Integration tests when k8s CA issues istiod certificate (#20332)

tests/integration/security/mtls_k8s_ca/main_test.go

@@ -0,0 +1,62 @@
+// Copyright 2020 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package mtls_k8s_ca
+
+import (
+	"testing"
+
+	"istio.io/istio/pkg/test/framework"
+	"istio.io/istio/pkg/test/framework/components/environment"
+	"istio.io/istio/pkg/test/framework/components/galley"
+	"istio.io/istio/pkg/test/framework/components/istio"
+	"istio.io/istio/pkg/test/framework/components/pilot"
+	"istio.io/istio/pkg/test/framework/label"
+	"istio.io/istio/pkg/test/framework/resource"
+)
+
+var (
+	inst istio.Instance
+	g    galley.Instance
+	p    pilot.Instance
+)
+
+func TestMain(m *testing.M) {
+	framework.
+		NewSuite("mtls", m).
+		RequireEnvironment(environment.Kube).
+		Label(label.CustomSetup).
+		SetupOnEnv(environment.Kube, istio.Setup(&inst, setupConfig)).
+		Setup(func(ctx resource.Context) (err error) {
+			if g, err = galley.New(ctx, galley.Config{}); err != nil {
+				return err
+			}
+			if p, err = pilot.New(ctx, pilot.Config{
+				Galley: g,
+			}); err != nil {
+				return err
+			}
+			return nil
+		}).
+		Run()
+}
+
+func setupConfig(cfg *istio.Config) {
+	if cfg == nil {
+		return
+	}
+	cfg.Values["global.pilotCertProvider"] = "kubernetes"
+	cfg.Values["global.mtls.auto"] = "true"
+	cfg.Values["global.controlPlaneSecurityEnabled"] = "true"
+}

tests/integration/security/mtls_k8s_ca/strict_test.go

@@ -0,0 +1,84 @@
+// Copyright 2020 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package mtls_k8s_ca
+
+import (
+	"testing"
+
+	"istio.io/istio/pkg/test/framework"
+	"istio.io/istio/pkg/test/framework/components/echo"
+	"istio.io/istio/pkg/test/framework/components/environment"
+	"istio.io/istio/pkg/test/framework/components/namespace"
+	"istio.io/istio/tests/integration/security/util/reachability"
+)
+
+// When k8s CA issues the Pilot certificate, this test verifies
+// reachability under different authN scenario when automtls enabled
+// - app A to app B using mTLS.
+// In each test, the steps are:
+// - Configure authn policy.
+// - Wait for config propagation.
+// - Send HTTP/gRPC requests between apps.
+func TestMtlsStrictK8sCA(t *testing.T) {
+	framework.NewTest(t).
+		Run(func(ctx framework.TestContext) {
+
+			rctx := reachability.CreateContext(ctx, g, p)
+			systemNM := namespace.ClaimSystemNamespaceOrFail(ctx, ctx)
+
+			testCases := []reachability.TestCase{
+				{
+					ConfigFile:          "global-mtls-on-no-dr.yaml",
+					Namespace:           systemNM,
+					RequiredEnvironment: environment.Kube,
+					Include: func(src echo.Instance, opts echo.CallOptions) bool {
+						// Exclude calls to the headless service.
+						// Auto mtls does not apply to headless service, because for headless service
+						// the cluster discovery type is ORIGINAL_DST, and it will not apply upstream tls setting
+						return opts.Target != rctx.Headless
+					},
+					ExpectSuccess: func(src echo.Instance, opts echo.CallOptions) bool {
+						// When mTLS is in STRICT mode, DR's TLS settings are default to mTLS so the result would
+						// be the same as having global DR rule.
+						if opts.Target == rctx.Naked {
+							// calls to naked should always succeed.
+							return true
+						}
+
+						// If source is naked, and destination is not, expect failure.
+						return !(src == rctx.Naked && opts.Target != rctx.Naked)
+					},
+				},
+				{
+					ConfigFile:          "global-plaintext.yaml",
+					Namespace:           systemNM,
+					RequiredEnvironment: environment.Kube,
+					Include: func(src echo.Instance, opts echo.CallOptions) bool {
+						// Exclude calls to the headless TCP port.
+						if opts.Target == rctx.Headless && opts.PortName == "tcp" {
+							return false
+						}
+
+						return true
+					},
+					ExpectSuccess: func(src echo.Instance, opts echo.CallOptions) bool {
+						// When mTLS is disabled, all traffic should work.
+						return true
+					},
+				},
+			}
+			rctx.Run(testCases)
+		})
+}

tests/integration/security/mtls_k8s_ca/testdata/global-mtls-on-no-dr.yaml

@@ -0,0 +1,8 @@
+# mTLS is enabled in strict mode without destination rule.
+apiVersion: authentication.istio.io/v1alpha1
+kind: MeshPolicy
+metadata:
+  name: "default"
+spec:
+  peers:
+  - mtls: {}

tests/integration/security/mtls_k8s_ca/testdata/global-plaintext.yaml

@@ -0,0 +1,6 @@
+# mTLS is disabled without destination rule.
+apiVersion: authentication.istio.io/v1alpha1
+kind: MeshPolicy
+metadata:
+  name: "default"
+spec: {}