//go:build integ
// +build integ

// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package filemountedcerts

import (
	"testing"
	"time"

	"istio.io/istio/pkg/test/framework"
	"istio.io/istio/pkg/test/framework/components/echo"
	"istio.io/istio/pkg/test/framework/components/echo/check"
	"istio.io/istio/pkg/test/util/retry"
)

// Secret names and on-disk locations of the file-mounted certificates used
// by the client and server workloads, plus the exact X-Forwarded-Client-Cert
// (XFCC) value the server must observe once mTLS is established with them.
const (
	ServerSecretName = "test-server-cred"
	ServerCertsPath  = "tests/testdata/certs/mountedcerts-server"

	ClientSecretName = "test-client-cred"
	ClientCertsPath  = "tests/testdata/certs/mountedcerts-client"

	// ExpectedXfccHeader pins the whole XFCC value the proxy forwards to the
	// server: the server identity (By), the client certificate hash, the
	// client subject and its SPIFFE/DNS SANs. Rotating the mounted client
	// certificate changes the Hash component, so this constant must be
	// updated together with the test data. The mounted-certs namespace is
	// hard-coded here rather than templated.
	// nolint: lll
	ExpectedXfccHeader = `By=spiffe://cluster.local/ns/mounted-certs/sa/server;Hash=86948ccdaf2de73b20d389dc212aaf2d72f9f1ca239327cc2e8b05e61b1676d1;Subject="CN=client.mounted-certs.svc.cluster.local";URI=spiffe://cluster.local/ns/mounted-certs/sa/client;DNS=client.mounted-certs.svc`
)

// TestClientToServiceTls verifies that a client presenting file-mounted
// certificates can reach the server over mutual TLS while the mesh enforces
// STRICT mTLS, and that the server receives exactly ExpectedXfccHeader. The
// header comparison is what ties the passing call to the mounted client
// identity; a bare HTTP 200 alone would not prove the client cert was used.
//
// client, server and echo1NS are package-level fixtures set up elsewhere in
// this package.
func TestClientToServiceTls(t *testing.T) {
	framework.NewTest(t).
		Run(func(tc framework.TestContext) {
			// Client side: force MUTUAL TLS towards the server using the
			// certificates mounted under /client-certs.
			createObject(tc, echo1NS.Name(), DestinationRuleConfigMutual)
			// Mesh-wide: STRICT mode, so the server side accepts mTLS only.
			createObject(tc, "istio-system", PeerAuthenticationConfig)

			// Both conditions must hold: a successful response and the
			// exact forwarded client-certificate header.
			xfccCheck := check.And(
				check.OK(),
				check.RequestHeader("X-Forwarded-Client-Cert", ExpectedXfccHeader),
			)
			// Poll for up to a minute, presumably to allow the freshly
			// applied config to propagate to the proxies.
			retryOpts := []retry.Option{
				retry.Delay(5 * time.Second),
				retry.Timeout(1 * time.Minute),
			}

			callOpts := echo.CallOptions{
				To:    server,
				Count: 1,
				Port:  echo.Port{Name: "http"},
				Check: xfccCheck,
				Retry: echo.Retry{Options: retryOpts},
			}
			client[0].CallOrFail(tc, callOpts)
		})
}

// Manifests applied by the test. {{.AppNamespace}} is filled in by
// createObject.
const (
	// DestinationRuleConfigMutual makes the client's proxy originate mTLS to
	// the server with the file-mounted client certificate and CA. The host
	// is templated on the namespace, but the subjectAltNames entry (like
	// ExpectedXfccHeader) hard-codes mounted-certs — NOTE(review): this
	// presumably relies on echo1NS being created with that fixed name; confirm.
	DestinationRuleConfigMutual = `
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: server
  namespace: {{.AppNamespace}}
spec:
  host: "server.{{.AppNamespace}}.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: MUTUAL
      caCertificates: /client-certs/root-cert.pem
      clientCertificate: /client-certs/cert-chain.pem
      privateKey: /client-certs/key.pem
      subjectAltNames:
        - server.mounted-certs.svc

`

	// PeerAuthenticationConfig is the mesh-wide default (istio-system
	// namespace, name "default") requiring STRICT mTLS for inbound traffic.
	PeerAuthenticationConfig = `
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: "istio-system"
spec:
  mtls:
    mode: STRICT
`
)

// createObject renders yamlManifest with {{.AppNamespace}} bound to
// serviceNamespace, then applies the result and fails the test on error.
// serviceNamespace is also handed to Eval as the namespace argument; the
// manifests in this file additionally set metadata.namespace themselves.
func createObject(ctx framework.TestContext, serviceNamespace string, yamlManifest string) {
	templateArgs := map[string]string{"AppNamespace": serviceNamespace}
	rendered := ctx.ConfigIstio().Eval(serviceNamespace, templateArgs, yamlManifest)
	rendered.ApplyOrFail(ctx)
}