Auth: Add external auth integration tests #2717

Closed
jpeach opened this issue Jul 22, 2020 · 3 comments
Labels
area/httpproxy Issues or PRs related to the HTTPProxy API. area/testing Issues or PRs related to tests or testing tools. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

jpeach commented Jul 22, 2020

Please describe the problem you have

Add integration tests to cover the major points of the external auth API. Ensure that context is provided properly, along with fail open, enable/disable and other API fields.

xref #432
xref #2643

@jpeach jpeach added area/httpproxy Issues or PRs related to the HTTPProxy API. area/testing Issues or PRs related to tests or testing tools. labels Jul 22, 2020
@jpeach jpeach self-assigned this Jul 22, 2020
jpeach commented Sep 11, 2020

Sample fixtures

# Create a self-signed issuer to give us secrets.

apiVersion: cert-manager.io/v1alpha3
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-conformance-echo
$apply:
  fixture:
    as: echo

---

apiVersion: v1
kind: Service
metadata:
  name: ingress-conformance-echo
$apply:
  fixture:
    as: echo

---

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: echo
spec:
  dnsNames:
  - echo.projectcontour.io
  secretName: echo
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer

---

# Separate testserver into its own namespace.

apiVersion: v1
kind: Namespace
metadata:
  name: testserver-auth

---

# Issue a self-signed certificate for testserver.

apiVersion: cert-manager.io/v1alpha3
kind: Certificate
metadata:
  name: testserver
  namespace: testserver-auth
spec:
  dnsNames:
  - testserver
  secretName: testserver
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: testserver
  namespace: testserver-auth
  labels:
    app.kubernetes.io/name: testserver
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: testserver
  replicas: 1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: testserver
    spec:
      serviceAccountName: testserver
      automountServiceAccountToken: false
      containers:
      - name: testserver
        image: docker.io/projectcontour/contour-authserver:v1
        imagePullPolicy: IfNotPresent
        command:
        - /contour-authserver
        args:
        - testserver
        - --address=:9443
        - --tls-ca-path=/tls/ca.crt
        - --tls-cert-path=/tls/tls.crt
        - --tls-key-path=/tls/tls.key
        ports:
        - name: auth
          containerPort: 9443
          protocol: TCP
        volumeMounts:
        - name: tls
          mountPath: /tls
          readOnly: true
        resources:
          limits:
            cpu: 100m
            memory: 30Mi
      volumes:
      - name: tls
        secret:
          secretName: testserver

---

apiVersion: v1
kind: Service
metadata:
  name: testserver
  namespace: testserver-auth
  labels:
    app.kubernetes.io/name: testserver
spec:
  ports:
  - name: auth
    protocol: TCP
    port: 9443
    targetPort: 9443
  selector:
    app.kubernetes.io/name: testserver
  type: ClusterIP

---

apiVersion: projectcontour.io/v1alpha1
kind: ExtensionService
metadata:
  name: testserver
  namespace: testserver-auth
spec:
  services:
  - name: testserver
    port: 9443

---

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: echo
spec:
  virtualhost:
    fqdn: echo.projectcontour.io
    tls:
      secretName: echo
    authorization:
      serviceRef:
        apiVersion: projectcontour.io/v1alpha1
        kind: ExtensionService
        name: testserver
        namespace: testserver-auth
      timeout: 500ms
      authPolicy:
        disabled: false
        context:
          key1: value1
          key2: value2
  routes:
  - services:
    - name: echo
      port: 80
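
The cases this issue asks the integration tests to cover (context propagation, enable/disable, fail open) can be written down as a small expectation model. This is an added example, not code from the Contour repository: the type and function names are hypothetical, and the merge and override semantics are assumptions about how a route-level policy combines with the virtual host policy in the fixture above.

```go
package main

import "fmt"

// AuthPolicy models the authPolicy stanza from the fixture.
type AuthPolicy struct {
	Disabled bool
	Context  map[string]string
}

// Effective combines the virtual host policy with an optional route policy.
// Assumed semantics: a route policy replaces the inherited disabled flag,
// and its context keys override virtual host keys of the same name.
func Effective(vhost AuthPolicy, route *AuthPolicy) AuthPolicy {
	out := AuthPolicy{Disabled: vhost.Disabled, Context: map[string]string{}}
	for k, v := range vhost.Context {
		out.Context[k] = v
	}
	if route != nil {
		out.Disabled = route.Disabled
		for k, v := range route.Context {
			out.Context[k] = v
		}
	}
	return out
}

// ReachesBackend is the expectation an integration test would assert:
// does the request get through to the echo service?
func ReachesBackend(p AuthPolicy, authUp, authAllows, failOpen bool) bool {
	if p.Disabled {
		return true // authorization skipped for this route
	}
	if !authUp {
		return failOpen // unreachable auth server: only fail open forwards
	}
	return authAllows
}

func main() {
	// Constructed sample: the fixture's context plus a hypothetical route override.
	vhost := AuthPolicy{Context: map[string]string{"key1": "value1", "key2": "value2"}}
	route := &AuthPolicy{Context: map[string]string{"key2": "route"}}
	fmt.Println(Effective(vhost, route).Context)
	for _, failOpen := range []bool{false, true} {
		fmt.Println("auth down, failOpen =", failOpen, "->",
			ReachesBackend(Effective(vhost, nil), false, false, failOpen))
	}
}
```

The fail-closed row is the one worth asserting explicitly in a real test, since a regression there silently forwards unauthenticated requests.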

jpeach added a commit to jpeach/contour that referenced this issue Sep 30, 2020
Add basic integration test for an external authorization server. This
ensures that if the authorization server is present, context is propagated
correctly, and authorization can be disabled on routes.

This updates projectcontour#2717.

Signed-off-by: James Peach <jpeach@vmware.com>
jpeach added a commit that referenced this issue Oct 1, 2020
Add a basic integration test for an external authorization server. This
ensures that if the authorization server is present, context is propagated
correctly, and authorization can be disabled on routes.

This updates #2717.

Signed-off-by: James Peach <jpeach@vmware.com>
@jpeach jpeach removed their assignment Jun 7, 2021

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, the Issue is closed

You can:

  • Mark this Issue as fresh by commenting
  • Close this Issue
  • Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 12, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Feb 16, 2024