def jwt_auth_setup(request, kube_apis, ingress_controller_endpoint, ingress_controller, test_namespace) -> JWTAuthMergeableSetup:
tokens = {"master": get_token_from_file("master"), "minion": get_token_from_file("minion")}
master_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace,
f"{TEST_DATA}/jwt-auth-mergeable/jwt-master-secret.yaml")
minion_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace,
f"{TEST_DATA}/jwt-auth-mergeable/jwt-minion-secret.yaml")
print("------------------------- Deploy JWT Auth Mergeable Minions Example -----------------------------------")
create_items_from_yaml(kube_apis, f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml", test_namespace)
ingress_host = get_first_ingress_host_from_yaml(f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml")
create_example_app(kube_apis, "simple", test_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl)
wait_before_test(2)
def fin():
print("Delete Master Secret:")
if is_secret_present(kube_apis.v1, master_secret_name, test_namespace):
delete_secret(kube_apis.v1, master_secret_name, test_namespace)
print("Delete Minion Secret:")
if is_secret_present(kube_apis.v1, minion_secret_name, test_namespace):
delete_secret(kube_apis.v1, minion_secret_name, test_namespace)
print("Clean up the JWT Auth Mergeable Minions Application:")
delete_common_app(kube_apis, "simple", test_namespace)
delete_items_from_yaml(kube_apis, f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml",
test_namespace)
request.addfinalizer(fin)
return JWTAuthMergeableSetup(ingress_controller_endpoint, ingress_host, master_secret_name, minion_secret_name, tokens)
def jwt_auth_setup(request, kube_apis, ingress_controller_endpoint, ingress_controller, test_namespace) -> JWTAuthMergeableSetup:
tokens = {"master": get_token_from_file("master"), "minion": get_token_from_file("minion")}
master_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace,
f"{TEST_DATA}/jwt-auth-mergeable/jwt-master-secret.yaml")
minion_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace,
f"{TEST_DATA}/jwt-auth-mergeable/jwt-minion-secret.yaml")
print("------------------------- Deploy JWT Auth Mergeable Minions Example -----------------------------------")
create_items_from_yaml(kube_apis.extensions_v1_beta1, f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml", test_namespace)
ingress_host = get_ingress_host_from_yaml(f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml")
common_app = create_common_app(kube_apis.v1, kube_apis.extensions_v1_beta1, test_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl)
wait_before_test(2)
def fin():
print("Delete Master Secret:")
if is_secret_present(kube_apis.v1, master_secret_name, test_namespace):
delete_secret(kube_apis.v1, master_secret_name, test_namespace)
print("Delete Minion Secret:")
if is_secret_present(kube_apis.v1, minion_secret_name, test_namespace):
delete_secret(kube_apis.v1, minion_secret_name, test_namespace)
print("Clean up the JWT Auth Mergeable Minions Application:")
delete_common_app(kube_apis.v1, kube_apis.extensions_v1_beta1, common_app, test_namespace)
delete_items_from_yaml(kube_apis.extensions_v1_beta1, f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml",
test_namespace)
request.addfinalizer(fin)
return JWTAuthMergeableSetup(ingress_controller_endpoint, ingress_host, master_secret_name, minion_secret_name, tokens)
def ingress_controller_prerequisites(
cli_arguments, kube_apis, request) -> IngressControllerPrerequisites:
"""
Create RBAC, SA, IC namespace and default-secret.
:param cli_arguments: tests context
:param kube_apis: client apis
:param request: pytest fixture
:return: IngressControllerPrerequisites
"""
print(
"------------------------- Create IC Prerequisites -----------------------------------"
)
rbac = configure_rbac(kube_apis.rbac_v1_beta1)
namespace = create_ns_and_sa_from_yaml(
kube_apis.v1, f"{DEPLOYMENTS}/common/ns-and-sa.yaml")
config_map_yaml = f"{DEPLOYMENTS}/common/nginx-config.yaml"
create_configmap_from_yaml(kube_apis.v1, namespace, config_map_yaml)
with open(config_map_yaml) as f:
config_map = yaml.safe_load(f)
create_secret_from_yaml(
kube_apis.v1, namespace,
f"{DEPLOYMENTS}/common/default-server-secret.yaml")
def fin():
print("Clean up prerequisites")
delete_namespace(kube_apis.v1, namespace)
cleanup_rbac(kube_apis.rbac_v1_beta1, rbac)
request.addfinalizer(fin)
return IngressControllerPrerequisites(config_map, namespace)
def ingress_controller_prerequisites(cli_arguments, kube_apis, request) -> IngressControllerPrerequisites:
"""
Create RBAC, SA, IC namespace and default-secret.
:param cli_arguments: tests context
:param kube_apis: client apis
:param request: pytest fixture
:return: IngressControllerPrerequisites
"""
print("------------------------- Create IC Prerequisites -----------------------------------")
rbac = configure_rbac(kube_apis.rbac_v1_beta1)
namespace = create_ns_and_sa_from_yaml(kube_apis.v1, f"{DEPLOYMENTS}/common/ns-and-sa.yaml")
config_map_yaml = f"{DEPLOYMENTS}/common/nginx-config.yaml"
create_configmap_from_yaml(kube_apis.v1, namespace, config_map_yaml)
with open(config_map_yaml) as f:
config_map = yaml.safe_load(f)
create_secret_from_yaml(kube_apis.v1, namespace, f"{DEPLOYMENTS}/common/default-server-secret.yaml")
def fin():
print("Clean up prerequisites")
delete_namespace(kube_apis.v1, namespace)
cleanup_rbac(kube_apis.rbac_v1_beta1, rbac)
request.addfinalizer(fin)
return IngressControllerPrerequisites(config_map, namespace)
def test_virtual_server_no_cm(self, kube_apis, crd_ingress_controller,
create_certmanager, virtual_server_setup):
vs_src = f"{TEST_DATA}/virtual-server-certmanager/virtual-server-no-tls.yaml"
patch_virtual_server_from_yaml(kube_apis.custom_objects,
virtual_server_setup.vs_name, vs_src,
virtual_server_setup.namespace)
print("\nStep 1: verify connectivity with no TLS block")
resp = requests.get(virtual_server_setup.backend_1_url,
headers={"host": virtual_server_setup.vs_host})
assert resp.status_code == 200
resp = requests.get(virtual_server_setup.backend_2_url,
headers={"host": virtual_server_setup.vs_host})
assert resp.status_code == 200
print(
"\nStep 2: verify connectivity with TLS block but no cert-manager")
vs_src = f"{TEST_DATA}/virtual-server-certmanager/virtual-server-no-cm.yaml"
secret_src = f"{TEST_DATA}/virtual-server-certmanager/tls-secret.yaml"
create_secret_from_yaml(kube_apis.v1, virtual_server_setup.namespace,
secret_src)
patch_virtual_server_from_yaml(kube_apis.custom_objects,
virtual_server_setup.vs_name, vs_src,
virtual_server_setup.namespace)
resp = requests.get(virtual_server_setup.backend_1_url,
headers={"host": virtual_server_setup.vs_host})
assert resp.status_code == 200
resp = requests.get(virtual_server_setup.backend_2_url,
headers={"host": virtual_server_setup.vs_host})
assert resp.status_code == 200
def ingress_controller_prerequisites(
cli_arguments, kube_apis, request) -> IngressControllerPrerequisites:
"""
Create RBAC, SA, IC namespace and default-secret.
:param cli_arguments: tests context
:param kube_apis: client apis
:param request: pytest fixture
:return: IngressControllerPrerequisites
"""
print(
"------------------------- Create IC Prerequisites -----------------------------------"
)
rbac = configure_rbac(kube_apis.rbac_v1)
namespace = create_ns_and_sa_from_yaml(
kube_apis.v1, f"{DEPLOYMENTS}/common/ns-and-sa.yaml")
k8sVersionBin = subprocess.run(["kubectl", "version"], capture_output=True)
k8sVersion = (k8sVersionBin.stdout).decode('ascii')
serverVersion = k8sVersion[k8sVersion.find("Server Version:"):].lstrip()
minorSerVer = serverVersion[serverVersion.find("Minor"):].lstrip()[0:10]
k8sMinorVersion = int("".join(filter(str.isdigit, minorSerVer)))
if (k8sMinorVersion >= 18):
print("Create IngressClass resources:")
subprocess.run([
"kubectl", "apply", "-f",
f"{DEPLOYMENTS}/common/ingress-class.yaml"
])
subprocess.run([
"kubectl", "apply", "-f",
f"{TEST_DATA}/ingress-class/resource/custom-ingress-class-res.yaml"
])
config_map_yaml = f"{DEPLOYMENTS}/common/nginx-config.yaml"
create_configmap_from_yaml(kube_apis.v1, namespace, config_map_yaml)
with open(config_map_yaml) as f:
config_map = yaml.safe_load(f)
create_secret_from_yaml(
kube_apis.v1, namespace,
f"{DEPLOYMENTS}/common/default-server-secret.yaml")
def fin():
print("Clean up prerequisites")
delete_namespace(kube_apis.v1, namespace)
if (k8sMinorVersion >= 18):
print("Delete IngressClass resources:")
subprocess.run([
"kubectl", "delete", "-f",
f"{DEPLOYMENTS}/common/ingress-class.yaml"
])
subprocess.run([
"kubectl", "delete", "-f",
f"{TEST_DATA}/ingress-class/resource/custom-ingress-class-res.yaml"
])
cleanup_rbac(kube_apis.rbac_v1, rbac)
request.addfinalizer(fin)
return IngressControllerPrerequisites(config_map, namespace,
k8sMinorVersion)
def setup_policy(kube_apis, test_namespace, mtls_secret, tls_secret, policy):
print(f"Create ingress-mtls secret")
mtls_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, mtls_secret)
print(f"Create ingress-mtls policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy, test_namespace)
print(f"Create tls secret")
tls_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, tls_secret)
return mtls_secret_name, tls_secret_name, pol_name
def backend_setup(request, kube_apis, ingress_controller_prerequisites,
test_namespace):
"""
Replace the ConfigMap and deploy the secret.
:param request: pytest fixture
:param kube_apis: client apis
:param test_namespace:
"""
app_name = request.param.get("app_type")
try:
print(
"------------------------- Replace ConfigMap with HTTP2 -------------------------"
)
cm_source = f"{TEST_DATA}/virtual-server-grpc/nginx-config.yaml"
replace_configmap_from_yaml(
kube_apis.v1,
ingress_controller_prerequisites.config_map['metadata']['name'],
ingress_controller_prerequisites.namespace, cm_source)
print(
"------------------------- Deploy Secret -----------------------------"
)
src_sec_yaml = f"{TEST_DATA}/virtual-server-grpc/tls-secret.yaml"
create_secret_from_yaml(kube_apis.v1, test_namespace, src_sec_yaml)
print(
"------------------------- Deploy App -----------------------------"
)
app_name = request.param.get("app_type")
create_example_app(kube_apis, app_name, test_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
except Exception as ex:
print("Failed to complete setup, cleaning up..")
delete_items_from_yaml(kube_apis, src_sec_yaml, test_namespace)
replace_configmap_from_yaml(
kube_apis.v1,
ingress_controller_prerequisites.config_map['metadata']['name'],
ingress_controller_prerequisites.namespace,
f"{DEPLOYMENTS}/common/nginx-config.yaml")
delete_common_app(kube_apis, app_name, test_namespace)
pytest.fail(f"VS GRPC setup failed")
def fin():
print("Clean up:")
delete_items_from_yaml(kube_apis, src_sec_yaml, test_namespace)
replace_configmap_from_yaml(
kube_apis.v1,
ingress_controller_prerequisites.config_map['metadata']['name'],
ingress_controller_prerequisites.namespace,
f"{DEPLOYMENTS}/common/nginx-config.yaml")
delete_common_app(kube_apis, app_name, test_namespace)
request.addfinalizer(fin)
def ingress_controller_prerequisites(
cli_arguments, kube_apis, request) -> IngressControllerPrerequisites:
"""
Create RBAC, SA, IC namespace and default-secret.
:param cli_arguments: tests context
:param kube_apis: client apis
:param request: pytest fixture
:return: IngressControllerPrerequisites
"""
print(
"------------------------- Create IC Prerequisites -----------------------------------"
)
rbac = configure_rbac(kube_apis.rbac_v1)
namespace = create_ns_and_sa_from_yaml(
kube_apis.v1, f"{DEPLOYMENTS}/common/ns-and-sa.yaml")
print("Create IngressClass resources:")
subprocess.run(
["kubectl", "apply", "-f", f"{DEPLOYMENTS}/common/ingress-class.yaml"])
subprocess.run([
"kubectl",
"apply",
"-f",
f"{TEST_DATA}/ingress-class/resource/custom-ingress-class-res.yaml",
])
config_map_yaml = f"{DEPLOYMENTS}/common/nginx-config.yaml"
create_configmap_from_yaml(kube_apis.v1, namespace, config_map_yaml)
with open(config_map_yaml) as f:
config_map = yaml.safe_load(f)
create_secret_from_yaml(
kube_apis.v1, namespace,
f"{DEPLOYMENTS}/common/default-server-secret.yaml")
def fin():
print("Clean up prerequisites")
delete_namespace(kube_apis.v1, namespace)
print("Delete IngressClass resources:")
subprocess.run([
"kubectl", "delete", "-f",
f"{DEPLOYMENTS}/common/ingress-class.yaml"
])
subprocess.run([
"kubectl",
"delete",
"-f",
f"{TEST_DATA}/ingress-class/resource/custom-ingress-class-res.yaml",
])
cleanup_rbac(kube_apis.rbac_v1, rbac)
request.addfinalizer(fin)
return IngressControllerPrerequisites(config_map, namespace)
def deploy_tls_secrets(self, kube_apis, v_s_route_setup) -> None:
"""
Function to deploy secrets to the vs route namespaces.
"""
print(
"------------------------- Deploy Secrets -----------------------------"
)
src_sec_yaml = f"{TEST_DATA}/virtual-server-route-grpc/tls-secret.yaml"
create_secret_from_yaml(kube_apis.v1,
v_s_route_setup.route_m.namespace,
src_sec_yaml)
create_secret_from_yaml(kube_apis.v1,
v_s_route_setup.route_s.namespace,
src_sec_yaml)
wait_before_test(1)
def wildcard_tls_secret_ingress_controller(cli_arguments, kube_apis, ingress_controller_prerequisites,
wildcard_tls_secret_setup, request) -> IngressControllerWithSecret:
"""
Create a Wildcard Ingress Controller according to the installation type
:param cli_arguments: pytest context
:param kube_apis: client apis
:param ingress_controller_prerequisites
:param wildcard_tls_secret_setup: test-class prerequisites
:param request: pytest fixture
:return: IngressController object
"""
namespace = ingress_controller_prerequisites.namespace
print("------------------------- Create IC and wildcard secret -----------------------------------")
secret_name = create_secret_from_yaml(kube_apis.v1, namespace,
f"{TEST_DATA}/wildcard-tls-secret/wildcard-tls-secret.yaml")
extra_args = [f"-wildcard-tls-secret={namespace}/{secret_name}"]
name = create_ingress_controller(kube_apis.v1, kube_apis.extensions_v1_beta1, cli_arguments, namespace, extra_args)
ensure_connection_to_public_endpoint(wildcard_tls_secret_setup.public_endpoint.public_ip,
wildcard_tls_secret_setup.public_endpoint.port,
wildcard_tls_secret_setup.public_endpoint.port_ssl)
def fin():
print("Remove IC and wildcard secret:")
delete_ingress_controller(kube_apis.extensions_v1_beta1, name, cli_arguments['deployment-type'], namespace)
if is_secret_present(kube_apis.v1, secret_name, namespace):
delete_secret(kube_apis.v1, secret_name, namespace)
request.addfinalizer(fin)
return IngressControllerWithSecret(secret_name)
def smoke_setup(request, kube_apis, ingress_controller_endpoint,
ingress_controller, test_namespace) -> SmokeSetup:
print(
"------------------------- Deploy Smoke Example -----------------------------------"
)
secret_name = create_secret_from_yaml(
kube_apis.v1, test_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml")
create_items_from_yaml(
kube_apis, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml",
test_namespace)
ingress_host = get_first_ingress_host_from_yaml(
f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml")
common_app = create_common_app(kube_apis.v1, kube_apis.extensions_v1_beta1,
test_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl)
def fin():
print("Clean up the Smoke Application:")
delete_common_app(kube_apis.v1, kube_apis.extensions_v1_beta1,
common_app, test_namespace)
delete_items_from_yaml(
kube_apis, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml",
test_namespace)
delete_secret(kube_apis.v1, secret_name, test_namespace)
request.addfinalizer(fin)
return SmokeSetup(ingress_controller_endpoint, ingress_host)
def ingress_setup(request, kube_apis, ingress_controller_endpoint,
test_namespace) -> IngressSetup:
print(
"------------------------- Deploy Ingress Example -----------------------------------"
)
secret_name = create_secret_from_yaml(
kube_apis.v1, test_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml")
create_items_from_yaml(kube_apis,
f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml",
test_namespace)
ingress_host = get_first_ingress_host_from_yaml(
f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml")
create_example_app(kube_apis, "simple", test_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
ensure_connection_to_public_endpoint(
ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl,
)
req_url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/backend1"
def fin():
print("Clean up simple app")
delete_common_app(kube_apis, "simple", test_namespace)
delete_items_from_yaml(
kube_apis, f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml",
test_namespace)
delete_secret(kube_apis.v1, secret_name, test_namespace)
request.addfinalizer(fin)
return IngressSetup(req_url, ingress_host)
def smoke_setup(request, kube_apis, ingress_controller_endpoint,
ingress_controller, test_namespace) -> SmokeSetup:
print(
"------------------------- Deploy Smoke Example -----------------------------------"
)
secret_name = create_secret_from_yaml(
kube_apis.v1, test_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml")
create_items_from_yaml(
kube_apis, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml",
test_namespace)
ingress_host = get_first_ingress_host_from_yaml(
f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml")
create_example_app(kube_apis, "simple", test_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
ensure_connection_to_public_endpoint(
ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl,
)
def fin():
print("Clean up the Smoke Application:")
delete_common_app(kube_apis, "simple", test_namespace)
delete_items_from_yaml(
kube_apis, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml",
test_namespace)
delete_secret(kube_apis.v1, secret_name, test_namespace)
write_to_json(f"reload-{get_test_file_name(request.node.fspath)}.json",
reload_times)
request.addfinalizer(fin)
return SmokeSetup(ingress_controller_endpoint, ingress_host)
def setup_multiple_policies(self, kube_apis, namespace, credentials,
secret_list, policy_1, policy_2, vs_host):
print(f"Create {len(secret_list)} htpasswd secrets")
# secret_name = create_secret_from_yaml(kube_apis.v1, namespace, secret)
secret_name_list = []
for secret in secret_list:
secret_name_list.append(
create_secret_from_yaml(kube_apis.v1, namespace, secret))
print(f"Create auth basic policy #1")
pol_name_1 = create_policy_from_yaml(kube_apis.custom_objects,
policy_1, namespace)
print(f"Create auth basic policy #2")
pol_name_2 = create_policy_from_yaml(kube_apis.custom_objects,
policy_2, namespace)
wait_before_test()
with open(credentials, "r") as file:
data = file.readline()
headers = {
"host": vs_host,
"authorization": f"Basic {to_base64(data)}"
}
return secret_name_list, pol_name_1, pol_name_2, headers
def test_response_codes_after_secret_remove_and_restore(
self, kube_apis, auth_basic_secrets_setup, test_namespace,
auth_basic_secret):
req_url = f"http://{auth_basic_secrets_setup.public_endpoint.public_ip}:{auth_basic_secrets_setup.public_endpoint.port}/backend2"
delete_secret(kube_apis.v1, auth_basic_secret.secret_name,
test_namespace)
wait_before_test(1)
resp = requests.get(
req_url,
headers={
"host":
auth_basic_secrets_setup.ingress_host,
"authorization":
f"Basic {to_base64(auth_basic_secrets_setup.credentials)}"
})
assert resp.status_code == 403
auth_basic_secret.secret_name = create_secret_from_yaml(
kube_apis.v1, test_namespace,
f"{TEST_DATA}/auth-basic-secrets/auth-basic-secret.yaml")
wait_before_test(1)
resp = requests.get(
req_url,
headers={
"host":
auth_basic_secrets_setup.ingress_host,
"authorization":
f"Basic {to_base64(auth_basic_secrets_setup.credentials)}"
})
assert resp.status_code == 200
def wildcard_tls_secret_ingress_controller(cli_arguments, kube_apis, ingress_controller_prerequisites,
wildcard_tls_secret_setup, request) -> IngressControllerWithSecret:
"""
Create a Wildcard Ingress Controller according to the installation type
:param cli_arguments: pytest context
:param kube_apis: client apis
:param ingress_controller_prerequisites
:param wildcard_tls_secret_setup: test-class prerequisites
:param request: pytest fixture
:return: IngressController object
"""
namespace = ingress_controller_prerequisites.namespace
print("------------------------- Create IC and wildcard secret -----------------------------------")
secret_name = create_secret_from_yaml(kube_apis.v1, namespace,
f"{TEST_DATA}/wildcard-tls-secret/wildcard-tls-secret.yaml")
extra_args = [f"-wildcard-tls-secret={namespace}/{secret_name}"]
name = create_ingress_controller(kube_apis.v1, kube_apis.extensions_v1_beta1, cli_arguments, namespace, extra_args)
ensure_connection_to_public_endpoint(wildcard_tls_secret_setup.public_endpoint.public_ip,
wildcard_tls_secret_setup.public_endpoint.port,
wildcard_tls_secret_setup.public_endpoint.port_ssl)
def fin():
print("Remove IC and wildcard secret:")
delete_ingress_controller(kube_apis.extensions_v1_beta1, name, cli_arguments['deployment-type'], namespace)
if is_secret_present(kube_apis.v1, secret_name, namespace):
delete_secret(kube_apis.v1, secret_name, namespace)
request.addfinalizer(fin)
return IngressControllerWithSecret(secret_name)
def test_certificate_subject_updates_after_secret_update(
self, kube_apis, ingress_controller_prerequisites,
wildcard_tls_secret_ingress_controller, wildcard_tls_secret_setup):
delete_secret(kube_apis.v1,
wildcard_tls_secret_ingress_controller.secret_name,
ingress_controller_prerequisites.namespace)
create_secret_from_yaml(
kube_apis.v1, ingress_controller_prerequisites.namespace,
f"{TEST_DATA}/wildcard-tls-secret/gb-wildcard-tls-secret.yaml")
wait_before_test(1)
subject_dict = get_server_certificate_subject(
wildcard_tls_secret_setup.public_endpoint.public_ip,
wildcard_tls_secret_setup.ingress_host,
wildcard_tls_secret_setup.public_endpoint.port_ssl)
assert subject_dict[b'C'] == b'GB'
assert subject_dict[b'ST'] == b'Cambridgeshire'
assert subject_dict[b'CN'] == b'cafe.example.com'
def test_tls_termination(self, kube_apis, crd_ingress_controller,
virtual_server_setup, clean_up):
print("\nStep 1: no secret")
assert_ssl_error(virtual_server_setup)
print("\nStep 2: deploy secret and check")
secret_name = create_secret_from_yaml(
kube_apis.v1, virtual_server_setup.namespace,
f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml")
wait_before_test(1)
assert_us_subject(virtual_server_setup)
print("\nStep 3: remove secret and check")
delete_secret(kube_apis.v1, secret_name,
virtual_server_setup.namespace)
wait_before_test(1)
assert_ssl_error(virtual_server_setup)
print("\nStep 4: restore secret and check")
create_secret_from_yaml(
kube_apis.v1, virtual_server_setup.namespace,
f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml")
wait_before_test(1)
assert_us_subject(virtual_server_setup)
print("\nStep 5: deploy invalid secret and check")
replace_secret(
kube_apis.v1, secret_name, virtual_server_setup.namespace,
f"{TEST_DATA}/virtual-server-tls/invalid-tls-secret.yaml")
wait_before_test(1)
assert_ssl_error(virtual_server_setup)
print("\nStep 6: restore secret and check")
replace_secret(kube_apis.v1, secret_name,
virtual_server_setup.namespace,
f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml")
wait_before_test(1)
assert_us_subject(virtual_server_setup)
print("\nStep 7: update secret and check")
replace_secret(kube_apis.v1, secret_name,
virtual_server_setup.namespace,
f"{TEST_DATA}/virtual-server-tls/new-tls-secret.yaml")
wait_before_test(1)
assert_gb_subject(virtual_server_setup)
def test_certificate_subject_remains_with_invalid_secret(
self, kube_apis, ingress_controller_prerequisites,
wildcard_tls_secret_ingress_controller, wildcard_tls_secret_setup):
delete_secret(kube_apis.v1,
wildcard_tls_secret_ingress_controller.secret_name,
ingress_controller_prerequisites.namespace)
create_secret_from_yaml(
kube_apis.v1, ingress_controller_prerequisites.namespace,
f"{TEST_DATA}/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml"
)
wait_before_test(1)
subject_dict = get_server_certificate_subject(
wildcard_tls_secret_setup.public_endpoint.public_ip,
wildcard_tls_secret_setup.ingress_host,
wildcard_tls_secret_setup.public_endpoint.port_ssl)
assert subject_dict[b'C'] == b'ES'
assert subject_dict[b'ST'] == b'CanaryIslands'
assert subject_dict[b'CN'] == b'example.com'
def prometheus_secret_setup(request, kube_apis, test_namespace):
print("------------------------- Deploy Prometheus Secret -----------------------------------")
prometheus_secret_name = create_secret_from_yaml(
kube_apis.v1, "nginx-ingress", f"{TEST_DATA}/prometheus/secret.yaml"
)
def fin():
delete_secret(kube_apis.v1, prometheus_secret_name, "nginx-ingress")
request.addfinalizer(fin)
def test_response_codes_after_secret_remove_and_restore(self, kube_apis, jwt_secrets_setup, test_namespace, jwt_secret):
req_url = f"http://{jwt_secrets_setup.public_endpoint.public_ip}:{jwt_secrets_setup.public_endpoint.port}/backend2"
delete_secret(kube_apis.v1, jwt_secret.secret_name, test_namespace)
wait_before_test(1)
resp = requests.get(req_url, headers={"host": jwt_secrets_setup.ingress_host}, cookies={"auth_token": jwt_secrets_setup.jwt_token})
assert resp.status_code == 500
jwt_secret.secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/jwt-secrets/jwt-secret.yaml")
wait_before_test(1)
resp = requests.get(req_url, headers={"host": jwt_secrets_setup.ingress_host}, cookies={"auth_token": jwt_secrets_setup.jwt_token})
assert resp.status_code == 200
def test_response_codes_after_secret_remove_and_restore(self, kube_apis, jwt_secrets_setup, test_namespace, jwt_secret):
req_url = f"http://{jwt_secrets_setup.public_endpoint.public_ip}:{jwt_secrets_setup.public_endpoint.port}/backend2"
delete_secret(kube_apis.v1, jwt_secret.secret_name, test_namespace)
wait_before_test(1)
resp = requests.get(req_url, headers={"host": jwt_secrets_setup.ingress_host}, cookies={"auth_token": jwt_secrets_setup.jwt_token})
assert resp.status_code == 500
jwt_secret.secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/jwt-secrets/jwt-secret.yaml")
wait_before_test(1)
resp = requests.get(req_url, headers={"host": jwt_secrets_setup.ingress_host}, cookies={"auth_token": jwt_secrets_setup.jwt_token})
assert resp.status_code == 200
def jwt_secret(request, kube_apis, ingress_controller_endpoint, jwt_secrets_setup, test_namespace) -> JWTSecret:
secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/jwt-secrets/jwt-secret.yaml")
wait_before_test(1)
def fin():
print("Delete Secret:")
if is_secret_present(kube_apis.v1, secret_name, test_namespace):
delete_secret(kube_apis.v1, secret_name, test_namespace)
request.addfinalizer(fin)
return JWTSecret(secret_name)
def jwt_secret(request, kube_apis, ingress_controller_endpoint, jwt_secrets_setup, test_namespace) -> JWTSecret:
secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/jwt-secrets/jwt-secret.yaml")
wait_before_test(1)
def fin():
print("Delete Secret:")
if is_secret_present(kube_apis.v1, secret_name, test_namespace):
delete_secret(kube_apis.v1, secret_name, test_namespace)
request.addfinalizer(fin)
return JWTSecret(secret_name)
def setup_single_policy(self, kube_apis, namespace, token, secret, policy, vs_host):
print(f"Create jwk secret")
secret_name = create_secret_from_yaml(kube_apis.v1, namespace, secret)
print(f"Create jwt policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy, namespace)
with open(token, "r") as file:
data = file.readline()
headers = {"host": vs_host, "token": data}
return secret_name, pol_name, headers
def ap_generic_setup(kube_apis, vs_namespace, test_namespace, policy_method,
vs_yaml):
src_pol_yaml = f"{TEST_DATA}/ap-waf-grpc/policies/waf-block-{policy_method}.yaml"
print(
"------------------------- Deploy logconf -----------------------------"
)
global log_name
log_name = create_ap_logconf_from_yaml(kube_apis.custom_objects,
src_log_yaml, test_namespace)
print(
f"------------------------- Deploy AP policy ---------------------------"
)
src_appol_yaml = f"{TEST_DATA}/ap-waf-grpc/grpc-block-{policy_method}.yaml"
global ap_pol_name
ap_pol_name = create_ap_policy_from_yaml(kube_apis.custom_objects,
src_appol_yaml, test_namespace)
print(
"------------------------- Deploy Syslog -----------------------------"
)
create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
wait_before_test(20)
syslog_ep = get_service_endpoint(kube_apis, "syslog-svc", test_namespace)
print("------------------------- Deploy App -----------------------------")
create_example_app(kube_apis, "grpc-vs", vs_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, vs_namespace)
print(
"------------------------- Deploy Secret -----------------------------"
)
create_secret_from_yaml(kube_apis.v1, vs_namespace, src_vs_sec_yaml)
print(
f"------------------------- Deploy policy ---------------------------")
src_pol_name = create_ap_waf_policy_from_yaml(
kube_apis.custom_objects, src_pol_yaml, vs_namespace, test_namespace,
True, True, ap_pol_name, log_name, f"syslog:server={syslog_ep}:514")
print(
"------------------------- Deploy Virtual Server -----------------------------------"
)
vs_name = create_virtual_server_from_yaml(kube_apis.custom_objects,
vs_yaml, vs_namespace)
return (src_pol_name, vs_name)
def test_with_default_tls_secret(self, kube_apis,
ingress_controller_endpoint, secret_setup,
default_server_setup):
print("Step 1: ensure CN of the default server TLS cert")
assert_cn(ingress_controller_endpoint, "NGINXIngressController")
print(
"Step 2: ensure CN of the default server TLS cert after removing the secret"
)
delete_secret(kube_apis.v1, secret_name, secret_namespace)
wait_before_test(1)
# Ingress Controller retains the previous valid secret
assert_cn(ingress_controller_endpoint, "NGINXIngressController")
print(
"Step 3: ensure CN of the default TLS cert after creating an updated secret"
)
create_secret_from_yaml(kube_apis.v1, secret_namespace,
new_secret_path)
wait_before_test(1)
assert_cn(ingress_controller_endpoint, "cafe.example.com")
print(
"Step 4: ensure CN of the default TLS cert after making the secret invalid"
)
replace_secret(kube_apis.v1, secret_name, secret_namespace,
invalid_secret_path)
wait_before_test(1)
# Ingress Controller retains the previous valid secret
assert_cn(ingress_controller_endpoint, "cafe.example.com")
print(
"Step 5: ensure CN of the default TLS cert after restoring the secret"
)
replace_secret(kube_apis.v1, secret_name, secret_namespace,
secret_path)
wait_before_test(1)
assert_cn(ingress_controller_endpoint, "NGINXIngressController")
def simple_ingress_setup(
request,
kube_apis,
ingress_controller_endpoint,
test_namespace,
ingress_controller,
) -> IngressSetup:
"""
Deploy simple application and all the Ingress resources under test in one namespace.
:param request: pytest fixture
:param kube_apis: client apis
:param ingress_controller_endpoint: public endpoint
:param test_namespace:
:return: BackendSetup
"""
req_url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/backend1"
metrics_url = f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.metrics_port}/metrics"
secret_name = create_secret_from_yaml(
kube_apis.v1, test_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml"
)
create_example_app(kube_apis, "simple", test_namespace)
create_items_from_yaml(
kube_apis, f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml", test_namespace
)
ingress_host = get_first_ingress_host_from_yaml(
f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml"
)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
ensure_connection_to_public_endpoint(
ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl,
)
def fin():
print("Clean up the Application:")
delete_common_app(kube_apis, "simple", test_namespace)
delete_secret(kube_apis.v1, secret_name, test_namespace)
delete_items_from_yaml(
kube_apis, f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml", test_namespace
)
request.addfinalizer(fin)
return IngressSetup(req_url, metrics_url, ingress_host)
def test_tls_termination(self, kube_apis, ingress_controller_endpoint,
test_namespace, tls_setup):
print("Step 1: no secret")
assert_unrecognized_name_error(ingress_controller_endpoint,
tls_setup.ingress_host)
print("Step 2: deploy secret and check")
create_secret_from_yaml(kube_apis.v1, test_namespace,
tls_setup.secret_path)
wait_before_test(1)
assert_us_subject(ingress_controller_endpoint, tls_setup.ingress_host)
print("Step 3: remove secret and check")
delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace)
wait_before_test(1)
assert_unrecognized_name_error(ingress_controller_endpoint,
tls_setup.ingress_host)
print("Step 4: restore secret and check")
create_secret_from_yaml(kube_apis.v1, test_namespace,
tls_setup.secret_path)
wait_before_test(1)
assert_us_subject(ingress_controller_endpoint, tls_setup.ingress_host)
print("Step 5: deploy invalid secret and check")
delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace)
create_secret_from_yaml(kube_apis.v1, test_namespace,
tls_setup.invalid_secret_path)
wait_before_test(1)
assert_unrecognized_name_error(ingress_controller_endpoint,
tls_setup.ingress_host)
print("Step 6: restore secret and check")
delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace)
create_secret_from_yaml(kube_apis.v1, test_namespace,
tls_setup.secret_path)
wait_before_test(1)
assert_us_subject(ingress_controller_endpoint, tls_setup.ingress_host)
print("Step 7: update secret and check")
replace_secret(kube_apis.v1, tls_setup.secret_name, test_namespace,
tls_setup.new_secret_path)
wait_before_test(1)
assert_gb_subject(ingress_controller_endpoint, tls_setup.ingress_host)
def setup_multiple_policies(
self, kube_apis, namespace, token, secret, policy_1, policy_2, vs_host
):
print(f"Create jwk secret")
secret_name = create_secret_from_yaml(kube_apis.v1, namespace, secret)
print(f"Create jwt policy #1")
pol_name_1 = create_policy_from_yaml(kube_apis.custom_objects, policy_1, namespace)
print(f"Create jwt policy #2")
pol_name_2 = create_policy_from_yaml(kube_apis.custom_objects, policy_2, namespace)
wait_before_test()
with open(token, "r") as file:
data = file.readline()
headers = {"host": vs_host, "token": data}
return secret_name, pol_name_1, pol_name_2, headers
def setup_single_policy(self, kube_apis, test_namespace, credentials, secret, policy, vs_host):
print(f"Create htpasswd secret")
secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, secret)
print(f"Create auth basic policy")
pol_name = create_policy_from_yaml(kube_apis.custom_objects, policy, test_namespace)
wait_before_test()
# generate header without auth
if credentials == None :
return secret_name, pol_name, {"host": vs_host}
with open(credentials, "r") as file:
data = file.readline()
headers = {"host": vs_host, "authorization": f"Basic {to_base64(data)}"}
return secret_name, pol_name, headers
def smoke_setup(request, kube_apis, ingress_controller_endpoint, ingress_controller, test_namespace) -> SmokeSetup:
print("------------------------- Deploy Smoke Example -----------------------------------")
secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml")
create_items_from_yaml(kube_apis.extensions_v1_beta1, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml", test_namespace)
ingress_host = get_ingress_host_from_yaml(f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml")
common_app = create_common_app(kube_apis.v1, kube_apis.extensions_v1_beta1, test_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl)
def fin():
print("Clean up the Smoke Application:")
delete_common_app(kube_apis.v1, kube_apis.extensions_v1_beta1, common_app, test_namespace)
delete_items_from_yaml(kube_apis.extensions_v1_beta1, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml",
test_namespace)
delete_secret(kube_apis.v1, secret_name, test_namespace)
request.addfinalizer(fin)
return SmokeSetup(ingress_controller_endpoint, ingress_host)
