From e0938e22eb07f1ed558483ec5c7817fbc318d870 Mon Sep 17 00:00:00 2001
From: Tero Saarni
Date: Fri, 19 Jan 2024 21:10:22 +0200
Subject: [PATCH] update after review
Signed-off-by: Tero Saarni
---
 .../v3/backendcavalidation_test.go | 24 +++++++------------
 .../featuretests/v3/backendclientauth_test.go | 15 +++++------
 2 files changed, 14 insertions(+), 25 deletions(-)
diff --git a/internal/featuretests/v3/backendcavalidation_test.go b/internal/featuretests/v3/backendcavalidation_test.go
index 897bb7dbf7b..53458d92667 100644
--- a/internal/featuretests/v3/backendcavalidation_test.go
+++ b/internal/featuretests/v3/backendcavalidation_test.go
@@ -112,13 +112,15 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
 TypeUrl: listenerType,
 })
 
- // assert that the cluster now has a certificate and subject name.
- c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{
+ expectedResponse := &envoy_discovery_v3.DiscoveryResponse{
 Resources: resources(t,
- tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), []byte(featuretests.CERTIFICATE), "subjname", "", nil, nil),
+ tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), caSecret.Data[dag.CACertificateKey], "subjname", "", nil, nil),
 ),
 TypeUrl: clusterType,
- })
+ }
+
+ // assert that the cluster now has a certificate and subject name.
+ c.Request(clusterType).Equals(expectedResponse)
 
 // Contour does not use SDS to transmit the CA for upstream validation, issue 1405,
 // assert that SDS is empty.
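Review bot: The expected CA in the `tlsCluster(...)` line is now read from the same fixture the test feeds to the code under test (`caSecret.Data[dag.CACertificateKey]`), so the assertion no longer pins a known certificate value. If that entry were ever empty or stored under a different key, the expected cluster would carry a nil CA and the test could stop proving that upstream validation is configured; caSecret is built outside this hunk, so treat this as a hedge. A guard before `expectedResponse` is built would close it: `if len(caSecret.Data[dag.CACertificateKey]) == 0 { t.Fatal("CA fixture has no certificate data") }`. The same applies to `sec2.Data[dag.CACertificateKey]` in the first hunk of backendclientauth_test.go. The test function starts and ends outside the hunk.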
@@ -160,12 +162,7 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
 })
 
 // assert that the cluster now has a certificate and subject name.
- c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{
- Resources: resources(t,
- tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), []byte(featuretests.CERTIFICATE), "subjname", "", nil, nil),
- ),
- TypeUrl: clusterType,
- })
+ c.Request(clusterType).Equals(expectedResponse)
 
 // Contour does not use SDS to transmit the CA for upstream validation, issue 1405,
 // assert that SDS is empty.
@@ -210,10 +207,5 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
 })
 rh.OnAdd(tcpproxy)
 
- c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{
- Resources: resources(t,
- tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), []byte(featuretests.CERTIFICATE), "subjname", "", nil, nil),
- ),
- TypeUrl: clusterType,
- })
+ c.Request(clusterType).Equals(expectedResponse)
 }
diff --git a/internal/featuretests/v3/backendclientauth_test.go b/internal/featuretests/v3/backendclientauth_test.go
index f1f52811853..72b74c37e73 100644
--- a/internal/featuretests/v3/backendclientauth_test.go
+++ b/internal/featuretests/v3/backendclientauth_test.go
@@ -119,12 +119,14 @@ func TestBackendClientAuthenticationWithHTTPProxy(t *testing.T) {
 })
 rh.OnAdd(proxy)
 
- c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{
+ expectedResponse := &envoy_discovery_v3.DiscoveryResponse{
 Resources: resources(t,
- tlsCluster(cluster("default/backend/443/950c17581f", "default/backend/http", "default_backend_443"), []byte(featuretests.CERTIFICATE), "subjname", "", sec1, nil),
+ tlsCluster(cluster("default/backend/443/950c17581f", "default/backend/http", "default_backend_443"), sec2.Data[dag.CACertificateKey], "subjname", "", sec1, nil),
 ),
 TypeUrl: clusterType,
- })
+ }
+
+ c.Request(clusterType).Equals(expectedResponse)
 
 rh.OnDelete(proxy)
 
@@ -150,12 +152,7 @@ func TestBackendClientAuthenticationWithHTTPProxy(t *testing.T) {
 })
 rh.OnAdd(tcpproxy)
 
- c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{
- Resources: resources(t,
- tlsCluster(cluster("default/backend/443/950c17581f", "default/backend/http", "default_backend_443"), []byte(featuretests.CERTIFICATE), "subjname", "", sec1, nil),
- ),
- TypeUrl: clusterType,
- })
+ c.Request(clusterType).Equals(expectedResponse)
 
 // Test the error branch when Envoy client certificate secret does not exist.
 rh.OnDelete(sec1)
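Review bot: The `tlsCluster(...)` line takes the CA bundle from `sec2` and passes `sec1` as a separate argument, but neither name says which secret plays which role; only the later comment before `rh.OnDelete(sec1)` reveals that sec1 is Envoy's client certificate secret. A short comment above `expectedResponse` would help, for example `// sec2 carries the CA bundle used to validate the backend; sec1 is Envoy's client certificate.` It would also be worth stating there that the HTTPProxy and TCPProxy cases are expected to produce the same cluster, since the value is reused in the second hunk. Both secrets are defined outside the hunk, so confirm the roles before adding the comment.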