diff --git a/test/test_real_cluster.rb b/test/test_real_cluster.rb
index 59c9deb0..568c9374 100644
--- a/test/test_real_cluster.rb
+++ b/test/test_real_cluster.rb
@@ -16,59 +16,71 @@ def teardown
 WebMock.disable_net_connect! # Don't allow any connections in other tests.
 end
+ # Partially isolated tests that check Client behavior with given `verify_ssl` value:
+
+ # localhost and 127.0.0.1 are among names on the certificate
+ HOSTNAME_COVERED_BY_CERT = 'https://127.0.0.1:6443'.freeze
+ # 127.0.0.2 also means localhost but is not included in the certificate.
+ HOSTNAME_NOT_ON_CERT = 'https://127.0.0.2:6443'.freeze
+
 def test_real_cluster_verify_peer
 config = Kubeclient::Config.read(config_file('external.kubeconfig'))
 context = config.context
- # localhost and 127.0.0.1 are among names on the certificate
 client1 = Kubeclient::Client.new(
- 'https://127.0.0.1:6443', 'v1',
+ HOSTNAME_COVERED_BY_CERT, 'v1',
 ssl_options: context.ssl_options.merge(verify_ssl: OpenSSL::SSL::VERIFY_PEER),
 auth_options: context.auth_options
 )
- client1.discover
- client1.get_nodes
- exercise_watcher_with_timeout(client1.watch_nodes)
- # 127.0.0.2 also means localhost but is not included in the certificate.
+ check_cert_accepted(client1)
 client2 = Kubeclient::Client.new(
- 'https://127.0.0.2:6443', 'v1',
+ HOSTNAME_NOT_ON_CERT, 'v1',
 ssl_options: context.ssl_options.merge(verify_ssl: OpenSSL::SSL::VERIFY_PEER),
 auth_options: context.auth_options
 )
- # TODO: all OpenSSL exceptions should be wrapped with Kubeclient error.
- assert_raises(Kubeclient::HttpError, OpenSSL::SSL::SSLError) do
- client2.discover
- end
- # Since discovery fails, methods like .get_nodes, .watch_nodes would all fail
- # on method_missing -> discover. Call lower-level methods to test actual connection.
- assert_raises(Kubeclient::HttpError, OpenSSL::SSL::SSLError) do
- client2.get_entities('Node', 'nodes', {})
- end
- assert_raises(Kubeclient::HttpError, OpenSSL::SSL::SSLError) do
- exercise_watcher_with_timeout(client2.watch_entities('nodes'))
- end
+ check_cert_rejected(client2)
 end
 def test_real_cluster_verify_none
 config = Kubeclient::Config.read(config_file('external.kubeconfig'))
 context = config.context
- # localhost and 127.0.0.1 are among names on the certificate
 client1 = Kubeclient::Client.new(
- 'https://127.0.0.1:6443', 'v1',
+ HOSTNAME_COVERED_BY_CERT, 'v1',
 ssl_options: context.ssl_options.merge(verify_ssl: OpenSSL::SSL::VERIFY_NONE),
 auth_options: context.auth_options
 )
- client1.get_nodes
- # 127.0.0.2 also means localhost but is not included in the certificate.
+ check_cert_accepted(client1)
 client2 = Kubeclient::Client.new(
- 'https://127.0.0.2:6443', 'v1',
+ HOSTNAME_NOT_ON_CERT, 'v1',
 ssl_options: context.ssl_options.merge(verify_ssl: OpenSSL::SSL::VERIFY_NONE),
 auth_options: context.auth_options
 )
- client2.get_nodes
+ check_cert_accepted(client2)
 end
 private
+ # Test cert checking on discovery, CRUD, and watch code paths.
+ def check_cert_accepted(client)
+ client.discover
+ client.get_nodes
+ exercise_watcher_with_timeout(client.watch_nodes)
+ end
+
+ def check_cert_rejected(client)
+ # TODO: all OpenSSL exceptions should be wrapped with Kubeclient error.
+ assert_raises(Kubeclient::HttpError, OpenSSL::SSL::SSLError) do
+ client.discover
+ end
+ # Since discovery fails, methods like .get_nodes, .watch_nodes would all fail
+ # on method_missing -> discover. Call lower-level methods to test actual connection.
+ assert_raises(Kubeclient::HttpError, OpenSSL::SSL::SSLError) do
+ client.get_entities('Node', 'nodes', {})
+ end
+ assert_raises(Kubeclient::HttpError, OpenSSL::SSL::SSLError) do
+ exercise_watcher_with_timeout(client.watch_entities('nodes'))
+ end
+ end
+
 def exercise_watcher_with_timeout(watcher)
 thread = Thread.new do
 sleep(1)
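Review bot: The three `assert_raises(Kubeclient::HttpError, OpenSSL::SSL::SSLError)` blocks in `check_cert_rejected` are satisfied by any `HttpError`, so the VERIFY_PEER test stays green even if the request to `HOSTNAME_NOT_ON_CERT` fails for a reason unrelated to the certificate. A timeout or an auth error would presumably also surface as `HttpError`, though that wrapping is not visible in this hunk. For a negative TLS test it is worth pinning the failure reason: capture the exception with `err = assert_raises(Kubeclient::HttpError, OpenSSL::SSL::SSLError) { client.discover }` and follow it with `assert_match(/certificate|hostname/i, err.message)`, adjusting the pattern to the message the installed OpenSSL actually produces. `check_cert_rejected` also lacks the one-line comment that `check_cert_accepted` has; something like `# Expect a TLS verification failure on discovery, CRUD, and watch code paths.` would do. The body of `exercise_watcher_with_timeout`, which the third assertion relies on, continues outside the hunk.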