add downstream mTLS integration test cases (#4234)

* integration test config: add downstream mTLS routes Add two new CA certificates for use with downstream mTLS tests, and a client certificate/key pair issued by each CA. Add a few routes to the policy template that require a client CA. Update the generated output configurations. (based on commit ed63a6a6e7) * add downstream mTLS integration test cases These are modeled after the tests added to v0.17 in 83957a9, but here the expected behavior is that requests with an invalid client certificate will receive a 495 response only after authentication.
2025-05-30 09:27:19 +02:00 · 2023-06-13 10:25:21 -07:00 · 2023-06-13 10:25:21 -07:00 · 3ebee1159c
commit 3ebee1159c
parent d96ca0611a
12 changed files with 335 additions and 6 deletions
--- a/integration/main_test.go
+++ b/integration/main_test.go
@ -105,6 +105,14 @@ func getClient(t testing.TB) *http.Client {
 	}
 }

+// Returns a new http.Client configured with the same settings as getClient(),
+// as well as a pointer to the wrapped http.Transport, so that the
+// http.Transport can be easily customized.
+func getClientWithTransport(t testing.TB) (*http.Client, *http.Transport) {
+	client := getClient(t)
+	return client, client.Transport.(loggingRoundTripper).transport.(*http.Transport)
+}
+
 func waitForHealthy(ctx context.Context) error {
 	client := getClient(nil)
 	check := func(endpoint string) error {
@ -194,3 +202,14 @@ func mustParseURL(str string) *url.URL {
 	}
 	return u
 }
+
+func loadCertificate(t *testing.T, certName string) tls.Certificate {
+	t.Helper()
+	certFile := filepath.Join(".", "tpl", "files", certName+".pem")
+	keyFile := filepath.Join(".", "tpl", "files", certName+"-key.pem")
+	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return cert
+}