integration: add single-cluster integration tests (#2516)

* integration: add single-cluster integration tests

* remove kind load
Caleb Doxsey 2021-08-24 15:35:05 -06:00 committed by GitHub
parent f5a558d4a0
commit 48cd10d46b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
53 changed files with 7455 additions and 31 deletions


@ -0,0 +1,62 @@
local utils = import '../utils.libsonnet';
function() {
local name = 'fortio',
local image = 'fortio/fortio:1.17.0',
compose: {
services:
utils.ComposeService(name, {
image: image,
depends_on: {
[name + '-init']: {
condition: 'service_completed_successfully',
},
},
command: [
'server',
'-cert',
'/fortio_config/trusted.pem',
'-key',
'/fortio_config/trusted-key.pem',
],
ports: [
'8079:8079/tcp',
],
volumes: [
'fortio_config:/fortio_config',
],
}) +
utils.ComposeService(name + '-init', {
image: 'busybox:latest',
command: [
'sh',
'-c',
|||
echo "$$CERT" >/fortio_config/trusted.pem
echo "$$KEY" >/fortio_config/trusted-key.pem
|||,
],
environment: {
CERT: importstr '../files/trusted.pem',
KEY: importstr '../files/trusted-key.pem',
},
volumes: [
'fortio_config:/fortio_config',
],
}) +
utils.ComposeService(name + '-ready', {
image: 'jwilder/dockerize:0.6.1',
command: [
'-wait',
'http://' + name + ':8080',
'-timeout',
'10m',
],
}),
volumes: {
fortio_config: {},
},
},
kubernetes: [],
}
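Review bot: The init container that materialises `trusted-key.pem` runs from `busybox:latest`, an unpinned tag, while the service it feeds is pinned to `fortio/fortio:1.17.0`; an upstream push to `latest` silently changes what handles the key material in CI, so pin it (tag or `@sha256:` digest). The key is also written with the default umask onto the shared `fortio_config` volume, so it is presumably group/world-readable to any container mounting that volume; prefixing the script with `umask 077` is the usual fix, provided `fortio` runs as the same UID as the init container (not visible from the image reference here). Note that `echo "$$CERT"` relies on docker-compose's `$$` escaping, so this `command` cannot be reused verbatim in a Kubernetes manifest — harmless while `kubernetes: []`, but worth a one-line comment.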


@ -0,0 +1,76 @@
local utils = import '../utils.libsonnet';
local Variations() =
[
{
name: 'trusted',
cert: importstr '../files/trusted.pem',
key: importstr '../files/trusted-key.pem',
},
{
name: 'untrusted',
cert: importstr '../files/untrusted.pem',
key: importstr '../files/untrusted-key.pem',
},
{
name: 'wrongly-named',
cert: importstr '../files/invalid.pem',
key: importstr '../files/invalid-key.pem',
},
];
local Command(variation) =
[
'sh',
'-c',
|||
cat <<-END_OF_HTTPDETAILS | tee /app/fullchain.pem
%s
END_OF_HTTPDETAILS
cat <<-END_OF_HTTPDETAILS | tee /app/privkey.pem
%s
END_OF_HTTPDETAILS
node ./index.js
||| % [variation.cert, variation.key],
];
function() {
local suffix = 'httpdetails',
local image = 'mendhak/http-https-echo:19',
compose: {
services: std.foldl(
function(acc, variation)
acc +
utils.ComposeService(variation.name + '-' + suffix, {
image: image,
command: Command(variation),
}) +
utils.ComposeService(variation.name + '-' + suffix + '-ready', {
image: 'jwilder/dockerize:0.6.1',
command: [
'-wait',
'http://' + variation.name + '-' + suffix + ':8080',
'-timeout',
'10m',
],
}),
Variations(),
{}
),
},
kubernetes: std.foldl(
function(acc, variation)
acc + [
utils.KubernetesDeployment(variation.name + '-' + suffix, image, Command(variation), [
{ name: 'http', containerPort: 8080 },
{ name: 'https', containerPort: 8443 },
]),
utils.KubernetesService(variation.name + '-' + suffix, [
{ name: 'http', port: 8080, targetPort: 'http' },
{ name: 'https', port: 8443, targetPort: 'https' },
]),
], Variations(), []
),
}
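Review bot: In `Command`, `tee /app/privkey.pem` copies the private key to the container's stdout, so every `*-httpdetails` container and pod writes its key into the log stream; `cat <<-'END_OF_HTTPDETAILS' > /app/privkey.pem` (and likewise for `fullchain.pem`) writes the file without echoing it. Quoting the heredoc delimiter additionally disables parameter expansion and backslash processing on the interpolated PEM text — harmless for base64 content, but the safer idiom since this one template is reused for all three variations. These are test fixtures so the exposure is low, but the pattern should not be the one people copy from.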


@ -0,0 +1,43 @@
local utils = import '../utils.libsonnet';
function(idp) {
local name = 'mock-idp',
local image = 'pomerium/mock-idps:${MOCK_IDPS_TAG:-master}',
local command = [
'--provider',
idp,
'--port',
'8024',
'--root-url',
'https://mock-idp.localhost.pomerium.io/',
],
compose: {
services:
utils.ComposeService(name, {
image: image,
command: command,
ports: [
'8024:8024/tcp',
],
}) +
utils.ComposeService(name + '-ready', {
image: 'jwilder/dockerize:0.6.1',
command: [
'-wait',
'http://' + name + ':8024/.well-known/openid-configuration',
'-timeout',
'10m',
],
}),
volumes: {},
},
kubernetes: [
utils.KubernetesDeployment(name, image, command, [
{ name: 'http', containerPort: 8024 },
]),
utils.KubernetesService(name, [
{ name: 'http', port: 8024, targetPort: 'http' },
]),
],
}
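Review bot: The image string `pomerium/mock-idps:${MOCK_IDPS_TAG:-master}` is passed unchanged to `utils.KubernetesDeployment`, but `${VAR:-default}` is docker-compose interpolation; Kubernetes will receive the literal text as the image tag unless an outer step (envsubst or similar, not visible in this commit) substitutes it. If such a step exists, a comment on `local image` saying so would save the next reader a debugging round; otherwise derive the tag in jsonnet via `std.extVar` or a function parameter. The default of `master` is also a moving target for the identity-provider mock that every auth test depends on, so pinning a release tag in CI would make runs reproducible.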


@ -0,0 +1,215 @@
local utils = import '../utils.libsonnet';
local Routes = (import './routes.libsonnet').Routes;
local GoogleCloudServerlessAuthenticationServiceAccount(dns_suffix='') =
{
type: 'service_account',
project_id: 'pomerium-redacted',
private_key_id: 'e07f7c93870c7e03f883560ecd8fd0f4d27b0081',
private_key: importstr '../files/trusted-key.pem',
client_email: 'redacted@pomerium-redacted.iam.gserviceaccount.com',
client_id: '101215990458000334387',
auth_uri: 'http://mock-idp' + dns_suffix + ':8024',
token_uri: 'http://mock-idp' + dns_suffix + ':8024/token',
auth_provider_x509_cert_url: 'http://mock-idp' + dns_suffix + ':8024',
client_x509_cert_url: 'http://mock-idp' + dns_suffix + ':8024',
};
local KubernetesDeployment(name, image, environment) =
{
apiVersion: 'apps/v1',
kind: 'Deployment',
metadata: {
namespace: 'default',
name: name,
},
spec: {
replicas: 1,
selector: { matchLabels: { app: name } },
template: {
metadata: {
labels: { app: name },
},
spec: {
containers: [{
name: name,
image: image,
imagePullPolicy: 'IfNotPresent',
ports: [
{ name: 'http', containerPort: 80 },
{ name: 'https', containerPort: 443 },
{ name: 'grpc', containerPort: 5443 },
],
env: [
{
name: k,
value: environment[k],
}
for k in std.objectFields(environment)
],
}],
},
},
},
};
local KubernetesService(name) =
{
apiVersion: 'v1',
kind: 'Service',
metadata: {
namespace: 'default',
name: name,
labels: { app: name },
},
spec: {
type: 'NodePort',
selector: { app: name },
ports: [
{ name: 'http', port: 80, targetPort: 'http', nodePort: 80 },
{ name: 'https', port: 443, targetPort: 'https', nodePort: 443 },
{ name: 'grpc', port: 5443, targetPort: 'grpc', nodePort: 5443 },
],
},
};
local Environment(mode, idp, dns_suffix) =
{
AUTHENTICATE_SERVICE_URL: 'https://authenticate.localhost.pomerium.io',
CERTIFICATE: std.base64(importstr '../files/trusted.pem'),
CERTIFICATE_KEY: std.base64(importstr '../files/trusted-key.pem'),
CERTIFICATE_AUTHORITY: std.base64(importstr '../files/ca.pem'),
COOKIE_SECRET: 'UYgnt8bxxK5G2sFaNzyqi5Z+OgF8m2akNc0xdQx718w=',
DATABROKER_STORAGE_TYPE: 'redis',
DATABROKER_STORAGE_CONNECTION_STRING: 'redis://redis:6379',
ENVOY_ADMIN_ADDRESS: '0.0.0.0:9901',
GOOGLE_CLOUD_SERVERLESS_AUTHENTICATION_SERVICE_ACCOUNT: std.base64(std.manifestJsonEx(
GoogleCloudServerlessAuthenticationServiceAccount(dns_suffix), ''
)),
IDP_PROVIDER: idp,
IDP_PROVIDER_URL: 'https://mock-idp.localhost.pomerium.io/',
IDP_CLIENT_ID: 'CLIENT_ID',
IDP_CLIENT_SECRET: 'CLIENT_SECRET',
JWT_CLAIMS_HEADERS: 'email,groups,user',
LOG_LEVEL: 'info',
POLICY: std.base64(std.manifestJsonEx(Routes(mode, idp, dns_suffix), '')),
SHARED_SECRET: 'UYgnt8bxxK5G2sFaNzyqi5Z+OgF8m2akNc0xdQx718w=',
SIGNING_KEY: std.base64(importstr '../files/signing-key.pem'),
SIGNING_KEY_ALGORITHM: 'ES256',
} + if mode == 'multi' then {
AUTHORIZE_SERVICE_URL: 'https://pomerium-authorize:5443',
DATABROKER_SERVICE_URL: 'https://pomerium-databroker:5443',
GRPC_ADDRESS: ':5443',
GRPC_INSECURE: 'false',
OVERRIDE_CERTIFICATE_NAME: '*.localhost.pomerium.io',
} else if mode == 'traefik' then {
FORWARD_AUTH_URL: 'https://forward-authenticate.localhost.pomerium.io',
} else if mode == 'nginx' then {
ADDRESS: ':80',
INSECURE_SERVER: 'true',
FORWARD_AUTH_URL: 'https://forward-authenticate.localhost.pomerium.io',
} else {};
local ComposeService(name, definition, additionalAliases=[]) =
utils.ComposeService(name, definition {
depends_on: {
[name + '-ready']: {
condition: 'service_completed_successfully',
}
for name in [
'fortio',
'mock-idp',
'redis',
'trusted-httpdetails',
'untrusted-httpdetails',
'verify',
'websocket-echo',
'wrongly-named-httpdetails',
]
},
}, additionalAliases);
function(mode, idp, dns_suffix='') {
local name = 'pomerium',
local image = 'pomerium/pomerium:${POMERIUM_TAG:-master}',
local environment = Environment(mode, idp, dns_suffix),
compose: {
services: if mode == 'multi' then
ComposeService(name + '-authorize', {
image: image,
environment: environment {
SERVICES: 'authorize',
},
ports: [
'9904:9901/tcp',
'5446:5443/tcp',
],
}) +
ComposeService(name + '-authenticate', {
image: image,
environment: environment {
SERVICES: 'authenticate',
},
ports: [
'9903:9901/tcp',
'5445:5443/tcp',
],
}, ['authenticate.localhost.pomerium.io']) +
ComposeService(name + '-databroker', {
image: image,
environment: environment {
SERVICES: 'databroker',
},
ports: [
'9902:9901/tcp',
'5444:5443/tcp',
],
}) +
ComposeService(name + '-proxy', {
image: image,
environment: environment {
SERVICES: 'proxy',
},
ports: [
'80:80/tcp',
'443:443/tcp',
'5443:5443/tcp',
'9901:9901/tcp',
],
}, ['mock-idp.localhost.pomerium.io'])
else if mode == 'traefik' || mode == 'nginx' then
ComposeService(name, {
image: image,
environment: environment,
}, ['authenticate.localhost.pomerium.io', 'forward-authenticate.localhost.pomerium.io']) +
ComposeService(name + '-ready', {
image: 'jwilder/dockerize:0.6.1',
command: [
'-wait',
if mode == 'nginx' then
'http://' + name + ':80/healthz'
else
'https://' + name + ':443/healthz',
'-timeout',
'10m',
],
})
else
ComposeService(name, {
image: image,
environment: environment,
ports: [
'80:80/tcp',
'443:443/tcp',
'9901:9901/tcp',
],
}, ['authenticate.localhost.pomerium.io']),
volumes: {},
},
kubernetes: [
KubernetesService(name),
KubernetesDeployment(name, image, environment),
],
}
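Review bot: `COOKIE_SECRET` and `SHARED_SECRET` in `Environment` carry the identical base64 value, so the cookie-encryption key doubles as the inter-service shared secret; that is key reuse across two unrelated purposes, and a test against this config cannot catch a regression where one secret is used in place of the other, so generate a second, distinct fixture value for `SHARED_SECRET`. Separately, `ENVOY_ADMIN_ADDRESS: '0.0.0.0:9901'` together with the `'9901:9901/tcp'` mappings publishes the Envoy admin API on every interface of the compose host; `'127.0.0.1:9901:9901/tcp'` keeps it local to the CI machine while the in-network route to it still works. The `nodePort` values 80/443/5443 in `KubernetesService` fall outside the default NodePort range and presumably depend on a specially configured cluster — a comment stating that requirement would help.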


@ -0,0 +1,30 @@
local utils = import '../utils.libsonnet';
function() {
local name = 'redis',
local image = 'redis:6.2.5-alpine',
compose: {
services:
utils.ComposeService(name, {
image: image,
}) +
utils.ComposeService(name + '-ready', {
image: 'jwilder/dockerize:0.6.1',
command: [
'-wait',
'tcp://' + name + ':6379',
'-timeout',
'10m',
],
}),
},
kubernetes: [
utils.KubernetesDeployment(name, image, null, [
{ name: 'tcp', containerPort: 6379 },
]),
utils.KubernetesService(name, [
{ name: 'tcp', port: 6379, targetPort: 'tcp' },
]),
],
}
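Review bot: The `compose` object for `redis` omits `volumes: {}`, whereas every other service file in this commit (`mock-idp`, `verify`, `websocket-echo`, `fortio`) includes it; if the merge step reads `compose.volumes` unconditionally this entry will fail, so add `volumes: {},` after `services` for consistency. Redis is also started without `--requirepass` and the databroker connects over plain `redis://redis:6379`, so any container on the compose network can read session and identity state; acceptable for an ephemeral test network, but a comment to that effect would prevent it being lifted into a deployment example.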


@ -0,0 +1,197 @@
local Routes(mode, idp, dns_suffix) =
[
{
from: 'https://mock-idp.localhost.pomerium.io',
to: 'http://mock-idp' + dns_suffix + ':8024',
allow_public_unauthenticated_access: true,
preserve_host_header: true,
},
{
from: 'https://envoy.localhost.pomerium.io',
to: 'http://localhost:9901',
allow_public_unauthenticated_access: true,
},
{
from: 'https://verify.localhost.pomerium.io',
to: 'http://verify' + dns_suffix + ':80',
allow_any_authenticated_user: true,
pass_identity_headers: true,
},
{
from: 'https://websocket-echo.localhost.pomerium.io',
to: 'http://websocket-echo' + dns_suffix + ':80',
allow_public_unauthenticated_access: true,
allow_websockets: true,
},
{
from: 'https://fortio-ui.localhost.pomerium.io',
to: 'https://fortio' + dns_suffix + ':8080',
allow_any_authenticated_user: true,
},
{
from: 'https://fortio-ping.localhost.pomerium.io',
to: 'https://fortio' + dns_suffix + ':8079',
allow_public_unauthenticated_access: true,
tls_custom_ca: std.base64(importstr '../files/ca.pem'),
tls_server_name: 'fortio-ping.localhost.pomerium.io',
},
{
from: 'tcp+https://redis.localhost.pomerium.io:6379',
to: 'tcp://redis' + dns_suffix + ':6379',
allow_any_authenticated_user: true,
},
// tls_skip_verify
{
from: 'https://httpdetails.localhost.pomerium.io',
to: 'https://trusted-httpdetails' + dns_suffix + ':8443',
path: '/tls-skip-verify-enabled',
tls_skip_verify: true,
allow_public_unauthenticated_access: true,
},
{
from: 'https://httpdetails.localhost.pomerium.io',
to: 'https://trusted-httpdetails' + dns_suffix + ':8443',
path: '/tls-skip-verify-disabled',
tls_skip_verify: false,
allow_public_unauthenticated_access: true,
},
// tls_server_name
{
from: 'https://httpdetails.localhost.pomerium.io',
to: 'https://wrongly-named-httpdetails' + dns_suffix + ':8443',
path: '/tls-server-name-enabled',
tls_server_name: 'httpdetails.localhost.notpomerium.io',
allow_public_unauthenticated_access: true,
},
{
from: 'https://httpdetails.localhost.pomerium.io',
to: 'https://wrongly-named-httpdetails' + dns_suffix + ':8443',
path: '/tls-server-name-disabled',
allow_public_unauthenticated_access: true,
},
// tls_custom_certificate_authority
{
from: 'https://httpdetails.localhost.pomerium.io',
to: 'https://untrusted-httpdetails' + dns_suffix + ':8443',
path: '/tls-custom-ca-enabled',
tls_custom_ca: std.base64(importstr '../files/untrusted-ca.pem'),
tls_server_name: 'httpdetails.localhost.pomerium.io',
allow_public_unauthenticated_access: true,
},
{
from: 'https://httpdetails.localhost.pomerium.io',
to: 'https://untrusted-httpdetails' + dns_suffix + ':8443',
path: '/tls-custom-ca-disabled',
allow_public_unauthenticated_access: true,
},
// tls_client_cert
// {
// from: 'http://httpdetails.localhost.pomerium.io',
// to: 'https://mtls-http-details' + dns_suffix + ':8443',
// path: '/tls-client-cert-enabled',
// tls_client_cert: std.base64(tls.trusted.client.cert),
// tls_client_key: std.base64(tls.trusted.client.key),
// tls_server_name: 'httpdetails.localhost.pomerium.io',
// allow_public_unauthenticated_access: true,
// },
// {
// from: 'http://httpdetails.localhost.pomerium.io',
// to: 'https://mtls-http-details' + dns_suffix + ':8443',
// path: '/tls-client-cert-disabled',
// allow_public_unauthenticated_access: true,
// },
// cors_allow_preflight option
{
from: 'https://httpdetails.localhost.pomerium.io',
to: 'http://trusted-httpdetails' + dns_suffix + ':8080',
prefix: '/cors-enabled',
cors_allow_preflight: true,
},
{
from: 'https://httpdetails.localhost.pomerium.io',
to: 'http://trusted-httpdetails' + dns_suffix + ':8080',
prefix: '/cors-disabled',
cors_allow_preflight: false,
},
// preserve_host_header option
{
from: 'https://httpdetails.localhost.pomerium.io',
to: 'http://trusted-httpdetails' + dns_suffix + ':8080',
prefix: '/preserve-host-header-enabled',
allow_public_unauthenticated_access: true,
preserve_host_header: true,
},
{
from: 'https://httpdetails.localhost.pomerium.io',
to: 'http://trusted-httpdetails' + dns_suffix + ':8080',
prefix: '/preserve-host-header-disabled',
allow_public_unauthenticated_access: true,
preserve_host_header: false,
},
// authorization policy
{
from: 'https://restricted-httpdetails.localhost.pomerium.io',
to: 'http://trusted-httpdetails' + dns_suffix + ':8080',
allow_any_authenticated_user: true,
pass_identity_headers: true,
},
{
from: 'https://httpdetails.localhost.pomerium.io',
prefix: '/by-domain',
to: 'http://trusted-httpdetails' + dns_suffix + ':8080',
allowed_domains: ['dogs.test'],
pass_identity_headers: true,
},
{
from: 'https://httpdetails.localhost.pomerium.io',
prefix: '/by-user',
to: 'http://trusted-httpdetails' + dns_suffix + ':8080',
allowed_users: ['user1@dogs.test'],
pass_identity_headers: true,
},
// catch-all
{
from: 'https://httpdetails.localhost.pomerium.io',
to: 'http://trusted-httpdetails' + dns_suffix + ':8080',
allow_public_unauthenticated_access: true,
pass_identity_headers: true,
set_request_headers: {
'X-Custom-Request-Header': 'custom-request-header-value',
},
},
// websockets
{
from: 'https://enabled-ws-echo.localhost.pomerium.io',
to: 'http://websocket-echo' + dns_suffix + ':80',
allow_public_unauthenticated_access: true,
allow_websockets: true,
},
{
from: 'https://disabled-ws-echo.localhost.pomerium.io',
to: 'http://websocket-echo' + dns_suffix + ':80',
allow_public_unauthenticated_access: true,
},
// cloudrun
{
from: 'https://cloudrun.localhost.pomerium.io',
to: 'http://trusted-httpdetails' + dns_suffix + ':8080',
allow_public_unauthenticated_access: true,
pass_identity_headers: true,
enable_google_cloud_serverless_authentication: true,
set_request_headers: {
'x-idp': idp,
},
},
] + if mode == 'multi' then [
{
from: 'https://authenticate.localhost.pomerium.io',
to: 'https://pomerium-authenticate',
allow_public_unauthenticated_access: true,
host_rewrite: 'authenticate.localhost.pomerium.io',
tls_skip_verify: true,
},
] else [];
{
Routes: Routes,
}
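Review bot: The `envoy.localhost.pomerium.io` route forwards to Envoy's admin endpoint at `http://localhost:9901` with `allow_public_unauthenticated_access: true`, so anyone who can reach the proxy can invoke admin handlers (config dumps, log-level changes, drain) without a session. If a test needs that endpoint, `allow_any_authenticated_user: true` keeps the coverage while closing the anonymous path; otherwise a comment should record why it must be public. The commented-out mTLS routes also reference `tls.trusted.client.cert`, a name that does not exist in this file, so they would not evaluate if simply uncommented — either drop them or point them at `importstr` fixtures like the live routes.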


@ -0,0 +1,55 @@
local utils = import '../utils.libsonnet';
function(mode) {
local name = 'verify',
local image = 'pomerium/verify:${VERIFY_TAG:-latest}',
compose: {
services:
utils.ComposeService(name, {
image: image,
depends_on: {
[name + '-init']: {
condition: 'service_completed_successfully',
},
},
environment: {
SSL_CERT_FILE: '/verify_config/ca.pem',
},
volumes: [
'verify_config:/verify_config',
],
}) +
utils.ComposeService(name + '-init', {
image: 'busybox:latest',
command: [
'sh',
'-c',
"echo '" + (importstr '../files/ca.pem') + "' > /verify_config/ca.pem",
],
volumes: [
'verify_config:/verify_config',
],
}) +
utils.ComposeService(name + '-ready', {
image: 'jwilder/dockerize:0.6.1',
command: [
'-wait',
'http://' + name + ':80/',
'-timeout',
'10m',
],
}),
volumes: {
verify_config: {},
},
},
kubernetes: [
utils.KubernetesService(name, [
{ name: 'http', port: 80, targetPort: 'http' },
]),
utils.KubernetesDeployment(name, image, null, [
{ name: 'http', containerPort: 80 },
]),
],
}
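Review bot: The Kubernetes variant of `verify` never receives the test CA: the compose service gets `SSL_CERT_FILE=/verify_config/ca.pem` from the init container, but `utils.KubernetesDeployment(name, image, null, ...)` passes neither an environment nor a volume, so in-cluster TLS verification against the `*.localhost.pomerium.io` certificate will presumably behave differently from the compose run. If `utils.KubernetesDeployment` supports it, pass the same environment and mount `ca.pem` from a ConfigMap, or add a comment documenting that the k8s path relies on a cluster-provided trust store. The `"echo '" + ca.pem + "'"` form embeds the PEM in a single-quoted shell string; it works because PEM contains no `'`, but a heredoc as used in the httpdetails file is less fragile.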


@ -0,0 +1,33 @@
local utils = import '../utils.libsonnet';
function() {
local name = 'websocket-echo',
local image = 'pvtmert/websocketd:latest',
local command = ['--port', '80', 'tee'],
compose: {
services:
utils.ComposeService(name, {
image: image,
command: command,
}) +
utils.ComposeService(name + '-ready', {
image: 'jwilder/dockerize:0.6.1',
command: [
'-wait',
'tcp://' + name + ':80',
'-timeout',
'10m',
],
}),
volumes: {},
},
kubernetes: [
utils.KubernetesDeployment(name, image, command, [
{ name: 'http', containerPort: 80 },
]),
utils.KubernetesService(name, [
{ name: 'http', port: 80, targetPort: 'http' },
]),
],
}
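Review bot: `pvtmert/websocketd:latest` is a floating tag on a third-party image, while the other sidecars in this commit pin versions (`fortio/fortio:1.17.0`, `redis:6.2.5-alpine`, `jwilder/dockerize:0.6.1`); an upstream push changes what CI runs with no diff in this repository. Pin it, e.g. `local image = 'pvtmert/websocketd:<tag>@sha256:<digest>'`, or mirror it under the project's own namespace as is done for `pomerium/verify`. The same applies to `busybox:latest` in the init containers elsewhere in this commit.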