def jwt_auth_setup(request, kube_apis, ingress_controller_endpoint, ingress_controller, test_namespace) -> JWTAuthMergeableSetup: tokens = {"master": get_token_from_file("master"), "minion": get_token_from_file("minion")} master_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/jwt-auth-mergeable/jwt-master-secret.yaml") minion_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/jwt-auth-mergeable/jwt-minion-secret.yaml") print("------------------------- Deploy JWT Auth Mergeable Minions Example -----------------------------------") create_items_from_yaml(kube_apis, f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml", test_namespace) ingress_host = get_first_ingress_host_from_yaml(f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml") create_example_app(kube_apis, "simple", test_namespace) wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl) wait_before_test(2) def fin(): print("Delete Master Secret:") if is_secret_present(kube_apis.v1, master_secret_name, test_namespace): delete_secret(kube_apis.v1, master_secret_name, test_namespace) print("Delete Minion Secret:") if is_secret_present(kube_apis.v1, minion_secret_name, test_namespace): delete_secret(kube_apis.v1, minion_secret_name, test_namespace) print("Clean up the JWT Auth Mergeable Minions Application:") delete_common_app(kube_apis, "simple", test_namespace) delete_items_from_yaml(kube_apis, f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml", test_namespace) request.addfinalizer(fin) return JWTAuthMergeableSetup(ingress_controller_endpoint, ingress_host, master_secret_name, minion_secret_name, tokens)
def jwt_auth_setup(request, kube_apis, ingress_controller_endpoint, ingress_controller, test_namespace) -> JWTAuthMergeableSetup: tokens = {"master": get_token_from_file("master"), "minion": get_token_from_file("minion")} master_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/jwt-auth-mergeable/jwt-master-secret.yaml") minion_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/jwt-auth-mergeable/jwt-minion-secret.yaml") print("------------------------- Deploy JWT Auth Mergeable Minions Example -----------------------------------") create_items_from_yaml(kube_apis.extensions_v1_beta1, f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml", test_namespace) ingress_host = get_ingress_host_from_yaml(f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml") common_app = create_common_app(kube_apis.v1, kube_apis.extensions_v1_beta1, test_namespace) wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl) wait_before_test(2) def fin(): print("Delete Master Secret:") if is_secret_present(kube_apis.v1, master_secret_name, test_namespace): delete_secret(kube_apis.v1, master_secret_name, test_namespace) print("Delete Minion Secret:") if is_secret_present(kube_apis.v1, minion_secret_name, test_namespace): delete_secret(kube_apis.v1, minion_secret_name, test_namespace) print("Clean up the JWT Auth Mergeable Minions Application:") delete_common_app(kube_apis.v1, kube_apis.extensions_v1_beta1, common_app, test_namespace) delete_items_from_yaml(kube_apis.extensions_v1_beta1, f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml", test_namespace) request.addfinalizer(fin) return JWTAuthMergeableSetup(ingress_controller_endpoint, ingress_host, master_secret_name, minion_secret_name, tokens)
def ingress_controller_prerequisites( cli_arguments, kube_apis, request) -> IngressControllerPrerequisites: """ Create RBAC, SA, IC namespace and default-secret. :param cli_arguments: tests context :param kube_apis: client apis :param request: pytest fixture :return: IngressControllerPrerequisites """ print( "------------------------- Create IC Prerequisites -----------------------------------" ) rbac = configure_rbac(kube_apis.rbac_v1_beta1) namespace = create_ns_and_sa_from_yaml( kube_apis.v1, f"{DEPLOYMENTS}/common/ns-and-sa.yaml") config_map_yaml = f"{DEPLOYMENTS}/common/nginx-config.yaml" create_configmap_from_yaml(kube_apis.v1, namespace, config_map_yaml) with open(config_map_yaml) as f: config_map = yaml.safe_load(f) create_secret_from_yaml( kube_apis.v1, namespace, f"{DEPLOYMENTS}/common/default-server-secret.yaml") def fin(): print("Clean up prerequisites") delete_namespace(kube_apis.v1, namespace) cleanup_rbac(kube_apis.rbac_v1_beta1, rbac) request.addfinalizer(fin) return IngressControllerPrerequisites(config_map, namespace)
def ingress_controller_prerequisites(cli_arguments, kube_apis, request) -> IngressControllerPrerequisites: """ Create RBAC, SA, IC namespace and default-secret. :param cli_arguments: tests context :param kube_apis: client apis :param request: pytest fixture :return: IngressControllerPrerequisites """ print("------------------------- Create IC Prerequisites -----------------------------------") rbac = configure_rbac(kube_apis.rbac_v1_beta1) namespace = create_ns_and_sa_from_yaml(kube_apis.v1, f"{DEPLOYMENTS}/common/ns-and-sa.yaml") config_map_yaml = f"{DEPLOYMENTS}/common/nginx-config.yaml" create_configmap_from_yaml(kube_apis.v1, namespace, config_map_yaml) with open(config_map_yaml) as f: config_map = yaml.safe_load(f) create_secret_from_yaml(kube_apis.v1, namespace, f"{DEPLOYMENTS}/common/default-server-secret.yaml") def fin(): print("Clean up prerequisites") delete_namespace(kube_apis.v1, namespace) cleanup_rbac(kube_apis.rbac_v1_beta1, rbac) request.addfinalizer(fin) return IngressControllerPrerequisites(config_map, namespace)
def test_virtual_server_no_cm(self, kube_apis, crd_ingress_controller, create_certmanager, virtual_server_setup): vs_src = f"{TEST_DATA}/virtual-server-certmanager/virtual-server-no-tls.yaml" patch_virtual_server_from_yaml(kube_apis.custom_objects, virtual_server_setup.vs_name, vs_src, virtual_server_setup.namespace) print("\nStep 1: verify connectivity with no TLS block") resp = requests.get(virtual_server_setup.backend_1_url, headers={"host": virtual_server_setup.vs_host}) assert resp.status_code == 200 resp = requests.get(virtual_server_setup.backend_2_url, headers={"host": virtual_server_setup.vs_host}) assert resp.status_code == 200 print( "\nStep 2: verify connectivity with TLS block but no cert-manager") vs_src = f"{TEST_DATA}/virtual-server-certmanager/virtual-server-no-cm.yaml" secret_src = f"{TEST_DATA}/virtual-server-certmanager/tls-secret.yaml" create_secret_from_yaml(kube_apis.v1, virtual_server_setup.namespace, secret_src) patch_virtual_server_from_yaml(kube_apis.custom_objects, virtual_server_setup.vs_name, vs_src, virtual_server_setup.namespace) resp = requests.get(virtual_server_setup.backend_1_url, headers={"host": virtual_server_setup.vs_host}) assert resp.status_code == 200 resp = requests.get(virtual_server_setup.backend_2_url, headers={"host": virtual_server_setup.vs_host}) assert resp.status_code == 200
def ingress_controller_prerequisites( cli_arguments, kube_apis, request) -> IngressControllerPrerequisites: """ Create RBAC, SA, IC namespace and default-secret. :param cli_arguments: tests context :param kube_apis: client apis :param request: pytest fixture :return: IngressControllerPrerequisites """ print( "------------------------- Create IC Prerequisites -----------------------------------" ) rbac = configure_rbac(kube_apis.rbac_v1) namespace = create_ns_and_sa_from_yaml( kube_apis.v1, f"{DEPLOYMENTS}/common/ns-and-sa.yaml") k8sVersionBin = subprocess.run(["kubectl", "version"], capture_output=True) k8sVersion = (k8sVersionBin.stdout).decode('ascii') serverVersion = k8sVersion[k8sVersion.find("Server Version:"):].lstrip() minorSerVer = serverVersion[serverVersion.find("Minor"):].lstrip()[0:10] k8sMinorVersion = int("".join(filter(str.isdigit, minorSerVer))) if (k8sMinorVersion >= 18): print("Create IngressClass resources:") subprocess.run([ "kubectl", "apply", "-f", f"{DEPLOYMENTS}/common/ingress-class.yaml" ]) subprocess.run([ "kubectl", "apply", "-f", f"{TEST_DATA}/ingress-class/resource/custom-ingress-class-res.yaml" ]) config_map_yaml = f"{DEPLOYMENTS}/common/nginx-config.yaml" create_configmap_from_yaml(kube_apis.v1, namespace, config_map_yaml) with open(config_map_yaml) as f: config_map = yaml.safe_load(f) create_secret_from_yaml( kube_apis.v1, namespace, f"{DEPLOYMENTS}/common/default-server-secret.yaml") def fin(): print("Clean up prerequisites") delete_namespace(kube_apis.v1, namespace) if (k8sMinorVersion >= 18): print("Delete IngressClass resources:") subprocess.run([ "kubectl", "delete", "-f", f"{DEPLOYMENTS}/common/ingress-class.yaml" ]) subprocess.run([ "kubectl", "delete", "-f", f"{TEST_DATA}/ingress-class/resource/custom-ingress-class-res.yaml" ]) cleanup_rbac(kube_apis.rbac_v1, rbac) request.addfinalizer(fin) return IngressControllerPrerequisites(config_map, namespace, k8sMinorVersion)
def setup_policy(kube_apis, test_namespace, mtls_secret, tls_secret, policy): print(f"Create ingress-mtls secret") mtls_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, mtls_secret) print(f"Create ingress-mtls policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy, test_namespace) print(f"Create tls secret") tls_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, tls_secret) return mtls_secret_name, tls_secret_name, pol_name
def backend_setup(request, kube_apis, ingress_controller_prerequisites, test_namespace): """ Replace the ConfigMap and deploy the secret. :param request: pytest fixture :param kube_apis: client apis :param test_namespace: """ app_name = request.param.get("app_type") try: print( "------------------------- Replace ConfigMap with HTTP2 -------------------------" ) cm_source = f"{TEST_DATA}/virtual-server-grpc/nginx-config.yaml" replace_configmap_from_yaml( kube_apis.v1, ingress_controller_prerequisites.config_map['metadata']['name'], ingress_controller_prerequisites.namespace, cm_source) print( "------------------------- Deploy Secret -----------------------------" ) src_sec_yaml = f"{TEST_DATA}/virtual-server-grpc/tls-secret.yaml" create_secret_from_yaml(kube_apis.v1, test_namespace, src_sec_yaml) print( "------------------------- Deploy App -----------------------------" ) app_name = request.param.get("app_type") create_example_app(kube_apis, app_name, test_namespace) wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) except Exception as ex: print("Failed to complete setup, cleaning up..") delete_items_from_yaml(kube_apis, src_sec_yaml, test_namespace) replace_configmap_from_yaml( kube_apis.v1, ingress_controller_prerequisites.config_map['metadata']['name'], ingress_controller_prerequisites.namespace, f"{DEPLOYMENTS}/common/nginx-config.yaml") delete_common_app(kube_apis, app_name, test_namespace) pytest.fail(f"VS GRPC setup failed") def fin(): print("Clean up:") delete_items_from_yaml(kube_apis, src_sec_yaml, test_namespace) replace_configmap_from_yaml( kube_apis.v1, ingress_controller_prerequisites.config_map['metadata']['name'], ingress_controller_prerequisites.namespace, f"{DEPLOYMENTS}/common/nginx-config.yaml") delete_common_app(kube_apis, app_name, test_namespace) request.addfinalizer(fin)
def ingress_controller_prerequisites( cli_arguments, kube_apis, request) -> IngressControllerPrerequisites: """ Create RBAC, SA, IC namespace and default-secret. :param cli_arguments: tests context :param kube_apis: client apis :param request: pytest fixture :return: IngressControllerPrerequisites """ print( "------------------------- Create IC Prerequisites -----------------------------------" ) rbac = configure_rbac(kube_apis.rbac_v1) namespace = create_ns_and_sa_from_yaml( kube_apis.v1, f"{DEPLOYMENTS}/common/ns-and-sa.yaml") print("Create IngressClass resources:") subprocess.run( ["kubectl", "apply", "-f", f"{DEPLOYMENTS}/common/ingress-class.yaml"]) subprocess.run([ "kubectl", "apply", "-f", f"{TEST_DATA}/ingress-class/resource/custom-ingress-class-res.yaml", ]) config_map_yaml = f"{DEPLOYMENTS}/common/nginx-config.yaml" create_configmap_from_yaml(kube_apis.v1, namespace, config_map_yaml) with open(config_map_yaml) as f: config_map = yaml.safe_load(f) create_secret_from_yaml( kube_apis.v1, namespace, f"{DEPLOYMENTS}/common/default-server-secret.yaml") def fin(): print("Clean up prerequisites") delete_namespace(kube_apis.v1, namespace) print("Delete IngressClass resources:") subprocess.run([ "kubectl", "delete", "-f", f"{DEPLOYMENTS}/common/ingress-class.yaml" ]) subprocess.run([ "kubectl", "delete", "-f", f"{TEST_DATA}/ingress-class/resource/custom-ingress-class-res.yaml", ]) cleanup_rbac(kube_apis.rbac_v1, rbac) request.addfinalizer(fin) return IngressControllerPrerequisites(config_map, namespace)
def deploy_tls_secrets(self, kube_apis, v_s_route_setup) -> None: """ Function to deploy secrets to the vs route namespaces. """ print( "------------------------- Deploy Secrets -----------------------------" ) src_sec_yaml = f"{TEST_DATA}/virtual-server-route-grpc/tls-secret.yaml" create_secret_from_yaml(kube_apis.v1, v_s_route_setup.route_m.namespace, src_sec_yaml) create_secret_from_yaml(kube_apis.v1, v_s_route_setup.route_s.namespace, src_sec_yaml) wait_before_test(1)
def wildcard_tls_secret_ingress_controller(cli_arguments, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_setup, request) -> IngressControllerWithSecret: """ Create a Wildcard Ingress Controller according to the installation type :param cli_arguments: pytest context :param kube_apis: client apis :param ingress_controller_prerequisites :param wildcard_tls_secret_setup: test-class prerequisites :param request: pytest fixture :return: IngressController object """ namespace = ingress_controller_prerequisites.namespace print("------------------------- Create IC and wildcard secret -----------------------------------") secret_name = create_secret_from_yaml(kube_apis.v1, namespace, f"{TEST_DATA}/wildcard-tls-secret/wildcard-tls-secret.yaml") extra_args = [f"-wildcard-tls-secret={namespace}/{secret_name}"] name = create_ingress_controller(kube_apis.v1, kube_apis.extensions_v1_beta1, cli_arguments, namespace, extra_args) ensure_connection_to_public_endpoint(wildcard_tls_secret_setup.public_endpoint.public_ip, wildcard_tls_secret_setup.public_endpoint.port, wildcard_tls_secret_setup.public_endpoint.port_ssl) def fin(): print("Remove IC and wildcard secret:") delete_ingress_controller(kube_apis.extensions_v1_beta1, name, cli_arguments['deployment-type'], namespace) if is_secret_present(kube_apis.v1, secret_name, namespace): delete_secret(kube_apis.v1, secret_name, namespace) request.addfinalizer(fin) return IngressControllerWithSecret(secret_name)
def smoke_setup(request, kube_apis, ingress_controller_endpoint, ingress_controller, test_namespace) -> SmokeSetup: print( "------------------------- Deploy Smoke Example -----------------------------------" ) secret_name = create_secret_from_yaml( kube_apis.v1, test_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml") create_items_from_yaml( kube_apis, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml", test_namespace) ingress_host = get_first_ingress_host_from_yaml( f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml") common_app = create_common_app(kube_apis.v1, kube_apis.extensions_v1_beta1, test_namespace) wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl) def fin(): print("Clean up the Smoke Application:") delete_common_app(kube_apis.v1, kube_apis.extensions_v1_beta1, common_app, test_namespace) delete_items_from_yaml( kube_apis, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml", test_namespace) delete_secret(kube_apis.v1, secret_name, test_namespace) request.addfinalizer(fin) return SmokeSetup(ingress_controller_endpoint, ingress_host)
def ingress_setup(request, kube_apis, ingress_controller_endpoint, test_namespace) -> IngressSetup: print( "------------------------- Deploy Ingress Example -----------------------------------" ) secret_name = create_secret_from_yaml( kube_apis.v1, test_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml") create_items_from_yaml(kube_apis, f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml", test_namespace) ingress_host = get_first_ingress_host_from_yaml( f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml") create_example_app(kube_apis, "simple", test_namespace) wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) ensure_connection_to_public_endpoint( ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl, ) req_url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/backend1" def fin(): print("Clean up simple app") delete_common_app(kube_apis, "simple", test_namespace) delete_items_from_yaml( kube_apis, f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml", test_namespace) delete_secret(kube_apis.v1, secret_name, test_namespace) request.addfinalizer(fin) return IngressSetup(req_url, ingress_host)
def smoke_setup(request, kube_apis, ingress_controller_endpoint, ingress_controller, test_namespace) -> SmokeSetup: print( "------------------------- Deploy Smoke Example -----------------------------------" ) secret_name = create_secret_from_yaml( kube_apis.v1, test_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml") create_items_from_yaml( kube_apis, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml", test_namespace) ingress_host = get_first_ingress_host_from_yaml( f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml") create_example_app(kube_apis, "simple", test_namespace) wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) ensure_connection_to_public_endpoint( ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl, ) def fin(): print("Clean up the Smoke Application:") delete_common_app(kube_apis, "simple", test_namespace) delete_items_from_yaml( kube_apis, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml", test_namespace) delete_secret(kube_apis.v1, secret_name, test_namespace) write_to_json(f"reload-{get_test_file_name(request.node.fspath)}.json", reload_times) request.addfinalizer(fin) return SmokeSetup(ingress_controller_endpoint, ingress_host)
def setup_multiple_policies(self, kube_apis, namespace, credentials, secret_list, policy_1, policy_2, vs_host): print(f"Create {len(secret_list)} htpasswd secrets") # secret_name = create_secret_from_yaml(kube_apis.v1, namespace, secret) secret_name_list = [] for secret in secret_list: secret_name_list.append( create_secret_from_yaml(kube_apis.v1, namespace, secret)) print(f"Create auth basic policy #1") pol_name_1 = create_policy_from_yaml(kube_apis.custom_objects, policy_1, namespace) print(f"Create auth basic policy #2") pol_name_2 = create_policy_from_yaml(kube_apis.custom_objects, policy_2, namespace) wait_before_test() with open(credentials, "r") as file: data = file.readline() headers = { "host": vs_host, "authorization": f"Basic {to_base64(data)}" } return secret_name_list, pol_name_1, pol_name_2, headers
def test_response_codes_after_secret_remove_and_restore( self, kube_apis, auth_basic_secrets_setup, test_namespace, auth_basic_secret): req_url = f"http://{auth_basic_secrets_setup.public_endpoint.public_ip}:{auth_basic_secrets_setup.public_endpoint.port}/backend2" delete_secret(kube_apis.v1, auth_basic_secret.secret_name, test_namespace) wait_before_test(1) resp = requests.get( req_url, headers={ "host": auth_basic_secrets_setup.ingress_host, "authorization": f"Basic {to_base64(auth_basic_secrets_setup.credentials)}" }) assert resp.status_code == 403 auth_basic_secret.secret_name = create_secret_from_yaml( kube_apis.v1, test_namespace, f"{TEST_DATA}/auth-basic-secrets/auth-basic-secret.yaml") wait_before_test(1) resp = requests.get( req_url, headers={ "host": auth_basic_secrets_setup.ingress_host, "authorization": f"Basic {to_base64(auth_basic_secrets_setup.credentials)}" }) assert resp.status_code == 200
def wildcard_tls_secret_ingress_controller(cli_arguments, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_setup, request) -> IngressControllerWithSecret: """ Create a Wildcard Ingress Controller according to the installation type :param cli_arguments: pytest context :param kube_apis: client apis :param ingress_controller_prerequisites :param wildcard_tls_secret_setup: test-class prerequisites :param request: pytest fixture :return: IngressController object """ namespace = ingress_controller_prerequisites.namespace print("------------------------- Create IC and wildcard secret -----------------------------------") secret_name = create_secret_from_yaml(kube_apis.v1, namespace, f"{TEST_DATA}/wildcard-tls-secret/wildcard-tls-secret.yaml") extra_args = [f"-wildcard-tls-secret={namespace}/{secret_name}"] name = create_ingress_controller(kube_apis.v1, kube_apis.extensions_v1_beta1, cli_arguments, namespace, extra_args) ensure_connection_to_public_endpoint(wildcard_tls_secret_setup.public_endpoint.public_ip, wildcard_tls_secret_setup.public_endpoint.port, wildcard_tls_secret_setup.public_endpoint.port_ssl) def fin(): print("Remove IC and wildcard secret:") delete_ingress_controller(kube_apis.extensions_v1_beta1, name, cli_arguments['deployment-type'], namespace) if is_secret_present(kube_apis.v1, secret_name, namespace): delete_secret(kube_apis.v1, secret_name, namespace) request.addfinalizer(fin) return IngressControllerWithSecret(secret_name)
def test_certificate_subject_updates_after_secret_update( self, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_ingress_controller, wildcard_tls_secret_setup): delete_secret(kube_apis.v1, wildcard_tls_secret_ingress_controller.secret_name, ingress_controller_prerequisites.namespace) create_secret_from_yaml( kube_apis.v1, ingress_controller_prerequisites.namespace, f"{TEST_DATA}/wildcard-tls-secret/gb-wildcard-tls-secret.yaml") wait_before_test(1) subject_dict = get_server_certificate_subject( wildcard_tls_secret_setup.public_endpoint.public_ip, wildcard_tls_secret_setup.ingress_host, wildcard_tls_secret_setup.public_endpoint.port_ssl) assert subject_dict[b'C'] == b'GB' assert subject_dict[b'ST'] == b'Cambridgeshire' assert subject_dict[b'CN'] == b'cafe.example.com'
def test_tls_termination(self, kube_apis, crd_ingress_controller, virtual_server_setup, clean_up): print("\nStep 1: no secret") assert_ssl_error(virtual_server_setup) print("\nStep 2: deploy secret and check") secret_name = create_secret_from_yaml( kube_apis.v1, virtual_server_setup.namespace, f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml") wait_before_test(1) assert_us_subject(virtual_server_setup) print("\nStep 3: remove secret and check") delete_secret(kube_apis.v1, secret_name, virtual_server_setup.namespace) wait_before_test(1) assert_ssl_error(virtual_server_setup) print("\nStep 4: restore secret and check") create_secret_from_yaml( kube_apis.v1, virtual_server_setup.namespace, f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml") wait_before_test(1) assert_us_subject(virtual_server_setup) print("\nStep 5: deploy invalid secret and check") replace_secret( kube_apis.v1, secret_name, virtual_server_setup.namespace, f"{TEST_DATA}/virtual-server-tls/invalid-tls-secret.yaml") wait_before_test(1) assert_ssl_error(virtual_server_setup) print("\nStep 6: restore secret and check") replace_secret(kube_apis.v1, secret_name, virtual_server_setup.namespace, f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml") wait_before_test(1) assert_us_subject(virtual_server_setup) print("\nStep 7: update secret and check") replace_secret(kube_apis.v1, secret_name, virtual_server_setup.namespace, f"{TEST_DATA}/virtual-server-tls/new-tls-secret.yaml") wait_before_test(1) assert_gb_subject(virtual_server_setup)
def test_certificate_subject_remains_with_invalid_secret( self, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_ingress_controller, wildcard_tls_secret_setup): delete_secret(kube_apis.v1, wildcard_tls_secret_ingress_controller.secret_name, ingress_controller_prerequisites.namespace) create_secret_from_yaml( kube_apis.v1, ingress_controller_prerequisites.namespace, f"{TEST_DATA}/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml" ) wait_before_test(1) subject_dict = get_server_certificate_subject( wildcard_tls_secret_setup.public_endpoint.public_ip, wildcard_tls_secret_setup.ingress_host, wildcard_tls_secret_setup.public_endpoint.port_ssl) assert subject_dict[b'C'] == b'ES' assert subject_dict[b'ST'] == b'CanaryIslands' assert subject_dict[b'CN'] == b'example.com'
def prometheus_secret_setup(request, kube_apis, test_namespace): print("------------------------- Deploy Prometheus Secret -----------------------------------") prometheus_secret_name = create_secret_from_yaml( kube_apis.v1, "nginx-ingress", f"{TEST_DATA}/prometheus/secret.yaml" ) def fin(): delete_secret(kube_apis.v1, prometheus_secret_name, "nginx-ingress") request.addfinalizer(fin)
def test_response_codes_after_secret_remove_and_restore(self, kube_apis, jwt_secrets_setup, test_namespace, jwt_secret): req_url = f"http://{jwt_secrets_setup.public_endpoint.public_ip}:{jwt_secrets_setup.public_endpoint.port}/backend2" delete_secret(kube_apis.v1, jwt_secret.secret_name, test_namespace) wait_before_test(1) resp = requests.get(req_url, headers={"host": jwt_secrets_setup.ingress_host}, cookies={"auth_token": jwt_secrets_setup.jwt_token}) assert resp.status_code == 500 jwt_secret.secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/jwt-secrets/jwt-secret.yaml") wait_before_test(1) resp = requests.get(req_url, headers={"host": jwt_secrets_setup.ingress_host}, cookies={"auth_token": jwt_secrets_setup.jwt_token}) assert resp.status_code == 200
def test_response_codes_after_secret_remove_and_restore(self, kube_apis, jwt_secrets_setup, test_namespace, jwt_secret): req_url = f"http://{jwt_secrets_setup.public_endpoint.public_ip}:{jwt_secrets_setup.public_endpoint.port}/backend2" delete_secret(kube_apis.v1, jwt_secret.secret_name, test_namespace) wait_before_test(1) resp = requests.get(req_url, headers={"host": jwt_secrets_setup.ingress_host}, cookies={"auth_token": jwt_secrets_setup.jwt_token}) assert resp.status_code == 500 jwt_secret.secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/jwt-secrets/jwt-secret.yaml") wait_before_test(1) resp = requests.get(req_url, headers={"host": jwt_secrets_setup.ingress_host}, cookies={"auth_token": jwt_secrets_setup.jwt_token}) assert resp.status_code == 200
def jwt_secret(request, kube_apis, ingress_controller_endpoint, jwt_secrets_setup, test_namespace) -> JWTSecret: secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/jwt-secrets/jwt-secret.yaml") wait_before_test(1) def fin(): print("Delete Secret:") if is_secret_present(kube_apis.v1, secret_name, test_namespace): delete_secret(kube_apis.v1, secret_name, test_namespace) request.addfinalizer(fin) return JWTSecret(secret_name)
def jwt_secret(request, kube_apis, ingress_controller_endpoint, jwt_secrets_setup, test_namespace) -> JWTSecret: secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/jwt-secrets/jwt-secret.yaml") wait_before_test(1) def fin(): print("Delete Secret:") if is_secret_present(kube_apis.v1, secret_name, test_namespace): delete_secret(kube_apis.v1, secret_name, test_namespace) request.addfinalizer(fin) return JWTSecret(secret_name)
def setup_single_policy(self, kube_apis, namespace, token, secret, policy, vs_host): print(f"Create jwk secret") secret_name = create_secret_from_yaml(kube_apis.v1, namespace, secret) print(f"Create jwt policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy, namespace) with open(token, "r") as file: data = file.readline() headers = {"host": vs_host, "token": data} return secret_name, pol_name, headers
def ap_generic_setup(kube_apis, vs_namespace, test_namespace, policy_method, vs_yaml): src_pol_yaml = f"{TEST_DATA}/ap-waf-grpc/policies/waf-block-{policy_method}.yaml" print( "------------------------- Deploy logconf -----------------------------" ) global log_name log_name = create_ap_logconf_from_yaml(kube_apis.custom_objects, src_log_yaml, test_namespace) print( f"------------------------- Deploy AP policy ---------------------------" ) src_appol_yaml = f"{TEST_DATA}/ap-waf-grpc/grpc-block-{policy_method}.yaml" global ap_pol_name ap_pol_name = create_ap_policy_from_yaml(kube_apis.custom_objects, src_appol_yaml, test_namespace) print( "------------------------- Deploy Syslog -----------------------------" ) create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace) wait_before_test(20) syslog_ep = get_service_endpoint(kube_apis, "syslog-svc", test_namespace) print("------------------------- Deploy App -----------------------------") create_example_app(kube_apis, "grpc-vs", vs_namespace) wait_until_all_pods_are_ready(kube_apis.v1, vs_namespace) print( "------------------------- Deploy Secret -----------------------------" ) create_secret_from_yaml(kube_apis.v1, vs_namespace, src_vs_sec_yaml) print( f"------------------------- Deploy policy ---------------------------") src_pol_name = create_ap_waf_policy_from_yaml( kube_apis.custom_objects, src_pol_yaml, vs_namespace, test_namespace, True, True, ap_pol_name, log_name, f"syslog:server={syslog_ep}:514") print( "------------------------- Deploy Virtual Server -----------------------------------" ) vs_name = create_virtual_server_from_yaml(kube_apis.custom_objects, vs_yaml, vs_namespace) return (src_pol_name, vs_name)
def test_with_default_tls_secret(self, kube_apis, ingress_controller_endpoint, secret_setup, default_server_setup): print("Step 1: ensure CN of the default server TLS cert") assert_cn(ingress_controller_endpoint, "NGINXIngressController") print( "Step 2: ensure CN of the default server TLS cert after removing the secret" ) delete_secret(kube_apis.v1, secret_name, secret_namespace) wait_before_test(1) # Ingress Controller retains the previous valid secret assert_cn(ingress_controller_endpoint, "NGINXIngressController") print( "Step 3: ensure CN of the default TLS cert after creating an updated secret" ) create_secret_from_yaml(kube_apis.v1, secret_namespace, new_secret_path) wait_before_test(1) assert_cn(ingress_controller_endpoint, "cafe.example.com") print( "Step 4: ensure CN of the default TLS cert after making the secret invalid" ) replace_secret(kube_apis.v1, secret_name, secret_namespace, invalid_secret_path) wait_before_test(1) # Ingress Controller retains the previous valid secret assert_cn(ingress_controller_endpoint, "cafe.example.com") print( "Step 5: ensure CN of the default TLS cert after restoring the secret" ) replace_secret(kube_apis.v1, secret_name, secret_namespace, secret_path) wait_before_test(1) assert_cn(ingress_controller_endpoint, "NGINXIngressController")
def simple_ingress_setup( request, kube_apis, ingress_controller_endpoint, test_namespace, ingress_controller, ) -> IngressSetup: """ Deploy simple application and all the Ingress resources under test in one namespace. :param request: pytest fixture :param kube_apis: client apis :param ingress_controller_endpoint: public endpoint :param test_namespace: :return: BackendSetup """ req_url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/backend1" metrics_url = f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.metrics_port}/metrics" secret_name = create_secret_from_yaml( kube_apis.v1, test_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml" ) create_example_app(kube_apis, "simple", test_namespace) create_items_from_yaml( kube_apis, f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml", test_namespace ) ingress_host = get_first_ingress_host_from_yaml( f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml" ) wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) ensure_connection_to_public_endpoint( ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl, ) def fin(): print("Clean up the Application:") delete_common_app(kube_apis, "simple", test_namespace) delete_secret(kube_apis.v1, secret_name, test_namespace) delete_items_from_yaml( kube_apis, f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml", test_namespace ) request.addfinalizer(fin) return IngressSetup(req_url, metrics_url, ingress_host)
def test_tls_termination(self, kube_apis, ingress_controller_endpoint, test_namespace, tls_setup): print("Step 1: no secret") assert_unrecognized_name_error(ingress_controller_endpoint, tls_setup.ingress_host) print("Step 2: deploy secret and check") create_secret_from_yaml(kube_apis.v1, test_namespace, tls_setup.secret_path) wait_before_test(1) assert_us_subject(ingress_controller_endpoint, tls_setup.ingress_host) print("Step 3: remove secret and check") delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace) wait_before_test(1) assert_unrecognized_name_error(ingress_controller_endpoint, tls_setup.ingress_host) print("Step 4: restore secret and check") create_secret_from_yaml(kube_apis.v1, test_namespace, tls_setup.secret_path) wait_before_test(1) assert_us_subject(ingress_controller_endpoint, tls_setup.ingress_host) print("Step 5: deploy invalid secret and check") delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace) create_secret_from_yaml(kube_apis.v1, test_namespace, tls_setup.invalid_secret_path) wait_before_test(1) assert_unrecognized_name_error(ingress_controller_endpoint, tls_setup.ingress_host) print("Step 6: restore secret and check") delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace) create_secret_from_yaml(kube_apis.v1, test_namespace, tls_setup.secret_path) wait_before_test(1) assert_us_subject(ingress_controller_endpoint, tls_setup.ingress_host) print("Step 7: update secret and check") replace_secret(kube_apis.v1, tls_setup.secret_name, test_namespace, tls_setup.new_secret_path) wait_before_test(1) assert_gb_subject(ingress_controller_endpoint, tls_setup.ingress_host)
def setup_multiple_policies( self, kube_apis, namespace, token, secret, policy_1, policy_2, vs_host ): print(f"Create jwk secret") secret_name = create_secret_from_yaml(kube_apis.v1, namespace, secret) print(f"Create jwt policy #1") pol_name_1 = create_policy_from_yaml(kube_apis.custom_objects, policy_1, namespace) print(f"Create jwt policy #2") pol_name_2 = create_policy_from_yaml(kube_apis.custom_objects, policy_2, namespace) wait_before_test() with open(token, "r") as file: data = file.readline() headers = {"host": vs_host, "token": data} return secret_name, pol_name_1, pol_name_2, headers
def setup_single_policy(self, kube_apis, test_namespace, credentials, secret, policy, vs_host): print(f"Create htpasswd secret") secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, secret) print(f"Create auth basic policy") pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy, test_namespace) wait_before_test() # generate header without auth if credentials == None : return secret_name, pol_name, {"host": vs_host} with open(credentials, "r") as file: data = file.readline() headers = {"host": vs_host, "authorization": f"Basic {to_base64(data)}"} return secret_name, pol_name, headers
def smoke_setup(request, kube_apis, ingress_controller_endpoint, ingress_controller, test_namespace) -> SmokeSetup: print("------------------------- Deploy Smoke Example -----------------------------------") secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml") create_items_from_yaml(kube_apis.extensions_v1_beta1, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml", test_namespace) ingress_host = get_ingress_host_from_yaml(f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml") common_app = create_common_app(kube_apis.v1, kube_apis.extensions_v1_beta1, test_namespace) wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, ingress_controller_endpoint.port_ssl) def fin(): print("Clean up the Smoke Application:") delete_common_app(kube_apis.v1, kube_apis.extensions_v1_beta1, common_app, test_namespace) delete_items_from_yaml(kube_apis.extensions_v1_beta1, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml", test_namespace) delete_secret(kube_apis.v1, secret_name, test_namespace) request.addfinalizer(fin) return SmokeSetup(ingress_controller_endpoint, ingress_host)