fix TestDisableAutomtlsOverridesSSLConfig assertion reset reason

solo-io · May 16, 2024 · 93dad84 · 93dad84
1 parent 2ac8189
commit 93dad84
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 23 deletions.
diff --git a/test/kubernetes/e2e/features/istio/gloo_gateway_auto_mtls_suite.go b/test/kubernetes/e2e/features/istio/gloo_gateway_auto_mtls_suite.go
@@ -118,10 +118,22 @@ func (s *glooIstioAutoMtlsTestingSuite) TestMtlsPermissivePeerAuth() {
 		s.NoError(err, "can delete generated routing manifest")
 	})
 
-	// Ensure that the proxy service and deployment are created
+	// Initially use automtls (no sslConfig on upstream)
 	err := s.testInstallation.Actions.Kubectl().ApplyFile(s.ctx, s.enableAutomtlsFile)
+	// Ensure that the proxy service and deployment are created
 	s.NoError(err, "can apply generated routing manifest")
 
+	s.testInstallation.Assertions.AssertEventualCurlResponse(
+		s.ctx,
+		curlPodExecOpt,
+		[]curl.Option{
+			curl.WithHost(kubeutils.ServiceFQDN(metav1.ObjectMeta{Name: defaults.GatewayProxyName, Namespace: s.testInstallation.Metadata.InstallNamespace})),
+			curl.WithHostHeader("httpbin"),
+			curl.WithPath("/headers"),
+			curl.WithPort(80),
+		},
+		expectedMtlsResponse, time.Minute)
+
 	// Apply permissive peer auth policy
 	err = s.testInstallation.Actions.Kubectl().ApplyFile(s.ctx, permissivePeerAuthManifest)
 	s.NoError(err, "can apply permissivePeerAuth")
@@ -276,10 +288,11 @@ func (s *glooIstioAutoMtlsTestingSuite) TestDisableAutomtlsOverridesSSLConfig()
 		s.NoError(err, "can delete manifest")
 	})
 
-	// Initially use automtls (remove sslConfig on upstream)
-	err := s.testInstallation.Actions.Kubectl().ApplyFile(s.ctx, s.enableAutomtlsFile)
-	s.NoError(err, "can apply generated routing manifest with automtls upstream")
+	// Uuse sslConfig on upstream with automtls disabled (sslConfig will overwrite automtls)
+	err := s.testInstallation.Actions.Kubectl().ApplyFile(s.ctx, s.sslConfigAndDisableAutomtlsFile)
+	s.NoError(err, "can apply generated routing manifest with sslConfig upstream")
 
+	// Check sslConfig upstream is working
 	s.testInstallation.Assertions.AssertEventualCurlResponse(
 		s.ctx,
 		curlPodExecOpt,
@@ -295,7 +308,7 @@ func (s *glooIstioAutoMtlsTestingSuite) TestDisableAutomtlsOverridesSSLConfig()
 	err = s.testInstallation.Actions.Kubectl().ApplyFile(s.ctx, disablePeerAuthManifest)
 	s.NoError(err, "can apply disablePeerAuthManifest")
 
-	// Check peer auth policy is working
+	// Check disable peer auth policy is working when sslConfig is set
 	s.testInstallation.Assertions.AssertEventualCurlResponse(
 		s.ctx,
 		curlPodExecOpt,
@@ -306,20 +319,4 @@ func (s *glooIstioAutoMtlsTestingSuite) TestDisableAutomtlsOverridesSSLConfig()
 			curl.WithPort(80),
 		},
 		expectedServiceUnavailableResponse, time.Minute)
-
-	// Switch to use sslConfig on upstream (do not explictly disable automtls)
-	err = s.testInstallation.Actions.Kubectl().ApplyFile(s.ctx, s.sslConfigAndDisableAutomtlsFile)
-	s.NoError(err, "can apply generated routing manifest with sslConfig upstream")
-
-	// Check sslConfig upstream is working
-	s.testInstallation.Assertions.AssertEventualCurlResponse(
-		s.ctx,
-		curlPodExecOpt,
-		[]curl.Option{
-			curl.WithHost(kubeutils.ServiceFQDN(metav1.ObjectMeta{Name: defaults.GatewayProxyName, Namespace: s.testInstallation.Metadata.InstallNamespace})),
-			curl.WithHostHeader("httpbin"),
-			curl.WithPath("/headers"),
-			curl.WithPort(80),
-		},
-		expectedPlaintextResponse, time.Minute)
 }
diff --git a/test/kubernetes/e2e/features/istio/gloo_gateway_no_auto_mtls_suite.go b/test/kubernetes/e2e/features/istio/gloo_gateway_no_auto_mtls_suite.go
@@ -129,7 +129,7 @@ func (s *glooIstioTestingSuite) TestPermissivePeerAuth() {
 }
 
 func (s *glooIstioTestingSuite) TestUpstreamSSLConfigStrictPeerAuth() {
-	// With auto mtls disabled in the mesh, the request should fail when the strict peer auth policy is applied
+	// With auto mtls disabled in the mesh, the request should succeed when Upstream is configured with sslConfig
 	s.testInstallation.Assertions.AssertEventualCurlResponse(
 		s.ctx,
 		curlPodExecOpt,

diff --git a/test/kubernetes/e2e/features/istio/types.go b/test/kubernetes/e2e/features/istio/types.go
@@ -59,6 +59,6 @@ var (
 
 	expectedServiceUnavailableResponse = &testmatchers.HttpResponse{
 		StatusCode: http.StatusServiceUnavailable,
-		Body:       gomega.ContainSubstring("upstream connect error or disconnect/reset before headers. reset reason: connection termination"),
+		Body:       gomega.ContainSubstring("upstream connect error or disconnect/reset before headers"),
 	}
 )