From 93dad84bdd73af4f25334bbc163f7d83efa065ed Mon Sep 17 00:00:00 2001
From: npolshakova
Date: Thu, 16 May 2024 11:43:38 -0400
Subject: [PATCH] fix TestDisableAutomtlsOverridesSSLConfig assertion reset reason

---
 .../istio/gloo_gateway_auto_mtls_suite.go | 39 +++++++++----------
 .../istio/gloo_gateway_no_auto_mtls_suite.go | 2 +-
 test/kubernetes/e2e/features/istio/types.go | 2 +-
 3 files changed, 20 insertions(+), 23 deletions(-)

diff --git a/test/kubernetes/e2e/features/istio/gloo_gateway_auto_mtls_suite.go b/test/kubernetes/e2e/features/istio/gloo_gateway_auto_mtls_suite.go
index b8d0b473063..9183e8413cd 100644
--- a/test/kubernetes/e2e/features/istio/gloo_gateway_auto_mtls_suite.go
+++ b/test/kubernetes/e2e/features/istio/gloo_gateway_auto_mtls_suite.go
@@ -118,10 +118,22 @@ func (s *glooIstioAutoMtlsTestingSuite) TestMtlsPermissivePeerAuth() {
 s.NoError(err, "can delete generated routing manifest")
 })

- // Ensure that the proxy service and deployment are created
+ // Initially use automtls (no sslConfig on upstream)
 err := s.testInstallation.Actions.Kubectl().ApplyFile(s.ctx, s.enableAutomtlsFile)
+ // Ensure that the proxy service and deployment are created
 s.NoError(err, "can apply generated routing manifest")

+ s.testInstallation.Assertions.AssertEventualCurlResponse(
+ s.ctx,
+ curlPodExecOpt,
+ []curl.Option{
+ curl.WithHost(kubeutils.ServiceFQDN(metav1.ObjectMeta{Name: defaults.GatewayProxyName, Namespace: s.testInstallation.Metadata.InstallNamespace})),
+ curl.WithHostHeader("httpbin"),
+ curl.WithPath("/headers"),
+ curl.WithPort(80),
+ },
+ expectedMtlsResponse, time.Minute)
+
 // Apply permissive peer auth policy
 err = s.testInstallation.Actions.Kubectl().ApplyFile(s.ctx, permissivePeerAuthManifest)
 s.NoError(err, "can apply permissivePeerAuth")
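Review bot: In the TestMtlsPermissivePeerAuth hunk the comment `// Ensure that the proxy service and deployment are created` now sits between the `ApplyFile` call and its `s.NoError(err, ...)` check, where it describes neither line. It reads as if it belongs above the added `AssertEventualCurlResponse(...)` block, which is the step that actually waits for the proxy to answer; moving it there, for example as `// Ensure the proxy is serving over mTLS before the peer auth policy is applied`, keeps the error check directly under the call it checks. The added assertion also repeats the same four `curl.Option` values that other assertions in this file use, so a small helper returning that slice would stop the baseline and post-policy checks from drifting apart. The function body starts and ends outside the hunk.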
@@ -276,10 +288,11 @@ func (s *glooIstioAutoMtlsTestingSuite) TestDisableAutomtlsOverridesSSLConfig()
 s.NoError(err, "can delete manifest")
 })

- // Initially use automtls (remove sslConfig on upstream)
- err := s.testInstallation.Actions.Kubectl().ApplyFile(s.ctx, s.enableAutomtlsFile)
- s.NoError(err, "can apply generated routing manifest with automtls upstream")
+ // Uuse sslConfig on upstream with automtls disabled (sslConfig will overwrite automtls)
+ err := s.testInstallation.Actions.Kubectl().ApplyFile(s.ctx, s.sslConfigAndDisableAutomtlsFile)
+ s.NoError(err, "can apply generated routing manifest with sslConfig upstream")

+ // Check sslConfig upstream is working
 s.testInstallation.Assertions.AssertEventualCurlResponse(
 s.ctx,
 curlPodExecOpt,
@@ -295,7 +308,7 @@ func (s *glooIstioAutoMtlsTestingSuite) TestDisableAutomtlsOverridesSSLConfig()
 err = s.testInstallation.Actions.Kubectl().ApplyFile(s.ctx, disablePeerAuthManifest)
 s.NoError(err, "can apply disablePeerAuthManifest")

- // Check peer auth policy is working
+ // Check disable peer auth policy is working when sslConfig is set
 s.testInstallation.Assertions.AssertEventualCurlResponse(
 s.ctx,
 curlPodExecOpt,
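Review bot: The comment added at the top of the first TestDisableAutomtlsOverridesSSLConfig hunk has a typo (`Uuse`) and says sslConfig "will overwrite automtls", which reads as the reverse of the direction in the test name; I would write `// Use sslConfig on upstream with automtls disabled (sslConfig takes precedence over automtls)` and reconcile the test name or the wording so both say which setting wins. The matcher passed to the first `AssertEventualCurlResponse` call lies between the two hunks and is not touched by this commit, even though the manifest applied before it changed from `s.enableAutomtlsFile` to `s.sslConfigAndDisableAutomtlsFile`. It is worth confirming that the unchanged expectation still describes the sslConfig case, since a matcher left over from the automtls baseline would make the "sslConfig upstream is working" check assert the wrong transport. The function body starts and ends outside both hunks.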
@@ -306,20 +319,4 @@ func (s *glooIstioAutoMtlsTestingSuite) TestDisableAutomtlsOverridesSSLConfig()
 curl.WithPort(80),
 },
 expectedServiceUnavailableResponse, time.Minute)
-
- // Switch to use sslConfig on upstream (do not explictly disable automtls)
- err = s.testInstallation.Actions.Kubectl().ApplyFile(s.ctx, s.sslConfigAndDisableAutomtlsFile)
- s.NoError(err, "can apply generated routing manifest with sslConfig upstream")
-
- // Check sslConfig upstream is working
- s.testInstallation.Assertions.AssertEventualCurlResponse(
- s.ctx,
- curlPodExecOpt,
- []curl.Option{
- curl.WithHost(kubeutils.ServiceFQDN(metav1.ObjectMeta{Name: defaults.GatewayProxyName, Namespace: s.testInstallation.Metadata.InstallNamespace})),
- curl.WithHostHeader("httpbin"),
- curl.WithPath("/headers"),
- curl.WithPort(80),
- },
- expectedPlaintextResponse, time.Minute)
 }
diff --git a/test/kubernetes/e2e/features/istio/gloo_gateway_no_auto_mtls_suite.go b/test/kubernetes/e2e/features/istio/gloo_gateway_no_auto_mtls_suite.go
index e3abd49feeb..3ab79659574 100644
--- a/test/kubernetes/e2e/features/istio/gloo_gateway_no_auto_mtls_suite.go
+++ b/test/kubernetes/e2e/features/istio/gloo_gateway_no_auto_mtls_suite.go
@@ -129,7 +129,7 @@ func (s *glooIstioTestingSuite) TestPermissivePeerAuth() {
 }

 func (s *glooIstioTestingSuite) TestUpstreamSSLConfigStrictPeerAuth() {
- // With auto mtls disabled in the mesh, the request should fail when the strict peer auth policy is applied
+ // With auto mtls disabled in the mesh, the request should succeed when Upstream is configured with sslConfig
 s.testInstallation.Assertions.AssertEventualCurlResponse(
 s.ctx,
 curlPodExecOpt,
diff --git a/test/kubernetes/e2e/features/istio/types.go b/test/kubernetes/e2e/features/istio/types.go
index 37dff48035b..bdd59ff56a7 100644
--- a/test/kubernetes/e2e/features/istio/types.go
+++ b/test/kubernetes/e2e/features/istio/types.go
@@ -59,6 +59,6 @@ var (

 expectedServiceUnavailableResponse = &testmatchers.HttpResponse{
 StatusCode: http.StatusServiceUnavailable,
- Body: gomega.ContainSubstring("upstream connect error or disconnect/reset before headers. reset reason: connection termination"),
+ Body: gomega.ContainSubstring("upstream connect error or disconnect/reset before headers"),
 }
 )
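Review bot: Dropping `reset reason: connection termination` from `expectedServiceUnavailableResponse.Body` makes the matcher accept any 503 that carries the generic "upstream connect error" text. The negative peer-auth tests that use it could then pass when the upstream is unreachable for a reason unrelated to the mTLS policy under test; this is inferred, since the callers are only partly visible on this page. If the reset reason simply varies between a small set of values, matching that set keeps the assertion tied to the policy rejection, for example `Body: gomega.Or(gomega.ContainSubstring("reset reason: connection termination"), gomega.ContainSubstring("reset reason: <OTHER_OBSERVED_REASON>")),` with the placeholder replaced by the reason actually seen. At a minimum the looser match deserves a comment above the field, such as `// The reset reason is not stable across runs, so only the fixed prefix is matched.`, because the commit message does not say why the suffix was removed.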