Skip to content

Commit

Permalink
Generate certs and private keys for tests (#6100)
Browse files Browse the repository at this point in the history 
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
  • Loading branch information
@tsaarni
tsaarni authored Jan 23, 2024
1 parent 5f22aeb commit 26ddb0f
Show file tree
Hide file tree
Showing 24 changed files with 185 additions and 655 deletions.
138 changes: 71 additions & 67 deletions internal/featuretests/kubernetes.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,11 @@ package featuretests
// kubernetes helpers

import (
"testing"

"github.com/projectcontour/contour/internal/dag"
"github.com/projectcontour/contour/internal/fixture"
"github.com/tsaarni/certyaml"
v1 "k8s.io/api/core/v1"
networking_v1 "k8s.io/api/networking/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand All @@ -32,75 +37,74 @@ func IngressBackend(svc *v1.Service) *networking_v1.IngressBackend {
}
}

// nolint:revive,gosec
const (
// CERTIFICATE generated by
// openssl genrsa -out example-key.pem 2048
// openssl req -new -x509 -days 18250 -key example-key.pem -sha256 -subj "/CN=www.example.com" -out example.pem
CERTIFICATE = `-----BEGIN CERTIFICATE-----
MIIDFzCCAf+gAwIBAgIUZULFakfIJl0qaJXAVPCz2nzvB38wDQYJKoZIhvcNAQEL
BQAwGjEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMCAXDTIyMDgxOTExMDkxNVoY
DzIwNzIwODA2MTEwOTE1WjAaMRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDS9S4d/ea6wqiib8UeyHMptoks
w+q2DNuF75NQHLh5Z2rUnE/N8/KVhpIx81QdId1maWS0b3392hCRRFY3sDlMpRk/
1uoQgzLdk8pjw1JiqoDpvTiKZsADmVuUcCdHLNEzYtcLWBv0VyyNyE5pdrnVnMbx
w1aiQ8w2lcBCJQ8Y4DAc5oKlvBu49aUsvfFZwjL6Cr1qafQiYylqQcz7zqGBYjXc
iMzN+4fE1XQlw1iy6XmVZiHQr8Sb7EBI+g0iJapgNv7tBunzywSvAYK8N42QQOll
1sKEVf7thoNEmJTIUFo6m57Fys7LQ/B8in5JwBU+1FjqNWLJ1Gj+zIc93oc3AgMB
AAGjUzBRMB0GA1UdDgQWBBS/BZ2Uu1Y0//Um8bOqyyWz9LnPvzAfBgNVHSMEGDAW
gBS/BZ2Uu1Y0//Um8bOqyyWz9LnPvzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
DQEBCwUAA4IBAQCTZ6ZDi7aU7NjZdGWNLrRCBEt+FcD+mdvtRcaSp2K7m+WObnWl
rDM7V/s8ziu8ffwfwEbaBKYVLO7Mww8ke0WclBp1sq6A5AWy1sBCQYJuPCdOJNY0
fLaZObhUSQvNGw1wAXkgczrsOa/5QII356UsLiqhninXWYTMvNehab4+QW6Dldqo
EyxKgX2Ls984ZN5CDvvXfRnkeQW1/K705ReZq8qmtmCwU5wHYy0IoJGNapeX45VY
6s2n5I5CpH4L9Ua4NLgqphjC/QYK4q71GHTZD89mfTsmE+0flgFDS+wrv5SusK8u
CY2iW9j8VptZU8LVs9FrhgecEtfXbTA3MeSo
-----END CERTIFICATE-----`

CERTIFICATE_WITH_TEXT = CERTIFICATE + "\t\r\n"

RSA_PRIVATE_KEY = `-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA0vUuHf3musKoom/FHshzKbaJLMPqtgzbhe+TUBy4eWdq1JxP
zfPylYaSMfNUHSHdZmlktG99/doQkURWN7A5TKUZP9bqEIMy3ZPKY8NSYqqA6b04
imbAA5lblHAnRyzRM2LXC1gb9FcsjchOaXa51ZzG8cNWokPMNpXAQiUPGOAwHOaC
pbwbuPWlLL3xWcIy+gq9amn0ImMpakHM+86hgWI13IjMzfuHxNV0JcNYsul5lWYh
0K/Em+xASPoNIiWqYDb+7Qbp88sErwGCvDeNkEDpZdbChFX+7YaDRJiUyFBaOpue
xcrOy0PwfIp+ScAVPtRY6jViydRo/syHPd6HNwIDAQABAoIBAEf36RHGSu6v9gPk
iaUk0VULtuSUuf/9hu68es873Rtd0q5R3U/vx3SHglyUHMALi5Kipf6AgsUVnc1R
OPCqqAGj2WdUFGopuDKrdsJuIi8S6APVz/I3d45CxWFwmZXIjl4vfBmcp3zGOKbu
DQIhxOhBIgXclDOrWYHNuNdX+TyMr9cBe9bPtsWmN6Wl8V26kLzboQ3bIsM9taL+
sizVNrLL4U7oqbsKVhmI1m78+VaucQeK+XuyvuT6toOxY/Mgidcp4Mwq06aOTFug
N/u+VyXNen3Vk6/kMTxbaM9aQ05cnOrKqrgJAhiFGb+lcqvvGlwGxNqGcBABYkqf
ejhNdEECgYEA/3shOSl4GmEGZZXTARo0bDnelSpSJgmlStBeAGraq+lm/4IrTCCB
2tmJkEs6uiCEH7vkbbI/lLlhNjM2gKDovP3UwTQHGfiHlcIYYICMIpbp7+Ar9+ex
4KPXmgqqhTKC4xQYGoUE6INlpZcQ4blA4AtQbhgcC4Cp8FD/QbXp0xECgYEA02Ll
EAxzHZBNoK/5oPL0LiDUW/zPdOWCQCW8oGW5gDUvCLQ/lntegL8Qzubt7PZ4xgeg
m2ENTDcp1Zfn9s0T1V2T9Sba8gShUCvm9nLVCj4OQ3lwDufwHFuhKFpj1BVnHD5y
9yhXfyrFgvhamepEjq6LZUCrL1HxZqgOezv6JccCgYBqM1oFNArcFFcfZV+YRrdi
AdBX+4a4jyvp5KIe1ExgSB7rucWb2KuCOQmpNMyN0LR7qJR1UTKC9WjGqhVO9RSq
c228fo8xKZHbHBscCnO2cTt/3pUIcYUM167pNuPZiLzF/nVimMcIjI51fk2jN2oT
eECP82+9DFgYMONbAm7XsQKBgH/Y3ztenDz0Ks8Vv3/FkUNY3bco5vwHV0ieyj+k
ZpYRFHpKMe88fEKXzH2mk53uz8rNkCiJgTZoYqfpcQUGsYkpSLRLpL4daMcJVm4V
s523PH84sjqBsuojzQuP57K8oxkk9/ld79VctAprVLikRISbMnmxrBc5kywIVoHY
G4m/AoGBAPV0wuytURR3CbPHz28wrKRh/xnHrW+Fp3ooRfj8Pr/4zDVsqqNz2gA3
yVb6kAEpg2ON9NOWSfoUfC+THitOnRm8pKL1QL7oiq/2+s3IiK+jSevEU7TUfjio
1LwtUqv1MbKdv7TgkU0YQ99iLocWF4F4oWF6AX86/BL9y7gcbE0y
-----END RSA PRIVATE KEY-----`

CRL = `-----BEGIN X509 CRL-----
MIHlMIGMAgEBMAoGCCqGSM49BAMCMBsxGTAXBgNVBAMTEGNsaWVudC1yb290LWNh
LTEXDTIyMDYyMTA5NDQ0NVoXDTIyMDYyODA5NDQ0NVowGzAZAggW+pmWu/XnExcN
MjIwNjIxMDk0NDQ1WqAjMCEwHwYDVR0jBBgwFoAULRlmjBtfjbzwV2WeO9Vj5pWO
h5gwCgYIKoZIzj0EAwIDSAAwRQIhANVFCqByuASAcbz6ovyvi5KCtPfNjHjxVaNT
x69LFPN1AiA5pF5rqHy1FBctZBTW+3LTEEX35j3p1++zcNu8oHMO/w==
-----END X509 CRL-----`
)
var CACertificate = certyaml.Certificate{
Subject: "CN=ca",
}

var ServerCertificate = certyaml.Certificate{
Issuer: &CACertificate,
Subject: "CN=www.example.com",
SubjectAltNames: []string{"DNS:www.example.com"},
}

var ClientCertificate = certyaml.Certificate{
Issuer: &CACertificate,
Subject: "CN=client",
}

var CRL = certyaml.CRL{
Issuer: &CACertificate,
}

func TLSSecret(t *testing.T, name string, credential *certyaml.Certificate) *v1.Secret {
cert, key, err := credential.PEM()
if err != nil {
t.Fatal(err)
}
return &v1.Secret{
ObjectMeta: fixture.ObjectMeta(name),
Type: v1.SecretTypeTLS,
Data: map[string][]byte{
v1.TLSCertKey: cert,
v1.TLSPrivateKeyKey: key,
},
}
}

func CASecret(t *testing.T, name string, credential *certyaml.Certificate) *v1.Secret {
cert, _, err := credential.PEM()
if err != nil {
t.Fatal(err)
}
return &v1.Secret{
ObjectMeta: fixture.ObjectMeta(name),
Type: v1.SecretTypeOpaque,
Data: map[string][]byte{
dag.CACertificateKey: cert,
},
}
}

func CRLSecret(t *testing.T, name string, credential *certyaml.CRL) *v1.Secret {
crl, err := credential.PEM()
if err != nil {
t.Fatal(err)
}
return &v1.Secret{
ObjectMeta: fixture.ObjectMeta(name),
Type: v1.SecretTypeOpaque,
Data: map[string][]byte{
dag.CRLKey: crl,
},
}
}

func Secretdata(cert, key string) map[string][]byte {
return map[string][]byte{
v1.TLSCertKey: []byte(cert),
v1.TLSPrivateKeyKey: []byte(key),
func PEMBytes(t *testing.T, cert *certyaml.Certificate) []byte {
c, _, err := cert.PEM()
if err != nil {
t.Fatal(err)
}
return c
}

func Endpoints(ns, name string, subsets ...v1.EndpointSubset) *v1.Endpoints {
Expand Down
35 changes: 5 additions & 30 deletions internal/featuretests/v3/authorization_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -86,12 +86,7 @@ func authzResponseTimeout(t *testing.T, rh ResourceEventHandlerWrapper, c *Conto
envoy_v3.TLSInspector(),
),
FilterChains: []*envoy_listener_v3.FilterChain{
filterchaintls(fqdn,
&corev1.Secret{
ObjectMeta: fixture.ObjectMeta("certificate"),
Type: "kubernetes.io/tls",
Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
},
filterchaintls(fqdn, featuretests.TLSSecret(t, "certificate", &featuretests.ServerCertificate),
authzFilterFor(
fqdn,
&envoy_config_filter_http_ext_authz_v3.ExtAuthz{
Expand Down Expand Up @@ -172,12 +167,7 @@ func authzFailOpen(t *testing.T, rh ResourceEventHandlerWrapper, c *Contour) {
envoy_v3.TLSInspector(),
),
FilterChains: []*envoy_listener_v3.FilterChain{
filterchaintls(fqdn,
&corev1.Secret{
ObjectMeta: fixture.ObjectMeta("certificate"),
Type: "kubernetes.io/tls",
Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
},
filterchaintls(fqdn, featuretests.TLSSecret(t, "certificate", &featuretests.ServerCertificate),
authzFilterFor(
fqdn,
&envoy_config_filter_http_ext_authz_v3.ExtAuthz{
Expand Down Expand Up @@ -487,12 +477,7 @@ func authzInvalidReference(t *testing.T, rh ResourceEventHandlerWrapper, c *Cont
envoy_v3.TLSInspector(),
),
FilterChains: []*envoy_listener_v3.FilterChain{
filterchaintls(fqdn,
&corev1.Secret{
ObjectMeta: fixture.ObjectMeta("certificate"),
Type: "kubernetes.io/tls",
Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
},
filterchaintls(fqdn, featuretests.TLSSecret(t, "certificate", &featuretests.ServerCertificate),
authzFilterFor(
fqdn,
&envoy_config_filter_http_ext_authz_v3.ExtAuthz{
Expand Down Expand Up @@ -551,12 +536,7 @@ func authzWithRequestBodyBufferSettings(t *testing.T, rh ResourceEventHandlerWra
envoy_v3.TLSInspector(),
),
FilterChains: []*envoy_listener_v3.FilterChain{
filterchaintls(fqdn,
&corev1.Secret{
ObjectMeta: fixture.ObjectMeta("certificate"),
Type: "kubernetes.io/tls",
Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
},
filterchaintls(fqdn, featuretests.TLSSecret(t, "certificate", &featuretests.ServerCertificate),
authzFilterFor(
fqdn,
&envoy_config_filter_http_ext_authz_v3.ExtAuthz{
Expand Down Expand Up @@ -631,12 +611,7 @@ func TestAuthorization(t *testing.T) {
Ports: featuretests.Ports(featuretests.Port("", 80)),
}))

rh.OnAdd(&corev1.Secret{
ObjectMeta: fixture.ObjectMeta("certificate"),
Type: "kubernetes.io/tls",
Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
})

rh.OnAdd(featuretests.TLSSecret(t, "certificate", &featuretests.ServerCertificate))
f(t, rh, c)
})
}
Expand Down
23 changes: 6 additions & 17 deletions internal/featuretests/v3/backendcavalidation_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,28 +18,17 @@ import (

envoy_discovery_v3 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1"
"github.com/projectcontour/contour/internal/dag"
"github.com/projectcontour/contour/internal/featuretests"
"github.com/projectcontour/contour/internal/fixture"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
)

func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
rh, c, done := setup(t)
defer done()

secret := &v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "foo",
Namespace: "default",
},
Type: v1.SecretTypeOpaque,
Data: map[string][]byte{
dag.CACertificateKey: []byte(featuretests.CERTIFICATE),
},
}
caSecret := featuretests.CASecret(t, "foo", &featuretests.CACertificate)

svc := fixture.NewService("default/kuard").
Annotate("projectcontour.io/upstream-protocol.tls", "securebackend,443").
Expand All @@ -60,7 +49,7 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
}},
},
}
rh.OnAdd(secret)
rh.OnAdd(caSecret)
rh.OnAdd(svc)
rh.OnAdd(p1)

Expand Down Expand Up @@ -93,7 +82,7 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
Name: svc.Name,
Port: 443,
UpstreamValidation: &contour_api_v1.UpstreamValidation{
CACertificate: secret.Name,
CACertificate: caSecret.Name,
SubjectName: "subjname",
},
}},
Expand All @@ -114,7 +103,7 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
// assert that the cluster now has a certificate and subject name.
c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{
Resources: resources(t,
tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), []byte(featuretests.CERTIFICATE), "subjname", "", nil, nil),
tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), caSecret, "subjname", "", nil, nil),
),
TypeUrl: clusterType,
})
Expand All @@ -140,7 +129,7 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
Name: svc.Name,
Port: 443,
UpstreamValidation: &contour_api_v1.UpstreamValidation{
CACertificate: secret.Name,
CACertificate: caSecret.Name,
SubjectName: "subjname",
},
}},
Expand All @@ -161,7 +150,7 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
// assert that the cluster now has a certificate and subject name.
c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{
Resources: resources(t,
tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), []byte(featuretests.CERTIFICATE), "subjname", "", nil, nil),
tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), caSecret, "subjname", "", nil, nil),
),
TypeUrl: clusterType,
})
Expand Down
Loading

0 comments on commit 26ddb0f

Please sign in to comment.