github.com/nginxinc/kubernetes-ingress@v1.12.5/tests/suite/test_wildcard_tls_secret.py (about) 1 import requests 2 import pytest 3 from settings import TEST_DATA 4 from suite.fixtures import PublicEndpoint 5 from suite.ssl_utils import get_server_certificate_subject 6 from suite.resources_utils import create_items_from_yaml, delete_items_from_yaml,\ 7 create_secret_from_yaml, delete_secret, create_example_app, delete_common_app,\ 8 is_secret_present, wait_until_all_pods_are_ready, create_ingress_controller,\ 9 delete_ingress_controller, wait_before_test, ensure_connection_to_public_endpoint 10 from suite.yaml_utils import get_first_ingress_host_from_yaml 11 12 paths = ["backend1", "backend2"] 13 14 15 class WildcardTLSSecretSetup: 16 """ 17 Encapsulate Wildcard TLS Secret Example details. 18 19 Attributes: 20 public_endpoint (PublicEndpoint): 21 namespace (str): 22 ingress_host (str): 23 """ 24 def __init__(self, public_endpoint: PublicEndpoint, namespace, ingress_host): 25 self.public_endpoint = public_endpoint 26 self.namespace = namespace 27 self.ingress_host = ingress_host 28 29 30 class IngressControllerWithSecret: 31 """ 32 Encapsulate secret name for the IC. 33 34 Attributes: 35 secret_name (str): 36 """ 37 def __init__(self, secret_name): 38 self.secret_name = secret_name 39 40 41 @pytest.fixture(scope="class", params=["standard", "mergeable"]) 42 def wildcard_tls_secret_setup(request, kube_apis, 43 ingress_controller_endpoint, test_namespace) -> WildcardTLSSecretSetup: 44 ing_type = request.param 45 print("------------------------- Deploy Wildcard-Tls-Secret-Example -----------------------------------") 46 create_items_from_yaml(kube_apis, 47 f"{TEST_DATA}/wildcard-tls-secret/{ing_type}/wildcard-secret-ingress.yaml", test_namespace) 48 host = get_first_ingress_host_from_yaml(f"{TEST_DATA}/wildcard-tls-secret/{ing_type}/wildcard-secret-ingress.yaml") 49 create_example_app(kube_apis, "simple", test_namespace) 50 wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) 51 52 def fin(): 53 print("Clean up Wildcard-Tls-Secret-Example:") 54 delete_items_from_yaml(kube_apis, 55 f"{TEST_DATA}/wildcard-tls-secret/{ing_type}/wildcard-secret-ingress.yaml", 56 test_namespace) 57 delete_common_app(kube_apis, "simple", test_namespace) 58 59 request.addfinalizer(fin) 60 61 return WildcardTLSSecretSetup(ingress_controller_endpoint, test_namespace, host) 62 63 64 @pytest.fixture(scope="class") 65 def wildcard_tls_secret_ingress_controller(cli_arguments, kube_apis, ingress_controller_prerequisites, 66 wildcard_tls_secret_setup, request) -> IngressControllerWithSecret: 67 """ 68 Create a Wildcard Ingress Controller according to the installation type 69 :param cli_arguments: pytest context 70 :param kube_apis: client apis 71 :param ingress_controller_prerequisites 72 :param wildcard_tls_secret_setup: test-class prerequisites 73 :param request: pytest fixture 74 :return: IngressController object 75 """ 76 namespace = ingress_controller_prerequisites.namespace 77 print("------------------------- Create IC and wildcard secret -----------------------------------") 78 secret_name = create_secret_from_yaml(kube_apis.v1, namespace, 79 f"{TEST_DATA}/wildcard-tls-secret/wildcard-tls-secret.yaml") 80 extra_args = [f"-wildcard-tls-secret={namespace}/{secret_name}", "-enable-custom-resources=false"] 81 name = create_ingress_controller(kube_apis.v1, kube_apis.apps_v1_api, cli_arguments, namespace, extra_args) 82 ensure_connection_to_public_endpoint(wildcard_tls_secret_setup.public_endpoint.public_ip, 83 wildcard_tls_secret_setup.public_endpoint.port, 84 wildcard_tls_secret_setup.public_endpoint.port_ssl) 85 86 def fin(): 87 print("Remove IC and wildcard secret:") 88 delete_ingress_controller(kube_apis.apps_v1_api, name, cli_arguments['deployment-type'], namespace) 89 if is_secret_present(kube_apis.v1, secret_name, namespace): 90 delete_secret(kube_apis.v1, secret_name, namespace) 91 92 request.addfinalizer(fin) 93 return IngressControllerWithSecret(secret_name) 94 95 96 @pytest.mark.ingresses 97 @pytest.mark.smoke 98 class TestTLSWildcardSecrets: 99 @pytest.mark.parametrize("path", paths) 100 def test_response_code_200(self, wildcard_tls_secret_ingress_controller, wildcard_tls_secret_setup, path): 101 req_url = f"https://{wildcard_tls_secret_setup.public_endpoint.public_ip}:" \ 102 f"{wildcard_tls_secret_setup.public_endpoint.port_ssl}/{path}" 103 resp = requests.get(req_url, headers={"host": wildcard_tls_secret_setup.ingress_host}, verify=False) 104 assert resp.status_code == 200 105 106 def test_certificate_subject(self, wildcard_tls_secret_ingress_controller, wildcard_tls_secret_setup): 107 subject_dict = get_server_certificate_subject(wildcard_tls_secret_setup.public_endpoint.public_ip, 108 wildcard_tls_secret_setup.ingress_host, 109 wildcard_tls_secret_setup.public_endpoint.port_ssl) 110 assert subject_dict[b'C'] == b'ES' 111 assert subject_dict[b'ST'] == b'CanaryIslands' 112 assert subject_dict[b'O'] == b'nginx' 113 assert subject_dict[b'OU'] == b'example.com' 114 assert subject_dict[b'CN'] == b'example.com' 115 116 def test_certificate_subject_remains_with_invalid_secret(self, kube_apis, ingress_controller_prerequisites, 117 wildcard_tls_secret_ingress_controller, 118 wildcard_tls_secret_setup): 119 delete_secret(kube_apis.v1, wildcard_tls_secret_ingress_controller.secret_name, 120 ingress_controller_prerequisites.namespace) 121 create_secret_from_yaml(kube_apis.v1, ingress_controller_prerequisites.namespace, 122 f"{TEST_DATA}/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml") 123 wait_before_test(1) 124 subject_dict = get_server_certificate_subject(wildcard_tls_secret_setup.public_endpoint.public_ip, 125 wildcard_tls_secret_setup.ingress_host, 126 wildcard_tls_secret_setup.public_endpoint.port_ssl) 127 assert subject_dict[b'C'] == b'ES' 128 assert subject_dict[b'ST'] == b'CanaryIslands' 129 assert subject_dict[b'CN'] == b'example.com' 130 131 def test_certificate_subject_updates_after_secret_update(self, kube_apis, ingress_controller_prerequisites, 132 wildcard_tls_secret_ingress_controller, 133 wildcard_tls_secret_setup): 134 delete_secret(kube_apis.v1, wildcard_tls_secret_ingress_controller.secret_name, 135 ingress_controller_prerequisites.namespace) 136 create_secret_from_yaml(kube_apis.v1, ingress_controller_prerequisites.namespace, 137 f"{TEST_DATA}/wildcard-tls-secret/gb-wildcard-tls-secret.yaml") 138 wait_before_test(1) 139 subject_dict = get_server_certificate_subject(wildcard_tls_secret_setup.public_endpoint.public_ip, 140 wildcard_tls_secret_setup.ingress_host, 141 wildcard_tls_secret_setup.public_endpoint.port_ssl) 142 assert subject_dict[b'C'] == b'GB' 143 assert subject_dict[b'ST'] == b'Cambridgeshire' 144 assert subject_dict[b'CN'] == b'cafe.example.com' 145 146 def test_response_and_subject_remains_after_secret_delete(self, kube_apis, ingress_controller_prerequisites, 147 wildcard_tls_secret_ingress_controller, 148 wildcard_tls_secret_setup): 149 delete_secret(kube_apis.v1, wildcard_tls_secret_ingress_controller.secret_name, 150 ingress_controller_prerequisites.namespace) 151 wait_before_test(1) 152 req_url = f"https://{wildcard_tls_secret_setup.public_endpoint.public_ip}:" \ 153 f"{wildcard_tls_secret_setup.public_endpoint.port_ssl}/backend1" 154 resp = requests.get(req_url, headers={"host": wildcard_tls_secret_setup.ingress_host}, verify=False) 155 assert resp.status_code == 200 156 subject_dict = get_server_certificate_subject(wildcard_tls_secret_setup.public_endpoint.public_ip, 157 wildcard_tls_secret_setup.ingress_host, 158 wildcard_tls_secret_setup.public_endpoint.port_ssl) 159 assert subject_dict[b'C'] == b'GB' 160 assert subject_dict[b'ST'] == b'Cambridgeshire' 161 assert subject_dict[b'CN'] == b'cafe.example.com'