// Listing source: istio.io/istio@v0.0.0-20240520182934-d79c90f27776/pkg/bootstrap/option/convert_test.go

// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package option

import (
	"reflect"
	"testing"

	networkingAPI "istio.io/api/networking/v1alpha3"
	"istio.io/istio/pkg/model"
)

// TestTlsContextConvert pins the JSON that tlsContextConvert is expected to
// produce (as rendered by convertToJSON) for each client TLS mode. Every case
// supplies ClientTLSSettings, an SNI argument and bootstrap node metadata, and
// compares the rendered context with a golden string.
//
// The golden strings are the security-relevant part of this test: they record
// which trust roots and client credentials end up referenced in the generated
// context, so a change to any of them is a change in TLS behaviour and should
// be reviewed as such rather than regenerated blindly.
// nolint: lll
func TestTlsContextConvert(t *testing.T) {
	cases := []struct {
		desc         string
		tls          *networkingAPI.ClientTLSSettings
		sni          string
		meta         *model.BootstrapNodeMetadata
		expectTLSCtx string
	}{
		// Empty settings: no TLS context is emitted at all ("null").
		{
			desc:         "no-tls",
			tls:          &networkingAPI.ClientTLSSettings{},
			sni:          "",
			meta:         &model.BootstrapNodeMetadata{},
			expectTLSCtx: "null",
		},
		// SIMPLE without CaCertificates: the expected context carries an empty
		// default_validation_context and no validation_context_sds_secret_config,
		// i.e. this output names no root CA.
		// NOTE(review): how the proxy treats a validation context without a
		// trust root is not shown here; confirm whether the server certificate
		// is actually verified in this configuration.
		{
			desc: "tls-simple-no-cert",
			tls: &networkingAPI.ClientTLSSettings{
				Mode: networkingAPI.ClientTLSSettings_SIMPLE,
			},
			sni:          "",
			meta:         &model.BootstrapNodeMetadata{},
			expectTLSCtx: "{\"common_tls_context\":{\"ValidationContextType\":{\"CombinedValidationContext\":{\"default_validation_context\":{}}},\"alpn_protocols\":[\"h2\"]}}",
		},
		// SIMPLE with CaCertificates: the root is referenced as the SDS secret
		// "file-root:foo.pem" fetched from the "sds-grpc" cluster, and the SNI
		// comes from the settings because the sni argument is empty.
		{
			desc: "tls-simple-cert-cli",
			tls: &networkingAPI.ClientTLSSettings{
				Mode:           networkingAPI.ClientTLSSettings_SIMPLE,
				CaCertificates: "foo.pem",
				Sni:            "foo",
			},
			sni:          "",
			meta:         &model.BootstrapNodeMetadata{},
			expectTLSCtx: `{"common_tls_context":{"ValidationContextType":{"CombinedValidationContext":{"default_validation_context":{},"validation_context_sds_secret_config":{"name":"file-root:foo.pem","sds_config":{"ConfigSourceSpecifier":{"ApiConfigSource":{"api_type":2,"transport_api_version":2,"grpc_services":[{"TargetSpecifier":{"EnvoyGrpc":{"cluster_name":"sds-grpc"}}}],"set_node_on_first_message_only":true}},"resource_api_version":2}}}},"alpn_protocols":["h2"]},"sni":"foo"}`,
		},
		// Same settings, but node metadata sets TLSClientRootCert: the expected
		// secret name is "file-root:/foo/bar/baz.pem", so the metadata value
		// replaces CaCertificates as the trust root. Whoever controls node
		// metadata therefore controls which root is trusted.
		{
			desc: "tls-simple-cert-cli-meta",
			tls: &networkingAPI.ClientTLSSettings{
				Mode:           networkingAPI.ClientTLSSettings_SIMPLE,
				CaCertificates: "foo.pem",
				Sni:            "foo",
			},
			sni: "",
			meta: &model.BootstrapNodeMetadata{
				NodeMetadata: model.NodeMetadata{
					TLSClientRootCert: "/foo/bar/baz.pem",
				},
			},
			expectTLSCtx: `{"common_tls_context":{"ValidationContextType":{"CombinedValidationContext":{"default_validation_context":{},"validation_context_sds_secret_config":{"name":"file-root:/foo/bar/baz.pem","sds_config":{"ConfigSourceSpecifier":{"ApiConfigSource":{"api_type":2,"transport_api_version":2,"grpc_services":[{"TargetSpecifier":{"EnvoyGrpc":{"cluster_name":"sds-grpc"}}}],"set_node_on_first_message_only":true}},"resource_api_version":2}}}},"alpn_protocols":["h2"]},"sni":"foo"}`,
		},
		// MUTUAL with neither certificate nor key: the expected output equals
		// the "tls-simple-no-cert" one, with no tls_certificate_sds_secret_configs
		// entry. The converter is thus expected to emit a context without a
		// client identity instead of failing.
		// NOTE(review): confirm that this misconfiguration is reported
		// somewhere upstream of the converter.
		{
			desc: "tls-cli-mutual-missing-certs",
			meta: &model.BootstrapNodeMetadata{},
			tls: &networkingAPI.ClientTLSSettings{
				Mode: networkingAPI.ClientTLSSettings_MUTUAL,
			},
			expectTLSCtx: `{"common_tls_context":{"ValidationContextType":{"CombinedValidationContext":{"default_validation_context":{}}},"alpn_protocols":["h2"]}}`,
		},
		// MUTUAL with certificate and key: both field values are joined with
		// "~" into the secret name "file-cert:foo~im-private-foo". The name
		// holds the ClientCertificate/PrivateKey values as given (presumably
		// file paths, to be confirmed), so it appears in the rendered config.
		// No CA is set, so the validation context stays empty here as well.
		{
			desc: "tls-cli-mutual",
			tls: &networkingAPI.ClientTLSSettings{
				Mode:              networkingAPI.ClientTLSSettings_MUTUAL,
				ClientCertificate: "foo",
				PrivateKey:        "im-private-foo",
				Sni:               "bar",
			},
			sni:          "",
			meta:         &model.BootstrapNodeMetadata{},
			expectTLSCtx: `{"common_tls_context":{"tls_certificate_sds_secret_configs":[{"name":"file-cert:foo~im-private-foo","sds_config":{"ConfigSourceSpecifier":{"ApiConfigSource":{"api_type":2,"transport_api_version":2,"grpc_services":[{"TargetSpecifier":{"EnvoyGrpc":{"cluster_name":"sds-grpc"}}}],"set_node_on_first_message_only":true}},"resource_api_version":2}}],"ValidationContextType":{"CombinedValidationContext":{"default_validation_context":{},"validation_context_sds_secret_config":{"name":"ROOTCA","sds_config":{"ConfigSourceSpecifier":{"ApiConfigSource":{"api_type":2,"transport_api_version":2,"grpc_services":[{"TargetSpecifier":{"EnvoyGrpc":{"cluster_name":"sds-grpc"}}}],"set_node_on_first_message_only":true}},"resource_api_version":2}}}},"alpn_protocols":["h2"]},"sni":"bar"}`,
		},
		// ISTIO_MUTUAL: the workload identity ("default") and the mesh root
		// ("ROOTCA") are both referenced as SDS secrets, ALPN advertises
		// "istio" ahead of "h2", and the SNI is taken from the sni argument
		// because the settings leave Sni unset.
		{
			desc: "tls-istio-mutual-no-certs",
			tls: &networkingAPI.ClientTLSSettings{
				Mode: networkingAPI.ClientTLSSettings_ISTIO_MUTUAL,
			},
			sni:          "i-should-be-sni",
			meta:         &model.BootstrapNodeMetadata{},
			expectTLSCtx: `{"common_tls_context":{"tls_certificate_sds_secret_configs":[{"name":"default","sds_config":{"ConfigSourceSpecifier":{"ApiConfigSource":{"api_type":2,"transport_api_version":2,"grpc_services":[{"TargetSpecifier":{"EnvoyGrpc":{"cluster_name":"sds-grpc"}}}],"set_node_on_first_message_only":true}},"initial_fetch_timeout":{},"resource_api_version":2}}],"ValidationContextType":{"CombinedValidationContext":{"default_validation_context":{},"validation_context_sds_secret_config":{"name":"ROOTCA","sds_config":{"ConfigSourceSpecifier":{"ApiConfigSource":{"api_type":2,"transport_api_version":2,"grpc_services":[{"TargetSpecifier":{"EnvoyGrpc":{"cluster_name":"sds-grpc"}}}],"set_node_on_first_message_only":true}},"initial_fetch_timeout":{},"resource_api_version":2}}}},"alpn_protocols":["istio","h2"]},"sni":"i-should-be-sni"}`,
		},
	}

	for _, tc := range cases {
		t.Run(tc.desc, func(t *testing.T) {
			// Render once, then compare against the golden string for this case.
			actual := convertToJSON(tlsContextConvert(tc.tls, tc.sni, tc.meta))
			if reflect.DeepEqual(tc.expectTLSCtx, actual) {
				return
			}
			t.Errorf("%s: expected TLS ctx \n%v got \n%v", tc.desc, tc.expectTLSCtx, actual)
		})
	}
}