e2e: add openssl e2e test

e2e/openssl/deployment/ns.yml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: e2e-test

e2e/openssl/deployment/portforwarder.yml

@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: port-forwarder-coordinator
+  namespace: e2e-test
+  labels:
+    app.kubernetes.io/name: port-forwarder-coordinator
+spec:
+  containers:
+    - name: port-forwarder
+      image: ghcr.io/msanft/nunki/port-forwarder@sha256:56b377727ba3fe9ebafdab7f13b1295a8a33eee5b929517232b683b8f37b6d40
+      env:
+        - name: LISTEN_PORT
+          value: "1313"
+        - name: FORWARD_HOST
+          value: coordinator
+        - name: FORWARD_PORT
+          value: "1313"
+      command:
+        - /bin/bash
+        - "-c"
+        - echo Starting port-forward with socat; exec socat -d -d TCP-LISTEN:${LISTEN_PORT},fork TCP:${FORWARD_HOST}:${FORWARD_PORT}
+      ports:
+        - containerPort: 1313
+      resources:
+        requests:
+          memory: 50Mi
+        limits:
+          memory: 50Mi

e2e/openssl/openssl_test.go

@@ -0,0 +1,69 @@
+//go:build e2e
+// +build e2e
+
+package openssl
+
+import (
+	"context"
+	"log/slog"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/edgelesssys/nunki/e2e/internal/kubeclient"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+// namespace the tests are executed in.
+const namespace = "e2e-test"
+
+/*
+This tests an OpenSSL deployment on Nunki.
+
+It does so by:
+  - Templating the container image into the deployment YAML.
+  - Exec'ing into the OpenSSL frontend, which talks mTLS to the OpenSSL backend, asserting that the connection is successful.
+*/
+func TestOpenssl(t *testing.T) {
+	require := require.New(t)
+	assert := assert.New(t)
+
+	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
+	c, err := kubeclient.NewFromConfigFile(clientcmd.RecommendedHomeFile, log)
+	require.NoError(err)
+
+	frontendPods, err := c.PodsFromDeployment(context.Background(), namespace, "openssl-frontend")
+	require.NoError(err)
+	require.Len(frontendPods, 1)
+
+	// Start the frontend server
+	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
+	defer cancel()
+	stdout, stderr, err := c.Exec(ctx, namespace, frontendPods[0].Name,
+		[]string{"/bin/bash", "-c", "openssl s_server -www -port 443 -cert /tls-config/certChain.pem -key /tls-config/key.pem -cert_chain /tls-config/certChain.pem &"},
+	)
+	require.NoError(err, "stdout: %s, stderr: %s", stdout, stderr)
+
+	// Call the backend server from the frontend
+	ctx, cancel = context.WithTimeout(context.Background(), 1*time.Minute)
+	defer cancel()
+	stdout, stderr, err = c.Exec(ctx, namespace, frontendPods[0].Name,
+		[]string{"/bin/bash", "-c", "echo \"THIS IS A TEST MESSAGE\" | openssl s_client -connect openssl-backend:443 -verify_return_error -CAfile /tls-config/MeshCACert.pem -cert /tls-config/certChain.pem -key /tls-config/key.pem"},
+	)
+	require.NoError(err, "stdout: %s, stderr: %s", stdout, stderr)
+
+	// Call the frontend server from the client
+	clientPods, err := c.PodsFromDeployment(context.Background(), namespace, "openssl-client")
+	require.NoError(err)
+	require.Len(clientPods, 1)
+
+	ctx, cancel = context.WithTimeout(context.Background(), 1*time.Minute)
+	defer cancel()
+	stdout, stderr, err = c.Exec(ctx, namespace, clientPods[0].Name,
+		[]string{"/bin/bash", "-c", "echo \"THIS IS A TEST MESSAGE\" | openssl s_client -connect openssl-frontend:443 -verify_return_error -CAfile /tls-config/RootCACert.pem"},
+	)
+	require.NoError(err, "stdout: %s, stderr: %s", stdout, stderr)
+	assert.Contains(stdout, "Verification: OK")
+}