
    events_before = get_events(kube_apis.v1, setup.namespace)
    baseline_count = get_event_count(setup.ingress_event_text, events_before)
    print("Case 2: no ConfigMap keys, annotations in Ingress only")

    for candidate in generate_ingresses_with_annotation(setup.ingress_src_file, annotations):
        # in mergeable case this will update master ingress only
        if candidate['metadata']['name'] != setup.ingress_name:
            continue
        replace_ingress(kube_apis.networking_v1, setup.ingress_name,
                        setup.namespace, candidate)
    wait_before_test(1)

    rendered_conf = get_ingress_nginx_template_conf(
        kube_apis.v1,
        setup.namespace,
        setup.ingress_name,
        setup.ingress_pod_name,
        ingress_controller_prerequisites.namespace,
    )
    events_after = get_events(kube_apis.v1, setup.namespace)
    assert_event_count_increased(setup.ingress_event_text, baseline_count, events_after)

    for snippet in expected_strings:
        assert snippet in rendered_conf
    for snippet in unexpected_strings:
        assert snippet not in rendered_conf