From 210e735287f73598e8151bf09b3cfc13c3ee007a Mon Sep 17 00:00:00 2001
From: itsmurugappan
Date: Sat, 11 Jan 2020 20:08:45 -0800
Subject: [PATCH 01/18] add probe path for whitelisting

---
 pkg/activator/net/revision_backends.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkg/activator/net/revision_backends.go b/pkg/activator/net/revision_backends.go
index a8f515872eb4..d802c0137049 100644
--- a/pkg/activator/net/revision_backends.go
+++ b/pkg/activator/net/revision_backends.go
@@ -63,6 +63,7 @@ type revisionDestsUpdate struct {
 const (
 probeTimeout time.Duration = 300 * time.Millisecond
 probeFrequency time.Duration = 200 * time.Millisecond
+ probePath = "/_internal/knative/activator/probe"
 )

 // revisionWatcher watches the podIPs and ClusterIP of the service for a revision. It implements the logic
@@ -135,6 +136,7 @@ func (rw *revisionWatcher) probe(ctx context.Context, dest string) (bool, error)
 httpDest := url.URL{
 Scheme: "http",
 Host: dest,
+ Path: probePath,
 }
 // NOTE: changes below may require changes to testing/roundtripper.go to make unit tests passing.
 return prober.Do(ctx, rw.transport, httpDest.String(),

From dc01d9a5f44c3d789632166fcc31185b5210b71d Mon Sep 17 00:00:00 2001
From: itsmurugappan
Date: Sat, 11 Jan 2020 23:17:11 -0800
Subject: [PATCH 02/18] add e2e for probe whitelisting

---
 test/config/100-namespace.yaml | 7 +++
 test/config/auth/policy.yaml | 15 ++++++
 test/conformance.go | 1 +
 test/e2e/e2e.go | 5 ++
 test/e2e/probe_whitelist_test.go | 84 ++++++++++++++++++++++++++++++++
 test/e2e_flags.go | 2 +
 6 files changed, 114 insertions(+)
 create mode 100644 test/config/auth/policy.yaml
 create mode 100644 test/e2e/probe_whitelist_test.go

diff --git a/test/config/100-namespace.yaml b/test/config/100-namespace.yaml
index d763ceee88cd..8fc7d4f8eec7 100644
--- a/test/config/100-namespace.yaml
+++ b/test/config/100-namespace.yaml
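Review bot: `probePath` is added without a doc comment even though this string is about to become a contract with mesh authentication policy — later commits in this series paste it verbatim into the e2e Istio Policy as an excluded path, so a change here silently breaks activator probing wherever such a policy is applied. Suggested comment: `// probePath is the request path the activator probes revisions on. Any auth-policy exclusion that whitelists activator probes must match this exact path.` In the second hunk, setting `Path` on `httpDest` changes the probe URL for every revision; the NOTE line points at testing/roundtripper.go, which is not in this series, so whether its matching still works is not verifiable from here.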
@@ -21,3 +21,10 @@ apiVersion: v1 kind: Namespace metadata: name: serving-tests-alt +--- +apiVersion: v1 +kind: Namespace +metadata: + name: serving-tests-sidecar-enabled + labels: + istio-injection: enabled diff --git a/test/config/auth/policy.yaml b/test/config/auth/policy.yaml new file mode 100644 index 000000000000..ce75b7c3943c --- /dev/null +++ b/test/config/auth/policy.yaml @@ -0,0 +1,15 @@ +apiVersion: authentication.istio.io/v1alpha1 +kind: Policy +metadata: +  name: default +  namespace: serving-tests-sidecar-enabled +spec: +  origins: +  - jwt: +      issuer: testing@secure.istio.io +      jwksUri: https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json +      triggerRules: +      - excludedPaths: +        - prefix: /metrics +        - prefix: /_internal/knative/activator/probe +  principalBinding: USE_ORIGIN \ No newline at end of file diff --git a/test/conformance.go b/test/conformance.go index 4ede42a2db53..2863fc9b26de 100644 --- a/test/conformance.go +++ b/test/conformance.go @@ -44,6 +44,7 @@ const ( PizzaPlanetText1 = "What a spaceport!" PizzaPlanetText2 = "Re-energize yourself with a slice of pepperoni!" HelloWorldText = "Hello World! How about some tasty noodles?" + UnauthorizedText = "Origin authentication failed." ConcurrentRequests = 50 // We expect to see 100% of requests succeed for traffic sent directly to revisions. diff --git a/test/e2e/e2e.go b/test/e2e/e2e.go index 8d66bc5695a0..db8ebadaeba9 100644 --- a/test/e2e/e2e.go +++ b/test/e2e/e2e.go 
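Review bot: In the new policy.yaml, `excludedPaths` uses `prefix` for `/_internal/knative/activator/probe`, so every request whose path merely starts with that string is exempt from the JWT check, not only the probe the activator sends; the `/metrics` entry is exempted the same way. Unless the revision side answers the probe path before any user code sees it (not visible in this series), `- exact: /_internal/knative/activator/probe` keeps the exemption as narrow as the fixed `probePath` constant from PATCH 01/18 requires. The same rule text is carried forward into test/config/security/policy.yaml in PATCH 06/18 and PATCH 13/18, where the same change applies.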
@@ -50,6 +50,11 @@ func SetupAlternativeNamespace(t *testing.T) *test.Clients {
 return SetupWithNamespace(t, test.AlternativeServingNamespace)
 }

+//set up sidecar enabled ns
+func SetupSideCarEnabledNamespace(t *testing.T) *test.Clients {
+ return SetupWithNamespace(t, test.SideCarServingNamespace)
+}
+
 // SetupWithNamespace creates the client objects needed in the e2e tests under the specified namespace.
 func SetupWithNamespace(t *testing.T, namespace string) *test.Clients {
 pkgTest.SetupLoggingFlags()
diff --git a/test/e2e/probe_whitelist_test.go b/test/e2e/probe_whitelist_test.go
new file mode 100644
index 000000000000..0d4c0b4e61c6
--- /dev/null
+++ b/test/e2e/probe_whitelist_test.go
@@ -0,0 +1,84 @@
+// +build e2e
+
+/*
+Copyright 2018 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package e2e
+
+import (
+ "testing"
+
+ pkgTest "knative.dev/pkg/test"
+ "knative.dev/pkg/test/logstream"
+ "knative.dev/serving/test"
+ v1a1test "knative.dev/serving/test/v1alpha1"
+)
+
+//This test checks if the activator can probe
+//the service when istio end user auth policy is
+//applied on the service.
+//This test needs istio side car injected and
+//istio policy check enabled. If both are not
+//enabled the test will pass
+//policy is present test/config/auth/policy.yaml
+//apply policy before running this test
+func TestProbeWhitelist(t *testing.T) {
+ t.Parallel()
+ cancel := logstream.Start(t)
+ defer cancel()
+
+ clients := SetupSideCarEnabledNamespace(t)
+
+ names := test.ResourceNames{
+ Service: test.ObjectNameForTest(t),
+ Image: "helloworld",
+ }
+
+ test.CleanupOnInterrupt(func() { test.TearDown(clients, names) })
+ defer test.TearDown(clients, names)
+
+ t.Log("Creating a new Service")
+ resources, httpsTransportOption, err := v1a1test.CreateRunLatestServiceReady(t, clients, &names, test.ServingFlags.Https)
+ if err != nil {
+ t.Fatalf("Failed to create initial Service: %v: %v", names.Service, err)
+ }
+
+ url := resources.Route.Status.URL.URL()
+ var opt interface{}
+ if test.ServingFlags.Https {
+ url.Scheme = "https"
+ if httpsTransportOption == nil {
+ t.Fatalf("Https transport option is nil")
+ }
+ opt = *httpsTransportOption
+ }
+ if _, err := pkgTest.WaitForEndpointState(
+ clients.KubeClient,
+ t.Logf,
+ url,
+ v1a1test.RetryingRouteInconsistency(pkgTest.MatchesAllOf(pkgTest.MatchesBody(test.UnauthorizedText))),
+ "HelloWorldServesAuthFailed",
+ test.ServingFlags.ResolvableDomain,
+ opt); err != nil {
+ // check if side car is injected before reporting error
+ _, err = getContainer(clients.KubeClient, resources.Service.Name, "istio-proxy", resources.Service.Namespace)
+ if err != nil {
+ t.Log("side car not enabled, skipping test")
+ return
+ }
+ t.Fatalf("The endpoint %s for Route %s didn't serve the expected text %q: %v", url, names.Route, test.UnauthorizedText, err)
+ }
+}
diff --git a/test/e2e_flags.go b/test/e2e_flags.go
index f8f0bc640b82..acb6431fe8bf 100644
--- a/test/e2e_flags.go
+++ b/test/e2e_flags.go
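Review bot: When the endpoint check fails and no `istio-proxy` container is found, the new test logs and returns, so a run without the sidecar (or without the policy applied) reports PASS for an assertion that never ran; the header comment even promises this. Report it as a skip, `t.Skip("side car not enabled, skipping test")`, and consider doing the `getContainer` lookup before `CreateRunLatestServiceReady` so the precondition is settled before a service is built and the endpoint retry loop runs. The `_, err = getContainer(...)` assignment also overwrites the `WaitForEndpointState` error that the following `t.Fatalf` is meant to print, so on a real failure the message shows the container-lookup result (nil) instead; an `if _, err := getContainer(...); err != nil {` form avoids that. It would help to state in the function comment what each half proves, as I read it: the service reaching Ready is the evidence that the activator's probe got through the JWT policy, and the `test.UnauthorizedText` match is the evidence that the policy is actually enforced for ordinary requests — without the second half a missing policy makes the test pass vacuously.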
@@ -33,6 +33,8 @@ const ( // namespace tests in. AlternativeServingNamespace = "serving-tests-alt" + // side car injected ns + SideCarServingNamespace = "serving-tests-sidecar-enabled" // Environment propagation conformance test objects // ConformanceConfigMap is the name of the configmap to propagate env variables from From 71236b528f83a7e2973c7995d78ede24e3cbf315 Mon Sep 17 00:00:00 2001 From: itsmurugappan Date: Sat, 11 Jan 2020 23:31:33 -0800 Subject: [PATCH 03/18] add e2e for probe whitelisting --- test/config/auth/policy.yaml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/test/config/auth/policy.yaml b/test/config/auth/policy.yaml index ce75b7c3943c..aad48fd647dc 100644 --- a/test/config/auth/policy.yaml +++ b/test/config/auth/policy.yaml @@ -1,15 +1,15 @@ apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: -  name: default -  namespace: serving-tests-sidecar-enabled + name: default + namespace: serving-tests-sidecar-enabled spec: -  origins: -  - jwt: -      issuer: testing@secure.istio.io -      jwksUri: https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json -      triggerRules: -      - excludedPaths: -        - prefix: /metrics -        - prefix: /_internal/knative/activator/probe -  principalBinding: USE_ORIGIN \ No newline at end of file + origins: + - jwt: + issuer: testing@secure.istio.io + jwksUri: https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json + triggerRules: + - excludedPaths: + - prefix: /metrics + - prefix: /_internal/knative/activator/probe + principalBinding: USE_ORIGIN \ No newline at end of file From 24d4e548f3d1220190d8e0b5439e944e282b6e9c Mon Sep 17 00:00:00 2001 
From: itsmurugappan Date: Sat, 11 Jan 2020 23:37:07 -0800 Subject: [PATCH 04/18] add e2e for probe whitelisting --- test/config/100-namespace.yaml | 2 +- test/config/auth/policy.yaml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/test/config/100-namespace.yaml b/test/config/100-namespace.yaml index 8fc7d4f8eec7..8fd19a23f245 100644 --- a/test/config/100-namespace.yaml +++ b/test/config/100-namespace.yaml @@ -27,4 +27,4 @@ kind: Namespace metadata: name: serving-tests-sidecar-enabled labels: - istio-injection: enabled + istio-injection: enabled diff --git a/test/config/auth/policy.yaml b/test/config/auth/policy.yaml index aad48fd647dc..e9ad3f9acafc 100644 --- a/test/config/auth/policy.yaml +++ b/test/config/auth/policy.yaml @@ -12,4 +12,5 @@ spec: - excludedPaths: - prefix: /metrics - prefix: /_internal/knative/activator/probe - principalBinding: USE_ORIGIN \ No newline at end of file + principalBinding: USE_ORIGIN + \ No newline at end of file From 974a09faf38d9407a6267ee9b02aa1a089f9a8c1 Mon Sep 17 00:00:00 2001 From: itsmurugappan Date: Sat, 11 Jan 2020 23:37:35 -0800 Subject: [PATCH 05/18] add e2e for probe whitelisting --- test/e2e/probe_whitelist_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/probe_whitelist_test.go b/test/e2e/probe_whitelist_test.go index 0d4c0b4e61c6..61aae678abfa 100644 --- a/test/e2e/probe_whitelist_test.go +++ b/test/e2e/probe_whitelist_test.go @@ -1,7 +1,7 @@ // +build e2e /* -Copyright 2018 The Knative Authors +Copyright 2020 The Knative Authors Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. From 6ffd8795c874f5751ab06dcd6bb21b926c7dc129 Mon Sep 17 00:00:00 2001 
From: itsmurugappan Date: Sun, 12 Jan 2020 18:14:18 -0800 Subject: [PATCH 06/18] add e2e for probe whitelisting --- test/config/100-namespace.yaml | 4 +--- test/config/auth/policy.yaml | 16 ---------------- .../{mtls => security}/destinationrule.yaml | 0 test/config/{mtls => security}/policy.yaml | 16 ++++++++++++++++ test/e2e/probe_whitelist_test.go | 2 +- 5 files changed, 18 insertions(+), 20 deletions(-) delete mode 100644 test/config/auth/policy.yaml rename test/config/{mtls => security}/destinationrule.yaml (100%) rename test/config/{mtls => security}/policy.yaml (67%) diff --git a/test/config/100-namespace.yaml b/test/config/100-namespace.yaml index 8fd19a23f245..801f6bbd8c7e 100644 --- a/test/config/100-namespace.yaml +++ b/test/config/100-namespace.yaml @@ -25,6 +25,4 @@ metadata: apiVersion: v1 kind: Namespace metadata: - name: serving-tests-sidecar-enabled - labels: - istio-injection: enabled + name: serving-tests-security diff --git a/test/config/auth/policy.yaml b/test/config/auth/policy.yaml deleted file mode 100644 index e9ad3f9acafc..000000000000 --- a/test/config/auth/policy.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: authentication.istio.io/v1alpha1 -kind: Policy -metadata: - name: default - namespace: serving-tests-sidecar-enabled -spec: - origins: - - jwt: - issuer: testing@secure.istio.io - jwksUri: https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json - triggerRules: - - excludedPaths: - - prefix: /metrics - - prefix: /_internal/knative/activator/probe - principalBinding: USE_ORIGIN - \ No newline at end of file diff --git a/test/config/mtls/destinationrule.yaml b/test/config/security/destinationrule.yaml similarity index 100% rename from test/config/mtls/destinationrule.yaml rename to test/config/security/destinationrule.yaml 
diff --git a/test/config/mtls/policy.yaml b/test/config/security/policy.yaml similarity index 67% rename from test/config/mtls/policy.yaml rename to test/config/security/policy.yaml index 3766d690ba5b..56da8dab8681 100644 --- a/test/config/mtls/policy.yaml +++ b/test/config/security/policy.yaml @@ -31,3 +31,19 @@ spec: peers: - mtls: mode: PERMISSIVE +--- +apiVersion: authentication.istio.io/v1alpha1 +kind: Policy +metadata: + name: default + namespace: serving-tests-security +spec: + origins: + - jwt: + issuer: testing@secure.istio.io + jwksUri: https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json + triggerRules: + - excludedPaths: + - prefix: /metrics + - prefix: /_internal/knative/activator/probe + principalBinding: USE_ORIGIN diff --git a/test/e2e/probe_whitelist_test.go b/test/e2e/probe_whitelist_test.go index 61aae678abfa..e4ece956927a 100644 --- a/test/e2e/probe_whitelist_test.go +++ b/test/e2e/probe_whitelist_test.go @@ -40,7 +40,7 @@ func TestProbeWhitelist(t *testing.T) { cancel := logstream.Start(t) defer cancel() - clients := SetupSideCarEnabledNamespace(t) + clients := SetupServingNamespaceforSecurityTesting(t) names := test.ResourceNames{ Service: test.ObjectNameForTest(t), From bd9ad841fd7278326536f7eb1167aec8f586270b Mon Sep 17 00:00:00 2001 From: itsmurugappan Date: Sun, 12 Jan 2020 18:18:28 -0800 Subject: [PATCH 07/18] add e2e for probe whitelisting --- test/e2e-common.sh | 3 ++- test/e2e/e2e.go | 2 +- test/e2e_flags.go | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/test/e2e-common.sh b/test/e2e-common.sh index 5df47cbe9aed..6e76c9854655 100644 --- a/test/e2e-common.sh +++ b/test/e2e-common.sh 
@@ -433,7 +433,8 @@ function test_setup() { if (( MESH )); then kubectl label namespace serving-tests istio-injection=enabled kubectl label namespace serving-tests-alt istio-injection=enabled - ko apply ${KO_FLAGS} -f test/config/mtls/ || return 1 + kubectl label namespace serving-tests-sidecar-enabled istio-injection=enabled + ko apply ${KO_FLAGS} -f test/config/security/ || return 1 fi echo ">> Uploading test images..." diff --git a/test/e2e/e2e.go b/test/e2e/e2e.go index db8ebadaeba9..849e4ca75896 100644 --- a/test/e2e/e2e.go +++ b/test/e2e/e2e.go @@ -51,7 +51,7 @@ func SetupAlternativeNamespace(t *testing.T) *test.Clients { } //set up sidecar enabled ns -func SetupSideCarEnabledNamespace(t *testing.T) *test.Clients { +func SetupServingNamespaceforSecurityTesting(t *testing.T) *test.Clients { return SetupWithNamespace(t, test.SideCarServingNamespace) } diff --git a/test/e2e_flags.go b/test/e2e_flags.go index acb6431fe8bf..55a751b7c81b 100644 --- a/test/e2e_flags.go +++ b/test/e2e_flags.go @@ -34,7 +34,7 @@ const ( AlternativeServingNamespace = "serving-tests-alt" // side car injected ns - SideCarServingNamespace = "serving-tests-sidecar-enabled" + ServingNamespaceforSecurityTesting = "serving-tests-security" // Environment propagation conformance test objects // ConformanceConfigMap is the name of the configmap to propagate env variables from From ff40cb52af66413f35919b0d817404c8c0658dd5 Mon Sep 17 00:00:00 2001 From: itsmurugappan Date: Sun, 12 Jan 2020 18:21:31 -0800 Subject: [PATCH 08/18] add e2e for probe whitelisting --- test/e2e-common.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/test/e2e-common.sh b/test/e2e-common.sh index 6e76c9854655..d686d11d329c 100644 --- a/test/e2e-common.sh +++ b/test/e2e-common.sh 
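Review bot: This commit does not build on its own: the e2e.go hunk renames the function to `SetupServingNamespaceforSecurityTesting` but its body still returns `SetupWithNamespace(t, test.SideCarServingNamespace)`, while the e2e_flags.go hunk in the same commit renames that constant to `ServingNamespaceforSecurityTesting`. The e2e-common.sh hunk likewise labels `serving-tests-sidecar-enabled`, a namespace PATCH 06/18 already renamed to `serving-tests-security` in 100-namespace.yaml. PATCH 08/18 and PATCH 10/18 repair both, so squashing 06–10 into one commit would keep the series bisectable.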
@@ -433,7 +433,7 @@ function test_setup() { if (( MESH )); then kubectl label namespace serving-tests istio-injection=enabled kubectl label namespace serving-tests-alt istio-injection=enabled - kubectl label namespace serving-tests-sidecar-enabled istio-injection=enabled + kubectl label namespace serving-tests-security istio-injection=enabled ko apply ${KO_FLAGS} -f test/config/security/ || return 1 fi @@ -492,13 +492,15 @@ function test_teardown() { echo ">> Removing test resources (test/config/)" ko delete --ignore-not-found=true --now -f test/config/ if (( MESH )); then - ko delete --ignore-not-found=true --now -f test/config/mtls/ + ko delete --ignore-not-found=true --now -f test/config/security/ fi echo ">> Ensuring test namespaces are clean" kubectl delete all --all --ignore-not-found --now --timeout 60s -n serving-tests kubectl delete --ignore-not-found --now --timeout 60s namespace serving-tests kubectl delete all --all --ignore-not-found --now --timeout 60s -n serving-tests-alt kubectl delete --ignore-not-found --now --timeout 60s namespace serving-tests-alt + kubectl delete all --all --ignore-not-found --now --timeout 60s -n serving-tests-security + kubectl delete --ignore-not-found --now --timeout 60s namespace serving-tests-security } # Dump more information when test fails. From 170b37f7d8e368ffaf53ae71e17c5a166a4ccfae Mon Sep 17 00:00:00 2001 From: itsmurugappan Date: Sun, 12 Jan 2020 18:40:22 -0800 Subject: [PATCH 09/18] add e2e for probe whitelisting --- test/e2e-common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e-common.sh b/test/e2e-common.sh index d686d11d329c..8731ce490e1c 100644 --- a/test/e2e-common.sh +++ b/test/e2e-common.sh 
@@ -500,7 +500,7 @@ function test_teardown() { kubectl delete all --all --ignore-not-found --now --timeout 60s -n serving-tests-alt kubectl delete --ignore-not-found --now --timeout 60s namespace serving-tests-alt kubectl delete all --all --ignore-not-found --now --timeout 60s -n serving-tests-security - kubectl delete --ignore-not-found --now --timeout 60s namespace serving-tests-security + kubectl delete --ignore-not-found --now --timeout 60s namespace serving-tests-security } # Dump more information when test fails. From 7fbb6fe97083b8830559b8b795de8b9b0e86e41d Mon Sep 17 00:00:00 2001 From: itsmurugappan Date: Sun, 12 Jan 2020 18:49:46 -0800 Subject: [PATCH 10/18] add e2e for probe whitelisting --- test/e2e/e2e.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/e2e.go b/test/e2e/e2e.go index 849e4ca75896..20987ef4062f 100644 --- a/test/e2e/e2e.go +++ b/test/e2e/e2e.go @@ -52,7 +52,7 @@ func SetupAlternativeNamespace(t *testing.T) *test.Clients { //set up sidecar enabled ns func SetupServingNamespaceforSecurityTesting(t *testing.T) *test.Clients { - return SetupWithNamespace(t, test.SideCarServingNamespace) + return SetupWithNamespace(t, test.ServingNamespaceforSecurityTesting) } // SetupWithNamespace creates the client objects needed in the e2e tests under the specified namespace. From def9ba52eb5fed2a99af573e323bd53e0529cede Mon Sep 17 00:00:00 2001 From: itsmurugappan Date: Mon, 13 Jan 2020 06:17:33 -0800 Subject: [PATCH 11/18] add e2e for probe path whitelisting --- test/e2e/probe_whitelist_test.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/test/e2e/probe_whitelist_test.go b/test/e2e/probe_whitelist_test.go index e4ece956927a..e1da55d3aa32 100644 --- a/test/e2e/probe_whitelist_test.go +++ b/test/e2e/probe_whitelist_test.go 
@@ -74,8 +74,7 @@ func TestProbeWhitelist(t *testing.T) {
 test.ServingFlags.ResolvableDomain,
 opt); err != nil {
 // check if side car is injected before reporting error
- _, err = getContainer(clients.KubeClient, resources.Service.Name, "istio-proxy", resources.Service.Namespace)
- if err != nil {
+ if _, err := getContainer(clients.KubeClient, resources.Service.Name, "istio-proxy", resources.Service.Namespace); err != nil {
 t.Log("side car not enabled, skipping test")
 return
 }

From 36e59baff50d9018e0fa3229b1e3e3387abf8f04 Mon Sep 17 00:00:00 2001
From: itsmurugappan
Date: Mon, 13 Jan 2020 10:50:20 -0800
Subject: [PATCH 12/18] add e2e for probe path whitelisting

---
 test/e2e/e2e.go | 3 ++-
 test/e2e/probe_whitelist_test.go | 5 ++---
 test/e2e_flags.go | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/test/e2e/e2e.go b/test/e2e/e2e.go
index 20987ef4062f..de1a45941932 100644
--- a/test/e2e/e2e.go
+++ b/test/e2e/e2e.go
@@ -50,7 +50,8 @@ func SetupAlternativeNamespace(t *testing.T) *test.Clients {
 return SetupWithNamespace(t, test.AlternativeServingNamespace)
 }

-//set up sidecar enabled ns
+//SetupServingNamespaceforSecurityTesting creates the client objects needed in e2e tests
+// under the security testing namespace.
 func SetupServingNamespaceforSecurityTesting(t *testing.T) *test.Clients {
 return SetupWithNamespace(t, test.ServingNamespaceforSecurityTesting)
 }
diff --git a/test/e2e/probe_whitelist_test.go b/test/e2e/probe_whitelist_test.go
index e1da55d3aa32..d8ce657791b6 100644
--- a/test/e2e/probe_whitelist_test.go
+++ b/test/e2e/probe_whitelist_test.go
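Review bot: The new doc comment on `SetupServingNamespaceforSecurityTesting` in the e2e.go hunk of PATCH 12/18 does not follow Go doc conventions — no space after the slashes on the first line and a stray space on the second — and the identifier itself buries a lowercase `for` inside MixedCaps. Suggested form: `// SetupServingNamespaceForSecurityTesting creates the client objects needed in e2e tests under the security testing namespace.` with the function renamed to match. The constant `ServingNamespaceforSecurityTesting` in the e2e_flags.go hunk of the same commit has the same casing; renaming both now avoids yet another rename in this series.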
@@ -31,9 +31,8 @@ import ( //the service when istio end user auth policy is //applied on the service. //This test needs istio side car injected and -//istio policy check enabled. If both are not -//enabled the test will pass -//policy is present test/config/auth/policy.yaml +//istio policy check enabled. +//policy is present test/config/security/policy.yaml //apply policy before running this test func TestProbeWhitelist(t *testing.T) { t.Parallel() diff --git a/test/e2e_flags.go b/test/e2e_flags.go index 55a751b7c81b..07ae8d7937f3 100644 --- a/test/e2e_flags.go +++ b/test/e2e_flags.go @@ -33,7 +33,7 @@ const ( // namespace tests in. AlternativeServingNamespace = "serving-tests-alt" - // side car injected ns + // ServingNamespaceforSecurityTesting is the namespace for security tests. ServingNamespaceforSecurityTesting = "serving-tests-security" // Environment propagation conformance test objects From c847700a31197f35822a96ce395b800e42a1f41d Mon Sep 17 00:00:00 2001 From: itsmurugappan Date: Tue, 14 Jan 2020 11:07:10 -0800 Subject: [PATCH 13/18] e2e for whitelist probe path --- test/config/security/policy.yaml | 2 +- test/conformance.go | 1 - test/e2e/probe_whitelist_test.go | 9 +++++---- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/test/config/security/policy.yaml b/test/config/security/policy.yaml index 56da8dab8681..533399c82d6c 100644 --- a/test/config/security/policy.yaml +++ b/test/config/security/policy.yaml 
@@ -41,7 +41,7 @@ spec: origins: - jwt: issuer: testing@secure.istio.io - jwksUri: https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json + jwks: "{ \"keys\":[ {\"e\":\"AQAB\",\"kid\":\"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ\",\"kty\":\"RSA\",\"n\":\"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ\"}]} " triggerRules: - excludedPaths: - prefix: /metrics diff --git a/test/conformance.go b/test/conformance.go index 2863fc9b26de..4ede42a2db53 100644 --- a/test/conformance.go +++ b/test/conformance.go @@ -44,7 +44,6 @@ const ( PizzaPlanetText1 = "What a spaceport!" PizzaPlanetText2 = "Re-energize yourself with a slice of pepperoni!" HelloWorldText = "Hello World! How about some tasty noodles?" - UnauthorizedText = "Origin authentication failed." ConcurrentRequests = 50 // We expect to see 100% of requests succeed for traffic sent directly to revisions. diff --git a/test/e2e/probe_whitelist_test.go b/test/e2e/probe_whitelist_test.go index d8ce657791b6..3f16ec55964d 100644 --- a/test/e2e/probe_whitelist_test.go +++ b/test/e2e/probe_whitelist_test.go @@ -19,6 +19,7 @@ limitations under the License. package e2e import ( + "net/http" "testing" pkgTest "knative.dev/pkg/test" @@ -43,7 +44,7 @@ func TestProbeWhitelist(t *testing.T) { names := test.ResourceNames{ Service: test.ObjectNameForTest(t), - Image: "helloworld", + Image: "helloworld-edca531b677458dd5cb687926757a480", } test.CleanupOnInterrupt(func() { test.TearDown(clients, names) }) 
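Review bot: The inlined `jwks` is the published Istio sample key set that the removed `jwksUri` fetched from `istio/istio/release-1.4/security/tools/jwt/samples/jwks.json`, so the corresponding signing key is public and any token it signs satisfies this policy; that is acceptable for a fixture scoped to `serving-tests-security`, but the manifest should say so, e.g. `# Test fixture only: Istio's published sample JWKS, inlined so the e2e run does not depend on fetching it from GitHub.` The quoted value also carries a trailing space inside the quotes (`…}]} "`), harmless to the JSON parser but worth trimming while the line is being touched.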
@@ -68,15 +69,15 @@ func TestProbeWhitelist(t *testing.T) { clients.KubeClient, t.Logf, url, - v1a1test.RetryingRouteInconsistency(pkgTest.MatchesAllOf(pkgTest.MatchesBody(test.UnauthorizedText))), + v1a1test.RetryingRouteInconsistency(pkgTest.MatchesAllOf(pkgTest.IsOneOfStatusCodes(http.StatusUnauthorized))), "HelloWorldServesAuthFailed", test.ServingFlags.ResolvableDomain, opt); err != nil { // check if side car is injected before reporting error if _, err := getContainer(clients.KubeClient, resources.Service.Name, "istio-proxy", resources.Service.Namespace); err != nil { t.Log("side car not enabled, skipping test") - return + t.Skip() } - t.Fatalf("The endpoint %s for Route %s didn't serve the expected text %q: %v", url, names.Route, test.UnauthorizedText, err) + t.Fatalf("The endpoint %s for Route %s didn't serve the expected status %q: %v", url, names.Route, http.StatusUnauthorized, err) } } From d7c9b3bf5fd33fc4b82174d788624e2f668629a7 Mon Sep 17 00:00:00 2001 From: itsmurugappan Date: Tue, 14 Jan 2020 11:08:12 -0800 Subject: [PATCH 14/18] e2e for whitelist probe path --- test/e2e/probe_whitelist_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/probe_whitelist_test.go b/test/e2e/probe_whitelist_test.go index 3f16ec55964d..0ec1d388fd63 100644 --- a/test/e2e/probe_whitelist_test.go +++ b/test/e2e/probe_whitelist_test.go @@ -44,7 +44,7 @@ func TestProbeWhitelist(t *testing.T) { names := test.ResourceNames{ Service: test.ObjectNameForTest(t), - Image: "helloworld-edca531b677458dd5cb687926757a480", + Image: "helloworld", } test.CleanupOnInterrupt(func() { test.TearDown(clients, names) }) From bb80418de508c2f70d681bf281d593ea9c8c8907 Mon Sep 17 00:00:00 2001 From: itsmurugappan Date: Tue, 14 Jan 2020 17:28:45 -0800 Subject: [PATCH 15/18] e2e for probe whitelist test --- test/e2e/probe_whitelist_test.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
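Review bot: The sidecar precondition is still evaluated only after `WaitForEndpointState` has given up, so on a cluster without injection the test spends the whole retry window (its length comes from `RetryingRouteInconsistency`, not visible here) before it skips. Move the `getContainer` lookup ahead of the wait, right after `CreateRunLatestServiceReady` returns, so the skip is immediate and the `err != nil` branch of the wait can report unconditionally. `t.Skip()` ends the test via runtime.Goexit, so the `t.Fatalf` below it is unreachable once the skip fires, which is fine; the `%q` verb applied to the int `http.StatusUnauthorized` prints a quoted rune rather than 401 and is something `go vet` will flag.

```go
	// … unchanged: CreateRunLatestServiceReady and its error check …
	// Decide the sidecar precondition up front, before the endpoint retry loop.
	if _, err := getContainer(clients.KubeClient, resources.Service.Name, "istio-proxy", resources.Service.Namespace); err != nil {
		t.Skip("side car not enabled, skipping test")
	}
	// … unchanged: url / opt setup and the WaitForEndpointState arguments …
		opt); err != nil {
		t.Fatalf("The endpoint %s for Route %s didn't serve the expected status %d: %v", url, names.Route, http.StatusUnauthorized, err)
	}
```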
diff --git a/test/e2e/probe_whitelist_test.go b/test/e2e/probe_whitelist_test.go index 0ec1d388fd63..31a8872363e8 100644 --- a/test/e2e/probe_whitelist_test.go +++ b/test/e2e/probe_whitelist_test.go @@ -75,8 +75,7 @@ func TestProbeWhitelist(t *testing.T) { opt); err != nil { // check if side car is injected before reporting error if _, err := getContainer(clients.KubeClient, resources.Service.Name, "istio-proxy", resources.Service.Namespace); err != nil { - t.Log("side car not enabled, skipping test") - t.Skip() + t.Skip("side car not enabled, skipping test") } t.Fatalf("The endpoint %s for Route %s didn't serve the expected status %q: %v", url, names.Route, http.StatusUnauthorized, err) } From 2ea9a2b36aa7fbb488ecb4207d1cce8ed5963825 Mon Sep 17 00:00:00 2001 From: itsmurugappan Date: Thu, 16 Jan 2020 09:59:36 -0800 Subject: [PATCH 16/18] e2e test for probe whitelisting --- test/e2e/probe_whitelist_test.go | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/test/e2e/probe_whitelist_test.go b/test/e2e/probe_whitelist_test.go index 31a8872363e8..13e671e61189 100644 --- a/test/e2e/probe_whitelist_test.go +++ b/test/e2e/probe_whitelist_test.go @@ -26,6 +26,7 @@ import ( "knative.dev/pkg/test/logstream" "knative.dev/serving/test" v1a1test "knative.dev/serving/test/v1alpha1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) //This test checks if the activator can probe @@ -33,7 +34,7 @@ import ( //applied on the service. //This test needs istio side car injected and //istio policy check enabled. -//policy is present test/config/security/policy.yaml +//policy is present in test/config/security/policy.yaml //apply policy before running this test func TestProbeWhitelist(t *testing.T) { t.Parallel() 
@@ -47,6 +48,16 @@ func TestProbeWhitelist(t *testing.T) { Image: "helloworld", } + if test.ServingFlags.Https { + // Save the current Gateway to restore it after the test + oldGateway, err := clients.IstioClient.NetworkingV1alpha3().Gateways(v1a1test.Namespace).Get(v1a1test.GatewayName, metav1.GetOptions{}) + if err != nil { + t.Fatalf("Failed to get Gateway %s/%s", v1a1test.Namespace, v1a1test.GatewayName) + } + test.CleanupOnInterrupt(func() { v1a1test.RestoreGateway(t, clients, *oldGateway) }) + defer v1a1test.RestoreGateway(t, clients, *oldGateway) + } + test.CleanupOnInterrupt(func() { test.TearDown(clients, names) }) defer test.TearDown(clients, names) From 1864bb139a2f364b99d078e5555697f6257558fb Mon Sep 17 00:00:00 2001 From: itsmurugappan Date: Thu, 16 Jan 2020 10:01:12 -0800 Subject: [PATCH 17/18] e2e test for probe whitelisting --- test/e2e/probe_whitelist_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/e2e/probe_whitelist_test.go b/test/e2e/probe_whitelist_test.go index 13e671e61189..706bb7161425 100644 --- a/test/e2e/probe_whitelist_test.go +++ b/test/e2e/probe_whitelist_test.go @@ -22,11 +22,11 @@ import ( "net/http" "testing" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" pkgTest "knative.dev/pkg/test" "knative.dev/pkg/test/logstream" "knative.dev/serving/test" v1a1test "knative.dev/serving/test/v1alpha1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) //This test checks if the activator can probe @@ -56,7 +56,7 @@ func TestProbeWhitelist(t *testing.T) { } test.CleanupOnInterrupt(func() { v1a1test.RestoreGateway(t, clients, *oldGateway) }) defer v1a1test.RestoreGateway(t, clients, *oldGateway) - } + } test.CleanupOnInterrupt(func() { test.TearDown(clients, names) }) defer test.TearDown(clients, names) From fe01449a41ec0c1ec4776db1ab62ce2a5b21b52e Mon Sep 17 00:00:00 2001 
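Review bot: The `t.Fatalf("Failed to get Gateway %s/%s", …)` on the new Gateway lookup drops the `err` it just tested, so a failing Get leaves no clue whether it was an RBAC denial, a missing resource or a connectivity error; use `t.Fatalf("Failed to get Gateway %s/%s: %v", v1a1test.Namespace, v1a1test.GatewayName, err)`. Why this test needs to snapshot and restore the Gateway is not explained — presumably `CreateRunLatestServiceReady` with `Https` set rewrites it (not visible here); a one-line comment naming the call that mutates it would spare the next reader the hunt. The `defer v1a1test.RestoreGateway` inside the `if` body is registered before the `TearDown` defer, so the Gateway is restored after the service is torn down, which looks intended but is worth a word in that comment.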
From: itsmurugappan Date: Thu, 16 Jan 2020 11:21:08 -0800 Subject: [PATCH 18/18] e2e test for probe whitelisting --- test/e2e/probe_whitelist_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/e2e/probe_whitelist_test.go b/test/e2e/probe_whitelist_test.go index 706bb7161425..2cbb26bbc7ef 100644 --- a/test/e2e/probe_whitelist_test.go +++ b/test/e2e/probe_whitelist_test.go @@ -72,7 +72,7 @@ func TestProbeWhitelist(t *testing.T) { if test.ServingFlags.Https { url.Scheme = "https" if httpsTransportOption == nil { - t.Fatalf("Https transport option is nil") + t.Fatalf("HTTPS transport option is nil") } opt = *httpsTransportOption } @@ -86,8 +86,8 @@ func TestProbeWhitelist(t *testing.T) { opt); err != nil { // check if side car is injected before reporting error if _, err := getContainer(clients.KubeClient, resources.Service.Name, "istio-proxy", resources.Service.Namespace); err != nil { - t.Skip("side car not enabled, skipping test") + t.Skip("Side car not enabled, skipping test") } - t.Fatalf("The endpoint %s for Route %s didn't serve the expected status %q: %v", url, names.Route, http.StatusUnauthorized, err) + t.Fatalf("The endpoint %s for Route %s didn't serve the expected status %d: %v", url, names.Route, http.StatusUnauthorized, err) } }