diff --git a/test/e2e/lua/dynamic_certificates.go b/test/e2e/lua/dynamic_certificates.go index a8889bf01c..c15f46652d 100644 --- a/test/e2e/lua/dynamic_certificates.go +++ b/test/e2e/lua/dynamic_certificates.go @@ -17,15 +17,12 @@ limitations under the License. package lua import ( - "crypto/tls" "fmt" - "net/http" "strings" "time" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" - "github.com/parnurzeal/gorequest" appsv1beta1 "k8s.io/api/apps/v1beta1" extensions "k8s.io/api/extensions/v1beta1" @@ -54,18 +51,9 @@ var _ = framework.IngressNginxDescribe("Dynamic Certificate", func() { }) It("picks up the certificate when we add TLS spec to existing ingress", func() { - ing, err := f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.IngressController.Namespace, "http-svc", 80, nil)) - Expect(err).NotTo(HaveOccurred()) - Expect(ing).NotTo(BeNil()) - time.Sleep(waitForLuaSync) - resp, _, errs := gorequest.New(). - Get(f.IngressController.HTTPURL). - Set("Host", host). - End() - Expect(len(errs)).Should(BeNumerically("==", 0)) - Expect(resp.StatusCode).Should(Equal(http.StatusOK)) - - ing, err = f.KubeClientSet.ExtensionsV1beta1().Ingresses(f.IngressController.Namespace).Get("foo.com", metav1.GetOptions{}) + ensureIngress(f, host) + + ing, err := f.KubeClientSet.ExtensionsV1beta1().Ingresses(f.IngressController.Namespace).Get(host, metav1.GetOptions{}) Expect(err).ToNot(HaveOccurred()) ing.Spec.TLS = []extensions.IngressTLS{ { @@ -80,30 +68,9 @@ var _ = framework.IngressNginxDescribe("Dynamic Certificate", func() { Expect(err).ToNot(HaveOccurred()) _, err = f.KubeClientSet.ExtensionsV1beta1().Ingresses(f.IngressController.Namespace).Update(ing) Expect(err).ToNot(HaveOccurred()) - - By("configuring HTTPS endpoint") - err = f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, "server_name "+host) && - strings.Contains(server, "listen 443") - }) - Expect(err).ToNot(HaveOccurred()) - time.Sleep(waitForLuaSync) - By("serving the configured certificate on HTTPS endpoint") - resp, _, errs = gorequest.New(). - Get(f.IngressController.HTTPSURL). - Set("Host", ing.Spec.TLS[0].Hosts[0]). - TLSClientConfig(&tls.Config{ - InsecureSkipVerify: true, - ServerName: ing.Spec.TLS[0].Hosts[0], - }). - End() - Expect(len(errs)).Should(BeNumerically("==", 0)) - Expect(resp.StatusCode).Should(Equal(http.StatusOK)) - Expect(len(resp.TLS.PeerCertificates)).Should(BeNumerically("==", 1)) - Expect(resp.TLS.PeerCertificates[0].DNSNames[0]).Should(Equal(host)) + ensureHTTPSRequest(f.IngressController.HTTPSURL, host, host) }) It("picks up the previously missing secret for a given ingress without reloading", func() { @@ -111,16 +78,7 @@ var _ = framework.IngressNginxDescribe("Dynamic Certificate", func() { Expect(err).NotTo(HaveOccurred()) Expect(ing).NotTo(BeNil()) time.Sleep(waitForLuaSync) - resp, _, errs := gorequest.New(). - Get(fmt.Sprintf("%s?id=dummy_log_splitter_foo_bar", f.IngressController.HTTPSURL)). - Set("Host", host). - TLSClientConfig(&tls.Config{ - InsecureSkipVerify: true, - ServerName: ing.Spec.TLS[0].Hosts[0], - }). - End() - Expect(len(errs)).Should(BeNumerically("==", 0)) - Expect(resp.StatusCode).Should(Equal(http.StatusOK)) + ensureHTTPSRequest(fmt.Sprintf("%s?id=dummy_log_splitter_foo_bar", f.IngressController.HTTPSURL), host, "ingress.local") _, err = framework.CreateIngressTLSSecret(f.KubeClientSet, ing.Spec.TLS[0].Hosts, @@ -141,18 +99,7 @@ var _ = framework.IngressNginxDescribe("Dynamic Certificate", func() { time.Sleep(waitForLuaSync) By("serving the configured certificate on HTTPS endpoint") - resp, _, errs = gorequest.New(). - Get(f.IngressController.HTTPSURL). - Set("Host", ing.Spec.TLS[0].Hosts[0]). - TLSClientConfig(&tls.Config{ - InsecureSkipVerify: true, - ServerName: ing.Spec.TLS[0].Hosts[0], - }). - End() - Expect(len(errs)).Should(BeNumerically("==", 0)) - Expect(resp.StatusCode).Should(Equal(http.StatusOK)) - Expect(len(resp.TLS.PeerCertificates)).Should(BeNumerically("==", 1)) - Expect(resp.TLS.PeerCertificates[0].DNSNames[0]).Should(Equal(host)) + ensureHTTPSRequest(f.IngressController.HTTPSURL, host, host) log, err := f.NginxLogs() Expect(err).ToNot(HaveOccurred()) @@ -173,24 +120,7 @@ var _ = framework.IngressNginxDescribe("Dynamic Certificate", func() { Expect(ing).NotTo(BeNil()) time.Sleep(waitForLuaSync) - resp, _, errs := gorequest.New(). - Get(f.IngressController.HTTPSURL). - Set("Host", host). - TLSClientConfig(&tls.Config{ - InsecureSkipVerify: true, - ServerName: host, - }). - End() - Expect(len(errs)).Should(BeNumerically("==", 0)) - Expect(resp.StatusCode).Should(Equal(http.StatusOK)) - - By("configuring HTTPS endpoint") - err = f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, "server_name "+host) && - strings.Contains(server, "listen 443") - }) - Expect(err).ToNot(HaveOccurred()) + ensureHTTPSRequest(f.IngressController.HTTPSURL, host, "ingress.local") _, err = framework.CreateIngressTLSSecret(f.KubeClientSet, ing.Spec.TLS[0].Hosts, @@ -212,33 +142,13 @@ var _ = framework.IngressNginxDescribe("Dynamic Certificate", func() { time.Sleep(waitForLuaSync) By("serving the configured certificate on HTTPS endpoint") - resp, _, errs = gorequest.New(). - Get(f.IngressController.HTTPSURL). - Set("Host", ing.Spec.TLS[0].Hosts[0]). - TLSClientConfig(&tls.Config{ - InsecureSkipVerify: true, - ServerName: ing.Spec.TLS[0].Hosts[0], - }). - End() - Expect(len(errs)).Should(BeNumerically("==", 0)) - Expect(resp.StatusCode).Should(Equal(http.StatusOK)) - Expect(len(resp.TLS.PeerCertificates)).Should(BeNumerically("==", 1)) - Expect(resp.TLS.PeerCertificates[0].DNSNames[0]).Should(Equal(host)) + ensureHTTPSRequest(f.IngressController.HTTPSURL, host, host) }) It("picks up the updated certificate without reloading", func() { - ing, err := f.KubeClientSet.ExtensionsV1beta1().Ingresses(f.IngressController.Namespace).Get("foo.com", metav1.GetOptions{}) - - resp, _, errs := gorequest.New(). - Get(fmt.Sprintf("%s?id=dummy_log_splitter_foo_bar", f.IngressController.HTTPSURL)). - Set("Host", host). - TLSClientConfig(&tls.Config{ - InsecureSkipVerify: true, - ServerName: ing.Spec.TLS[0].Hosts[0], - }). - End() - Expect(len(errs)).Should(BeNumerically("==", 0)) - Expect(resp.StatusCode).Should(Equal(http.StatusOK)) + ing, err := f.KubeClientSet.ExtensionsV1beta1().Ingresses(f.IngressController.Namespace).Get(host, metav1.GetOptions{}) + + ensureHTTPSRequest(fmt.Sprintf("%s?id=dummy_log_splitter_foo_bar", f.IngressController.HTTPSURL), host, host) _, err = framework.CreateIngressTLSSecret(f.KubeClientSet, ing.Spec.TLS[0].Hosts, @@ -260,18 +170,7 @@ var _ = framework.IngressNginxDescribe("Dynamic Certificate", func() { time.Sleep(waitForLuaSync) By("serving the configured certificate on HTTPS endpoint") - resp, _, errs = gorequest.New(). - Get(f.IngressController.HTTPSURL). - Set("Host", ing.Spec.TLS[0].Hosts[0]). - TLSClientConfig(&tls.Config{ - InsecureSkipVerify: true, - ServerName: ing.Spec.TLS[0].Hosts[0], - }). - End() - Expect(len(errs)).Should(BeNumerically("==", 0)) - Expect(resp.StatusCode).Should(Equal(http.StatusOK)) - Expect(len(resp.TLS.PeerCertificates)).Should(BeNumerically("==", 1)) - Expect(resp.TLS.PeerCertificates[0].DNSNames[0]).Should(Equal(host)) + ensureHTTPSRequest(f.IngressController.HTTPSURL, host, host) log, err := f.NginxLogs() Expect(err).ToNot(HaveOccurred()) @@ -286,18 +185,9 @@ var _ = framework.IngressNginxDescribe("Dynamic Certificate", func() { }) It("falls back to using default certificate when secret gets deleted without reloading", func() { - ing, err := f.KubeClientSet.ExtensionsV1beta1().Ingresses(f.IngressController.Namespace).Get("foo.com", metav1.GetOptions{}) - - resp, _, errs := gorequest.New(). - Get(fmt.Sprintf("%s?id=dummy_log_splitter_foo_bar", f.IngressController.HTTPSURL)). - Set("Host", host). - TLSClientConfig(&tls.Config{ - InsecureSkipVerify: true, - ServerName: ing.Spec.TLS[0].Hosts[0], - }). - End() - Expect(len(errs)).Should(BeNumerically("==", 0)) - Expect(resp.StatusCode).Should(Equal(http.StatusOK)) + ing, err := f.KubeClientSet.ExtensionsV1beta1().Ingresses(f.IngressController.Namespace).Get(host, metav1.GetOptions{}) + + ensureHTTPSRequest(fmt.Sprintf("%s?id=dummy_log_splitter_foo_bar", f.IngressController.HTTPSURL), host, host) f.KubeClientSet.CoreV1().Secrets(ing.Namespace).Delete(ing.Spec.TLS[0].SecretName, nil) Expect(err).ToNot(HaveOccurred()) @@ -316,18 +206,7 @@ var _ = framework.IngressNginxDescribe("Dynamic Certificate", func() { time.Sleep(waitForLuaSync) By("serving the default certificate on HTTPS endpoint") - resp, _, errs = gorequest.New(). - Get(f.IngressController.HTTPSURL). - Set("Host", ing.Spec.TLS[0].Hosts[0]). - TLSClientConfig(&tls.Config{ - InsecureSkipVerify: true, - ServerName: ing.Spec.TLS[0].Hosts[0], - }). - End() - Expect(len(errs)).Should(BeNumerically("==", 0)) - Expect(resp.StatusCode).Should(Equal(http.StatusOK)) - Expect(len(resp.TLS.PeerCertificates)).Should(BeNumerically("==", 1)) - Expect(resp.TLS.PeerCertificates[0].Issuer.CommonName).Should(Equal("Kubernetes Ingress Controller Fake Certificate")) + ensureHTTPSRequest(f.IngressController.HTTPSURL, host, "ingress.local") log, err := f.NginxLogs() Expect(err).ToNot(HaveOccurred()) @@ -343,58 +222,26 @@ var _ = framework.IngressNginxDescribe("Dynamic Certificate", func() { It("picks up a non-certificate only change", func() { newHost := "foo2.com" - ing, err := f.KubeClientSet.ExtensionsV1beta1().Ingresses(f.IngressController.Namespace).Get("foo.com", metav1.GetOptions{}) + ing, err := f.KubeClientSet.ExtensionsV1beta1().Ingresses(f.IngressController.Namespace).Get(host, metav1.GetOptions{}) Expect(err).NotTo(HaveOccurred()) - ing.Spec.Rules[0].Host = newHost _, err = f.KubeClientSet.ExtensionsV1beta1().Ingresses(f.IngressController.Namespace).Update(ing) Expect(err).ToNot(HaveOccurred()) - - By("configuring HTTPS endpoint") - err = f.WaitForNginxServer(newHost, - func(server string) bool { - return strings.Contains(server, "server_name "+newHost) && - strings.Contains(server, "listen 443") - }) - Expect(err).ToNot(HaveOccurred()) + time.Sleep(waitForLuaSync) By("serving the configured certificate on HTTPS endpoint") - resp, _, errs := gorequest.New(). - Get(f.IngressController.HTTPSURL). - Set("Host", newHost). - TLSClientConfig(&tls.Config{ - InsecureSkipVerify: true, - ServerName: newHost, - }). - End() - Expect(len(errs)).Should(BeNumerically("==", 0)) - Expect(resp.StatusCode).Should(Equal(http.StatusOK)) - Expect(len(resp.TLS.PeerCertificates)).Should(BeNumerically("==", 1)) - Expect(resp.TLS.PeerCertificates[0].Issuer.CommonName).Should(Equal("Kubernetes Ingress Controller Fake Certificate")) + ensureHTTPSRequest(f.IngressController.HTTPSURL, newHost, "ingress.local") }) It("removes HTTPS configuration when we delete TLS spec", func() { - ing, err := f.KubeClientSet.ExtensionsV1beta1().Ingresses(f.IngressController.Namespace).Get("foo.com", metav1.GetOptions{}) + ing, err := f.KubeClientSet.ExtensionsV1beta1().Ingresses(f.IngressController.Namespace).Get(host, metav1.GetOptions{}) Expect(err).NotTo(HaveOccurred()) - ing.Spec.TLS = []extensions.IngressTLS{} - _, err = f.KubeClientSet.ExtensionsV1beta1().Ingresses(f.IngressController.Namespace).Update(ing) Expect(err).ToNot(HaveOccurred()) - By("configuring HTTP endpoint") - err = f.WaitForNginxServer(host, - func(server string) bool { - return !strings.Contains(server, "ssl_certificate_by_lua_block") && - !strings.Contains(server, "listen 443") - }) - Expect(err).ToNot(HaveOccurred()) + time.Sleep(waitForLuaSync) - resp, _, errs := gorequest.New(). - Get(f.IngressController.HTTPURL). - Set("Host", host). - End() - Expect(len(errs)).Should(BeNumerically("==", 0)) - Expect(resp.StatusCode).Should(Equal(http.StatusOK)) + ensureRequest(f, host) }) }) }) diff --git a/test/e2e/lua/dynamic_configuration.go b/test/e2e/lua/dynamic_configuration.go index 735f964426..ff9ef498cb 100644 --- a/test/e2e/lua/dynamic_configuration.go +++ b/test/e2e/lua/dynamic_configuration.go @@ -17,6 +17,7 @@ limitations under the License. package lua import ( + "crypto/tls" "fmt" "net/http" "regexp" @@ -170,6 +171,21 @@ func ensureRequest(f *framework.Framework, host string) { Expect(resp.StatusCode).Should(Equal(http.StatusOK)) } +func ensureHTTPSRequest(url string, host string, expectedDNSName string) { + resp, _, errs := gorequest.New(). + Get(url). + Set("Host", host). + TLSClientConfig(&tls.Config{ + InsecureSkipVerify: true, + ServerName: host, + }). + End() + Expect(errs).Should(BeEmpty()) + Expect(resp.StatusCode).Should(Equal(http.StatusOK)) + Expect(len(resp.TLS.PeerCertificates)).Should(BeNumerically("==", 1)) + Expect(resp.TLS.PeerCertificates[0].DNSNames[0]).Should(Equal(expectedDNSName)) +} + func getCookie(name string, cookies []*http.Cookie) (*http.Cookie, error) { for _, cookie := range cookies { if cookie.Name == name {