Bug 1986228: NE-310 e2e test for HSTS
Showing
2 changed files
with
165 additions
and
0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,122 @@ | ||
// +build e2e | ||
|
||
package e2e | ||
|
||
import ( | ||
"context" | ||
"testing" | ||
"time" | ||
|
||
configv1 "github.com/openshift/api/config/v1" | ||
operatorv1 "github.com/openshift/api/operator/v1" | ||
routev1 "github.com/openshift/api/route/v1" | ||
"github.com/openshift/cluster-ingress-operator/pkg/operator/controller" | ||
|
||
appsv1 "k8s.io/api/apps/v1" | ||
corev1 "k8s.io/api/core/v1" | ||
"k8s.io/apimachinery/pkg/types" | ||
) | ||
|
||
// Helper function for int32 pointers | ||
func intPtr(s int32) *int32 { | ||
return &s | ||
} | ||
|
||
func TestHstsPolicyWorks(t *testing.T) { | ||
icName := types.NamespacedName{Namespace: operatorNamespace, Name: "hsts-policy"} | ||
domain := icName.Name + "." + dnsConfig.Spec.BaseDomain | ||
domain2 := icName.Name + "2." + dnsConfig.Spec.BaseDomain | ||
|
||
maxAgePolicy := configv1.MaxAgePolicy{LargestMaxAge: intPtr(99999), SmallestMaxAge: intPtr(1)} | ||
domainPatterns := []string{domain, domain2} | ||
hstsPolicy := []configv1.RequiredHSTSPolicy{ | ||
{ | ||
DomainPatterns: domainPatterns, | ||
PreloadPolicy: configv1.RequirePreloadPolicy, | ||
IncludeSubDomainsPolicy: configv1.RequireIncludeSubDomains, | ||
MaxAge: maxAgePolicy, | ||
}, | ||
} | ||
ic := newPrivateIngress(icName, domain, hstsPolicy) | ||
if err := kclient.Create(context.TODO(), ic); err != nil { | ||
t.Fatalf("failed to create ingress config %s: %v", icName, err) | ||
} else { | ||
p := ic.Spec.RequiredHSTSPolicies[0] | ||
t.Logf("created an ingress config with DomainPatterns: %v, preload policy: %s, includeSubDomains policy: %s, largest age: %d, smallest age: %d", p.DomainPatterns, p.PreloadPolicy, p.IncludeSubDomainsPolicy, *p.MaxAge.LargestMaxAge, *p.MaxAge.SmallestMaxAge) | ||
} | ||
defer assertIngressConfigDeleted(t, kclient, ic) | ||
|
||
conditions := []operatorv1.OperatorCondition{ | ||
{Type: operatorv1.IngressControllerAvailableConditionType, Status: operatorv1.ConditionTrue}, | ||
{Type: operatorv1.LoadBalancerManagedIngressConditionType, Status: operatorv1.ConditionFalse}, | ||
{Type: operatorv1.DNSManagedIngressConditionType, Status: operatorv1.ConditionFalse}, | ||
} | ||
io := newPrivateController(icName, domain) | ||
if err := kclient.Create(context.TODO(), io); err != nil { | ||
t.Fatalf("failed to create ingresscontroller %s: %v", icName, err) | ||
} | ||
defer assertIngressControllerDeleted(t, kclient, io) | ||
if err := waitForIngressControllerCondition(t, kclient, 5*time.Minute, icName, conditions...); err != nil { | ||
t.Fatalf("failed to observe expected conditions: %v", err) | ||
} | ||
|
||
deployment := &appsv1.Deployment{} | ||
if err := kclient.Get(context.TODO(), controller.RouterDeploymentName(io), deployment); err != nil { | ||
t.Fatalf("failed to get ingresscontroller deployment: %v", err) | ||
} | ||
|
||
service := &corev1.Service{} | ||
if err := kclient.Get(context.TODO(), controller.InternalIngressControllerServiceName(io), service); err != nil { | ||
t.Fatalf("failed to get ingresscontroller service: %v", err) | ||
} | ||
|
||
echoPod := buildEchoPod("hsts-policy-echo", deployment.Namespace) | ||
if err := kclient.Create(context.TODO(), echoPod); err != nil { | ||
t.Fatalf("failed to create pod %s/%s: %v", echoPod.Namespace, echoPod.Name, err) | ||
} | ||
defer func() { | ||
if err := kclient.Delete(context.TODO(), echoPod); err != nil { | ||
t.Fatalf("failed to delete pod %s/%s: %v", echoPod.Namespace, echoPod.Name, err) | ||
} | ||
}() | ||
|
||
echoService := buildEchoService(echoPod.Name, echoPod.Namespace, echoPod.ObjectMeta.Labels) | ||
if err := kclient.Create(context.TODO(), echoService); err != nil { | ||
t.Fatalf("failed to create service %s/%s: %v", echoService.Namespace, echoService.Name, err) | ||
} | ||
defer func() { | ||
if err := kclient.Delete(context.TODO(), echoService); err != nil { | ||
t.Fatalf("failed to delete service %s/%s: %v", echoService.Namespace, echoService.Name, err) | ||
} | ||
}() | ||
|
||
// this should pass the HSTS policy validation | ||
echoRoute := buildRoute(echoPod.Name, echoPod.Namespace, echoService.Name) | ||
echoRoute.Spec = routev1.RouteSpec{Host: domain, TLS: &routev1.TLSConfig{Termination: routev1.TLSTerminationReencrypt}} | ||
echoRoute.Annotations = map[string]string{ | ||
"haproxy.router.openshift.io/hsts_header": "max-age=99999", | ||
} | ||
if err := kclient.Create(context.TODO(), echoRoute); err != nil { | ||
t.Fatalf("failed to create route %s/%s: %v", echoRoute.Namespace, echoRoute.Name, err) | ||
} else { | ||
t.Logf("created a route %s/%s with annotation %s", echoRoute.Namespace, echoRoute.Name, echoRoute.Annotations) | ||
} | ||
|
||
// this should fail the HSTS policy validation | ||
echoRoute2 := buildRoute(echoPod.Name+"2", echoPod.Namespace, echoService.Name) | ||
echoRoute2.Spec = routev1.RouteSpec{Host: domain2, TLS: &routev1.TLSConfig{Termination: routev1.TLSTerminationReencrypt}} | ||
echoRoute2.Annotations = map[string]string{ | ||
"haproxy.router.openshift.io/hsts_header": "max-age=99999999", | ||
} | ||
if err := kclient.Create(context.TODO(), echoRoute2); err == nil { | ||
t.Fatalf("failed to reject invalid route %s/%s, max-age 99999999", echoRoute2.Namespace, echoRoute2.Name) | ||
} else { | ||
t.Logf("rejected an invalid route %s/%s with annotation %s: %v", echoRoute2.Namespace, echoRoute2.Name, echoRoute2.Annotations, err) | ||
} | ||
|
||
defer func() { | ||
if err := kclient.Delete(context.TODO(), echoRoute); err != nil { | ||
t.Fatalf("failed to delete route %s/%s: %v", echoRoute.Namespace, echoRoute.Name, err) | ||
} | ||
}() | ||
} |
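Review bot: The cleanup for echoRoute is registered only after the negative case, so if the invalid route is unexpectedly admitted and the test stops at `t.Fatalf("failed to reject invalid route %s/%s, max-age 99999999", ...)`, echoRoute is never deleted and the accidentally created echoRoute2 is never deleted either; move the `defer func() { if err := kclient.Delete(context.TODO(), echoRoute); ... }()` to directly after the successful Create of echoRoute, and in the `err == nil` branch delete echoRoute2 before failing. The negative case also passes on any non-nil error, so an unrelated admission failure (host conflict, timeout) would make the test vacuously green; assert that the error actually refers to the HSTS policy, e.g. check that `err.Error()` mentions `max-age` or whatever rejection text the route validator emits. Separately, the policy declares `configv1.RequirePreloadPolicy` and `configv1.RequireIncludeSubDomains`, yet the route expected to pass carries only `max-age=99999`; if those policies are enforced as their names suggest, this positive case should be rejected too, so either the annotation should read `"haproxy.router.openshift.io/hsts_header": "max-age=99999;includeSubDomains;preload"` or the test is masking an enforcement gap that is worth confirming before merge. Using `t.Errorf` instead of `t.Fatalf` inside the deferred cleanups would also let the remaining cleanups run when one delete fails.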