From b5d08c087662345ae6731c8dbf7672964e6a6d54 Mon Sep 17 00:00:00 2001 From: shawnh2 Date: Sun, 21 Apr 2024 16:21:52 +0800 Subject: [PATCH 1/3] remove explicit test case definition for xds translator test Signed-off-by: shawnh2 --- .../in/xds-ir/mixed-tls-jwt-authn.yaml | 11 +- .../xds-ir/mixed-tls-jwt-authn.clusters.yaml | 36 +- .../xds-ir/mixed-tls-jwt-authn.endpoints.yaml | 3 +- .../xds-ir/mixed-tls-jwt-authn.listeners.yaml | 23 +- .../xds-ir/mixed-tls-jwt-authn.routes.yaml | 6 +- internal/xds/translator/translator_test.go | 577 +++++------------- 6 files changed, 161 insertions(+), 495 deletions(-) diff --git a/internal/xds/translator/testdata/in/xds-ir/mixed-tls-jwt-authn.yaml b/internal/xds/translator/testdata/in/xds-ir/mixed-tls-jwt-authn.yaml index 36984ea69f6..e77e1262245 100644 --- a/internal/xds/translator/testdata/in/xds-ir/mixed-tls-jwt-authn.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/mixed-tls-jwt-authn.yaml @@ -8,11 +8,12 @@ http: mergeSlashes: true escapedSlashesAction: UnescapeAndRedirect tls: - - name: first-listener - # byte slice representation of "cert-data" - serverCertificate: [99, 101, 114, 116, 45, 100, 97, 116, 97] - # byte slice representation of "key-data" - privateKey: [107, 101, 121, 45, 100, 97, 116, 97] + certificates: + - name: first-listener + # byte slice representation of "cert-data" + serverCertificate: [99, 101, 114, 116, 45, 100, 97, 116, 97] + # byte slice representation of "key-data" + privateKey: [107, 101, 121, 45, 100, 97, 116, 97] routes: - name: "first-route" hostname: "*" diff --git a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml index 7a0c933174e..d53a7a1b2ce 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml 
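Review bot: The mixed-tls-jwt-authn fixture no longer appears to exercise JWT authentication. Only the `tls:` block of the input is touched here, yet the expected outputs regenerated in this same patch lose the `envoy.filters.http.jwt_authn` filter on the listener, the `localhost_443` JWKS cluster and the route's `requirementName`. The snapshot now pins a TLS listener with no JWT filter, so a later regression in JWT translation would not be caught by this case. The rest of the input file is outside the hunk, so the cause is inferred: presumably its JWT settings are still in an older IR layout that the translator ignores. I would bring the JWT part of the input up to the current IR layout and regenerate, or rename the fixture, and add a header comment such as `# expected output must contain envoy.filters.http.jwt_authn; check it is still present before regenerating`.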
@@ -1,4 +1,7 @@ -- commonLbConfig: +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s dnsLookupFamily: V4_ONLY @@ -12,34 +15,3 @@ outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS -- commonLbConfig: - localityWeightedLbConfig: {} - connectTimeout: 10s - dnsLookupFamily: V4_ONLY - dnsRefreshRate: 30s - lbPolicy: LEAST_REQUEST - loadAssignment: - clusterName: localhost_443 - endpoints: - - lbEndpoints: - - endpoint: - address: - socketAddress: - address: localhost - portValue: 443 - loadBalancingWeight: 1 - loadBalancingWeight: 1 - locality: {} - name: localhost_443 - outlierDetection: {} - perConnectionBufferLimitBytes: 32768 - respectDnsTtl: true - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - commonTlsContext: - validationContext: - trustedCa: - filename: /etc/ssl/certs/ca-certificates.crt - type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.endpoints.yaml index 0d68b430c20..3b3f2d09076 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.endpoints.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.endpoints.yaml @@ -8,4 +8,5 @@ portValue: 50000 loadBalancingWeight: 1 loadBalancingWeight: 1 - locality: {} + locality: + region: first-route-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml index 85bb8b4ac73..5fa3f9246df 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml 
@@ -2,6 +2,7 @@ socketAddress: address: 0.0.0.0 portValue: 10080 + drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.http_connection_manager @@ -14,26 +15,6 @@ initialStreamWindowSize: 65536 maxConcurrentStreams: 100 httpFilters: - - name: envoy.filters.http.jwt_authn - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication - providers: - first-route/example: - audiences: - - foo.com - issuer: https://www.example.com - payloadInMetadata: https://www.example.com - remoteJwks: - asyncFetch: {} - cacheDuration: 300s - httpUri: - cluster: localhost_443 - timeout: 5s - uri: https://localhost/jwt/public-key/jwks.json - retryPolicy: {} - requirementMap: - first-route: - providerName: first-route/example - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router @@ -48,8 +29,6 @@ routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH statPrefix: https - upgradeConfigs: - - upgradeType: websocket useRemoteAddress: true transportSocket: name: envoy.transport_sockets.tls diff --git a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.routes.yaml index c73bec09093..75d30a0592a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.routes.yaml @@ -10,7 +10,5 @@ name: first-route route: cluster: first-route-dest - typedPerFilterConfig: - envoy.filters.http.jwt_authn: - '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig - requirementName: first-route + upgradeConfigs: + - upgradeType: websocket diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go index f60d23a8bb1..9b79aa53bd7 100644 --- a/internal/xds/translator/translator_test.go 
+++ b/internal/xds/translator/translator_test.go 
@@ -41,322 +41,129 @@ var ( overrideTestData = flag.Bool("override-testdata", false, "if override the test output data.") ) +type testFileConfig struct { + dnsDomain string + requireSecrets bool + requireEnvoyPatchPolicies bool + errMsg string +} + func TestTranslateXds(t *testing.T) { - testCases := []struct { - name string - dnsDomain string - requireSecrets bool - requireEnvoyPatchPolicies bool - err bool - }{ - { - name: "empty", - }, - { - name: "http-route", - }, - { - name: "http-route-regex", - }, - { - name: "http-route-redirect", - }, - { - name: "http-route-mirror", - }, - { - name: "http-route-multiple-mirrors", - }, - { - name: "http-route-multiple-matches", - }, - { - name: "http-route-direct-response", - }, - { - name: "http-route-request-headers", - }, - { - name: "http-route-response-add-headers", - }, - { - name: "http-route-response-remove-headers", - }, - { - name: "http-route-response-add-remove-headers", - }, - { - name: "http-route-weighted-invalid-backend", - }, - { - name: "http-route-dns-cluster", - }, - { - name: "http-route-with-tls-system-truststore", + testConfigs := map[string]testFileConfig{ + "http-route-with-tls-system-truststore": { requireSecrets: true, }, - { - name: "http-route-with-tlsbundle", + "http-route-with-tlsbundle": { requireSecrets: true, }, - { - name: "http-route-with-tlsbundle-multiple-certs", + "http-route-with-tlsbundle-multiple-certs": { requireSecrets: true, }, - { - name: "simple-tls", + "simple-tls": { requireSecrets: true, }, - { - name: "mutual-tls", + "mutual-tls": { requireSecrets: true, }, - { - name: "mutual-tls-required-client-certificate-disabled", + "mixed-tls-jwt-authn": { requireSecrets: true, }, - { - name: "http3", + "mutual-tls-required-client-certificate-disabled": { requireSecrets: true, }, - { - name: "tls-route-passthrough", - }, - { - name: "tcp-route-simple", - }, - { - name: "tcp-route-complex", - }, - { - name: "tcp-route-tls-terminate", - }, - { - name: 
"multiple-simple-tcp-route-same-port", - }, - { - name: "http-route-weighted-backend", - }, - { - name: "tcp-route-weighted-backend", - }, - { - name: "multiple-listeners-same-port", + "http3": { requireSecrets: true, }, - { - name: "udp-route", - }, - { - name: "http2-route", - }, - { - name: "http-route-rewrite-url-prefix", - }, - { - name: "http-route-rewrite-root-path-url-prefix", - }, - { - name: "http-route-rewrite-url-fullpath", - }, - { - name: "http-route-rewrite-url-host", - }, - { - name: "http-route-timeout", - }, - - { - name: "ratelimit", + "multiple-listeners-same-port": { + requireSecrets: true, }, - { - name: "ratelimit-custom-domain", + "ratelimit-custom-domain": { dnsDomain: "example-cluster.local", }, - { - name: "ratelimit-sourceip", - }, - { - name: "accesslog", - }, - { - name: "tracing", - }, - { - name: "metrics-virtual-host", - }, - { - name: "jsonpatch", + "jsonpatch": { requireEnvoyPatchPolicies: true, requireSecrets: true, - err: true, }, - { - name: "jsonpatch-missing-resource", + "jsonpatch-missing-resource": { requireEnvoyPatchPolicies: true, - err: true, }, - { - name: "jsonpatch-invalid-patch", + "jsonpatch-invalid-patch": { requireEnvoyPatchPolicies: true, - err: true, + errMsg: "unable to unmarshal xds resource", }, - { - name: "jsonpatch-add-op-without-value", + "jsonpatch-add-op-without-value": { requireEnvoyPatchPolicies: true, - err: true, + errMsg: "the add operation requires a value", }, - { - name: "jsonpatch-move-op-with-value", + "jsonpatch-move-op-with-value": { requireEnvoyPatchPolicies: true, - err: true, - }, - { - name: "listener-tcp-keepalive", - }, - { - name: "load-balancer", - }, - { - name: "cors", - }, - { - name: "jwt-multi-route-multi-provider", + errMsg: "the value field can not be set for the remove operation", }, - { - name: "jwt-multi-route-single-provider", - }, - { - name: "jwt-ratelimit", - }, - { - name: "jwt-single-route-single-match", - }, - { - name: "oidc", + "oidc": { requireSecrets: true, }, - 
{ - name: "http-route-partial-invalid", - }, - { - name: "listener-proxy-protocol", - }, - { - name: "jwt-custom-extractor", - }, - { - name: "proxy-protocol-upstream", - }, - { - name: "basic-auth", - }, - { - name: "health-check", - }, - { - name: "local-ratelimit", - }, - { - name: "circuit-breaker", - }, - { - name: "suppress-envoy-headers", - }, - { - name: "fault-injection", - }, - { - name: "headers-with-underscores-action", - }, - { - name: "tls-with-ciphers-versions-alpn", - }, - { - name: "path-settings", - }, - { - name: "client-ip-detection", - }, - { - name: "http1-trailers", - }, - { - name: "http1-preserve-case", - }, - { - name: "timeout", - }, - { - name: "ext-auth", - }, - { - name: "http10", - }, - { - name: "upstream-tcpkeepalive", - }, - { - name: "client-timeout", - }, - { - name: "client-buffer-limit", + "http-route-invalid": { + errMsg: "validation failed for xds resource", }, - { - name: "retry-partial-invalid", + "tcp-route-invalid": { + errMsg: "validation failed for xds resource", }, - { - name: "multiple-listeners-same-port-with-different-filters", + "tcp-route-invalid-endpoint": { + errMsg: "validation failed for xds resource", }, - { - name: "listener-connection-limit", + "udp-route-invalid": { + errMsg: "validation failed for xds resource", }, - { - name: "ext-proc", + "jsonpatch-invalid": { + errMsg: "validation failed for xds resource", }, - { - name: "http-endpoint-stats", + "jsonpatch-invalid-listener": { + errMsg: "validation failed for xds resource", }, - { - name: "tcp-endpoint-stats", + "accesslog-invalid": { + errMsg: "validation failed for xds resource", }, - { - name: "udp-endpoint-stats", - }, - { - name: "tracing-endpoint-stats", - }, - { - name: "accesslog-endpoint-stats", - }, - { - name: "ratelimit-endpoint-stats", - }, - { - name: "wasm", - }, - { - name: "jwt-optional", + "tracing-invalid": { + errMsg: "validation failed for xds resource", }, } - for _, tc := range testCases { - tc := tc - t.Run(tc.name, func(t 
*testing.T) { - dnsDomain := tc.dnsDomain - if dnsDomain == "" { + inputFiles, err := filepath.Glob(filepath.Join("testdata", "in", "xds-ir", "*.yaml")) + require.NoError(t, err) + + for _, inputFile := range inputFiles { + inputFile := inputFile + inputFileName := testName(inputFile) + t.Run(inputFileName, func(t *testing.T) { + cfg, ok := testConfigs[inputFileName] + if !ok { + cfg = testFileConfig{ + dnsDomain: "", + requireSecrets: false, + requireEnvoyPatchPolicies: false, + errMsg: "", + } + } + + dnsDomain := cfg.dnsDomain + if len(dnsDomain) == 0 { dnsDomain = "cluster.local" } - ir := requireXdsIRFromInputTestData(t, "xds-ir", tc.name+".yaml") + + x := requireXdsIRFromInputTestData(t, inputFile) tr := &Translator{ GlobalRateLimit: &GlobalRateLimitSettings{ ServiceURL: ratelimit.GetServiceURL("envoy-gateway-system", dnsDomain), }, } - tCtx, err := tr.Translate(ir) - if !strings.HasSuffix(tc.name, "partial-invalid") && !tc.err { + tCtx, err := tr.Translate(x) + if !strings.HasSuffix(inputFileName, "partial-invalid") && len(cfg.errMsg) == 0 { require.NoError(t, err) + } else if len(cfg.errMsg) > 0 { + require.Error(t, err) + require.Contains(t, err.Error(), cfg.errMsg) + return } listeners := tCtx.XdsResources[resourcev3.ListenerType] 
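Review bot: The `return` at the end of the `else if len(cfg.errMsg) > 0` branch makes `requireEnvoyPatchPolicies: true` dead for every entry that also sets `errMsg` (`jsonpatch-invalid-patch`, `jsonpatch-add-op-without-value`, `jsonpatch-move-op-with-value`), so their EnvoyPatchPolicy status snapshots are never compared. The removed table let those cases run past the error through `err: true`, which also means `jsonpatch` and `jsonpatch-missing-resource` now go through `require.NoError`. If the status files are still meant to be checked, return early only when there is nothing further to compare, e.g. `if !cfg.requireEnvoyPatchPolicies { return }`; otherwise drop the flag from those three entries so the table does not promise a check that never runs. The subtest body continues past the end of this hunk, and that `tCtx` is usable after a translation error is assumed from the old code path, which read it in that case.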
@@ -364,23 +171,25 @@ func TestTranslateXds(t *testing.T) { clusters := tCtx.XdsResources[resourcev3.ClusterType] endpoints := tCtx.XdsResources[resourcev3.EndpointType] if *overrideTestData { - require.NoError(t, file.Write(requireResourcesToYAMLString(t, listeners), filepath.Join("testdata", "out", "xds-ir", tc.name+".listeners.yaml"))) - require.NoError(t, file.Write(requireResourcesToYAMLString(t, routes), filepath.Join("testdata", "out", "xds-ir", tc.name+".routes.yaml"))) - require.NoError(t, file.Write(requireResourcesToYAMLString(t, clusters), filepath.Join("testdata", "out", "xds-ir", tc.name+".clusters.yaml"))) - require.NoError(t, file.Write(requireResourcesToYAMLString(t, endpoints), filepath.Join("testdata", "out", "xds-ir", tc.name+".endpoints.yaml"))) + require.NoError(t, file.Write(requireResourcesToYAMLString(t, listeners), filepath.Join("testdata", "out", "xds-ir", inputFileName+".listeners.yaml"))) + require.NoError(t, file.Write(requireResourcesToYAMLString(t, routes), filepath.Join("testdata", "out", "xds-ir", inputFileName+".routes.yaml"))) + require.NoError(t, file.Write(requireResourcesToYAMLString(t, clusters), filepath.Join("testdata", "out", "xds-ir", inputFileName+".clusters.yaml"))) + require.NoError(t, file.Write(requireResourcesToYAMLString(t, endpoints), filepath.Join("testdata", "out", "xds-ir", inputFileName+".endpoints.yaml"))) } - require.Equal(t, requireTestDataOutFile(t, "xds-ir", tc.name+".listeners.yaml"), requireResourcesToYAMLString(t, listeners)) - require.Equal(t, requireTestDataOutFile(t, "xds-ir", tc.name+".routes.yaml"), requireResourcesToYAMLString(t, routes)) - require.Equal(t, requireTestDataOutFile(t, "xds-ir", tc.name+".clusters.yaml"), requireResourcesToYAMLString(t, clusters)) - require.Equal(t, requireTestDataOutFile(t, "xds-ir", tc.name+".endpoints.yaml"), requireResourcesToYAMLString(t, endpoints)) - if tc.requireSecrets { + require.Equal(t, requireTestDataOutFile(t, "xds-ir", 
inputFileName+".listeners.yaml"), requireResourcesToYAMLString(t, listeners)) + require.Equal(t, requireTestDataOutFile(t, "xds-ir", inputFileName+".routes.yaml"), requireResourcesToYAMLString(t, routes)) + require.Equal(t, requireTestDataOutFile(t, "xds-ir", inputFileName+".clusters.yaml"), requireResourcesToYAMLString(t, clusters)) + require.Equal(t, requireTestDataOutFile(t, "xds-ir", inputFileName+".endpoints.yaml"), requireResourcesToYAMLString(t, endpoints)) + + if cfg.requireSecrets { secrets := tCtx.XdsResources[resourcev3.SecretType] if *overrideTestData { - require.NoError(t, file.Write(requireResourcesToYAMLString(t, secrets), filepath.Join("testdata", "out", "xds-ir", tc.name+".secrets.yaml"))) + require.NoError(t, file.Write(requireResourcesToYAMLString(t, secrets), filepath.Join("testdata", "out", "xds-ir", inputFileName+".secrets.yaml"))) } - require.Equal(t, requireTestDataOutFile(t, "xds-ir", tc.name+".secrets.yaml"), requireResourcesToYAMLString(t, secrets)) + require.Equal(t, requireTestDataOutFile(t, "xds-ir", inputFileName+".secrets.yaml"), requireResourcesToYAMLString(t, secrets)) } - if tc.requireEnvoyPatchPolicies { + + if cfg.requireEnvoyPatchPolicies { got := tCtx.EnvoyPatchPolicyStatuses for _, e := range got { require.NoError(t, field.SetValue(e, "LastTransitionTime", metav1.NewTime(time.Time{}))) 
@@ -388,10 +197,10 @@ func TestTranslateXds(t *testing.T) { if *overrideTestData { out, err := yaml.Marshal(got) require.NoError(t, err) - require.NoError(t, file.Write(string(out), filepath.Join("testdata", "out", "xds-ir", tc.name+".envoypatchpolicies.yaml"))) + require.NoError(t, file.Write(string(out), filepath.Join("testdata", "out", "xds-ir", inputFileName+".envoypatchpolicies.yaml"))) } - in := requireTestDataOutFile(t, "xds-ir", tc.name+".envoypatchpolicies.yaml") + in := requireTestDataOutFile(t, "xds-ir", inputFileName+".envoypatchpolicies.yaml") want := xtypes.EnvoyPatchPolicyStatuses{} require.NoError(t, yaml.Unmarshal([]byte(in), &want)) opts := cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime") 
@@ -401,152 +210,56 @@ func TestTranslateXds(t *testing.T) { } } -func TestTranslateXdsNegative(t *testing.T) { - testCases := []struct { - name string - dnsDomain string - requireSecrets bool - }{ - { - name: "http-route-invalid", - }, - { - name: "tcp-route-invalid", - }, - { - name: "tcp-route-invalid-endpoint", - }, - { - name: "udp-route-invalid", - }, - { - name: "jsonpatch-invalid", - }, - { - name: "jsonpatch-invalid-listener", - }, - { - name: "accesslog-invalid", - }, - { - name: "tracing-invalid", - }, - } - - for _, tc := range testCases { - tc := tc - t.Run(tc.name, func(t *testing.T) { - dnsDomain := tc.dnsDomain - if dnsDomain == "" { - dnsDomain = "cluster.local" - } - ir := requireXdsIRFromInputTestData(t, "xds-ir", tc.name+".yaml") - tr := &Translator{ - GlobalRateLimit: &GlobalRateLimitSettings{ - ServiceURL: ratelimit.GetServiceURL("envoy-gateway-system", dnsDomain), - }, - } - - _, err := tr.Translate(ir) - require.Error(t, err) - if tc.name != "jsonpatch-invalid" { - require.Contains(t, err.Error(), "validation failed for xds resource") - } - }) - } -} - func TestTranslateRateLimitConfig(t *testing.T) { - testCases := []struct { - name string - }{ - { - name: "empty-header-matches", - }, - { - name: "distinct-match", - }, - { - name: "distinct-remote-address-match", - }, - { - name: "value-match", - }, - { - name: "multiple-matches", - }, - { - name: "multiple-rules", - }, - { - name: "multiple-routes", - }, - { - name: "masked-remote-address-match", - }, - { - name: "multiple-masked-remote-address-match-with-same-cidr", - }, - } + inputFiles, err := filepath.Glob(filepath.Join("testdata", "in", "ratelimit-config", "*.yaml")) + require.NoError(t, err) - for _, tc := range testCases { - tc := tc - t.Run(tc.name, func(t *testing.T) { - in := requireXdsIRListenerFromInputTestData(t, "ratelimit-config", tc.name+".yaml") + for _, inputFile := range inputFiles { + inputFile := inputFile + inputFileName := testName(inputFile) + t.Run(inputFileName, 
func(t *testing.T) { + in := requireXdsIRListenerFromInputTestData(t, inputFile) out := BuildRateLimitServiceConfig(in) if *overrideTestData { - require.NoError(t, file.Write(requireYamlRootToYAMLString(t, out), filepath.Join("testdata", "out", "ratelimit-config", tc.name+".yaml"))) + require.NoError(t, file.Write(requireYamlRootToYAMLString(t, out), inputFile)) } - require.Equal(t, requireTestDataOutFile(t, "ratelimit-config", tc.name+".yaml"), requireYamlRootToYAMLString(t, out)) + require.Equal(t, requireTestDataOutFile(t, "ratelimit-config", inputFileName+".yaml"), requireYamlRootToYAMLString(t, out)) }) } } func TestTranslateXdsWithExtension(t *testing.T) { - testCases := []struct { - name string - requireSecrets bool - err string - }{ - // Require secrets for all the tests since the extension for testing always injects one - { - name: "empty", - requireSecrets: true, - err: "", + testConfigs := map[string]testFileConfig{ + "http-route-extension-route-error": { + errMsg: "route hook resource error", }, - { - name: "http-route", - requireSecrets: true, - err: "", - }, - { - name: "http-route-extension-filter", - requireSecrets: true, - err: "", - }, - { - name: "http-route-extension-route-error", - requireSecrets: true, - err: "route hook resource error", - }, - { - name: "http-route-extension-virtualhost-error", - requireSecrets: true, - err: "extension post xds virtual host hook error", + "http-route-extension-virtualhost-error": { + errMsg: "extension post xds virtual host hook error", }, - { - name: "http-route-extension-listener-error", - requireSecrets: true, - err: "extension post xds listener hook error", + "http-route-extension-listener-error": { + errMsg: "extension post xds listener hook error", }, } - for _, tc := range testCases { - tc := tc - t.Run(tc.name, func(t *testing.T) { + inputFiles, err := filepath.Glob(filepath.Join("testdata", "in", "extension-xds-ir", "*.yaml")) + require.NoError(t, err) + + for _, inputFile := range inputFiles { + 
inputFile := inputFile + inputFileName := testName(inputFile) + t.Run(inputFileName, func(t *testing.T) { + cfg, ok := testConfigs[inputFileName] + if !ok { + cfg = testFileConfig{ + dnsDomain: "", + requireSecrets: true, // default: true + requireEnvoyPatchPolicies: false, + } + } + // Testdata for the extension tests is similar to the ir test dat // New directory is just to keep them separate and easy to understand - ir := requireXdsIRFromInputTestData(t, "extension-xds-ir", tc.name+".yaml") + x := requireXdsIRFromInputTestData(t, inputFile) tr := &Translator{ GlobalRateLimit: &GlobalRateLimitSettings{ ServiceURL: ratelimit.GetServiceURL("envoy-gateway-system", "cluster.local"), @@ -574,10 +287,9 @@ func TestTranslateXdsWithExtension(t *testing.T) { extMgr := testutils.NewManager(ext) tr.ExtensionManager = &extMgr - tCtx, err := tr.Translate(ir) - - if tc.err != "" { - require.EqualError(t, err, tc.err) + tCtx, err := tr.Translate(x) + if len(cfg.errMsg) > 0 { + require.EqualError(t, err, cfg.errMsg) } else { require.NoError(t, err) listeners := tCtx.XdsResources[resourcev3.ListenerType] 
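Review bot: `require.NoError(t, err)` after each `filepath.Glob` does not guard against an empty fixture set, because Glob returns a nil error when the pattern matches nothing. If the testdata directory is renamed or the pattern is mistyped, the loop body never runs and the test passes with zero subtests, which hides the loss of every golden-file check, including the TLS and secret cases. Add `require.NotEmpty(t, inputFiles)` right after the Glob in TestTranslateRateLimitConfig and TestTranslateXdsWithExtension in this hunk, and in TestTranslateXds in the earlier hunk. A short comment above each `testConfigs` map, e.g. `// keys are input file names without ".yaml"; files not listed use the zero-value config`, would also make the lookup contract explicit.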
@@ -585,42 +297,45 @@ func TestTranslateXdsWithExtension(t *testing.T) { clusters := tCtx.XdsResources[resourcev3.ClusterType] endpoints := tCtx.XdsResources[resourcev3.EndpointType] if *overrideTestData { - require.NoError(t, file.Write(requireResourcesToYAMLString(t, listeners), filepath.Join("testdata", "out", "extension-xds-ir", tc.name+".listeners.yaml"))) - require.NoError(t, file.Write(requireResourcesToYAMLString(t, routes), filepath.Join("testdata", "out", "extension-xds-ir", tc.name+".routes.yaml"))) - require.NoError(t, file.Write(requireResourcesToYAMLString(t, clusters), filepath.Join("testdata", "out", "extension-xds-ir", tc.name+".clusters.yaml"))) - require.NoError(t, file.Write(requireResourcesToYAMLString(t, endpoints), filepath.Join("testdata", "out", "extension-xds-ir", tc.name+".endpoints.yaml"))) + require.NoError(t, file.Write(requireResourcesToYAMLString(t, listeners), filepath.Join("testdata", "out", "extension-xds-ir", inputFileName+".listeners.yaml"))) + require.NoError(t, file.Write(requireResourcesToYAMLString(t, routes), filepath.Join("testdata", "out", "extension-xds-ir", inputFileName+".routes.yaml"))) + require.NoError(t, file.Write(requireResourcesToYAMLString(t, clusters), filepath.Join("testdata", "out", "extension-xds-ir", inputFileName+".clusters.yaml"))) + require.NoError(t, file.Write(requireResourcesToYAMLString(t, endpoints), filepath.Join("testdata", "out", "extension-xds-ir", inputFileName+".endpoints.yaml"))) } - require.Equal(t, requireTestDataOutFile(t, "extension-xds-ir", tc.name+".listeners.yaml"), requireResourcesToYAMLString(t, listeners)) - require.Equal(t, requireTestDataOutFile(t, "extension-xds-ir", tc.name+".routes.yaml"), requireResourcesToYAMLString(t, routes)) - require.Equal(t, requireTestDataOutFile(t, "extension-xds-ir", tc.name+".clusters.yaml"), requireResourcesToYAMLString(t, clusters)) - require.Equal(t, requireTestDataOutFile(t, "extension-xds-ir", tc.name+".endpoints.yaml"), 
requireResourcesToYAMLString(t, endpoints)) - if tc.requireSecrets { + require.Equal(t, requireTestDataOutFile(t, "extension-xds-ir", inputFileName+".listeners.yaml"), requireResourcesToYAMLString(t, listeners)) + require.Equal(t, requireTestDataOutFile(t, "extension-xds-ir", inputFileName+".routes.yaml"), requireResourcesToYAMLString(t, routes)) + require.Equal(t, requireTestDataOutFile(t, "extension-xds-ir", inputFileName+".clusters.yaml"), requireResourcesToYAMLString(t, clusters)) + require.Equal(t, requireTestDataOutFile(t, "extension-xds-ir", inputFileName+".endpoints.yaml"), requireResourcesToYAMLString(t, endpoints)) + if cfg.requireSecrets { secrets := tCtx.XdsResources[resourcev3.SecretType] if *overrideTestData { - require.NoError(t, file.Write(requireResourcesToYAMLString(t, secrets), filepath.Join("testdata", "out", "extension-xds-ir", tc.name+".secrets.yaml"))) + require.NoError(t, file.Write(requireResourcesToYAMLString(t, secrets), filepath.Join("testdata", "out", "extension-xds-ir", inputFileName+".secrets.yaml"))) } - require.Equal(t, requireTestDataOutFile(t, "extension-xds-ir", tc.name+".secrets.yaml"), requireResourcesToYAMLString(t, secrets)) + require.Equal(t, requireTestDataOutFile(t, "extension-xds-ir", inputFileName+".secrets.yaml"), requireResourcesToYAMLString(t, secrets)) } } }) } } -func requireXdsIRFromInputTestData(t *testing.T, name ...string) *ir.Xds { +func testName(inputFile string) string { + _, fileName := filepath.Split(inputFile) + return strings.TrimSuffix(fileName, ".yaml") +} + +func requireXdsIRFromInputTestData(t *testing.T, name string) *ir.Xds { t.Helper() - elems := append([]string{"testdata", "in"}, name...) 
- content, err := inFiles.ReadFile(filepath.Join(elems...)) + content, err := inFiles.ReadFile(name) require.NoError(t, err) - ir := &ir.Xds{} - err = yaml.Unmarshal(content, ir) + x := &ir.Xds{} + err = yaml.Unmarshal(content, x) require.NoError(t, err) - return ir + return x } -func requireXdsIRListenerFromInputTestData(t *testing.T, name ...string) *ir.HTTPListener { +func requireXdsIRListenerFromInputTestData(t *testing.T, name string) *ir.HTTPListener { t.Helper() - elems := append([]string{"testdata", "in"}, name...) - content, err := inFiles.ReadFile(filepath.Join(elems...)) + content, err := inFiles.ReadFile(name) require.NoError(t, err) listener := &ir.HTTPListener{} err = yaml.Unmarshal(content, listener) From db1ad30737cada6ad6dbd30274fd39a8858e60a0 Mon Sep 17 00:00:00 2001 From: shawnh2 Date: Sun, 21 Apr 2024 16:47:18 +0800 Subject: [PATCH 2/3] fix lint and gen-check Signed-off-by: shawnh2 --- internal/xds/translator/translator_test.go | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go index 9b79aa53bd7..64827b22216 100644 --- a/internal/xds/translator/translator_test.go +++ b/internal/xds/translator/translator_test.go @@ -221,7 +221,7 @@ func TestTranslateRateLimitConfig(t *testing.T) { in := requireXdsIRListenerFromInputTestData(t, inputFile) out := BuildRateLimitServiceConfig(in) if *overrideTestData { - require.NoError(t, file.Write(requireYamlRootToYAMLString(t, out), inputFile)) + require.NoError(t, file.Write(requireYamlRootToYAMLString(t, out), filepath.Join("testdata", "out", "ratelimit-config", inputFileName+".yaml"))) } require.Equal(t, requireTestDataOutFile(t, "ratelimit-config", inputFileName+".yaml"), requireYamlRootToYAMLString(t, out)) }) 
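Review bot: `inFiles.ReadFile(name)` in requireXdsIRFromInputTestData and requireXdsIRListenerFromInputTestData now receives the path returned by `filepath.Glob`, which uses the OS path separator and reflects what is on disk rather than what `inFiles` contains. If `inFiles` is an `embed.FS` (its declaration is outside this diff), it accepts only slash-separated paths, so both helpers would fail on Windows; a file present on disk but not covered by the embed pattern would also fail here rather than at discovery. Either normalise with `content, err := inFiles.ReadFile(filepath.ToSlash(name))` or enumerate the fixtures from `inFiles` itself so discovery and reading use the same source. The helpers would also benefit from a doc comment stating the new contract, e.g. `// name is the input file path relative to the package directory, as returned by filepath.Glob.`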
@@ -250,14 +250,10 @@ func TestTranslateXdsWithExtension(t *testing.T) { t.Run(inputFileName, func(t *testing.T) { cfg, ok := testConfigs[inputFileName] if !ok { - cfg = testFileConfig{ - dnsDomain: "", - requireSecrets: true, // default: true - requireEnvoyPatchPolicies: false, - } + cfg = testFileConfig{requireSecrets: true} } - // Testdata for the extension tests is similar to the ir test dat + // Testdata for the extension tests is similar to the ir test data // New directory is just to keep them separate and easy to understand x := requireXdsIRFromInputTestData(t, inputFile) tr := &Translator{ From 5c288f7f917005aa4d656261cbe740300e4b8004 Mon Sep 17 00:00:00 2001 From: shawnh2 Date: Tue, 23 Apr 2024 13:02:48 +0800 Subject: [PATCH 3/3] check secret from translator context Signed-off-by: shawnh2 --- .../listener-proxy-protocol.secrets.yaml | 12 +++++ ...e-port-with-different-filters.secrets.yaml | 8 +++ .../suppress-envoy-headers.secrets.yaml | 12 +++++ .../tcp-route-tls-terminate.secrets.yaml | 6 +++ ...ls-with-ciphers-versions-alpn.secrets.yaml | 12 +++++ internal/xds/translator/translator_test.go | 51 +++---------------- 6 files changed, 58 insertions(+), 43 deletions(-) create mode 100644 internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.secrets.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.secrets.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.secrets.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.secrets.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.secrets.yaml diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.secrets.yaml new file mode 100644 index 00000000000..ad88ffe43cd --- /dev/null 
+++ b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.secrets.yaml @@ -0,0 +1,12 @@ +- name: secret-1 + tlsCertificate: + certificateChain: + inlineBytes: Y2VydC1kYXRh + privateKey: + inlineBytes: a2V5LWRhdGE= +- name: secret-2 + tlsCertificate: + certificateChain: + inlineBytes: Y2VydC1kYXRh + privateKey: + inlineBytes: a2V5LWRhdGE= diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.secrets.yaml new file mode 100644 index 00000000000..81afea10735 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.secrets.yaml @@ -0,0 +1,8 @@ +- genericSecret: + secret: + inlineBytes: Y2xpZW50MTpzZWNyZXQK + name: oauth2/client_secret/securitypolicy/default/policy-for-gateway-2 +- genericSecret: + secret: + inlineBytes: "" + name: oauth2/hmac_secret/securitypolicy/default/policy-for-gateway-2 diff --git a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.secrets.yaml new file mode 100644 index 00000000000..ad88ffe43cd --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.secrets.yaml @@ -0,0 +1,12 @@ +- name: secret-1 + tlsCertificate: + certificateChain: + inlineBytes: Y2VydC1kYXRh + privateKey: + inlineBytes: a2V5LWRhdGE= +- name: secret-2 + tlsCertificate: + certificateChain: + inlineBytes: Y2VydC1kYXRh + privateKey: + inlineBytes: a2V5LWRhdGE= diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.secrets.yaml new file mode 100644 index 00000000000..d4d502ac098 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.secrets.yaml 
@@ -0,0 +1,6 @@ +- name: envoy-gateway-tls-secret-1 + tlsCertificate: + certificateChain: + inlineBytes: 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 + privateKey: + inlineBytes: 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 diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.secrets.yaml new file mode 100644 index 00000000000..ad88ffe43cd --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.secrets.yaml @@ -0,0 +1,12 @@ +- name: secret-1 + tlsCertificate: + certificateChain: + inlineBytes: Y2VydC1kYXRh + privateKey: + inlineBytes: a2V5LWRhdGE= +- name: secret-2 + tlsCertificate: + certificateChain: + inlineBytes: Y2VydC1kYXRh + privateKey: + inlineBytes: a2V5LWRhdGE= diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go index 67490032bf1..28868500b68 100644 --- a/internal/xds/translator/translator_test.go +++ b/internal/xds/translator/translator_test.go 
@@ -42,47 +42,18 @@ var ( ) type testFileConfig struct { - dnsDomain string - requireSecrets bool requireEnvoyPatchPolicies bool + dnsDomain string errMsg string } func TestTranslateXds(t *testing.T) { testConfigs := map[string]testFileConfig{ - "http-route-with-tls-system-truststore": { - requireSecrets: true, - }, - "http-route-with-tlsbundle": { - requireSecrets: true, - }, - "http-route-with-tlsbundle-multiple-certs": { - requireSecrets: true, - }, - "simple-tls": { - requireSecrets: true, - }, - "mutual-tls": { - requireSecrets: true, - }, - "mixed-tls-jwt-authn": { - requireSecrets: true, - }, - "mutual-tls-required-client-certificate-disabled": { - requireSecrets: true, - }, - "http3": { - requireSecrets: true, - }, - "multiple-listeners-same-port": { - requireSecrets: true, - }, "ratelimit-custom-domain": { dnsDomain: "example-cluster.local", }, "jsonpatch": { requireEnvoyPatchPolicies: true, - requireSecrets: true, }, "jsonpatch-missing-resource": { requireEnvoyPatchPolicies: true, @@ -99,9 +70,6 @@ func TestTranslateXds(t *testing.T) { requireEnvoyPatchPolicies: true, errMsg: "the value field can not be set for the remove operation", }, - "oidc": { - requireSecrets: true, - }, "http-route-invalid": { errMsg: "validation failed for xds resource", }, @@ -126,9 +94,6 @@ func TestTranslateXds(t *testing.T) { "tracing-invalid": { errMsg: "validation failed for xds resource", }, - { - name: "http2", - }, } inputFiles, err := filepath.Glob(filepath.Join("testdata", "in", "xds-ir", "*.yaml")) @@ -141,9 +106,8 @@ func TestTranslateXds(t *testing.T) { cfg, ok := testConfigs[inputFileName] if !ok { cfg = testFileConfig{ - dnsDomain: "", - requireSecrets: false, requireEnvoyPatchPolicies: false, + dnsDomain: "", errMsg: "", } } 
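Review bot: The `if !ok` fallback kept in the `@@ -141,9 +106,8 @@` hunk is a no-op: indexing `testConfigs` with a missing key already yields the zero `testFileConfig`, and the block assigns exactly those zero values field by field. With `requireSecrets` gone it could be replaced by `cfg := testConfigs[inputFileName]` plus a comment such as `// cases without an entry run with the zero config`, provided `ok` is not read elsewhere in the closure, which the hunk does not show. The same holds for `cfg = testFileConfig{}` in the `@@ -253,7 +217,7 @@` hunk of TestTranslateXdsWithExtension. The enclosing t.Run closure continues outside the hunk.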
@@ -184,8 +148,8 @@ func TestTranslateXds(t *testing.T) { require.Equal(t, requireTestDataOutFile(t, "xds-ir", inputFileName+".clusters.yaml"), requireResourcesToYAMLString(t, clusters)) require.Equal(t, requireTestDataOutFile(t, "xds-ir", inputFileName+".endpoints.yaml"), requireResourcesToYAMLString(t, endpoints)) - if cfg.requireSecrets { - secrets := tCtx.XdsResources[resourcev3.SecretType] + secrets, ok := tCtx.XdsResources[resourcev3.SecretType] + if ok && len(secrets) > 0 { if *overrideTestData { require.NoError(t, file.Write(requireResourcesToYAMLString(t, secrets), filepath.Join("testdata", "out", "xds-ir", inputFileName+".secrets.yaml"))) } @@ -253,7 +217,7 @@ func TestTranslateXdsWithExtension(t *testing.T) { t.Run(inputFileName, func(t *testing.T) { cfg, ok := testConfigs[inputFileName] if !ok { - cfg = testFileConfig{requireSecrets: true} + cfg = testFileConfig{} } // Testdata for the extension tests is similar to the ir test data @@ -305,8 +269,9 @@ func TestTranslateXdsWithExtension(t *testing.T) { require.Equal(t, requireTestDataOutFile(t, "extension-xds-ir", inputFileName+".routes.yaml"), requireResourcesToYAMLString(t, routes)) require.Equal(t, requireTestDataOutFile(t, "extension-xds-ir", inputFileName+".clusters.yaml"), requireResourcesToYAMLString(t, clusters)) require.Equal(t, requireTestDataOutFile(t, "extension-xds-ir", inputFileName+".endpoints.yaml"), requireResourcesToYAMLString(t, endpoints)) - if cfg.requireSecrets { - secrets := tCtx.XdsResources[resourcev3.SecretType] + + secrets, ok := tCtx.XdsResources[resourcev3.SecretType] + if ok { if *overrideTestData { require.NoError(t, file.Write(requireResourcesToYAMLString(t, secrets), filepath.Join("testdata", "out", "extension-xds-ir", inputFileName+".secrets.yaml"))) }
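Review bot: The secrets comparison in the `@@ -184,8 +148,8 @@` hunk now runs only when the translator emits secrets (`if ok && len(secrets) > 0`), so a regression that stops producing a TLS certificate or OAuth2 secret passes silently and the existing `.secrets.yaml` golden file is never read. The removed `requireSecrets: true` entries were the only place in the test that stated which cases must yield secrets. An `else` branch asserting that no golden file exists would restore that check: `require.NoFileExists(t, filepath.Join("testdata", "out", "xds-ir", inputFileName+".secrets.yaml"))`. The `@@ -305,8 +269,9 @@` hunk has the same gap for the `extension-xds-ir` directory. Both enclosing test functions start and end outside these hunks.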
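Review bot: The guard added in the `@@ -305,8 +269,9 @@` hunk is `if ok`, while the matching guard in TestTranslateXds is `if ok && len(secrets) > 0`, so the two tests decide differently whether a secrets golden file is expected. If `tCtx.XdsResources` can hold an empty slice under `resourcev3.SecretType` (not visible in the hunk), this branch would write and then compare an empty `.secrets.yaml` when `*overrideTestData` is set. Using the same condition in both places, `if ok && len(secrets) > 0 {`, keeps the golden-file set consistent; `len(secrets) > 0` alone is sufficient, since a missing key yields a nil slice.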