From 08c4533ca0c596efbec5eac66740e2c1526e6b16 Mon Sep 17 00:00:00 2001
From: tellet
Date: Wed, 17 Jul 2019 17:58:32 +0300
Subject: [PATCH] Add tests for TLS Support (VS+VSR)
---
tests/data/common/app/secure/app.yaml | 108 ++++++++++
.../data/common/app/vsr/secure/multiple.yaml | 66 ++++++
tests/data/common/app/vsr/secure/single.yaml | 79 ++++++++
.../route-multiple.yaml | 22 ++
.../route-single-disable-tls.yaml | 15 ++
.../route-single-invalid.yaml | 15 ++
.../route-single.yaml | 15 ++
.../standard/virtual-server.yaml | 11 +
.../standard/virtual-server.yaml | 22 ++
.../virtual-server-disable-tls.yaml | 22 ++
.../virtual-server-invalid.yaml | 22 ++
tests/suite/test_hsts.py | 4 +-
tests/suite/test_v_s_route_upstream_tls.py | 188 ++++++++++++++++++
.../suite/test_virtual_server_upstream_tls.py | 124 ++++++++++++
14 files changed, 711 insertions(+), 2 deletions(-)
create mode 100644 tests/data/common/app/secure/app.yaml
create mode 100644 tests/data/common/app/vsr/secure/multiple.yaml
create mode 100644 tests/data/common/app/vsr/secure/single.yaml
create mode 100644 tests/data/virtual-server-route-upstream-tls/route-multiple.yaml
create mode 100644 tests/data/virtual-server-route-upstream-tls/route-single-disable-tls.yaml
create mode 100644 tests/data/virtual-server-route-upstream-tls/route-single-invalid.yaml
create mode 100644 tests/data/virtual-server-route-upstream-tls/route-single.yaml
create mode 100644 tests/data/virtual-server-route-upstream-tls/standard/virtual-server.yaml
create mode 100644 tests/data/virtual-server-upstream-tls/standard/virtual-server.yaml
create mode 100644 tests/data/virtual-server-upstream-tls/virtual-server-disable-tls.yaml
create mode 100644 tests/data/virtual-server-upstream-tls/virtual-server-invalid.yaml
create mode 100644 tests/suite/test_v_s_route_upstream_tls.py
create mode 100644 tests/suite/test_virtual_server_upstream_tls.py
diff --git a/tests/data/common/app/secure/app.yaml b/tests/data/common/app/secure/app.yaml
new file mode 100644
index 0000000000..8cdfa640c7
--- /dev/null
+++ b/tests/data/common/app/secure/app.yaml
@@ -0,0 +1,108 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: backend1
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: backend1
+ template:
+ metadata:
+ labels:
+ app: backend1
+ spec:
+ containers:
+ - name: backend1
+ image: nginxdemos/hello:plain-text
+ ports:
+ - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: backend1-svc
+spec:
+ ports:
+ - port: 80
+ targetPort: 80
+ protocol: TCP
+ name: http
+ selector:
+ app: backend1
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: backend2
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: backend2
+ template:
+ metadata:
+ labels:
+ app: backend2
+ spec:
+ containers:
+ - name: backend2
+ image: nginx
+ ports:
+ - containerPort: 80
+ volumeMounts:
+ - name: secret
+ mountPath: "/etc/nginx/ssl"
+ readOnly: true
+ - name: config-volume
+ mountPath: /etc/nginx/conf.d
+ volumes:
+ - name: secret
+ secret:
+ secretName: app-tls-secret
+ - name: config-volume
+ configMap:
+ name: secure-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: backend2-svc
+spec:
+ ports:
+ - port: 80
+ targetPort: 443
+ protocol: TCP
+ name: https
+ selector:
+ app: backend2
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: secure-config
+data:
+ app.conf: |-
+ server {
+ listen 443 ssl;
+
+ server_name app.example.com;
+
+ ssl_certificate /etc/nginx/ssl/tls.crt;
+ ssl_certificate_key /etc/nginx/ssl/tls.key;
+
+ default_type text/plain;
+
+ location / {
+ return 200 "here is your response via ssl port $server_port with X-Forwarded-Port $http_x_forwarded_port\n";
+ }
+ }
+---
+apiVersion: v1
+data:
+ tls.crt: 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
+ tls.key: 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
+kind: Secret
+metadata:
+ name: app-tls-secret
+type: Opaque
\ No newline at end of file
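Review bot: The `app-tls-secret` Secret at the end of this fixture commits a private key (`tls.key`) next to its certificate, and nothing in the file marks it as a throwaway. Add a comment above the Secret such as `# Test-only key pair for app.example.com; never reuse outside this test suite`, so that secret scanners and later readers can triage it quickly. The Secret is declared `type: Opaque`; `type: kubernetes.io/tls` would have the API server check that both `tls.crt` and `tls.key` are present. The same Secret is repeated in tests/data/common/app/vsr/secure/single.yaml. Separately, `image: nginx` for backend2 carries no tag, so the TLS backend under test can change between runs; pinning a tag keeps the fixture reproducible.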
diff --git a/tests/data/common/app/vsr/secure/multiple.yaml b/tests/data/common/app/vsr/secure/multiple.yaml
new file mode 100644
index 0000000000..967697a3fb
--- /dev/null
+++ b/tests/data/common/app/vsr/secure/multiple.yaml
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: backend1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: backend1
+ template:
+ metadata:
+ labels:
+ app: backend1
+ spec:
+ containers:
+ - name: backend1
+ image: nginxdemos/hello:plain-text
+ ports:
+ - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: backend1-svc
+spec:
+ ports:
+ - port: 80
+ targetPort: 80
+ protocol: TCP
+ name: http
+ selector:
+ app: backend1
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: backend3
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: backend3
+ template:
+ metadata:
+ labels:
+ app: backend3
+ spec:
+ containers:
+ - name: backend3
+ image: nginxdemos/hello:plain-text
+ ports:
+ - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: backend3-svc
+ labels:
+spec:
+ ports:
+ - port: 80
+ targetPort: 80
+ protocol: TCP
+ name: http
+ selector:
+ app: backend3
\ No newline at end of file
diff --git a/tests/data/common/app/vsr/secure/single.yaml b/tests/data/common/app/vsr/secure/single.yaml
new file mode 100644
index 0000000000..720aac43d4
--- /dev/null
+++ b/tests/data/common/app/vsr/secure/single.yaml
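Review bot: In multiple.yaml, `backend3-svc` has a bare `labels:` key under `metadata` with no entries, which parses as null and reads like a leftover; drop the line or give it the labels it was meant to carry. The file also sits under `secure/` although both backends here serve plain HTTP on port 80, so a one-line header comment such as `# plain-HTTP backends; the TLS backend is defined in single.yaml` would explain the split.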
@@ -0,0 +1,79 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: backend2
+ namespace: backend2-namespace
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: backend2
+ template:
+ metadata:
+ labels:
+ app: backend2
+ spec:
+ containers:
+ - name: backend2
+ image: nginx
+ ports:
+ - containerPort: 80
+ volumeMounts:
+ - name: secret
+ mountPath: "/etc/nginx/ssl"
+ readOnly: true
+ - name: config-volume
+ mountPath: /etc/nginx/conf.d
+ volumes:
+ - name: secret
+ secret:
+ secretName: app-tls-secret
+ - name: config-volume
+ configMap:
+ name: secure-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: backend2-svc
+ namespace: backend2-namespace
+spec:
+ ports:
+ - port: 80
+ targetPort: 443
+ protocol: TCP
+ name: https
+ selector:
+ app: backend2
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: secure-config
+ namespace: backend2-namespace
+data:
+ app.conf: |-
+ server {
+ listen 443 ssl;
+
+ server_name app.example.com;
+
+ ssl_certificate /etc/nginx/ssl/tls.crt;
+ ssl_certificate_key /etc/nginx/ssl/tls.key;
+
+ default_type text/plain;
+
+ location / {
+ return 200 "here is your response via ssl port $server_port with X-Forwarded-Port $http_x_forwarded_port\n";
+ }
+ }
+---
+apiVersion: v1
+data:
+ tls.crt:
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVCakNDQXU2Z0F3SUJBZ0lKQUpicWVnTHB0U2JhTUEwR0NTcUdTSWIzRFFFQkJRVUFNRjh4Q3pBSkJnTlYKQkFZVEFrZENNUk13RVFZRFZRUUlFd3BUYjIxbExWTjBZWFJsTVNFd0h3WURWUVFLRXhoSmJuUmxjbTVsZENCWAphV1JuYVhSeklGQjBlU0JNZEdReEdEQVdCZ05WQkFNVEQyRndjQzVsZUdGdGNHeGxMbU52YlRBZUZ3MHhPREF5Ck1USXdNREF6TkRWYUZ3MHhPVEF5TVRJd01EQXpORFZhTUY4eEN6QUpCZ05WQkFZVEFrZENNUk13RVFZRFZRUUkKRXdwVGIyMWxMVk4wWVhSbE1TRXdId1lEVlFRS0V4aEpiblJsY201bGRDQlhhV1JuYVhSeklGQjBlU0JNZEdReApHREFXQmdOVkJBTVREMkZ3Y0M1bGVHRnRjR3hsTG1OdmJUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQCkFEQ0NBUW9DZ2dFQkFLenNmMll0R2hVU0lyYWpTS1ZLSVBrTmFzODcrTzJDaHlsZTduL212V012WFJZZWI2R3oKQktKV3FkSS9UajlQQlJxTWVzajByMjF5UlAwaVc0VVBTYjZNT3psNisyYjBJeS9nTEhJRGxJN0NDTVU5cThHSAorL3Y4ZjAyMXJWYmUrNGdsWmZWVTZJbXg2Vlc0ODkzVTcwQXR6Y1hGNnFDUGRUWDNjWW02MTVmNE02M1YzdTdqClJGN1JINzBDL1NScVVvN29FVmZxR0thN1prdWVodnlLSWZURE5hQUt0WFhDLzlCeDlYSDIyREFxcTVKRUhHVHAKSVluRFE4eFdFRXlUQmx1V2JwU0JwUEVMRDcyUHhwQW9DU0trdVdXSzJYbmlKOG9BTFZJWlhaaHFvamw4Sk5SMgpiNWE3RFJEcTNTYzNNSzhwMEwzZXFsLzRPcnhjUGdJUVdtTUNBd0VBQWFPQnhEQ0J3VEFkQmdOVkhRNEVGZ1FVCmtvK2owNGJWaDZyTjdCbk8wbjRLMUo4S2tIRXdnWkVHQTFVZEl3U0JpVENCaG9BVWtvK2owNGJWaDZyTjdCbk8KMG40SzFKOEtrSEdoWTZSaE1GOHhDekFKQmdOVkJBWVRBa2RDTVJNd0VRWURWUVFJRXdwVGIyMWxMVk4wWVhSbApNU0V3SHdZRFZRUUtFeGhKYm5SbGNtNWxkQ0JYYVdSbmFYUnpJRkIwZVNCTWRHUXhHREFXQmdOVkJBTVREMkZ3CmNDNWxlR0Z0Y0d4bExtTnZiWUlKQUpicWVnTHB0U2JhTUF3R0ExVWRFd1FGTUFNQkFmOHdEUVlKS29aSWh2Y04KQVFFRkJRQURnZ0VCQUc3RUxMUGVrQXJkYy9COUxsZXZsMCtLNWtYN2JsZDBqa1JmZjRzalA5MTdkSFliem0zMQoxNi9QT0ZKc3ZmOTFhNXdOTnNzL3JOVG13ZEZuSC8xNTJJVEgyamJiUEd5bGIyMkNiemgvU09XWVUzcnJEeHk3ClVtMFNqMmdJUHRWdjc3WTY4Y1ZtOTNVK3oxNjM1akVNUUtXcUpYRlBCSU9iWVd1SWNManJ1WTg5dGhpdUtVNTcKNGlraFlqT0t2ZnU4NVNyUDQybGV5Qk1PMHROVVNCZWl6SmZpWDA1N3RtR0xwaXhRYnBsaTlXUjc5bXpLcFJwZApEaEdFMHpxZ1ZSMDlOeGF2cmpNcjdtNHpvRGg1d09McFVQSEVCU2FhU2QzNzA4WGwrTFVDSTNQajhHcEtvUWRlCm11b2t3MndVTFQzR0ZTZjd4OTZSdUJqTmRWb3NSRkJpZjM0PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + tls.key: 
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
+kind: Secret
+metadata:
+ name: app-tls-secret
+ namespace: backend2-namespace
+type: Opaque
\ No newline at end of file
diff --git a/tests/data/virtual-server-route-upstream-tls/route-multiple.yaml b/tests/data/virtual-server-route-upstream-tls/route-multiple.yaml
new file mode 100644
index 0000000000..1b877482c7
--- /dev/null
+++ b/tests/data/virtual-server-route-upstream-tls/route-multiple.yaml
@@ -0,0 +1,22 @@
+apiVersion: k8s.nginx.org/v1alpha1
+kind: VirtualServerRoute
+metadata:
+ name: backends
+spec:
+ host: virtual-server-route.example.com
+ upstreams:
+ - name: backend1
+ service: backend1-svc
+ port: 80
+ tls:
+ enable:
+ - name: backend3
+ service: backend3-svc
+ port: 80
+ tls:
+ enable: False
+ subroutes:
+ - path: "/backends/backend1"
+ upstream: backend1
+ - path: "/backends/backend3"
+ upstream: backend3
\ No newline at end of file
diff --git a/tests/data/virtual-server-route-upstream-tls/route-single-disable-tls.yaml b/tests/data/virtual-server-route-upstream-tls/route-single-disable-tls.yaml
new file mode 100644
index 0000000000..90cb1c608f
--- /dev/null
+++ b/tests/data/virtual-server-route-upstream-tls/route-single-disable-tls.yaml
@@ -0,0 +1,15 @@
+apiVersion: k8s.nginx.org/v1alpha1
+kind: VirtualServerRoute
+metadata:
+ name: backend2
+spec:
+ host: virtual-server-route.example.com
+ upstreams:
+ - name: backend2
+ service: backend2-svc
+ port: 80
+ tls:
+ enable:
+ subroutes:
+ - path: "/backend2"
+ upstream: backend2
\ No newline at end of file
diff --git a/tests/data/virtual-server-route-upstream-tls/route-single-invalid.yaml b/tests/data/virtual-server-route-upstream-tls/route-single-invalid.yaml
new file mode 100644
index 0000000000..dd9d5a704c
--- /dev/null
+++ b/tests/data/virtual-server-route-upstream-tls/route-single-invalid.yaml
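Review bot: In single.yaml, the `tls.crt` value of `app-tls-secret` appears to decode to a self-signed certificate for app.example.com that is valid only from 2018-02-12 to 2019-02-12 and is signed with SHA-1, so it had already expired when this patch was written (July 2019). The tests still expect HTTP 200 through `proxy_pass https://…`, which suggests the generated upstream configuration does not verify the backend certificate; that is worth confirming. State it on the Secret, for example `# expired self-signed test certificate; upstream certificate verification is not exercised by these tests`, or regenerate the pair, so that a later change enabling verification does not break the suite for an unexplained reason.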
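Review bot: In route-multiple.yaml, `backend1` gets `tls:` with an empty `enable:` (YAML null) while `backend3` uses `enable: False`, so the fixture relies on null behaving like false without saying so. If the null case is deliberate, add `# enable left empty on purpose: null must behave like false`; otherwise write `enable: False`. route-single-disable-tls.yaml and virtual-server-disable-tls.yaml do the same for backend2, which means the "disable TLS" tests cover an unset value rather than an explicit `False`.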
@@ -0,0 +1,15 @@
+apiVersion: k8s.nginx.org/v1alpha1
+kind: VirtualServerRoute
+metadata:
+ name: backend2
+spec:
+ host: virtual-server-route.example.com
+ upstreams:
+ - name: backend2
+ service: backend2-svc
+ port: 80
+ tls:
+ enable: ""
+ subroutes:
+ - path: "/backend2"
+ upstream: backend2
\ No newline at end of file
diff --git a/tests/data/virtual-server-route-upstream-tls/route-single.yaml b/tests/data/virtual-server-route-upstream-tls/route-single.yaml
new file mode 100644
index 0000000000..462920b194
--- /dev/null
+++ b/tests/data/virtual-server-route-upstream-tls/route-single.yaml
@@ -0,0 +1,15 @@
+apiVersion: k8s.nginx.org/v1alpha1
+kind: VirtualServerRoute
+metadata:
+ name: backend2
+spec:
+ host: virtual-server-route.example.com
+ upstreams:
+ - name: backend2
+ service: backend2-svc
+ port: 80
+ tls:
+ enable: True
+ subroutes:
+ - path: "/backend2"
+ upstream: backend2
\ No newline at end of file
diff --git a/tests/data/virtual-server-route-upstream-tls/standard/virtual-server.yaml b/tests/data/virtual-server-route-upstream-tls/standard/virtual-server.yaml
new file mode 100644
index 0000000000..36a354f3a6
--- /dev/null
+++ b/tests/data/virtual-server-route-upstream-tls/standard/virtual-server.yaml
@@ -0,0 +1,11 @@
+apiVersion: k8s.nginx.org/v1alpha1
+kind: VirtualServer
+metadata:
+ name: virtual-server-route
+spec:
+ host: virtual-server-route.example.com
+ routes:
+ - path: "/backends"
+ route: backends-namespace/backends
+ - path: "/backend2"
+ route: backend2-namespace/backend2
\ No newline at end of file
diff --git a/tests/data/virtual-server-upstream-tls/standard/virtual-server.yaml b/tests/data/virtual-server-upstream-tls/standard/virtual-server.yaml
new file mode 100644
index 0000000000..130e636c8f
--- /dev/null
+++ b/tests/data/virtual-server-upstream-tls/standard/virtual-server.yaml
@@ -0,0 +1,22 @@
+apiVersion: k8s.nginx.org/v1alpha1
+kind: VirtualServer
+metadata:
+ name: virtual-server
+spec:
+ host: virtual-server.example.com
+ upstreams:
+ - name: backend2
+ service: backend2-svc
+ port: 80
+ tls:
+ enable: True
+ - name: backend1
+ service: backend1-svc
+ port: 80
+ tls:
+ enable: False
+ routes:
+ - path: "/backend1"
+ upstream: backend1
+ - path: "/backend2"
+ upstream: backend2
\ No newline at end of file
diff --git a/tests/data/virtual-server-upstream-tls/virtual-server-disable-tls.yaml b/tests/data/virtual-server-upstream-tls/virtual-server-disable-tls.yaml
new file mode 100644
index 0000000000..63750305f4
--- /dev/null
+++ b/tests/data/virtual-server-upstream-tls/virtual-server-disable-tls.yaml
@@ -0,0 +1,22 @@
+apiVersion: k8s.nginx.org/v1alpha1
+kind: VirtualServer
+metadata:
+ name: virtual-server
+spec:
+ host: virtual-server.example.com
+ upstreams:
+ - name: backend2
+ service: backend2-svc
+ port: 80
+ tls:
+ enable:
+ - name: backend1
+ service: backend1-svc
+ port: 80
+ tls:
+ enable: False
+ routes:
+ - path: "/backend1"
+ upstream: backend1
+ - path: "/backend2"
+ upstream: backend2
\ No newline at end of file
diff --git a/tests/data/virtual-server-upstream-tls/virtual-server-invalid.yaml b/tests/data/virtual-server-upstream-tls/virtual-server-invalid.yaml
new file mode 100644
index 0000000000..bcb0a772a8
--- /dev/null
+++ b/tests/data/virtual-server-upstream-tls/virtual-server-invalid.yaml
@@ -0,0 +1,22 @@
+apiVersion: k8s.nginx.org/v1alpha1
+kind: VirtualServer
+metadata:
+ name: virtual-server
+spec:
+ host: virtual-server.example.com
+ upstreams:
+ - name: backend2
+ service: backend2-svc
+ port: 80
+ tls:
+ enable: Invalid
+ - name: backend1
+ service: backend1-svc
+ port: 80
+ tls:
+ enable: False
+ routes:
+ - path: "/backend1"
+ upstream: backend1
+ - path: "/backend2"
+ upstream: backend2
\ No newline at end of file
diff --git a/tests/suite/test_hsts.py b/tests/suite/test_hsts.py index ea5acccb82..451632beb7 100644 --- a/tests/suite/test_hsts.py +++ b/tests/suite/test_hsts.py @@ -41,7 +41,7 @@ def hsts_setup(request, test_namespace) ingress_name = get_names_from_yaml(f"{TEST_DATA}/hsts/{request.param}/hsts-ingress.yaml")[0] ingress_host = get_first_ingress_host_from_yaml(f"{TEST_DATA}/hsts/{request.param}/hsts-ingress.yaml") - common_app = create_example_app(kube_apis, "simple", test_namespace) + create_example_app(kube_apis, "simple", test_namespace) wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, @@ -52,7 +52,7 @@ def hsts_setup(request, def fin(): print("Clean up HSTS Example:") - delete_common_app(kube_apis.v1, kube_apis.apps_v1_api, common_app, test_namespace) + delete_common_app(kube_apis, "simple", test_namespace) delete_items_from_yaml(kube_apis, f"{TEST_DATA}/hsts/{request.param}/hsts-ingress.yaml", test_namespace) diff --git a/tests/suite/test_v_s_route_upstream_tls.py b/tests/suite/test_v_s_route_upstream_tls.py new file mode 100644 index 0000000000..074a11301b --- /dev/null +++ b/tests/suite/test_v_s_route_upstream_tls.py 
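Review bot: In test_hsts.py, the new `delete_common_app(kube_apis, "simple", test_namespace)` call depends on a helper signature that this patch does not change (no utility module appears in the diffstat), so confirm that `create_example_app` and `delete_common_app` already take the app name on the base branch. The literal `"simple"` is now repeated in setup and teardown; binding it once, e.g. `app_name = "simple"`, keeps the two calls from drifting apart. The body of `hsts_setup` starts and ends outside these hunks.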
@@ -0,0 +1,188 @@
+import requests
+import pytest
+
+from settings import TEST_DATA
+from suite.custom_resources_utils import get_vs_nginx_template_conf, patch_v_s_route_from_yaml
+from suite.resources_utils import create_items_from_yaml, get_first_pod_name, \
+ delete_items_from_yaml, wait_until_all_pods_are_ready, wait_before_test, get_events
+
+
+def assert_response_codes(resp_1, resp_2, code_1=200, code_2=200):
+ assert resp_1.status_code == code_1
+ assert resp_2.status_code == code_2
+
+
+def get_event_count(event_text, events_list) -> int:
+ for i in range(len(events_list) - 1, -1, -1):
+ if event_text in events_list[i].message:
+ return events_list[i].count
+ pytest.fail(f"Failed to find the event \"{event_text}\" in the list. Exiting...")
+
+
+def assert_event_count_increased(event_text, count, events_list):
+ for i in range(len(events_list) - 1, -1, -1):
+ if event_text in events_list[i].message:
+ assert events_list[i].count > count
+ return
+ pytest.fail(f"Failed to find the event \"{event_text}\" in the list. Exiting...")
+
+
+def assert_event(event_text, events_list):
+ for i in range(len(events_list) - 1, -1, -1):
+ if event_text in events_list[i].message:
+ return
+ pytest.fail(f"Failed to find the event \"{event_text}\" in the list. Exiting...")
+
+
+def assert_no_new_events(old_list, new_list):
+ assert len(old_list) == len(new_list), "expected: lists are the same"
+ for i in range(len(new_list) - 1, -1, -1):
+ if old_list[i].count != new_list[i].count:
+ pytest.fail(f"Expected: no new events. There is a new event found:\"{new_list[i].message}\". Exiting...")
+
+
+@pytest.fixture(scope="class")
+def v_s_route_secure_app_setup(request, kube_apis, v_s_route_setup) -> None:
+ """
+ Prepare a secure example app for Virtual Server Route.
+
+ 1st namespace with backend1-svc and backend3-svc and deployment
+ and 2nd namespace with https backend2-svc and deployment.
+
+ :param request: internal pytest fixture
+ :param kube_apis: client apis
+ :param v_s_route_setup:
+ :return:
+ """
+ print("---------------------- Deploy a VS Route Example Application ----------------------------")
+ create_items_from_yaml(kube_apis,
+ f"{TEST_DATA}/common/app/vsr/secure/multiple.yaml", v_s_route_setup.route_m.namespace)
+
+ create_items_from_yaml(kube_apis,
+ f"{TEST_DATA}/common/app/vsr/secure/single.yaml", v_s_route_setup.route_s.namespace)
+
+ wait_until_all_pods_are_ready(kube_apis.v1, v_s_route_setup.route_m.namespace)
+ wait_until_all_pods_are_ready(kube_apis.v1, v_s_route_setup.route_s.namespace)
+
+ def fin():
+ print("Clean up the Application:")
+ delete_items_from_yaml(kube_apis,
+ f"{TEST_DATA}/common/app/vsr/secure/multiple.yaml",
+ v_s_route_setup.route_m.namespace)
+ delete_items_from_yaml(kube_apis,
+ f"{TEST_DATA}/common/app/vsr/secure/single.yaml",
+ v_s_route_setup.route_s.namespace)
+
+ request.addfinalizer(fin)
+
+
+@pytest.mark.parametrize('crd_ingress_controller, v_s_route_setup',
+ [({"type": "complete", "extra_args": [f"-enable-custom-resources"]},
+ {"example": "virtual-server-route-upstream-tls"})],
+ indirect=True)
+class TestVSRouteUpstreamOptions:
+ def test_responses_and_config_after_setup(self, kube_apis, ingress_controller_prerequisites,
+ crd_ingress_controller, v_s_route_setup, v_s_route_secure_app_setup):
+ ic_pod_name = get_first_pod_name(kube_apis.v1, ingress_controller_prerequisites.namespace)
+ config = get_vs_nginx_template_conf(kube_apis.v1,
+ v_s_route_setup.namespace,
+ v_s_route_setup.vs_name,
+ ic_pod_name,
+ ingress_controller_prerequisites.namespace)
+ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
+ resp_1 = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}",
+ headers={"host": v_s_route_setup.vs_host})
+ resp_2 = requests.get(f"{req_url}{v_s_route_setup.route_s.paths[0]}",
+ headers={"host": v_s_route_setup.vs_host})
+ vs_line =
f"vs_{v_s_route_setup.namespace}_{v_s_route_setup.vs_name}"
+ proxy_host_s = f"{vs_line}_vsr_{v_s_route_setup.route_s.namespace}_{v_s_route_setup.route_s.name}"
+ proxy_host_m = f"{vs_line}_vsr_{v_s_route_setup.route_m.namespace}_{v_s_route_setup.route_m.name}"
+ assert f'proxy_pass https://{proxy_host_m}' not in config
+ assert f'proxy_pass https://{proxy_host_s}' in config
+ assert_response_codes(resp_1, resp_2)
+
+ def test_events_after_setup(self, kube_apis, ingress_controller_prerequisites,
+ crd_ingress_controller, v_s_route_setup, v_s_route_secure_app_setup):
+ text_s = f"{v_s_route_setup.route_s.namespace}/{v_s_route_setup.route_s.name}"
+ text_m = f"{v_s_route_setup.route_m.namespace}/{v_s_route_setup.route_m.name}"
+ text_vs = f"{v_s_route_setup.namespace}/{v_s_route_setup.vs_name}"
+ vsr_s_event_text = f"Configuration for {text_s} was added or updated"
+ vsr_m_event_text = f"Configuration for {text_m} was added or updated"
+ vs_event_text = f"Configuration for {text_vs} was added or updated"
+ events_ns_m = get_events(kube_apis.v1, v_s_route_setup.route_m.namespace)
+ events_ns_s = get_events(kube_apis.v1, v_s_route_setup.route_s.namespace)
+ assert_event(vsr_s_event_text, events_ns_s)
+ assert_event(vsr_m_event_text, events_ns_m)
+ assert_event(vs_event_text, events_ns_m)
+
+ def test_invalid_value_rejection(self, kube_apis, ingress_controller_prerequisites,
+ crd_ingress_controller,
+ v_s_route_setup, v_s_route_secure_app_setup):
+ ic_pod_name = get_first_pod_name(kube_apis.v1, ingress_controller_prerequisites.namespace)
+ initial_events_ns_m = get_events(kube_apis.v1, v_s_route_setup.route_m.namespace)
+ initial_events_ns_s = get_events(kube_apis.v1, v_s_route_setup.route_s.namespace)
+ patch_v_s_route_from_yaml(kube_apis.custom_objects,
+ v_s_route_setup.route_s.name,
+ f"{TEST_DATA}/virtual-server-route-upstream-tls/route-single-invalid.yaml",
+ v_s_route_setup.route_s.namespace)
+ wait_before_test(1)
+ config =
get_vs_nginx_template_conf(kube_apis.v1,
+ v_s_route_setup.namespace,
+ v_s_route_setup.vs_name,
+ ic_pod_name,
+ ingress_controller_prerequisites.namespace)
+ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
+ resp_1 = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}",
+ headers={"host": v_s_route_setup.vs_host})
+ resp_2 = requests.get(f"{req_url}{v_s_route_setup.route_s.paths[0]}",
+ headers={"host": v_s_route_setup.vs_host})
+ new_events_ns_m = get_events(kube_apis.v1, v_s_route_setup.route_m.namespace)
+ new_events_ns_s = get_events(kube_apis.v1, v_s_route_setup.route_s.namespace)
+
+ vs_line = f"vs_{v_s_route_setup.namespace}_{v_s_route_setup.vs_name}"
+ proxy_host_s = f"{vs_line}_vsr_{v_s_route_setup.route_s.namespace}_{v_s_route_setup.route_s.name}"
+ proxy_host_m = f"{vs_line}_vsr_{v_s_route_setup.route_m.namespace}_{v_s_route_setup.route_m.name}"
+ assert f'proxy_pass https://{proxy_host_m}' not in config
+ assert f'proxy_pass https://{proxy_host_s}' in config
+ assert_response_codes(resp_1, resp_2)
+ assert_no_new_events(initial_events_ns_m, new_events_ns_m)
+ assert_no_new_events(initial_events_ns_s, new_events_ns_s)
+
+ def test_responses_and_config_after_disable_tls(self, kube_apis, ingress_controller_prerequisites,
+ crd_ingress_controller,
+ v_s_route_setup, v_s_route_secure_app_setup):
+ ic_pod_name = get_first_pod_name(kube_apis.v1, ingress_controller_prerequisites.namespace)
+ text_s = f"{v_s_route_setup.route_s.namespace}/{v_s_route_setup.route_s.name}"
+ text_m = f"{v_s_route_setup.route_m.namespace}/{v_s_route_setup.route_m.name}"
+ text_vs = f"{v_s_route_setup.namespace}/{v_s_route_setup.vs_name}"
+ vsr_s_event_text = f"Configuration for {text_s} was added or updated"
+ vsr_m_event_text = f"Configuration for {text_m} was added or updated"
+ vs_event_text = f"Configuration for {text_vs} was added or updated"
+ initial_events_ns_m = get_events(kube_apis.v1,
v_s_route_setup.route_m.namespace)
+ initial_events_ns_s = get_events(kube_apis.v1, v_s_route_setup.route_s.namespace)
+ initial_count_vsr_m = get_event_count(vsr_m_event_text, initial_events_ns_m)
+ initial_count_vsr_s = get_event_count(vsr_s_event_text, initial_events_ns_s)
+ initial_count_vs = get_event_count(vs_event_text, initial_events_ns_m)
+ patch_v_s_route_from_yaml(kube_apis.custom_objects,
+ v_s_route_setup.route_s.name,
+ f"{TEST_DATA}/virtual-server-route-upstream-tls/route-single-disable-tls.yaml",
+ v_s_route_setup.route_s.namespace)
+ wait_before_test(1)
+ config = get_vs_nginx_template_conf(kube_apis.v1,
+ v_s_route_setup.namespace,
+ v_s_route_setup.vs_name,
+ ic_pod_name,
+ ingress_controller_prerequisites.namespace)
+ req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
+ resp_1 = requests.get(f"{req_url}{v_s_route_setup.route_m.paths[0]}",
+ headers={"host": v_s_route_setup.vs_host})
+ resp_2 = requests.get(f"{req_url}{v_s_route_setup.route_s.paths[0]}",
+ headers={"host": v_s_route_setup.vs_host})
+ new_events_ns_m = get_events(kube_apis.v1, v_s_route_setup.route_m.namespace)
+ new_events_ns_s = get_events(kube_apis.v1, v_s_route_setup.route_s.namespace)
+
+ assert 'proxy_pass https://' not in config
+ assert_response_codes(resp_1, resp_2, 200, 400)
+ assert_event_count_increased(vsr_m_event_text, initial_count_vsr_m, new_events_ns_m)
+ assert_event_count_increased(vs_event_text, initial_count_vs, new_events_ns_m)
+ assert_event_count_increased(vsr_s_event_text, initial_count_vsr_s, new_events_ns_s)
diff --git a/tests/suite/test_virtual_server_upstream_tls.py b/tests/suite/test_virtual_server_upstream_tls.py
new file mode 100644
index 0000000000..dabb15a67e
--- /dev/null
+++ b/tests/suite/test_virtual_server_upstream_tls.py
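Review bot: In test_v_s_route_upstream_tls.py, every `requests.get(...)` in `TestVSRouteUpstreamOptions` is issued without a `timeout`, so a backend that accepts the connection and never answers will hang the run instead of failing the test; pass one explicitly, e.g. `headers={"host": v_s_route_setup.vs_host}, timeout=REQUEST_TIMEOUT` (the constant name is a placeholder for a suite-level value). The same applies to the calls in test_virtual_server_upstream_tls.py. In `test_responses_and_config_after_disable_tls` the expected `400` deserves a comment such as `# backend2 only listens with TLS on 443, so plain HTTP from the proxy is answered with 400`. The class name looks carried over from another suite; `TestVSRouteUpstreamTls` would match the file.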
@@ -0,0 +1,124 @@
+import requests
+import pytest
+
+from settings import TEST_DATA
+from suite.custom_resources_utils import get_vs_nginx_template_conf, patch_virtual_server_from_yaml
+from suite.resources_utils import get_first_pod_name, wait_before_test, get_events
+
+
+def assert_response_codes(resp_1, resp_2, code_1=200, code_2=200):
+ assert resp_1.status_code == code_1
+ assert resp_2.status_code == code_2
+
+
+def get_event_count(event_text, events_list) -> int:
+ for i in range(len(events_list) - 1, -1, -1):
+ if event_text in events_list[i].message:
+ return events_list[i].count
+ pytest.fail(f"Failed to find the event \"{event_text}\" in the list. Exiting...")
+
+
+def assert_event_count_increased(event_text, count, events_list):
+ for i in range(len(events_list) - 1, -1, -1):
+ if event_text in events_list[i].message:
+ assert events_list[i].count > count
+ return
+ pytest.fail(f"Failed to find the event \"{event_text}\" in the list. Exiting...")
+
+
+def assert_event(event_text, events_list):
+ for i in range(len(events_list) - 1, -1, -1):
+ if event_text in events_list[i].message:
+ return
+ pytest.fail(f"Failed to find the event \"{event_text}\" in the list. Exiting...")
+
+
+def assert_no_new_events(old_list, new_list):
+ assert len(old_list) == len(new_list), "expected: lists are the same"
+ for i in range(len(new_list) - 1, -1, -1):
+ if old_list[i].count != new_list[i].count:
+ pytest.fail(f"Expected: no new events. There is a new event found:\"{new_list[i].message}\".
Exiting...")
+
+
+@pytest.mark.parametrize('crd_ingress_controller, virtual_server_setup',
+ [({"type": "complete", "extra_args": [f"-enable-custom-resources"]},
+ {"example": "virtual-server-upstream-tls", "app_type": "secure"})],
+ indirect=True)
+class TestVirtualServerUpstreamTls:
+ def test_responses_and_config_after_setup(self, kube_apis, ingress_controller_prerequisites,
+ crd_ingress_controller, virtual_server_setup):
+ ic_pod_name = get_first_pod_name(kube_apis.v1, ingress_controller_prerequisites.namespace)
+ config = get_vs_nginx_template_conf(kube_apis.v1,
+ virtual_server_setup.namespace,
+ virtual_server_setup.vs_name,
+ ic_pod_name,
+ ingress_controller_prerequisites.namespace)
+ resp_1 = requests.get(virtual_server_setup.backend_1_url,
+ headers={"host": virtual_server_setup.vs_host})
+ resp_2 = requests.get(virtual_server_setup.backend_2_url,
+ headers={"host": virtual_server_setup.vs_host})
+
+ proxy_host = f"vs_{virtual_server_setup.namespace}_{virtual_server_setup.vs_name}"
+ assert f'proxy_pass https://{proxy_host}_backend1' not in config
+ assert f'proxy_pass https://{proxy_host}_backend2' in config
+ assert_response_codes(resp_1, resp_2)
+
+ def test_event_after_setup(self, kube_apis, ingress_controller_prerequisites,
+ crd_ingress_controller, virtual_server_setup):
+ text = f"{virtual_server_setup.namespace}/{virtual_server_setup.vs_name}"
+ vs_event_text = f"Configuration for {text} was added or updated"
+ events_vs = get_events(kube_apis.v1, virtual_server_setup.namespace)
+ assert_event(vs_event_text, events_vs)
+
+ def test_invalid_value_rejection(self, kube_apis, ingress_controller_prerequisites,
+ crd_ingress_controller, virtual_server_setup):
+ ic_pod_name = get_first_pod_name(kube_apis.v1, ingress_controller_prerequisites.namespace)
+ initial_events_vs = get_events(kube_apis.v1, virtual_server_setup.namespace)
+ patch_virtual_server_from_yaml(kube_apis.custom_objects,
+ virtual_server_setup.vs_name,
f"{TEST_DATA}/virtual-server-upstream-tls/virtual-server-invalid.yaml",
+ virtual_server_setup.namespace)
+ wait_before_test(1)
+ config = get_vs_nginx_template_conf(kube_apis.v1,
+ virtual_server_setup.namespace,
+ virtual_server_setup.vs_name,
+ ic_pod_name,
+ ingress_controller_prerequisites.namespace)
+ resp_1 = requests.get(virtual_server_setup.backend_1_url,
+ headers={"host": virtual_server_setup.vs_host})
+ resp_2 = requests.get(virtual_server_setup.backend_2_url,
+ headers={"host": virtual_server_setup.vs_host})
+ new_events_vs = get_events(kube_apis.v1, virtual_server_setup.namespace)
+
+ proxy_host = f"vs_{virtual_server_setup.namespace}_{virtual_server_setup.vs_name}"
+ assert f'proxy_pass https://{proxy_host}_backend1' not in config
+ assert f'proxy_pass https://{proxy_host}_backend2' in config
+ assert_response_codes(resp_1, resp_2)
+ assert_no_new_events(initial_events_vs, new_events_vs)
+
+ def test_responses_and_config_after_disable_tls(self, kube_apis, ingress_controller_prerequisites,
+ crd_ingress_controller, virtual_server_setup):
+ ic_pod_name = get_first_pod_name(kube_apis.v1, ingress_controller_prerequisites.namespace)
+ text = f"{virtual_server_setup.namespace}/{virtual_server_setup.vs_name}"
+ vs_event_text = f"Configuration for {text} was added or updated"
+ initial_events_vs = get_events(kube_apis.v1, virtual_server_setup.namespace)
+ initial_count = get_event_count(vs_event_text, initial_events_vs)
+ patch_virtual_server_from_yaml(kube_apis.custom_objects,
+ virtual_server_setup.vs_name,
+ f"{TEST_DATA}/virtual-server-upstream-tls/virtual-server-disable-tls.yaml",
+ virtual_server_setup.namespace)
+ wait_before_test(1)
+ config = get_vs_nginx_template_conf(kube_apis.v1,
+ virtual_server_setup.namespace,
+ virtual_server_setup.vs_name,
+ ic_pod_name,
+ ingress_controller_prerequisites.namespace)
+ resp_1 = requests.get(virtual_server_setup.backend_1_url,
+ headers={"host": virtual_server_setup.vs_host})
+ resp_2 =
requests.get(virtual_server_setup.backend_2_url,
+ headers={"host": virtual_server_setup.vs_host})
+ new_events_vs = get_events(kube_apis.v1, virtual_server_setup.namespace)
+
+ assert 'proxy_pass https://' not in config
+ assert_response_codes(resp_1, resp_2, 200, 400)
+ assert_event_count_increased(vs_event_text, initial_count, new_events_vs)
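Review bot: In test_virtual_server_upstream_tls.py, `assert_response_codes`, `get_event_count`, `assert_event_count_increased`, `assert_event` and `assert_no_new_events` are copied verbatim from tests/suite/test_v_s_route_upstream_tls.py; define them once in a shared module (for instance next to `get_events` in `suite.resources_utils`) and import them in both files. `assert_no_new_events` also compares `old_list[i]` with `new_list[i]` by position, which assumes `get_events` returns events in a stable order; matching entries on the event message, or stating that assumption in a docstring, would avoid order-dependent failures. The fixed `wait_before_test(1)` after each patch is a timing assumption as well, and polling the generated config for the expected `proxy_pass` line would make the TLS assertions less flaky.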