
chore(e2e): enable mTLS in envoy config tests (#12732)
## Motivation

We will need this to test MeshTLS policy

<!--
> Changelog: skip
-->
<!--
Uncomment the above section to explicitly set a [`> Changelog:` entry
here](https://github.com/kumahq/kuma/blob/master/CONTRIBUTING.md#submitting-a-patch)?
-->

Signed-off-by: Marcin Skalski <[email protected]>
Automaat authored Feb 3, 2025
1 parent fe21ef2 commit 919d1fb
Showing 19 changed files with 3,059 additions and 161 deletions.
13 changes: 11 additions & 2 deletions test/e2e_env/universal/envoyconfig/envoyconfig.go
Expand Up @@ -36,9 +36,11 @@ func EnvoyConfigTest() {
builders.Mesh().
WithName(meshName).
WithoutInitialPolicies().
WithMeshServicesEnabled(mesh_proto.Mesh_MeshServices_Exclusive),
WithMeshServicesEnabled(mesh_proto.Mesh_MeshServices_Exclusive).
WithBuiltinMTLSBackend("ca-1").WithEnabledMTLSBackend("ca-1"),
),
).
Install(MeshTrafficPermissionAllowAllUniversal(meshName)).
Install(DemoClientUniversal("demo-client", meshName,
WithTransparentProxy(true)),
).
Expand Down Expand Up @@ -78,7 +80,7 @@ func EnvoyConfigTest() {
output, err := universal.Cluster.GetKumactlOptions().
RunKumactlAndGetOutput("inspect", "dataplane", dpp, "--type", "config", "--mesh", meshName, "--shadow", "--include=diff")
Expect(err).ToNot(HaveOccurred())
redacted := redactIPs(output)
redacted := redactStatPrefixes(redactIPs(output))

response := types.InspectDataplanesConfig{}
Expect(json.Unmarshal([]byte(redacted), &response)).To(Succeed())
Expand Down Expand Up @@ -154,3 +156,10 @@ var ipRegex = regexp.MustCompile(ipv4Regex + "|" + ipv6Regex)
func redactIPs(jsonStr string) string {
return ipRegex.ReplaceAllString(jsonStr, "IP_REDACTED")
}

// TODO this should be removed after fixing: https://github.com/kumahq/kuma/issues/12733
var statsPrefixRegex = regexp.MustCompile("\"statPrefix\":\\s\".*\"")

func redactStatPrefixes(jsonStr string) string {
return statsPrefixRegex.ReplaceAllString(jsonStr, "\"statPrefix\": \"STAT_PREFIX_REDACTED\"")
}
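Review bot: The `.*` in `statsPrefixRegex` is greedy and `\s` matches exactly one whitespace character, so `redactStatPrefixes` only works because the inspect output is pretty-printed with one key per line; on a compacted line it would swallow everything up to the last `"` on that line, and with no space after the colon it would not match at all. Restricting the value to non-quote characters makes the intent explicit and is correct in either layout: `var statsPrefixRegex = regexp.MustCompile("\"statPrefix\":\\s*\"[^\"]*\"")`. Because the substitution runs on the raw string before `json.Unmarshal`, a one-line doc comment on `redactStatPrefixes` noting that it is a textual, layout-sensitive rewrite of the JSON would help whoever removes it once #12733 is fixed.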
Expand Up @@ -2,7 +2,7 @@
"diff": [
{
"op": "add",
"path": "/type.googleapis.com~1envoy.config.listener.v3.Listener/inbound:IP_REDACTED:3000/filterChains/0/filters/0/typedConfig/accessLog",
"path": "/type.googleapis.com~1envoy.config.listener.v3.Listener/inbound:IP_REDACTED:3000/filterChains/0/filters/1/typedConfig/accessLog",
"value": [
{
"name": "envoy.access_loggers.file",
Expand All @@ -29,6 +29,46 @@
}
},
"name": "envoyconfig_demo-client__kuma-3_msvc_3000",
"transportSocket": {
"name": "envoy.transport_sockets.tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
"commonTlsContext": {
"alpnProtocols": [
"kuma"
],
"combinedValidationContext": {
"defaultValidationContext": {
"matchTypedSubjectAltNames": [
{
"matcher": {
"exact": "spiffe://envoyconfig/demo-client"
},
"sanType": "URI"
}
]
},
"validationContextSdsSecretConfig": {
"name": "mesh_ca:secret:envoyconfig",
"sdsConfig": {
"ads": {},
"resourceApiVersion": "V3"
}
}
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "identity_cert:secret:envoyconfig",
"sdsConfig": {
"ads": {},
"resourceApiVersion": "V3"
}
}
]
},
"sni": "a65abe81bca1750d1.demo-client.3000.envoyconfig.ms"
}
},
"type": "EDS",
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
Expand All @@ -47,6 +87,46 @@
}
},
"name": "envoyconfig_test-server__kuma-3_msvc_80",
"transportSocket": {
"name": "envoy.transport_sockets.tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
"commonTlsContext": {
"alpnProtocols": [
"kuma"
],
"combinedValidationContext": {
"defaultValidationContext": {
"matchTypedSubjectAltNames": [
{
"matcher": {
"exact": "spiffe://envoyconfig/test-server"
},
"sanType": "URI"
}
]
},
"validationContextSdsSecretConfig": {
"name": "mesh_ca:secret:envoyconfig",
"sdsConfig": {
"ads": {},
"resourceApiVersion": "V3"
}
}
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "identity_cert:secret:envoyconfig",
"sdsConfig": {
"ads": {},
"resourceApiVersion": "V3"
}
}
]
},
"sni": "a029781856823048e.test-server.80.envoyconfig.ms"
}
},
"type": "EDS",
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
Expand Down Expand Up @@ -220,6 +300,29 @@
"filterChains": [
{
"filters": [
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {
"policies": {
"MeshTrafficPermission": {
"permissions": [
{
"any": true
}
],
"principals": [
{
"any": true
}
]
}
}
},
"statPrefix": "STAT_PREFIX_REDACTED"
}
},
{
"name": "envoy.filters.network.tcp_proxy",
"typedConfig": {
Expand All @@ -240,10 +343,47 @@
],
"cluster": "localhost:3000",
"idleTimeout": "7200s",
"statPrefix": "localhost_3000"
"statPrefix": "STAT_PREFIX_REDACTED"
}
}
]
],
"transportSocket": {
"name": "envoy.transport_sockets.tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
"commonTlsContext": {
"combinedValidationContext": {
"defaultValidationContext": {
"matchTypedSubjectAltNames": [
{
"matcher": {
"prefix": "spiffe://envoyconfig/"
},
"sanType": "URI"
}
]
},
"validationContextSdsSecretConfig": {
"name": "mesh_ca:secret:envoyconfig",
"sdsConfig": {
"ads": {},
"resourceApiVersion": "V3"
}
}
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "identity_cert:secret:envoyconfig",
"sdsConfig": {
"ads": {},
"resourceApiVersion": "V3"
}
}
]
},
"requireClientCertificate": true
}
}
}
],
"metadata": {
Expand Down Expand Up @@ -274,7 +414,7 @@
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
"cluster": "inbound:passthrough:ipv4",
"statPrefix": "inbound_passthrough_ipv4"
"statPrefix": "STAT_PREFIX_REDACTED"
}
}
]
Expand All @@ -300,7 +440,7 @@
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
"cluster": "inbound:passthrough:ipv6",
"statPrefix": "inbound_passthrough_ipv6"
"statPrefix": "STAT_PREFIX_REDACTED"
}
}
]
Expand All @@ -326,7 +466,7 @@
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
"cluster": "envoyconfig_demo-client__kuma-3_msvc_3000",
"statPrefix": "envoyconfig_demo-client__kuma-3_msvc_3000"
"statPrefix": "STAT_PREFIX_REDACTED"
}
}
]
Expand Down Expand Up @@ -388,7 +528,7 @@
}
]
},
"statPrefix": "envoyconfig_test-server__kuma-3_msvc_80"
"statPrefix": "STAT_PREFIX_REDACTED"
}
}
]
Expand Down Expand Up @@ -417,7 +557,7 @@
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
"cluster": "outbound:passthrough:ipv4",
"statPrefix": "outbound_passthrough_ipv4"
"statPrefix": "STAT_PREFIX_REDACTED"
}
}
]
Expand All @@ -442,7 +582,7 @@
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
"cluster": "outbound:passthrough:ipv6",
"statPrefix": "outbound_passthrough_ipv6"
"statPrefix": "STAT_PREFIX_REDACTED"
}
}
]
Expand All @@ -452,6 +592,27 @@
"trafficDirection": "OUTBOUND",
"useOriginalDst": true
}
},
"type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret": {
"identity_cert:secret:envoyconfig": {
"name": "identity_cert:secret:envoyconfig",
"tlsCertificate": {
"certificateChain": {
"inlineBytes": "Q0VSVA=="
},
"privateKey": {
"inlineBytes": "S0VZ"
}
}
},
"mesh_ca:secret:envoyconfig": {
"name": "mesh_ca:secret:envoyconfig",
"validationContext": {
"trustedCa": {
"inlineBytes": "Q0E="
}
}
}
}
}
}
