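# Source: github.com/nginxinc/kubernetes-ingress@v1.12.5/tests/suite/test_default_server.py
"""Tests for the TLS behaviour of the Ingress Controller's default server.

The default server answers requests whose host name matches no configured
Ingress. These tests check which certificate it presents while the default
server TLS secret is deleted, replaced, corrupted and restored, and that the
TLS handshake is refused when no default secret is configured at all.
"""
from ssl import SSLError

import pytest

from suite.resources_utils import (
    create_secret_from_yaml,
    is_secret_present,
    delete_secret,
    wait_before_test,
    ensure_connection,
    replace_secret,
)
from suite.ssl_utils import get_server_certificate_subject
from settings import TEST_DATA, DEPLOYMENTS


def assert_cn(endpoint, cn):
    """Assert that the default server's certificate subject has the given CN.

    Args:
        endpoint: object exposing ``public_ip`` and ``port_ssl`` of the
            Ingress Controller.
        cn: expected Common Name as ``str``; compared as ASCII bytes.

    NOTE(review): only the subject CN is compared. Two different key pairs can
    carry the same CN, so this shows which certificate *name* is served, not
    which key. Whether the helper validates the chain is not visible here;
    confirm in suite.ssl_utils.
    """
    # The host name is deliberately one that no Ingress serves, so the request
    # falls through to the default server.
    host = "random"  # any host would work
    subject_dict = get_server_certificate_subject(endpoint.public_ip, host, endpoint.port_ssl)
    assert subject_dict[b'CN'] == cn.encode('ascii')


def assert_unrecognized_name_error(endpoint):
    """Assert that the TLS handshake with the default server is refused.

    The expected failure is an ``SSLError`` whose ``library`` contains "SSL"
    and whose ``reason`` contains "TLSV1_UNRECOGNIZED_NAME". A handshake that
    succeeds fails the test; any other exception type propagates unchanged.

    Args:
        endpoint: object exposing ``public_ip`` and ``port_ssl`` of the
            Ingress Controller.
    """
    host = "random"  # any host would work
    try:
        get_server_certificate_subject(endpoint.public_ip, host, endpoint.port_ssl)
    except SSLError as e:
        # ``library`` / ``reason`` may be missing or None on some SSLError
        # instances; normalise them so a mismatch is reported as an assertion
        # failure carrying the error, not as a TypeError from ``in None``.
        library = getattr(e, "library", None) or ""
        reason = getattr(e, "reason", None) or ""
        assert "SSL" in library, f"unexpected SSLError library: {e!r}"
        assert "TLSV1_UNRECOGNIZED_NAME" in reason, f"unexpected SSLError reason: {e!r}"
    else:
        pytest.fail("We expected an SSLError here, but didn't get it or got another error. Exiting...")


# Default server secret shipped with the deployment manifests.
# NOTE(review): a secret manifest kept in a repository exposes its private key
# to every reader; treat it as test material only - confirm against the file.
secret_path = f"{DEPLOYMENTS}/common/default-server-secret.yaml"
test_data_path = f"{TEST_DATA}/default-server"
# Secret variants applied by the test: an invalid TLS secret and a valid
# replacement (the test expects CN "cafe.example.com" after applying the latter).
invalid_secret_path = f"{test_data_path}/invalid-tls-secret.yaml"
new_secret_path = f"{test_data_path}/new-tls-secret.yaml"
secret_name = "default-server-secret"
secret_namespace = "nginx-ingress"


@pytest.fixture(scope="class")
def default_server_setup(ingress_controller_endpoint, ingress_controller):
    """Wait until the Ingress Controller's plain-HTTP port accepts connections.

    ``ingress_controller`` is requested only so that fixture is set up before
    the connection check runs.
    """
    ensure_connection(f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port}/")


@pytest.fixture(scope="class")
def secret_setup(request, kube_apis):
    """Register a finalizer that puts the original default server secret back.

    The test mutates a secret shared with the rest of the suite, so the
    original must be re-created even when the test fails part-way through.
    """
    def fin():
        if is_secret_present(kube_apis.v1, secret_name, secret_namespace):
            print("cleaning up secret!")
            delete_secret(kube_apis.v1, secret_name, secret_namespace)
        # restore the original secret created in ingress_controller_prerequisites fixture
        # (done whether or not a secret was found above, so a test that stopped
        # right after deleting the secret does not leave the cluster without one)
        create_secret_from_yaml(kube_apis.v1, secret_namespace, secret_path)

    request.addfinalizer(fin)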
@pytest.mark.ingresses
class TestDefaultServer:
    """Certificate checks for the default server across secret lifecycle events."""

    def test_with_default_tls_secret(self, kube_apis, ingress_controller_endpoint, secret_setup, default_server_setup):
        """Walk the default server secret through delete, update, corrupt and restore.

        After each mutation the served certificate's CN is checked. A deleted
        or invalid secret must not change the certificate: the controller is
        expected to keep serving the last valid one.

        NOTE(review): each check follows a fixed ``wait_before_test(1)``, so
        it observes the state after that wait only - presumably one second;
        confirm in suite.resources_utils.
        """
        core_v1 = kube_apis.v1
        endpoint = ingress_controller_endpoint

        print("Step 1: ensure CN of the default server TLS cert")
        assert_cn(endpoint, "NGINXIngressController")

        print("Step 2: ensure CN of the default server TLS cert after removing the secret")
        delete_secret(core_v1, secret_name, secret_namespace)
        wait_before_test(1)
        # Ingress Controller retains the previous valid secret
        assert_cn(endpoint, "NGINXIngressController")

        print("Step 3: ensure CN of the default TLS cert after creating an updated secret")
        create_secret_from_yaml(core_v1, secret_namespace, new_secret_path)
        wait_before_test(1)
        assert_cn(endpoint, "cafe.example.com")

        print("Step 4: ensure CN of the default TLS cert after making the secret invalid")
        replace_secret(core_v1, secret_name, secret_namespace, invalid_secret_path)
        wait_before_test(1)
        # Ingress Controller retains the previous valid secret
        assert_cn(endpoint, "cafe.example.com")

        print("Step 5: ensure CN of the default TLS cert after restoring the secret")
        replace_secret(core_v1, secret_name, secret_namespace, secret_path)
        wait_before_test(1)
        assert_cn(endpoint, "NGINXIngressController")

    # The controller is started with an empty -default-server-tls-secret value,
    # i.e. with no default certificate to present.
    @pytest.mark.parametrize(
        "ingress_controller",
        [
            pytest.param(
                {"extra_args": ["-default-server-tls-secret="]},
            ),
        ],
        indirect=True,
    )
    def test_without_default_tls_secret(self, ingress_controller_endpoint, default_server_setup):
        """Check that TLS to the default server is refused when no secret is set.

        The handshake must fail with an unrecognized-name SSL error, so no
        certificate is presented for a host name that matches no Ingress.
        """
        print("Ensure connection to HTTPS cannot be established")
        assert_unrecognized_name_error(ingress_controller_endpoint)