diff --git a/e2e/openssl/openssl_test.go b/e2e/openssl/openssl_test.go
index aaff54572b..07a5583ce6 100644
--- a/e2e/openssl/openssl_test.go
+++ b/e2e/openssl/openssl_test.go
@@ -23,40 +23,8 @@ import (
 // namespace the tests are executed in.
 const namespaceEnv = "K8S_NAMESPACE"
-// TestBackend verifies that the certificates minted by the coordinator are accepted by OpenSSL in server and client mode.
-//
-// The test expects deployments/openssl to be available in the cluster (manifest set and workloads ready).
-func TestFrontend2Backend(t *testing.T) {
- require := require.New(t)
-
- ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
- defer cancel()
-
- c := kubeclient.NewForTest(t)
-
- namespace := os.Getenv(namespaceEnv)
- require.NotEmpty(namespace, "environment variable %q must be set", namespaceEnv)
-
- frontendPods, err := c.PodsFromDeployment(ctx, namespace, "openssl-frontend")
- require.NoError(err)
- require.Len(frontendPods, 1, "pod not found: %s/%s", namespace, "openssl-frontend")
-
- require.NoError(c.WaitForPod(ctx, namespace, frontendPods[0].Name))
-
- // Call the backend server from the frontend. If this command produces no TLS error, we verified that
- // - the certificate in the frontend pod can be used as a client certificate
- // - the certificate in the backend pod can be used as a server certificate
- // - the backend's CA configuration accepted the frontend certificate
- // - the frontend's CA configuration accepted the backend certificate
- stdout, stderr, err := c.Exec(ctx, namespace, frontendPods[0].Name,
- []string{"/bin/bash", "-c", `printf "GET / HTTP/1.0\nHost: openssl-backend\n" | openssl s_client -connect openssl-backend:443 -verify_return_error -CAfile /tls-config/MeshCACert.pem -cert /tls-config/certChain.pem -key /tls-config/key.pem`},
- )
- t.Log(stdout)
- require.NoError(err, "stderr: %q", stderr)
-}
-
-// TestFrontend verifies the certificate used by the OpenSSL frontend comes from the coordinator.
-func TestFrontend(t *testing.T) {
+// TestOpenSSL runs e2e tests on the example OpenSSL deployment.
+func TestOpenSSL(t *testing.T) {
 c := kubeclient.NewForTest(t)
 namespace := os.Getenv(namespaceEnv)
@@ -120,4 +88,36 @@ func TestFrontend(t *testing.T) {
 conn.Close()
 })
 }
+
+ // TODO(burgerdev): this test should be run with its own kubectl apply/contrast set preface.
+ t.Run("certificates can be used by OpenSSL", func(t *testing.T) {
+ // This test verifies that the certificates minted by the coordinator are accepted by OpenSSL in server and client mode.
+ require := require.New(t)
+
+ ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
+ defer cancel()
+
+ c := kubeclient.NewForTest(t)
+
+ const opensslFrontend = "openssl-frontend"
+ const opensslBackend = "openssl-backend"
+
+ require.NoError(c.WaitForDeployment(ctx, namespace, opensslFrontend))
+ require.NoError(c.WaitForDeployment(ctx, namespace, opensslBackend))
+
+ frontendPods, err := c.PodsFromDeployment(ctx, namespace, opensslFrontend)
+ require.NoError(err)
+ require.Len(frontendPods, 1, "pod not found: %s/%s", namespace, opensslFrontend)
+
+ // Call the backend server from the frontend. If this command produces no TLS error, we verified that
+ // - the certificate in the frontend pod can be used as a client certificate
+ // - the certificate in the backend pod can be used as a server certificate
+ // - the backend's CA configuration accepted the frontend certificate
+ // - the frontend's CA configuration accepted the backend certificate
+ stdout, stderr, err := c.Exec(ctx, namespace, frontendPods[0].Name,
+ []string{"/bin/bash", "-c", `printf "GET / HTTP/1.0\nHost: openssl-backend\n" | openssl s_client -connect openssl-backend:443 -verify_return_error -CAfile /tls-config/MeshCACert.pem -cert /tls-config/certChain.pem -key /tls-config/key.pem`},
+ )
+ t.Log(stdout)
+ require.NoError(err, "stderr: %q", stderr)
+ })
 }
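Review bot: The new subtest "certificates can be used by OpenSSL" judges the mutual-TLS claims in its comment only by the exit status of `openssl s_client`, which the command as written does not fully back up. `-verify_return_error` with `-CAfile` checks the backend's chain against the mesh CA but not the peer name, and "the backend's CA configuration accepted the frontend certificate" holds only if the backend demands a client certificate, which is configured outside this hunk. I would state that dependency next to the bullet list, e.g. `// NOTE: only meaningful while openssl-backend requires and verifies client certificates.`, and add a negative subtest that runs the same command without `-cert`/`-key` and expects `require.Error`. If the minted certificates carry the service name as a SAN (not visible here), `-verify_hostname openssl-backend` would additionally pin the identity. The subtest also shadows the outer `c` with a second `kubeclient.NewForTest(t)`; TestOpenSSL's body begins outside the hunk, so I cannot tell whether the outer client could be reused.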