Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/12/16 07:35:23 UTC
[GitHub] [apisix-ingress-controller] Juneezee opened a new pull request, #1533: test(e2e): add stcp proxy SNI stream test
Juneezee opened a new pull request, #1533:
URL: https://github.com/apache/apisix-ingress-controller/pull/1533
### Type of change:
- [x] New test case
### What this PR does / why we need it:
Closes: https://github.com/apache/apisix-ingress-controller/issues/1438
### Pre-submission checklist:
* [x] Did you explain what problem does this PR solve? Or what new features have been added?
* [x] Have you added corresponding test cases?
* [ ] Have you modified the corresponding document?
* [x] Is this PR backward compatible? **If it is not backward compatible, please discuss on the [mailing list](https://github.com/apache/apisix-ingress-controller#community) first**
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix-ingress-controller] Juneezee commented on pull request #1533: test(e2e): add stream tcp proxy with SNI test
Posted by GitBox <gi...@apache.org>.
Juneezee commented on PR #1533:
URL: https://github.com/apache/apisix-ingress-controller/pull/1533#issuecomment-1354427118
The test passes if I modify the code to create `TLSRoute`
```go
ginkgo.It("stream tcp proxy with SNI", func() {
	// create secrets
	host := "a.test.com"
	secret := "server-secret"
	serverCert, serverKey := generateCert(ginkgo.GinkgoT(), []string{host})
	err := s.NewSecret(secret, serverCert.String(), serverKey.String())
	assert.Nil(ginkgo.GinkgoT(), err, "create server cert secret error")

	// create ApisixTls resource
	err = s.NewApisixTls("tls-server", host, secret)
	assert.Nil(ginkgo.GinkgoT(), err, "create ApisixTls error")

	// check ssl in APISIX
	assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixTlsCreated(1))

	backendSvc, backendSvcPort := s.DefaultHTTPBackend()
	route := fmt.Sprintf(`
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: basic-tls-route
spec:
  hostnames: ["%s"]
  rules:
  - backendRefs:
    - name: %s
      port: %d
`, host, backendSvc, backendSvcPort[0])

	assert.Nil(ginkgo.GinkgoT(), s.CreateResourceFromString(route), "creating TLSRoute")
	assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixStreamRoutesCreated(1), "Checking number of routes")
	assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixUpstreamsCreated(1), "Checking number of upstreams")

	client := s.NewAPISIXClientWithTLSOverTCP(host)
	client.GET("/ip").WithHost(host).Expect().Status(http.StatusOK)
})
```
So I think I might have missed something in my code. Maybe creating `ApisixRoute` resource only isn't sufficient?
[GitHub] [apisix-ingress-controller] tao12345666333 commented on pull request #1533: test(e2e): add stream tcp proxy with SNI test
Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on PR #1533:
URL: https://github.com/apache/apisix-ingress-controller/pull/1533#issuecomment-1355165427
Please refer to https://apisix.apache.org/docs/apisix/certificate/
The certificate you create should contain the domain name you requested
[GitHub] [apisix-ingress-controller] tao12345666333 commented on pull request #1533: test(e2e): add stream tcp proxy with SNI test
Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on PR #1533:
URL: https://github.com/apache/apisix-ingress-controller/pull/1533#issuecomment-1367779374
@AlinsRan PTAL
[GitHub] [apisix-ingress-controller] AlinsRan commented on a diff in pull request #1533: test(e2e): add stream tcp proxy with SNI test
Posted by GitBox <gi...@apache.org>.
AlinsRan commented on code in PR #1533:
URL: https://github.com/apache/apisix-ingress-controller/pull/1533#discussion_r1060265300
##########
test/e2e/suite-ingress/suite-ingress-resource/stream.go:
##########
@@ -214,4 +223,82 @@ spec:
assert.Equal(ginkgo.GinkgoT(), sr[0].ServerPort, int32(9100))
assert.Equal(ginkgo.GinkgoT(), sr[0].SNI, "")
})
+
+ ginkgo.It("stream tcp proxy with SNI", func() {
+ // create secrets
+ host := "a.test.com"
+ secret := "server-secret"
+ serverCert, serverKey := generateCert(ginkgo.GinkgoT(), []string{host})
+ err := s.NewSecret(secret, serverCert.String(), serverKey.String())
+ assert.Nil(ginkgo.GinkgoT(), err, "create server cert secret error")
+
+ // create ApisixTls resource
+ err = s.NewApisixTls("tls-server", host, secret)
+ assert.Nil(ginkgo.GinkgoT(), err, "create ApisixTls error")
+
+ // check ssl in APISIX
+ assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixTlsCreated(1))
+
+ backendSvc, backendSvcPort := s.DefaultHTTPBackend()
+ apisixRoute := fmt.Sprintf(`
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+ name: httpbin-tcp-route
+spec:
+ stream:
+ - name: rule1
+ protocol: TCP
+ match:
+ ingressPort: 9100
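Review bot: The `assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixTlsCreated(1))` call under `// check ssl in APISIX` is the only assertion in this block without a failure message. The neighbouring assertions pass one ("create server cert secret error", "create ApisixTls error"), so adding a message such as "checking number of ssl objects" here would make an e2e failure at this step identifiable from the report alone.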
Review Comment:
`ingressPort: 9110`
https://github.com/apache/apisix-ingress-controller/blob/master/test/e2e/testdata/apisix-gw-config-v3.yaml#L44-L45
[GitHub] [apisix-ingress-controller] tao12345666333 merged pull request #1533: test(e2e): add stream tcp proxy with SNI test
Posted by "tao12345666333 (via GitHub)" <gi...@apache.org>.
tao12345666333 merged PR #1533:
URL: https://github.com/apache/apisix-ingress-controller/pull/1533
[GitHub] [apisix-ingress-controller] AlinsRan commented on a diff in pull request #1533: test(e2e): add stream tcp proxy with SNI test
Posted by GitBox <gi...@apache.org>.
AlinsRan commented on code in PR #1533:
URL: https://github.com/apache/apisix-ingress-controller/pull/1533#discussion_r1060271135
##########
test/e2e/suite-ingress/suite-ingress-resource/stream.go:
##########
@@ -214,4 +223,82 @@ spec:
assert.Equal(ginkgo.GinkgoT(), sr[0].ServerPort, int32(9100))
assert.Equal(ginkgo.GinkgoT(), sr[0].SNI, "")
})
+
+ ginkgo.It("stream tcp proxy with SNI", func() {
+ // create secrets
+ host := "a.test.com"
+ secret := "server-secret"
+ serverCert, serverKey := generateCert(ginkgo.GinkgoT(), []string{host})
+ err := s.NewSecret(secret, serverCert.String(), serverKey.String())
+ assert.Nil(ginkgo.GinkgoT(), err, "create server cert secret error")
+
+ // create ApisixTls resource
+ err = s.NewApisixTls("tls-server", host, secret)
+ assert.Nil(ginkgo.GinkgoT(), err, "create ApisixTls error")
+
+ // check ssl in APISIX
+ assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixTlsCreated(1))
+
+ backendSvc, backendSvcPort := s.DefaultHTTPBackend()
+ apisixRoute := fmt.Sprintf(`
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+ name: httpbin-tcp-route
+spec:
+ stream:
+ - name: rule1
+ protocol: TCP
+ match:
+ ingressPort: 9100
Review Comment:
9100 tls is not enabled
[GitHub] [apisix-ingress-controller] Juneezee commented on pull request #1533: test(e2e): add stream tcp proxy with SNI test
Posted by GitBox <gi...@apache.org>.
Juneezee commented on PR #1533:
URL: https://github.com/apache/apisix-ingress-controller/pull/1533#issuecomment-1369677554
@AlinsRan Sorry I made a typo :bowing_man: . Please rerun the tests. Thank you
[GitHub] [apisix-ingress-controller] codecov-commenter commented on pull request #1533: test(e2e): add stream tcp proxy with SNI test
Posted by GitBox <gi...@apache.org>.
codecov-commenter commented on PR #1533:
URL: https://github.com/apache/apisix-ingress-controller/pull/1533#issuecomment-1369626236
# [Codecov](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1533?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
> Merging [#1533](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1533?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (43f5c40) into [master](https://codecov.io/gh/apache/apisix-ingress-controller/commit/d22a6fc820f7699af411b8ecaa971307cfc82dbd?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (d22a6fc) will **increase** coverage by `0.21%`.
> The diff coverage is `n/a`.
```diff
@@ Coverage Diff @@
## master #1533 +/- ##
==========================================
+ Coverage 41.22% 41.44% +0.21%
==========================================
Files 85 87 +2
Lines 7440 7420 -20
==========================================
+ Hits 3067 3075 +8
+ Misses 4020 3990 -30
- Partials 353 355 +2
```
| [Impacted Files](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1533?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | Coverage Δ | |
|---|---|---|
| [pkg/providers/ingress/translation/annotations.go](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1533/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGtnL3Byb3ZpZGVycy9pbmdyZXNzL3RyYW5zbGF0aW9uL2Fubm90YXRpb25zLmdv) | `58.82% <0.00%> (-29.42%)` | :arrow_down: |
| [...ation/annotations/upstreamscheme/upstreamscheme.go](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1533/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGtnL3Byb3ZpZGVycy9pbmdyZXNzL3RyYW5zbGF0aW9uL2Fubm90YXRpb25zL3Vwc3RyZWFtc2NoZW1lL3Vwc3RyZWFtc2NoZW1lLmdv) | `84.61% <0.00%> (-15.39%)` | :arrow_down: |
| [pkg/config/config.go](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1533/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGtnL2NvbmZpZy9jb25maWcuZ28=) | `63.54% <0.00%> (-0.59%)` | :arrow_down: |
| [pkg/providers/apisix/translation/apisix\_route.go](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1533/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGtnL3Byb3ZpZGVycy9hcGlzaXgvdHJhbnNsYXRpb24vYXBpc2l4X3JvdXRlLmdv) | `30.40% <0.00%> (-0.09%)` | :arrow_down: |
| [pkg/providers/ingress/provider.go](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1533/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGtnL3Byb3ZpZGVycy9pbmdyZXNzL3Byb3ZpZGVyLmdv) | `0.00% <0.00%> (ø)` | |
| [pkg/providers/k8s/pod/provider.go](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1533/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGtnL3Byb3ZpZGVycy9rOHMvcG9kL3Byb3ZpZGVyLmdv) | `0.00% <0.00%> (ø)` | |
| [pkg/providers/utils/scheme.go](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1533/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGtnL3Byb3ZpZGVycy91dGlscy9zY2hlbWUuZ28=) | `100.00% <0.00%> (ø)` | |
| [pkg/providers/utils/schema.go](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1533/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGtnL3Byb3ZpZGVycy91dGlscy9zY2hlbWEuZ28=) | `100.00% <0.00%> (ø)` | |
| [pkg/providers/ingress/ingress.go](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1533/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGtnL3Byb3ZpZGVycy9pbmdyZXNzL2luZ3Jlc3MuZ28=) | `4.09% <0.00%> (+0.10%)` | :arrow_up: |
| [...kg/providers/apisix/translation/apisix\_upstream.go](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1533/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGtnL3Byb3ZpZGVycy9hcGlzaXgvdHJhbnNsYXRpb24vYXBpc2l4X3Vwc3RyZWFtLmdv) | `62.33% <0.00%> (+6.49%)` | :arrow_up: |
[GitHub] [apisix-ingress-controller] tao12345666333 commented on pull request #1533: test(e2e): add stream tcp proxy with SNI test
Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on PR #1533:
URL: https://github.com/apache/apisix-ingress-controller/pull/1533#issuecomment-1369698589
Re-run all test cases
[GitHub] [apisix-ingress-controller] AlinsRan commented on a diff in pull request #1533: test(e2e): add stream tcp proxy with SNI test
Posted by GitBox <gi...@apache.org>.
AlinsRan commented on code in PR #1533:
URL: https://github.com/apache/apisix-ingress-controller/pull/1533#discussion_r1062139476
##########
test/e2e/suite-ingress/suite-ingress-resource/stream.go:
##########
@@ -214,4 +223,82 @@ spec:
assert.Equal(ginkgo.GinkgoT(), sr[0].ServerPort, int32(9100))
assert.Equal(ginkgo.GinkgoT(), sr[0].SNI, "")
})
+
+ ginkgo.It("stream tcp proxy with SNI", func() {
+ // create secrets
+ host := "a.test.com"
+ secret := "server-secret"
+ serverCert, serverKey := generateCert(ginkgo.GinkgoT(), []string{host})
+ err := s.NewSecret(secret, serverCert.String(), serverKey.String())
+ assert.Nil(ginkgo.GinkgoT(), err, "create server cert secret error")
+
+ // create ApisixTls resource
+ err = s.NewApisixTls("tls-server", host, secret)
+ assert.Nil(ginkgo.GinkgoT(), err, "create ApisixTls error")
+
+ // check ssl in APISIX
+ assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixTlsCreated(1))
+
+ backendSvc, backendSvcPort := s.DefaultHTTPBackend()
+ apisixRoute := fmt.Sprintf(`
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+ name: httpbin-tcp-route
+spec:
+ stream:
+ - name: rule1
+ protocol: TCP
+ match:
+ ingressPort: 9110
+ host: %s
+ backend:
+ serviceName: %s
+ servicePort: %d
+`, host, backendSvc, backendSvcPort[0])
+
+ assert.Nil(ginkgo.GinkgoT(), s.CreateVersionedApisixResource(apisixRoute))
+
+ err = s.EnsureNumApisixStreamRoutesCreated(1)
+ assert.Nil(ginkgo.GinkgoT(), err, "Checking number of routes")
+
+ client := s.NewAPISIXClientWithTLSOverTCP(host)
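Review bot: After `err = s.EnsureNumApisixStreamRoutesCreated(1)` the test checks only the number of stream routes, not their content. The preceding case in this file asserts `sr[0].ServerPort` and `sr[0].SNI` on the created route; doing the same here, expecting port 9110 and SNI equal to `host`, would show that the `host` field of the ApisixRoute was actually translated into the stream route's SNI rather than relying on the TLS request alone.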
Review Comment:
I recommend adding the use of other host cases here to ensure that the configured sni is valid.
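The two review points in this thread (the certificate must contain the requested domain name, and a host other than the configured SNI should also be tried) can be exercised without a cluster. The following Go program is an added example, not code from the PR or from APISIX: `must`, `selfSigned`, `strictSNIConfig` and `dialWithSNI` are hypothetical helpers, a plain `crypto/tls` loopback listener stands in for the gateway, and ECDSA keys are used instead of the PR's RSA keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics if key or certificate generation fails (example-only helper).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned returns a short-lived self-signed certificate whose SAN lists
// dnsNames, plus a pool trusting only it. ECDSA and IsCA are this example's
// choices (fast key generation; the cert acts as its own trust anchor).
func selfSigned(dnsNames []string) (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:               pkix.Name{Organization: []string{"Constructed Example"}},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              dnsNames,
	}
	der := must(x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// strictSNIConfig serves cert only when the ClientHello SNI equals host.
func strictSNIConfig(host string, cert tls.Certificate) *tls.Config {
	return &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if hello.ServerName != host {
				return nil, fmt.Errorf("no certificate for SNI %q", hello.ServerName)
			}
			return &cert, nil
		},
	}
}

// dialWithSNI starts a loopback TLS listener with serverCfg, connects once
// with the given SNI and returns the client-side handshake result.
func dialWithSNI(serverCfg *tls.Config, roots *x509.CertPool, sni string) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			_ = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: sni})
	if err != nil {
		return err
	}
	conn.Close()
	return nil
}

func main() {
	good, pool := selfSigned([]string{"a.test.com"})
	cfg := strictSNIConfig("a.test.com", good)
	fmt.Println("configured host:", dialWithSNI(cfg, pool, "a.test.com"))
	fmt.Println("other host:     ", dialWithSNI(cfg, pool, "b.test.com"))
	bad, badPool := selfSigned([]string{"other.test.com"}) // SAN lacks a.test.com
	err := dialWithSNI(strictSNIConfig("a.test.com", bad), badPool, "a.test.com")
	fmt.Println("SAN mismatch:   ", errors.As(err, new(x509.HostnameError)), err)
}
```

Only the first connection succeeds: the second is refused by the server because of its SNI, and the third fails in the client's hostname verification because the SAN does not contain the requested name.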
[GitHub] [apisix-ingress-controller] Juneezee commented on pull request #1533: test(e2e): add stream tcp proxy with SNI test
Posted by GitBox <gi...@apache.org>.
Juneezee commented on PR #1533:
URL: https://github.com/apache/apisix-ingress-controller/pull/1533#issuecomment-1354363266
My first attempt on Issue #1438.
Currently the test fails with the following error:
```
[FAILED]
Error Trace: /home/jun/Desktop/github/apisix-ingress-controller/test/e2e/reporter.go:23
/home/jun/Desktop/github/apisix-ingress-controller/test/e2e/reporter.go:23
/home/jun/Desktop/github/apisix-ingress-controller/test/e2e/assertion.go:262
/home/jun/Desktop/github/apisix-ingress-controller/test/e2e/chain.go:132
/home/jun/Desktop/github/apisix-ingress-controller/test/e2e/request.go:1803
/home/jun/Desktop/github/apisix-ingress-controller/test/e2e/request.go:1705
/home/jun/Desktop/github/apisix-ingress-controller/test/e2e/request.go:1666
/home/jun/Desktop/github/apisix-ingress-controller/test/e2e/stream.go:266
/home/jun/Desktop/github/apisix-ingress-controller/test/e2e/node.go:445
/home/jun/Desktop/github/apisix-ingress-controller/test/e2e/suite.go:847
/home/jun/Desktop/github/apisix-ingress-controller/test/e2e/asm_amd64.s:1594
Error:
Error Trace: /home/jun/Desktop/github/apisix-ingress-controller/test/e2e/reporter.go:23
/home/jun/Desktop/github/apisix-ingress-controller/test/e2e/assertion.go:262
/home/jun/Desktop/github/apisix-ingress-controller/test/e2e/chain.go:132
/home/jun/Desktop/github/apisix-ingress-controller/test/e2e/request.go:1803
/home/jun/Desktop/github/apisix-ingress-controller/test/e2e/request.go:1705
/home/jun/Desktop/github/apisix-ingress-controller/test/e2e/request.go:1666
/home/jun/Desktop/github/apisix-ingress-controller/test/e2e/stream.go:266
/home/jun/Desktop/github/apisix-ingress-controller/test/e2e/node.go:445
/home/jun/Desktop/github/apisix-ingress-controller/test/e2e/suite.go:847
/home/jun/Desktop/github/apisix-ingress-controller/test/e2e/asm_amd64.s:1594
Error:
failed to send http request
Get "https://localhost:30258/ip": EOF
assertion:
Request("GET").Expect()
Test: suite-ingress-resource: ApisixRoute stream Testing SNI with v2 stream tcp proxy with SNI
```
However, the test passes if I don't set the `host` field for the `ApisixRoute` resource and use `NewAPISIXClientWithTCPProxy`, as summarised in the following table:
| | `NewAPISIXClientWithTCPProxy` | `NewAPISIXClientWithTLSOverTCP` |
|---------------|:-----------------------------:|:-------------------------------:|
| No `host` set | Pass | Fail (EOF) |
| `host` set | Fail (EOF) | Fail (EOF) |
[GitHub] [apisix-ingress-controller] Juneezee commented on a diff in pull request #1533: test(e2e): add stream tcp proxy with SNI test
Posted by GitBox <gi...@apache.org>.
Juneezee commented on code in PR #1533:
URL: https://github.com/apache/apisix-ingress-controller/pull/1533#discussion_r1051378285
##########
test/e2e/suite-ingress/suite-ingress-resource/stream.go:
##########
@@ -214,4 +223,82 @@ spec:
assert.Equal(ginkgo.GinkgoT(), sr[0].ServerPort, int32(9100))
assert.Equal(ginkgo.GinkgoT(), sr[0].SNI, "")
})
+
+ ginkgo.It("stream tcp proxy with SNI", func() {
+ // create secrets
+ host := "a.test.com"
+ secret := "server-secret"
+ serverCert, serverKey := generateCert(ginkgo.GinkgoT(), []string{host})
+ err := s.NewSecret(secret, serverCert.String(), serverKey.String())
+ assert.Nil(ginkgo.GinkgoT(), err, "create server cert secret error")
+
+ // create ApisixTls resource
+ err = s.NewApisixTls("tls-server", host, secret)
+ assert.Nil(ginkgo.GinkgoT(), err, "create ApisixTls error")
+
+ // check ssl in APISIX
+ assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixTlsCreated(1))
+
+ backendSvc, backendSvcPort := s.DefaultHTTPBackend()
+ apisixRoute := fmt.Sprintf(`
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+ name: httpbin-tcp-route
+spec:
+ stream:
+ - name: rule1
+ protocol: TCP
+ match:
+ ingressPort: 9100
+ host: %s
+ backend:
+ serviceName: %s
+ servicePort: %d
+`, host, backendSvc, backendSvcPort[0])
+
+ assert.Nil(ginkgo.GinkgoT(), s.CreateVersionedApisixResource(apisixRoute))
+
+ err = s.EnsureNumApisixStreamRoutesCreated(1)
+ assert.Nil(ginkgo.GinkgoT(), err, "Checking number of routes")
+
+ client := s.NewAPISIXClientWithTLSOverTCP(host)
+ client.GET("/ip").WithHost(host).Expect().Status(http.StatusOK)
+ })
})
+
+func generateCert(t ginkgo.GinkgoTInterface, dnsNames []string) (certPemBytes, privPemBytes bytes.Buffer) {
+ priv, err := rsa.GenerateKey(rand.Reader, 2048)
+ pub := priv.Public()
+
+ serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+ serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+ assert.NoError(t, err)
+
+ template := x509.Certificate{
+ SerialNumber: serialNumber,
+ Subject: pkix.Name{
+ Organization: []string{"Acme Co"},
+ },
+ NotBefore: time.Now(),
+ NotAfter: time.Now().Add(time.Hour),
+
+ KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+ BasicConstraintsValid: true,
+
+ DNSNames: dnsNames,
+ }
+
+ derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, pub, priv)
+ assert.NoError(t, err)
+ err = pem.Encode(&certPemBytes, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+ assert.NoError(t, err)
+
+ privBytes, err := x509.MarshalPKCS8PrivateKey(priv)
+ assert.NoError(t, err)
+ err = pem.Encode(&privPemBytes, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes})
+ assert.NoError(t, err)
+
+ return
+}
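Review bot: In `generateCert`, the error from `rsa.GenerateKey(rand.Reader, 2048)` is never checked: `priv.Public()` is called on the next line, and `err` is then overwritten by the `rand.Int` call before the first `assert.NoError(t, err)`. Add `assert.NoError(t, err)` directly after key generation so a failure is reported at its source instead of surfacing as a nil-pointer dereference on `priv`.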
Review Comment:
> Thanks for your contribution.
>
> Please refer to https://apisix.apache.org/docs/apisix/certificate/
>
> The certificate you create should contain the domain name you requested
Hi @tao12345666333, thanks for your comment. I believe I have generated the certificate correctly. I have tested the `generateCert` function and examined the certificate using `openssl x509`. The domain name is indeed included in the Subject Alternative Name field.
Go Playground link: https://go.dev/play/p/oH_mUd6D8BD
Here I saved the certificate into `test.crt` and examined the certificate using `openssl x509`. The Subject Alternative Name has the domain name `a.test.com` as expected.
```sh
❯ openssl x509 -noout -text -in test.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d1:e4:87:7d:7e:89:63:e9:6b:e6:8f:99:7c:45:f6:59
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = Acme Co
Validity
Not Before: Nov 10 23:00:00 2009 GMT
Not After : Nov 11 00:00:00 2009 GMT
Subject: O = Acme Co
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ba:23:fd:59:b3:e4:0c:f1:75:78:45:cb:9c:55:
89:0d:3e:79:64:11:8b:78:2e:76:3e:11:4a:af:30:
7f:71:ca:15:3a:80:17:6f:d9:0e:7a:29:dd:92:d7:
f6:fe:3e:f0:5d:23:a4:c6:4b:0b:cf:79:f5:86:bc:
2b:52:81:a1:e4:1a:a1:d2:2c:9b:e8:9b:c1:c6:ec:
04:8b:9c:eb:68:54:b5:b6:60:35:0a:35:5a:30:ff:
76:d4:48:e5:de:1e:b8:77:26:fe:07:6f:08:f4:79:
26:c5:68:ce:5e:ff:e3:ea:3f:cd:28:e0:6f:2a:f8:
9d:38:ee:b8:ed:01:32:e7:ee:08:c2:e1:94:5a:d1:
b1:6c:d6:ba:ed:7a:58:e9:50:87:aa:60:3d:55:34:
b7:d3:87:b8:21:50:a9:73:ee:9c:c5:7a:38:60:d2:
40:5b:2b:87:79:c9:44:c5:48:66:01:28:6c:00:91:
e7:a4:ac:f7:ba:bd:4c:62:2e:2f:42:b4:0c:04:42:
9a:9e:ad:45:8a:67:71:86:65:62:5f:d4:61:59:26:
1e:8b:83:06:3f:ae:25:be:a0:a2:9c:ba:8b:31:fc:
68:fe:c7:59:95:da:e7:4e:ce:83:0c:7e:fd:57:7c:
1f:7a:e7:6c:11:7d:ea:bb:75:a5:02:d4:ab:ce:8c:
4b:67
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Alternative Name:
DNS:a.test.com
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
a4:e1:df:cd:52:6a:67:98:0b:ff:9a:4a:14:41:67:7c:a7:d8:
2b:f2:45:1f:a1:93:73:60:4b:7d:26:33:47:3c:24:f7:39:fe:
f2:85:39:52:39:42:12:d8:61:ce:7e:3a:db:72:3d:98:e5:fd:
cc:c7:57:9c:5b:92:f4:cb:1e:cf:20:23:84:5d:d0:3b:29:4f:
90:ea:7a:5a:b5:59:cb:e8:c1:c2:d8:65:5d:87:7a:17:e7:42:
84:18:68:d8:65:1e:c3:5f:2f:23:9f:fb:e0:91:9f:97:39:52:
b8:2c:c6:18:ad:42:5a:59:9b:83:06:d9:3e:33:ee:fa:ab:88:
a3:10:dc:13:ee:72:53:f4:b3:05:37:dc:29:8a:9f:62:bb:2b:
9c:aa:c1:22:fa:aa:17:7e:d1:16:10:ac:5a:d5:d6:23:19:f4:
d9:f7:ca:74:3f:fd:36:a5:ef:bc:8b:67:73:5e:4a:af:2e:c7:
64:19:9e:39:24:7d:b4:b4:5f:80:49:01:6c:c9:87:bc:36:94:
28:92:98:44:82:b3:9b:4b:69:de:69:d9:c1:6b:08:87:b5:9a:
d3:c5:d6:b6:68:d0:55:0c:da:a8:67:82:85:d7:59:75:eb:02:
ad:14:6b:29:01:af:99:b6:77:69:f9:69:63:40:57:b8:5c:34:
8e:83:91:74
```
[GitHub] [apisix-ingress-controller] AlinsRan commented on a diff in pull request #1533: test(e2e): add stream tcp proxy with SNI test
Posted by GitBox <gi...@apache.org>.
AlinsRan commented on code in PR #1533:
URL: https://github.com/apache/apisix-ingress-controller/pull/1533#discussion_r1060265300
##########
test/e2e/suite-ingress/suite-ingress-resource/stream.go:
##########
@@ -214,4 +223,82 @@ spec:
assert.Equal(ginkgo.GinkgoT(), sr[0].ServerPort, int32(9100))
assert.Equal(ginkgo.GinkgoT(), sr[0].SNI, "")
})
+
+ ginkgo.It("stream tcp proxy with SNI", func() {
+ // create secrets
+ host := "a.test.com"
+ secret := "server-secret"
+ serverCert, serverKey := generateCert(ginkgo.GinkgoT(), []string{host})
+ err := s.NewSecret(secret, serverCert.String(), serverKey.String())
+ assert.Nil(ginkgo.GinkgoT(), err, "create server cert secret error")
+
+ // create ApisixTls resource
+ err = s.NewApisixTls("tls-server", host, secret)
+ assert.Nil(ginkgo.GinkgoT(), err, "create ApisixTls error")
+
+ // check ssl in APISIX
+ assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixTlsCreated(1))
+
+ backendSvc, backendSvcPort := s.DefaultHTTPBackend()
+ apisixRoute := fmt.Sprintf(`
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+ name: httpbin-tcp-route
+spec:
+ stream:
+ - name: rule1
+ protocol: TCP
+ match:
+ ingressPort: 9100
Review Comment:
`9110`
https://github.com/apache/apisix-ingress-controller/blob/master/test/e2e/testdata/apisix-gw-config-v3.yaml#L44-L45