Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/12/17 11:07:46 UTC

[GitHub] [apisix-ingress-controller] Juneezee commented on a diff in pull request #1533: test(e2e): add stream tcp proxy with SNI test

Juneezee commented on code in PR #1533:
URL: https://github.com/apache/apisix-ingress-controller/pull/1533#discussion_r1051378285


##########
test/e2e/suite-ingress/suite-ingress-resource/stream.go:
##########
@@ -214,4 +223,82 @@ spec:
 		assert.Equal(ginkgo.GinkgoT(), sr[0].ServerPort, int32(9100))
 		assert.Equal(ginkgo.GinkgoT(), sr[0].SNI, "")
 	})
+
+	ginkgo.It("stream tcp proxy with SNI", func() {
+		// create secrets
+		host := "a.test.com"
+		secret := "server-secret"
+		serverCert, serverKey := generateCert(ginkgo.GinkgoT(), []string{host})
+		err := s.NewSecret(secret, serverCert.String(), serverKey.String())
+		assert.Nil(ginkgo.GinkgoT(), err, "create server cert secret error")
+
+		// create ApisixTls resource
+		err = s.NewApisixTls("tls-server", host, secret)
+		assert.Nil(ginkgo.GinkgoT(), err, "create ApisixTls error")
+
+		// check ssl in APISIX
+		assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixTlsCreated(1))
+
+		backendSvc, backendSvcPort := s.DefaultHTTPBackend()
+		apisixRoute := fmt.Sprintf(`
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+  name: httpbin-tcp-route
+spec:
+  stream:
+  - name: rule1
+    protocol: TCP
+    match:
+      ingressPort: 9100
+      host: %s
+    backend:
+      serviceName: %s
+      servicePort: %d
+`, host, backendSvc, backendSvcPort[0])
+
+		assert.Nil(ginkgo.GinkgoT(), s.CreateVersionedApisixResource(apisixRoute))
+
+		err = s.EnsureNumApisixStreamRoutesCreated(1)
+		assert.Nil(ginkgo.GinkgoT(), err, "Checking number of routes")
+
+		client := s.NewAPISIXClientWithTLSOverTCP(host)
+		client.GET("/ip").WithHost(host).Expect().Status(http.StatusOK)
+	})
 })
+
+func generateCert(t ginkgo.GinkgoTInterface, dnsNames []string) (certPemBytes, privPemBytes bytes.Buffer) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	pub := priv.Public()
+
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	assert.NoError(t, err)
+
+	template := x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			Organization: []string{"Acme Co"},
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(time.Hour),
+
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		BasicConstraintsValid: true,
+
+		DNSNames: dnsNames,
+	}
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, pub, priv)
+	assert.NoError(t, err)
+	err = pem.Encode(&certPemBytes, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+	assert.NoError(t, err)
+
+	privBytes, err := x509.MarshalPKCS8PrivateKey(priv)
+	assert.NoError(t, err)
+	err = pem.Encode(&privPemBytes, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes})
+	assert.NoError(t, err)
+
+	return
+}
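Review bot: The error returned by `rsa.GenerateKey` on the first line of `generateCert` is never checked — `err` is only asserted after the later `rand.Int` call, so a key-generation failure would be masked and `priv.Public()` would dereference a nil key. Add `assert.NoError(t, err)` directly after `priv, err := rsa.GenerateKey(rand.Reader, 2048)` so the failure is reported where it happens. Separately, `ExtKeyUsageClientAuth` is unnecessary for a certificate that only acts as the SNI server certificate in this test; restricting `ExtKeyUsage` to `x509.ExtKeyUsageServerAuth` documents the intended use and avoids the cert being accepted for a purpose it was not created for. The `stream tcp proxy with SNI` spec only asserts a 200 for the matching host; a second request with a non-matching SNI that is expected to fail would show the `host:` match is actually enforced rather than the route matching on `ingressPort` alone, if the `NewAPISIXClientWithTLSOverTCP` helper allows it. The enclosing `ginkgo.Describe` closure that `ginkgo.It` is added to begins before the hunk.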

Review Comment:
   > Thanks for your contribution.
   > 
   > Please refer to https://apisix.apache.org/docs/apisix/certificate/
   > 
   > The certificate you create should contain the domain name you requested
   
   Hi @tao12345666333, thanks for your comment. I believe I have generated the certificate correctly. I have tested the `generateCert` function and examined the certificate using `openssl x509`. The domain name is indeed included in the Subject Alternative Name field.
   
   Go Playground link: https://go.dev/play/p/oH_mUd6D8BD
   
   Here I saved the certificate into `test.crt` and examined the certificate using `openssl x509`. The Subject Alternative Name has the domain name `a.test.com` as expected.
   ```sh
   ❯ openssl x509 -noout -text -in test.crt
   Certificate:
       Data:
           Version: 3 (0x2)
           Serial Number:
               d1:e4:87:7d:7e:89:63:e9:6b:e6:8f:99:7c:45:f6:59
           Signature Algorithm: sha256WithRSAEncryption
           Issuer: O = Acme Co
           Validity
               Not Before: Nov 10 23:00:00 2009 GMT
               Not After : Nov 11 00:00:00 2009 GMT
           Subject: O = Acme Co
           Subject Public Key Info:
               Public Key Algorithm: rsaEncryption
                   Public-Key: (2048 bit)
                   Modulus:
                       00:ba:23:fd:59:b3:e4:0c:f1:75:78:45:cb:9c:55:
                       89:0d:3e:79:64:11:8b:78:2e:76:3e:11:4a:af:30:
                       7f:71:ca:15:3a:80:17:6f:d9:0e:7a:29:dd:92:d7:
                       f6:fe:3e:f0:5d:23:a4:c6:4b:0b:cf:79:f5:86:bc:
                       2b:52:81:a1:e4:1a:a1:d2:2c:9b:e8:9b:c1:c6:ec:
                       04:8b:9c:eb:68:54:b5:b6:60:35:0a:35:5a:30:ff:
                       76:d4:48:e5:de:1e:b8:77:26:fe:07:6f:08:f4:79:
                       26:c5:68:ce:5e:ff:e3:ea:3f:cd:28:e0:6f:2a:f8:
                       9d:38:ee:b8:ed:01:32:e7:ee:08:c2:e1:94:5a:d1:
                       b1:6c:d6:ba:ed:7a:58:e9:50:87:aa:60:3d:55:34:
                       b7:d3:87:b8:21:50:a9:73:ee:9c:c5:7a:38:60:d2:
                       40:5b:2b:87:79:c9:44:c5:48:66:01:28:6c:00:91:
                       e7:a4:ac:f7:ba:bd:4c:62:2e:2f:42:b4:0c:04:42:
                       9a:9e:ad:45:8a:67:71:86:65:62:5f:d4:61:59:26:
                       1e:8b:83:06:3f:ae:25:be:a0:a2:9c:ba:8b:31:fc:
                       68:fe:c7:59:95:da:e7:4e:ce:83:0c:7e:fd:57:7c:
                       1f:7a:e7:6c:11:7d:ea:bb:75:a5:02:d4:ab:ce:8c:
                       4b:67
                   Exponent: 65537 (0x10001)
           X509v3 extensions:
               X509v3 Key Usage: critical
                   Digital Signature, Key Encipherment
               X509v3 Extended Key Usage: 
                   TLS Web Server Authentication, TLS Web Client Authentication
               X509v3 Basic Constraints: critical
                   CA:FALSE
               X509v3 Subject Alternative Name: 
                   DNS:a.test.com
       Signature Algorithm: sha256WithRSAEncryption
       Signature Value:
           a4:e1:df:cd:52:6a:67:98:0b:ff:9a:4a:14:41:67:7c:a7:d8:
           2b:f2:45:1f:a1:93:73:60:4b:7d:26:33:47:3c:24:f7:39:fe:
           f2:85:39:52:39:42:12:d8:61:ce:7e:3a:db:72:3d:98:e5:fd:
           cc:c7:57:9c:5b:92:f4:cb:1e:cf:20:23:84:5d:d0:3b:29:4f:
           90:ea:7a:5a:b5:59:cb:e8:c1:c2:d8:65:5d:87:7a:17:e7:42:
           84:18:68:d8:65:1e:c3:5f:2f:23:9f:fb:e0:91:9f:97:39:52:
           b8:2c:c6:18:ad:42:5a:59:9b:83:06:d9:3e:33:ee:fa:ab:88:
           a3:10:dc:13:ee:72:53:f4:b3:05:37:dc:29:8a:9f:62:bb:2b:
           9c:aa:c1:22:fa:aa:17:7e:d1:16:10:ac:5a:d5:d6:23:19:f4:
           d9:f7:ca:74:3f:fd:36:a5:ef:bc:8b:67:73:5e:4a:af:2e:c7:
           64:19:9e:39:24:7d:b4:b4:5f:80:49:01:6c:c9:87:bc:36:94:
           28:92:98:44:82:b3:9b:4b:69:de:69:d9:c1:6b:08:87:b5:9a:
           d3:c5:d6:b6:68:d0:55:0c:da:a8:67:82:85:d7:59:75:eb:02:
           ad:14:6b:29:01:af:99:b6:77:69:f9:69:63:40:57:b8:5c:34:
           8e:83:91:74
   ```
   


