author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-02-05 12:08:43 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-02-05 12:08:43 +0300 |
commit | 26384c9a61da9922b8fa4b8351d4e42d51661b37 (patch) | |
tree | ef3decbed644db3c97dcdbb5b71d4ade77f3155d /spec/services/clusters | |
parent | 79cbe31b18159ea394c6f6e3027c1dc69bdabb75 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/services/clusters')
-rw-r--r-- | spec/services/clusters/kubernetes/configure_istio_ingress_service_spec.rb | 197 |
1 files changed, 197 insertions, 0 deletions
diff --git a/spec/services/clusters/kubernetes/configure_istio_ingress_service_spec.rb b/spec/services/clusters/kubernetes/configure_istio_ingress_service_spec.rb
new file mode 100644
index 00000000000..572e2b91187
--- /dev/null
+++ b/spec/services/clusters/kubernetes/configure_istio_ingress_service_spec.rb
@@ -0,0 +1,197 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Clusters::Kubernetes::ConfigureIstioIngressService, '#execute' do
+ include KubernetesHelpers
+
+ let(:cluster) { create(:cluster, :project, :provided_by_gcp) }
+ let(:api_url) { 'https://kubernetes.example.com' }
+ let(:project) { cluster.project }
+ let(:environment) { create(:environment, project: project) }
+ let(:cluster_project) { cluster.cluster_project }
+ let(:namespace) { "#{project.name}-#{project.id}-#{environment.slug}" }
+ let(:kubeclient) { cluster.kubeclient }
+
+ subject do
+ described_class.new(
+ cluster: cluster
+ ).execute
+ end
+
+ before do
+ stub_kubeclient_discover_istio(api_url)
+ stub_kubeclient_create_secret(api_url, namespace: namespace)
+ stub_kubeclient_put_secret(api_url, "#{namespace}-token", namespace: namespace)
+
+ stub_kubeclient_get_secret(
+ api_url,
+ {
+ metadata_name: "#{namespace}-token",
+ token: Base64.encode64('sample-token'),
+ namespace: namespace
+ }
+ )
+
+ stub_kubeclient_get_secret(
+ api_url,
+ {
+ metadata_name: 'istio-ingressgateway-ca-certs',
+ namespace: 'istio-system'
+ }
+ )
+
+ stub_kubeclient_get_secret(
+ api_url,
+ {
+ metadata_name: 'istio-ingressgateway-certs',
+ namespace: 'istio-system'
+ }
+ )
+
+ stub_kubeclient_put_secret(api_url, 'istio-ingressgateway-ca-certs', namespace: 'istio-system')
+ stub_kubeclient_put_secret(api_url, 'istio-ingressgateway-certs', namespace: 'istio-system')
+ stub_kubeclient_get_gateway(api_url, 'knative-ingress-gateway', namespace: 'knative-serving')
+ stub_kubeclient_put_gateway(api_url, 'knative-ingress-gateway', namespace: 'knative-serving')
+ end
+
+ context 'without a serverless_domain_cluster' do
+ it 'configures gateway to use PASSTHROUGH' do
+ subject
+
+ expect(WebMock).to have_requested(:put, api_url + '/apis/networking.istio.io/v1alpha3/namespaces/knative-serving/gateways/knative-ingress-gateway').with(
+ body: hash_including(
+ apiVersion: "networking.istio.io/v1alpha3",
+ kind: "Gateway",
+ metadata: {
+ generation: 1,
+ labels: {
+ "networking.knative.dev/ingress-provider" => "istio",
+ "serving.knative.dev/release" => "v0.7.0"
+ },
+ name: "knative-ingress-gateway",
+ namespace: "knative-serving",
+ selfLink: "/apis/networking.istio.io/v1alpha3/namespaces/knative-serving/gateways/knative-ingress-gateway"
+ },
+ spec: {
+ selector: {
+ istio: "ingressgateway"
+ },
+ servers: [
+ {
+ hosts: ["*"],
+ port: {
+ name: "http",
+ number: 80,
+ protocol: "HTTP"
+ }
+ },
+ {
+ hosts: ["*"],
+ port: {
+ name: "https",
+ number: 443,
+ protocol: "HTTPS"
+ },
+ tls: {
+ mode: "PASSTHROUGH"
+ }
+ }
+ ]
+ }
+ )
+ )
+ end
+ end
+
+ context 'with a serverless_domain_cluster' do
+ let(:serverless_domain_cluster) { create(:serverless_domain_cluster) }
+ let(:certificate) { OpenSSL::X509::Certificate.new(serverless_domain_cluster.certificate) }
+
+ before do
+ cluster.application_knative = serverless_domain_cluster.knative
+ end
+
+ it 'configures certificates' do
+ subject
+
+ expect(serverless_domain_cluster.reload.key).not_to be_blank
+ expect(serverless_domain_cluster.reload.certificate).not_to be_blank
+
+ expect(certificate.subject.to_s).to include(serverless_domain_cluster.knative.hostname)
+
+ expect(certificate.not_before).to be_within(1.minute).of(Time.now)
+ expect(certificate.not_after).to be_within(1.minute).of(Time.now + 1000.years)
+
+ expect(WebMock).to have_requested(:put, api_url + '/api/v1/namespaces/istio-system/secrets/istio-ingressgateway-ca-certs').with(
+ body: hash_including(
+ metadata: {
+ name: 'istio-ingressgateway-ca-certs',
+ namespace: 'istio-system'
+ },
+ type: 'Opaque'
+ )
+ )
+
+ expect(WebMock).to have_requested(:put, api_url + '/api/v1/namespaces/istio-system/secrets/istio-ingressgateway-certs').with(
+ body: hash_including(
+ metadata: {
+ name: 'istio-ingressgateway-certs',
+ namespace: 'istio-system'
+ },
+ type: 'kubernetes.io/tls'
+ )
+ )
+ end
+
+ it 'configures gateway to use MUTUAL' do
+ subject
+
+ expect(WebMock).to have_requested(:put, api_url + '/apis/networking.istio.io/v1alpha3/namespaces/knative-serving/gateways/knative-ingress-gateway').with(
+ body: {
+ apiVersion: "networking.istio.io/v1alpha3",
+ kind: "Gateway",
+ metadata: {
+ generation: 1,
+ labels: {
+ "networking.knative.dev/ingress-provider" => "istio",
+ "serving.knative.dev/release" => "v0.7.0"
+ },
+ name: "knative-ingress-gateway",
+ namespace: "knative-serving",
+ selfLink: "/apis/networking.istio.io/v1alpha3/namespaces/knative-serving/gateways/knative-ingress-gateway"
+ },
+ spec: {
+ selector: {
+ istio: "ingressgateway"
+ },
+ servers: [
+ {
+ hosts: ["*"],
+ port: {
+ name: "http",
+ number: 80,
+ protocol: "HTTP"
+ }
+ },
+ {
+ hosts: ["*"],
+ port: {
+ name: "https",
+ number: 443,
+ protocol: "HTTPS"
+ },
+ tls: {
+ mode: "MUTUAL",
+ privateKey: "/etc/istio/ingressgateway-certs/tls.key",
+ serverCertificate: "/etc/istio/ingressgateway-certs/tls.crt",
+ caCertificates: "/etc/istio/ingressgateway-ca-certs/cert.pem"
+ }
+ }
+ ]
+ }
+ }
+ )
+ end
+ end
+end |
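Review bot: The 'configures certificates' example matches the two secret PUTs only on `metadata` and `type` through `hash_including`, so it would still pass if the `istio-ingressgateway-certs` and `istio-ingressgateway-ca-certs` bodies carried no key or certificate material, or material unrelated to `serverless_domain_cluster`. Because the MUTUAL gateway configuration depends on those secrets, the example should also tie the stored key to the stored certificate, for instance `expect(certificate.check_private_key(OpenSSL::PKey.read(serverless_domain_cluster.reload.key))).to be(true)` (assuming the key is stored as PEM), and assert on the `data` of each PUT body, whose field names are not visible in this hunk. The `Time.now + 1000.years` expectation pins an effectively non-expiring certificate; a comment such as `# validity is deliberately ~1000 years; rotation is handled by <mechanism>` would record whether that is intended. Both time assertions read the wall clock, so freezing time around `subject` would make them deterministic.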