istio.io/istio@v0.0.0-20240520182934-d79c90f27776/tests/integration/security/mtls_healthcheck_test.go (about)

     1  //go:build integ
     2  // +build integ
     3  
     4  //  Copyright Istio Authors
     5  //
     6  //  Licensed under the Apache License, Version 2.0 (the "License");
     7  //  you may not use this file except in compliance with the License.
     8  //  You may obtain a copy of the License at
     9  //
    10  //      http://www.apache.org/licenses/LICENSE-2.0
    11  //
    12  //  Unless required by applicable law or agreed to in writing, software
    13  //  distributed under the License is distributed on an "AS IS" BASIS,
    14  //  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    15  //  See the License for the specific language governing permissions and
    16  //  limitations under the License.
    17  
    18  package security
    19  
    20  import (
    21  	"fmt"
    22  	"strconv"
    23  	"testing"
    24  	"time"
    25  
    26  	"istio.io/api/annotation"
    27  	"istio.io/istio/pkg/config/protocol"
    28  	"istio.io/istio/pkg/test/framework"
    29  	"istio.io/istio/pkg/test/framework/components/echo"
    30  	"istio.io/istio/pkg/test/framework/components/echo/deployment"
    31  	"istio.io/istio/pkg/test/framework/components/namespace"
    32  )
    33  
// TestMtlsHealthCheck checks that a Kubernetes HTTP health check keeps working
// once STRICT mTLS is enforced for the probed workload,
// see https://github.com/istio/istio/issues/9150.
// Currently this test only passes on Prow against a real GKE cluster and fails
// on Minikube; details in https://github.com/istio/istio/issues/12754.
func TestMtlsHealthCheck(t *testing.T) {
	type healthCheckCase struct {
		name    string
		rewrite bool // value written to the sidecar rewrite-app-HTTP-probers annotation
	}
	cases := []healthCheckCase{
		{name: "rewrite-success", rewrite: true},
	}

	framework.NewTest(t).
		Run(func(t framework.TestContext) {
			// A single injected namespace is shared by every sub-test; each
			// sub-test deploys its own app, named after the case.
			ns := namespace.NewOrFail(t, t, namespace.Config{Prefix: "healthcheck", Inject: true})
			for _, tc := range cases {
				t.NewSubTest(tc.name).Run(func(t framework.TestContext) {
					runHealthCheckDeployment(t, ns, tc.name, tc.rewrite)
				})
			}
		})
}
    54  
// runHealthCheckDeployment applies a STRICT PeerAuthentication selecting the
// app labelled name in ns, deploys an echo workload with that name whose
// sidecar rewrite-app-HTTP-probers annotation is set to rewrite, and reports a
// test error when the deployment outcome differs from what rewrite predicts:
// with rewriting enabled the deployment must come up, without it the
// deployment is expected to fail (presumably because the kubelet probe cannot
// reach the app through the mTLS-only sidecar), bounded by ReadinessTimeout.
func runHealthCheckDeployment(ctx framework.TestContext, ns namespace.Instance, //nolint:interfacer
	name string, rewrite bool,
) {
	ctx.Helper()

	// Scope STRICT mTLS to this app only, so other workloads in the shared
	// namespace are unaffected.
	const peerAuthTemplate = `apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: "mtls-strict-for-%v"
spec:
  selector:
    matchLabels:
      app: "%v"
  mtls:
    mode: STRICT
`
	ctx.ConfigIstio().YAML(ns.Name(), fmt.Sprintf(peerAuthTemplate, name, name)).ApplyOrFail(ctx)

	echoCfg := echo.Config{
		Namespace: ns,
		Service:   name,
		Ports: []echo.Port{{
			Name:         "http-8080",
			Protocol:     protocol.HTTP,
			ServicePort:  8080,
			WorkloadPort: 8080,
		}},
		Subsets: []echo.SubsetConfig{{
			Annotations: map[string]string{
				annotation.SidecarRewriteAppHTTPProbers.Name: strconv.FormatBool(rewrite),
			},
		}},
	}
	if !rewrite {
		// Negative case: the workload is expected never to become ready, so
		// bound the wait instead of relying on the default readiness timeout.
		echoCfg.ReadinessTimeout = 15 * time.Second
	}

	var app echo.Instance
	_, err := deployment.New(ctx).With(&app, echoCfg).Build()
	// Success is expected exactly when probe rewriting is enabled.
	if succeeded := err == nil; succeeded != rewrite {
		ctx.Errorf("health check app %v, got error %v, want success = %v", name, err, rewrite)
	}
}