def test_jwt_policy_override_spec( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, ): """ Test if policy reference in route takes precedence over policy in spec """ secret, pol_name_1, pol_name_2, headers = self.setup_multiple_policies( kube_apis, test_namespace, valid_token, jwk_sec_valid_src, jwt_pol_valid_src, jwt_pol_multi_src, virtual_server_setup.vs_host, ) print( f"Patch vs with invalid policy in route and valid policy in spec") delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, jwt_vs_override_spec_route_1, virtual_server_setup.namespace, ) wait_before_test() resp1 = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp1.status_code) print( f"Patch vs with valid policy in route and invalid policy in spec") delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, jwt_vs_override_spec_route_2, virtual_server_setup.namespace, ) wait_before_test() resp2 = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp2.status_code) delete_policy(kube_apis.custom_objects, pol_name_1, test_namespace) delete_policy(kube_apis.custom_objects, pol_name_2, test_namespace) delete_secret(kube_apis.v1, secret, test_namespace) delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, std_vs_src, virtual_server_setup.namespace, ) assert resp1.status_code == 401 # 401 unauthorized, since no token is attached to policy assert resp2.status_code == 200
def teardown_policy(kube_apis, test_namespace, tls_secret, pol_name, mtls_secret): print("Delete policy and related secrets") delete_secret(kube_apis.v1, tls_secret, test_namespace) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) delete_secret(kube_apis.v1, mtls_secret, test_namespace)
def test_policy_matching_ingress_class( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, src, ): """ Test if policy with matching ingress class is applied to vs """ print(f"Create rl policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy_ingress_class_src, test_namespace) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", pol_name) assert ( policy_info["status"] and policy_info["status"]["reason"] == "AddedOrUpdated" and policy_info["status"]["state"] == "Valid" ) print(f"Patch vs with policy: {src}") patch_virtual_server_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, src, virtual_server_setup.namespace, ) wait_before_test() vs_info = read_custom_resource(kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name) assert ( vs_info["status"] and vs_info["status"]["reason"] == "AddedOrUpdated" and vs_info["status"]["state"] == "Valid" ) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) self.restore_default_vs(kube_apis, virtual_server_setup)
def test_policy_non_matching_ingress_class( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, src, ): """ Test if non matching policy gets caught by vc validation """ print(f"Create rl policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy_other_ingress_class_src, test_namespace) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", pol_name) assert "status" not in policy_info, "the policy is not managed by the IC, therefore the status is not updated" print(f"Patch vs with policy: {src}") patch_virtual_server_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, src, virtual_server_setup.namespace, ) wait_before_test() vs_info = read_custom_resource(kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name) assert ( vs_info["status"] and "rate-limit-primary is missing or invalid" in vs_info["status"]["message"] and vs_info["status"]["reason"] == "AddedOrUpdatedWithWarning" and vs_info["status"]["state"] == "Warning" ) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) self.restore_default_vs(kube_apis, virtual_server_setup)
def test_jwt_policy_override( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, ): """ Test if first reference to a policy in the same context(subroute) takes precedence, i.e. in this case, policy without $httptoken over policy with $httptoken. """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" secret, pol_name_1, pol_name_2, headers = self.setup_multiple_policies( kube_apis, v_s_route_setup.route_m.namespace, valid_token, jwk_sec_valid_src, jwt_pol_valid_src, jwt_pol_multi_src, v_s_route_setup.vs_host, ) print(f"Patch vsr with policies: {jwt_pol_valid_src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, jwt_vsr_override_src, v_s_route_setup.route_m.namespace, ) wait_before_test() resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers, ) print(resp.status_code) crd_info = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "virtualserverroutes", v_s_route_setup.route_m.name, ) delete_policy(kube_apis.custom_objects, pol_name_1, v_s_route_setup.route_m.namespace) delete_policy(kube_apis.custom_objects, pol_name_2, v_s_route_setup.route_m.namespace) delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, std_vsr_src, v_s_route_setup.route_m.namespace, ) assert resp.status_code == 401 assert f"Authorization Required" in resp.text assert (f"Multiple jwt policies in the same context is not valid." in crd_info["status"]["message"])
def test_jwt_policy_token( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, token, ): """ Test jwt-policy with no token, valid token and invalid token """ secret, pol_name, headers = self.setup_single_policy( kube_apis, test_namespace, token, jwk_sec_valid_src, jwt_pol_valid_src, virtual_server_setup.vs_host, ) print(f"Patch vs with policy: {jwt_vs_single_src}") delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, jwt_vs_single_src, virtual_server_setup.namespace, ) wait_before_test() resp1 = requests.get( virtual_server_setup.backend_1_url, headers={"host": virtual_server_setup.vs_host}, ) print(resp1.status_code) resp2 = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp2.status_code) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) delete_secret(kube_apis.v1, secret, test_namespace) delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, std_vs_src, virtual_server_setup.namespace, ) assert resp1.status_code == 401 assert f"401 Authorization Required" in resp1.text if token == valid_token: assert resp2.status_code == 200 assert f"Request ID:" in resp2.text else: assert resp2.status_code == 401 assert f"Authorization Required" in resp2.text
def test_overide_vs_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, test_namespace, config_setup, v_s_route_setup, src, ): """ Test if vsr subroute policy overrides vs spec policy and vsr subroute policy overrides vs route policy """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" print(f"Create deny policy") deny_pol_name = create_policy_from_yaml( kube_apis.custom_objects, deny_pol_src, v_s_route_setup.route_m.namespace) print(f"Create allow policy") allow_pol_name = create_policy_from_yaml( kube_apis.custom_objects, allow_pol_src, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, allow_vsr_src, v_s_route_setup.route_m.namespace, ) # patch vs with blocking policy patch_virtual_server_from_yaml(kube_apis.custom_objects, v_s_route_setup.vs_name, src, v_s_route_setup.namespace) wait_before_test() print(f"\nUse IP listed in deny block: 10.0.0.1") resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") delete_policy(kube_apis.custom_objects, deny_pol_name, v_s_route_setup.route_m.namespace) delete_policy(kube_apis.custom_objects, allow_pol_name, v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) patch_virtual_server_from_yaml(kube_apis.custom_objects, v_s_route_setup.vs_name, std_vs_src, v_s_route_setup.namespace) wait_before_test() assert resp.status_code == 200 and "Server address:" in resp.text
def test_auth_basic_policy_secret( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, htpasswd_secret, ): """ Test auth-basic-policy with a valid and an invalid secret """ if htpasswd_secret == htpasswd_sec_valid_src: pol = auth_basic_pol_valid_src vs = auth_basic_vs_single_src elif htpasswd_secret == htpasswd_sec_invalid_src: pol = auth_basic_pol_invalid_sec_src vs = auth_basic_vs_single_invalid_sec_src else: pytest.fail("Invalid configuration") secret, pol_name, headers = self.setup_single_policy( kube_apis, test_namespace, valid_credentials, htpasswd_secret, pol, virtual_server_setup.vs_host, ) print(f"Patch vs with policy: {pol}") delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, vs, virtual_server_setup.namespace, ) wait_before_test() resp = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp.status_code) crd_info = read_custom_resource( kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name, ) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) delete_secret(kube_apis.v1, secret, test_namespace) delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, std_vs_src, virtual_server_setup.namespace, ) if htpasswd_secret == htpasswd_sec_valid_src: assert resp.status_code == 200 assert f"Request ID:" in resp.text assert crd_info["status"]["state"] == "Valid" elif htpasswd_secret == htpasswd_sec_invalid_src: assert resp.status_code == 500 assert f"Internal Server Error" in resp.text assert crd_info["status"]["state"] == "Warning" else: pytest.fail(f"Not a valid case or parameter")
def test_ap_waf_policy_block( self, kube_apis, crd_ingress_controller_with_ap, v_s_route_setup, appprotect_setup, test_namespace, ap_enable, ): """ Test if WAF policy is working with VSR deployments """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" print(f"Create waf policy") create_ap_waf_policy_from_yaml( kube_apis.custom_objects, waf_pol_dataguard_src, v_s_route_setup.route_m.namespace, test_namespace, ap_enable, ap_enable, ap_pol_name, log_name, "syslog:server=127.0.0.1:514", ) wait_before_test() print(f"Patch vsr with policy: {waf_subroute_vsr_src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, waf_subroute_vsr_src, v_s_route_setup.route_m.namespace, ) wait_before_test() ap_crd_info = read_ap_custom_resource(kube_apis.custom_objects, test_namespace, "appolicies", ap_policy_uds) assert_ap_crd_info(ap_crd_info, ap_policy_uds) wait_before_test(120) response = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}+'</script>'", headers={"host": v_s_route_setup.vs_host}, ) print(response.text) delete_policy(kube_apis.custom_objects, "waf-policy", v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) if ap_enable == True: assert_invalid_responses(response) elif ap_enable == False: assert_valid_responses(response) else: pytest.fail(f"Invalid arguments")
def test_auth_basic_policy_credentials( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, credentials, ): """ Test auth-basic-policy with no credentials, valid credentials and invalid credentials """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" secret, pol_name, headers = self.setup_single_policy( kube_apis, v_s_route_setup.route_m.namespace, credentials, htpasswd_sec_valid_src, auth_basic_pol_valid_src, v_s_route_setup.vs_host, ) print(f"Patch vsr with policy: {auth_basic_vsr_valid_src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, auth_basic_vsr_valid_src, v_s_route_setup.route_m.namespace, ) wait_before_test() resp = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers) print(resp.status_code) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, std_vsr_src, v_s_route_setup.route_m.namespace, ) if credentials == valid_credentials: assert resp.status_code == 200 assert f"Request ID:" in resp.text else: assert resp.status_code == 401 assert f"Authorization Required" in resp.text
def test_rl_policy_override_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, src, ): """ Test if rate-limiting policy with lower rps is used when multiple policies are listed in vsr:subroute And test if the order of policies in vsr:subroute has no effect """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" print(f"Create rl policy: 1rps") pol_name_pri = create_policy_from_yaml( kube_apis.custom_objects, rl_pol_pri_src, v_s_route_setup.route_m.namespace) print(f"Create rl policy: 5rps") pol_name_sec = create_policy_from_yaml( kube_apis.custom_objects, rl_pol_sec_src, v_s_route_setup.route_m.namespace) print(f"Patch vsr with policy: {src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, src, v_s_route_setup.route_m.namespace, ) wait_before_test() occur = [] t_end = time.perf_counter() + 1 resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) print(resp.status_code) assert resp.status_code == 200 while time.perf_counter() < t_end: resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) occur.append(resp.status_code) delete_policy(kube_apis.custom_objects, pol_name_pri, v_s_route_setup.route_m.namespace) delete_policy(kube_apis.custom_objects, pol_name_sec, v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) assert occur.count(200) <= 1
def test_route_override_spec( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, config_setup, ): """ Test allow policy specified under routes overrides block in spec """ resp = requests.get( virtual_server_setup.backend_1_url, headers={ "host": virtual_server_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") assert resp.status_code == 200 print(f"Create deny policy") deny_pol_name = create_policy_from_yaml(kube_apis.custom_objects, deny_pol_src, test_namespace) print(f"Create allow policy") allow_pol_name = create_policy_from_yaml(kube_apis.custom_objects, allow_pol_src, test_namespace) patch_virtual_server_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, override_vs_spec_route_src, virtual_server_setup.namespace, ) wait_before_test() print(f"Use IP listed in both deny and allow policies: 10.0.0.1") resp = requests.get( virtual_server_setup.backend_1_url, headers={ "host": virtual_server_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") self.restore_default_vs(kube_apis, virtual_server_setup) delete_policy(kube_apis.custom_objects, deny_pol_name, test_namespace) delete_policy(kube_apis.custom_objects, allow_pol_name, test_namespace) assert resp.status_code == 200 and "Server address:" in resp.text
def test_rl_policy_1rs_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, src, ): """ Test if rate-limiting policy is working with ~1 rps in vsr:subroute """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" print(f"Create rl policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, rl_pol_pri_src, v_s_route_setup.route_m.namespace) print(f"Patch vsr with policy: {src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, src, v_s_route_setup.route_m.namespace, ) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "policies", pol_name) occur = [] t_end = time.perf_counter() + 1 resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) print(resp.status_code) assert resp.status_code == 200 while time.perf_counter() < t_end: resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) occur.append(resp.status_code) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) assert (policy_info["status"] and policy_info["status"]["reason"] == "AddedOrUpdated" and policy_info["status"]["state"] == "Valid") assert occur.count(200) <= 1
def test_jwt_policy_delete_policy( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, ): """ Test if requests result in 500 when policy is deleted """ secret, pol_name, headers = self.setup_single_policy( kube_apis, test_namespace, valid_token, jwk_sec_valid_src, jwt_pol_valid_src, virtual_server_setup.vs_host, ) print(f"Patch vs with policy: {jwt_pol_valid_src}") delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, jwt_vs_single_src, virtual_server_setup.namespace, ) wait_before_test() resp1 = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp1.status_code) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) resp2 = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp2.status_code) delete_secret(kube_apis.v1, secret, test_namespace) delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, std_vs_src, virtual_server_setup.namespace, ) assert resp1.status_code == 200 assert resp2.status_code == 500
def test_rl_policy_invalid_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, src, ): """ Test if using an invalid policy in vsr:subroute results in 500 """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" print(f"Create rl policy") invalid_pol_name = create_policy_from_yaml( kube_apis.custom_objects, rl_pol_invalid_src, v_s_route_setup.route_m.namespace) print(f"Patch vsr with policy: {src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, src, v_s_route_setup.route_m.namespace, ) wait_before_test() policy_info = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "policies", invalid_pol_name, ) resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) print(resp.status_code) delete_policy(kube_apis.custom_objects, invalid_pol_name, v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) assert (policy_info["status"] and policy_info["status"]["reason"] == "Rejected" and policy_info["status"]["state"] == "Invalid") assert resp.status_code == 500
def test_auth_basic_policy_credentials( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, credentials, ): """ Test auth-basic-policy with no credentials, valid credentials and invalid credentials """ secret, pol_name, headers = self.setup_single_policy( kube_apis, test_namespace, credentials, htpasswd_sec_valid_src, auth_basic_pol_valid_src, virtual_server_setup.vs_host, ) print(f"Patch vs with policy: {auth_basic_vs_single_src}") delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, auth_basic_vs_single_src, virtual_server_setup.namespace, ) wait_before_test() resp = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp.status_code) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) delete_secret(kube_apis.v1, secret, test_namespace) delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, std_vs_src, virtual_server_setup.namespace, ) if credentials in valid_credentials_list: assert resp.status_code == 200 assert f"Request ID:" in resp.text else: assert resp.status_code == 401 assert f"Authorization Required" in resp.text
def cleanup(kube_apis, ingress_controller_prerequisites, src_pol_name, test_namespace, vs_or_vsr, vs_name, vsr) -> None: vsr_namespace = test_namespace if vs_or_vsr == "vs" else vsr.namespace replace_configmap_from_yaml( kube_apis.v1, ingress_controller_prerequisites.config_map['metadata']['name'], ingress_controller_prerequisites.namespace, f"{DEPLOYMENTS}/common/nginx-config.yaml") delete_ap_logconf(kube_apis.custom_objects, log_name, test_namespace) delete_ap_policy(kube_apis.custom_objects, ap_pol_name, test_namespace) delete_policy(kube_apis.custom_objects, src_pol_name, vsr_namespace) delete_common_app(kube_apis, "grpc-vs", vsr_namespace) delete_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace) if vs_or_vsr == "vs": delete_virtual_server(kube_apis.custom_objects, vs_name, test_namespace) delete_items_from_yaml(kube_apis, src_vs_sec_yaml, test_namespace) elif vs_or_vsr == "vsr": print("Delete test namespaces") delete_namespace(kube_apis.v1, vsr.namespace)
def test_rl_policy_deleted_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, src, ): """ Test if deleting a policy results in 500 """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" print(f"Create rl policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, rl_pol_pri_src, v_s_route_setup.route_m.namespace) print(f"Patch vsr with policy: {src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, src, v_s_route_setup.route_m.namespace, ) wait_before_test() resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) assert resp.status_code == 200 print(resp.status_code) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) self.restore_default_vsr(kube_apis, v_s_route_setup) assert resp.status_code == 500
def test_jwt_policy_token( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, token, ): """ Test jwt-policy with no token, valid token and invalid token """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" secret, pol_name, headers = self.setup_single_policy( kube_apis, v_s_route_setup.route_m.namespace, token, jwk_sec_valid_src, jwt_pol_valid_src, v_s_route_setup.vs_host, ) print(f"Patch vsr with policy: {jwt_vsr_valid_src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, jwt_vsr_valid_src, v_s_route_setup.route_m.namespace, ) wait_before_test() resp1 = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) print(resp1.status_code) resp2 = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers) print(resp2.status_code) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, std_vsr_src, v_s_route_setup.route_m.namespace, ) assert resp1.status_code == 401 assert f"401 Authorization Required" in resp1.text if token == valid_token: assert resp2.status_code == 200 assert f"Request ID:" in resp2.text else: assert resp2.status_code == 401 assert f"Authorization Required" in resp2.text
def test_jwt_policy_override( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, ): """ Test if first reference to a policy in the same context takes precedence """ secret, pol_name_1, pol_name_2, headers = self.setup_multiple_policies( kube_apis, test_namespace, valid_token, jwk_sec_valid_src, jwt_pol_valid_src, jwt_pol_multi_src, virtual_server_setup.vs_host, ) print(f"Patch vs with multiple policy in spec context") print( f"Patch vs with policy in order: {jwt_pol_multi_src} and {jwt_pol_valid_src}" ) delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, jwt_vs_multi_1_src, virtual_server_setup.namespace, ) wait_before_test() resp1 = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp1.status_code) print( f"Patch vs with policy in order: {jwt_pol_valid_src} and {jwt_pol_multi_src}" ) delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, jwt_vs_multi_2_src, virtual_server_setup.namespace, ) wait_before_test() resp2 = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp2.status_code) print(f"Patch vs with multiple policy in route context") delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, jwt_vs_override_route, virtual_server_setup.namespace, ) wait_before_test() resp3 = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp3.status_code) delete_policy(kube_apis.custom_objects, pol_name_1, test_namespace) delete_policy(kube_apis.custom_objects, pol_name_2, test_namespace) delete_secret(kube_apis.v1, secret, test_namespace) delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, std_vs_src, virtual_server_setup.namespace, ) assert ( resp1.status_code == 401 ) # 401 unauthorized, since no token is attached to policy in spec context assert resp2.status_code == 200 assert ( resp3.status_code == 401 ) # 401 unauthorized, since no token is attached to policy in route context
def test_jwt_policy( self, kube_apis, crd_ingress_controller, virtual_server_setup, test_namespace, policy, ): """ Test jwt-policy with a valid and an invalid policy """ secret, pol_name, headers = self.setup_single_policy( kube_apis, test_namespace, valid_token, jwk_sec_valid_src, policy, virtual_server_setup.vs_host, ) print(f"Patch vs with policy: {policy}") policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", pol_name) if policy == jwt_pol_valid_src: vs_src = jwt_vs_single_src assert (policy_info["status"] and policy_info["status"]["reason"] == "AddedOrUpdated" and policy_info["status"]["state"] == "Valid") elif policy == jwt_pol_invalid_src: vs_src = jwt_vs_single_invalid_pol_src assert (policy_info["status"] and policy_info["status"]["reason"] == "Rejected" and policy_info["status"]["state"] == "Invalid") else: pytest.fail("Invalid configuration") delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, vs_src, virtual_server_setup.namespace, ) wait_before_test() resp = requests.get(virtual_server_setup.backend_1_url, headers=headers) print(resp.status_code) crd_info = read_custom_resource( kube_apis.custom_objects, virtual_server_setup.namespace, "virtualservers", virtual_server_setup.vs_name, ) delete_policy(kube_apis.custom_objects, pol_name, test_namespace) delete_secret(kube_apis.v1, secret, test_namespace) delete_and_create_vs_from_yaml( kube_apis.custom_objects, virtual_server_setup.vs_name, std_vs_src, virtual_server_setup.namespace, ) if policy == jwt_pol_valid_src: assert resp.status_code == 200 assert f"Request ID:" in resp.text assert crd_info["status"]["state"] == "Valid" elif policy == jwt_pol_invalid_src: assert resp.status_code == 500 assert f"Internal Server Error" in resp.text assert crd_info["status"]["state"] == "Warning" else: pytest.fail(f"Not a valid case or parameter")
def test_invalid_policy_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, test_namespace, config_setup, v_s_route_setup, ): """ Test if applying invalid-policy results in 500. """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") assert resp.status_code == 200 print(f"Create invalid policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, invalid_pol_src, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, invalid_vsr_src, v_s_route_setup.route_m.namespace, ) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "policies", pol_name) print(f"\nUse IP listed in deny block: 10.0.0.1") resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") vsr_info = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "virtualserverroutes", v_s_route_setup.route_m.name, ) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) assert (policy_info["status"] and policy_info["status"]["reason"] == "Rejected" and policy_info["status"]["state"] == "Invalid") assert resp.status_code == 500 and "500 Internal Server Error" in resp.text assert (vsr_info["status"]["state"] == "Warning" and vsr_info["status"]["reason"] == "AddedOrUpdatedWithWarning")
def test_override_policy_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, test_namespace, config_setup, v_s_route_setup, ): """ Test if ip (10.0.0.1) allow-listing overrides block-listing (policy specified in vsr subroute) """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") assert resp.status_code == 200 print(f"Create deny policy") deny_pol_name = create_policy_from_yaml( kube_apis.custom_objects, deny_pol_src, v_s_route_setup.route_m.namespace) print(f"Create allow policy") allow_pol_name = create_policy_from_yaml( kube_apis.custom_objects, allow_pol_src, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, override_vsr_src, v_s_route_setup.route_m.namespace, ) wait_before_test() print(f"\nUse IP listed in deny block: 10.0.0.1") resp1 = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp1.status_code}\n{resp1.text}") print(f"\nUse IP not listed in deny block: 10.0.0.2") resp2 = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.2" }, ) print(f"Response: {resp2.status_code}\n{resp2.text}") delete_policy(kube_apis.custom_objects, deny_pol_name, v_s_route_setup.route_m.namespace) delete_policy(kube_apis.custom_objects, allow_pol_name, v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) assert (resp2.status_code == 403 and "403 Forbidden" in resp2.text and resp1.status_code == 200 and "Server address:" in resp1.text)
def test_allow_policy_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, test_namespace, config_setup, v_s_route_setup, ): """ Test if ip (10.0.0.1) block-listing is working (policy specified in vsr subroute): default(no policy) -> deny """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp.status_code}\n{resp.text}") assert resp.status_code == 200 print(f"Create allow policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, allow_pol_src, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, allow_vsr_src, v_s_route_setup.route_m.namespace, ) wait_before_test() policy_info = read_custom_resource(kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "policies", pol_name) print(f"\nUse IP listed in deny block: 10.0.0.1") resp1 = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.1" }, ) print(f"Response: {resp1.status_code}\n{resp1.text}") print(f"\nUse IP not listed in deny block: 10.0.0.2") resp2 = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={ "host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.2" }, ) print(f"Response: {resp2.status_code}\n{resp2.text}") delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) assert (policy_info["status"] and policy_info["status"]["reason"] == "AddedOrUpdated" and policy_info["status"]["state"] == "Valid") assert (resp2.status_code == 403 and "403 Forbidden" in resp2.text and resp1.status_code == 200 and "Server address:" in resp1.text)
def test_jwt_policy( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, policy, ): """ Test jwt-policy with a valid and an invalid policy """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" if policy == jwt_pol_valid_src: vsr = jwt_vsr_valid_src elif policy == jwt_pol_invalid_src: vsr = jwt_vsr_invalid_src else: pytest.fail(f"Not a valid case or parameter") secret, pol_name, headers = self.setup_single_policy( kube_apis, v_s_route_setup.route_m.namespace, valid_token, jwk_sec_valid_src, policy, v_s_route_setup.vs_host, ) print(f"Patch vsr with policy: {policy}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, vsr, v_s_route_setup.route_m.namespace, ) wait_before_test() resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers, ) print(resp.status_code) policy_info = read_custom_resource(kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "policies", pol_name) crd_info = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "virtualserverroutes", v_s_route_setup.route_m.name, ) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, std_vsr_src, v_s_route_setup.route_m.namespace, ) if policy == jwt_pol_valid_src: assert resp.status_code == 200 assert f"Request ID:" in resp.text assert crd_info["status"]["state"] == "Valid" assert (policy_info["status"] and policy_info["status"]["reason"] == "AddedOrUpdated" and policy_info["status"]["state"] == "Valid") elif policy == jwt_pol_invalid_src: assert resp.status_code == 500 assert f"Internal Server Error" in resp.text assert crd_info["status"]["state"] == "Warning" assert (policy_info["status"] and policy_info["status"]["reason"] == "Rejected" and policy_info["status"]["state"] == "Invalid") else: pytest.fail(f"Not a valid case or parameter")
def test_override_vs_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, test_namespace, v_s_route_setup, src, ): """ Test if vsr subroute policy overrides vs spec policy And vsr subroute policy overrides vs route policy """ rate_sec = 5 req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" # policy for virtualserver print(f"Create rl policy: 1rps") pol_name_vs = create_policy_from_yaml( kube_apis.custom_objects, rl_pol_pri_src, v_s_route_setup.route_m.namespace) # policy for virtualserverroute print(f"Create rl policy: 5rps") pol_name_vsr = create_policy_from_yaml( kube_apis.custom_objects, rl_pol_sec_src, v_s_route_setup.route_m.namespace) # patch vsr with 5rps policy patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, rl_vsr_sec_src, v_s_route_setup.route_m.namespace, ) # patch vs with 1rps policy patch_virtual_server_from_yaml(kube_apis.custom_objects, v_s_route_setup.vs_name, src, v_s_route_setup.namespace) wait_before_test() occur = [] t_end = time.perf_counter() + 1 resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) print(resp.status_code) assert resp.status_code == 200 while time.perf_counter() < t_end: resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers={"host": v_s_route_setup.vs_host}, ) occur.append(resp.status_code) delete_policy(kube_apis.custom_objects, pol_name_vs, v_s_route_setup.route_m.namespace) delete_policy(kube_apis.custom_objects, pol_name_vsr, v_s_route_setup.route_m.namespace) self.restore_default_vsr(kube_apis, v_s_route_setup) patch_virtual_server_from_yaml(kube_apis.custom_objects, v_s_route_setup.vs_name, std_vs_src, v_s_route_setup.namespace) assert rate_sec >= occur.count(200) >= (rate_sec - 2)
def test_jwt_policy_delete_policy( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, ): """ Test if requests result in 500 when policy is deleted """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" secret, pol_name, headers = self.setup_single_policy( kube_apis, v_s_route_setup.route_m.namespace, valid_token, jwk_sec_valid_src, jwt_pol_valid_src, v_s_route_setup.vs_host, ) print(f"Patch vsr with policy: {jwt_pol_valid_src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, jwt_vsr_valid_src, v_s_route_setup.route_m.namespace, ) wait_before_test() resp1 = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers, ) print(resp1.status_code) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) resp2 = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers, ) print(resp2.status_code) crd_info = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "virtualserverroutes", v_s_route_setup.route_m.name, ) delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, std_vsr_src, v_s_route_setup.route_m.namespace, ) assert resp1.status_code == 200 assert f"Request ID:" in resp1.text assert crd_info["status"]["state"] == "Warning" assert (f"{v_s_route_setup.route_m.namespace}/{pol_name} is missing" in crd_info["status"]["message"]) assert resp2.status_code == 500 assert f"Internal Server Error" in resp2.text
def test_auth_basic_policy_secret( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, htpasswd_secret, ): """ Test auth-basic-policy with a valid and an invalid secret """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" if htpasswd_secret == htpasswd_sec_valid_src: pol = auth_basic_pol_valid_src vsr = auth_basic_vsr_valid_src elif htpasswd_secret == htpasswd_sec_invalid_src: pol = auth_basic_pol_invalid_sec_src vsr = auth_basic_vsr_invalid_sec_src else: pytest.fail(f"Not a valid case or parameter") secret, pol_name, headers = self.setup_single_policy( kube_apis, v_s_route_setup.route_m.namespace, valid_credentials, htpasswd_secret, pol, v_s_route_setup.vs_host, ) print(f"Patch vsr with policy: {pol}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, vsr, v_s_route_setup.route_m.namespace, ) wait_before_test() resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers, ) print(resp.status_code) crd_info = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "virtualserverroutes", v_s_route_setup.route_m.name, ) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, std_vsr_src, v_s_route_setup.route_m.namespace, ) if htpasswd_secret == htpasswd_sec_valid_src: assert resp.status_code == 200 assert f"Request ID:" in resp.text assert crd_info["status"]["state"] == "Valid" elif htpasswd_secret == htpasswd_sec_invalid_src: assert resp.status_code == 500 assert f"Internal Server Error" in resp.text assert crd_info["status"]["state"] == "Warning" else: pytest.fail(f"Not a valid case or parameter")
def test_jwt_policy_override_vs_vsr( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, vs_src, ): """ Test if policy specified in vsr:subroute (policy without $httptoken) takes preference over policy specified in: 1. vs:spec (policy with $httptoken) 2. vs:route (policy with $httptoken) """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" secret, pol_name_1, pol_name_2, headers = self.setup_multiple_policies( kube_apis, v_s_route_setup.route_m.namespace, valid_token, jwk_sec_valid_src, jwt_pol_valid_src, jwt_pol_multi_src, v_s_route_setup.vs_host, ) print(f"Patch vsr with policies: {jwt_pol_valid_src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, jwt_vsr_valid_multi_src, v_s_route_setup.route_m.namespace, ) patch_virtual_server_from_yaml( kube_apis.custom_objects, v_s_route_setup.vs_name, vs_src, v_s_route_setup.namespace, ) wait_before_test() resp = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers, ) print(resp.status_code) delete_policy(kube_apis.custom_objects, pol_name_1, v_s_route_setup.route_m.namespace) delete_policy(kube_apis.custom_objects, pol_name_2, v_s_route_setup.route_m.namespace) delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, std_vsr_src, v_s_route_setup.route_m.namespace, ) patch_virtual_server_from_yaml(kube_apis.custom_objects, v_s_route_setup.vs_name, std_vs_src, v_s_route_setup.namespace) assert resp.status_code == 401 assert f"Authorization Required" in resp.text
def test_auth_basic_policy_delete_secret( self, kube_apis, crd_ingress_controller, v_s_route_app_setup, v_s_route_setup, test_namespace, ): """ Test if requests result in 500 when secret is deleted """ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}" secret, pol_name, headers = self.setup_single_policy( kube_apis, v_s_route_setup.route_m.namespace, valid_credentials, htpasswd_sec_valid_src, auth_basic_pol_valid_src, v_s_route_setup.vs_host, ) print(f"Patch vsr with policy: {auth_basic_pol_valid_src}") patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, auth_basic_vsr_valid_src, v_s_route_setup.route_m.namespace, ) wait_before_test() resp1 = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers, ) print(resp1.status_code) delete_secret(kube_apis.v1, secret, v_s_route_setup.route_m.namespace) resp2 = requests.get( f"{req_url}{v_s_route_setup.route_m.paths[0]}", headers=headers, ) print(resp2.status_code) crd_info = read_custom_resource( kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "virtualserverroutes", v_s_route_setup.route_m.name, ) delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace) patch_v_s_route_from_yaml( kube_apis.custom_objects, v_s_route_setup.route_m.name, std_vsr_src, v_s_route_setup.route_m.namespace, ) assert resp1.status_code == 200 assert f"Request ID:" in resp1.text assert crd_info["status"]["state"] == "Warning" assert ( f"references an invalid secret {v_s_route_setup.route_m.namespace}/{secret}: secret doesn't exist or of an unsupported type" in crd_info["status"]["message"]) assert resp2.status_code == 500 assert f"Internal Server Error" in resp2.text