
Commit 3e1cd8a

authored
Set mtls to STRICT mode when running tests with istio enabled (#3981)
* Set mtls to STRICT mode when running tests with istio enabled
1 parent 933eb9b commit 3e1cd8a


2 files changed

+47
-3
lines changed


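--- a/integration-tests/src/test/java/oracle/weblogic/kubernetes/ItIstioMiiDomain.java
+++ b/integration-tests/src/test/java/oracle/weblogic/kubernetes/ItIstioMiiDomain.java
@@ -1,4 +1,4 @@
-// Copyright (c) 2020, 2022, Oracle and/or its affiliates.
+// Copyright (c) 2020, 2023, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.weblogic.kubernetes;
@@ -26,6 +26,7 @@
 import oracle.weblogic.kubernetes.annotations.IntegrationTest;
 import oracle.weblogic.kubernetes.annotations.Namespaces;
 import oracle.weblogic.kubernetes.logging.LoggingFacade;
+import oracle.weblogic.kubernetes.utils.ExecCommand;
 import oracle.weblogic.kubernetes.utils.ExecResult;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.DisplayName;
@@ -37,13 +38,15 @@
 import static oracle.weblogic.kubernetes.TestConstants.DOMAIN_API_VERSION;
 import static oracle.weblogic.kubernetes.TestConstants.IMAGE_PULL_POLICY;
 import static oracle.weblogic.kubernetes.TestConstants.K8S_NODEPORT_HOST;
+import static oracle.weblogic.kubernetes.TestConstants.KUBERNETES_CLI;
 import static oracle.weblogic.kubernetes.TestConstants.MII_BASIC_IMAGE_NAME;
 import static oracle.weblogic.kubernetes.TestConstants.MII_BASIC_IMAGE_TAG;
 import static oracle.weblogic.kubernetes.TestConstants.TEST_IMAGES_REPO_SECRET_NAME;
 import static oracle.weblogic.kubernetes.TestConstants.WEBLOGIC_IMAGE_TAG;
 import static oracle.weblogic.kubernetes.TestConstants.WEBLOGIC_SLIM;
 import static oracle.weblogic.kubernetes.actions.ActionConstants.MODEL_DIR;
 import static oracle.weblogic.kubernetes.actions.ActionConstants.RESOURCE_DIR;
+import static oracle.weblogic.kubernetes.actions.ActionConstants.WORK_DIR;
 import static oracle.weblogic.kubernetes.actions.TestActions.addLabelsToNamespace;
 import static oracle.weblogic.kubernetes.actions.TestActions.patchDomainResourceWithNewIntrospectVersion;
 import static oracle.weblogic.kubernetes.utils.ApplicationUtils.checkAppUsingHostHeader;
@@ -62,6 +65,7 @@
 import static oracle.weblogic.kubernetes.utils.DomainUtils.createDomainAndVerify;
 import static oracle.weblogic.kubernetes.utils.ExecCommand.exec;
 import static oracle.weblogic.kubernetes.utils.FileUtils.generateFileFromTemplate;
+import static oracle.weblogic.kubernetes.utils.FileUtils.replaceStringInFile;
 import static oracle.weblogic.kubernetes.utils.ImageUtils.createTestRepoSecret;
 import static oracle.weblogic.kubernetes.utils.IstioUtils.createAdminServer;
 import static oracle.weblogic.kubernetes.utils.IstioUtils.deployHttpIstioGatewayAndVirtualservice;
@@ -72,6 +76,7 @@
 import static oracle.weblogic.kubernetes.utils.PodUtils.setPodAntiAffinity;
 import static oracle.weblogic.kubernetes.utils.SecretUtils.createSecretWithUsernamePassword;
 import static oracle.weblogic.kubernetes.utils.ThreadSafeLogger.getLogger;
+import static org.apache.commons.io.FileUtils.copyFile;
 import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
@@ -126,6 +131,8 @@ public static void initAll(@Namespaces(2) List<String> namespaces) {
 
 // install and verify operator
 installAndVerifyOperator(opNamespace, domainNamespace);
+
+enableStrictMode(domainNamespace);
 }
 
 /**
@@ -237,6 +244,17 @@ void testIstioModelInImageDomain() {
 
 int istioIngressPort = getIstioHttpIngressPort();
 logger.info("Istio Ingress Port is {0}", istioIngressPort);
+
+String curlCmd = "curl -j -sk --show-error --noproxy '*' "
++ " -H 'Host: " + domainNamespace + ".org'"
++ " --url http://" + K8S_NODEPORT_HOST + ":" + istioIngressPort + "/console/login/LoginForm.jsp";
+ExecResult result = null;
+logger.info("curl command {0}", curlCmd);
+result = assertDoesNotThrow(() -> exec(curlCmd, true));
+assertEquals(0, result.exitValue(), "Got expected exit value");
+result = assertDoesNotThrow(() -> ExecCommand.exec(KUBERNETES_CLI + " delete -f "
++ Paths.get(WORK_DIR, "istio-tls-mode.yaml").toString(), true));
+assertEquals(0, result.exitValue(), "Got expected exit value");
 
 // We can not verify Rest Management console thru Adminstration NodePort
 // in istio, as we can not enable Adminstration NodePort
@@ -254,7 +272,7 @@ void testIstioModelInImageDomain() {
 + "/management/weblogic/latest/domainRuntime/domainSecurityRuntime?"
 + "link=none";
 
-ExecResult result = null;
+result = null;
 logger.info("curl command {0}", curlCmd2);
 result = assertDoesNotThrow(
 () -> exec(curlCmd2, true));
@@ -274,7 +292,7 @@ void testIstioModelInImageDomain() {
 }
 
 Path archivePath = Paths.get(testWebAppWarLoc);
-ExecResult result = null;
+result = null;
 result = deployToClusterUsingRest(K8S_NODEPORT_HOST,
 String.valueOf(istioIngressPort),
 ADMIN_USERNAME_DEFAULT, ADMIN_PASSWORD_DEFAULT,
@@ -364,4 +382,19 @@ private DomainResource createDomainResource(String domainUid, String domNamespac
 setPodAntiAffinity(domain);
 return domain;
 }
+
+private static void enableStrictMode(String namespace) {
+assertDoesNotThrow(() -> {
+copyFile(Paths.get(RESOURCE_DIR, "istio", "istio-tls-mode.yaml").toFile(),
+Paths.get(WORK_DIR, "istio-tls-mode.yaml").toFile());
+});
+assertDoesNotThrow(() -> {
+replaceStringInFile(Paths.get(WORK_DIR, "istio-tls-mode.yaml").toString(),
+"NAMESPACE", namespace);
+});
+ExecResult result = assertDoesNotThrow(() -> ExecCommand.exec(KUBERNETES_CLI + " apply -f "
++ Paths.get(WORK_DIR, "istio-tls-mode.yaml").toString(), true));
+logger.info(result.stdout());
+logger.info(result.stderr());
+}
 }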
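Review bot: In `enableStrictMode` the exit value of the `apply` command is only logged and never asserted, so if the PeerAuthentication is rejected the suite continues under whatever mTLS mode the mesh already had and can still pass without STRICT ever being in force. Adding `assertEquals(0, result.exitValue(), "Failed to apply istio-tls-mode.yaml");` after the exec call closes that gap. The new console check in `testIstioModelInImageDomain` is weak in the same way: curl is run without `--fail`, so an HTTP error response from the ingress gateway still yields exit value 0, and the message "Got expected exit value" reads like a success text although it is printed on failure. The policy is also deleted right after that single request, so the later REST and deployment checks in this method (whose body continues outside the hunks shown) appear to run without STRICT; a comment saying whether that is intended would help.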
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
# Copyright (c) 2023, Oracle and/or its affiliates.
2+
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
3+
4+
apiVersion: security.istio.io/v1beta1
5+
kind: PeerAuthentication
6+
metadata:
7+
name: "strict-tls-policy"
8+
namespace: NAMESPACE
9+
spec:
10+
mtls:
11+
mode: STRICT
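Review bot: The `namespace: NAMESPACE` value is a template token that the Java test rewrites before applying the file, but nothing in the file says so. A comment above it, such as `# NAMESPACE is substituted by the integration test before this file is applied`, would stop someone from applying the template unmodified. The policy carries no `selector`, so it covers every workload in the target namespace; stating that in the header comment would make the intended scope explicit.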
