Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/12/17 11:07:46 UTC
[GitHub] [apisix-ingress-controller] Juneezee commented on a diff in pull request #1533: test(e2e): add stream tcp proxy with SNI test
Juneezee commented on code in PR #1533:
URL: https://github.com/apache/apisix-ingress-controller/pull/1533#discussion_r1051378285
##########
test/e2e/suite-ingress/suite-ingress-resource/stream.go:
##########
@@ -214,4 +223,82 @@ spec:
assert.Equal(ginkgo.GinkgoT(), sr[0].ServerPort, int32(9100))
assert.Equal(ginkgo.GinkgoT(), sr[0].SNI, "")
})
+
+ ginkgo.It("stream tcp proxy with SNI", func() {
+ // create secrets
+ host := "a.test.com"
+ secret := "server-secret"
+ serverCert, serverKey := generateCert(ginkgo.GinkgoT(), []string{host})
+ err := s.NewSecret(secret, serverCert.String(), serverKey.String())
+ assert.Nil(ginkgo.GinkgoT(), err, "create server cert secret error")
+
+ // create ApisixTls resource
+ err = s.NewApisixTls("tls-server", host, secret)
+ assert.Nil(ginkgo.GinkgoT(), err, "create ApisixTls error")
+
+ // check ssl in APISIX
+ assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixTlsCreated(1))
+
+ backendSvc, backendSvcPort := s.DefaultHTTPBackend()
+ apisixRoute := fmt.Sprintf(`
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+ name: httpbin-tcp-route
+spec:
+ stream:
+ - name: rule1
+ protocol: TCP
+ match:
+ ingressPort: 9100
+ host: %s
+ backend:
+ serviceName: %s
+ servicePort: %d
+`, host, backendSvc, backendSvcPort[0])
+
+ assert.Nil(ginkgo.GinkgoT(), s.CreateVersionedApisixResource(apisixRoute))
+
+ err = s.EnsureNumApisixStreamRoutesCreated(1)
+ assert.Nil(ginkgo.GinkgoT(), err, "Checking number of routes")
+
+ client := s.NewAPISIXClientWithTLSOverTCP(host)
+ client.GET("/ip").WithHost(host).Expect().Status(http.StatusOK)
+ })
})
+
+func generateCert(t ginkgo.GinkgoTInterface, dnsNames []string) (certPemBytes, privPemBytes bytes.Buffer) {
+ priv, err := rsa.GenerateKey(rand.Reader, 2048)
+ pub := priv.Public()
+
+ serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+ serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+ assert.NoError(t, err)
+
+ template := x509.Certificate{
+ SerialNumber: serialNumber,
+ Subject: pkix.Name{
+ Organization: []string{"Acme Co"},
+ },
+ NotBefore: time.Now(),
+ NotAfter: time.Now().Add(time.Hour),
+
+ KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+ BasicConstraintsValid: true,
+
+ DNSNames: dnsNames,
+ }
+
+ derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, pub, priv)
+ assert.NoError(t, err)
+ err = pem.Encode(&certPemBytes, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+ assert.NoError(t, err)
+
+ privBytes, err := x509.MarshalPKCS8PrivateKey(priv)
+ assert.NoError(t, err)
+ err = pem.Encode(&privPemBytes, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes})
+ assert.NoError(t, err)
+
+ return
+}
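Review bot: The error returned by `rsa.GenerateKey` on the first line of `generateCert` is never checked; the following `serialNumber, err := rand.Int(...)` reuses and overwrites `err`, so a key-generation failure would surface as a nil-pointer panic at `priv.Public()` instead of a test failure. Add `assert.NoError(t, err)` directly after the `rsa.GenerateKey` call, matching how every other error in the function is handled. As a smaller point of style, returning two `bytes.Buffer` values and calling `.String()` on them at the call site is unusual; `pem.EncodeToMemory` returns `[]byte` directly and would let the function return `([]byte, []byte)` without the intermediate buffers. The `ExtKeyUsageClientAuth` entry also appears unused by this server-side SNI test and could be dropped to keep the fixture certificate minimal, though it is harmless here.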
Review Comment:
> Thanks for your contribution.
>
> Please refer to https://apisix.apache.org/docs/apisix/certificate/
>
> The certificate you create should contain the domain name you requested
Hi @tao12345666333, thanks for your comment. I believe I have generated the certificate correctly. I have tested the `generateCert` function and examined the certificate using `openssl x509`. The domain name is indeed included in the Subject Alternative Name field.
Go Playground link: https://go.dev/play/p/oH_mUd6D8BD
Here I saved the certificate into `test.crt` and examined the certificate using `openssl x509`. The Subject Alternative Name has the domain name `a.test.com` as expected.
```sh
❯ openssl x509 -noout -text -in test.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d1:e4:87:7d:7e:89:63:e9:6b:e6:8f:99:7c:45:f6:59
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = Acme Co
Validity
Not Before: Nov 10 23:00:00 2009 GMT
Not After : Nov 11 00:00:00 2009 GMT
Subject: O = Acme Co
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ba:23:fd:59:b3:e4:0c:f1:75:78:45:cb:9c:55:
89:0d:3e:79:64:11:8b:78:2e:76:3e:11:4a:af:30:
7f:71:ca:15:3a:80:17:6f:d9:0e:7a:29:dd:92:d7:
f6:fe:3e:f0:5d:23:a4:c6:4b:0b:cf:79:f5:86:bc:
2b:52:81:a1:e4:1a:a1:d2:2c:9b:e8:9b:c1:c6:ec:
04:8b:9c:eb:68:54:b5:b6:60:35:0a:35:5a:30:ff:
76:d4:48:e5:de:1e:b8:77:26:fe:07:6f:08:f4:79:
26:c5:68:ce:5e:ff:e3:ea:3f:cd:28:e0:6f:2a:f8:
9d:38:ee:b8:ed:01:32:e7:ee:08:c2:e1:94:5a:d1:
b1:6c:d6:ba:ed:7a:58:e9:50:87:aa:60:3d:55:34:
b7:d3:87:b8:21:50:a9:73:ee:9c:c5:7a:38:60:d2:
40:5b:2b:87:79:c9:44:c5:48:66:01:28:6c:00:91:
e7:a4:ac:f7:ba:bd:4c:62:2e:2f:42:b4:0c:04:42:
9a:9e:ad:45:8a:67:71:86:65:62:5f:d4:61:59:26:
1e:8b:83:06:3f:ae:25:be:a0:a2:9c:ba:8b:31:fc:
68:fe:c7:59:95:da:e7:4e:ce:83:0c:7e:fd:57:7c:
1f:7a:e7:6c:11:7d:ea:bb:75:a5:02:d4:ab:ce:8c:
4b:67
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Alternative Name:
DNS:a.test.com
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
a4:e1:df:cd:52:6a:67:98:0b:ff:9a:4a:14:41:67:7c:a7:d8:
2b:f2:45:1f:a1:93:73:60:4b:7d:26:33:47:3c:24:f7:39:fe:
f2:85:39:52:39:42:12:d8:61:ce:7e:3a:db:72:3d:98:e5:fd:
cc:c7:57:9c:5b:92:f4:cb:1e:cf:20:23:84:5d:d0:3b:29:4f:
90:ea:7a:5a:b5:59:cb:e8:c1:c2:d8:65:5d:87:7a:17:e7:42:
84:18:68:d8:65:1e:c3:5f:2f:23:9f:fb:e0:91:9f:97:39:52:
b8:2c:c6:18:ad:42:5a:59:9b:83:06:d9:3e:33:ee:fa:ab:88:
a3:10:dc:13:ee:72:53:f4:b3:05:37:dc:29:8a:9f:62:bb:2b:
9c:aa:c1:22:fa:aa:17:7e:d1:16:10:ac:5a:d5:d6:23:19:f4:
d9:f7:ca:74:3f:fd:36:a5:ef:bc:8b:67:73:5e:4a:af:2e:c7:
64:19:9e:39:24:7d:b4:b4:5f:80:49:01:6c:c9:87:bc:36:94:
28:92:98:44:82:b3:9b:4b:69:de:69:d9:c1:6b:08:87:b5:9a:
d3:c5:d6:b6:68:d0:55:0c:da:a8:67:82:85:d7:59:75:eb:02:
ad:14:6b:29:01:af:99:b6:77:69:f9:69:63:40:57:b8:5c:34:
8e:83:91:74
```