
Commit

Add ingress security customization field tests
Signed-off-by: Evgeny Slutsky <[email protected]>
eslutsky committed Feb 18, 2025
1 parent 72c9131 commit fe55e23
Showing 1 changed file with 63 additions and 0 deletions.
63 changes: 63 additions & 0 deletions test/suites/standard1/router.robot
Expand Up @@ -68,6 +68,24 @@ ${ROUTER_TUNING_CONFIG} SEPARATOR=\n
... \ \ \ \ tlsInspectDelay: 6s
... \ \ \ \ threadCount: 3
... \ \ \ \ maxConnections: 60000
${ROUTER_SECURITY_CONFIG} SEPARATOR=\n
... ---
... ingress:
... \ \ certificateSecret: router-certs-custom
... \ \ routeAdmissionPolicy:
... \ \ \ \ wildcardPolicy: WildcardsAllowed
... \ \ clientTLS:
... \ \ \ \ clientCertificatePolicy: Required
... \ \ \ \ clientCA:
... \ \ \ \ \ \ name: router-ca-certs-custom
... \ \ tlsSecurityProfile:
... \ \ \ \ type: Custom
... \ \ \ \ custom:
... \ \ \ \ \ \ Ciphers:
... \ \ \ \ \ \ - ECDHE-RSA-AES256-GCM-SHA384
... \ \ \ \ \ \ - DHE-RSA-AES256-GCM-SHA384
... \ \ \ \ \ \ - TLS_CHACHA20_POLY1305_SHA256
... \ \ \ \ \ \ MinTLSVersion: VersionTLS13


*** Test Cases ***
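Review bot: In `${ROUTER_SECURITY_CONFIG}`, `MinTLSVersion: VersionTLS13` is paired with a cipher list in which only `TLS_CHACHA20_POLY1305_SHA256` is a TLS 1.3 suite; `ECDHE-RSA-AES256-GCM-SHA384` and `DHE-RSA-AES256-GCM-SHA384` are TLS 1.2 ciphers and cannot be negotiated once the minimum version is 1.3. If the mix is deliberate, to exercise both cipher settings in one profile, a short comment above the variable should say so; otherwise use a 1.2 minimum or drop the 1.2 ciphers so the fixture describes a profile someone would actually deploy. Minor style point: `Ciphers` and `MinTLSVersion` are capitalised while every sibling key (`clientTLS`, `tlsSecurityProfile`, `custom`) is camelCase, which is worth a comment if that is the spelling the config schema requires.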
Expand Down Expand Up @@ -149,6 +167,28 @@ Router Verify Tuning Configuration
Pod Environment Should Match Value openshift-ingress ROUTER_COMPRESSION_MIME text/html application/*
Pod Environment Should Match Value openshift-ingress ROUTER_DISABLE_HTTP2 false

Router Verify Security Configuration
[Documentation] Test ingress security configuration.
[Setup] Run Keywords
... Setup With Custom Config ${ROUTER_SECURITY_CONFIG}
... AND
... Create Custom Resources
Wait For Router Ready
Pod Environment Should Match Value openshift-ingress ROUTER_ALLOW_WILDCARD_ROUTES true
Pod Environment Should Match Value openshift-ingress ROUTER_MUTUAL_TLS_AUTH required
Pod Environment Should Match Value
... openshift-ingress
... ROUTER_MUTUAL_TLS_AUTH_CA
... /etc/pki/tls/client-ca/ca-bundle.pem
Pod Environment Should Match Value
... openshift-ingress
... ROUTER_CIPHERS
... ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
Pod Environment Should Match Value openshift-ingress ROUTER_CIPHERSUITES TLS_CHACHA20_POLY1305_SHA256
Pod Environment Should Match Value openshift-ingress SSL_MIN_VERSION TLSv1.3
Pod Volume Should Contain Secret openshift-ingress default-certificate router-certs-custom
[Teardown] Delete Custom CA Secret


*** Keywords ***
Setup
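Review bot: In the `[Setup]` of `Router Verify Security Configuration`, `Setup With Custom Config` runs before `Create Custom Resources`, so the config that names `router-certs-custom` and `router-ca-certs-custom` is applied before either object exists. Swapping the two keywords would stop the test depending on `Wait For Router Ready` to ride out a router that starts against missing objects. The assertions also cover only the rendered pod spec (environment variables and the `default-certificate` volume); a follow-up check that a client without a certificate is rejected, or that a TLS 1.2 handshake is refused, would show that `clientCertificatePolicy: Required` and the minimum version are enforced rather than just rendered.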
Expand Down Expand Up @@ -265,3 +305,26 @@ Pod Environment Should Match Value
... ${EMPTY}
... .items[*].spec.containers[*].env[?(@.name=="${env_name}")].value
Should Be Equal As Strings ${is} ${expected_value}

Pod Volume Should Contain Secret
[Documentation] Check if pod volume exists by Name
[Arguments] ${name_space} ${volume_name} ${expected_value}
${is}= Oc Get JsonPath
... pod
... ${name_space}
... ${EMPTY}
... .items[*].spec.volumes[?(@.name=="${volume_name}")].secret.secretName
Should Be Equal As Strings ${is} ${expected_value}

Create Custom Resources
[Documentation] Copy Default certs to custom
Run With Kubeconfig
... oc get secret router-certs-default -n openshift-ingress -oyaml | sed 's/name: .*/name: router-certs-custom/' | oc create -f - -oyaml | true
Run With Kubeconfig oc extract configmap/openshift-service-ca.crt --to=/tmp/ --confirm
Run With Kubeconfig
... oc create configmap router-ca-certs-custom -n openshift-ingress --from-file=ca-bundle.pem=/tmp/service-ca.crt --dry-run -o yaml | oc apply -f -

Delete Custom CA Secret
[Documentation] Copy Default certs to custom
Oc Delete secret/router-certs-custom -n openshift-ingress
Oc Delete configmap/router-ca-certs-custom -n openshift-ingress
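Review bot: In `Create Custom Resources`, the first pipeline ends in `| true`, which pipes the output of `oc create` into `true` instead of tolerating a failure; the pipeline then always reports success, so a failed copy of `router-certs-default` goes unnoticed until a later assertion fails. If the intent is to ignore "already exists", use `|| true`, or better, end with `oc apply -f -` as the configmap line does. In the same command, `sed 's/name: .*/name: router-certs-custom/'` rewrites every line containing `name:` in the exported YAML, not only `metadata.name`, so a narrower match would be safer. On the configmap line, bare `--dry-run` is deprecated in favour of `--dry-run=client`, and the `oc extract` call has no `-n`, so it depends on the current namespace. Finally, `Delete Custom CA Secret` carries the copy-pasted documentation "Copy Default certs to custom" and also deletes a configmap, so both its name and its `[Documentation]` should be updated to describe the cleanup.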
