add integration test for https IP address route (#4477)

add integration test for https IP address route (#4476) Update the integration test libsonnet templates to assign a fixed IP address to the trusted-httpdetails service. This requires also assigning a fixed IP subnet to the docker network. Configure a route with a 'to' URL using https and this fixed IP address. Add a corresponding certificate with the IP address. Finally, add a test case that makes a request to this route.
2025-04-29 18:36:30 +02:00 · 2023-08-18 09:59:52 -07:00 · 2023-08-18 09:59:52 -07:00 · 0d1744a31a
commit 0d1744a31a
parent b4b80f26f7
11 changed files with 217 additions and 115 deletions
--- a/integration/clusters/kubernetes/compose.yml
+++ b/integration/clusters/kubernetes/compose.yml
--- a/integration/clusters/multi/compose.yml
+++ b/integration/clusters/multi/compose.yml
--- a/integration/clusters/single/compose.yml
+++ b/integration/clusters/single/compose.yml
--- a/integration/policy_test.go
+++ b/integration/policy_test.go
@ -411,3 +411,20 @@ func rawJWTPayload(t *testing.T, jwt string) map[string]interface{} {
 	require.NoError(t, err, "JWT payload could not be deserialized")
 	return decoded
 }
+
+func TestUpstreamViaIPAddress(t *testing.T) {
+	// Verify that we can make a successful request to a route with a 'to' URL
+	// that uses https with an IP address.
+	client := getClient(t)
+	res, err := client.Get("https://httpdetails-ip-address.localhost.pomerium.io/")
+	require.NoError(t, err, "unexpected http error")
+	defer res.Body.Close()
+
+	var result struct {
+		Headers  map[string]string `json:"headers"`
+		Protocol string            `json:"protocol"`
+	}
+	err = json.NewDecoder(res.Body).Decode(&result)
+	require.NoError(t, err)
+	assert.Equal(t, "https", result.Protocol)
+}
--- a/integration/tpl/backends/httpdetails.libsonnet
+++ b/integration/tpl/backends/httpdetails.libsonnet
@ -4,8 +4,9 @@ local Variations() =
  [
    {
      name: 'trusted',
-      cert: importstr '../files/trusted.pem',
-      key: importstr '../files/trusted-key.pem',
+      cert: importstr '../files/trusted-sans.pem',
+      key: importstr '../files/trusted-sans-key.pem',
+      ipv4Address: '172.20.0.50',
    },
    {
      name: 'trusted-1',
@ -60,6 +61,11 @@ function() {
        utils.ComposeService(variation.name + '-' + suffix, {
          image: image,
          command: Command(variation),
+          [if std.get(variation, 'ipv4Address') != null then 'networks']: {
+            main: {
+              ipv4_address: variation.ipv4Address,
+            }
+          },
        }) +
        utils.ComposeService(variation.name + '-' + suffix + '-ready', {
          image: 'jwilder/dockerize:0.6.1',
--- a/integration/tpl/backends/routes.libsonnet
+++ b/integration/tpl/backends/routes.libsonnet
@ -40,6 +40,12 @@ local Routes(mode, idp, dns_suffix) =
      to: 'tcp://redis' + dns_suffix + ':6379',
      allow_any_authenticated_user: true,
    },
+    // specify https upstream by IP address
+    {
+      from: 'https://httpdetails-ip-address.localhost.pomerium.io',
+      to: 'https://172.20.0.50:8443',
+      allow_public_unauthenticated_access: true,
+    },
    // tls_skip_verify
    {
      from: 'https://httpdetails.localhost.pomerium.io',
--- a/integration/tpl/deployments/multi.libsonnet
+++ b/integration/tpl/deployments/multi.libsonnet
@ -10,7 +10,11 @@ function(idp) utils.Merge([
  (import '../backends/websocket-echo.libsonnet')().compose,
  {
    networks: {
-      main: {},
+      main: {
+        ipam: {
+          config: [{subnet: "172.20.0.0/16"}],
+        },
+      },
    },
  },
 ])
--- a/integration/tpl/deployments/single.libsonnet
+++ b/integration/tpl/deployments/single.libsonnet
@ -10,7 +10,11 @@ function(idp) utils.Merge([
  (import '../backends/websocket-echo.libsonnet')().compose,
  {
    networks: {
-      main: {},
+      main: {
+        ipam: {
+          config: [{subnet: "172.20.0.0/16"}],
+        },
+      },
    },
  },
 ])
--- a/integration/tpl/files/trusted-sans-key.pem
+++ b/integration/tpl/files/trusted-sans-key.pem
@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDilxaHaDYWtAA2
+HF8I9JjTxz+kehoyx2rx2ZnroOLC7qp7RkQodTDR8otcwyi5rtuiC1TR0/GGEqqi
+BtqU9YwtDSyisqOgHpmTvVpwdXGklKgQCXEKQZCZyggY8i6abFXoG+DcbjZVKuDa
+rQj07Je1eZKQVVIdEFit19m7l9kbRuxddpwWLnZR71hlVpX/uniMb8VSCcb9h6nM
+IRchJ4eUHuwzLuVcx3Sq0ZDKIBiGPBnj/jI8icZoElU6STp8kN4a0b15syL54uoC
+s7/EDCDmtgAtXNXez/Zt76oISLwznbgOR5N7nZYUFA+haA76QXrZ3M1csNwzef4E
+J2cxpDaPAgMBAAECggEAYTddrR7jBf6YkJ6/j4ISB9rWzWSt1NeGZNltlpDieawY
+bOeK2qjdF1auwE/jKzeAeBfQfm4mk9VybC3wnjRzveiHHA708P/v+FknclSRO4Gk
+Ua0bWMEknzb1Hm7Z29tbSEidwzVuDkBlVK0kyKCxvmS4o0BYCKw4v+16N2hA99g5
+LahplROhz5qRZwhNFJrDZr7HFCjay8s+kP6Q83ZMugxd9WKuMA6WODD51Jx2Uxy9
+S4b6sXAzBNY2kPWOiTDP4CHi/KVCzSIMy3fVGfOTQ8qP3EwnKb8RYBiEWhopurWT
+0cfKSzUgNSZMAAJJy8cxIRntoGMQLD8IOZIam+ItkQKBgQDlnwm76VnK80f2nNgY
+MteUV/Pq1t+eDDZx2+Vkb1y7dRjExnHeIx8Zka9NuEC5Aob/T0M1/riR6QKahYPK
+wzfV6AS/Rx3HciqjWpwW3gG4fIMXd22cF2KkzTcjY0sbsvyDzF/cdvF1DVEIZOQg
+92K9BI1R9wMtXSOOjHLMpv9AXQKBgQD8nujGxztXfOnojSwFnOOMAVVJ1rOqWRJW
+8jUpWAwFKq+f+G6NKesEMqblXsQyYNiEPsgTWEjxcQLXwcoe5+Ct35HXCx9QU/r5
+5FcYOvFlV+HYiIVrElYu6TGJ6p3+tS/nL0fpigD4TwKtJ19CNXtnPzRKFZt4CNaf
+ULeR8nJT2wKBgQDiNWoOgBVglYi4j81nEXdFgdwe5y4G8nsUchArgHX3iqUq/WCh
+TGjK91qkHDakn3RuRE6eUT1IXraJVwvfWBdT6SVl4bjvDn7EcGh2XYSfD9c99+4
+nWUle7GtIB2XHR4c7VMmytqWeNbykQoY2/2evoRGUjUEFLR5sy1JJd9iVQKBgGEd
+Dctsx8lIQfueWbAGsgsecBUkrojsGPrHvdwY9vX9hOpwbL9jv+8rMbG3jqD3TgT4
+xZ16MQBwO3GKFBNxfJQbAEu1AOK2hiMOvtSXxDj7Yd0GDpQsxmjeSKcGRJqoOLQd
+Hv4OiXTrmtHJ8vrW6Iu2ZnmceNnaO/ee5hL7KyxFAoGAealomMLKdpx8sqU3x+q2
+ZjwHcujFJAwMXXaAi/1cgln1JuVWr577t44VbfYNvaCQah4yZJqKpbzWzdJdatD
+JR855qFt2gBQBn6fwliFDB+e3Phrd4IwjwH3/sjl7Z7SB1ANj5DYXpceu7gaNlyZ
+/5jXf1x0Dk3QDs0JXbgJmPs=
+-----END PRIVATE KEY-----
--- a/integration/tpl/files/trusted-sans.pem
+++ b/integration/tpl/files/trusted-sans.pem
@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEhDCCAuygAwIBAgIQX48RpK9MrVcpPDQc6AScZzANBgkqhkiG9w0BAQsFADCB
+gzEeMBwGA1UEChMVbWtjZXJ0IGRldmVsb3BtZW50IENBMSwwKgYDVQQLDCNjYWxl
+YkBjYWxlYi1wYy1saW51eCAoQ2FsZWIgRG94c2V5KTEzMDEGA1UEAwwqbWtjZXJ0
+IGNhbGViQGNhbGViLXBjLWxpbnV4IChDYWxlYiBEb3hzZXkpMB4XDTIxMDgxMDE3
+MzIxMFoXDTIzMTExMDE4MzIxMFowVzEnMCUGA1UEChMebWtjZXJ0IGRldmVsb3Bt
+ZW50IGNlcnRpZmljYXRlMSwwKgYDVQQLDCNjYWxlYkBjYWxlYi1wYy1saW51eCAo
+Q2FsZWIgRG94c2V5KTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOKX
+FodoNha0ADYcXwj0mNPHP6R6GjLHavHZmeug4sLuqntGRCh1MNHyi1zDKLmu26IL
+VNHT8YYSqqIG2pT1jC0NLKKyo6AemZO9WnB1caSUqBAJcQpBkJnKCBjyLppsVegb
+4NxuNlUq4NqtCPTsl7V5kpBVUh0QWK3X2buX2RtG7F12nBYudlHvWGVWlf+6eIxv
+xVIJxv2HqcwhFyEnh5Qe7DMu5VzHdKrRkMogGIY8GeP+MjyJxmgSVTpJOnyQ3hrR
+vXmzIvni6gKzv8QMIOa2AC1c1d7P9m3vqghIvDOduA5Hk3udlhQUD6FoDvpBetnc
+zVyw3DN5/gQnZzGkNo8CAwEAAaOBnjCBmzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwHwYDVR0jBBgwFoAUhYZYWIBHyk6ZVTnp3lRt/tyBP00w
+UwYDVR0RBEwwSoITdHJ1c3RlZC1odHRwZGV0YWlsc4ItdHJ1c3RlZC1odHRwZGV0
+YWlscy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FshwSsFAAyMA0GCSqGSIb3DQEB
+CwUAA4IBgQAinBz0fCwQzao6BBoxy4PP+1cogODyFWmVfBnpQT9dE5r+VdX7vxAp
+cgNKnxn6RL0uEVlEvIoW3IExR+/Yw5j4kxNrYYgGTxiVOoVQu5Fa0BUwtlYegVrt
+O/2kCsaExTcM51JCyrdzYZkISU8UEoWcQvh/xkbR5I+Pq1MKdNLQu/kCfr3EwkCT
+bjac/AvTVYAGd3ux5KeQWUmdwHTJ52c6C7I9FO+yGYs+I9jFjSMVJKWgs5tuk6yP
+SHOL6y4LkwnkRWdaCdUxlipFflSRdbVPgBpl+y7Av+DnHnuKdNhjeVWGl9h2ozV
+oNO2PUfEawFsqakizLtvNTU4I83AaJLFWGqTPGkl3H02RoD8DgXfLGvsoiUutNnf
+ISGHomD+3HlfHCLQtxQCgfyxT2J57yai+Ba+2HjsMTx5Q/a/7HqoEakxHff6Yf0J
+kaQ07lDuMg9Bmq+n6Yg4n4I7b9txE4nF71JWCGglPgKupuUJB1umGdN3eGgE3VWe
+8GSRvXCCVlQ=
+-----END CERTIFICATE-----
--- a/integration/tpl/utils.libsonnet
+++ b/integration/tpl/utils.libsonnet
@ -96,8 +96,8 @@ local ParseURL(rawURL) =
 local ComposeService(name, definition, additionalAliases=[]) =
  {
    [name]: definition {
-      networks: {
-        main: {
+      networks+: {
+        main+: {
          aliases: [name] + additionalAliases,
        },
      },