-
Notifications
You must be signed in to change notification settings - Fork 5.5k
Adding a test of TCP with TLS termination (test-only change) #1183
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 3 commits
e338835
f6d2173
7cf2e95
e568657
d568bbc
3016ddb
69e5e89
fb3792a
29069e4
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| { | ||
| "listeners": [ | ||
| { | ||
| "address": "tcp://{{ ip_loopback_address }}:0", | ||
| "filters": [ | ||
| { "type": "read", "name": | ||
| "tcp_proxy", | ||
| "config": { | ||
| "stat_prefix": "test_tcp", | ||
| "route_config": { | ||
| "routes": [ | ||
| { | ||
| "cluster": "cluster_1" | ||
| } | ||
| ] | ||
| } | ||
| } | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "address": "tcp://{{ ip_loopback_address }}:0", | ||
| "ssl_context": { | ||
| "ca_cert_file": "{{ test_rundir }}/test/config/integration/certs/cacert.pem", | ||
| "cert_chain_file": "{{ test_rundir }}/test/config/integration/certs/servercert.pem", | ||
| "private_key_file": "{{ test_rundir }}/test/config/integration/certs/serverkey.pem", | ||
| "verify_certificate_hash": "75:1D:5F:48:82:7E:30:1D:06:33:EC:B2:88:E3:22:5F:D0:48:D8:F2:D4:F8:7F:A9:89:7F:7E:AF:8F:89:AB:D0", | ||
| "alpn_protocols": "h2,http/1.1", | ||
| "alt_alpn_protocols": "http/1.1" | ||
| }, | ||
| "filters": [ | ||
| { "type": "read", "name": "tcp_proxy", | ||
| "config": { | ||
| "stat_prefix": "test_tcp_sans_tls", | ||
| "route_config": { | ||
| "routes": [ | ||
| { | ||
| "cluster": "cluster_1" | ||
| } | ||
| ] | ||
| } | ||
| } | ||
| }, | ||
| { "type": "read", "name": "client_ssl_auth", | ||
| "config": { | ||
| "auth_api_cluster": "ssl_auth", | ||
| "stat_prefix": "ssl_stats", | ||
| "refresh_delay_ms": 600000, | ||
| "ip_white_list": [ "127.0.0.1/32", "::1/64"] | ||
| } | ||
| } | ||
| ] | ||
| }], | ||
| "admin": { "access_log_path": "/dev/null", "address": "tcp://{{ ip_loopback_address }}:0" }, | ||
| "statsd_udp_ip_address": "{{ ip_loopback_address }}:8125", | ||
|
|
||
| "cluster_manager": { | ||
| "clusters": [ | ||
| { | ||
| "name": "cluster_1", | ||
| "connect_timeout_ms": 5000, | ||
| "type": "static", | ||
| "lb_type": "round_robin", | ||
| "hosts": [{"url": "tcp://{{ ip_loopback_address }}:{{ upstream_0 }}"}] | ||
| }, | ||
| { | ||
| "name": "ssl_auth", | ||
| "connect_timeout_ms": 5000, | ||
| "type": "strict_dns", | ||
| "lb_type": "round_robin", | ||
| "dns_lookup_family": "{{ dns_lookup_family }}", | ||
| "hosts": [{"url": "tcp://localhost:{{ upstream_1 }}"}] | ||
| }] | ||
| } | ||
| } |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| #include "test/integration/ssl_utility.h" | ||
|
|
||
| #include "common/json/json_loader.h" | ||
| #include "common/network/utility.h" | ||
| #include "common/ssl/context_config_impl.h" | ||
| #include "common/ssl/context_manager_impl.h" | ||
|
|
||
| #include "test/integration/server.h" | ||
| #include "test/test_common/environment.h" | ||
| #include "test/test_common/network_utility.h" | ||
|
|
||
| namespace Envoy { | ||
| namespace Ssl { | ||
|
|
||
| ClientContextPtr createClientSslContext(bool alpn, bool san, ContextManager& context_manager) { | ||
| std::string json_plain = R"EOF( | ||
| { | ||
| "ca_cert_file": "{{ test_rundir }}/test/config/integration/certs/cacert.pem", | ||
| "cert_chain_file": "{{ test_rundir }}/test/config/integration/certs/clientcert.pem", | ||
| "private_key_file": "{{ test_rundir }}/test/config/integration/certs/clientkey.pem" | ||
| } | ||
| )EOF"; | ||
|
|
||
| std::string json_alpn = R"EOF( | ||
| { | ||
| "ca_cert_file": "{{ test_rundir }}/test/config/integration/certs/cacert.pem", | ||
| "cert_chain_file": "{{ test_rundir }}/test/config/integration/certs/clientcert.pem", | ||
| "private_key_file": "{{ test_rundir }}/test/config/integration/certs/clientkey.pem", | ||
| "alpn_protocols": "h2,http/1.1" | ||
| } | ||
| )EOF"; | ||
|
|
||
| std::string json_san = R"EOF( | ||
| { | ||
| "ca_cert_file": "{{ test_rundir }}/test/config/integration/certs/cacert.pem", | ||
| "cert_chain_file": "{{ test_rundir }}/test/config/integration/certs/clientcert.pem", | ||
| "private_key_file": "{{ test_rundir }}/test/config/integration/certs/clientkey.pem", | ||
| "verify_subject_alt_name": [ "istio:account_a.namespace_foo.cluster.local" ] | ||
| } | ||
| )EOF"; | ||
|
|
||
| std::string json_alpn_san = R"EOF( | ||
| { | ||
| "ca_cert_file": "{{ test_rundir }}/test/config/integration/certs/cacert.pem", | ||
| "cert_chain_file": "{{ test_rundir }}/test/config/integration/certs/clientcert.pem", | ||
| "private_key_file": "{{ test_rundir }}/test/config/integration/certs/clientkey.pem", | ||
| "alpn_protocols": "h2,http/1.1", | ||
| "verify_subject_alt_name": [ "istio:account_a.namespace_foo.cluster.local" ] | ||
| } | ||
| )EOF"; | ||
|
|
||
| std::string target; | ||
| if (alpn) { | ||
| target = san ? json_alpn_san : json_alpn; | ||
| } else { | ||
| target = san ? json_san : json_plain; | ||
| } | ||
| Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(target); | ||
| ContextConfigImpl cfg(*loader); | ||
| static auto* client_stats_store = new Stats::TestIsolatedStoreImpl(); | ||
| return context_manager.createSslClientContext(*client_stats_store, cfg); | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If so, I will need to change this function to support TLS (non-mTLS) case as well. In terms of refactoring, I think it's better we have this PR focusing on it (and probably we can do it better here :) ). |
||
| } | ||
|
|
||
| Network::Address::InstanceConstSharedPtr getSslAddress(Network::Address::IpVersion version, | ||
| int port) { | ||
| std::string url = | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. As a general preference, prefer |
||
| "tcp://" + Network::Test::getLoopbackAddressUrlString(version) + ":" + std::to_string(port); | ||
| return Network::Utility::resolveUrl(url); | ||
| } | ||
|
|
||
| } // Ssl | ||
| } // Envoy | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| #pragma once | ||
|
|
||
| #include "envoy/network/address.h" | ||
| #include "envoy/ssl/context_manager.h" | ||
|
|
||
| namespace Envoy { | ||
| namespace Ssl { | ||
|
|
||
| ClientContextPtr createClientSslContext(bool alpn, bool san, ContextManager& context_manager); | ||
|
|
||
| Network::Address::InstanceConstSharedPtr getSslAddress(Network::Address::IpVersion version, | ||
| int port); | ||
|
|
||
| } // Ssl | ||
| } // Envoy |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
const, etc. above