envoy: Initial changes

2025-05-17 11:07:18 +02:00 · 2020-05-18 16:34:31 -04:00 · 2020-05-18 16:34:31 -04:00 · 99e788a9b4
commit 99e788a9b4
parent 8f78497e99
107 changed files with 2542 additions and 3322 deletions
--- a/integration/internal/cluster/certs.go
+++ b/integration/internal/cluster/certs.go
@ -1,116 +1,69 @@
 package cluster

 import (
+	"bytes"
 	"context"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
+
+	"github.com/google/uuid"
 )

 // TLSCerts holds the certificate authority, certificate and certificate key for a TLS connection.
 type TLSCerts struct {
-	CA     []byte
-	Cert   []byte
-	Key    []byte
-	Client struct {
-		Cert []byte
-		Key  []byte
-	}
+	CA   string
+	Cert string
+	Key  string
 }

-// TLSCertsBundle holds various TLSCerts.
-type TLSCertsBundle struct {
-	Trusted      TLSCerts
-	WronglyNamed TLSCerts
-	Untrusted    TLSCerts
-}
-
-func bootstrapCerts(ctx context.Context) (*TLSCertsBundle, error) {
-	wd := filepath.Join(os.TempDir(), "pomerium-integration-tests", "certs")
-	err := os.MkdirAll(wd, 0755)
+func bootstrapCerts(ctx context.Context) (*TLSCerts, error) {
+	err := run(ctx, "mkcert", withArgs("-install"))
 	if err != nil {
-		return nil, fmt.Errorf("error creating integration tests working directory: %w", err)
+		return nil, fmt.Errorf("error install root certificate: %w", err)
 	}

-	var bundle TLSCertsBundle
-
-	var generators = []struct {
-		certs   *TLSCerts
-		caroot  string
-		install bool
-		name    string
-	}{
-		{&bundle.Trusted, filepath.Join(wd, "trusted"), true, "*.localhost.pomerium.io"},
-		{&bundle.WronglyNamed, filepath.Join(wd, "wrongly-named"), true, "*.localhost.notpomerium.io"},
-		{&bundle.Untrusted, filepath.Join(wd, "untrusted"), false, "*.localhost.pomerium.io"},
+	var buf bytes.Buffer
+	err = run(ctx, "mkcert", withArgs("-CAROOT"), withStdout(&buf))
+	if err != nil {
+		return nil, fmt.Errorf("error running mkcert")
 	}

-	for _, generator := range generators {
-		err = os.MkdirAll(generator.caroot, 0755)
-		if err != nil {
-			return nil, fmt.Errorf("error creating integration tests %s working directory: %w",
-				filepath.Base(generator.caroot), err)
-		}
-
-		args := []string{"-install"}
-		env := []string{"CAROOT=" + generator.caroot}
-		if !generator.install {
-			env = append(env, "TRUST_STORES=xxx")
-		}
-		err = run(ctx, "mkcert", withArgs(args...), withEnv(env...))
-		if err != nil {
-			return nil, fmt.Errorf("error creating %s certificate authority: %w",
-				filepath.Base(generator.caroot), err)
-		}
-
-		fp := filepath.Join(generator.caroot, "rootCA.pem")
-		generator.certs.CA, err = ioutil.ReadFile(fp)
-		if err != nil {
-			return nil, fmt.Errorf("error reading %s root ca: %w",
-				filepath.Base(generator.caroot), err)
-		}
-
-		env = []string{"CAROOT=" + generator.caroot}
-		err = run(ctx, "mkcert", withArgs(generator.name), withWorkingDir(generator.caroot), withEnv(env...))
-		if err != nil {
-			return nil, fmt.Errorf("error generating %s certificates: %w",
-				filepath.Base(generator.caroot), err)
-		}
-		err = run(ctx, "mkcert", withArgs("-client", generator.name), withWorkingDir(generator.caroot), withEnv(env...))
-		if err != nil {
-			return nil, fmt.Errorf("error generating %s client certificates: %w",
-				filepath.Base(generator.caroot), err)
-		}
-
-		fp = filepath.Join(generator.caroot, strings.ReplaceAll(generator.name, "*", "_wildcard")+".pem")
-		generator.certs.Cert, err = ioutil.ReadFile(fp)
-		if err != nil {
-			return nil, fmt.Errorf("error reading %s certificate: %w",
-				filepath.Base(generator.caroot), err)
-		}
-
-		fp = filepath.Join(generator.caroot, strings.ReplaceAll(generator.name, "*", "_wildcard")+"-client.pem")
-		generator.certs.Client.Cert, err = ioutil.ReadFile(fp)
-		if err != nil {
-			return nil, fmt.Errorf("error reading %s client certificate: %w",
-				filepath.Base(generator.caroot), err)
-		}
-
-		fp = filepath.Join(generator.caroot, strings.ReplaceAll(generator.name, "*", "_wildcard")+"-key.pem")
-		generator.certs.Key, err = ioutil.ReadFile(fp)
-		if err != nil {
-			return nil, fmt.Errorf("error reading %s certificate key: %w",
-				filepath.Base(generator.caroot), err)
-		}
-		fp = filepath.Join(generator.caroot, strings.ReplaceAll(generator.name, "*", "_wildcard")+"-client-key.pem")
-		generator.certs.Client.Key, err = ioutil.ReadFile(fp)
-		if err != nil {
-			return nil, fmt.Errorf("error reading %s client certificate key: %w",
-				filepath.Base(generator.caroot), err)
-		}
+	caPath := strings.TrimSpace(buf.String())
+	ca, err := ioutil.ReadFile(filepath.Join(caPath, "rootCA.pem"))
+	if err != nil {
+		return nil, fmt.Errorf("error reading root ca: %w", err)
 	}

-	return &bundle, nil
+	wd := filepath.Join(os.TempDir(), uuid.New().String())
+	err = os.MkdirAll(wd, 0755)
+	if err != nil {
+		return nil, fmt.Errorf("error creating temporary directory: %w", err)
+	}
+	defer func() {
+		_ = os.RemoveAll(wd)
+	}()
+
+	err = run(ctx, "mkcert", withArgs("*.localhost.pomerium.io"), withWorkingDir(wd))
+	if err != nil {
+		return nil, fmt.Errorf("error generating certificates: %w", err)
+	}
+
+	cert, err := ioutil.ReadFile(filepath.Join(wd, "_wildcard.localhost.pomerium.io.pem"))
+	if err != nil {
+		return nil, fmt.Errorf("error reading certificate: %w", err)
+	}
+
+	key, err := ioutil.ReadFile(filepath.Join(wd, "_wildcard.localhost.pomerium.io-key.pem"))
+	if err != nil {
+		return nil, fmt.Errorf("error reading certificate key: %w", err)
+	}
+
+	return &TLSCerts{
+		CA:   string(ca),
+		Cert: string(cert),
+		Key:  string(key),
+	}, nil
 }
--- a/integration/internal/cluster/cluster.go
+++ b/integration/internal/cluster/cluster.go
@ -11,10 +11,10 @@ import (

 // A Cluster is used to configure a kubernetes cluster.
 type Cluster struct {
-	Transport *http.Transport
+	workingDir string

-	workingDir  string
-	certsBundle *TLSCertsBundle
+	transport http.RoundTripper
+	certs     *TLSCerts
 }

 // New creates a new Cluster.
@ -32,7 +32,7 @@ func (cluster *Cluster) NewHTTPClient() *http.Client {
 		panic(err)
 	}
 	return &http.Client{
-		Transport: &loggingRoundTripper{cluster.Transport},
+		Transport: &loggingRoundTripper{cluster.transport},
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse
 		},
--- a/integration/internal/cluster/cmd.go
+++ b/integration/internal/cluster/cmd.go
@ -5,7 +5,6 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"os"
 	"os/exec"

 	"github.com/rs/zerolog/log"
@ -19,12 +18,6 @@ func withArgs(args ...string) cmdOption {
 	}
 }

-func withEnv(env ...string) cmdOption {
-	return func(cmd *exec.Cmd) {
-		cmd.Env = append(os.Environ(), env...)
-	}
-}
-
 func withStdin(rdr io.Reader) cmdOption {
 	return func(cmd *exec.Cmd) {
 		cmd.Stdin = rdr
--- a/integration/internal/cluster/setup.go
+++ b/integration/internal/cluster/setup.go
@ -15,18 +15,17 @@ import (
 	"time"

 	"github.com/google/go-jsonnet"
+	"github.com/pomerium/pomerium/integration/internal/httputil"
 	"github.com/rs/zerolog/log"
-
-	"github.com/pomerium/pomerium/integration/internal/netutil"
 )

 var requiredDeployments = []string{
-	"ingress-nginx/nginx-ingress-controller",
 	"default/httpdetails",
 	"default/openid",
 	"default/pomerium-authenticate",
 	"default/pomerium-authorize",
 	"default/pomerium-proxy",
+	"ingress-nginx/nginx-ingress-controller",
 }

 // Setup configures the test cluster so that it is ready for the integration tests.
@ -36,7 +35,7 @@ func (cluster *Cluster) Setup(ctx context.Context) error {
 		return fmt.Errorf("error running kubectl cluster-info: %w", err)
 	}

-	cluster.certsBundle, err = bootstrapCerts(ctx)
+	cluster.certs, err = bootstrapCerts(ctx)
 	if err != nil {
 		return err
 	}
@ -56,14 +55,13 @@ func (cluster *Cluster) Setup(ctx context.Context) error {
 		return err
 	}

-	cluster.Transport = &http.Transport{
-		DialContext: netutil.NewLocalDialer((&net.Dialer{}), map[string]string{
-			"443": hostport,
-		}).DialContext,
+	cluster.transport = httputil.NewLocalRoundTripper(&http.Transport{
 		TLSClientConfig: &tls.Config{
 			InsecureSkipVerify: true,
 		},
-	}
+	}, map[string]string{
+		"443": hostport,
+	})

 	return nil
 }
@ -145,21 +143,9 @@ func (cluster *Cluster) generateManifests() (string, error) {
 	}

 	vm := jsonnet.MakeVM()
-	for _, item := range []struct {
-		name  string
-		certs *TLSCerts
-	}{
-		{"trusted", &cluster.certsBundle.Trusted},
-		{"wrongly-named", &cluster.certsBundle.WronglyNamed},
-		{"untrusted", &cluster.certsBundle.Untrusted},
-	} {
-
-		vm.ExtVar("tls-"+item.name+"-ca", string(item.certs.CA))
-		vm.ExtVar("tls-"+item.name+"-cert", string(item.certs.Cert))
-		vm.ExtVar("tls-"+item.name+"-key", string(item.certs.Key))
-		vm.ExtVar("tls-"+item.name+"-client-cert", string(item.certs.Client.Cert))
-		vm.ExtVar("tls-"+item.name+"-client-key", string(item.certs.Client.Key))
-	}
+	vm.ExtVar("tls-ca", cluster.certs.CA)
+	vm.ExtVar("tls-cert", cluster.certs.Cert)
+	vm.ExtVar("tls-key", cluster.certs.Key)
 	vm.Importer(&jsonnet.FileImporter{
 		JPaths: []string{filepath.Join(cluster.workingDir, "manifests")},
 	})
@ -178,7 +164,7 @@ func applyManifests(ctx context.Context, jsonsrc string) error {
 	}

 	log.Info().Msg("waiting for deployments to come up")
-	ctx, clearTimeout := context.WithTimeout(ctx, 15*time.Minute)
+	ctx, clearTimeout := context.WithTimeout(ctx, 5*time.Minute)
 	defer clearTimeout()
 	ticker := time.NewTicker(time.Second * 5)
 	defer ticker.Stop()