From 85e57ae5200e87e095cfedc5f5eb6f3dfc6aabef Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 17 Jul 2024 02:58:17 +0800 Subject: [PATCH] chore: move backend tls test resources out of the base (#3862) * move backend tls test resources out of the base Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao * add notice Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * print response body for debugging Signed-off-by: Huabing Zhao * print policy for debugging Signed-off-by: Huabing Zhao * increase timeout Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- test/e2e/base/manifests.yaml | 28 ----------------- test/e2e/testdata/backend-tls-settings.yaml | 27 ++++++++++++++++ test/e2e/tests/oidc.go | 34 +++++++++++++++------ test/e2e/tests/oidc_testclient.go | 2 +- test/e2e/tests/utils.go | 1 + 5 files changed, 54 insertions(+), 38 deletions(-) diff --git a/test/e2e/base/manifests.yaml b/test/e2e/base/manifests.yaml index 3801f47312c..a604223638a 100644 --- a/test/e2e/base/manifests.yaml +++ b/test/e2e/base/manifests.yaml @@ -6,7 +6,6 @@ # namespace): # - same-namespace (only supports route in same ns) # - all-namespaces (supports routes in all ns) -# - backend-namespaces (supports routes in ns with backend label) apiVersion: v1 kind: Namespace metadata: 
@@ -50,33 +49,6 @@ spec: name: zipkin-tracing namespace: envoy-gateway-system --- -apiVersion: gateway.networking.k8s.io/v1 -kind: Gateway -metadata: - name: backend-namespaces - namespace: gateway-conformance-infra -spec: - gatewayClassName: "{GATEWAY_CLASS_NAME}" - listeners: - - name: https - port: 443 - protocol: HTTPS - tls: - certificateRefs: - - group: "" - kind: Secret - name: backend-tls-certificate - mode: Terminate - - name: http - port: 80 - protocol: HTTP - allowedRoutes: - namespaces: - from: Selector - selector: - matchLabels: - gateway-conformance: backend ---- apiVersion: v1 kind: Service metadata: diff --git a/test/e2e/testdata/backend-tls-settings.yaml b/test/e2e/testdata/backend-tls-settings.yaml index ffd8abcdd27..749255f82e5 100644 --- a/test/e2e/testdata/backend-tls-settings.yaml +++ b/test/e2e/testdata/backend-tls-settings.yaml @@ -1,3 +1,30 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: backend-namespaces + namespace: gateway-conformance-infra +spec: + gatewayClassName: "{GATEWAY_CLASS_NAME}" + listeners: + - name: https + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - group: "" + kind: Secret + name: backend-tls-certificate + mode: Terminate + - name: http + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: Selector + selector: + matchLabels: + gateway-conformance: backend +--- apiVersion: v1 data: ca.crt: | diff --git a/test/e2e/tests/oidc.go b/test/e2e/tests/oidc.go index f279d2eddcb..b7617e8e0d7 100644 --- a/test/e2e/tests/oidc.go +++ b/test/e2e/tests/oidc.go @@ -9,14 +9,17 @@ package tests import ( + "context" "io" "net/http" "regexp" "testing" + "time" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/util/wait" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" gwhttp "sigs.k8s.io/gateway-api/conformance/utils/http" 
@@ -75,18 +78,31 @@ var OIDCTest = suite.ConformanceTest{ ) require.NoError(t, err) - // Send a request to the http route with OIDC configured. - // It will be redirected to the keycloak login page - res, err := client.Get(testURL, true) - require.NoError(t, err) - require.Equal(t, 200, res.StatusCode, "Expected 200 OK") - - // Parse the response body to get the URL where the login page would post the user-entered credentials - require.NoError(t, client.ParseLoginForm(res.Body, keyCloakLoginFormID), "Failed to parse login form") + if err := wait.PollUntilContextTimeout(context.TODO(), time.Second, 5*time.Minute, true, + func(_ context.Context) (done bool, err error) { + t.Logf("sending request to %s", testURL) + + // Send a request to the http route with OIDC configured. + // It will be redirected to the keycloak login page + res, err := client.Get(testURL, true) + require.NoError(t, err, "Failed to get the login page") + require.Equal(t, 200, res.StatusCode, "Expected 200 OK") + + // Parse the response body to get the URL where the login page would post the user-entered credentials + if err := client.ParseLoginForm(res.Body, keyCloakLoginFormID); err != nil { + t.Logf("failed to parse login form: %v", err) + return false, nil + } + + t.Log("successfully parsed login form") + return true, nil + }); err != nil { + t.Errorf("failed to parse login form: %v", err) + } // Submit the login form to the IdP. // This will authenticate and redirect back to the application - res, err = client.Login(map[string]string{"username": username, "password": password, "credentialId": ""}) + res, err := client.Login(map[string]string{"username": username, "password": password, "credentialId": ""}) require.NoError(t, err, "Failed to login to the IdP") // Verify that we get the expected response from the application diff --git a/test/e2e/tests/oidc_testclient.go b/test/e2e/tests/oidc_testclient.go index d2bd9f364ce..2f1cc4d5983 100644 --- a/test/e2e/tests/oidc_testclient.go 
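Review bot: In the poll condition, `require.NoError` and `require.Equal` end the test on the first failed GET or non-200 status, so the five-minute retry only ever covers a form-parse failure; if the retry is meant to ride out a route or IdP that is not ready yet, those two checks should log and `return false, nil` as well. After the poll, `t.Errorf` records the timeout but lets the test continue into `client.Login` without a parsed form, which adds a second, misleading failure; `require.NoError` on the poll result stops at the real cause. Whether `res.Body` is closed on each attempt is not visible here and is worth confirming, since the loop can now issue hundreds of requests. The enclosing test function starts and ends outside the hunk, and the sketch assumes `err` is still in scope from the earlier `require.NoError(t, err)`.

```go
err = wait.PollUntilContextTimeout(context.TODO(), time.Second, 5*time.Minute, true,
	func(_ context.Context) (bool, error) {
		// … unchanged: t.Logf of testURL …
		res, err := client.Get(testURL, true)
		if err != nil {
			t.Logf("failed to get the login page: %v", err)
			return false, nil
		}
		if res.StatusCode != http.StatusOK {
			t.Logf("expected 200 OK, got %d", res.StatusCode)
			return false, nil
		}
		// … unchanged: ParseLoginForm call and its logging …
	})
require.NoError(t, err, "failed to parse login form")
```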
+++ b/test/e2e/tests/oidc_testclient.go @@ -212,7 +212,7 @@ func extractFromData(responseBody string, match formMatch, includeFromInputs boo // Find the form with the specified ID or match criteria form := findForm(doc, match) if form == nil { - return "", "", nil, fmt.Errorf("%s not found", match) + return "", "", nil, fmt.Errorf("%s not found in %s", match, responseBody) } var ( diff --git a/test/e2e/tests/utils.go b/test/e2e/tests/utils.go index 4ee2dbebcf7..33d21516876 100644 --- a/test/e2e/tests/utils.go +++ b/test/e2e/tests/utils.go @@ -93,6 +93,7 @@ func SecurityPolicyMustBeAccepted(t *testing.T, client client.Client, policyName } if policyAcceptedByAncestor(policy.Status.Ancestors, controllerName, ancestorRef) { + t.Logf("SecurityPolicy has been accepted: %v", policy) return true, nil }
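Review bot: The new error text embeds the whole `responseBody`, so each failed parse writes a full HTML page into the test log, and the oidc.go poll (which presumably reaches this through `ParseLoginForm`) can now repeat that once a second for up to five minutes. An IdP login page can also carry per-session values in its form action and hidden inputs, which would then persist in CI logs. Bound and quote the excerpt instead: `return "", "", nil, fmt.Errorf("%s not found in response (%d bytes): %.512q", match, len(responseBody), responseBody)`. extractFromData starts and ends outside the hunk.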
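Review bot: `%v` on `policy` dumps the entire SecurityPolicy object (metadata, spec and status) into the test log on each acceptance; assuming `policy` is a struct pointer, nested pointer fields print as addresses, so the output is long without being readable, and it puts the policy's full auth configuration into CI output. Logging the name and the status that was just checked is enough for debugging: `t.Logf("SecurityPolicy %v has been accepted: %+v", policyName, policy.Status.Ancestors)`. SecurityPolicyMustBeAccepted starts and ends outside the hunk.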