istio.io/istio@v0.0.0-20240520182934-d79c90f27776/tests/integration/security/filebased_tls_origination/destination_rule_tls_test.go (about)

     1  //go:build integ
     2  // +build integ
     3  
     4  // Copyright Istio Authors
     5  //
     6  // Licensed under the Apache License, Version 2.0 (the "License");
     7  // you may not use this file except in compliance with the License.
     8  // You may obtain a copy of the License at
     9  //
    10  //     http://www.apache.org/licenses/LICENSE-2.0
    11  //
    12  // Unless required by applicable law or agreed to in writing, software
    13  // distributed under the License is distributed on an "AS IS" BASIS,
    14  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    15  // See the License for the specific language governing permissions and
    16  // limitations under the License.
    17  
    18  package filebasedtlsorigination
    19  
    20  import (
    21  	"testing"
    22  
    23  	"istio.io/istio/pkg/test/echo/common/scheme"
    24  	"istio.io/istio/pkg/test/framework"
    25  	"istio.io/istio/pkg/test/framework/components/echo"
    26  	"istio.io/istio/pkg/test/framework/components/echo/check"
    27  )
    28  
// TestDestinationRuleTls verifies that a DestinationRule with tls.mode MUTUAL
// is honored for traffic from the test client to "server".
//
// The rule references a client certificate, private key and CA bundle under
// /etc/certs/custom; those files are expected to be created and mounted by the
// suite setup elsewhere in this package (not shown here). One request is then
// sent per protocol (grpc, http, tcp) and must succeed.
//
// NOTE(review): this is a positive-path check only. A successful call shows the
// configured certificates are usable and do not break traffic; it does not by
// itself prove that the server rejects clients without the custom certs or that
// the presented client certificate was validated. A negative case would be
// needed to assert enforcement rather than mere compatibility.
func TestDestinationRuleTls(t *testing.T) {
	framework.
		NewTest(t).
		Run(func(t framework.TestContext) {
			namespace := appNS

			// Client-side mTLS towards "server" using the file-mounted certs.
			// exportTo "." keeps the rule local to this namespace.
			t.ConfigIstio().YAML(namespace.Name(), `
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: db-mtls
spec:
  exportTo: ["."]
  host: server
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/custom/cert-chain.pem
      privateKey: /etc/certs/custom/key.pem
      caCertificates: /etc/certs/custom/root-cert.pem
      sni: server
`).ApplyOrFail(t)

			protocols := []string{"grpc", "http", "tcp"}
			for _, proto := range protocols {
				proto := proto // per-iteration copy for the subtest closure
				t.NewSubTest(proto).Run(func(t framework.TestContext) {
					call := echo.CallOptions{
						To:    server,
						Count: 1,
						Port:  echo.Port{Name: proto},
						Check: check.OK(),
					}
					// The tcp port carries no application protocol, so the
					// call must use the raw TCP scheme rather than the default.
					if proto == "tcp" {
						call.Scheme = scheme.TCP
					}
					client[0].CallOrFail(t, call)
				})
			}
		})
}