From 7045225a24246be37f472e9b5a5bc611093b78b1 Mon Sep 17 00:00:00 2001
From: NiniOak
Date: Tue, 3 Dec 2024 15:45:02 -0800
Subject: [PATCH] update golden file tests
---
 agent/xds/resources_test.go | 160 ++++++++++++++++++
 .../api-gateway-with-http-route.latest.golden | 9 +-
 ...multiple-inline-certificates.latest.golden | 18 +-
 3 files changed, 184 insertions(+), 3 deletions(-)
diff --git a/agent/xds/resources_test.go b/agent/xds/resources_test.go
index 622127a99251..f681714752c3 100644
--- a/agent/xds/resources_test.go
+++ b/agent/xds/resources_test.go
@@ -1000,6 +1000,73 @@ func getAPIGatewayGoldenTestCases(t *testing.T) []goldenTestCase {
 }}, nil)
 },
 },
+ {
+ name: "api-gateway-with-multiple-inline-certificates-tls-params-unset",
+ create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+ return proxycfg.TestConfigSnapshotAPIGateway(t, "default", nil, func(entry *structs.APIGatewayConfigEntry, bound *structs.BoundAPIGatewayConfigEntry) {
+ entry.Listeners = []structs.APIGatewayListener{
+ {
+ Name: "listener",
+ Protocol: structs.ListenerProtocolTCP,
+ Port: 8080,
+ TLS: structs.APIGatewayTLSConfiguration{
+ Certificates: []structs.ResourceReference{{
+ Kind: structs.InlineCertificate,
+ Name: "certificate",
+ }},
+ },
+ },
+ }
+ bound.Listeners = []structs.BoundAPIGatewayListener{
+ {
+ Name: "listener",
+ Certificates: []structs.ResourceReference{
+ {
+ Kind: structs.InlineCertificate,
+ Name: "certificate",
+ },
+ {
+ Kind: structs.InlineCertificate,
+ Name: "certificate-too",
+ },
+ },
+ Routes: []structs.ResourceReference{{
+ Kind: structs.TCPRoute,
+ Name: "route",
+ }},
+ },
+ }
+ },
+ []structs.BoundRoute{
+ &structs.TCPRouteConfigEntry{
+ Kind: structs.TCPRoute,
+ Name: "route",
+ Services: []structs.TCPService{{
+ Name: "service",
+ }},
+ Parents: []structs.ResourceReference{
+ {
+ Kind: structs.APIGateway,
+ Name: "api-gateway",
+ },
+ },
+ },
+ }, []structs.InlineCertificateConfigEntry{
+ {
+ Kind: structs.InlineCertificate,
+ Name: "certificate",
+ PrivateKey: gatewayTestPrivateKey,
+ Certificate: gatewayTestCertificate,
+ },
+ {
+ Kind: structs.InlineCertificate,
+ Name: "certificate-too",
+ PrivateKey: gatewayTestPrivateKeyTwo,
+ Certificate: gatewayTestCertificateTwo,
+ },
+ }, nil)
+ },
+ },
 {
 name: "api-gateway-with-multiple-inline-certificates",
 create: func(t testinf.T) *proxycfg.ConfigSnapshot {
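Review bot: The new `api-gateway-with-multiple-inline-certificates-tls-params-unset` case has no matching golden file in this patch: the diffstat lists three files and only the two existing `.latest.golden` listener files are touched, and the same holds for `api-gateway-with-http-route-tls-params-unset` in the next hunk. That leaves the expected output for the unset path unreviewable here, and it is the path where a regression would quietly change the gateway's TLS settings. If the goldens are not added in another commit, they should be committed with this change, and a comment above the case would state the intent, e.g. `// MinVersion, MaxVersion and CipherSuites left unset: tlsParams is expected to stay empty so Envoy defaults apply.` (the expected value is inferred from the removed `"tlsParams": {}` lines, so confirm it). The enclosing `getAPIGatewayGoldenTestCases` starts and ends outside the hunk.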
@@ -1073,6 +1140,87 @@ func getAPIGatewayGoldenTestCases(t *testing.T) []goldenTestCase {
 }, nil)
 },
 },
+ {
+ name: "api-gateway-with-http-route-tls-params-unset",
+ create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+ return proxycfg.TestConfigSnapshotAPIGateway(t, "default", nil, func(entry *structs.APIGatewayConfigEntry, bound *structs.BoundAPIGatewayConfigEntry) {
+ entry.Listeners = []structs.APIGatewayListener{
+ {
+ Name: "listener",
+ Protocol: structs.ListenerProtocolHTTP,
+ Port: 8080,
+ },
+ }
+ bound.Listeners = []structs.BoundAPIGatewayListener{
+ {
+ Name: "listener",
+ Certificates: []structs.ResourceReference{{
+ Kind: structs.InlineCertificate,
+ Name: "certificate",
+ }},
+ Routes: []structs.ResourceReference{{
+ Kind: structs.HTTPRoute,
+ Name: "route",
+ }},
+ },
+ }
+ }, []structs.BoundRoute{
+ &structs.HTTPRouteConfigEntry{
+ Kind: structs.HTTPRoute,
+ Name: "route",
+ Rules: []structs.HTTPRouteRule{{
+ Filters: structs.HTTPFilters{
+ Headers: []structs.HTTPHeaderFilter{
+ {
+ Add: map[string]string{
+ "X-Header-Add": "added",
+ },
+ Set: map[string]string{
+ "X-Header-Set": "set",
+ },
+ Remove: []string{"X-Header-Remove"},
+ },
+ },
+ RetryFilter: &structs.RetryFilter{
+ NumRetries: 3,
+ RetryOn: []string{"cancelled"},
+ RetryOnStatusCodes: []uint32{500},
+ RetryOnConnectFailure: true,
+ },
+ TimeoutFilter: &structs.TimeoutFilter{
+ IdleTimeout: time.Second * 30,
+ RequestTimeout: time.Second * 30,
+ },
+ },
+ Services: []structs.HTTPService{{
+ Name: "service",
+ }},
+ }},
+ Parents: []structs.ResourceReference{
+ {
+ Kind: structs.APIGateway,
+ Name: "api-gateway",
+ },
+ },
+ },
+ }, []structs.InlineCertificateConfigEntry{{
+ Kind: structs.InlineCertificate,
+ Name: "certificate",
+ PrivateKey: gatewayTestPrivateKey,
+ Certificate: gatewayTestCertificate,
+ }}, []proxycfg.UpdateEvent{{
+ CorrelationID: "discovery-chain:" + serviceUID.String(),
+ Result: &structs.DiscoveryChainResponse{
+ Chain: serviceChain,
+ },
+ }, {
+ CorrelationID: "upstream-target:" + serviceChain.ID() + ":" + serviceUID.String(),
+ Result: &structs.IndexedCheckServiceNodes{
+ Nodes: proxycfg.TestUpstreamNodes(t, "service"),
+ },
+ }})
+ },
+ },
 {
 name: "api-gateway-with-http-route",
 create: func(t testinf.T) *proxycfg.ConfigSnapshot {
@@ -1082,6 +1230,18 @@ func getAPIGatewayGoldenTestCases(t *testing.T) []goldenTestCase {
 Name: "listener",
 Protocol: structs.ListenerProtocolHTTP,
 Port: 8080,
+ TLS: structs.APIGatewayTLSConfiguration{
+ Certificates: []structs.ResourceReference{{
+ Kind: structs.InlineCertificate,
+ Name: "certificate",
+ }},
+ MinVersion: types.TLSv1_2,
+ MaxVersion: types.TLSv1_3,
+ CipherSuites: []types.TLSCipherSuite{
+ types.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ types.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ },
+ },
 },
 }
 bound.Listeners = []structs.BoundAPIGatewayListener{
diff --git a/agent/xds/testdata/listeners/api-gateway-with-http-route.latest.golden b/agent/xds/testdata/listeners/api-gateway-with-http-route.latest.golden
index dbb15d8751ea..c2d0bf17ce33 100644
--- a/agent/xds/testdata/listeners/api-gateway-with-http-route.latest.golden
+++ b/agent/xds/testdata/listeners/api-gateway-with-http-route.latest.golden
@@ -61,7 +61,14 @@ } } ], - "tlsParams": {} + "tlsParams": { + "cipherSuites": [ + "ECDHE-ECDSA-AES256-GCM-SHA384", + "ECDHE-RSA-CHACHA20-POLY1305" + ], + "tlsMaximumProtocolVersion": "TLSv1_3", + "tlsMinimumProtocolVersion": "TLSv1_2" + } }, "requireClientCertificate": false }
diff --git a/agent/xds/testdata/listeners/api-gateway-with-multiple-inline-certificates.latest.golden b/agent/xds/testdata/listeners/api-gateway-with-multiple-inline-certificates.latest.golden
index 4cd71ba606b0..a51c63ae068b 100644
--- a/agent/xds/testdata/listeners/api-gateway-with-multiple-inline-certificates.latest.golden
+++ b/agent/xds/testdata/listeners/api-gateway-with-multiple-inline-certificates.latest.golden
@@ -41,7 +41,14 @@ } } ], - "tlsParams": {} + "tlsParams": { + "cipherSuites": [ + "ECDHE-ECDSA-AES256-GCM-SHA384", + "ECDHE-RSA-CHACHA20-POLY1305" + ], + "tlsMaximumProtocolVersion": "TLSv1_3", + "tlsMinimumProtocolVersion": "TLSv1_2" + } }, "requireClientCertificate": false } @@ -73,7 +80,14 @@ } } ], - "tlsParams": {}, + "tlsParams": { + "cipherSuites": [ + "ECDHE-ECDSA-AES256-GCM-SHA384", + "ECDHE-RSA-CHACHA20-POLY1305" + ], + "tlsMaximumProtocolVersion": "TLSv1_3", + "tlsMinimumProtocolVersion": "TLSv1_2" + }, "validationContext": { "trustedCa": { "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"