diff --git a/internal/featuretests/kubernetes.go b/internal/featuretests/kubernetes.go
index 5f257e80f28..c72fbb5de7d 100644
--- a/internal/featuretests/kubernetes.go
+++ b/internal/featuretests/kubernetes.go
@@ -16,6 +16,11 @@ package featuretests
 // kubernetes helpers
 
 import (
+ "testing"
+
+ "github.com/projectcontour/contour/internal/dag"
+ "github.com/projectcontour/contour/internal/fixture"
+ "github.com/tsaarni/certyaml"
 v1 "k8s.io/api/core/v1"
 networking_v1 "k8s.io/api/networking/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -32,75 +37,74 @@ func IngressBackend(svc *v1.Service) *networking_v1.IngressBackend {
 }
 }
 
-// nolint:revive,gosec
-const (
- // CERTIFICATE generated by
- // openssl genrsa -out example-key.pem 2048
- // openssl req -new -x509 -days 18250 -key example-key.pem -sha256 -subj "/CN=www.example.com" -out example.pem
- CERTIFICATE = `-----BEGIN CERTIFICATE-----
-MIIDFzCCAf+gAwIBAgIUZULFakfIJl0qaJXAVPCz2nzvB38wDQYJKoZIhvcNAQEL
-BQAwGjEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMCAXDTIyMDgxOTExMDkxNVoY
-DzIwNzIwODA2MTEwOTE1WjAaMRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20wggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDS9S4d/ea6wqiib8UeyHMptoks
-w+q2DNuF75NQHLh5Z2rUnE/N8/KVhpIx81QdId1maWS0b3392hCRRFY3sDlMpRk/
-1uoQgzLdk8pjw1JiqoDpvTiKZsADmVuUcCdHLNEzYtcLWBv0VyyNyE5pdrnVnMbx
-w1aiQ8w2lcBCJQ8Y4DAc5oKlvBu49aUsvfFZwjL6Cr1qafQiYylqQcz7zqGBYjXc
-iMzN+4fE1XQlw1iy6XmVZiHQr8Sb7EBI+g0iJapgNv7tBunzywSvAYK8N42QQOll
-1sKEVf7thoNEmJTIUFo6m57Fys7LQ/B8in5JwBU+1FjqNWLJ1Gj+zIc93oc3AgMB
-AAGjUzBRMB0GA1UdDgQWBBS/BZ2Uu1Y0//Um8bOqyyWz9LnPvzAfBgNVHSMEGDAW
-gBS/BZ2Uu1Y0//Um8bOqyyWz9LnPvzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
-DQEBCwUAA4IBAQCTZ6ZDi7aU7NjZdGWNLrRCBEt+FcD+mdvtRcaSp2K7m+WObnWl
-rDM7V/s8ziu8ffwfwEbaBKYVLO7Mww8ke0WclBp1sq6A5AWy1sBCQYJuPCdOJNY0
-fLaZObhUSQvNGw1wAXkgczrsOa/5QII356UsLiqhninXWYTMvNehab4+QW6Dldqo
-EyxKgX2Ls984ZN5CDvvXfRnkeQW1/K705ReZq8qmtmCwU5wHYy0IoJGNapeX45VY
-6s2n5I5CpH4L9Ua4NLgqphjC/QYK4q71GHTZD89mfTsmE+0flgFDS+wrv5SusK8u
-CY2iW9j8VptZU8LVs9FrhgecEtfXbTA3MeSo
------END CERTIFICATE-----`
-
- CERTIFICATE_WITH_TEXT = CERTIFICATE + "\t\r\n"
-
- RSA_PRIVATE_KEY = `-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA0vUuHf3musKoom/FHshzKbaJLMPqtgzbhe+TUBy4eWdq1JxP
-zfPylYaSMfNUHSHdZmlktG99/doQkURWN7A5TKUZP9bqEIMy3ZPKY8NSYqqA6b04
-imbAA5lblHAnRyzRM2LXC1gb9FcsjchOaXa51ZzG8cNWokPMNpXAQiUPGOAwHOaC
-pbwbuPWlLL3xWcIy+gq9amn0ImMpakHM+86hgWI13IjMzfuHxNV0JcNYsul5lWYh
-0K/Em+xASPoNIiWqYDb+7Qbp88sErwGCvDeNkEDpZdbChFX+7YaDRJiUyFBaOpue
-xcrOy0PwfIp+ScAVPtRY6jViydRo/syHPd6HNwIDAQABAoIBAEf36RHGSu6v9gPk
-iaUk0VULtuSUuf/9hu68es873Rtd0q5R3U/vx3SHglyUHMALi5Kipf6AgsUVnc1R
-OPCqqAGj2WdUFGopuDKrdsJuIi8S6APVz/I3d45CxWFwmZXIjl4vfBmcp3zGOKbu
-DQIhxOhBIgXclDOrWYHNuNdX+TyMr9cBe9bPtsWmN6Wl8V26kLzboQ3bIsM9taL+
-sizVNrLL4U7oqbsKVhmI1m78+VaucQeK+XuyvuT6toOxY/Mgidcp4Mwq06aOTFug
-N/u+VyXNen3Vk6/kMTxbaM9aQ05cnOrKqrgJAhiFGb+lcqvvGlwGxNqGcBABYkqf
-ejhNdEECgYEA/3shOSl4GmEGZZXTARo0bDnelSpSJgmlStBeAGraq+lm/4IrTCCB
-2tmJkEs6uiCEH7vkbbI/lLlhNjM2gKDovP3UwTQHGfiHlcIYYICMIpbp7+Ar9+ex
-4KPXmgqqhTKC4xQYGoUE6INlpZcQ4blA4AtQbhgcC4Cp8FD/QbXp0xECgYEA02Ll
-EAxzHZBNoK/5oPL0LiDUW/zPdOWCQCW8oGW5gDUvCLQ/lntegL8Qzubt7PZ4xgeg
-m2ENTDcp1Zfn9s0T1V2T9Sba8gShUCvm9nLVCj4OQ3lwDufwHFuhKFpj1BVnHD5y
-9yhXfyrFgvhamepEjq6LZUCrL1HxZqgOezv6JccCgYBqM1oFNArcFFcfZV+YRrdi
-AdBX+4a4jyvp5KIe1ExgSB7rucWb2KuCOQmpNMyN0LR7qJR1UTKC9WjGqhVO9RSq
-c228fo8xKZHbHBscCnO2cTt/3pUIcYUM167pNuPZiLzF/nVimMcIjI51fk2jN2oT
-eECP82+9DFgYMONbAm7XsQKBgH/Y3ztenDz0Ks8Vv3/FkUNY3bco5vwHV0ieyj+k
-ZpYRFHpKMe88fEKXzH2mk53uz8rNkCiJgTZoYqfpcQUGsYkpSLRLpL4daMcJVm4V
-s523PH84sjqBsuojzQuP57K8oxkk9/ld79VctAprVLikRISbMnmxrBc5kywIVoHY
-G4m/AoGBAPV0wuytURR3CbPHz28wrKRh/xnHrW+Fp3ooRfj8Pr/4zDVsqqNz2gA3
-yVb6kAEpg2ON9NOWSfoUfC+THitOnRm8pKL1QL7oiq/2+s3IiK+jSevEU7TUfjio
-1LwtUqv1MbKdv7TgkU0YQ99iLocWF4F4oWF6AX86/BL9y7gcbE0y
------END RSA PRIVATE KEY-----`
-
- CRL = `-----BEGIN X509 CRL-----
-MIHlMIGMAgEBMAoGCCqGSM49BAMCMBsxGTAXBgNVBAMTEGNsaWVudC1yb290LWNh
-LTEXDTIyMDYyMTA5NDQ0NVoXDTIyMDYyODA5NDQ0NVowGzAZAggW+pmWu/XnExcN
-MjIwNjIxMDk0NDQ1WqAjMCEwHwYDVR0jBBgwFoAULRlmjBtfjbzwV2WeO9Vj5pWO
-h5gwCgYIKoZIzj0EAwIDSAAwRQIhANVFCqByuASAcbz6ovyvi5KCtPfNjHjxVaNT
-x69LFPN1AiA5pF5rqHy1FBctZBTW+3LTEEX35j3p1++zcNu8oHMO/w==
------END X509 CRL-----`
-)
+var CACertificate = certyaml.Certificate{
+ Subject: "CN=ca",
+}
+
+var ServerCertificate = certyaml.Certificate{
+ Issuer: &CACertificate,
+ Subject: "CN=www.example.com",
+ SubjectAltNames: []string{"DNS:www.example.com"},
+}
+
+var ClientCertificate = certyaml.Certificate{
+ Issuer: &CACertificate,
+ Subject: "CN=client",
+}
+
+var 
CRL = certyaml.CRL{
+ Issuer: &CACertificate,
+}
+
+func TLSSecret(t *testing.T, name string, credential *certyaml.Certificate) *v1.Secret {
+ cert, key, err := credential.PEM()
+ if err != nil {
+ t.Fatal(err)
+ }
+ return &v1.Secret{
+ ObjectMeta: fixture.ObjectMeta(name),
+ Type: v1.SecretTypeTLS,
+ Data: map[string][]byte{
+ v1.TLSCertKey: cert,
+ v1.TLSPrivateKeyKey: key,
+ },
+ }
+}
+
+func CASecret(t *testing.T, name string, credential *certyaml.Certificate) *v1.Secret {
+ cert, _, err := credential.PEM()
+ if err != nil {
+ t.Fatal(err)
+ }
+ return &v1.Secret{
+ ObjectMeta: fixture.ObjectMeta(name),
+ Type: v1.SecretTypeOpaque,
+ Data: map[string][]byte{
+ dag.CACertificateKey: cert,
+ },
+ }
+}
+
+func CRLSecret(t *testing.T, name string, credential *certyaml.CRL) *v1.Secret {
+ crl, err := credential.PEM()
+ if err != nil {
+ t.Fatal(err)
+ }
+ return &v1.Secret{
+ ObjectMeta: fixture.ObjectMeta(name),
+ Type: v1.SecretTypeOpaque,
+ Data: map[string][]byte{
+ dag.CRLKey: crl,
+ },
+ }
+}
 
-func Secretdata(cert, key string) map[string][]byte {
- return map[string][]byte{
- v1.TLSCertKey: []byte(cert),
- v1.TLSPrivateKeyKey: []byte(key),
+func PEMBytes(t *testing.T, cert *certyaml.Certificate) []byte {
+ c, _, err := cert.PEM()
+ if err != nil {
+ t.Fatal(err)
 }
+ return c
 }
 
 func Endpoints(ns, name string, subsets ...v1.EndpointSubset) *v1.Endpoints {
diff --git a/internal/featuretests/v3/authorization_test.go b/internal/featuretests/v3/authorization_test.go
index 9388bb904fa..81f5d992c09 100644
--- a/internal/featuretests/v3/authorization_test.go
+++ b/internal/featuretests/v3/authorization_test.go
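Review bot: `TLSSecret`, `CASecret`, `CRLSecret` and `PEMBytes` all call `PEM()` on the package-level `CACertificate`/`ServerCertificate`/`ClientCertificate`/`CRL` values, which certyaml appears to generate lazily on first use and cache inside the struct; because that first call mutates shared state, a consuming test that uses `t.Parallel()` would race on it (`go test -race` would flag it), and the helpers only agree with each other because every later call returns the cached bytes. Making that contract explicit — a `sync.Once`-guarded eager generation, or at least a doc comment on the vars such as `// Generated once on first PEM() call and cached; do not mutate after any helper has used them.` — would keep the fixtures safe as tests grow. Separately, the deleted `CERTIFICATE_WITH_TEXT` was the fixture for a secret whose PEM carries trailing whitespace (`"\t\r\n"`); unless its callers are migrated elsewhere in this change, that regression case loses coverage, and a `TLSSecretWithTrailingWhitespace` helper appending `"\t\r\n"` to the cert returned by `PEM()` would preserve it.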
@@ -86,12 +86,7 @@ func authzResponseTimeout(t *testing.T, rh ResourceEventHandlerWrapper, c *Conto
 envoy_v3.TLSInspector(),
 ),
 FilterChains: []*envoy_listener_v3.FilterChain{
- filterchaintls(fqdn,
- &corev1.Secret{
- ObjectMeta: fixture.ObjectMeta("certificate"),
- Type: "kubernetes.io/tls",
- Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
- },
+ filterchaintls(fqdn, featuretests.TLSSecret(t, "certificate", &featuretests.ServerCertificate),
 authzFilterFor(
 fqdn,
 &envoy_config_filter_http_ext_authz_v3.ExtAuthz{
@@ -172,12 +167,7 @@ func authzFailOpen(t *testing.T, rh ResourceEventHandlerWrapper, c *Contour) {
 envoy_v3.TLSInspector(),
 ),
 FilterChains: []*envoy_listener_v3.FilterChain{
- filterchaintls(fqdn,
- &corev1.Secret{
- ObjectMeta: fixture.ObjectMeta("certificate"),
- Type: "kubernetes.io/tls",
- Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
- },
+ filterchaintls(fqdn, featuretests.TLSSecret(t, "certificate", &featuretests.ServerCertificate),
 authzFilterFor(
 fqdn,
 &envoy_config_filter_http_ext_authz_v3.ExtAuthz{
@@ -487,12 +477,7 @@ func authzInvalidReference(t *testing.T, rh ResourceEventHandlerWrapper, c *Cont
 envoy_v3.TLSInspector(),
 ),
 FilterChains: []*envoy_listener_v3.FilterChain{
- filterchaintls(fqdn,
- &corev1.Secret{
- ObjectMeta: fixture.ObjectMeta("certificate"),
- Type: "kubernetes.io/tls",
- Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
- },
+ filterchaintls(fqdn, featuretests.TLSSecret(t, "certificate", &featuretests.ServerCertificate),
 authzFilterFor(
 fqdn,
 &envoy_config_filter_http_ext_authz_v3.ExtAuthz{
@@ -551,12 +536,7 @@ func authzWithRequestBodyBufferSettings(t *testing.T, rh ResourceEventHandlerWra
 envoy_v3.TLSInspector(),
 ),
 FilterChains: []*envoy_listener_v3.FilterChain{
- filterchaintls(fqdn,
- &corev1.Secret{
- ObjectMeta: fixture.ObjectMeta("certificate"),
- Type: "kubernetes.io/tls",
- Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
- },
+ filterchaintls(fqdn, featuretests.TLSSecret(t, "certificate", &featuretests.ServerCertificate),
 authzFilterFor(
 fqdn,
 &envoy_config_filter_http_ext_authz_v3.ExtAuthz{
@@ -631,12 +611,7 @@ func TestAuthorization(t *testing.T) {
 Ports: featuretests.Ports(featuretests.Port("", 80)),
 }))
 
- rh.OnAdd(&corev1.Secret{
- ObjectMeta: fixture.ObjectMeta("certificate"),
- Type: "kubernetes.io/tls",
- Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
- })
-
+ rh.OnAdd(featuretests.TLSSecret(t, "certificate", &featuretests.ServerCertificate))
 f(t, rh, c)
 })
 }
diff --git a/internal/featuretests/v3/backendcavalidation_test.go b/internal/featuretests/v3/backendcavalidation_test.go
index ba2f6f5805c..0c64475c6b5 100644
--- a/internal/featuretests/v3/backendcavalidation_test.go
+++ b/internal/featuretests/v3/backendcavalidation_test.go
@@ -18,11 +18,9 @@ import (
 
 envoy_discovery_v3 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
 contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1"
- "github.com/projectcontour/contour/internal/dag"
 "github.com/projectcontour/contour/internal/featuretests"
 "github.com/projectcontour/contour/internal/fixture"
 v1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
 )
 
@@ -30,16 +28,7 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
 rh, c, done := setup(t)
 defer done()
 
- secret := &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: "foo",
- Namespace: "default",
- },
- Type: v1.SecretTypeOpaque,
- Data: map[string][]byte{
- dag.CACertificateKey: []byte(featuretests.CERTIFICATE),
- },
- }
+ caSecret := featuretests.CASecret(t, "foo", &featuretests.CACertificate)
 
 svc := fixture.NewService("default/kuard").
 Annotate("projectcontour.io/upstream-protocol.tls", "securebackend,443").
@@ -60,7 +49,7 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
 }},
 },
 }
- rh.OnAdd(secret)
+ rh.OnAdd(caSecret)
 rh.OnAdd(svc)
 rh.OnAdd(p1)
 
@@ -93,7 +82,7 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
 Name: svc.Name,
 Port: 443,
 UpstreamValidation: &contour_api_v1.UpstreamValidation{
- CACertificate: secret.Name,
+ CACertificate: caSecret.Name,
 SubjectName: "subjname",
 },
 }},
@@ -114,7 +103,7 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
 // assert that the cluster now has a certificate and subject name.
 c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{
 Resources: resources(t,
- tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), []byte(featuretests.CERTIFICATE), "subjname", "", nil, nil),
+ tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), caSecret, "subjname", "", nil, nil),
 ),
 TypeUrl: clusterType,
 })
@@ -140,7 +129,7 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
 Name: svc.Name,
 Port: 443,
 UpstreamValidation: &contour_api_v1.UpstreamValidation{
- CACertificate: secret.Name,
+ CACertificate: caSecret.Name,
 SubjectName: "subjname",
 },
 }},
@@ -161,7 +150,7 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
 // assert that the cluster now has a certificate and subject name.
 c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{
 Resources: resources(t,
- tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), []byte(featuretests.CERTIFICATE), "subjname", "", nil, nil),
+ tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), caSecret, "subjname", "", nil, nil),
 ),
 TypeUrl: clusterType,
 })
diff --git a/internal/featuretests/v3/backendclientauth_test.go b/internal/featuretests/v3/backendclientauth_test.go
index 5b2f066b150..ab168a87b90 100644
--- a/internal/featuretests/v3/backendclientauth_test.go
+++ b/internal/featuretests/v3/backendclientauth_test.go
@@ -28,7 +28,6 @@ import (
 "github.com/sirupsen/logrus"
 v1 "k8s.io/api/core/v1"
 networking_v1 "k8s.io/api/networking/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
 )
 
@@ -63,38 +62,14 @@ func proxyClientCertificateOpt(t *testing.T) func(*dag.Builder) {
 }
 }
 
-func clientSecret() *v1.Secret {
- return &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: "envoyclientsecret",
- Namespace: "default",
- },
- Type: v1.SecretTypeTLS,
- Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
- }
-}
-
-func caSecret() *v1.Secret {
- return &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: "backendcacert",
- Namespace: "default",
- },
- Type: v1.SecretTypeOpaque,
- Data: map[string][]byte{
- dag.CACertificateKey: []byte(featuretests.CERTIFICATE),
- },
- }
-}
-
 func TestBackendClientAuthenticationWithHTTPProxy(t *testing.T) {
 rh, c, done := setup(t, proxyClientCertificateOpt(t))
 defer done()
 
- sec1 := clientSecret()
- sec2 := caSecret()
- rh.OnAdd(sec1)
- rh.OnAdd(sec2)
+ clientSecret := featuretests.TLSSecret(t, "envoyclientsecret", &featuretests.ClientCertificate)
+ caSecret := featuretests.CASecret(t, "backendcacert", &featuretests.CACertificate)
+ rh.OnAdd(clientSecret)
+ rh.OnAdd(caSecret)
 
 svc := fixture.NewService("backend").
 WithPorts(v1.ServicePort{Name: "http", Port: 443})
@@ -111,7 +86,7 @@ func TestBackendClientAuthenticationWithHTTPProxy(t *testing.T) {
 Port: 443,
 Protocol: ref.To("tls"),
 UpstreamValidation: &projcontour.UpstreamValidation{
- CACertificate: sec2.Name,
+ CACertificate: caSecret.Name,
 SubjectName: "subjname",
 },
 }},
@@ -121,13 +96,13 @@ func TestBackendClientAuthenticationWithHTTPProxy(t *testing.T) {
 
 c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{
 Resources: resources(t,
- tlsCluster(cluster("default/backend/443/950c17581f", "default/backend/http", "default_backend_443"), []byte(featuretests.CERTIFICATE), "subjname", "", sec1, nil),
+ tlsCluster(cluster("default/backend/443/950c17581f", "default/backend/http", "default_backend_443"), caSecret, "subjname", "", clientSecret, nil),
 ),
 TypeUrl: clusterType,
 })
 
 // Test the error branch when Envoy client certificate secret does not exist.
- rh.OnDelete(sec1)
+ rh.OnDelete(clientSecret)
 c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{
 Resources: nil,
 TypeUrl: clusterType,
@@ -138,10 +113,10 @@ func TestBackendClientAuthenticationWithIngress(t *testing.T) {
 rh, c, done := setup(t, proxyClientCertificateOpt(t))
 defer done()
 
- sec1 := clientSecret()
- sec2 := caSecret()
- rh.OnAdd(sec1)
- rh.OnAdd(sec2)
+ clientSecret := featuretests.TLSSecret(t, "envoyclientsecret", &featuretests.ClientCertificate)
+ caSecret := featuretests.CASecret(t, "backendcacert", &featuretests.CACertificate)
+ rh.OnAdd(clientSecret)
+ rh.OnAdd(caSecret)
 
 svc := fixture.NewService("backend").
 Annotate("projectcontour.io/upstream-protocol.tls", "443").
@@ -158,13 +133,13 @@ func TestBackendClientAuthenticationWithIngress(t *testing.T) {
 
 c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{
 Resources: resources(t,
- tlsClusterWithoutValidation(cluster("default/backend/443/4929fca9d4", "default/backend/http", "default_backend_443"), "", sec1, nil),
+ tlsClusterWithoutValidation(cluster("default/backend/443/4929fca9d4", "default/backend/http", "default_backend_443"), "", clientSecret, nil),
 ),
 TypeUrl: clusterType,
 })
 
 // Test the error branch when Envoy client certificate secret does not exist.
- rh.OnDelete(sec1)
+ rh.OnDelete(clientSecret)
 c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{
 Resources: nil,
 TypeUrl: clusterType,
@@ -175,10 +150,10 @@ func TestBackendClientAuthenticationWithExtensionService(t *testing.T) {
 rh, c, done := setup(t, proxyClientCertificateOpt(t))
 defer done()
 
- sec1 := clientSecret()
- sec2 := caSecret()
- rh.OnAdd(sec1)
- rh.OnAdd(sec2)
+ clientSecret := featuretests.TLSSecret(t, "envoyclientsecret", &featuretests.ClientCertificate)
+ caSecret := featuretests.CASecret(t, "backendcacert", &featuretests.CACertificate)
+ rh.OnAdd(clientSecret)
+ rh.OnAdd(caSecret)
 
 svc := fixture.NewService("backend").
 WithPorts(v1.ServicePort{Name: "grpc", Port: 6001})
@@ -191,7 +166,7 @@ func TestBackendClientAuthenticationWithExtensionService(t *testing.T) {
 {Name: svc.Name, Port: 6001},
 },
 UpstreamValidation: &projcontour.UpstreamValidation{
- CACertificate: sec2.Name,
+ CACertificate: caSecret.Name,
 SubjectName: "subjname",
 },
 },
@@ -202,18 +177,11 @@ func TestBackendClientAuthenticationWithExtensionService(t *testing.T) {
 tlsSocket := envoy_v3.UpstreamTLSTransportSocket(
 envoy_v3.UpstreamTLSContext(
 &dag.PeerValidationContext{
- CACertificate: &dag.Secret{Object: &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: "secret",
- Namespace: "default",
- },
- Type: "kubernetes.io/tls",
- Data: map[string][]byte{dag.CACertificateKey: []byte(featuretests.CERTIFICATE)},
- }},
- SubjectNames: []string{"subjname"},
+ CACertificate: &dag.Secret{Object: featuretests.CASecret(t, "secret", &featuretests.CACertificate)},
+ SubjectNames: []string{"subjname"},
 },
 "subjname",
- &dag.Secret{Object: sec1},
+ &dag.Secret{Object: clientSecret},
 nil,
 "h2",
 ),
@@ -229,7 +197,7 @@ func TestBackendClientAuthenticationWithExtensionService(t *testing.T) {
 })
 
 // Test the error branch when Envoy client certificate secret does not exist.
- rh.OnDelete(sec1)
+ rh.OnDelete(clientSecret)
 c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{
 Resources: nil,
 TypeUrl: clusterType,
diff --git a/internal/featuretests/v3/downstreamvalidation_test.go b/internal/featuretests/v3/downstreamvalidation_test.go
index d82744eca5b..1322aee9a28 100644
--- a/internal/featuretests/v3/downstreamvalidation_test.go
+++ b/internal/featuretests/v3/downstreamvalidation_test.go
@@ -24,7 +24,6 @@ import (
 "github.com/projectcontour/contour/internal/featuretests"
 "github.com/projectcontour/contour/internal/fixture"
 v1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
 )
 
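Review bot: In the expected `PeerValidationContext` the CA is built from a fresh `featuretests.CASecret(t, "secret", &featuretests.CACertificate)` named `secret`, while the Secret actually registered with the handler is `caSecret` (`backendcacert`); the assertion can only pass if `UpstreamTLSContext` inlines the PEM bytes and ignores the Secret's name, which a reader cannot verify from this hunk. Reusing the registered object, `CACertificate: &dag.Secret{Object: caSecret},`, states that intent directly and would fail loudly if the name ever became part of the emitted config. The enclosing test function starts and ends outside the hunk.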
@@ -32,26 +31,10 @@ func TestDownstreamTLSCertificateValidation(t *testing.T) {
 rh, c, done := setup(t)
 defer done()
 
- serverTLSSecret := &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: "serverTLSSecret",
- Namespace: "default",
- },
- Type: v1.SecretTypeTLS,
- Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
- }
+ serverTLSSecret := featuretests.TLSSecret(t, "serverTLSSecret", &featuretests.ServerCertificate)
 rh.OnAdd(serverTLSSecret)
 
- clientCASecret := &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: "clientCASecret",
- Namespace: "default",
- },
- Type: v1.SecretTypeOpaque,
- Data: map[string][]byte{
- dag.CACertificateKey: []byte(featuretests.CERTIFICATE),
- },
- }
+ clientCASecret := featuretests.CASecret(t, "clientCASecret", &featuretests.CACertificate)
 rh.OnAdd(clientCASecret)
 
 service := fixture.NewService("kuard").
@@ -207,16 +190,7 @@ func TestDownstreamTLSCertificateValidation(t *testing.T) {
 TypeUrl: listenerType,
 }).Status(proxy3).IsValid()
 
- crlSecret := &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: "crl",
- Namespace: "default",
- },
- Type: v1.SecretTypeOpaque,
- Data: map[string][]byte{
- dag.CRLKey: []byte(featuretests.CRL),
- },
- }
+ crlSecret := featuretests.CRLSecret(t, "crl", &featuretests.CRL)
 rh.OnAdd(crlSecret)
 
 proxy4 := fixture.NewProxy("example.com").
diff --git a/internal/featuretests/v3/envoy.go b/internal/featuretests/v3/envoy.go
index 1f3bf079b2c..1f97413aa69 100644
--- a/internal/featuretests/v3/envoy.go
+++ b/internal/featuretests/v3/envoy.go
@@ -43,7 +43,6 @@ import (
 "google.golang.org/protobuf/types/known/durationpb"
 "google.golang.org/protobuf/types/known/wrapperspb"
 v1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // DefaultCluster returns a copy of the default Cluster, with each
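Review bot: The new `crlSecret` wraps `featuretests.CRL`, which is now issued by the same `CACertificate` that signs `ClientCertificate` (an improvement over the old CRL from an unrelated `client-root-ca-1`), but it lists no revoked certificates, so the fixture models a CRL that revokes nothing. That is enough for this test, which only checks that the CRL bytes are wired into the listener config, but any future assertion that a revoked client is rejected would pass for the wrong reason. A comment at the point of use, `// featuretests.CRL is intentionally empty: only CRL plumbing is verified here, not revocation.`, would make that limit explicit, and if certyaml's CRL type supports listing revoked certificates the fixture could name `ClientCertificate` instead. The enclosing test function starts and ends outside the hunk.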
@@ -184,24 +183,23 @@ func cluster(name, servicename, statName string) *envoy_cluster_v3.Cluster {
 })
 }
 
-func tlsCluster(c *envoy_cluster_v3.Cluster, ca []byte, subjectName, sni string, clientSecret *v1.Secret, upstreamTLS *dag.UpstreamTLS, alpnProtocols ...string) *envoy_cluster_v3.Cluster {
+func tlsCluster(c *envoy_cluster_v3.Cluster, ca *v1.Secret, subjectName, sni string, clientSecret *v1.Secret, upstreamTLS *dag.UpstreamTLS, alpnProtocols ...string) *envoy_cluster_v3.Cluster {
 var secret *dag.Secret
 if clientSecret != nil {
 secret = &dag.Secret{Object: clientSecret}
 }
 
+ // Secret for validation is optional.
+ var s *dag.Secret
+ if ca != nil {
+ s = &dag.Secret{Object: ca}
+ }
+
 c.TransportSocket = envoy_v3.UpstreamTLSTransportSocket(
 envoy_v3.UpstreamTLSContext(
 &dag.PeerValidationContext{
- CACertificate: &dag.Secret{Object: &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: "secret",
- Namespace: "default",
- },
- Type: "kubernetes.io/tls",
- Data: map[string][]byte{dag.CACertificateKey: ca},
- }},
- SubjectNames: []string{subjectName},
+ CACertificate: s,
+ SubjectNames: []string{subjectName},
 },
 sni,
 secret,
diff --git a/internal/featuretests/v3/extensionservice_test.go b/internal/featuretests/v3/extensionservice_test.go
index 43642ca7652..379ddd7fff2 100644
--- a/internal/featuretests/v3/extensionservice_test.go
+++ b/internal/featuretests/v3/extensionservice_test.go
@@ -25,7 +25,6 @@ import (
 matcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
 contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1"
 "github.com/projectcontour/contour/apis/projectcontour/v1alpha1"
- "github.com/projectcontour/contour/internal/dag"
 envoy_v3 "github.com/projectcontour/contour/internal/envoy/v3"
 "github.com/projectcontour/contour/internal/featuretests"
 "github.com/projectcontour/contour/internal/fixture"
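Review bot: `tlsCluster`'s `ca` parameter changes meaning in this hunk — it is now the Opaque Secret read under `dag.CACertificateKey` rather than raw PEM bytes, and a nil value silently leaves `CACertificate` unset while `SubjectNames` is still populated — but the only documentation is the inline `// Secret for validation is optional.`, so callers cannot tell from the signature which Secret key is consulted or what nil produces. A doc comment on the function would close that gap, e.g. `// tlsCluster wraps c in an upstream TLS transport socket. ca is the Secret whose dag.CACertificateKey holds the trusted CA; nil leaves peer validation without a CA while subjectName is still passed through. clientSecret, if non-nil, is presented as the client certificate.` Whether a nil CA combined with a non-empty SubjectNames is a meaningful input for `UpstreamTLSContext` is not visible here and is worth a sentence in that comment once confirmed. The function body continues past the end of the hunk.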
@@ -123,7 +122,7 @@ func extUpstreamValidation(t *testing.T, rh ResourceEventHandlerWrapper, c *Cont
 ValidationContext: &envoy_v3_tls.CertificateValidationContext{
 TrustedCa: &envoy_core_v3.DataSource{
 Specifier: &envoy_core_v3.DataSource_InlineBytes{
- InlineBytes: []byte(featuretests.CERTIFICATE),
+ InlineBytes: featuretests.PEMBytes(t, &featuretests.CACertificate),
 },
 },
 MatchTypedSubjectAltNames: []*envoy_v3_tls.SubjectAltNameMatcher{
@@ -172,13 +171,7 @@ func extUpstreamValidation(t *testing.T, rh ResourceEventHandlerWrapper, c *Cont
 })
 
 // Create a secret for the CA certificate that can be delegated
- rh.OnAdd(&corev1.Secret{
- ObjectMeta: fixture.ObjectMeta("otherNs/cacert"),
- Type: corev1.SecretTypeOpaque,
- Data: map[string][]byte{
- dag.CACertificateKey: []byte(featuretests.CERTIFICATE),
- },
- })
+ rh.OnAdd(featuretests.CASecret(t, "otherNs/cacert", &featuretests.CACertificate))
 
 // Update the validation spec to reference a secret that is not delegated.
 rh.OnUpdate(ext, &v1alpha1.ExtensionService{
@@ -429,14 +422,7 @@ func TestExtensionService(t *testing.T) {
 
 // Add common test fixtures.
 
- rh.OnAdd(&corev1.Secret{
- ObjectMeta: fixture.ObjectMeta("ns/cacert"),
- Type: corev1.SecretTypeOpaque,
- Data: map[string][]byte{
- dag.CACertificateKey: []byte(featuretests.CERTIFICATE),
- },
- })
-
+ rh.OnAdd(featuretests.CASecret(t, "ns/cacert", &featuretests.CACertificate))
 rh.OnAdd(fixture.NewService("ns/svc1").WithPorts(corev1.ServicePort{Port: 8081}))
 rh.OnAdd(fixture.NewService("ns/svc2").WithPorts(corev1.ServicePort{Port: 8082}))
 
diff --git a/internal/featuretests/v3/externalname_test.go b/internal/featuretests/v3/externalname_test.go
index a8e28dfb898..c05abdfa143 100644
--- a/internal/featuretests/v3/externalname_test.go
+++ b/internal/featuretests/v3/externalname_test.go
@@ -278,14 +278,7 @@ func TestExternalNameService(t *testing.T) {
 ),
 })
 
- sec1 := &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: "secret",
- Namespace: "default",
- },
- Type: "kubernetes.io/tls",
- Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
- }
+ sec1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate)
 
 // Create TCPProxy with upstream protocol 'tls' to an externalName type service
 // and verify that the SNI on the upstream request matches the externalName value.
diff --git a/internal/featuretests/v3/fallbackcert_test.go b/internal/featuretests/v3/fallbackcert_test.go
index bcef7c82d56..9e3cb6905d6 100644
--- a/internal/featuretests/v3/fallbackcert_test.go
+++ b/internal/featuretests/v3/fallbackcert_test.go
@@ -22,6 +22,7 @@ import (
 envoy_discovery_v3 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
 contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1"
 "github.com/projectcontour/contour/internal/dag"
+ "github.com/projectcontour/contour/internal/envoy"
 envoy_v3 "github.com/projectcontour/contour/internal/envoy/v3"
 "github.com/projectcontour/contour/internal/featuretests"
 "github.com/projectcontour/contour/internal/fixture"
@@ -47,25 +48,10 @@ func TestFallbackCertificate(t *testing.T) {
 })
 defer done()
 
- sec1 := &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: "secret",
- Namespace: "default",
- },
- Type: "kubernetes.io/tls",
- Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
- }
+ sec1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate)
 rh.OnAdd(sec1)
 
- fallbackSecret := &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: "fallbacksecret",
- Namespace: "admin",
- },
- Type: "kubernetes.io/tls",
- Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
- }
-
+ fallbackSecret := featuretests.TLSSecret(t, "admin/fallbacksecret", &featuretests.ServerCertificate)
 rh.OnAdd(fallbackSecret)
 
 s1 := fixture.NewService("backend").
@@ -295,7 +281,7 @@ func TestFallbackCertificate(t *testing.T) {
 TypeUrl: secretType,
 Resources: resources(t,
 &envoy_tls_v3.Secret{
- Name: "admin/fallbacksecret/0567f551af",
+ Name: envoy.Secretname(&dag.Secret{Object: fallbackSecret}),
 Type: &envoy_tls_v3.Secret_TlsCertificate{
 TlsCertificate: &envoy_tls_v3.TlsCertificate{
 CertificateChain: &envoy_core_v3.DataSource{
@@ -312,7 +298,7 @@ func TestFallbackCertificate(t *testing.T) {
 },
 },
 &envoy_tls_v3.Secret{
- Name: "default/secret/0567f551af",
+ Name: envoy.Secretname(&dag.Secret{Object: sec1}),
 Type: &envoy_tls_v3.Secret_TlsCertificate{
 TlsCertificate: &envoy_tls_v3.TlsCertificate{
 CertificateChain: &envoy_core_v3.DataSource{
diff --git a/internal/featuretests/v3/global_authorization_test.go b/internal/featuretests/v3/global_authorization_test.go
index a02d3a58b11..270380316d0 100644
--- a/internal/featuretests/v3/global_authorization_test.go
+++ b/internal/featuretests/v3/global_authorization_test.go
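Review bot: Replacing the literal `admin/fallbacksecret/0567f551af` and `default/secret/0567f551af` with `envoy.Secretname(&dag.Secret{Object: ...})` is forced by the certificate now being regenerated on every run, but it makes the name half of these assertions tautological: the expected value is produced by the same production function whose output is under test, so a regression in `Secretname`'s hashing would no longer be caught in this test. A short comment next to the first use, `// Name is derived from the secret contents, which certyaml regenerates per run; Secretname's hashing is covered by its own unit tests.`, would record why the literals were dropped, assuming such coverage exists in internal/envoy. The enclosing test function starts and ends outside the hunk.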
@@ -115,11 +115,7 @@ func globalExternalAuthorizationFilterExistsTLS(t *testing.T, rh ResourceEventHa
 ),
 FilterChains: []*envoy_listener_v3.FilterChain{
 filterchaintls("foo.com",
- &corev1.Secret{
- ObjectMeta: fixture.ObjectMeta("certificate"),
- Type: "kubernetes.io/tls",
- Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
- },
+ featuretests.TLSSecret(t, "certificate", &featuretests.ServerCertificate),
 authzFilterFor(
 "foo.com",
 &envoy_config_filter_http_ext_authz_v3.ExtAuthz{
@@ -189,11 +185,7 @@ func globalExternalAuthorizationWithTLSGlobalAuthDisabled(t *testing.T, rh Resou
 ),
 FilterChains: []*envoy_listener_v3.FilterChain{
 filterchaintls("foo.com",
- &corev1.Secret{
- ObjectMeta: fixture.ObjectMeta("certificate"),
- Type: "kubernetes.io/tls",
- Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
- },
+ featuretests.TLSSecret(t, "certificate", &featuretests.ServerCertificate),
 httpsFilterFor("foo.com"),
 nil, "h2", "http/1.1"),
 },
@@ -327,11 +319,7 @@ func globalExternalAuthorizationWithMergedAuthPolicyTLS(t *testing.T, rh Resourc
 ),
 FilterChains: []*envoy_listener_v3.FilterChain{
 filterchaintls("foo.com",
- &corev1.Secret{
- ObjectMeta: fixture.ObjectMeta("certificate"),
- Type: "kubernetes.io/tls",
- Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
- },
+ featuretests.TLSSecret(t, "certificate", &featuretests.ServerCertificate),
 authzFilterFor(
 "foo.com",
 &envoy_config_filter_http_ext_authz_v3.ExtAuthz{
@@ -448,11 +436,7 @@ func globalExternalAuthorizationWithTLSAuthOverride(t *testing.T, rh ResourceEve
 ),
 FilterChains: []*envoy_listener_v3.FilterChain{
 filterchaintls("foo.com",
- &corev1.Secret{
- ObjectMeta: fixture.ObjectMeta("certificate"),
- Type: "kubernetes.io/tls",
- Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
- },
+ featuretests.TLSSecret(t, "certificate", &featuretests.ServerCertificate),
 authzFilterFor(
 "foo.com",
 &envoy_config_filter_http_ext_authz_v3.ExtAuthz{
@@ -570,11 +554,7 @@ func TestGlobalAuthorization(t *testing.T) {
 Ports: featuretests.Ports(featuretests.Port("", 80)),
 }))
 
- rh.OnAdd(&corev1.Secret{
- ObjectMeta: fixture.ObjectMeta("certificate"),
- Type: "kubernetes.io/tls",
- Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
- })
+ rh.OnAdd(featuretests.TLSSecret(t, "certificate", &featuretests.ServerCertificate))
 
 f(t, rh, c)
 })
diff --git a/internal/featuretests/v3/globalratelimit_test.go b/internal/featuretests/v3/globalratelimit_test.go
index 121ba521e07..afe7e16e33c 100644
--- a/internal/featuretests/v3/globalratelimit_test.go
+++ b/internal/featuretests/v3/globalratelimit_test.go
@@ -839,16 +839,8 @@ func TestGlobalRateLimiting(t *testing.T) {
 // Add common test fixtures.
 rh.OnAdd(fixture.NewService("s1").WithPorts(corev1.ServicePort{Port: 80}))
 rh.OnAdd(fixture.NewService("s2").WithPorts(corev1.ServicePort{Port: 80}))
- rh.OnAdd(&corev1.Secret{
- ObjectMeta: fixture.ObjectMeta("tls-cert"),
- Type: "kubernetes.io/tls",
- Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
- })
- rh.OnAdd(&corev1.Secret{
- ObjectMeta: fixture.ObjectMeta("fallback-cert"),
- Type: "kubernetes.io/tls",
- Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
- })
+ rh.OnAdd(featuretests.TLSSecret(t, "tls-cert", &featuretests.ServerCertificate))
+ rh.OnAdd(featuretests.TLSSecret(t, "fallback-cert", &featuretests.ServerCertificate))
 
 f(t, rh, c)
 })
diff --git a/internal/featuretests/v3/headerpolicy_test.go b/internal/featuretests/v3/headerpolicy_test.go
index 824b668d4b3..9b9ff24ec41 100644
--- a/internal/featuretests/v3/headerpolicy_test.go
+++ b/internal/featuretests/v3/headerpolicy_test.go
@@ -24,7 +24,6 @@ import (
 "github.com/projectcontour/contour/internal/featuretests"
 "github.com/projectcontour/contour/internal/fixture"
 v1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
 )
 
@@ -155,14 +154,7 @@ func TestHeaderPolicy_ReplaceHeader_HTTProxy(t *testing.T) {
 }),
 )
 
- rh.OnAdd(&v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: "foo",
- Namespace: "default",
- },
- Type: "kubernetes.io/tls",
- Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
- })
+ rh.OnAdd(featuretests.TLSSecret(t, "foo", &featuretests.ServerCertificate))
 
 // Proxy with SNI
 rh.OnAdd(fixture.NewProxy("simple").WithSpec(
@@ -275,14 +267,7 @@ func TestHeaderPolicy_ReplaceHostHeader_HTTProxy(t *testing.T) {
 }),
 )
 
- rh.OnAdd(&v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: "foo",
- Namespace: "default",
- },
- Type: "kubernetes.io/tls",
- Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
- })
+ rh.OnAdd(featuretests.TLSSecret(t, "foo", &featuretests.ServerCertificate))
 
 // Proxy with SNI
 rh.OnAdd(fixture.NewProxy("simple").WithSpec(
diff --git a/internal/featuretests/v3/httproute_test.go b/internal/featuretests/v3/httproute_test.go
index 6d3dabae393..00558c16f4b 100644
--- a/internal/featuretests/v3/httproute_test.go
+++ b/internal/featuretests/v3/httproute_test.go
@@ -100,14 +100,7 @@ func TestGateway_TLS(t *testing.T) {
 WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromInt(8080)}),
 )
 
-	sec1 := &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: "tlscert",
- Namespace: "projectcontour",
- },
- Type: v1.SecretTypeTLS,
- Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
- }
+ sec1 := featuretests.TLSSecret(t, "projectcontour/tlscert", &featuretests.ServerCertificate)
 
 rh.OnAdd(sec1)
 
diff --git a/internal/featuretests/v3/jwtverification_test.go b/internal/featuretests/v3/jwtverification_test.go
index c3ba34337b3..1b68efcfb17 100644
--- a/internal/featuretests/v3/jwtverification_test.go
+++ b/internal/featuretests/v3/jwtverification_test.go
@@ -28,7 +28,6 @@ import (
 matcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
 envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3"
 contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1"
- "github.com/projectcontour/contour/internal/dag"
 envoy_v3 "github.com/projectcontour/contour/internal/envoy/v3"
 "github.com/projectcontour/contour/internal/featuretests"
 "github.com/projectcontour/contour/internal/fixture"
@@ -36,21 +35,13 @@ import ( "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/durationpb" corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) func TestJWTVerification(t *testing.T) { rh, c, done := setup(t) defer done() - sec1 := &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + sec1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) rh.OnAdd(sec1) s1 := fixture.NewService("s1"). @@ -725,13 +716,7 @@ func TestJWTVerification(t *testing.T) { ), }) - rh.OnAdd(&corev1.Secret{ - ObjectMeta: fixture.ObjectMeta("default/cacert"), - Type: corev1.SecretTypeOpaque, - Data: map[string][]byte{ - dag.CACertificateKey: []byte(featuretests.CERTIFICATE), - }, - }) + rh.OnAdd(featuretests.CASecret(t, "cacert", &featuretests.CACertificate)) // JWKS with upstream validation proxy7 := fixture.NewProxy("simple").WithSpec( @@ -857,7 +842,7 @@ func TestJWTVerification(t *testing.T) { ValidationContext: &envoy_tls_v3.CertificateValidationContext{ TrustedCa: &envoy_core_v3.DataSource{ Specifier: &envoy_core_v3.DataSource_InlineBytes{ - InlineBytes: []byte(featuretests.CERTIFICATE), + InlineBytes: featuretests.PEMBytes(t, &featuretests.CACertificate), }, }, MatchTypedSubjectAltNames: []*envoy_tls_v3.SubjectAltNameMatcher{ @@ -1194,14 +1179,7 @@ func TestJWTVerification_Inclusion(t *testing.T) { rh, c, done := setup(t) defer done() - sec1 := &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + sec1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) rh.OnAdd(sec1) s1 := fixture.NewService("s1"). 
diff --git a/internal/featuretests/v3/listeners_test.go b/internal/featuretests/v3/listeners_test.go index da83cc20a9a..0b1053f6578 100644 --- a/internal/featuretests/v3/listeners_test.go +++ b/internal/featuretests/v3/listeners_test.go @@ -153,15 +153,7 @@ func TestTLSListener(t *testing.T) { rh, c, done := setup(t) defer done() - // s1 is a tls secret - s1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + s1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) svc1 := fixture.NewService("backend"). WithPorts(v1.ServicePort{Name: "http", Port: 80}) @@ -282,15 +274,7 @@ func TestHTTPProxyTLSListener(t *testing.T) { rh, c, done := setup(t) defer done() - // secret1 is a tls secret - secret1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + secret1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) svc1 := fixture.NewService("backend"). WithPorts(v1.ServicePort{Name: "http", Port: 80}) @@ -442,15 +426,7 @@ func TestTLSListenerCipherSuites(t *testing.T) { }) defer done() - // secret1 is a tls secret - secret1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + secret1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) svc1 := fixture.NewService("backend"). WithPorts(v1.ServicePort{Name: "http", Port: 80}) 
@@ -526,15 +502,7 @@ func TestLDSFilter(t *testing.T) { rh, c, done := setup(t) defer done() - // s1 is a tls secret - s1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + s1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) svc1 := fixture.NewService("backend"). WithPorts(v1.ServicePort{Name: "http", Port: 80}) @@ -672,15 +640,7 @@ func TestLDSIngressHTTPSUseProxyProtocol(t *testing.T) { }) defer done() - // s1 is a tls secret - s1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + s1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) svc1 := fixture.NewService("backend"). WithPorts(v1.ServicePort{Name: "http", Port: 80}) @@ -767,15 +727,7 @@ func TestLDSCustomAddressAndPort(t *testing.T) { }) defer done() - // s1 is a tls secret - s1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + s1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) svc1 := fixture.NewService("backend"). WithPorts(v1.ServicePort{Name: "http", Port: 80}) 
@@ -856,15 +808,7 @@ func TestLDSCustomAccessLogPaths(t *testing.T) { }) defer done() - // s1 is a tls secret - s1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + s1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) svc1 := fixture.NewService("backend"). WithPorts(v1.ServicePort{Name: "http", Port: 80}) @@ -959,15 +903,7 @@ func TestHTTPProxyHTTPS(t *testing.T) { Nonce: "0", }) - // s1 is a tls secret - s1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + s1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) // p1 is a httpproxy that has TLS p1 := &contour_api_v1.HTTPProxy{ @@ -1039,15 +975,7 @@ func TestHTTPProxyTLSVersion(t *testing.T) { defer done() - // secret1 is a tls secret - secret1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + secret1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) rh.OnAdd(secret1) rh.OnAdd(fixture.NewService("backend"). @@ -1351,14 +1279,7 @@ func TestGatewayListenersSetAddress(t *testing.T) { rh.OnAdd(fixture.NewService("svc1"). WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromInt(8080)}), ) - tlssecret := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "tlscert", - Namespace: "projectcontour", - }, - Type: v1.SecretTypeTLS, - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + tlssecret := featuretests.TLSSecret(t, "projectcontour/tlscert", &featuretests.ServerCertificate) rh.OnAdd(tlssecret) rh.OnAdd(gc) 
@@ -1563,15 +1484,7 @@ func TestSocketOptions(t *testing.T) { WithPorts(v1.ServicePort{Name: "http", Port: 80}) rh.OnAdd(svc1) - // secret1 is a tls secret - secret1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + secret1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) rh.OnAdd(secret1) // p1 is a tls httpproxy diff --git a/internal/featuretests/v3/route_test.go b/internal/featuretests/v3/route_test.go index 3dc5f5702ca..0acd164cef4 100644 --- a/internal/featuretests/v3/route_test.go +++ b/internal/featuretests/v3/route_test.go @@ -323,14 +323,7 @@ func TestEditIngressInPlace(t *testing.T) { Nonce: "4", }) - rh.OnAdd(&v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "hello-kitty", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - }) + rh.OnAdd(featuretests.TLSSecret(t, "hello-kitty", &featuretests.ServerCertificate)) // i4 is the same as i3, and includes a TLS spec object to enable ingress_https routes // i3 is like i2, but adds the ingress.kubernetes.io/force-ssl-redirect: "true" annotation @@ -436,14 +429,7 @@ func TestSSLRedirectOverlay(t *testing.T) { } rh.OnAdd(i1) - rh.OnAdd(&v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "example-tls", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - }) + rh.OnAdd(featuretests.TLSSecret(t, "example-tls", &featuretests.ServerCertificate)) s2 := fixture.NewService("nginx-ingress/challenge-service"). WithPorts(v1.ServicePort{Name: "http", Port: 8009, TargetPort: intstr.FromInt(8080)}) 
@@ -498,11 +484,8 @@ func TestInvalidCertInIngress(t *testing.T) { defer done() // Create an invalid TLS secret - secret := &v1.Secret{ - ObjectMeta: fixture.ObjectMeta("example-tls"), - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata("wrong", featuretests.RSA_PRIVATE_KEY), - } + secret := featuretests.TLSSecret(t, "example-tls", &featuretests.ServerCertificate) + secret.Data[v1.TLSCertKey] = []byte("wrong") rh.OnAdd(secret) // Create a service @@ -541,11 +524,7 @@ func TestInvalidCertInIngress(t *testing.T) { ), nil) // Correct the secret - rh.OnUpdate(secret, &v1.Secret{ - ObjectMeta: fixture.ObjectMeta("example-tls"), - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - }) + rh.OnUpdate(secret, featuretests.TLSSecret(t, "example-tls", &featuretests.ServerCertificate)) assertRDS(t, c, "2", virtualhosts( envoy_v3.VirtualHost("kuard.io", @@ -692,14 +671,7 @@ func TestRDSFilter(t *testing.T) { } rh.OnAdd(i1) - rh.OnAdd(&v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "example-tls", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - }) + rh.OnAdd(featuretests.TLSSecret(t, "example-tls", &featuretests.ServerCertificate)) s2 := fixture.NewService("nginx-ingress/challenge-service"). WithPorts(v1.ServicePort{Name: "http", Port: 8009, TargetPort: intstr.FromInt(8080)}) 
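Review bot: `secret.Data[v1.TLSCertKey] = []byte("wrong")` in the TestInvalidCertInIngress hunk mutates the Data map of the object TLSSecret handed back, which is only safe if the helper builds a fresh Secret and map on every call rather than returning a cached one; the hunk cannot show which. Either record the assumption on the mutation, e.g. `// corrupt tls.crt in place; TLSSecret must return a fresh object per call`, or build the invalid secret as a literal `&v1.Secret{...}` as the removed lines did so the test does not depend on helper internals. The mutated object is later passed as the old value to rh.OnUpdate in the second hunk of this file, so keeping the same variable is intentional and should stay.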
@@ -1118,14 +1090,7 @@ func TestRouteWithTLS(t *testing.T) { rh.OnAdd(fixture.NewService("kuard"). WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromInt(8080)})) - rh.OnAdd(&v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "example-tls", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - }) + rh.OnAdd(featuretests.TLSSecret(t, "example-tls", &featuretests.ServerCertificate)) p1 := &contour_api_v1.HTTPProxy{ ObjectMeta: metav1.ObjectMeta{ @@ -1189,14 +1154,7 @@ func TestRouteWithTLS_InsecurePaths(t *testing.T) { rh.OnAdd(fixture.NewService("svc2"). WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromInt(8080)})) - rh.OnAdd(&v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "example-tls", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - }) + rh.OnAdd(featuretests.TLSSecret(t, "example-tls", &featuretests.ServerCertificate)) p1 := &contour_api_v1.HTTPProxy{ ObjectMeta: metav1.ObjectMeta{ @@ -1286,14 +1244,7 @@ func TestRouteWithTLS_InsecurePaths_DisablePermitInsecureTrue(t *testing.T) { rh.OnAdd(fixture.NewService("svc2"). WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromInt(8080)})) - rh.OnAdd(&v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "example-tls", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - }) + rh.OnAdd(featuretests.TLSSecret(t, "example-tls", &featuretests.ServerCertificate)) p1 := &contour_api_v1.HTTPProxy{ ObjectMeta: metav1.ObjectMeta{ 
@@ -1497,14 +1448,7 @@ func TestHTTPProxyRouteWithTLS(t *testing.T) { rh.OnAdd(fixture.NewService("kuard"). WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromInt(8080)})) - rh.OnAdd(&v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "example-tls", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - }) + rh.OnAdd(featuretests.TLSSecret(t, "example-tls", &featuretests.ServerCertificate)) proxy1 := &contour_api_v1.HTTPProxy{ ObjectMeta: metav1.ObjectMeta{ @@ -1566,14 +1510,7 @@ func TestHTTPProxyRouteWithTLS_InsecurePaths(t *testing.T) { rh.OnAdd(fixture.NewService("svc2"). WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromInt(8080)})) - rh.OnAdd(&v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "example-tls", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - }) + rh.OnAdd(featuretests.TLSSecret(t, "example-tls", &featuretests.ServerCertificate)) proxy1 := &contour_api_v1.HTTPProxy{ ObjectMeta: metav1.ObjectMeta{ @@ -1659,14 +1596,7 @@ func TestHTTPProxyRouteWithTLS_InsecurePaths_DisablePermitInsecureTrue(t *testin rh.OnAdd(fixture.NewService("svc2"). WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromInt(8080)})) - rh.OnAdd(&v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "example-tls", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - }) + rh.OnAdd(featuretests.TLSSecret(t, "example-tls", &featuretests.ServerCertificate)) proxy1 := &contour_api_v1.HTTPProxy{ ObjectMeta: metav1.ObjectMeta{ diff --git a/internal/featuretests/v3/secrets_test.go b/internal/featuretests/v3/secrets_test.go index 3d93cf51217..c77b5f4000b 100644 --- a/internal/featuretests/v3/secrets_test.go +++ b/internal/featuretests/v3/secrets_test.go 
@@ -32,16 +32,7 @@ func TestSDSVisibility(t *testing.T) { rh, c, done := setup(t) defer done() - // s1 is a tls secret - s1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } - // add secret + s1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) rh.OnAdd(s1) // assert that the secret is _not_ visible as it is @@ -105,16 +96,7 @@ func TestSDSShouldNotIncrementVersionNumberForUnrelatedSecret(t *testing.T) { svc1 := fixture.NewService("backend"). WithPorts(v1.ServicePort{Name: "http", Port: 80}) - // s1 is a tls secret - s1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } - // add secret + s1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) rh.OnAdd(s1) // i1 is a tls ingress diff --git a/internal/featuretests/v3/tcpproxy_test.go b/internal/featuretests/v3/tcpproxy_test.go index 8fae97bc3a2..2997dcda016 100644 --- a/internal/featuretests/v3/tcpproxy_test.go +++ b/internal/featuretests/v3/tcpproxy_test.go @@ -32,14 +32,7 @@ func TestTCPProxy(t *testing.T) { rh, c, done := setup(t) defer done() - s1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + s1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) svc := fixture.NewService("correct-backend"). WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromInt(8080)}) 
@@ -129,14 +122,7 @@ func TestTCPProxyDelegation(t *testing.T) { rh, c, done := setup(t) defer done() - s1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + s1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) svc := fixture.NewService("app/backend"). WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromInt(8080)}) @@ -312,14 +298,7 @@ func TestTCPProxyTLSBackend(t *testing.T) { rh, c, done := setup(t) defer done() - s1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "k8s-tls", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + s1 := featuretests.TLSSecret(t, "k8s-tls", &featuretests.ServerCertificate) svc := fixture.NewService("kubernetes"). Annotate("projectcontour.io/upstream-protocol.tls", "https,443"). @@ -394,14 +373,7 @@ func TestTCPProxyAndHTTPService(t *testing.T) { rh, c, done := setup(t) defer done() - s1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + s1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) svc := fixture.NewService("backend"). WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromInt(8080)}) 
@@ -483,14 +455,7 @@ func TestTCPProxyAndHTTPServicePermitInsecure(t *testing.T) { rh, c, done := setup(t) defer done() - s1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + s1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) svc := fixture.NewService("backend"). WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromInt(8080)}) @@ -754,14 +719,7 @@ func TestTCPProxyMissingTLS(t *testing.T) { rh, c, done := setup(t) defer done() - s1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + s1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) svc := fixture.NewService("backend"). WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromInt(8080)}) @@ -865,14 +823,7 @@ func TestTCPProxyInvalidLoadBalancerPolicy(t *testing.T) { rh, c, done := setup(t) defer done() - s1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + s1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) svc := fixture.NewService("backend"). WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromInt(8080)}) diff --git a/internal/featuretests/v3/tcproute_test.go b/internal/featuretests/v3/tcproute_test.go index 44bcb503db4..8071ca4daa4 100644 --- a/internal/featuretests/v3/tcproute_test.go +++ b/internal/featuretests/v3/tcproute_test.go 
@@ -189,15 +189,7 @@ func TestTCPRoute_TLSTermination(t *testing.T) { rh.OnAdd(svc1) - sec1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "tlscert", - Namespace: "projectcontour", - }, - Type: v1.SecretTypeTLS, - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } - + sec1 := featuretests.TLSSecret(t, "projectcontour/tlscert", &featuretests.ServerCertificate) rh.OnAdd(sec1) rh.OnAdd(&gatewayapi_v1beta1.GatewayClass{ diff --git a/internal/featuretests/v3/tlscertificatedelegation_test.go b/internal/featuretests/v3/tlscertificatedelegation_test.go index 16aefeb1774..8c6ddc23f4e 100644 --- a/internal/featuretests/v3/tlscertificatedelegation_test.go +++ b/internal/featuretests/v3/tlscertificatedelegation_test.go @@ -24,7 +24,6 @@ import ( "github.com/projectcontour/contour/internal/fixture" v1 "k8s.io/api/core/v1" networking_v1 "k8s.io/api/networking/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) func TestTLSCertificateDelegation(t *testing.T) { @@ -39,16 +38,7 @@ func TestTLSCertificateDelegation(t *testing.T) { TypeUrl: listenerType, }) - sec1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "wildcard", - Namespace: "secret", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } - - // add a secret object secret/wildcard. + sec1 := featuretests.TLSSecret(t, "secret/wildcard", &featuretests.ServerCertificate) rh.OnAdd(sec1) s1 := fixture.NewService("kuard"). diff --git a/internal/featuretests/v3/tlsprotocolversion_test.go b/internal/featuretests/v3/tlsprotocolversion_test.go index 14a9d09f0da..4673f025f6c 100644 --- a/internal/featuretests/v3/tlsprotocolversion_test.go +++ b/internal/featuretests/v3/tlsprotocolversion_test.go 
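Review bot: In the TestTLSCertificateDelegation hunk the removed comment `// add a secret object secret/wildcard.` was the only hint that `"secret/wildcard"` means namespace `secret`, name `wildcard`; the new one-liner is easy to misread as a bare name because almost every other call site in this diff passes one. Suggest keeping a short comment above the call, e.g. `// sec1 is created in namespace "secret", not "default".` The same argument form is used without comment in the tcproute and tlsroute hunks (`"projectcontour/tlscert"`), where the namespace is at least self-describing.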
@@ -26,21 +26,13 @@ import ( "github.com/projectcontour/contour/internal/fixture" v1 "k8s.io/api/core/v1" networking_v1 "k8s.io/api/networking/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) func TestTLSProtocolVersion(t *testing.T) { rh, c, done := setup(t) defer done() - sec1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + sec1 := featuretests.TLSSecret(t, "secret", &featuretests.ServerCertificate) rh.OnAdd(sec1) s1 := fixture.NewService("backend"). diff --git a/internal/featuretests/v3/tlsroute_test.go b/internal/featuretests/v3/tlsroute_test.go index 2efc814eaeb..4d3cb638b9f 100644 --- a/internal/featuretests/v3/tlsroute_test.go +++ b/internal/featuretests/v3/tlsroute_test.go @@ -253,15 +253,7 @@ func TestTLSRoute_TLSTermination(t *testing.T) { WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromInt(8080)}), ) - sec1 := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "tlscert", - Namespace: "projectcontour", - }, - Type: v1.SecretTypeTLS, - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } - + sec1 := featuretests.TLSSecret(t, "projectcontour/tlscert", &featuretests.ServerCertificate) rh.OnAdd(sec1) rh.OnAdd(gc) diff --git a/internal/featuretests/v3/upstreamtls_test.go b/internal/featuretests/v3/upstreamtls_test.go index 6e10562decf..52367a24c5f 100644 --- a/internal/featuretests/v3/upstreamtls_test.go +++ b/internal/featuretests/v3/upstreamtls_test.go 
@@ -49,10 +49,10 @@ func TestUpstreamTLSWithHTTPProxy(t *testing.T) { }) defer done() - sec1 := clientSecret() - sec2 := caSecret() - rh.OnAdd(sec1) - rh.OnAdd(sec2) + clientSecret := featuretests.TLSSecret(t, "envoyclientsecret", &featuretests.ClientCertificate) + caSecret := featuretests.CASecret(t, "backendcacert", &featuretests.CACertificate) + rh.OnAdd(clientSecret) + rh.OnAdd(caSecret) svc := fixture.NewService("backend"). WithPorts(v1.ServicePort{Name: "http", Port: 443}) @@ -69,7 +69,7 @@ func TestUpstreamTLSWithHTTPProxy(t *testing.T) { Port: 443, Protocol: ref.To("tls"), UpstreamValidation: &projcontour.UpstreamValidation{ - CACertificate: sec2.Name, + CACertificate: caSecret.Name, SubjectName: "subjname", }, }}, @@ -81,10 +81,10 @@ func TestUpstreamTLSWithHTTPProxy(t *testing.T) { Resources: resources(t, tlsCluster( cluster("default/backend/443/950c17581f", "default/backend/http", "default_backend_443"), - []byte(featuretests.CERTIFICATE), + caSecret, "subjname", "", - sec1, + clientSecret, &dag.UpstreamTLS{ MinimumProtocolVersion: "1.2", MaximumProtocolVersion: "1.2", @@ -156,13 +156,7 @@ func TestUpstreamTLSWithExtensionService(t *testing.T) { // Add common test fixtures. - rh.OnAdd(&corev1.Secret{ - ObjectMeta: fixture.ObjectMeta("ns/cacert"), - Type: corev1.SecretTypeOpaque, - Data: map[string][]byte{ - dag.CACertificateKey: []byte(featuretests.CERTIFICATE), - }, - }) + rh.OnAdd(featuretests.CASecret(t, "ns/cacert", &featuretests.CACertificate)) rh.OnAdd(fixture.NewService("ns/svc1").WithPorts(corev1.ServicePort{Port: 8081})) @@ -200,7 +194,7 @@ func TestUpstreamTLSWithExtensionService(t *testing.T) { ValidationContext: &envoy_v3_tls.CertificateValidationContext{ TrustedCa: &envoy_core_v3.DataSource{ Specifier: &envoy_core_v3.DataSource_InlineBytes{ - InlineBytes: []byte(featuretests.CERTIFICATE), + InlineBytes: featuretests.PEMBytes(t, &featuretests.CACertificate), }, }, MatchTypedSubjectAltNames: []*envoy_v3_tls.SubjectAltNameMatcher{ 
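Review bot: The new locals `clientSecret` and `caSecret` in TestUpstreamTLSWithHTTPProxy shadow the package-level helpers `clientSecret()` and `caSecret()` that the removed lines called; if those functions survive this commit the shadowing compiles but reads as a call-site typo, so either delete the helpers here or rename the locals (`clientSec`, `caSec`). Separately, `tlsCluster` is now given `caSecret` (a *Secret) where it previously took `[]byte(featuretests.CERTIFICATE)`, so its signature changed outside this hunk; worth checking it reads the CA from the `dag.CACertificateKey` entry of an Opaque secret, which is what the removed literal in TestUpstreamTLSWithExtensionService shows CASecret is replacing, rather than from tls.crt.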
diff --git a/internal/featuretests/v3/wildcardhost_test.go b/internal/featuretests/v3/wildcardhost_test.go index 0d0d575c132..c3dd43d3cd5 100644 --- a/internal/featuretests/v3/wildcardhost_test.go +++ b/internal/featuretests/v3/wildcardhost_test.go @@ -175,14 +175,7 @@ func TestIngressWildcardHostHTTPSWildcardSecret(t *testing.T) { rh, c, done := setup(t) defer done() - sec := &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "wildcard-tls-secret", - Namespace: "default", - }, - Type: "kubernetes.io/tls", - Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY), - } + sec := featuretests.TLSSecret(t, "wildcard-tls-secret", &featuretests.ServerCertificate) rh.OnAdd(sec) svc := fixture.NewService("svc").