This is an automated email from the ASF dual-hosted git repository.

kichan pushed a commit to branch master
in repository 
https://gitbox.apache.org/repos/asf/trafficserver-ingress-controller.git


The following commit(s) were added to refs/heads/master by this push:
     new febcddc  Sni test fix (#324)
febcddc is described below

commit febcddc96368b967a3772242c21f2ef9b8bf30c1
Author: saurabh-saraswat <[email protected]>
AuthorDate: Mon Jan 5 03:28:59 2026 +0530

    Sni test fix (#324)
    
    * Update build.yml
    
    * Update build.yml
    
    * Update build.yml
    
    * Update build.yml
    
    * Fixed to include certificates in ATS
    
    * Temp Changes to trigger the tests
    
    * Update container image for node-https
    
    * Remove imagePullPolicy from ats-deployment.yaml
    
    * test change to get logs
    
    Added commands to retrieve pod and resource information from Kubernetes.
    
    * Set imagePullPolicy to Never
    
    * Set imagePullPolicy to Never for node-app-3
    
    * Enhance test with pod description and log retrieval
    
    Added commands to describe and fetch logs for backend pods.
    
    * Added the certificates in build.yaml and corrected image policy
    
    * Remove App certs creation from test_ingress
    
    * Removed local repo
    
    * Preparing for original repo
---
 .github/workflows/build.yml                        |  17 ++++
 bin/tls-config.sh                                  |  43 ++++++---
 k8s/images/node-app-3/yaml/app3-deploy.yaml        |   3 +-
 k8s/images/node-app-4/yaml/app4-deploy.yaml        |   1 +
 tests/data/setup/apps/app-service.yaml             |   2 +-
 tests/data/setup/configmaps/ats-configmap.yaml     |  11 +--
 tests/data/setup/ingresses/ats-ingress.yaml        |   9 +-
 .../data/setup/traffic-server/ats-deployment.yaml  |  30 +++---
 tests/suite/test_ingress.py                        | 106 +++++++++++----------
 watcher/handlerIngress.go                          |   1 +
 10 files changed, 140 insertions(+), 83 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7352eab..a1c6a3c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -63,6 +63,23 @@ jobs:
         run: |
           eval $(minikube -p minikube docker-env)
           docker build -t caching-app k8s/images/caching-app/
+      
+      - name: Create CA to sign certificates
+        run: |
+          mkdir -p tests/certs
+          openssl genrsa -out tests/certs/rootCA.key 4096
+          openssl req -x509 -new -key tests/certs/rootCA.key -sha256 -days 1 
-out tests/certs/rootCA.crt -subj 
"/C=US/ST=State/L=City/O=MyOrg/OU=MyUnit/CN=TestRootCA" -addext 
"basicConstraints=critical,CA:TRUE" -addext 
"keyUsage=critical,keyCertSign,cRLSign" -addext "subjectKeyIdentifier=hash"
+
+      - name: Create Certs for node-app-4
+        run: |
+          openssl genrsa -out k8s/images/node-app-4/origin.key 4096
+          openssl req -x509 -new -key k8s/images/node-app-4/origin.key -sha256 
-days 1 -out k8s/images/node-app-4/origin.crt -subj 
"/C=US/ST=State/L=City/O=MyOrg/OU=MyUnit/CN=test.example.com"
+
+      - name: Create Certs for node-app-3
+        run: |
+          openssl genrsa -out k8s/images/node-app-3/backend.key 2048
+          openssl req -new -key k8s/images/node-app-3/backend.key -out 
k8s/images/node-app-3/backend.csr -subj 
"/C=US/ST=State/L=City/O=TestOrg/CN=test.example.com.backend.svc.cluster.local"
+          openssl x509 -req -in k8s/images/node-app-3/backend.csr -CA 
tests/certs/rootCA.crt -CAkey tests/certs/rootCA.key -CAcreateserial -out 
k8s/images/node-app-3/backend.crt -days 1 -sha256
 
       - name: Build App 3
         run: |
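Review bot: The leaf certificates generated in the "Create Certs for node-app-4" and "Create Certs for node-app-3" steps carry only a CN and no subjectAltName, so hostname verification of these origins depends on the verifier still falling back to CN. If the verify-server tests are meant to exercise name checking, state the name explicitly, e.g. `-addext "subjectAltName=DNS:test.example.com"` on the origin.crt request, and pass an `-extfile` with the matching `subjectAltName` line to the `openssl x509 -req` signing call. The root CA key in `tests/certs/rootCA.key` also stays in the workspace for the rest of the job; the one-day validity limits the exposure, but the key should not end up in any uploaded artifact.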
diff --git a/bin/tls-config.sh b/bin/tls-config.sh
index 4dd02e6..4c18d0c 100755
--- a/bin/tls-config.sh
+++ b/bin/tls-config.sh
@@ -19,22 +19,37 @@
 set +x
 
 if [ -z "${POD_TLS_PATH}" ]; then
-       echo "POD_TLS_PATH not defined"
-       exit 1
+    echo "POD_TLS_PATH not defined"
+    exit 1
 fi
 
-tlspath="$POD_TLS_PATH/"      
-tlskey="$POD_TLS_PATH/tls.key"
-tlscrt="$POD_TLS_PATH/tls.crt"
+
+# Clear existing file
+> /opt/ats/etc/trafficserver/ssl_multicert.config
+
+found_any=false
+
+IFS=':' read -r -a paths <<< "$POD_TLS_PATH"
+
+for tlspath in "${paths[@]}"; do      
+    tlskey="${tlspath}/tls.key"
+    tlscrt="${tlspath}/tls.crt"
         
-if [ ! -f "${tlscrt}" ]; then
-       echo "${tlscrt} not found"
-       exit 1
-fi
+    if [ ! -f "${tlscrt}" ]; then
+        echo "${tlscrt} not found"
+        exit 1
+    fi
 
-if [ ! -f "${tlskey}" ]; then
-       echo "${tlskey} not found"
-       exit 1
-fi
+    if [ ! -f "${tlskey}" ]; then
+        echo "${tlskey} not found"
+        exit 1
+    fi
 
-echo "dest_ip=* ssl_cert_name=${tlscrt} ssl_key_name=${tlskey}" > 
/opt/ats/etc/trafficserver/ssl_multicert.config
+    echo "dest_ip=* ssl_cert_name=${tlscrt} ssl_key_name=${tlskey}" >> 
/opt/ats/etc/trafficserver/ssl_multicert.config
+    found_any=true
+done
+
+if [ "$found_any" = false ]; then
+    echo "No valid TLS cert/key pairs found in $tlspath"
+    exit 1
+fi
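Review bot: `ssl_multicert.config` is truncated before any path is validated, so a missing `tls.crt` or `tls.key` in a later entry of `POD_TLS_PATH` exits with the file empty or half-written. Validating every pair first, or appending to a temporary file and moving it into place after the loop, keeps the previous configuration intact on failure. The final check also prints `$tlspath`, which at that point is only the last loop element; `echo "No valid TLS cert/key pairs found in $POD_TLS_PATH"` reports the actual input. An empty component (a leading or doubled `:`) makes the script look for `/tls.key` and `/tls.crt` at the filesystem root, so `[ -n "$tlspath" ] || continue` at the top of the loop is worth adding. The `read -a` and `<<<` split requires bash; the interpreter line is outside the hunk.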
diff --git a/k8s/images/node-app-3/yaml/app3-deploy.yaml 
b/k8s/images/node-app-3/yaml/app3-deploy.yaml
index 1c5d2bc..46776f7 100644
--- a/k8s/images/node-app-3/yaml/app3-deploy.yaml
+++ b/k8s/images/node-app-3/yaml/app3-deploy.yaml
@@ -20,7 +20,8 @@ spec:
     spec:
       containers:
         - name: node-https
-          image: node-https-app:latest
+          image: node-app-3:latest
+          imagePullPolicy: Never
           ports:
             - containerPort: 8443
               name: https
diff --git a/k8s/images/node-app-4/yaml/app4-deploy.yaml 
b/k8s/images/node-app-4/yaml/app4-deploy.yaml
index 7f7b327..8ee6f9f 100644
--- a/k8s/images/node-app-4/yaml/app4-deploy.yaml
+++ b/k8s/images/node-app-4/yaml/app4-deploy.yaml
@@ -21,6 +21,7 @@ spec:
       containers:
         - name: node-app-4-container
           image: node-app-4:latest
+          imagePullPolicy: Never
           ports:
             - containerPort: 8443
               name: https
diff --git a/tests/data/setup/apps/app-service.yaml 
b/tests/data/setup/apps/app-service.yaml
index 1c184df..d8016a2 100644
--- a/tests/data/setup/apps/app-service.yaml
+++ b/tests/data/setup/apps/app-service.yaml
@@ -49,7 +49,7 @@ metadata:
   namespace: trafficserver-test-2
 spec:
   ports:
-  - port: 8080
+  - port: 8443
     name: "appsvc2http"
     protocol: TCP
     targetPort: 8080
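Review bot: The Service port becomes 8443 here while the port name stays `appsvc2http` and `targetPort` stays 8080, and the `/app2` rule added in tests/data/setup/ingresses/ats-ingress.yaml references `appsvc2` with `number: 8080`. If this Service is `appsvc2` (its name is outside the hunk), the Ingress now points at a port the Service no longer exposes, and routing works only if the controller resolves backends without checking the Service port. Keep both at the same number or reference the port by name in the Ingress, and rename the port if 8443 is meant to signal TLS.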
diff --git a/tests/data/setup/configmaps/ats-configmap.yaml 
b/tests/data/setup/configmaps/ats-configmap.yaml
index 7219922..330398e 100644
--- a/tests/data/setup/configmaps/ats-configmap.yaml
+++ b/tests/data/setup/configmaps/ats-configmap.yaml
@@ -14,12 +14,6 @@
 #  See the License for the specific language governing permissions and
 #  limitations under the License.
 
-apiVersion: v1
-kind: Namespace
-metadata:
-    name: trafficserver-test
-
----
 
 apiVersion: v1
 kind: ConfigMap
@@ -36,3 +30,8 @@ data:
   
   proxy.config.http.cache.http: "1"
   proxy.config.http.cache.required_headers: "0"
+  proxy.config.diags.debug.enabled: "1"
+
+  proxy.config.ssl.CA.cert.path: "/etc/ats/ssl/ca/"
+  proxy.config.ssl.CA.cert.filename: "tls.crt"
+
diff --git a/tests/data/setup/ingresses/ats-ingress.yaml 
b/tests/data/setup/ingresses/ats-ingress.yaml
index 49ec984..12e3971 100644
--- a/tests/data/setup/ingresses/ats-ingress.yaml
+++ b/tests/data/setup/ingresses/ats-ingress.yaml
@@ -27,6 +27,7 @@ metadata:
   name: app-ingress
   namespace: trafficserver-test-2
 spec:
+  ingressClassName: ats
   rules:
   - host: test.media.com
     http:
@@ -56,4 +57,10 @@ spec:
             name: appsvc1
             port:
               number: 8080
-          
+      - path: /app2
+        pathType: Exact
+        backend:
+          service:
+            name: appsvc2
+            port:
+              number: 8080
diff --git a/tests/data/setup/traffic-server/ats-deployment.yaml 
b/tests/data/setup/traffic-server/ats-deployment.yaml
index 0216d86..0c6be53 100644
--- a/tests/data/setup/traffic-server/ats-deployment.yaml
+++ b/tests/data/setup/traffic-server/ats-deployment.yaml
@@ -35,7 +35,6 @@ spec:
     matchLabels:
       app: trafficserver-test
 
-  # DO NOT EXCEED ONE COPY
   replicas: 1
   # DO NOT EXCEED ONE COPY
   template:
@@ -47,13 +46,19 @@ spec:
       containers:
         - name: trafficserver-test
           image: ats-ingress:latest # Needs to be updated
+          imagePullPolicy: IfNotPresent
           volumeMounts:
             - mountPath: "/etc/ats/ssl"
               name: ats-ssl
-              readOnly: true
+            - mountPath: "/etc/ats/ssl/ca"
+              name: ca-ssl
+            - mountPath: "/etc/ats/ssl/server"
+              name: server-ssl
+            - mountPath: "/etc/ats/ssl/server2"
+              name: server2-ssl
             - name: varlog
               mountPath: /opt/ats/var/log/trafficserver
-          imagePullPolicy: IfNotPresent
+     
           env:
             - name: POD_NAME
               valueFrom:
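Review bot: The `ats-ssl` mount loses `readOnly: true`, and the three new secret mounts (`ca-ssl`, `server-ssl`, `server2-ssl`) are added without it. Key material mounted into the proxy container should be declared read-only explicitly, with `readOnly: true` under each of the four `mountPath` entries, so the intent survives a later change of volume type. The new mounts are also nested under `/etc/ats/ssl`, which is itself a secret volume; sibling directories would avoid depending on how the runtime creates mount points inside it.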
@@ -63,12 +68,10 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
-#            - name: INGRESS_CLASS
-#              value: "ats"
             - name: SNIPPET
               value: "1"
             - name: POD_TLS_PATH
-              value: "/etc/ats/ssl"
+              value: "/etc/ats/ssl:/etc/ats/ssl/server:/etc/ats/ssl/server2"
           ports:
           - containerPort: 8080
             name: http
@@ -83,16 +86,19 @@ spec:
             mountPath: "/var/log"
           - name: config-volume
             mountPath: "/fluentd/etc"
-#        - name: trafficserver-exporter
-#          image: ats-ingress-exporter:latest
-#          imagePullPolicy: IfNotPresent
-#          args: ["--endpoint=http://127.0.0.1:8080/_stats";]
-#          ports:
-#          - containerPort: 9122
       volumes:
         - name: ats-ssl
           secret:
             secretName: tls-secret
+        - name: server-ssl
+          secret:
+            secretName: server-secret
+        - name: server2-ssl
+          secret:
+            secretName: server2-secret
+        - name: ca-ssl
+          secret:
+            secretName: ca-secret
         - name: varlog
           emptyDir: {}
         - name: config-volume
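Review bot: `ca-secret` is mounted whole into the proxy container, and the ConfigMap in this commit reads the CA from `tls.crt`, which suggests a `kubernetes.io/tls` secret that would also carry the CA private key as `tls.key`. ATS needs only the CA certificate to verify origins, so if the secret does hold the key (its creation is not shown here), restrict the volume to the certificate with `items: [{key: tls.crt, path: tls.crt}]` under `secret:`, or build the secret from the certificate alone. A test CA key inside the proxy pod is harmless by itself, but the manifest is likely to be copied as a template.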
diff --git a/tests/suite/test_ingress.py b/tests/suite/test_ingress.py
index c5d8e41..0cfcbd8 100644
--- a/tests/suite/test_ingress.py
+++ b/tests/suite/test_ingress.py
@@ -40,39 +40,39 @@ def misc_command(command):
 def create_certs():
 
     # Work dir
-    misc_command('mkdir -p certs')
+    #misc_command('mkdir -p certs')
 
     # Root CA
-    misc_command('openssl genrsa -out certs/rootCA.key 4096')
-    misc_command(
-        'openssl req -x509 -new -key certs/rootCA.key -sha256 -days 3650 '
-        '-out certs/rootCA.crt '
-        '-subj "/C=US/ST=State/L=City/O=MyOrg/OU=MyUnit/CN=TestRootCA" '
-        '-addext "basicConstraints=critical,CA:TRUE" '
-        '-addext "keyUsage=critical,keyCertSign,cRLSign" '
-        '-addext "subjectKeyIdentifier=hash"'
-    )
+    #misc_command('openssl genrsa -out certs/rootCA.key 4096')
+    #misc_command(
+     #   'openssl req -x509 -new -key certs/rootCA.key -sha256 -days 3650 '
+     #   '-out certs/rootCA.crt '
+     #   '-subj "/C=US/ST=State/L=City/O=MyOrg/OU=MyUnit/CN=TestRootCA" '
+     #   '-addext "basicConstraints=critical,CA:TRUE" '
+     #   '-addext "keyUsage=critical,keyCertSign,cRLSign" '
+     #   '-addext "subjectKeyIdentifier=hash"'
+    #)
 
     #Self-Signed certificate for node-app-4
-    misc_command('openssl genrsa -out ../k8s/images/node-app-4/origin.key 
4096')
-    misc_command(
-        'openssl req -x509 -new -key ../k8s/images/node-app-4/origin.key 
-sha256 -days 3650 '
-        '-out ../k8s/images/node-app-4/origin.crt '
-        '-subj "/C=US/ST=State/L=City/O=MyOrg/OU=MyUnit/CN=test.example.com" '
-    )
+    #misc_command('openssl genrsa -out ../k8s/images/node-app-4/origin.key 
4096')
+    #misc_command(
+     #   'openssl req -x509 -new -key ../k8s/images/node-app-4/origin.key 
-sha256 -days 3650 '
+     #   '-out ../k8s/images/node-app-4/origin.crt '
+     #   '-subj "/C=US/ST=State/L=City/O=MyOrg/OU=MyUnit/CN=test.example.com" '
+    #)
 
     # Backend CA
-    misc_command('openssl genrsa -out ../k8s/images/node-app-3/backend.key 
2048')
-    misc_command(
-        'openssl req -new -key ../k8s/images/node-app-3/backend.key '
-        '-out ../k8s/images/node-app-3/backend.csr '
-        '-subj 
"/C=US/ST=State/L=City/O=TestOrg/CN=test.example.com.backend.svc.cluster.local" 
'
-    )
-    misc_command(
-        'openssl x509 -req -in ../k8s/images/node-app-3/backend.csr -CA 
certs/rootCA.crt -CAkey certs/rootCA.key -CAcreateserial '
-        '-out ../k8s/images/node-app-3/backend.crt '
-        '-days 365 -sha256 '
-    )
+    #misc_command('openssl genrsa -out ../k8s/images/node-app-3/backend.key 
2048')
+    #misc_command(
+     #   'openssl req -new -key ../k8s/images/node-app-3/backend.key '
+     #   '-out ../k8s/images/node-app-3/backend.csr '
+     #   '-subj 
"/C=US/ST=State/L=City/O=TestOrg/CN=test.example.com.backend.svc.cluster.local" 
'
+    #)
+    #misc_command(
+     #   'openssl x509 -req -in ../k8s/images/node-app-3/backend.csr -CA 
certs/rootCA.crt -CAkey certs/rootCA.key -CAcreateserial '
+     #   '-out ../k8s/images/node-app-3/backend.crt '
+     #   '-days 365 -sha256 '
+    #)
 
     # Server key + CSR
     misc_command('openssl genrsa -out certs/server.key 2048')
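Review bot: The root CA, node-app-4 and node-app-3 steps in `create_certs()` are commented out rather than deleted, leaving a large block of dead code that still shows the old validity periods. The rest of the function continues outside the hunk and presumably still signs with `certs/rootCA.key`, which only the new steps in .github/workflows/build.yml create, so a local run without those steps would fail. Delete the commented blocks and replace them with one comment such as `# rootCA and the node-app-3/node-app-4 certificates are created by the certificate steps in .github/workflows/build.yml`.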
@@ -197,8 +197,8 @@ def setup_module(module):
     misc_command('kubectl logs $(kubectl get pod -n trafficserver-test-2 -o 
name | head -1) -n trafficserver-test-2')
     misc_command('kubectl exec $(kubectl get pod -n trafficserver-test-2 -o 
name | head -1) -n trafficserver-test-2 -- ps auxxx')
     misc_command('kubectl exec $(kubectl get pod -n trafficserver-test-2 -o 
name | head -1) -n trafficserver-test-2 -- curl -v localhost:8080/app1')
-    misc_command('kubectl exec $(kubectl get pod -n trafficserver-test-2 -o 
name | head -1) -n trafficserver-test-2 -- curl -v $(kubectl get pod -n 
trafficserver-test-2 -o jsonpath={.items[0].status.podIP}):8080/app1')
-    misc_command('kubectl exec $(kubectl get pod -n trafficserver-test-3 -o 
name | head -1) -n trafficserver-test-3 -- curl -v $(kubectl get pod -n 
trafficserver-test-2 -o jsonpath={.items[0].status.podIP}):8080/app1')
+    misc_command('kubectl exec $(kubectl get pod -n trafficserver-test-2 -o 
name | head -1) -n trafficserver-test-2 -- curl -v $(kubectl get pod -n 
trafficserver-test-2 -o jsonpath={.items[0].status.podIP}):8080/app1')    
+    misc_command('kubectl exec $(kubectl get pod -n trafficserver-test-3 -o 
name | head -1) -n trafficserver-test-3 -- curl -v $(kubectl get pod -n 
trafficserver-test-2 -o jsonpath={.items[0].status.podIP}):8080/app1')    
 
     #    misc_command('kubectl logs $(kubectl get pod -n trafficserver-test-3 
-o name | head -1) -n trafficserver-test-3')
     misc_command('kubectl exec $(kubectl get pod -n trafficserver-test -o 
name) -n trafficserver-test -- curl -v $(kubectl get pod -n 
trafficserver-test-2 -o jsonpath={.items[0].status.podIP}):8080/app1')
@@ -366,7 +366,7 @@ class TestIngress:
         assert mod_time1 == mod_time2 and age1 != age2, "Expected Date 
provided by both responses to be same and the Age mentioned in second response 
to be more than 0"
 
     def test_cache_https_node_app3(self, minikubeip):
-        command = f'curl -k -i -v --cacert certs/rootCA.crt --resolve 
test.example.com:30443:{minikubeip} https://test.example.com:30443/node-app3'
+        command = f'curl -i -v --cacert certs/rootCA.crt --resolve 
test.example.com:30443:{minikubeip} https://test.example.com:30443/node-app3'
         response_1 = subprocess.run(command, shell=True, capture_output=True, 
text=True)
         response1 = response_1.stdout.strip()
         response1_list = response1.split('\n')
@@ -477,7 +477,7 @@ class TestIngress:
         kubectl_apply('../ats_sni/http2/on.yaml')
         time.sleep(10)  # wait for config changes propagate
     
-        cmd = f'curl -k --cacert certs/rootCA. crt -v --resolve 
test.edge.com:30443:{minikubeip} https://test.edge.com:30443/app2'
+        cmd = f'curl --cacert certs/rootCA.crt -v --resolve 
test.edge.com:30443:{minikubeip} https://test.edge.com:30443/app2'
         result = subprocess.run(cmd, shell=True, capture_output=True, 
text=True)
         assert result.returncode == 0, f"Curl HTTPS/2 request failed: 
{result.stderr}"
         assert "SSL connection using TLS" in result.stderr, "TLS handshake 
failed"
@@ -489,7 +489,7 @@ class TestIngress:
     def test_https2_disabled(self, minikubeip):
         kubectl_apply('../ats_sni/http2/off.yaml')
         time.sleep(5)
-        cmd = f'curl -k --cacert certs/rootCA.crt -v --resolve 
test.edge.com:30443:{minikubeip} https://test.edge.com:30443/app2'
+        cmd = f'curl --cacert certs/rootCA.crt -v --resolve 
test.edge.com:30443:{minikubeip} https://test.edge.com:30443/app2'
         result = subprocess.run(cmd, shell=True, capture_output=True, 
text=True)
         assert result.returncode == 0, f"Curl HTTPS/2 request failed: 
{result.stderr}"
         assert "SSL connection using TLS" in result.stderr, "TLS handshake 
failed"
@@ -501,7 +501,7 @@ class TestIngress:
     def test_verify_client_none(self, minikubeip):
         kubectl_apply('../ats_sni/verify-client/none.yaml')
         time.sleep(7)  
-        cmd = f'curl -k --cacert certs/rootCA.crt -v --resolve 
test.edge.com:30443:{minikubeip} https://test.edge.com:30443/app2'
+        cmd = f'curl --cacert certs/rootCA.crt -v --resolve 
test.edge.com:30443:{minikubeip} https://test.edge.com:30443/app2'
         result = subprocess.run(cmd, shell=True, capture_output=True, 
text=True)
         assert result.returncode == 0, f"Curl failed: {result.stderr}"
         assert "SSL connection using TLS" in result.stderr, "TLS handshake 
failed"
@@ -510,7 +510,7 @@ class TestIngress:
     def test_verify_client_moderate_without_crt(self, minikubeip):
         kubectl_apply('../ats_sni/verify-client/moderate.yaml')
         time.sleep(7)
-        cmd = f'curl -k --cacert certs/rootCA.crt -v --resolve 
test.edge.com:30443:{minikubeip} https://test.edge.com:30443/app2'
+        cmd = f'curl --cacert certs/rootCA.crt -v --resolve 
test.edge.com:30443:{minikubeip} https://test.edge.com:30443/app2'
         result = subprocess.run(cmd, shell=True, capture_output=True, 
text=True)
         assert result.returncode == 0, f"Curl failed: {result.stderr}"
         assert "SSL connection using TLS" in result.stderr, "TLS handshake 
failed"
@@ -519,7 +519,7 @@ class TestIngress:
     def test_verify_client_moderate_with_crt(self, minikubeip):
         kubectl_apply('../ats_sni/verify-client/moderate.yaml')
         time.sleep(7)
-        cmd = f'curl -k --cacert certs/rootCA.crt --cert certs/client1.crt 
--key certs/client1.key -v --resolve test.edge.com:30443:{minikubeip} 
https://test.edge.com:30443/app2'
+        cmd = f'curl --cacert certs/rootCA.crt --cert certs/client1.crt --key 
certs/client1.key -v --resolve test.edge.com:30443:{minikubeip} 
https://test.edge.com:30443/app2'
         result = subprocess.run(cmd, shell=True, capture_output=True, 
text=True)
         assert result.returncode == 0, f"Curl failed: {result.stderr}"
         assert "SSL connection using TLS" in result.stderr, "TLS handshake 
failed"
@@ -528,7 +528,7 @@ class TestIngress:
     def test_verify_client_strict_with_crt(self, minikubeip):
         kubectl_apply('../ats_sni/verify-client/strict.yaml')
         time.sleep(7)
-        cmd = f'curl -k --cacert certs/rootCA.crt --cert certs/client1.crt 
--key certs/client1.key -v --resolve test.edge.com:30443:{minikubeip} 
https://test.edge.com:30443/app2'
+        cmd = f'curl --cacert certs/rootCA.crt --cert certs/client1.crt --key 
certs/client1.key -v --resolve test.edge.com:30443:{minikubeip} 
https://test.edge.com:30443/app2'
         result = subprocess.run(cmd, shell=True, capture_output=True, 
text=True)
         assert result.returncode == 0, f"Curl failed: {result.stderr}"
         assert "SSL connection using TLS" in result.stderr, "TLS handshake 
failed"
@@ -538,7 +538,7 @@ class TestIngress:
         
         kubectl_apply('../ats_sni/verify-client/strict.yaml')
         time.sleep(7)
-        cmd = f'curl -k --cacert certs/rootCA.crt  -v --resolve 
test.edge.com:30443:{minikubeip} https://test.edge.com:30443/app2'
+        cmd = f'curl --cacert certs/rootCA.crt  -v --resolve 
test.edge.com:30443:{minikubeip} https://test.edge.com:30443/app2'
         result = subprocess.run(cmd, shell=True, capture_output=True, 
text=True)
         assert result.returncode != 0, "Curl unexpectedly succeeded without 
client certificate"
         expected_error = "tlsv13 alert certificate required"
@@ -549,7 +549,7 @@ class TestIngress:
     def test_host_sni_none(self, minikubeip):
         kubectl_apply('../ats_sni/host-sni-policy/disabled.yaml')
         time.sleep(7)
-        cmd = f'curl -k --cacert certs/rootCA.crt  -v --resolve 
test.edge.com:30443:{minikubeip} https://test.edge.com:30443/app2'
+        cmd = f'curl --cacert certs/rootCA.crt  -v --resolve 
test.edge.com:30443:{minikubeip} https://test.edge.com:30443/app2'
         result = subprocess.run(cmd, shell=True, capture_output=True, 
text=True)
         assert result.returncode == 0, f"Curl failed: {result.stderr}"
         assert "SSL connection using TLS" in result.stderr, "TLS handshake 
failed"
@@ -558,7 +558,7 @@ class TestIngress:
     def test_host_sni_match_enforced(self, minikubeip):
         kubectl_apply('../ats_sni/host-sni-policy/enforced.yaml')
         time.sleep(7)
-        cmd = f'curl -k --cacert certs/rootCA.crt  -v --resolve 
test.edge.com:30443:{minikubeip} https://test.edge.com:30443/app2'
+        cmd = f'curl --cacert certs/rootCA.crt  -v --resolve 
test.edge.com:30443:{minikubeip} https://test.edge.com:30443/app2'
         result = subprocess.run(cmd, shell=True, capture_output=True, 
text=True)
         assert result.returncode == 0, f"Curl failed: {result.stderr}"
         assert "SSL connection using TLS" in result.stderr, "TLS handshake 
failed"
@@ -567,7 +567,7 @@ class TestIngress:
     def test_host_sni_mismatch_enforced(self, minikubeip):
         time.sleep(7)
         cmd = (
-            f'curl -k -v --cacert certs/rootCA.crt '
+            f'curl -v --cacert certs/rootCA.crt '
             f'--resolve test.example.com:30443:{minikubeip} '
             f'https://test.example.com:30443/node-app3 '
             f'-H "Host: test.edge.com"'
@@ -592,7 +592,7 @@ class TestIngress:
     def test_host_sni_match_permissive(self, minikubeip):
         kubectl_apply('../ats_sni/host-sni-policy/permissive.yaml')
         time.sleep(7)
-        cmd = f'curl -k --cacert certs/rootCA.crt  -v --resolve 
test.edge.com:30443:{minikubeip} https://test.edge.com:30443/app2'
+        cmd = f'curl --cacert certs/rootCA.crt  -v --resolve 
test.edge.com:30443:{minikubeip} https://test.edge.com:30443/app2'
         result = subprocess.run(cmd, shell=True, capture_output=True, 
text=True)
         assert result.returncode == 0, f"Curl failed: {result.stderr}"
         assert "SSL connection using TLS" in result.stderr, "TLS handshake 
failed"
@@ -601,7 +601,7 @@ class TestIngress:
     def test_host_sni_mismatch_permissive(self, minikubeip):
         time.sleep(7)
         cmd = (
-            f'curl -k -v --cacert certs/rootCA.crt '
+            f'curl -v --cacert certs/rootCA.crt '
             f'--resolve test.example.com:30443:{minikubeip} '
             f'https://test.example.com:30443/node-app3 '
             f'-H "Host: test.edge.com"'
@@ -630,7 +630,7 @@ class TestIngress:
         kubectl_apply('../ats_sni/verify-server-policy/enforced.yaml')
         time.sleep(7)
 
-        cmd = f'curl -k -v --cacert certs/rootCA.crt --resolve 
test.example.com:30443:{minikubeip} https://test.example.com:30443/node-app3'
+        cmd = f'curl -v --cacert certs/rootCA.crt --resolve 
test.example.com:30443:{minikubeip} https://test.example.com:30443/node-app3'
         result = subprocess.run(cmd, shell=True, capture_output=True, 
text=True)
         full_output = result.stdout + result.stderr
 
@@ -647,7 +647,7 @@ class TestIngress:
         kubectl_apply('../ats_sni/verify-server-policy/enforced.yaml')
         time.sleep(7)
 
-        cmd = f'curl -k -v --cacert certs/rootCA.crt --resolve 
test.example.com:30443:{minikubeip} https://test.example.com:30443/node-app4'
+        cmd = f'curl -v --cacert certs/rootCA.crt --resolve 
test.example.com:30443:{minikubeip} https://test.example.com:30443/node-app4'
         result = subprocess.run(cmd, shell=True, capture_output=True, 
text=True)
         full_output = result.stdout + result.stderr
 
@@ -683,7 +683,7 @@ class TestIngress:
         kubectl_apply('../ats_sni/verify-server-policy/disabled.yaml')
         time.sleep(7)
         
-        cmd = f'curl -k -v --cacert certs/rootCA.crt --resolve 
test.example.com:30443:{minikubeip} https://test.example.com:30443/node-app3'
+        cmd = f'curl -v --cacert certs/rootCA.crt --resolve 
test.example.com:30443:{minikubeip} https://test.example.com:30443/node-app3'
         result = subprocess.run(cmd, shell=True, capture_output=True, 
text=True)
         full_output = result.stdout + result.stderr
         
@@ -700,7 +700,7 @@ class TestIngress:
         kubectl_apply('../ats_sni/verify-server-policy/disabled.yaml')
         time.sleep(7)
         
-        cmd = f'curl -k -v --cacert certs/rootCA.crt --resolve 
test.example.com:30443:{minikubeip} https://test.example.com:30443/node-app4'
+        cmd = f'curl -v --cacert certs/rootCA.crt --resolve 
test.example.com:30443:{minikubeip} https://test.example.com:30443/node-app4'
         result = subprocess.run(cmd, shell=True, capture_output=True, 
text=True)
         full_output = result.stdout + result.stderr
         
@@ -719,7 +719,7 @@ class TestIngress:
         kubectl_apply('../ats_sni/verify-server-policy/permissive.yaml')
         time.sleep(7)
         
-        cmd = f'curl -k -v --cacert certs/rootCA.crt --resolve 
test.example.com:30443:{minikubeip} https://test.example.com:30443/node-app3'
+        cmd = f'curl -v --cacert certs/rootCA.crt --resolve 
test.example.com:30443:{minikubeip} https://test.example.com:30443/node-app3'
         result = subprocess.run(cmd, shell=True, capture_output=True, 
text=True)
         full_output = result.stdout + result.stderr
         
@@ -738,10 +738,20 @@ class TestIngress:
         time.sleep(7)
         
         # Connect to Flask on 8449 with self-signed origin.crt
-        cmd = f'curl -k -v --cacert certs/rootCA.crt --resolve 
test.example.com:30443:{minikubeip} https://test.example.com:30443/node-app4'
+        cmd = f'curl -v --cacert certs/rootCA.crt --resolve 
test.example.com:30443:{minikubeip} https://test.example.com:30443/node-app4'
         result = subprocess.run(cmd, shell=True, capture_output=True, 
text=True)
         full_output = result.stdout + result.stderr
         
+        misc_command('kubectl get pods -n backend')
+        misc_command('kubectl get pods -n trafficserver-test-2')
+        
+        misc_command('kubectl get all -A')
+
+        misc_command('kubectl describe pods -n backend')
+
+        misc_command('kubectl get pods -n backend -o name | xargs -n1 kubectl 
logs --prefix -n backend')
+        
+        
         assert result.returncode == 0, f"Curl failed: {result.stderr}"
         assert "SSL connection using TLS" in full_output, "TLS handshake 
failed"
         assert "HTTP/1.1 200 OK" in full_output or "HTTP/2 200" in full_output 
or "200 OK" in full_output, \
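Review bot: The five `misc_command('kubectl …')` calls added between the curl request and the assertions run on every execution, including passing ones, and write `kubectl get all -A`, pod descriptions and the full logs of the `backend` namespace into the CI output. `kubectl describe pods` prints container environment values, which is more than public build logs need, and the commit message describes this as a test change to get logs. Run the calls only when `result.returncode != 0`, or drop them now that the test is fixed. The test method starts outside the hunk.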
diff --git a/watcher/handlerIngress.go b/watcher/handlerIngress.go
index eea242b..4be5649 100644
--- a/watcher/handlerIngress.go
+++ b/watcher/handlerIngress.go
@@ -60,6 +60,7 @@ func (g *IgHandler) add(obj interface{}) {
        // add the script before adding route
        snippet, snippetErr := 
util.ExtractServerSnippet(ingressObj.GetAnnotations())
        if snippetErr == nil {
+               log.Println("Snippet in the handlerIngress.go file: ", snippet)
                g.Ep.RedisClient.DBOneSAdd(nameversion, snippet)
        }
 
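Review bot: The added `log.Println` writes the whole server snippet from the Ingress annotations to the controller log on every add. Snippets are author-supplied script text that can be long and multi-line and may embed tokens or internal hostnames, so logging them verbatim exposes annotation content to anyone who can read the logs and lets line breaks in an annotation break up log records. Log the event rather than the content, e.g. `log.Printf("server snippet found for %s (%d bytes)", nameversion, len(snippet))`, assuming `snippet` is a string. The body of `add` continues outside the hunk, and the `snippetErr != nil` case is still dropped without a message.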
