From 6a8fc0d5dd01ccea090f8d3030810959dbbe3801 Mon Sep 17 00:00:00 2001 From: Kuat Date: Fri, 1 Nov 2019 02:32:04 -0700 Subject: [PATCH] test: add TLS SD validation (#2503) * basic TLS test Signed-off-by: Kuat Yessenov * basic TLS test Signed-off-by: Kuat Yessenov * fix a unit test Signed-off-by: Kuat Yessenov * add mTLS certs Signed-off-by: Kuat Yessenov * add principals 
Signed-off-by: Kuat Yessenov --- extensions/common/context.cc | 32 +- extensions/common/context.h | 15 +- extensions/stackdriver/log/logger.cc | 4 +- extensions/stackdriver/log/logger_test.cc | 6 +- extensions/stackdriver/metric/record.cc | 9 +- extensions/stats/plugin.h | 5 +- test/envoye2e/basic_flow/basic_xds_test.go | 30 ++ test/envoye2e/driver/envoy.go | 6 +- test/envoye2e/driver/resource.go | 19 +- test/envoye2e/driver/scenario.go | 10 +- test/envoye2e/driver/stackdriver.go | 57 ++-- test/envoye2e/env/ports.go | 2 + test/envoye2e/env/setup.go | 2 +- test/envoye2e/env/tcp_server.go | 17 +- .../fake_stackdriver/data.go | 276 ------------------ .../stackdriver_plugin_test.go | 19 +- .../stackdriver_xds_test.go | 64 +++- .../tcp_metadata_exchange_test.go | 25 +- testdata/bootstrap/client.yaml.tmpl | 1 + .../certs}/cert-chain.pem | 0 testdata/certs/client-key.cert | 27 ++ testdata/certs/client.cert | 20 ++ testdata/certs/generate.sh | 21 ++ .../certs}/key.pem | 0 .../certs}/root-cert.pem | 0 testdata/certs/root.cert | 21 ++ testdata/certs/root.key | 27 ++ testdata/certs/server-key.cert | 27 ++ testdata/certs/server.cert | 20 ++ .../client_request_count.yaml.tmpl | 30 ++ .../stackdriver/server_access_log.yaml.tmpl | 136 +++++++++ .../server_request_count.yaml.tmpl | 31 ++ testdata/transport_socket/client.yaml.tmpl | 11 + testdata/transport_socket/server.yaml.tmpl | 11 + 34 files changed, 609 insertions(+), 372 deletions(-) delete mode 100644 test/envoye2e/stackdriver_plugin/fake_stackdriver/data.go rename {test/envoye2e/tcp_metadata_exchange => testdata/certs}/cert-chain.pem (100%) create mode 100644 testdata/certs/client-key.cert create mode 100644 testdata/certs/client.cert create mode 100644 testdata/certs/generate.sh rename {test/envoye2e/tcp_metadata_exchange => testdata/certs}/key.pem (100%) rename {test/envoye2e/tcp_metadata_exchange => testdata/certs}/root-cert.pem (100%) create mode 100644 testdata/certs/root.cert create mode 100644 testdata/certs/root.key 
create mode 100644 testdata/certs/server-key.cert create mode 100644 testdata/certs/server.cert create mode 100644 testdata/stackdriver/client_request_count.yaml.tmpl create mode 100644 testdata/stackdriver/server_access_log.yaml.tmpl create mode 100644 testdata/stackdriver/server_request_count.yaml.tmpl create mode 100644 testdata/transport_socket/client.yaml.tmpl create mode 100644 testdata/transport_socket/server.yaml.tmpl diff --git a/extensions/common/context.cc b/extensions/common/context.cc index 1d8a2cff1632..43f77c11a299 100644 --- a/extensions/common/context.cc +++ b/extensions/common/context.cc @@ -71,6 +71,19 @@ void extractServiceName(const std::string& fqdn, std::string* service_name) { } // namespace +StringView AuthenticationPolicyString(ServiceAuthenticationPolicy policy) { + switch (policy) { + case ServiceAuthenticationPolicy::None: + return kNone; + case ServiceAuthenticationPolicy::MutualTLS: + return kMutualTLS; + default: + break; + } + return {}; + ; +} + using google::protobuf::util::JsonStringToMessage; using google::protobuf::util::MessageToJsonString; 
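Review bot: `AuthenticationPolicyString` returns an empty view for `ServiceAuthenticationPolicy::Unspecified`, so every label or dimension built from it in this patch (logger.cc, record.cc, stats/plugin.h) silently becomes `""` whenever the policy was never populated; the enumerator deserves an explicit `case ServiceAuthenticationPolicy::Unspecified:` rather than falling through `default: break;`, and dropping `default` lets `-Wswitch` flag future enumerators. If an empty string is not the intended wire value, the `unknown` string already used by stats/plugin.h is the obvious candidate. The stray empty statement `;` on its own line after `return {};` should also be removed.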
@@ -181,16 +194,25 @@ void populateHTTPRequestInfo(bool outbound, RequestInfo* request_info) { ->toString(); int64_t destination_port = 0; - std::string tls_version; if (outbound) { getValue({"upstream", "port"}, &destination_port); - getValue({"upstream", "mtls"}, &request_info->mTLS); - getStringValue({"upstream", "tls_version"}, &tls_version); + getStringValue({"upstream", "uri_san_peer_certificate"}, + &request_info->destination_principal); + getStringValue({"upstream", "uri_san_local_certificate"}, + &request_info->source_principal); } else { getValue({"destination", "port"}, &destination_port); - getValue({"connection", "mtls"}, &request_info->mTLS); - getStringValue({"connection", "tls_version"}, &tls_version); + bool mtls = false; + if (getValue({"connection", "mtls"}, &mtls)) { + request_info->service_auth_policy = + mtls ? ::Wasm::Common::ServiceAuthenticationPolicy::MutualTLS + : ::Wasm::Common::ServiceAuthenticationPolicy::None; + } + getStringValue({"connection", "uri_san_local_certificate"}, + &request_info->destination_principal); + getStringValue({"connection", "uri_san_peer_certificate"}, + &request_info->source_principal); } request_info->destination_port = destination_port; } diff --git a/extensions/common/context.h b/extensions/common/context.h index 0dd0edcbef2f..0976024f84f7 100644 --- a/extensions/common/context.h +++ b/extensions/common/context.h @@ -49,6 +49,17 @@ const std::string kProtocolGRPC = "grpc"; const std::set kGrpcContentTypes{ "application/grpc", "application/grpc+proto", "application/grpc+json"}; +enum class ServiceAuthenticationPolicy : int64_t { + Unspecified = 0, + None = 1, + MutualTLS = 2, +}; + +constexpr StringView kMutualTLS = "MUTUAL_TLS"; +constexpr StringView kNone = "NONE"; + +StringView AuthenticationPolicyString(ServiceAuthenticationPolicy policy); + // RequestInfo represents the information collected from filter stream // callbacks. This is used to fill metrics and logs. struct RequestInfo { 
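Review bot: The outbound branch of `populateHTTPRequestInfo` no longer derives any authentication policy: the removed `getValue({"upstream", "mtls"}, ...)` has no replacement, so `request_info->service_auth_policy` keeps whatever it held before the call, while the inbound branch sets it from `connection.mtls`. If outbound policy is intentionally not determined here, say so explicitly with `request_info->service_auth_policy = ::Wasm::Common::ServiceAuthenticationPolicy::Unspecified;` so the outbound label does not depend on the caller's initialization of `RequestInfo`. The principals are also copied from `uri_san_peer_certificate` regardless of whether `mtls` was true; whether that SAN belongs to a verified certificate presumably depends on the listener's validation context, which is outside this hunk and worth a comment at the assignment.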
@@ -86,8 +97,8 @@ struct RequestInfo { // Operation of the request, i.e. HTTP method or gRPC API method. std::string request_operation; - // Indicates if the request uses mTLS. - bool mTLS = false; + // Service authentication policy (NONE, MUTUAL_TLS) + ServiceAuthenticationPolicy service_auth_policy; // Principal of source and destination workload extracted from TLS // certificate. diff --git a/extensions/stackdriver/log/logger.cc b/extensions/stackdriver/log/logger.cc index 9375c33b8aa8..b9f07d41a8f9 100644 --- a/extensions/stackdriver/log/logger.cc +++ b/extensions/stackdriver/log/logger.cc @@ -95,8 +95,8 @@ void Logger::addLogEntry(const ::Wasm::Common::RequestInfo& request_info, (*label_map)["destination_principal"] = request_info.destination_principal; (*label_map)["source_principal"] = request_info.source_principal; (*label_map)["service_authentication_policy"] = - request_info.mTLS ? "true" : "false"; - + std::string(::Wasm::Common::AuthenticationPolicyString( + request_info.service_auth_policy)); // Accumulate estimated size of the request. If the current request exceeds // the size limit, flush the request out. size_ += new_entry->ByteSizeLong(); diff --git a/extensions/stackdriver/log/logger_test.cc b/extensions/stackdriver/log/logger_test.cc index 5ec78da2dc29..f298a2ef1fdc 100644 --- a/extensions/stackdriver/log/logger_test.cc +++ b/extensions/stackdriver/log/logger_test.cc @@ -80,7 +80,8 @@ ::Wasm::Common::RequestInfo requestInfo() { request_info.request_protocol = "HTTP"; request_info.destination_principal = "destination_principal"; request_info.source_principal = "source_principal"; - request_info.mTLS = true; + request_info.service_auth_policy = + ::Wasm::Common::ServiceAuthenticationPolicy::MutualTLS; return request_info; } 
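Review bot: `service_auth_policy` replaces `bool mTLS = false;` but has no default member initializer, so any `RequestInfo` that is default-initialized rather than `{}`-initialized carries an indeterminate enum value into `AuthenticationPolicyString`, which logger.cc, record.cc and stats/plugin.h all read. Initialize it in-class: `ServiceAuthenticationPolicy service_auth_policy = ServiceAuthenticationPolicy::Unspecified;`. The comment should also name the third state: `// Service authentication policy (UNSPECIFIED, NONE, MUTUAL_TLS)`.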
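Review bot: The `service_authentication_policy` log label changes its value domain from `"true"`/`"false"` to `"NONE"`/`"MUTUAL_TLS"` (and `""` for an unspecified policy), and the same patch changes the stats dimension in stats/plugin.h from `mutual_tls`/`none` to the same upper-case strings; these are consumer-visible schema changes in a commit titled as a test addition. The commit description should state them so downstream log and dashboard consumers are not surprised, and a comment at the assignment such as `// Values follow ServiceAuthenticationPolicy: NONE or MUTUAL_TLS.` would document the new contract. The same value change appears in the record.cc hunks at `@@ -40,7 +37,8 @@` and `@@ -65,7 +63,8 @@`.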
@@ -117,7 +118,8 @@ google::logging::v2::WriteLogEntriesRequest expectedRequest( (*label_map)["destination_principal"] = request_info.destination_principal; (*label_map)["source_principal"] = request_info.source_principal; (*label_map)["service_authentication_policy"] = - request_info.mTLS ? "true" : "false"; + std::string(::Wasm::Common::AuthenticationPolicyString( + request_info.service_auth_policy)); } return req; } diff --git a/extensions/stackdriver/metric/record.cc b/extensions/stackdriver/metric/record.cc index b07ba90ae3ee..5cc82baf2c5f 100644 --- a/extensions/stackdriver/metric/record.cc +++ b/extensions/stackdriver/metric/record.cc @@ -21,9 +21,6 @@ namespace Extensions { namespace Stackdriver { namespace Metric { -constexpr char kMutualTLS[] = "MUTUAL_TLS"; -constexpr char kNone[] = "NONE"; - void record(bool is_outbound, const ::wasm::common::NodeInfo &local_node_info, const ::wasm::common::NodeInfo &peer_node_info, const ::Wasm::Common::RequestInfo &request_info) { @@ -40,7 +37,8 @@ void record(bool is_outbound, const ::wasm::common::NodeInfo &local_node_info, {requestOperationKey(), request_info.request_operation}, {requestProtocolKey(), request_info.request_protocol}, {serviceAuthenticationPolicyKey(), - request_info.mTLS ? kMutualTLS : kNone}, + ::Wasm::Common::AuthenticationPolicyString( + request_info.service_auth_policy)}, {destinationServiceNameKey(), request_info.destination_service_host}, {destinationServiceNamespaceKey(), peer_node_info.namespace_()}, {destinationPortKey(), std::to_string(request_info.destination_port)}, 
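Review bot: record.cc passes the `StringView` returned by `AuthenticationPolicyString` directly as the tag value, whereas logger.cc and stats/plugin.h wrap the identical call in `std::string(...)`; if the tag map's value type is `std::string`, this relies on an implicit `StringView`→`std::string` conversion that `std::string_view` and `absl::string_view` do not provide, so either the wrap is needed here as well or it is redundant in the other two files. Pick one form for all three, e.g. `std::string(::Wasm::Common::AuthenticationPolicyString(request_info.service_auth_policy))`. The same pattern appears in the second `record` hunk at `@@ -65,7 +63,8 @@`.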
@@ -65,7 +63,8 @@ void record(bool is_outbound, const ::wasm::common::NodeInfo &local_node_info, {requestOperationKey(), request_info.request_operation}, {requestProtocolKey(), request_info.request_protocol}, {serviceAuthenticationPolicyKey(), - request_info.mTLS ? kMutualTLS : kNone}, + ::Wasm::Common::AuthenticationPolicyString( + request_info.service_auth_policy)}, {destinationServiceNameKey(), request_info.destination_service_host}, {destinationServiceNamespaceKey(), local_node_info.namespace_()}, {destinationPortKey(), std::to_string(request_info.destination_port)}, diff --git a/extensions/stats/plugin.h b/extensions/stats/plugin.h index 97c3b1142a84..e8b341995ddb 100644 --- a/extensions/stats/plugin.h +++ b/extensions/stats/plugin.h @@ -59,8 +59,6 @@ constexpr StringView Sep = "#@"; const std::string unknown = "unknown"; const std::string vSource = "source"; const std::string vDest = "destination"; -const std::string vMTLS = "mutual_tls"; -const std::string vNone = "none"; const std::string vDash = "-"; const std::string default_field_separator = ";.;"; @@ -191,7 +189,8 @@ struct IstioDimensions { request.response_flag.empty() ? vDash : request.response_flag; connection_security_policy = - outbound ? unknown : (request.mTLS ? vMTLS : vNone); + std::string(::Wasm::Common::AuthenticationPolicyString( + request.service_auth_policy)); permissive_response_code = request.rbac_permissive_engine_result.empty() ? "none" diff --git a/test/envoye2e/basic_flow/basic_xds_test.go b/test/envoye2e/basic_flow/basic_xds_test.go index 0b28d4acfb2e..7cd9b3706de6 100644 --- a/test/envoye2e/basic_flow/basic_xds_test.go +++ b/test/envoye2e/basic_flow/basic_xds_test.go @@ -75,6 +75,7 @@ filter_chains: route: cluster: inbound|9080|http|server.default.svc.cluster.local timeout: 0s +{{ .Vars.ServerTLSContext | indent 2 }} ` func TestBasicHTTP(t *testing.T) { 
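Review bot: `connection_security_policy` for outbound requests changes from the explicit `unknown` to whatever `AuthenticationPolicyString(request.service_auth_policy)` yields, and since the outbound branch of `populateHTTPRequestInfo` in this patch never sets `service_auth_policy`, that is `""` for `Unspecified` — an empty dimension value where the metric previously carried `unknown`. Keep the outbound guard, `outbound ? unknown : std::string(::Wasm::Common::AuthenticationPolicyString(request.service_auth_policy))`, or make `AuthenticationPolicyString` return a non-empty value for `Unspecified`. Removing `vMTLS`/`vNone` also changes the inbound values from `mutual_tls`/`none` to `MUTUAL_TLS`/`NONE`, which the commit message should call out. The enclosing `IstioDimensions` method continues outside the hunk.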
@@ -103,3 +104,32 @@ func TestBasicHTTP(t *testing.T) { t.Fatal(err) } } + +func TestBasicHTTPwithTLS(t *testing.T) { + ports := env.NewPorts(env.BasicHTTPwithTLS) + params := &driver.Params{ + Vars: map[string]string{ + "BackendPort": fmt.Sprintf("%d", ports.BackendPort), + "ClientPort": fmt.Sprintf("%d", ports.ClientToServerProxyPort), + "ClientAdmin": fmt.Sprintf("%d", ports.ClientAdminPort), + "ServerAdmin": fmt.Sprintf("%d", ports.ServerAdminPort), + "ServerPort": fmt.Sprintf("%d", ports.ProxyToServerProxyPort), + }, + XDS: int(ports.XDSPort), + } + params.Vars["ClientTLSContext"] = params.LoadTestData("testdata/transport_socket/client.yaml.tmpl") + params.Vars["ServerTLSContext"] = params.LoadTestData("testdata/transport_socket/server.yaml.tmpl") + if err := (&driver.Scenario{ + []driver.Step{ + &driver.XDS{}, + &driver.Update{Node: "client", Version: "0", Listeners: []string{ClientHTTPListener}}, + &driver.Update{Node: "server", Version: "0", Listeners: []string{ServerHTTPListener}}, + &driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/client.yaml.tmpl")}, + &driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/server.yaml.tmpl")}, + &driver.Sleep{1 * time.Second}, + &driver.Get{ports.ClientToServerProxyPort, "hello, world!"}, + }, + }).Run(params); err != nil { + t.Fatal(err) + } +} diff --git a/test/envoye2e/driver/envoy.go b/test/envoye2e/driver/envoy.go index 9f1bbb0c3a17..d33eb57f9e75 100644 --- a/test/envoye2e/driver/envoy.go +++ b/test/envoye2e/driver/envoy.go @@ -32,8 +32,6 @@ import ( type Envoy struct { // template for the bootstrap Bootstrap string - // working directory (optional) - Dir string tmpFile string cmd *exec.Cmd @@ -81,9 +79,7 @@ func (e *Envoy) Run(p *Params) error { cmd := exec.Command(envoyPath, args...) cmd.Stderr = os.Stderr cmd.Stdout = os.Stdout - if e.Dir != "" { - cmd.Dir = e.Dir - } + cmd.Dir = BazelWorkspace() log.Printf("envoy cmd %v", cmd.Args) e.cmd = cmd 
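Review bot: `TestBasicHTTPwithTLS` only asserts that the GET returns `"hello, world!"`, which would also hold if `ClientTLSContext`/`ServerTLSContext` rendered empty and the hop stayed plaintext (`Fill` parses with `missingkey=zero`), so the test does not actually prove TLS was negotiated. Consider asserting on the server listener's SSL handshake stats via `ServerAdmin` after the request, or adding a step showing that a client without the TLS context is refused. Stylistically, the positional literals `&driver.Sleep{1 * time.Second}` and `&driver.Get{ports.ClientToServerProxyPort, "hello, world!"}` would be clearer with field names, and `go vet`'s composites check flags unkeyed fields on struct types from another package.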
diff --git a/test/envoye2e/driver/resource.go b/test/envoye2e/driver/resource.go index 652e0a2a1fd4..318fcd34cecf 100644 --- a/test/envoye2e/driver/resource.go +++ b/test/envoye2e/driver/resource.go @@ -19,6 +19,8 @@ import ( "os/exec" "path/filepath" "strings" + + "github.com/golang/protobuf/proto" ) // Loads resources in the test data directory @@ -33,14 +35,21 @@ func BazelWorkspace() string { return strings.TrimSuffix(string(workspace), "\n") } +// Normalizes test data path +func TestPath(testFileName string) string { + return filepath.Join(BazelWorkspace(), testFileName) +} + +// Loads a test file content func LoadTestData(testFileName string) string { - data, err := ioutil.ReadFile(filepath.Join(BazelWorkspace(), testFileName)) + data, err := ioutil.ReadFile(TestPath(testFileName)) if err != nil { panic(err) } return string(data) } +// Loads a test file and fills in template variables func (p *Params) LoadTestData(testFileName string) string { data := LoadTestData(testFileName) out, err := p.Fill(data) @@ -49,3 +58,11 @@ func (p *Params) LoadTestData(testFileName string) string { } return out } + +// Loads a test file as YAML into a proto and fills in template variables +func (p *Params) LoadTestProto(testFileName string, msg proto.Message) { + data := LoadTestData(testFileName) + if err := p.FillYAML(data, msg); err != nil { + panic(err) + } +} diff --git a/test/envoye2e/driver/scenario.go b/test/envoye2e/driver/scenario.go index 40ed2a35c9ac..aecba17c4b67 100644 --- a/test/envoye2e/driver/scenario.go +++ b/test/envoye2e/driver/scenario.go 
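Review bot: The doc comment on `LoadTestProto` lists the steps in the opposite order from the code, which fills template variables first and then parses the result as YAML into `msg`; and unlike `Params.Fill`, which returns its error, it panics, so a malformed fixture aborts the whole test binary instead of failing one test. Suggest `// Loads a test file, fills in template variables, then parses it as YAML into msg; panics on failure.`, or return the error to stay consistent with `Fill`. The new `TestPath` helper would also benefit from saying it is relative to `BazelWorkspace()`: `// Returns testFileName resolved against the Bazel workspace root.`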
@@ -96,7 +96,15 @@ func (s *Sleep) Run(_ *Params) error { func (s *Sleep) Cleanup() {} func (p *Params) Fill(s string) (string, error) { - t := template.Must(template.New("params").Option("missingkey=zero").Parse(s)) + t := template.Must(template.New("params"). + Option("missingkey=zero"). + Funcs(template.FuncMap{ + "indent": func(n int, s string) string { + pad := strings.Repeat(" ", n) + return pad + strings.Replace(s, "\n", "\n"+pad, -1) + }, + }). + Parse(s)) var b bytes.Buffer if err := t.Execute(&b, p); err != nil { return "", err diff --git a/test/envoye2e/driver/stackdriver.go b/test/envoye2e/driver/stackdriver.go index 0e10c714bf89..df2bf973f789 100644 --- a/test/envoye2e/driver/stackdriver.go +++ b/test/envoye2e/driver/stackdriver.go 
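Review bot: The `indent` template function pads after every `\n`, including a trailing one, so an input ending in a newline renders a final line of bare spaces into the YAML; trimming first, `pad + strings.Replace(strings.TrimRight(s, "\n"), "\n", "\n"+pad, -1)`, avoids that (and `strings.ReplaceAll` reads better if the module targets Go 1.12 or later). The `template.New(...).Funcs(...)` chain is rebuilt on every `Fill` call; hoisting the `FuncMap` into a package-level variable keeps `Fill` short and documents the available template helpers in one place. `Fill` continues past the end of the hunk.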
@@ -85,67 +85,62 @@ func (sd *Stackdriver) Cleanup() { close(sd.done) } -func (sd *Stackdriver) Check(ts []string, ls []string) Step { - return &checkStackdriver{ - sd: sd, - ts: ts, - ls: ls, - } -} - -type checkStackdriver struct { - sd *Stackdriver - ts []string - ls []string -} - -func (s *checkStackdriver) Run(p *Params) error { +func (sd *Stackdriver) Check(p *Params, tsFiles []string, lsFiles []string) Step { // check as sets of strings by marshaling to proto twant := make(map[string]struct{}) - for _, t := range s.ts { + for _, t := range tsFiles { pb := &monitoring.TimeSeries{} - if err := p.FillYAML(t, pb); err != nil { - return err - } + p.LoadTestProto(t, pb) twant[proto.MarshalTextString(pb)] = struct{}{} } lwant := make(map[string]struct{}) - for _, l := range s.ls { + for _, l := range lsFiles { pb := &logging.WriteLogEntriesRequest{} - if err := p.FillYAML(l, pb); err != nil { - return err - } + p.LoadTestProto(l, pb) lwant[proto.MarshalTextString(pb)] = struct{}{} } + return &checkStackdriver{ + sd: sd, + twant: twant, + lwant: lwant, + } +} +type checkStackdriver struct { + sd *Stackdriver + twant map[string]struct{} + lwant map[string]struct{} +} + +func (s *checkStackdriver) Run(p *Params) error { foundAllLogs := false foundAllMetrics := false for i := 0; i < 30; i++ { s.sd.Lock() - foundAllLogs = reflect.DeepEqual(s.sd.ls, lwant) + foundAllLogs = reflect.DeepEqual(s.sd.ls, s.lwant) if !foundAllLogs { - log.Printf("got log entries %d, want %d\n", len(s.sd.ls), len(lwant)) - if len(s.sd.ls) >= len(lwant) { + log.Printf("got log entries %d, want %d\n", len(s.sd.ls), len(s.lwant)) + if len(s.sd.ls) >= len(s.lwant) { for got := range s.sd.ls { log.Println(got) } log.Println("--- but want ---") - for want := range lwant { + for want := range s.lwant { log.Println(want) } return fmt.Errorf("failed to receive expected logs") } } - foundAllMetrics = reflect.DeepEqual(s.sd.ts, twant) + foundAllMetrics = reflect.DeepEqual(s.sd.ts, s.twant) if 
!foundAllMetrics { - log.Printf("got metrics %d, want %d\n", len(s.sd.ts), len(twant)) - if len(s.sd.ts) >= len(twant) { + log.Printf("got metrics %d, want %d\n", len(s.sd.ts), len(s.twant)) + if len(s.sd.ts) >= len(s.twant) { for got := range s.sd.ts { log.Println(got) } log.Println("--- but want ---") - for want := range twant { + for want := range s.twant { log.Println(want) } return fmt.Errorf("failed to receive expected metrics") diff --git a/test/envoye2e/env/ports.go b/test/envoye2e/env/ports.go index 563f4c1543b1..bfe695beb7cd 100644 --- a/test/envoye2e/env/ports.go +++ b/test/envoye2e/env/ports.go @@ -34,7 +34,9 @@ const ( // xDS driven tests BasicHTTP + BasicHTTPwithTLS StackDriverPayload + StackDriverPayloadWithTLS StackDriverReload StackDriverParallel diff --git a/test/envoye2e/env/setup.go b/test/envoye2e/env/setup.go index 50b5dbb32380..b7ea7fd244c0 100644 --- a/test/envoye2e/env/setup.go +++ b/test/envoye2e/env/setup.go @@ -266,7 +266,7 @@ func (s *TestSetup) SetUpClientServerEnvoy() error { } } if s.startTcpBackend { - s.tcpBackend, err = NewTCPServer(s.ports.BackendPort, "hello", s.EnableTls) + s.tcpBackend, err = NewTCPServer(s.ports.BackendPort, "hello", s.EnableTls, s.Dir) if err != nil { log.Printf("unable to create TCP server %v", err) } else { diff --git a/test/envoye2e/env/tcp_server.go b/test/envoye2e/env/tcp_server.go index 217c0accf06b..6537b658ece1 100644 --- a/test/envoye2e/env/tcp_server.go +++ b/test/envoye2e/env/tcp_server.go @@ -23,6 +23,7 @@ import ( "io/ioutil" "log" "net" + "path/filepath" "time" ) 
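Review bot: Moving the expectation loading into `Check` means a bad template now panics (via `LoadTestProto`) while the scenario is being assembled, before any step has run or `Cleanup` is reachable, whereas the previous `Run` returned the error through the step machinery; if that trade-off is intended, a one-line comment on `Check` should say so: `// Check loads the expected time series and log entries eagerly; a malformed template panics.` `Run(p *Params)` no longer uses `p`, so it can be written `Run(_ *Params)` as `Sleep.Run` already is. The polling loop in `Run` continues beyond the hunk.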
@@ -32,18 +33,21 @@ type TCPServer struct { lis net.Listener prefix string enableTLS bool + dir string } // NewTCPServer creates a new TCP server. -func NewTCPServer(port uint16, prefix string, enableTLS bool) (*TCPServer, error) { +func NewTCPServer(port uint16, prefix string, enableTLS bool, rootDir string) (*TCPServer, error) { log.Printf("Tcp server listening on port %v\n", port) var lis net.Listener if enableTLS { - certificate, err := tls.LoadX509KeyPair("cert-chain.pem", "key.pem") + certificate, err := tls.LoadX509KeyPair( + filepath.Join(rootDir, "testdata/certs/cert-chain.pem"), + filepath.Join(rootDir, "testdata/certs/key.pem")) if err != nil { return nil, err } - caCert, err := ioutil.ReadFile("root-cert.pem") + caCert, err := ioutil.ReadFile(filepath.Join(rootDir, "testdata/certs/root-cert.pem")) if err != nil { return nil, err } @@ -76,6 +80,7 @@ func NewTCPServer(port uint16, prefix string, enableTLS bool) (*TCPServer, error lis: lis, prefix: prefix, enableTLS: enableTLS, + dir: rootDir, }, nil } @@ -102,12 +107,12 @@ func handleConnection(conn net.Conn, prefix string) { } // WaitForTCPServer waits for a TCP server -func WaitForTCPServer(port uint16, enableTLS bool) error { +func WaitForTCPServer(port uint16, enableTLS bool, rootDir string) error { var config *tls.Config if enableTLS { certPool := x509.NewCertPool() - bs, err := ioutil.ReadFile("cert-chain.pem") + bs, err := ioutil.ReadFile(filepath.Join(rootDir, "testdata/certs/cert-chain.pem")) if err != nil { return fmt.Errorf("failed to read client ca cert: %s", err) } @@ -165,7 +170,7 @@ func (s *TCPServer) Start() <-chan error { errCh <- Serve(s.lis, s.prefix) }() go func() { - errCh <- WaitForTCPServer(s.port, s.enableTLS) + errCh <- WaitForTCPServer(s.port, s.enableTLS, s.dir) }() return errCh diff --git a/test/envoye2e/stackdriver_plugin/fake_stackdriver/data.go b/test/envoye2e/stackdriver_plugin/fake_stackdriver/data.go deleted file mode 100644 index 88e61c230317..000000000000 
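Review bot: The four `filepath.Join(rootDir, "testdata/certs/...")` call sites hard-code the same directory; a package-level `const certDir = "testdata/certs"` or a small `certPath(rootDir, name string) string` helper would keep `NewTCPServer` and `WaitForTCPServer` in step the next time the fixtures move, which this very patch does (`test/envoye2e/tcp_metadata_exchange` → `testdata/certs`). Separately, `WaitForTCPServer` seeds the client's trust pool from `cert-chain.pem` while the server appears to load `root-cert.pem` as its CA; that asymmetry predates this patch, but the new lines are the right place for a comment explaining why the chain rather than the root is trusted on the client side. Both functions continue outside the hunk.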
--- a/test/envoye2e/stackdriver_plugin/fake_stackdriver/data.go +++ /dev/null 
@@ -1,276 +0,0 @@ -// Copyright 2019 Istio Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package fakestackdriver - -// ServerRequestCountJSON is a JSON string of server request count metric protocol. -const ServerRequestCountJSON = `{ - "metric":{ - "type":"istio.io/service/server/request_count", - "labels":{ - "destination_owner":"kubernetes://api/apps/v1/namespaces/default/deployment/ratings-v1", - "destination_port":"{{ .Vars.ServerPort }}", - "destination_principal":"", - "destination_service_name":"server.default.svc.cluster.local", - "destination_service_namespace":"default", - "destination_workload_name":"ratings-v1", - "destination_workload_namespace":"default", - "mesh_uid":"", - "request_operation":"GET", - "request_protocol":"http", - "response_code":"200", - "service_authentication_policy":"NONE", - "source_owner":"kubernetes://api/apps/v1/namespaces/default/deployment/productpage-v1", - "source_principal":"", - "source_workload_name":"productpage-v1", - "source_workload_namespace":"default", - "mesh_uid": "mesh" - } - }, - "resource":{ - "type":"k8s_container", - "labels":{ - "cluster_name":"test-cluster", - "container_name":"istio-proxy", - "location":"us-east4-b", - "namespace_name":"default", - "pod_name":"ratings-v1-84975bc778-pxz2w", - "project_id":"test-project" - } - }, - "points":[ - { - "value":{ - "int64Value":"10" - } - } - ] - }` - -// ClientRequestCountJSON is a JSON string of client request count metric protocol. 
-const ClientRequestCountJSON = `{ - "metric":{ - "type":"istio.io/service/client/request_count", - "labels":{ - "destination_owner":"kubernetes://api/apps/v1/namespaces/default/deployment/ratings-v1", - "destination_port":"{{ .Vars.ServerPort }}", - "destination_principal":"", - "destination_service_name":"127.0.0.1:{{ .Vars.ClientPort }}", - "destination_service_namespace":"default", - "destination_workload_name":"ratings-v1", - "destination_workload_namespace":"default", - "mesh_uid":"", - "request_operation":"GET", - "request_protocol":"http", - "response_code":"200", - "service_authentication_policy":"NONE", - "source_owner":"kubernetes://api/apps/v1/namespaces/default/deployment/productpage-v1", - "source_principal":"", - "source_workload_name":"productpage-v1", - "source_workload_namespace":"default", - "mesh_uid": "mesh" - } - }, - "resource":{ - "type":"k8s_pod", - "labels":{ - "cluster_name":"test-cluster", - "location":"us-east4-b", - "namespace_name":"default", - "pod_name":"productpage-v1-84975bc778-pxz2w", - "project_id":"test-project" - } - }, - "points":[ - { - "value":{ - "int64Value":"10" - } - } - ] -}` - -// ServerAccessLogJSON is a JSON string of server access log request. 
-const ServerAccessLogJSON = `{ - "logName":"projects/test-project/logs/server-accesslog-stackdriver", - "resource":{ - "type":"k8s_container", - "labels":{ - "cluster_name":"test-cluster", - "container_name":"istio-proxy", - "location":"us-east4-b", - "namespace_name":"default", - "pod_name":"ratings-v1-84975bc778-pxz2w", - "project_id":"test-project" - } - }, - "labels":{ - "destination_name":"ratings-v1-84975bc778-pxz2w", - "destination_namespace":"default", - "destination_workload":"ratings-v1", - "mesh_uid": "mesh" - }, - "entries":[ - { - "severity":"INFO", - "labels":{ - "destination_principal":"", - "destination_service_host":"server.default.svc.cluster.local", - "protocol":"http", - "request_operation":"GET", - "response_flag":"", - "service_authentication_policy":"false", - "source_name":"productpage-v1-84975bc778-pxz2w", - "source_namespace":"default", - "source_principal":"", - "source_workload":"productpage-v1" - } - }, - { - "severity":"INFO", - "labels":{ - "destination_principal":"", - "destination_service_host":"server.default.svc.cluster.local", - "protocol":"http", - "request_operation":"GET", - "response_flag":"", - "service_authentication_policy":"false", - "source_name":"productpage-v1-84975bc778-pxz2w", - "source_namespace":"default", - "source_principal":"", - "source_workload":"productpage-v1" - } - }, - { - "severity":"INFO", - "labels":{ - "destination_principal":"", - "destination_service_host":"server.default.svc.cluster.local", - "protocol":"http", - "request_operation":"GET", - "response_flag":"", - "service_authentication_policy":"false", - "source_name":"productpage-v1-84975bc778-pxz2w", - "source_namespace":"default", - "source_principal":"", - "source_workload":"productpage-v1" - } - }, - { - "severity":"INFO", - "labels":{ - "destination_principal":"", - "destination_service_host":"server.default.svc.cluster.local", - "protocol":"http", - "request_operation":"GET", - "response_flag":"", - "service_authentication_policy":"false", 
- "source_name":"productpage-v1-84975bc778-pxz2w", - "source_namespace":"default", - "source_principal":"", - "source_workload":"productpage-v1" - } - }, - { - "severity":"INFO", - "labels":{ - "destination_principal":"", - "destination_service_host":"server.default.svc.cluster.local", - "protocol":"http", - "request_operation":"GET", - "response_flag":"", - "service_authentication_policy":"false", - "source_name":"productpage-v1-84975bc778-pxz2w", - "source_namespace":"default", - "source_principal":"", - "source_workload":"productpage-v1" - } - }, - { - "severity":"INFO", - "labels":{ - "destination_principal":"", - "destination_service_host":"server.default.svc.cluster.local", - "protocol":"http", - "request_operation":"GET", - "response_flag":"", - "service_authentication_policy":"false", - "source_name":"productpage-v1-84975bc778-pxz2w", - "source_namespace":"default", - "source_principal":"", - "source_workload":"productpage-v1" - } - }, - { - "severity":"INFO", - "labels":{ - "destination_principal":"", - "destination_service_host":"server.default.svc.cluster.local", - "protocol":"http", - "request_operation":"GET", - "response_flag":"", - "service_authentication_policy":"false", - "source_name":"productpage-v1-84975bc778-pxz2w", - "source_namespace":"default", - "source_principal":"", - "source_workload":"productpage-v1" - } - }, - { - "severity":"INFO", - "labels":{ - "destination_principal":"", - "destination_service_host":"server.default.svc.cluster.local", - "protocol":"http", - "request_operation":"GET", - "response_flag":"", - "service_authentication_policy":"false", - "source_name":"productpage-v1-84975bc778-pxz2w", - "source_namespace":"default", - "source_principal":"", - "source_workload":"productpage-v1" - } - }, - { - "severity":"INFO", - "labels":{ - "destination_principal":"", - "destination_service_host":"server.default.svc.cluster.local", - "protocol":"http", - "request_operation":"GET", - "response_flag":"", - 
"service_authentication_policy":"false", - "source_name":"productpage-v1-84975bc778-pxz2w", - "source_namespace":"default", - "source_principal":"", - "source_workload":"productpage-v1" - } - }, - { - "severity":"INFO", - "labels":{ - "destination_principal":"", - "destination_service_host":"server.default.svc.cluster.local", - "protocol":"http", - "request_operation":"GET", - "response_flag":"", - "service_authentication_policy":"false", - "source_name":"productpage-v1-84975bc778-pxz2w", - "source_namespace":"default", - "source_principal":"", - "source_workload":"productpage-v1" - } - } - ] -}` diff --git a/test/envoye2e/stackdriver_plugin/stackdriver_plugin_test.go b/test/envoye2e/stackdriver_plugin/stackdriver_plugin_test.go index 06fc29941042..c3d9ed49948b 100644 --- a/test/envoye2e/stackdriver_plugin/stackdriver_plugin_test.go +++ b/test/envoye2e/stackdriver_plugin/stackdriver_plugin_test.go @@ -21,7 +21,6 @@ import ( "time" "github.com/d4l3k/messagediff" - "github.com/golang/protobuf/jsonpb" "istio.io/proxy/test/envoye2e/driver" "istio.io/proxy/test/envoye2e/env" @@ -100,14 +99,13 @@ func verifyCreateTimeSeriesReq(got *monitoringpb.CreateTimeSeriesRequest) (error var srvReqCount, cltReqCount monitoringpb.TimeSeries p := &driver.Params{ Vars: map[string]string{ - "ServerPort": "20045", - "ClientPort": "20042", + "ServerPort": "20045", + "ClientPort": "20042", + "ServiceAuthenticationPolicy": "NONE", }, } - client, _ := p.Fill(fs.ClientRequestCountJSON) - server, _ := p.Fill(fs.ServerRequestCountJSON) - jsonpb.UnmarshalString(server, &srvReqCount) - jsonpb.UnmarshalString(client, &cltReqCount) + p.LoadTestProto("testdata/stackdriver/client_request_count.yaml.tmpl", &cltReqCount) + p.LoadTestProto("testdata/stackdriver/server_request_count.yaml.tmpl", &srvReqCount) isClient := true for _, t := range got.TimeSeries { if t.Metric.Type == srvReqCount.Metric.Type { 
@@ -124,7 +122,12 @@ func verifyCreateTimeSeriesReq(got *monitoringpb.CreateTimeSeriesRequest) (error func verifyWriteLogEntriesReq(got *logging.WriteLogEntriesRequest) error { var srvLogReq logging.WriteLogEntriesRequest - jsonpb.UnmarshalString(fs.ServerAccessLogJSON, &srvLogReq) + p := &driver.Params{ + Vars: map[string]string{ + "ServiceAuthenticationPolicy": "NONE", + }, + } + p.LoadTestProto("testdata/stackdriver/server_access_log.yaml.tmpl", &srvLogReq) return compareLogEntries(got, &srvLogReq) } diff --git a/test/envoye2e/stackdriver_plugin/stackdriver_xds_test.go b/test/envoye2e/stackdriver_plugin/stackdriver_xds_test.go index cd5e03c5e6f9..f46c123f782d 100644 --- a/test/envoye2e/stackdriver_plugin/stackdriver_xds_test.go +++ b/test/envoye2e/stackdriver_plugin/stackdriver_xds_test.go @@ -21,7 +21,6 @@ import ( "istio.io/proxy/test/envoye2e/driver" "istio.io/proxy/test/envoye2e/env" - fs "istio.io/proxy/test/envoye2e/stackdriver_plugin/fake_stackdriver" ) const StackdriverClientHTTPListener = ` 
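Review bot: `verifyWriteLogEntriesReq` and `verifyCreateTimeSeriesReq` each build a separate `driver.Params` carrying `"ServiceAuthenticationPolicy": "NONE"`, so the expected policy is now hard-coded in two places in this file (and again in the xDS test); a small helper returning the shared `Params` would keep them aligned when the expected value changes. `LoadTestProto` panics on a bad fixture, replacing the previously ignored `jsonpb.UnmarshalString` results — an improvement, but worth a comment that a fixture error aborts the whole test binary rather than failing the one check.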
@@ -114,23 +113,68 @@ filter_chains: route: cluster: inbound|9080|http|server.default.svc.cluster.local timeout: 0s +{{ .Vars.ServerTLSContext | indent 2 }} ` func TestStackdriverPayload(t *testing.T) { ports := env.NewPorts(env.StackDriverPayload) params := &driver.Params{ Vars: map[string]string{ - "ClientPort": fmt.Sprintf("%d", ports.ClientToServerProxyPort), - "SDPort": fmt.Sprintf("%d", ports.SDPort), - "BackendPort": fmt.Sprintf("%d", ports.BackendPort), - "ClientAdmin": fmt.Sprintf("%d", ports.ClientAdminPort), - "ServerAdmin": fmt.Sprintf("%d", ports.ServerAdminPort), - "ServerPort": fmt.Sprintf("%d", ports.ProxyToServerProxyPort), + "ClientPort": fmt.Sprintf("%d", ports.ClientToServerProxyPort), + "SDPort": fmt.Sprintf("%d", ports.SDPort), + "BackendPort": fmt.Sprintf("%d", ports.BackendPort), + "ClientAdmin": fmt.Sprintf("%d", ports.ClientAdminPort), + "ServerAdmin": fmt.Sprintf("%d", ports.ServerAdminPort), + "ServerPort": fmt.Sprintf("%d", ports.ProxyToServerProxyPort), + "ServiceAuthenticationPolicy": "NONE", + }, + XDS: int(ports.XDSPort), + } + params.Vars["ClientMetadata"] = params.LoadTestData("testdata/client_node_metadata.json.tmpl") + params.Vars["ServerMetadata"] = params.LoadTestData("testdata/server_node_metadata.json.tmpl") + + sd := &driver.Stackdriver{Port: ports.SDPort} + + if err := (&driver.Scenario{ + []driver.Step{ + &driver.XDS{}, + sd, + &driver.Update{Node: "client", Version: "0", Listeners: []string{StackdriverClientHTTPListener}}, + &driver.Update{Node: "server", Version: "0", Listeners: []string{StackdriverServerHTTPListener}}, + &driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/server.yaml.tmpl")}, + &driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/client.yaml.tmpl")}, + &driver.Sleep{1 * time.Second}, + &driver.Repeat{N: 10, Step: &driver.Get{ports.ClientToServerProxyPort, "hello, world!"}}, + sd.Check(params, + []string{"testdata/stackdriver/client_request_count.yaml.tmpl", 
"testdata/stackdriver/server_request_count.yaml.tmpl"}, + []string{"testdata/stackdriver/server_access_log.yaml.tmpl"}, + ), + }, + }).Run(params); err != nil { + t.Fatal(err) + } +} + +func TestStackdriverPayloadWithTLS(t *testing.T) { + ports := env.NewPorts(env.StackDriverPayloadWithTLS) + params := &driver.Params{ + Vars: map[string]string{ + "ClientPort": fmt.Sprintf("%d", ports.ClientToServerProxyPort), + "SDPort": fmt.Sprintf("%d", ports.SDPort), + "BackendPort": fmt.Sprintf("%d", ports.BackendPort), + "ClientAdmin": fmt.Sprintf("%d", ports.ClientAdminPort), + "ServerAdmin": fmt.Sprintf("%d", ports.ServerAdminPort), + "ServerPort": fmt.Sprintf("%d", ports.ProxyToServerProxyPort), + "ServiceAuthenticationPolicy": "MUTUAL_TLS", + "SourcePrincipal": "spiffe://cluster.local/ns/default/sa/client", + "DestinationPrincipal": "spiffe://cluster.local/ns/default/sa/server", }, XDS: int(ports.XDSPort), } params.Vars["ClientMetadata"] = params.LoadTestData("testdata/client_node_metadata.json.tmpl") params.Vars["ServerMetadata"] = params.LoadTestData("testdata/server_node_metadata.json.tmpl") + params.Vars["ClientTLSContext"] = params.LoadTestData("testdata/transport_socket/client.yaml.tmpl") + params.Vars["ServerTLSContext"] = params.LoadTestData("testdata/transport_socket/server.yaml.tmpl") sd := &driver.Stackdriver{Port: ports.SDPort} @@ -144,9 +188,9 @@ func TestStackdriverPayload(t *testing.T) { &driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/client.yaml.tmpl")}, &driver.Sleep{1 * time.Second}, &driver.Repeat{N: 10, Step: &driver.Get{ports.ClientToServerProxyPort, "hello, world!"}}, - sd.Check( - []string{fs.ServerRequestCountJSON, fs.ClientRequestCountJSON}, - []string{fs.ServerAccessLogJSON}, + sd.Check(params, + []string{"testdata/stackdriver/client_request_count.yaml.tmpl", "testdata/stackdriver/server_request_count.yaml.tmpl"}, + []string{"testdata/stackdriver/server_access_log.yaml.tmpl"}, ), }, }).Run(params); err != nil { 
diff --git a/test/envoye2e/tcp_metadata_exchange/tcp_metadata_exchange_test.go b/test/envoye2e/tcp_metadata_exchange/tcp_metadata_exchange_test.go index 8791db12651d..70f6ee8da0d9 100644 --- a/test/envoye2e/tcp_metadata_exchange/tcp_metadata_exchange_test.go +++ b/test/envoye2e/tcp_metadata_exchange/tcp_metadata_exchange_test.go @@ -24,6 +24,7 @@ import ( "testing" "text/template" + "istio.io/proxy/test/envoye2e/driver" "istio.io/proxy/test/envoye2e/env" ) 
@@ -47,13 +48,10 @@ tls_context: alpn_protocols: - istio2 tls_certificates: - - certificate_chain: - inline_string: "-----BEGIN CERTIFICATE-----\nMIIFMTCCAxmgAwIBAgIDAxaCMA0GCSqGSIb3DQEBCwUAMCIxDjAMBgNVBAoMBUlz\ndGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTE5MDcyMjIxMzAzMloXDTIxMDcyMTIx\nMzAzMlowNzEOMAwGA1UECgwFSXN0aW8xGDAWBgNVBAMMD0ludGVybWVkaWF0ZSBD\nQTELMAkGA1UEBwwCY2EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC4\nrEngnty6lVXmyFqC5DsLpoDXWPaOXr4bmKYHL4PeL5vX/OOn+kbHhm4JjYOxKTmO\nYtdLttsQZT7jUd+3WercyVIesWULIO33VbEtNvqKE408J0+5W266+Y+dSmVbrbOf\na6nKP6gpVf1r7Rf0NeS4S3XnUQ0igWo/Pbqn3S2C+ewkR66sCAB5vopKLzdABIN1\n7oLXil2mY4cotk4QPDRgk+AHh+uw1w6JC2c3FcNi3MLh7DIVsLyX//3BWX2bs4jR\nFKva6w1KX2nohECj5FqCd7JuFdqtQO+XW5Ihhag3Hzq9VrqDgR2h0XACLqRNJQG4\n0yzP0b0SvOdpOj6JE33IxOBcLGTvrteBadA0sMzWoCfqYeFLOBhFUGSDamHqd0Or\nqIAza/dE3Pb3VX0OZzW601PqnWXr4YDIKIdb3tgc97j/zbYvcjp40MQfgik6S/lZ\nv8E5ZHHc1Je0zGojL8mAjoklCET1HyP/aRSMIRekdYuCjPqjVyrGeeS3R/Fatigm\ngicVYvFDT7iGauyHPA7894CavHVaA40q20Y78bDJSVgsiznNGN7n2oenBZ7P8kbk\nY2pbNnqhn67v5Na1uSHVGMjB+kbVn0WZbbSawKp0W30TCtnuaBdfI1QjOWYdkIEs\npvtdI31V3cLJO9vzegwhcdYS7YG95m6VrdMQbaBE3wIDAQABo1swWTAdBgNVHQ4E\nFgQUuTgg1nLlC0d35VPxZh1T6NqkDg8wEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNV\nHQ8BAf8EBAMCAuQwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUA\nA4ICAQBV0mZPDPDOna692/cRVP2qHoHzEsYLttTioRCmQT8ideW8tpW7IwWozpKr\nBlcaCXUc1K8hoMFSgYCcuh+VMH8qNCQHDEcWoPHPBFrr83ALRVdh4cYeMa7ZcIRS\nl08Fa5TbVQXDkkj+t0KFr6VIBzXvVw8W/r8bgy4LSu/33WGQg4fRecp9mm0j/P8Y\nDaWalN1m8TeRZtN1k7ltHmkeOPH+3NlgZ4YvlZ+ltPMrXowdP+/nCZgeR1BzFmer\n0EVZ0Hq35EvXrmrrN5X4cc3b9OmaQpPQxqSlA/8hwyd0ItLZCYv1v4CB+0AI6CvY\nP2RtxJ87UCz9wlthIlV2a8/d0NItV08HATfK5nXjuY8Ndm3V+jgEGGivizEaSeso\ngrBKJ/TbyoUpsfji5Fc2ogzrGkon1EFgR/WJ8FVlty2YVnjTfjVxD8OJ8Znjm1MH\nYbisHAdTqTND0Fa2F7GFxtltD0DxQ2zsH3D8W98dxeRRigYCifixqFtk72iE702o\n4K3CfPhi7MN4dxbQNFXtjrjnIQn9lN+ih+E1RK0Z4LTrd4WwsJF1MHBm6MRIFu4t\nxaJb3fB5Artwn6DJ1vhfLoONDfwbrRL9/QDt0fFKtnCMbHcApsGJmrXskGim8Kma\nCw3FWjtdhpzmgK5L0SVell2IK3gEF3rphETn37YFDCttOUzpCg==\n-----END 
CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFFDCCAvygAwIBAgIUZqU0Sviq/wULK6UV7PoAZ7B+nqAwDQYJKoZIhvcNAQEL\nBQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMTkwNzIy\nMjEzMDA0WhcNMjkwNzE5MjEzMDA0WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE\nAwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANNl5/pH\n/ktdqEsb83cqHrYJCyzbvWce6k/iud4Czu6FClFX8b+n/Rv9GrZFxJwKAFlUx3iA\nBGlSn/1XYpnhudQhgVGvyuWNO5kX4BfrAJwfWt+7Mn6NcWvunDqwqUPxI07sgCJW\nAYBAwkZH/Nhn6tj571XWNPziUtCwlPNkFMiRu/2nI/tq12IgwimFjVgiCuprNfyX\ntQz/DMVTWpCRQLK5ptlYMfk0P25UKyJdKHnr1MPQBJmPXMfSSqpGjksikV4QnYc7\nCXB3ucq7ty0IWA8QXH+86WqMTh22mosWVXHe0OGbzYtuyVnXc1G7YRv4D87G3Ves\nG4n/8e+RaDTacvwOsYEkuQGk+s8pggPkIqydGy02JNZ4cSRpXJRTzME2BgBZxT8S\nEw1Omr5+iuLNRAKEYRM/eWI7qrs5fxpD6K9JELHS41hWHGdW94PP0wKz70trx5pM\nfLpcVm7BQ5ppgf+t4vgKnrNiACQpfyZbInCBU0doaZaqVMnKH0vgyM7xrC43fsOP\ny5URy3tEH8Uk7Dbvsmj7AXR7IPKlYtgcqcJXmeWa+kLOpx3G55hgJL1ySrxXg/qz\nAobgmV0IycH2ntn5lXvjbwe0cfXAnZgGoALZjJVuEazyBmmVzjBjG2Qcq35nHfp8\nRm6WnCZIaGsZqgoDuSJD280ZLWW7R0PMcnypAgMBAAGjQjBAMB0GA1UdDgQWBBQZ\nh3/ckcK23ZYKO+JsZowd3dIobDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE\nAwIC5DANBgkqhkiG9w0BAQsFAAOCAgEAjh4CdrwnLsqwVxyVSgxd7TfSHtKE/J2Y\n2IZ4fJYXGkq3McPk2e9u0zjCH0buvfDwyAItLIacD+YwIP+OC2WxLe+YMZ5KkXl3\nLuhQ2TOoRlrbp5tYLQITZIIl9+vNkgnn1DkdxkLm9cDDag19LSxa9Rjrnb3wwFAT\nIzEhy+d18FpQtdMMhmonU/L8Oy5LqjT5BR3T8VrXYUsaAkcUs/yHNTFAY3iJFBWL\nZ8dFa5v0A1Ryi8quSNo7lK/hSEZvvV9k4XfFAolXSUqe8BCuXe0rbAq3Jq9HgDww\noImGM0uz4Zf89uhTk1O7UOUfQoSTmA0yZICtQkCiOC0J4AlAOTmiEXUC9gicV3R8\ndvVOqNBOcBELglZ+NIMm6FQQqPh1nZ6A3Bh+JRTPerAF12725RZZE6XMxq2MSr3G\nk5yH10QPMH7/DJRQUhRHAhbge+jk2csa7EGSxABcbsPLSV+cEzXRO4cJeItoZQLh\nsaFhIn9lGukXG6lgiperOqZl6DFVcUG6/nogK7KOTAnV9zjR/7vNwvYzPI9iOR3V\n6dbG38KnipcfL885VLJVTnfhvYHlxFklCKTEnOHnmKsM0qjQuky3DBzmDA6iqeOM\nSHRje5LKxi7mllJfu/X0MxYJWiu6i4gMCWZsC3UtAJQ09x7iwcNr/1bl9ApGszOy\nUff0OxD2hzk=\n-----END CERTIFICATE-----\n" - private_key: - inline_string: "-----BEGIN RSA PRIVATE 
KEY-----\nMIIJKAIBAAKCAgEAuKxJ4J7cupVV5shaguQ7C6aA11j2jl6+G5imBy+D3i+b1/zj\np/pGx4ZuCY2DsSk5jmLXS7bbEGU+41Hft1nq3MlSHrFlCyDt91WxLTb6ihONPCdP\nuVtuuvmPnUplW62zn2upyj+oKVX9a+0X9DXkuEt151ENIoFqPz26p90tgvnsJEeu\nrAgAeb6KSi83QASDde6C14pdpmOHKLZOEDw0YJPgB4frsNcOiQtnNxXDYtzC4ewy\nFbC8l//9wVl9m7OI0RSr2usNSl9p6IRAo+RagneybhXarUDvl1uSIYWoNx86vVa6\ng4EdodFwAi6kTSUBuNMsz9G9ErznaTo+iRN9yMTgXCxk767XgWnQNLDM1qAn6mHh\nSzgYRVBkg2ph6ndDq6iAM2v3RNz291V9Dmc1utNT6p1l6+GAyCiHW97YHPe4/822\nL3I6eNDEH4IpOkv5Wb/BOWRx3NSXtMxqIy/JgI6JJQhE9R8j/2kUjCEXpHWLgoz6\no1cqxnnkt0fxWrYoJoInFWLxQ0+4hmrshzwO/PeAmrx1WgONKttGO/GwyUlYLIs5\nzRje59qHpwWez/JG5GNqWzZ6oZ+u7+TWtbkh1RjIwfpG1Z9FmW20msCqdFt9EwrZ\n7mgXXyNUIzlmHZCBLKb7XSN9Vd3CyTvb83oMIXHWEu2BveZula3TEG2gRN8CAwEA\nAQKCAgBC6lLerFGo3iHBPQnm8dIfV5bJ8TdtwRC7qSVH50SuBqw+qCjJnht1gtVu\narO0Rw7O9Cu1CK36E+Wksu8QXemHVP+HlZnaXXU8sPVBP/GqhIkhqdDuhh3qbDFI\nukNd4+P5OSbN3SEO0VTBfai3Wavlx5oSVkEfJqub/L8cwj0Sf4K8Zqj5NvENLCip\n1s/7R2dnHSSV+1IRz3CTJPPGWDpWYF7F+89ARbzDlbkxsZYZxYpsGIzRZTgBD8Yg\nAFBOUdCaihX3fkJTl50lnn5ZpI3TRpIF569UJfpq6shZkzevuYYsQzfUHL3i+6PN\ndp8cQPONyB8tsn8DQiXL8Enmm4Rw1KgVicc7r14PT1iNPkB1DJd6a0wTbjHKdt14\naSoVneDJc/7s2clgC/W/PUiKrXff7uaTe3sN0qTN4dtI9uNFT5HQ5Af9+p/coP8z\ncGxGIqQHFzmYivXzkjScrQ4cFHjWSDMBW/fttlrRAOO3qiDOVti1jG2pnbDH1TZU\nailFAD92jlOQ3hel90S7YwjvuU4cw2/JiJLhvQujPUlVfgdRkGMfiZ4PfT+k8uX7\n8fkFWRdbSdO7Fwr9u/7ORcbsX7vUFWT/NSn04a9UYdrHPt6r4ETcKbP0SsQF7Qp7\nw1tIgC/oSDSEulyJzA3o4Ci9v3n67r0yLDeRERHFj51gQ3G60QKCAQEA3CYLSExI\nRQoNu6jxx92jCKIRYlIaTo8f5DbONDqQPJIGiL37GG5Tf2qjanUUZRKPUx1SwfVZ\nP/UMa6IgDYYHO+Kvv2GsOajBlSOjs+28qV3AI+m45qWulT/NaESiDE2nMwAExXIy\nHCqVGgnW8ZMhDhL39Q0Cgt9tUoK6O1fuRrp27uKaLD+YYmhtDWy7mS8BvWcIl7CU\njBOM3PS7rs5RRJd3/8joCmEMGuzPsMtFF2iwA5SigsWLMjD7QHyWPDT0NlShxIMP\nA0LAIcoxer5FoCUw/XorCT6VkY1Mr7dA8D4X2ZIT5ZI/Y7AJZj8Gn47LSfrfCyVF\nvk/CyJnC2Df1KQKCAQEA1r9F17kU3r1DaZeTNuwgOtxDMpEBTbF1GoHz97g4ef3W\nMAWnCw51cTEtmsNqDElWszAWqlRjyHd+N+LdKiicZG3V9bhOSHNHu9QCQDn5um43\nw5IUSI8gQ4CqXhGXfZ5slXdHUYDCZ6VYt+0srR0rEDQoWd0cwYLA3wuOVISl7o4+\nltAbFBrv0G
dCR22tJZwIRqcrqYCKFuwtKuOFzyj597OADCE/qWn8969LBq4kXYdM\n6IosifGOiAF49sl13Q/aDCam60VjEWKF+TqdmsO3TCLvrupuKnvEdXlXK5IJbIXe\n+Z+b2kiov5wBR+u1bfeXdH35uxSgVr86XxXLRe9ixwKCAQBSCKcpoKtJdq6ZYCIA\nbRmEbQf3UErXPUQQAVAjbDM1LuDacZiwiOP6Vd1hHRGlfB4GRaYB+o/wYjrnnLk+\n8NOfQCBnO1k2/yhrj6U/tfYYUoP3ne81m0WL/gNnuDN+TC1itr4QaTY9Aq0ez83V\npRKrMOxO1zM5W1JcbbRByslSd8c7yxrSJDx/ZxRD7WGWekq2rj8obzdbXymdaGDL\nibwEyECCAvZcb79YBSh7Y7NyPqNgIjHQcxYkdNYbOJGvC7h4yl6hYIjmmSgJL1Py\nvhYpz9IKkkyZHEYVv8Z0r9+15h1zCJj7cdzHI+DMxe2M5WPhRGd6ur/bY9NcdteB\nRJDJAoIBAA7XHwt+ZdvStoLoj6re/Ic0y4wGC1IELnSLgIGhAH4ltZSR/247LJCK\n9nzYfk6lDtHJQ/e3Z0HmSBmymtgcAFrMYFnfx8En/lAToagwmXpxvXbNdItjILap\ngJyJmK98sEJQAOS4AjdJbO0g/dJkzqILCLLVHfSdhZikYsyichkfSWIAta5ZAjOj\nvyfSg4Gy27uON+05zdExtxlcqdWcHlIo3HN6JL0fbvTq70Nh629vNzhmvBc4U0JA\n38wmNff17XqjfSuLGwKLjXigvV2Bovwm+etblgtnjDcWEJkZOX9/bN5RUmLuXIMJ\nU+lVd69Gyfep8QUlssLr6ivCBM8rcOcCggEBAMuanzBKGV2ct+TUifFE84zqFIyE\n56PoW0mkKNbtNCswEAsbPPLsdhSoTrkMZcIy933S4TvYe7PXrSwr4w8eGEQv/wvY\nyUkSrNwu38P8V2d6uCkZ5z5TnafzB3g7eRDYw3e6jBl9ACyPcOpc44ScrX4n6mqb\nJOQ0oAvE6LVmwq4HxosSXQVymUhNBUflHpYkG8OBz3e2l+oO+0ojQ1AMspx46gEO\nNmEX44x7BXED0Vf8er4GDMRnVtXBD3z7oerGqJC9CtWK/u4DeLc4cJ2oWTY7wc2r\nQM8PWj4L8NlUfm8t7KG10FUjJlzwPXU1VJXfqzJP2X8yRq3O8OATZgaLjYs=\n-----END RSA PRIVATE KEY-----\n" + - certificate_chain: { filename: "testdata/certs/cert-chain.pem" } + private_key: { filename: "testdata/certs/key.pem" } validation_context: - trusted_ca: - inline_string: "-----BEGIN 
CERTIFICATE-----\nMIIFFDCCAvygAwIBAgIUZqU0Sviq/wULK6UV7PoAZ7B+nqAwDQYJKoZIhvcNAQEL\nBQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMTkwNzIy\nMjEzMDA0WhcNMjkwNzE5MjEzMDA0WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE\nAwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANNl5/pH\n/ktdqEsb83cqHrYJCyzbvWce6k/iud4Czu6FClFX8b+n/Rv9GrZFxJwKAFlUx3iA\nBGlSn/1XYpnhudQhgVGvyuWNO5kX4BfrAJwfWt+7Mn6NcWvunDqwqUPxI07sgCJW\nAYBAwkZH/Nhn6tj571XWNPziUtCwlPNkFMiRu/2nI/tq12IgwimFjVgiCuprNfyX\ntQz/DMVTWpCRQLK5ptlYMfk0P25UKyJdKHnr1MPQBJmPXMfSSqpGjksikV4QnYc7\nCXB3ucq7ty0IWA8QXH+86WqMTh22mosWVXHe0OGbzYtuyVnXc1G7YRv4D87G3Ves\nG4n/8e+RaDTacvwOsYEkuQGk+s8pggPkIqydGy02JNZ4cSRpXJRTzME2BgBZxT8S\nEw1Omr5+iuLNRAKEYRM/eWI7qrs5fxpD6K9JELHS41hWHGdW94PP0wKz70trx5pM\nfLpcVm7BQ5ppgf+t4vgKnrNiACQpfyZbInCBU0doaZaqVMnKH0vgyM7xrC43fsOP\ny5URy3tEH8Uk7Dbvsmj7AXR7IPKlYtgcqcJXmeWa+kLOpx3G55hgJL1ySrxXg/qz\nAobgmV0IycH2ntn5lXvjbwe0cfXAnZgGoALZjJVuEazyBmmVzjBjG2Qcq35nHfp8\nRm6WnCZIaGsZqgoDuSJD280ZLWW7R0PMcnypAgMBAAGjQjBAMB0GA1UdDgQWBBQZ\nh3/ckcK23ZYKO+JsZowd3dIobDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE\nAwIC5DANBgkqhkiG9w0BAQsFAAOCAgEAjh4CdrwnLsqwVxyVSgxd7TfSHtKE/J2Y\n2IZ4fJYXGkq3McPk2e9u0zjCH0buvfDwyAItLIacD+YwIP+OC2WxLe+YMZ5KkXl3\nLuhQ2TOoRlrbp5tYLQITZIIl9+vNkgnn1DkdxkLm9cDDag19LSxa9Rjrnb3wwFAT\nIzEhy+d18FpQtdMMhmonU/L8Oy5LqjT5BR3T8VrXYUsaAkcUs/yHNTFAY3iJFBWL\nZ8dFa5v0A1Ryi8quSNo7lK/hSEZvvV9k4XfFAolXSUqe8BCuXe0rbAq3Jq9HgDww\noImGM0uz4Zf89uhTk1O7UOUfQoSTmA0yZICtQkCiOC0J4AlAOTmiEXUC9gicV3R8\ndvVOqNBOcBELglZ+NIMm6FQQqPh1nZ6A3Bh+JRTPerAF12725RZZE6XMxq2MSr3G\nk5yH10QPMH7/DJRQUhRHAhbge+jk2csa7EGSxABcbsPLSV+cEzXRO4cJeItoZQLh\nsaFhIn9lGukXG6lgiperOqZl6DFVcUG6/nogK7KOTAnV9zjR/7vNwvYzPI9iOR3V\n6dbG38KnipcfL885VLJVTnfhvYHlxFklCKTEnOHnmKsM0qjQuky3DBzmDA6iqeOM\nSHRje5LKxi7mllJfu/X0MxYJWiu6i4gMCWZsC3UtAJQ09x7iwcNr/1bl9ApGszOy\nUff0OxD2hzk=\n-----END CERTIFICATE-----\n" + trusted_ca: { filename: "testdata/certs/root-cert.pem" } require_client_certificate: true ` 
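Review bot: The new `filename: "testdata/certs/..."` entries are relative paths that Envoy resolves against its own working directory, not the test binary's; the `s.Dir = driver.BazelWorkspace()` added in the @@ -150 hunk of this file is presumably what makes them resolve, but nothing in the tlsContext template records that coupling. A comment above the template, `// Certificate paths are relative to the Bazel workspace root; see s.Dir in TestTcpMetadataExchange.`, would document it. The same applies to the identical replacement in the @@ -63 hunk below.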
@@ -63,13 +61,10 @@ tls_context: alpn_protocols: - istio2 tls_certificates: - - certificate_chain: - inline_string: "-----BEGIN CERTIFICATE-----\nMIIFMTCCAxmgAwIBAgIDAxaCMA0GCSqGSIb3DQEBCwUAMCIxDjAMBgNVBAoMBUlz\ndGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTE5MDcyMjIxMzAzMloXDTIxMDcyMTIx\nMzAzMlowNzEOMAwGA1UECgwFSXN0aW8xGDAWBgNVBAMMD0ludGVybWVkaWF0ZSBD\nQTELMAkGA1UEBwwCY2EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC4\nrEngnty6lVXmyFqC5DsLpoDXWPaOXr4bmKYHL4PeL5vX/OOn+kbHhm4JjYOxKTmO\nYtdLttsQZT7jUd+3WercyVIesWULIO33VbEtNvqKE408J0+5W266+Y+dSmVbrbOf\na6nKP6gpVf1r7Rf0NeS4S3XnUQ0igWo/Pbqn3S2C+ewkR66sCAB5vopKLzdABIN1\n7oLXil2mY4cotk4QPDRgk+AHh+uw1w6JC2c3FcNi3MLh7DIVsLyX//3BWX2bs4jR\nFKva6w1KX2nohECj5FqCd7JuFdqtQO+XW5Ihhag3Hzq9VrqDgR2h0XACLqRNJQG4\n0yzP0b0SvOdpOj6JE33IxOBcLGTvrteBadA0sMzWoCfqYeFLOBhFUGSDamHqd0Or\nqIAza/dE3Pb3VX0OZzW601PqnWXr4YDIKIdb3tgc97j/zbYvcjp40MQfgik6S/lZ\nv8E5ZHHc1Je0zGojL8mAjoklCET1HyP/aRSMIRekdYuCjPqjVyrGeeS3R/Fatigm\ngicVYvFDT7iGauyHPA7894CavHVaA40q20Y78bDJSVgsiznNGN7n2oenBZ7P8kbk\nY2pbNnqhn67v5Na1uSHVGMjB+kbVn0WZbbSawKp0W30TCtnuaBdfI1QjOWYdkIEs\npvtdI31V3cLJO9vzegwhcdYS7YG95m6VrdMQbaBE3wIDAQABo1swWTAdBgNVHQ4E\nFgQUuTgg1nLlC0d35VPxZh1T6NqkDg8wEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNV\nHQ8BAf8EBAMCAuQwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUA\nA4ICAQBV0mZPDPDOna692/cRVP2qHoHzEsYLttTioRCmQT8ideW8tpW7IwWozpKr\nBlcaCXUc1K8hoMFSgYCcuh+VMH8qNCQHDEcWoPHPBFrr83ALRVdh4cYeMa7ZcIRS\nl08Fa5TbVQXDkkj+t0KFr6VIBzXvVw8W/r8bgy4LSu/33WGQg4fRecp9mm0j/P8Y\nDaWalN1m8TeRZtN1k7ltHmkeOPH+3NlgZ4YvlZ+ltPMrXowdP+/nCZgeR1BzFmer\n0EVZ0Hq35EvXrmrrN5X4cc3b9OmaQpPQxqSlA/8hwyd0ItLZCYv1v4CB+0AI6CvY\nP2RtxJ87UCz9wlthIlV2a8/d0NItV08HATfK5nXjuY8Ndm3V+jgEGGivizEaSeso\ngrBKJ/TbyoUpsfji5Fc2ogzrGkon1EFgR/WJ8FVlty2YVnjTfjVxD8OJ8Znjm1MH\nYbisHAdTqTND0Fa2F7GFxtltD0DxQ2zsH3D8W98dxeRRigYCifixqFtk72iE702o\n4K3CfPhi7MN4dxbQNFXtjrjnIQn9lN+ih+E1RK0Z4LTrd4WwsJF1MHBm6MRIFu4t\nxaJb3fB5Artwn6DJ1vhfLoONDfwbrRL9/QDt0fFKtnCMbHcApsGJmrXskGim8Kma\nCw3FWjtdhpzmgK5L0SVell2IK3gEF3rphETn37YFDCttOUzpCg==\n-----END 
CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFFDCCAvygAwIBAgIUZqU0Sviq/wULK6UV7PoAZ7B+nqAwDQYJKoZIhvcNAQEL\nBQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMTkwNzIy\nMjEzMDA0WhcNMjkwNzE5MjEzMDA0WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE\nAwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANNl5/pH\n/ktdqEsb83cqHrYJCyzbvWce6k/iud4Czu6FClFX8b+n/Rv9GrZFxJwKAFlUx3iA\nBGlSn/1XYpnhudQhgVGvyuWNO5kX4BfrAJwfWt+7Mn6NcWvunDqwqUPxI07sgCJW\nAYBAwkZH/Nhn6tj571XWNPziUtCwlPNkFMiRu/2nI/tq12IgwimFjVgiCuprNfyX\ntQz/DMVTWpCRQLK5ptlYMfk0P25UKyJdKHnr1MPQBJmPXMfSSqpGjksikV4QnYc7\nCXB3ucq7ty0IWA8QXH+86WqMTh22mosWVXHe0OGbzYtuyVnXc1G7YRv4D87G3Ves\nG4n/8e+RaDTacvwOsYEkuQGk+s8pggPkIqydGy02JNZ4cSRpXJRTzME2BgBZxT8S\nEw1Omr5+iuLNRAKEYRM/eWI7qrs5fxpD6K9JELHS41hWHGdW94PP0wKz70trx5pM\nfLpcVm7BQ5ppgf+t4vgKnrNiACQpfyZbInCBU0doaZaqVMnKH0vgyM7xrC43fsOP\ny5URy3tEH8Uk7Dbvsmj7AXR7IPKlYtgcqcJXmeWa+kLOpx3G55hgJL1ySrxXg/qz\nAobgmV0IycH2ntn5lXvjbwe0cfXAnZgGoALZjJVuEazyBmmVzjBjG2Qcq35nHfp8\nRm6WnCZIaGsZqgoDuSJD280ZLWW7R0PMcnypAgMBAAGjQjBAMB0GA1UdDgQWBBQZ\nh3/ckcK23ZYKO+JsZowd3dIobDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE\nAwIC5DANBgkqhkiG9w0BAQsFAAOCAgEAjh4CdrwnLsqwVxyVSgxd7TfSHtKE/J2Y\n2IZ4fJYXGkq3McPk2e9u0zjCH0buvfDwyAItLIacD+YwIP+OC2WxLe+YMZ5KkXl3\nLuhQ2TOoRlrbp5tYLQITZIIl9+vNkgnn1DkdxkLm9cDDag19LSxa9Rjrnb3wwFAT\nIzEhy+d18FpQtdMMhmonU/L8Oy5LqjT5BR3T8VrXYUsaAkcUs/yHNTFAY3iJFBWL\nZ8dFa5v0A1Ryi8quSNo7lK/hSEZvvV9k4XfFAolXSUqe8BCuXe0rbAq3Jq9HgDww\noImGM0uz4Zf89uhTk1O7UOUfQoSTmA0yZICtQkCiOC0J4AlAOTmiEXUC9gicV3R8\ndvVOqNBOcBELglZ+NIMm6FQQqPh1nZ6A3Bh+JRTPerAF12725RZZE6XMxq2MSr3G\nk5yH10QPMH7/DJRQUhRHAhbge+jk2csa7EGSxABcbsPLSV+cEzXRO4cJeItoZQLh\nsaFhIn9lGukXG6lgiperOqZl6DFVcUG6/nogK7KOTAnV9zjR/7vNwvYzPI9iOR3V\n6dbG38KnipcfL885VLJVTnfhvYHlxFklCKTEnOHnmKsM0qjQuky3DBzmDA6iqeOM\nSHRje5LKxi7mllJfu/X0MxYJWiu6i4gMCWZsC3UtAJQ09x7iwcNr/1bl9ApGszOy\nUff0OxD2hzk=\n-----END CERTIFICATE-----\n" - private_key: - inline_string: "-----BEGIN RSA PRIVATE 
KEY-----\nMIIJKAIBAAKCAgEAuKxJ4J7cupVV5shaguQ7C6aA11j2jl6+G5imBy+D3i+b1/zj\np/pGx4ZuCY2DsSk5jmLXS7bbEGU+41Hft1nq3MlSHrFlCyDt91WxLTb6ihONPCdP\nuVtuuvmPnUplW62zn2upyj+oKVX9a+0X9DXkuEt151ENIoFqPz26p90tgvnsJEeu\nrAgAeb6KSi83QASDde6C14pdpmOHKLZOEDw0YJPgB4frsNcOiQtnNxXDYtzC4ewy\nFbC8l//9wVl9m7OI0RSr2usNSl9p6IRAo+RagneybhXarUDvl1uSIYWoNx86vVa6\ng4EdodFwAi6kTSUBuNMsz9G9ErznaTo+iRN9yMTgXCxk767XgWnQNLDM1qAn6mHh\nSzgYRVBkg2ph6ndDq6iAM2v3RNz291V9Dmc1utNT6p1l6+GAyCiHW97YHPe4/822\nL3I6eNDEH4IpOkv5Wb/BOWRx3NSXtMxqIy/JgI6JJQhE9R8j/2kUjCEXpHWLgoz6\no1cqxnnkt0fxWrYoJoInFWLxQ0+4hmrshzwO/PeAmrx1WgONKttGO/GwyUlYLIs5\nzRje59qHpwWez/JG5GNqWzZ6oZ+u7+TWtbkh1RjIwfpG1Z9FmW20msCqdFt9EwrZ\n7mgXXyNUIzlmHZCBLKb7XSN9Vd3CyTvb83oMIXHWEu2BveZula3TEG2gRN8CAwEA\nAQKCAgBC6lLerFGo3iHBPQnm8dIfV5bJ8TdtwRC7qSVH50SuBqw+qCjJnht1gtVu\narO0Rw7O9Cu1CK36E+Wksu8QXemHVP+HlZnaXXU8sPVBP/GqhIkhqdDuhh3qbDFI\nukNd4+P5OSbN3SEO0VTBfai3Wavlx5oSVkEfJqub/L8cwj0Sf4K8Zqj5NvENLCip\n1s/7R2dnHSSV+1IRz3CTJPPGWDpWYF7F+89ARbzDlbkxsZYZxYpsGIzRZTgBD8Yg\nAFBOUdCaihX3fkJTl50lnn5ZpI3TRpIF569UJfpq6shZkzevuYYsQzfUHL3i+6PN\ndp8cQPONyB8tsn8DQiXL8Enmm4Rw1KgVicc7r14PT1iNPkB1DJd6a0wTbjHKdt14\naSoVneDJc/7s2clgC/W/PUiKrXff7uaTe3sN0qTN4dtI9uNFT5HQ5Af9+p/coP8z\ncGxGIqQHFzmYivXzkjScrQ4cFHjWSDMBW/fttlrRAOO3qiDOVti1jG2pnbDH1TZU\nailFAD92jlOQ3hel90S7YwjvuU4cw2/JiJLhvQujPUlVfgdRkGMfiZ4PfT+k8uX7\n8fkFWRdbSdO7Fwr9u/7ORcbsX7vUFWT/NSn04a9UYdrHPt6r4ETcKbP0SsQF7Qp7\nw1tIgC/oSDSEulyJzA3o4Ci9v3n67r0yLDeRERHFj51gQ3G60QKCAQEA3CYLSExI\nRQoNu6jxx92jCKIRYlIaTo8f5DbONDqQPJIGiL37GG5Tf2qjanUUZRKPUx1SwfVZ\nP/UMa6IgDYYHO+Kvv2GsOajBlSOjs+28qV3AI+m45qWulT/NaESiDE2nMwAExXIy\nHCqVGgnW8ZMhDhL39Q0Cgt9tUoK6O1fuRrp27uKaLD+YYmhtDWy7mS8BvWcIl7CU\njBOM3PS7rs5RRJd3/8joCmEMGuzPsMtFF2iwA5SigsWLMjD7QHyWPDT0NlShxIMP\nA0LAIcoxer5FoCUw/XorCT6VkY1Mr7dA8D4X2ZIT5ZI/Y7AJZj8Gn47LSfrfCyVF\nvk/CyJnC2Df1KQKCAQEA1r9F17kU3r1DaZeTNuwgOtxDMpEBTbF1GoHz97g4ef3W\nMAWnCw51cTEtmsNqDElWszAWqlRjyHd+N+LdKiicZG3V9bhOSHNHu9QCQDn5um43\nw5IUSI8gQ4CqXhGXfZ5slXdHUYDCZ6VYt+0srR0rEDQoWd0cwYLA3wuOVISl7o4+\nltAbFBrv0G
dCR22tJZwIRqcrqYCKFuwtKuOFzyj597OADCE/qWn8969LBq4kXYdM\n6IosifGOiAF49sl13Q/aDCam60VjEWKF+TqdmsO3TCLvrupuKnvEdXlXK5IJbIXe\n+Z+b2kiov5wBR+u1bfeXdH35uxSgVr86XxXLRe9ixwKCAQBSCKcpoKtJdq6ZYCIA\nbRmEbQf3UErXPUQQAVAjbDM1LuDacZiwiOP6Vd1hHRGlfB4GRaYB+o/wYjrnnLk+\n8NOfQCBnO1k2/yhrj6U/tfYYUoP3ne81m0WL/gNnuDN+TC1itr4QaTY9Aq0ez83V\npRKrMOxO1zM5W1JcbbRByslSd8c7yxrSJDx/ZxRD7WGWekq2rj8obzdbXymdaGDL\nibwEyECCAvZcb79YBSh7Y7NyPqNgIjHQcxYkdNYbOJGvC7h4yl6hYIjmmSgJL1Py\nvhYpz9IKkkyZHEYVv8Z0r9+15h1zCJj7cdzHI+DMxe2M5WPhRGd6ur/bY9NcdteB\nRJDJAoIBAA7XHwt+ZdvStoLoj6re/Ic0y4wGC1IELnSLgIGhAH4ltZSR/247LJCK\n9nzYfk6lDtHJQ/e3Z0HmSBmymtgcAFrMYFnfx8En/lAToagwmXpxvXbNdItjILap\ngJyJmK98sEJQAOS4AjdJbO0g/dJkzqILCLLVHfSdhZikYsyichkfSWIAta5ZAjOj\nvyfSg4Gy27uON+05zdExtxlcqdWcHlIo3HN6JL0fbvTq70Nh629vNzhmvBc4U0JA\n38wmNff17XqjfSuLGwKLjXigvV2Bovwm+etblgtnjDcWEJkZOX9/bN5RUmLuXIMJ\nU+lVd69Gyfep8QUlssLr6ivCBM8rcOcCggEBAMuanzBKGV2ct+TUifFE84zqFIyE\n56PoW0mkKNbtNCswEAsbPPLsdhSoTrkMZcIy933S4TvYe7PXrSwr4w8eGEQv/wvY\nyUkSrNwu38P8V2d6uCkZ5z5TnafzB3g7eRDYw3e6jBl9ACyPcOpc44ScrX4n6mqb\nJOQ0oAvE6LVmwq4HxosSXQVymUhNBUflHpYkG8OBz3e2l+oO+0ojQ1AMspx46gEO\nNmEX44x7BXED0Vf8er4GDMRnVtXBD3z7oerGqJC9CtWK/u4DeLc4cJ2oWTY7wc2r\nQM8PWj4L8NlUfm8t7KG10FUjJlzwPXU1VJXfqzJP2X8yRq3O8OATZgaLjYs=\n-----END RSA PRIVATE KEY-----\n" + - certificate_chain: { filename: "testdata/certs/cert-chain.pem" } + private_key: { filename: "testdata/certs/key.pem" } validation_context: - trusted_ca: - inline_string: "-----BEGIN 
CERTIFICATE-----\nMIIFFDCCAvygAwIBAgIUZqU0Sviq/wULK6UV7PoAZ7B+nqAwDQYJKoZIhvcNAQEL\nBQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMTkwNzIy\nMjEzMDA0WhcNMjkwNzE5MjEzMDA0WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE\nAwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANNl5/pH\n/ktdqEsb83cqHrYJCyzbvWce6k/iud4Czu6FClFX8b+n/Rv9GrZFxJwKAFlUx3iA\nBGlSn/1XYpnhudQhgVGvyuWNO5kX4BfrAJwfWt+7Mn6NcWvunDqwqUPxI07sgCJW\nAYBAwkZH/Nhn6tj571XWNPziUtCwlPNkFMiRu/2nI/tq12IgwimFjVgiCuprNfyX\ntQz/DMVTWpCRQLK5ptlYMfk0P25UKyJdKHnr1MPQBJmPXMfSSqpGjksikV4QnYc7\nCXB3ucq7ty0IWA8QXH+86WqMTh22mosWVXHe0OGbzYtuyVnXc1G7YRv4D87G3Ves\nG4n/8e+RaDTacvwOsYEkuQGk+s8pggPkIqydGy02JNZ4cSRpXJRTzME2BgBZxT8S\nEw1Omr5+iuLNRAKEYRM/eWI7qrs5fxpD6K9JELHS41hWHGdW94PP0wKz70trx5pM\nfLpcVm7BQ5ppgf+t4vgKnrNiACQpfyZbInCBU0doaZaqVMnKH0vgyM7xrC43fsOP\ny5URy3tEH8Uk7Dbvsmj7AXR7IPKlYtgcqcJXmeWa+kLOpx3G55hgJL1ySrxXg/qz\nAobgmV0IycH2ntn5lXvjbwe0cfXAnZgGoALZjJVuEazyBmmVzjBjG2Qcq35nHfp8\nRm6WnCZIaGsZqgoDuSJD280ZLWW7R0PMcnypAgMBAAGjQjBAMB0GA1UdDgQWBBQZ\nh3/ckcK23ZYKO+JsZowd3dIobDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE\nAwIC5DANBgkqhkiG9w0BAQsFAAOCAgEAjh4CdrwnLsqwVxyVSgxd7TfSHtKE/J2Y\n2IZ4fJYXGkq3McPk2e9u0zjCH0buvfDwyAItLIacD+YwIP+OC2WxLe+YMZ5KkXl3\nLuhQ2TOoRlrbp5tYLQITZIIl9+vNkgnn1DkdxkLm9cDDag19LSxa9Rjrnb3wwFAT\nIzEhy+d18FpQtdMMhmonU/L8Oy5LqjT5BR3T8VrXYUsaAkcUs/yHNTFAY3iJFBWL\nZ8dFa5v0A1Ryi8quSNo7lK/hSEZvvV9k4XfFAolXSUqe8BCuXe0rbAq3Jq9HgDww\noImGM0uz4Zf89uhTk1O7UOUfQoSTmA0yZICtQkCiOC0J4AlAOTmiEXUC9gicV3R8\ndvVOqNBOcBELglZ+NIMm6FQQqPh1nZ6A3Bh+JRTPerAF12725RZZE6XMxq2MSr3G\nk5yH10QPMH7/DJRQUhRHAhbge+jk2csa7EGSxABcbsPLSV+cEzXRO4cJeItoZQLh\nsaFhIn9lGukXG6lgiperOqZl6DFVcUG6/nogK7KOTAnV9zjR/7vNwvYzPI9iOR3V\n6dbG38KnipcfL885VLJVTnfhvYHlxFklCKTEnOHnmKsM0qjQuky3DBzmDA6iqeOM\nSHRje5LKxi7mllJfu/X0MxYJWiu6i4gMCWZsC3UtAJQ09x7iwcNr/1bl9ApGszOy\nUff0OxD2hzk=\n-----END CERTIFICATE-----\n" + trusted_ca: { filename: "testdata/certs/root-cert.pem" } ` const clientNodeMetadata = `"NAMESPACE": "default", 
@@ -150,6 +145,7 @@ var expectedServerStats = map[string]int{ func TestTcpMetadataExchange(t *testing.T) { s := env.NewClientServerEnvoyTestSetup(env.TcpMetadataExchangeTest, t) + s.Dir = driver.BazelWorkspace() s.SetNoBackend(true) s.SetStartTcpBackend(true) s.SetTlsContext(tlsContext) @@ -167,7 +163,7 @@ func TestTcpMetadataExchange(t *testing.T) { defer s.TearDownClientServerEnvoy() certPool := x509.NewCertPool() - bs, err := ioutil.ReadFile("cert-chain.pem") + bs, err := ioutil.ReadFile(driver.TestPath("testdata/certs/cert-chain.pem")) if err != nil { t.Fatalf("failed to read client ca cert: %s", err) } @@ -176,7 +172,8 @@ func TestTcpMetadataExchange(t *testing.T) { t.Fatal("failed to append client certs") } - certificate, err := tls.LoadX509KeyPair("cert-chain.pem", "key.pem") + certificate, err := tls.LoadX509KeyPair(driver.TestPath("testdata/certs/cert-chain.pem"), + driver.TestPath("testdata/certs/key.pem")) if err != nil { t.Fatal("failed to get certificate") } diff --git a/testdata/bootstrap/client.yaml.tmpl b/testdata/bootstrap/client.yaml.tmpl index a7c91440f63f..3dc9d6c06ad5 100644 --- a/testdata/bootstrap/client.yaml.tmpl +++ b/testdata/bootstrap/client.yaml.tmpl @@ -39,3 +39,4 @@ static_resources: socket_address: address: 127.0.0.1 port_value: {{ .Vars.ServerPort }} +{{ .Vars.ClientTLSContext | indent 4 }} diff --git a/test/envoye2e/tcp_metadata_exchange/cert-chain.pem b/testdata/certs/cert-chain.pem similarity index 100% rename from test/envoye2e/tcp_metadata_exchange/cert-chain.pem rename to testdata/certs/cert-chain.pem diff --git a/testdata/certs/client-key.cert b/testdata/certs/client-key.cert new file mode 100644 index 000000000000..64d5f6409813 --- /dev/null +++ b/testdata/certs/client-key.cert 
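Review bot: The rewritten `tls.LoadX509KeyPair(driver.TestPath(...), driver.TestPath(...))` call in the @@ -176 hunk still fails with `t.Fatal("failed to get certificate")`, which drops `err`; now that the files are located through `driver.TestPath`, a wrong base directory would surface only as that opaque message, whereas the `ioutil.ReadFile` branch in the @@ -167 hunk includes the error. `t.Fatalf("failed to get certificate: %v", err)` would make the two branches consistent. The new `s.Dir = driver.BazelWorkspace()` and `driver.TestPath` appear to be two routes to the same `testdata/certs` directory, and a one-line comment saying both resolve to the workspace root would help. TestTcpMetadataExchange starts and ends outside these hunks.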
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEA07MQ4NQQrnDxl3gwHh5NNUyJzrYmK57GogtoJype0jrEjldw +XZCYnvJEf9DJs1wtZ5p7Zij5wgM0vJsRB1BMM/uH8M8OikmlCyoajmA7wk5VVSRy +56h6ni14T93YOHEGlmnJOF7mkav1940ppuiNeT4V6+f8SDX+M5z1NplnkoOQAPqh +9s9191dpQC4lGinstioMFdnbXXvdtBFcgzDIsKxEL9/EHM/fCSQrcz0+SeJY0RSM +1GrqnnyWGfTQ/77R6pvhtMbW5ULUR4jKuQ5qvYGyLdn9Xh+k/8u+UXlF50Ndj3VC +kxHGnzFEZFy8QtRCd1jiYsh6HZWgOAeAzUkqQQIDAQABAoIBAGhJtU3cil80+n7w +0Vt09/oCu3yelM02SYn4bpWktNOB6eRpRMyC9/yNQptoooR+K0v3eUTJeMhPxgIH +rerZbsDI7538kqAjSW/njO+IjsfYyQbJjuV6RPV5VuSZV/PuEh20/VCMx68JdIFA +BD3aIB+TKz9sqAZ2usR4VQBRsAknat5RhdcE7CGcbEiNGbSn1ASqTif+oiRZBnTZ +hXik9gbjMi57nG2Mq8Ww0XZGAsFY+NxCldTVI//GwHT38uatjUvF8c/pfpKfDpam +iD7U0EJsPUh/nzITCX+py7BDYcYDByhLWbgviH7/CoMT3wnggZQfpljepEG9PqMF +59FYAoUCgYEA9sv853zOR50msCs/66ohh5zbC/1DH1J9yWsk0VsmH096zfgUGCqP +0aTT7b25XnZYkvGiWslp8IEHc6ADEkwGsp88i0EvVO2pK/3xdAaCReVqF6jZs9Dn +0CuJHmJfgZaJsGT8ofQfUOSWhddLXGcLHMinjaPZOakn8XAizbtcoRsCgYEA25gG +pdD1xwU07y8iVY6gxsDQbNRJbAkgtVju/8fIkqe/PxhvwUhxF8zdlL29+P/PYBjw +P4L9zHVXQUKqV4clBECuhA31Yz9zhfivzz6y4NLzM7+6EzjQ4TOLlo2Vp7oPjN3y +29NHbPqG4JEwJ8aqXJqtWMUUdp4LuF+N5dkIM9MCgYAPXUOxZaOx8aam8QpZsY3E +048PgATdvlT2ZSU1o2cMK/aJPBiEKKIrewd2lYkkyFlbTI++9ysRPfcoy51lVjZU +iHVMdhJsRx9xDa4qev1BPLcOIgTrnOXRn+Q5cAZiGu0XfjH8IyaP8qssSer3JbMb +Z6KGvtyXKmDCNyjzheaOYQKBgAsBysuC9t7b9vRKQ4lQVeTAg3IBDhEZQAd3BrvR +cs9PEzoBapCgpfKQdUbgX+ZcRDPH7DrywO//rbj6s3khsAxPha/e1z77TjoX5hAY +T3UPfdtJL/WIsoenQsbwH+FBZUglU+gK5hijUiFthaFoxt9PbYL2lfkAIQxD1eQA +hfW7AoGAGflnz6ea3u1j0hAFykKZ3D/82/qCjaB2H2jmdpl2xHodhUodrmYWkDBu +vB28ez8aTx8QlIk0GIVVYolM7zlyCBs6FXrH34fL9P44najLqfQUbKdUUOqb6lfT +BC1Kcvm8frJLtUUqFTkgtgrRlqihIja1uvF65VoHF1AfjUslhdc= +-----END RSA PRIVATE KEY----- diff --git a/testdata/certs/client.cert b/testdata/certs/client.cert new file mode 100644 index 000000000000..f4ba596de3c6 --- /dev/null +++ b/testdata/certs/client.cert 
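Review bot: `testdata/certs/client-key.cert` holds an RSA private key, not a certificate, so the `.cert` suffix is misleading; the same applies to `server-key.cert` in a later hunk, while the `key.pem`/`root.key` fixtures in this same change use key-style names, so `client.key`/`server.key` would match them. Because PEM files give no room for an in-file comment, a short `testdata/certs/README.md` stating that every key here is throwaway test material produced by generate.sh, and which test consumes which file, would be the right place for that note.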
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDXDCCAkSgAwIBAgIQUwQ9hAAm16Yf+PkWD1VM/jANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQBgNVBAcMCVN1bm55dmFsZTET +MBEGA1UECgwKZ29vZ2xlLmNvbTAeFw0xOTA4MTIxODU2MDhaFw0yNDA4MTAxODU2 +MDhaMBMxETAPBgNVBAoTCEp1anUgb3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEA07MQ4NQQrnDxl3gwHh5NNUyJzrYmK57GogtoJype0jrEjldwXZCY +nvJEf9DJs1wtZ5p7Zij5wgM0vJsRB1BMM/uH8M8OikmlCyoajmA7wk5VVSRy56h6 +ni14T93YOHEGlmnJOF7mkav1940ppuiNeT4V6+f8SDX+M5z1NplnkoOQAPqh9s91 +91dpQC4lGinstioMFdnbXXvdtBFcgzDIsKxEL9/EHM/fCSQrcz0+SeJY0RSM1Grq +nnyWGfTQ/77R6pvhtMbW5ULUR4jKuQ5qvYGyLdn9Xh+k/8u+UXlF50Ndj3VCkxHG +nzFEZFy8QtRCd1jiYsh6HZWgOAeAzUkqQQIDAQABo3wwejAOBgNVHQ8BAf8EBAMC +BaAwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBT1a7HehaEjoID50KbCqhryIRwh +ETA5BgNVHREBAf8ELzAthitzcGlmZmU6Ly9jbHVzdGVyLmxvY2FsL25zL2RlZmF1 +bHQvc2EvY2xpZW50MA0GCSqGSIb3DQEBCwUAA4IBAQBW/xkRoVxuo+g9P6/mWuVI +BSY7tsrdff8qkKzEmRLLSgMUFpDw5529wUSAsOwPjHK9xXeCT5lLxQMcbaGShf70 +4r/lceFJXUpQ0NHU6uJx3DdTUXXhDc4Zhq6rX1GaxqYvKWVMAKCPmDEXVHd5Yh4u +ZZIeq1uOTc7t3B6wXhQ68zY2GURjEMksafoCT65J/2CD5fBgBFOEeYxCl4iN5Vcv +MM+xfi1ZiGTAakiCSSOUydaP5MBdbl04ZMKDDEZTRLJwEDmg0T1x6/T7zumtjrnX +5T4c/LV5cEMMb4vjty5MSNY/8t5dT6Bq8T4tAEN83W2OyABfSowyecXAItcMcZ66 +-----END CERTIFICATE----- diff --git a/testdata/certs/generate.sh b/testdata/certs/generate.sh new file mode 100644 index 000000000000..1dcb75bfe7b6 --- /dev/null +++ b/testdata/certs/generate.sh 
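Review bot: The validity window encoded in client.cert appears to decode to 2019-08-12 through 2024-08-10, the same window as root.cert and server.cert in the following hunks and consistent with `-days 1825` in generate.sh, so TestStackdriverPayloadWithTLS will start failing with an expired-certificate handshake after that date and nothing in the change records the deadline. A line in generate.sh such as `# Fixtures expire five years after generation (currently 2024-08-10); re-run this script and update the principals in stackdriver_xds_test.go if the SANs change.` would make that failure mode discoverable. The URI SAN also appears to decode to `spiffe://cluster.local/ns/default/sa/client`, which is exactly what the test's `SourcePrincipal` Var hard-codes.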
@@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +openssl genrsa -out root.key 2048 +openssl req -x509 -new -nodes -key root.key -sha256 -days 1825 -out root.cert + +# generate mTLS cert for client as follows: +go run security/tools/generate_cert/main.go -host="spiffe://cluster.local/ns/default/sa/client" -signer-priv=mixer/test/client/pilotplugin_mtls/testdata/root.key -signer-cert=mixer/test/client/pilotplugin_mtls/testdata/root.cert --mode=signer diff --git a/test/envoye2e/tcp_metadata_exchange/key.pem b/testdata/certs/key.pem similarity index 100% rename from test/envoye2e/tcp_metadata_exchange/key.pem rename to testdata/certs/key.pem diff --git a/test/envoye2e/tcp_metadata_exchange/root-cert.pem b/testdata/certs/root-cert.pem similarity index 100% rename from test/envoye2e/tcp_metadata_exchange/root-cert.pem rename to testdata/certs/root-cert.pem diff --git a/testdata/certs/root.cert b/testdata/certs/root.cert new file mode 100644 index 000000000000..c6c8d2bd0418 --- /dev/null +++ b/testdata/certs/root.cert 
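Review bot: generate.sh does not actually produce client.cert, server.cert or their keys: after writing root.key and root.cert it only leaves a comment pointing at `security/tools/generate_cert/main.go` with a signer key under `mixer/test/client/pilotplugin_mtls/testdata/`, which is not the `root.key` the script just created, and the server identity is not mentioned at all. Either run the generator for both identities with `-signer-priv=root.key -signer-cert=root.cert` and `-host` set to `spiffe://cluster.local/ns/default/sa/client` and `.../sa/server`, or state which repository the tool lives in. The `openssl req -x509 -new ...` call has no `-subj`, so it prompts interactively; passing `-subj` with the existing root.cert subject and adding `set -eu` after the shebang would make the script reproducible.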
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDZzCCAk+gAwIBAgIUMzjfEUF3LQ/WfBiwIC9h+qndbGYwDQYJKoZIhvcNAQEL +BQAwQzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZh +bGUxEzARBgNVBAoMCmdvb2dsZS5jb20wHhcNMTkwODEyMTgzMTAyWhcNMjQwODEw +MTgzMTAyWjBDMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQBgNVBAcMCVN1 +bm55dmFsZTETMBEGA1UECgwKZ29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAL2O52MbZig1pfU1tut+QX/ISI3m2uMi079ZWy4ZE+Ccm4Ta +XdR66T94T2x7uWbT2AtNIxZO+LPT75Suh1Zb/O1px3dKul7U1Fpl7gLVnKXQ35zL +/fCh7MPa+aipZHH1KGG56ebdmoXrKM+S5k502Dm0Q0uyGxksBAiXHyixaiq00rYV +XYrv9qw1wphYea2SLBRaQOpJrPI1CZu267LTMTq9a6gGTwMuz9tDveT/cM8Nh17C +so+6PrLEbpXAJPqNUyuJBGsDG9AyqBh4ZKmgRDR+ZE03jNncaEx2vkjFenXLI+// +YgZA1NJVAefCFfGRNGRZ+bR/01brUbnuGJCgJv0CAwEAAaNTMFEwHQYDVR0OBBYE +FPVrsd6FoSOggPnQpsKqGvIhHCERMB8GA1UdIwQYMBaAFPVrsd6FoSOggPnQpsKq +GvIhHCERMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBALKX8nmy +SN8+MB5cSj/LymQpYlJVdvf0p2cBikWCVcAWL+CvBafYF0Y93ooKbv/jCZhWdGmz +ItbJjwauaXDphHEGbAzyjsQXH1ZQti6+HigMIvTOYuqiOd+Lstdim9QHvgLCywT0 +PJ3k44/KyfEXN870heJmEDN4uv+hASmH+9zvhRqE/ABnb2An4auQT5j3/BXU0jjl +sv3XDZ/Ke4PXqPptg4VGbhQi1+OUFoqAgvQFGbur0hnWFPsehC29kISMAJt/iTGJ +HC0g4ZKkij56ohHIB6OLNJ1rGMS9OFwt+0ok0AI7kVI5K3KLdhPEY1k48t6ThFCn +wPWDdGnjesEmztc= +-----END CERTIFICATE----- diff --git a/testdata/certs/root.key b/testdata/certs/root.key new file mode 100644 index 000000000000..3d0debfc5ab4 --- /dev/null +++ b/testdata/certs/root.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEAvY7nYxtmKDWl9TW2635Bf8hIjeba4yLTv1lbLhkT4JybhNpd +1HrpP3hPbHu5ZtPYC00jFk74s9PvlK6HVlv87WnHd0q6XtTUWmXuAtWcpdDfnMv9 +8KHsw9r5qKlkcfUoYbnp5t2ahesoz5LmTnTYObRDS7IbGSwECJcfKLFqKrTSthVd +iu/2rDXCmFh5rZIsFFpA6kms8jUJm7brstMxOr1rqAZPAy7P20O95P9wzw2HXsKy +j7o+ssRulcAk+o1TK4kEawMb0DKoGHhkqaBENH5kTTeM2dxoTHa+SMV6dcsj7/9i +BkDU0lUB58IV8ZE0ZFn5tH/TVutRue4YkKAm/QIDAQABAoIBAQCFj8hHk4micVKS ++Rr+yQIbqCI/Idc+zU5HeA1/6JmR3KbTsA0G5uesGfhUZsTWyBNkuyAq2s/v3Tfl +Gigv2DbZjXvG+PdiVDGf1Ewk4SAz0X2NfEpcH6u0wHjCt0AX73ZZjWZajfAPxgcG +Yuo1g6zK09HK5x6i2Nmqt9hzkrZMic0i8oRCGSdMVuROuLedpsnsXLd5PI5OgiRj +xMXbYfk1oviwdKiIo44wvp+XAKriCHEkJdD5RVKLarKWfPkgriK+CrUv8+C6O03X +PLuxKUpOUEYwhi4dm1Pd5mIziOZbDI56lUU/9UC5vhg0/EY8G2xwvubLKP/bQCFJ +jJdJEf4hAoGBAPp6zBPii51q6GqbFJTvzOJ39mDtzS28JbilKysEuxcAH5QegsUL +PtABGqieiUoCBjSXJvW+6ReALpDk2RTpnWw5AGEJFBu64w5eWiUhr+CDVisr1VqD +oG6IVYi9bsNDsP7VZSemRmkZ5GgChzHpPp0m9lvHZ4yBzVxmVJUx+/SpAoGBAMG8 +Y3+B9wx7Cmc7SkGLPGOiEENSZlXCWdUKhQZCsBcgZgY4SGtDy0LTgkQHZf3k68OE +U/c7K1S7IUXCgyzXQc+KRd82y9fAOSRN9ZWLg9In+HAIWdPNvzU3rfZZmTLQRQj5 +NR0wzXB/06HBl135RG8oFQNAXA5fRrmdemhHUoA1AoGBAPXlq4cx9kIZ/AT8Ld5w +9EC36EYL7kuh055Ld++Je2n/EwFEWri6a3WkP9mdmcXv6suiP/ss6oPJsO1J3Nss +5QCjjP21/emjNNicQ/8D7TeJeAR1ycRMSCl66g2NerlzMMVcFSwxjhoL8zEwmiyj +gHajE2PShJNpsoOtagf1xBXRAoGBAKcG+mlV7V5vPfreXRjBKCFl+ctw4RWS58wK +s8FAAX0Oy6cVIyqHWliU7bwk/MO2d6UrExEVjDgS1Y7FMj6Ynv6FYdQd9ARgj2ND +azWxAMdQ+pnsOTWoLu98v5iiirgKY1pnMGmoR5Z0Pks5En1MiLmkvuj8teEWN22T +3ZLF2tT5AoGBAO1cIyyt7CHYvlTHpFpdfWtwCMepKTX2TV430qBwXItW7hhv9now +lvMVIDBVFaLfYTbMBkUWAE603t52hQ/brxhbzo72T87s6hVgzMnxu2cUJbu9s47i +c5MjY6ddvw/cN7nNTMLRWHYFDncJIV4wyKmKOTHdeSB93/UcYZKKH6HS +-----END RSA PRIVATE KEY----- diff --git a/testdata/certs/server-key.cert b/testdata/certs/server-key.cert new file mode 100644 index 000000000000..54075a4da215 --- /dev/null +++ b/testdata/certs/server-key.cert 
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA4vmrWwXSHIOLtRzMnPaAx2jB7kVzUd2PMIddSczm1JJFYusE
+GV0JoDGK3ZNh5bz0Ye7F/mKAOlv1a13sAJ8jcx7GC0UgbIbA2+0b/sOGXXu/9rhp
+ahLa7wC6mxdlXE85EwAk/EwCkgXqD5Zrbq6rinJ1Rw3S8AxPrIT422FzpHV+mjAa
+PW9qcC8w53/aMAxg80uBcge/4gYamD3bDnoRQp0bywrv3gtE+d20OusA8gN99x93
+6yoEotVukZkq8Dbj7CQFhXvPhDkBTIm4cynA1h9V0GEgWCr9DDWV3A9nftL9bDPT
+r4oznZSJG41+VTx9/tLY1imjvRe6lqGgxRgdcwIDAQABAoIBAQDSZz9BkZPEeuz3
+Z0sF9jxKngGoLxlHumsSQWlpEFiqlS1dFR8no+dYaJSh8g2+OfsRDZbcydK0Rqqq
+bNZpfRwPi2dq6xmzgPcm6BYbhIT6A81fmHOfsPris3pIate7SnVN98RRXOTFGFZx
+PK86WxEJtjChPV9cxwzUkC9grmXU/Jbk1Dfdn2karEGnzwwhpZjsukUG/c1ug6Ig
+6Wa1Ml5uxU0TAx44IFi3c6kMLf3hJVOc5wDtA196TGfhcAKBUYDW4DhOWt5gkg+C
+YYry1zLfTrMt019bnMp4AG8ximmAhkH+As9G/v4Qg7+oPJ4CdQ7uJUd7HSfbl8U5
+jgefqPuBAoGBAPb/alLTN3BiJAh2JnffTQYOpLQdQ8kamoNcA+WtxRKEOyLii9W2
+UOieDiyzZqFuvqRqNmPhWuC04Q55TIZKZHFW23KEiLspIZxp47Zghy7IV99xR/bo
+TcWNGVh8CuJpO5u8sc863+x2hO61oWe/S3d82sW+ffsswYMQs6Gg6NNFAoGBAOs/
+b9SN6+WVZ1a+i0JsC8RDbtWvo1AyE6uT03IL2jJRAlGIWjejc+bPUbfwU/1IdrjG
+LJOVSVK63cep5Zsz/1dgfOWZ6nabvzTLhLaKxXiKgKjABeQhvRk0OfE/aZsVy2ul
+X9iXH/mNZj09A1KHB0TKswLXmbY2quUg2dUlu51XAoGAXGd1mYLXbL3qiRfakGID
+6M41pASGxYekYpxcAOMfpSu/C/ABLHTGlB/9YY/ER4Ss4cmyi29VlldVExsiG+Nc
+7GH4O0GF/a8HmgKrZCF8sW3WIgu5Ro/l+JAu+UF+uPFxkXPoeYSnHUnBtaRRvAR+
+8TbOicgYTY2S37ux2DfgopkCgYBwClWLqVA5lu+Ru8x9hRIRloA6G52vezotFIm3
+Hnf8UOLGzCcTqrBvtDvaXAbUcefBVvkyDP7P/RnVl1A4nAo3pke13plxhfoJ/ggm
+HG+yWlyugk4L+hmi4GHcSXRVnYq1qRy9/jQHWdXgwqdLbe4DUHrzlpWp192KpRu6
+TW9OnwKBgQDpM23NlpduTo0iCsKvTcjSZUrz7tQJ12T740ZjWe1s8vNvOcRoeO8A
+JQzVhxxOQx8mC3+NsbMWjkACAS5z6byC1rle88Gexnw5pT7MlaZU3xnxMukRIso/
+Oo3EnpZzE6UlZ782oz1ibrpEGqn112marhzUIwoM/PnhNHKlTZLH/w==
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/certs/server.cert b/testdata/certs/server.cert
new file mode 100644
index 000000000000..8db6682a96be
--- /dev/null
+++ b/testdata/certs/server.cert
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDXDCCAkSgAwIBAgIQVTt6pYOM9fp3zF1NXUUJojANBgkqhkiG9w0BAQsFADBD
+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQBgNVBAcMCVN1bm55dmFsZTET
+MBEGA1UECgwKZ29vZ2xlLmNvbTAeFw0xOTA4MTIxODU1NDlaFw0yNDA4MTAxODU1
+NDlaMBMxETAPBgNVBAoTCEp1anUgb3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA4vmrWwXSHIOLtRzMnPaAx2jB7kVzUd2PMIddSczm1JJFYusEGV0J
+oDGK3ZNh5bz0Ye7F/mKAOlv1a13sAJ8jcx7GC0UgbIbA2+0b/sOGXXu/9rhpahLa
+7wC6mxdlXE85EwAk/EwCkgXqD5Zrbq6rinJ1Rw3S8AxPrIT422FzpHV+mjAaPW9q
+cC8w53/aMAxg80uBcge/4gYamD3bDnoRQp0bywrv3gtE+d20OusA8gN99x936yoE
+otVukZkq8Dbj7CQFhXvPhDkBTIm4cynA1h9V0GEgWCr9DDWV3A9nftL9bDPTr4oz
+nZSJG41+VTx9/tLY1imjvRe6lqGgxRgdcwIDAQABo3wwejAOBgNVHQ8BAf8EBAMC
+BaAwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBT1a7HehaEjoID50KbCqhryIRwh
+ETA5BgNVHREBAf8ELzAthitzcGlmZmU6Ly9jbHVzdGVyLmxvY2FsL25zL2RlZmF1
+bHQvc2Evc2VydmVyMA0GCSqGSIb3DQEBCwUAA4IBAQCsBUDD33vlXI1FvwZuqSZ5
+zHQtH7N9jFtPu8qTkhHTlnA/Tt5S0IxuZDt2XfAhzYyQOgP6z8yVxdDP4FSlQuXq
+TrFr9tT4DGBOh44oV/SYUX5zn9RFJ+HJ22U5cEUo+WpqTx/vQzrm4kI3KMZ7Augt
+W915b1lkjrVlW+pnT7gGNYX4DD7cDX3vKfWDb78zb5hhdbyX/8jJx4BRfvdmO0E8
+qbpQgGZj5sbhmJ7a4bGhA3OFproEznmvGP85a+jT/pEO7V9fb3YBW5z7xr/fEnyu
+50d3ydKKPzM6oQY6FjLIwKzqo7bVtQCYSzk2n49Sjs+GKphG/oCWhqW6JKbs8D0n
+-----END CERTIFICATE-----
diff --git a/testdata/stackdriver/client_request_count.yaml.tmpl b/testdata/stackdriver/client_request_count.yaml.tmpl
new file mode 100644
index 000000000000..3e67a784185e
--- /dev/null
+++ b/testdata/stackdriver/client_request_count.yaml.tmpl
@@ -0,0 +1,30 @@
+metric:
+ labels:
+ destination_owner: kubernetes://api/apps/v1/namespaces/default/deployment/ratings-v1
+ destination_port: '{{ .Vars.ServerPort }}'
+ destination_principal: "{{ .Vars.DestinationPrincipal }}"
+ destination_service_name: 127.0.0.1:{{ .Vars.ClientPort }}
+ destination_service_namespace: default
+ destination_workload_name: ratings-v1
+ destination_workload_namespace: default
+ mesh_uid: mesh
+ request_operation: GET
+ request_protocol: http
+ response_code: "200"
+ service_authentication_policy: "" # TODO: upstream TLS indicator is not reported
+ source_owner: kubernetes://api/apps/v1/namespaces/default/deployment/productpage-v1
+ source_principal: "{{ .Vars.SourcePrincipal }}"
+ source_workload_name: productpage-v1
+ source_workload_namespace: default
+ type: istio.io/service/client/request_count
+points:
+- value:
+ int64Value: "10"
+resource:
+ labels:
+ cluster_name: test-cluster
+ location: us-east4-b
+ namespace_name: default
+ pod_name: productpage-v1-84975bc778-pxz2w
+ project_id: test-project
+ type: k8s_pod
diff --git a/testdata/stackdriver/server_access_log.yaml.tmpl b/testdata/stackdriver/server_access_log.yaml.tmpl
new file mode 100644
index 000000000000..158ef2dd6137
--- /dev/null
+++ b/testdata/stackdriver/server_access_log.yaml.tmpl
@@ -0,0 +1,136 @@
+entries:
+- labels:
+ destination_principal: "{{ .Vars.DestinationPrincipal }}"
+ destination_service_host: server.default.svc.cluster.local
+ protocol: http
+ request_operation: GET
+ response_flag: ""
+ service_authentication_policy: {{ .Vars.ServiceAuthenticationPolicy }}
+ source_name: productpage-v1-84975bc778-pxz2w
+ source_namespace: default
+ source_principal: "{{ .Vars.SourcePrincipal }}"
+ source_workload: productpage-v1
+ severity: INFO
+- labels:
+ destination_principal: "{{ .Vars.DestinationPrincipal }}"
+ destination_service_host: server.default.svc.cluster.local
+ protocol: http
+ request_operation: GET
+ response_flag: ""
+ service_authentication_policy: {{ .Vars.ServiceAuthenticationPolicy }}
+ source_name: productpage-v1-84975bc778-pxz2w
+ source_namespace: default
+ source_principal: "{{ .Vars.SourcePrincipal }}"
+ source_workload: productpage-v1
+ severity: INFO
+- labels:
+ destination_principal: "{{ .Vars.DestinationPrincipal }}"
+ destination_service_host: server.default.svc.cluster.local
+ protocol: http
+ request_operation: GET
+ response_flag: ""
+ service_authentication_policy: {{ .Vars.ServiceAuthenticationPolicy }}
+ source_name: productpage-v1-84975bc778-pxz2w
+ source_namespace: default
+ source_principal: "{{ .Vars.SourcePrincipal }}"
+ source_workload: productpage-v1
+ severity: INFO
+- labels:
+ destination_principal: "{{ .Vars.DestinationPrincipal }}"
+ destination_service_host: server.default.svc.cluster.local
+ protocol: http
+ request_operation: GET
+ response_flag: ""
+ service_authentication_policy: {{ .Vars.ServiceAuthenticationPolicy }}
+ source_name: productpage-v1-84975bc778-pxz2w
+ source_namespace: default
+ source_principal: "{{ .Vars.SourcePrincipal }}"
+ source_workload: productpage-v1
+ severity: INFO
+- labels:
+ destination_principal: "{{ .Vars.DestinationPrincipal }}"
+ destination_service_host: server.default.svc.cluster.local
+ protocol: http
+ request_operation: GET
+ response_flag: ""
+ service_authentication_policy: {{ .Vars.ServiceAuthenticationPolicy }}
+ source_name: productpage-v1-84975bc778-pxz2w
+ source_namespace: default
+ source_principal: "{{ .Vars.SourcePrincipal }}"
+ source_workload: productpage-v1
+ severity: INFO
+- labels:
+ destination_principal: "{{ .Vars.DestinationPrincipal }}"
+ destination_service_host: server.default.svc.cluster.local
+ protocol: http
+ request_operation: GET
+ response_flag: ""
+ service_authentication_policy: {{ .Vars.ServiceAuthenticationPolicy }}
+ source_name: productpage-v1-84975bc778-pxz2w
+ source_namespace: default
+ source_principal: "{{ .Vars.SourcePrincipal }}"
+ source_workload: productpage-v1
+ severity: INFO
+- labels:
+ destination_principal: "{{ .Vars.DestinationPrincipal }}"
+ destination_service_host: server.default.svc.cluster.local
+ protocol: http
+ request_operation: GET
+ response_flag: ""
+ service_authentication_policy: {{ .Vars.ServiceAuthenticationPolicy }}
+ source_name: productpage-v1-84975bc778-pxz2w
+ source_namespace: default
+ source_principal: "{{ .Vars.SourcePrincipal }}"
+ source_workload: productpage-v1
+ severity: INFO
+- labels:
+ destination_principal: "{{ .Vars.DestinationPrincipal }}"
+ destination_service_host: server.default.svc.cluster.local
+ protocol: http
+ request_operation: GET
+ response_flag: ""
+ service_authentication_policy: {{ .Vars.ServiceAuthenticationPolicy }}
+ source_name: productpage-v1-84975bc778-pxz2w
+ source_namespace: default
+ source_principal: "{{ .Vars.SourcePrincipal }}"
+ source_workload: productpage-v1
+ severity: INFO
+- labels:
+ destination_principal: "{{ .Vars.DestinationPrincipal }}"
+ destination_service_host: server.default.svc.cluster.local
+ protocol: http
+ request_operation: GET
+ response_flag: ""
+ service_authentication_policy: {{ .Vars.ServiceAuthenticationPolicy }}
+ source_name: productpage-v1-84975bc778-pxz2w
+ source_namespace: default
+ source_principal: "{{ .Vars.SourcePrincipal }}"
+ source_workload: productpage-v1
+ severity: INFO
+- labels:
+ destination_principal: "{{ .Vars.DestinationPrincipal }}"
+ destination_service_host: server.default.svc.cluster.local
+ protocol: http
+ request_operation: GET
+ response_flag: ""
+ service_authentication_policy: {{ .Vars.ServiceAuthenticationPolicy }}
+ source_name: productpage-v1-84975bc778-pxz2w
+ source_namespace: default
+ source_principal: "{{ .Vars.SourcePrincipal }}"
+ source_workload: productpage-v1
+ severity: INFO
+labels:
+ destination_name: ratings-v1-84975bc778-pxz2w
+ destination_namespace: default
+ destination_workload: ratings-v1
+ mesh_uid: mesh
+logName: projects/test-project/logs/server-accesslog-stackdriver
+resource:
+ labels:
+ cluster_name: test-cluster
+ container_name: istio-proxy
+ location: us-east4-b
+ namespace_name: default
+ pod_name: ratings-v1-84975bc778-pxz2w
+ project_id: test-project
+ type: k8s_container
diff --git a/testdata/stackdriver/server_request_count.yaml.tmpl b/testdata/stackdriver/server_request_count.yaml.tmpl
new file mode 100644
index 000000000000..f6c25ccc2076
--- /dev/null
+++ b/testdata/stackdriver/server_request_count.yaml.tmpl
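Review bot: `service_authentication_policy: {{ .Vars.ServiceAuthenticationPolicy }}` is the only templated label left unquoted in each entry; if the variable renders empty, the YAML value becomes null rather than the empty string, and a comparison done after parsing (which I assume is how these expectations are checked) would then disagree with the quoted `service_authentication_policy: ""` that client_request_count.yaml.tmpl pins for the same label. Quoting it as `service_authentication_policy: "{{ .Vars.ServiceAuthenticationPolicy }}"` matches the `destination_principal` / `source_principal` lines beside it and removes the ambiguity for both the empty and the populated case. server_request_count.yaml.tmpl has the same unquoted value and should be changed together with this one.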
@@ -0,0 +1,31 @@
+metric:
+ labels:
+ destination_owner: kubernetes://api/apps/v1/namespaces/default/deployment/ratings-v1
+ destination_port: '{{ .Vars.ServerPort }}'
+ destination_principal: "{{ .Vars.DestinationPrincipal }}"
+ destination_service_name: server.default.svc.cluster.local
+ destination_service_namespace: default
+ destination_workload_name: ratings-v1
+ destination_workload_namespace: default
+ mesh_uid: mesh
+ request_operation: GET
+ request_protocol: http
+ response_code: "200"
+ service_authentication_policy: {{ .Vars.ServiceAuthenticationPolicy }}
+ source_owner: kubernetes://api/apps/v1/namespaces/default/deployment/productpage-v1
+ source_principal: "{{ .Vars.SourcePrincipal }}"
+ source_workload_name: productpage-v1
+ source_workload_namespace: default
+ type: istio.io/service/server/request_count
+points:
+- value:
+ int64Value: "10"
+resource:
+ labels:
+ cluster_name: test-cluster
+ container_name: istio-proxy
+ location: us-east4-b
+ namespace_name: default
+ pod_name: ratings-v1-84975bc778-pxz2w
+ project_id: test-project
+ type: k8s_container
diff --git a/testdata/transport_socket/client.yaml.tmpl b/testdata/transport_socket/client.yaml.tmpl
new file mode 100644
index 000000000000..e9862ad86f06
--- /dev/null
+++ b/testdata/transport_socket/client.yaml.tmpl
@@ -0,0 +1,11 @@
+transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext
+ common_tls_context:
+ tls_certificates:
+ - certificate_chain: { filename: "testdata/certs/client.cert" }
+ private_key: { filename: "testdata/certs/client-key.cert" }
+ validation_context:
+ trusted_ca: { filename: "testdata/certs/root.cert" }
+ sni: server.com
diff --git a/testdata/transport_socket/server.yaml.tmpl b/testdata/transport_socket/server.yaml.tmpl
new file mode 100644
index 000000000000..16b8392e1a43
--- /dev/null
+++ b/testdata/transport_socket/server.yaml.tmpl
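Review bot: `validation_context` in client.yaml.tmpl pins only `trusted_ca`, so the upstream handshake accepts any certificate that chains to testdata/certs/root.cert regardless of the identity it carries, and `sni: server.com` appears to match nothing in server.cert, whose SAN looks like it decodes to `spiffe://cluster.local/ns/default/sa/server` (confirm with `openssl x509 -noout -text`). Because this commit exists to validate the reported principals, I'd pin the peer identity as well, `verify_subject_alt_name: ["spiffe://cluster.local/ns/default/sa/server"]` under `validation_context`, so that a test which swaps in a different leaf signed by the same test CA fails instead of passing with a wrong principal. server.yaml.tmpl has the mirror-image gap: `require_client_certificate: true` demands a client certificate, but its `validation_context` does not constrain the client SAN either, so the same field with the expected client SPIFFE id (not visible in this chunk) belongs there.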
@@ -0,0 +1,11 @@
+transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext
+ common_tls_context:
+ tls_certificates:
+ - certificate_chain: { filename: "testdata/certs/server.cert" }
+ private_key: { filename: "testdata/certs/server-key.cert" }
+ validation_context:
+ trusted_ca: { filename: "testdata/certs/root.cert" }
+ require_client_certificate: true