kuma
705 строк · 21.2 Кб
1package gateway2import (4"encoding/base64"5"fmt"6"strings"7"github.com/gruntwork-io/terratest/modules/k8s"9. "github.com/onsi/ginkgo/v2"10. "github.com/onsi/gomega"11. "github.com/kumahq/kuma/test/framework"13"github.com/kumahq/kuma/test/framework/client"14"github.com/kumahq/kuma/test/framework/deployments/testserver"15"github.com/kumahq/kuma/test/framework/envs/kubernetes"16)17func Gateway() {19meshName := "simple-gateway"20namespace := "simple-gateway"21clientNamespace := "client-simple-gateway"22meshGateway := `23apiVersion: kuma.io/v1alpha124kind: MeshGateway25metadata:26name: simple-gateway27mesh: simple-gateway28spec:29selectors:30- match:31kuma.io/service: simple-gateway32conf:33listeners:34- port: 808035protocol: HTTP36hostname: example.kuma.io37tags:38hostname: example.kuma.io39- port: 808140protocol: HTTPS41tls:42mode: TERMINATE43certificates:44- secret: kuma-io-certificate-k8s` +45// secret names have to be unique because46// we're removing secrets using owner reference, and we're relying on async namespace deletion,47// so we could have a situation where the secrets are not yet deleted,48// and we're trying to create a new mesh with the same secret name which k8s treats as changing the mesh of the secret49// and results in "cannot change mesh of the Secret. Delete the Secret first and apply it again."50// https://app.circleci.com/pipelines/github/kumahq/kuma/24848/workflows/f33edb5a-74cb-45ae-b0c2-4b14bf289585/jobs/49723951`52hostname: example.kuma.io53tags:54hostname: example.kuma.io55- port: 808156protocol: HTTPS57tls:58mode: TERMINATE59certificates:60- secret: kuma-io-certificate-k8s` +61// secret names have to be unique because62// we're removing secrets using owner reference, and we're relying on async namespace deletion,63// so we could have a situation where the secrets are not yet deleted,64// and we're trying to create a new mesh with the same secret name which k8s treats as changing the mesh of the secret65// and results in "cannot change mesh of the Secret. Delete the Secret first and apply it again."66// https://app.circleci.com/pipelines/github/kumahq/kuma/24848/workflows/f33edb5a-74cb-45ae-b0c2-4b14bf289585/jobs/49723967`68hostname: otherexample.kuma.io69tags:70hostname: otherexample.kuma.io71- port: 808272protocol: HTTP73hostname: '*'74- port: 808375protocol: TCP76`77httpsSecret := func() string {78cert, key, err := CreateCertsFor("example.kuma.io")79Expect(err).To(Succeed())80secretData := base64.StdEncoding.EncodeToString([]byte(strings.Join([]string{key, cert}, "\n")))81return fmt.Sprintf(`82apiVersion: v183kind: Secret84metadata:85name: kuma-io-certificate-k8s86namespace: %s87labels:88kuma.io/mesh: simple-gateway89data:90value: %s91type: system.kuma.io/secret92`, Config.KumaNamespace, secretData)93}94var clusterIP string95BeforeAll(func() {97err := NewClusterSetup().98Install(MTLSMeshKubernetes(meshName)).99Install(Namespace(clientNamespace)).100Install(NamespaceWithSidecarInjection(namespace)).101Install(testserver.Install(102testserver.WithName("demo-client"),103testserver.WithNamespace(clientNamespace),104)).105Install(testserver.Install(106testserver.WithName("echo-server"),107testserver.WithMesh(meshName),108testserver.WithNamespace(namespace),109testserver.WithEchoArgs("echo", "--instance", "echo-server"),110)).111Install(YamlK8s(httpsSecret())).112Install(YamlK8s(meshGateway)).113Install(YamlK8s(MkGatewayInstance("simple-gateway", namespace, meshName))).114Install(MeshTrafficPermissionAllowAllKubernetes(meshName)).115Setup(kubernetes.Cluster)116Expect(err).ToNot(HaveOccurred())117Eventually(func(g Gomega) {119var err error120clusterIP, err = k8s.RunKubectlAndGetOutputE(121kubernetes.Cluster.GetTesting(),122kubernetes.Cluster.GetKubectlOptions(namespace),123"get", "service", "simple-gateway", "-ojsonpath={.spec.clusterIP}",124)125g.Expect(err).ToNot(HaveOccurred())126g.Expect(clusterIP).ToNot(BeEmpty())127}, "30s", "1s").Should(Succeed())128})129E2EAfterAll(func() {131Expect(kubernetes.Cluster.TriggerDeleteNamespace(namespace)).To(Succeed())132Expect(kubernetes.Cluster.TriggerDeleteNamespace(clientNamespace)).To(Succeed())133Expect(kubernetes.Cluster.DeleteMesh(meshName)).To(Succeed())134})135meshGatewayRoutes := func(name, path, destination string) []string {137return []string{138fmt.Sprintf(`139apiVersion: kuma.io/v1alpha1140kind: MeshGatewayRoute141metadata:142name: %s143mesh: simple-gateway144spec:145selectors:146- match:147kuma.io/service: simple-gateway148conf:149http:150rules:151- matches:152- path:153match: PREFIX154value: %s155backends:156- destination:157kuma.io/service: %s158- matches:159- path:160match: PREFIX161value: /rewrite-host%s162filters:163- rewrite:164hostToBackendHostname: true165backends:166- destination:167kuma.io/service: %s168`, name, path, destination, path, destination),169fmt.Sprintf(`170apiVersion: kuma.io/v1alpha1171kind: MeshGatewayRoute172metadata:173name: %s-specific174mesh: simple-gateway175spec:176selectors:177- match:178kuma.io/service: simple-gateway179conf:180http:181hostnames:182- specific.kuma.io183rules:184- matches:185- path:186match: PREFIX187value: %s188filters:189- requestHeader:190add:191- name: x-specific-hostname-header192value: "true"193backends:194- destination:195kuma.io/service: %s196- matches:197- path:198match: PREFIX199value: /rewrite-host%s200filters:201- rewrite:202hostToBackendHostname: true203backends:204- destination:205kuma.io/service: %s206`, name, path, destination, path, destination),207fmt.Sprintf(`208apiVersion: kuma.io/v1alpha1209kind: MeshGatewayRoute210metadata:211name: %s-specific-listener212mesh: simple-gateway213spec:214selectors:215- match:216kuma.io/service: simple-gateway217hostname: otherexample.kuma.io218conf:219http:220rules:221- matches:222- path:223match: PREFIX224value: "%s-specific-listener"225filters:226- requestHeader:227add:228- name: x-listener-by-hostname-header229value: "true"230backends:231- destination:232kuma.io/service: %s233`, name, path, destination),234}235}236httpRoute := func(name, path, destination string) []string {238return []string{239fmt.Sprintf(`240apiVersion: kuma.io/v1alpha1241kind: MeshHTTPRoute242metadata:243name: %s244namespace: %s245labels:246kuma.io/mesh: simple-gateway247spec:248targetRef:249kind: MeshGateway250name: simple-gateway251to:252- targetRef:253kind: Mesh254rules:255- matches:256- path:257type: PathPrefix258value: "%s"259default:260backendRefs:261- kind: MeshService262name: "%s"263- targetRef:264kind: Mesh265hostnames:266- specific.kuma.io267rules:268- matches:269- path:270type: PathPrefix271value: "%s"272default:273filters:274- type: RequestHeaderModifier275requestHeaderModifier:276add:277- name: x-specific-hostname-header278value: "true"279backendRefs:280- kind: MeshService281name: "%s"282`, name, Config.KumaNamespace, path, destination, path, destination),283fmt.Sprintf(`284apiVersion: kuma.io/v1alpha1285kind: MeshHTTPRoute286metadata:287name: %s288namespace: %s289labels:290kuma.io/mesh: simple-gateway291spec:292targetRef:293kind: MeshGateway294name: simple-gateway295tags:296hostname: otherexample.kuma.io297to:298- targetRef:299kind: Mesh300rules:301- matches:302- path:303type: PathPrefix304value: "%s-specific-listener"305default:306filters:307- type: RequestHeaderModifier308requestHeaderModifier:309add:310- name: x-listener-by-hostname-header311value: "true"312backendRefs:313- kind: MeshService314name: "%s"315`, name+"-hostname-specific", Config.KumaNamespace, path, destination),316}317}318basicRouting := func(name string, routeYAMLs []string) {320Context(fmt.Sprintf("Mesh service - %s", name), func() {321BeforeAll(func() {322Expect(NewClusterSetup().323Install(YamlK8s(routeYAMLs...)).324Setup(kubernetes.Cluster),325).To(Succeed())326})327E2EAfterAll(func() {329Expect(NewClusterSetup().330Install(DeleteYamlK8s(routeYAMLs...)).331Setup(kubernetes.Cluster),332).To(Succeed())333})334It("should proxy to service via HTTP without port in host", func() {336Eventually(func(g Gomega) {337response, err := client.CollectEchoResponse(338kubernetes.Cluster, "demo-client",339"http://simple-gateway.simple-gateway:8080/",340client.WithHeader("host", "example.kuma.io"),341client.FromKubernetesPod(clientNamespace, "demo-client"),342)343g.Expect(err).ToNot(HaveOccurred())345g.Expect(response.Instance).To(Equal("echo-server"))346g.Expect(response.Received.Headers).ToNot(HaveKey("X-Specific-Hostname-Header"))347}, "1m", "1s").Should(Succeed())348})349It("should proxy to service via HTTP with port in host", func() {350Eventually(func(g Gomega) {351response, err := client.CollectEchoResponse(352kubernetes.Cluster, "demo-client",353"http://simple-gateway.simple-gateway:8080/",354client.WithHeader("host", "example.kuma.io:8080"),355client.FromKubernetesPod(clientNamespace, "demo-client"),356)357g.Expect(err).ToNot(HaveOccurred())359g.Expect(response.Instance).To(Equal("echo-server"))360g.Expect(response.Received.Headers).ToNot(HaveKey("X-Specific-Hostname-Header"))361}, "30s", "1s").Should(Succeed())362})363It("should proxy to service via HTTPS", func() {365Eventually(func(g Gomega) {366response, err := client.CollectEchoResponse(367kubernetes.Cluster, "demo-client",368"https://example.kuma.io:8081/",369client.Resolve("example.kuma.io:8081", clusterIP),370client.FromKubernetesPod(clientNamespace, "demo-client"),371client.Insecure(),372)373g.Expect(err).ToNot(HaveOccurred())375g.Expect(response.Instance).To(Equal("echo-server"))376g.Expect(response.Received.Headers).ToNot(HaveKey("X-Specific-Hostname-Header"))377}, "30s", "1s").Should(Succeed())378})379It("should automatically set host header from service address", func() {381Eventually(func(g Gomega) {382response, err := client.CollectEchoResponse(383kubernetes.Cluster, "demo-client",384"http://simple-gateway.simple-gateway:8082/",385client.WithHeader("host", "example.kuma.io"),386client.FromKubernetesPod(clientNamespace, "demo-client"),387)388g.Expect(err).ToNot(HaveOccurred())390g.Expect(response.Received.Headers["Host"]).To(HaveLen(1))391g.Expect(response.Received.Headers["Host"]).To(ContainElements("example.kuma.io"))392g.Expect(response.Received.Headers).ToNot(HaveKey("X-Specific-Hostname-Header"))393}, "30s", "1s").Should(Succeed())394})395It("should route based on host name", func() {397Eventually(func(g Gomega) {398response, err := client.CollectEchoResponse(399kubernetes.Cluster, "demo-client",400"http://simple-gateway.simple-gateway:8082/",401client.WithHeader("host", "specific.kuma.io"),402client.FromKubernetesPod(clientNamespace, "demo-client"),403)404g.Expect(err).ToNot(HaveOccurred())406g.Expect(response.Received.Headers["Host"]).To(HaveLen(1))407g.Expect(response.Received.Headers["Host"]).To(ContainElements("specific.kuma.io"))408g.Expect(response.Received.Headers["X-Specific-Hostname-Header"]).To(ContainElements("true"))409}, "30s", "1s").Should(Succeed())410})411It("should match routes by SNI", func() {413Eventually(func(g Gomega) {414response, err := client.CollectEchoResponse(415kubernetes.Cluster, "demo-client",416"https://otherexample.kuma.io:8081/-specific-listener",417client.Resolve("otherexample.kuma.io:8081", clusterIP),418client.FromKubernetesPod(clientNamespace, "demo-client"),419client.Insecure(),420)421g.Expect(err).ToNot(HaveOccurred())423g.Expect(response.Received.Headers["Host"]).To(HaveLen(1))424g.Expect(response.Received.Headers["Host"]).To(ContainElements("otherexample.kuma.io:8081"))425g.Expect(response.Received.Headers["X-Listener-By-Hostname-Header"]).To(ContainElements("true"))426}, "30s", "1s").Should(Succeed())427})428It("should isolate routes by SNI", func() {430Eventually(func(g Gomega) {431response, err := client.CollectEchoResponse(432kubernetes.Cluster, "demo-client",433"https://example.kuma.io:8081/-specific-listener",434client.Resolve("example.kuma.io:8081", clusterIP),435client.FromKubernetesPod(clientNamespace, "demo-client"),436client.Insecure(),437)438g.Expect(err).ToNot(HaveOccurred())440g.Expect(response.Received.Headers["Host"]).To(HaveLen(1))441g.Expect(response.Received.Headers["Host"]).To(ContainElements("example.kuma.io:8081"))442g.Expect(response.Received.Headers["X-Listener-By-Hostname-Header"]).NotTo(ContainElements("true"))443}, "30s", "1s").Should(Succeed())444})445It("should check both SNI and Host", func() {447Consistently(func(g Gomega) {448status, err := client.CollectFailure(449kubernetes.Cluster, "demo-client",450"https://otherexample.kuma.io:8081/-specific-listener",451client.Resolve("otherexample.kuma.io:8081", clusterIP),452// Note the header differs from the SNI453client.WithHeader("host", "example.kuma.io"),454client.FromKubernetesPod(clientNamespace, "demo-client"),455client.Insecure(),456)457g.Expect(err).ToNot(HaveOccurred())459g.Expect(status.ResponseCode).To(Equal(404))460}, "30s", "1s").Should(Succeed())461})462})463}464basicRouting("MeshGatewayRoute", meshGatewayRoutes("internal-service", "/", "echo-server_simple-gateway_svc_80"))466basicRouting("MeshHTTPRoute", httpRoute("internal-service", "/", "echo-server_simple-gateway_svc_80"))467Context("Rate Limit", func() {469rt := `apiVersion: kuma.io/v1alpha1470kind: RateLimit471metadata:472name: gateway-rate-limit473mesh: simple-gateway474spec:475sources:476- match:477kuma.io/service: simple-gateway478destinations:479- match:480kuma.io/service: rt-echo-server_simple-gateway_svc_80481conf:482http:483requests: 5484interval: 10s`485routes := meshGatewayRoutes("rt-echo-server", "/rt", "rt-echo-server_simple-gateway_svc_80")486BeforeAll(func() {488err := NewClusterSetup().489Install(testserver.Install(490testserver.WithName("rt-echo-server"),491testserver.WithMesh(meshName),492testserver.WithNamespace(namespace),493testserver.WithEchoArgs("echo", "--instance", "rt-echo-server"),494)).495Install(YamlK8s(rt)).496Install(YamlK8s(routes...)).497Setup(kubernetes.Cluster)498Expect(err).ToNot(HaveOccurred())499})500AfterAll(func() {502err := NewClusterSetup().503Install(DeleteYamlK8s(routes...)).504Setup(kubernetes.Cluster)505Expect(err).ToNot(HaveOccurred())506})507It("should rate limit", func() {509Eventually(func(g Gomega) {510response, err := client.CollectFailure(511kubernetes.Cluster, "demo-client",512"http://simple-gateway.simple-gateway:8080/rt",513client.WithHeader("host", "example.kuma.io"),514client.FromKubernetesPod(clientNamespace, "demo-client"),515client.NoFail(),516client.OutputFormat(`{ "received": { "status": %{response_code} } }`),517)518g.Expect(err).ToNot(HaveOccurred())520g.Expect(response.ResponseCode).To(Equal(429))521}, "30s", "1s").Should(Succeed())522})523})524Context("TCPRoute", func() {526routes := []string{527fmt.Sprintf(`528apiVersion: kuma.io/v1alpha1529kind: MeshTCPRoute530metadata:531name: simple-gateway-tcp-route532namespace: %s533labels:534kuma.io/mesh: simple-gateway535spec:536targetRef:537kind: MeshGateway538name: simple-gateway539to:540- targetRef:541kind: Mesh542rules:543- default:544backendRefs:545- kind: MeshService546name: test-tcp-server_simple-gateway_svc_80547`, Config.KumaNamespace),548}549BeforeAll(func() {550err := NewClusterSetup().551Install(testserver.Install(552testserver.WithName("test-tcp-server"),553testserver.WithServicePortAppProtocol("tcp"),554testserver.WithMesh(meshName),555testserver.WithNamespace(namespace),556)).557Install(YamlK8s(routes...)).558Setup(kubernetes.Cluster)559Expect(err).ToNot(HaveOccurred())560})561AfterAll(func() {562err := NewClusterSetup().563Install(DeleteYamlK8s(routes...)).564Setup(kubernetes.Cluster)565Expect(err).ToNot(HaveOccurred())566})567It("should work on TCP service", func() {569Eventually(func(g Gomega) {570response, err := client.CollectEchoResponse(571kubernetes.Cluster, "demo-client",572"http://simple-gateway.simple-gateway:8083/",573client.FromKubernetesPod(clientNamespace, "demo-client"),574)575g.Expect(err).ToNot(HaveOccurred())576g.Expect(response.Instance).To(HavePrefix("test-tcp-server"))577}, "30s", "1s").Should(Succeed())578})579})580Context("External Service", func() {582externalService := `583apiVersion: kuma.io/v1alpha1584kind: ExternalService585mesh: simple-gateway586metadata:587name: simple-gateway-external-service588spec:589tags:590kuma.io/service: external-service591kuma.io/protocol: http592networking:593address: es-echo-server.client-simple-gateway.svc.cluster.local:80`594BeforeAll(func() {596err := NewClusterSetup().597Install(testserver.Install(598testserver.WithName("es-echo-server"),599testserver.WithNamespace(clientNamespace),600testserver.WithEchoArgs("echo", "--instance", "es-echo-server"),601)).602Install(YamlK8s(externalService)).603Setup(kubernetes.Cluster)604Expect(err).ToNot(HaveOccurred())605})606It("should proxy to service via HTTP", func() {608route := meshGatewayRoutes("es-echo-server", "/external-service", "external-service")609setup := NewClusterSetup().Install(YamlK8s(route...))610Expect(setup.Setup(kubernetes.Cluster)).To(Succeed())611Eventually(func(g Gomega) {613response, err := client.CollectEchoResponse(614kubernetes.Cluster, "demo-client",615"http://simple-gateway.simple-gateway:8080/external-service",616client.WithHeader("host", "example.kuma.io"),617client.FromKubernetesPod(clientNamespace, "demo-client"),618)619g.Expect(err).ToNot(HaveOccurred())621g.Expect(response.Instance).To(Equal("es-echo-server"))622}, "30s", "1s").Should(Succeed())623Expect(NewClusterSetup().Install(DeleteYamlK8s(route...)).Setup(kubernetes.Cluster)).To(Succeed())625})626It("should automatically set host header from external service address when rewrite.hostToBackendHostname is set to true", func() {628route := meshGatewayRoutes("es-echo-server", "/external-service", "external-service")629setup := NewClusterSetup().Install(YamlK8s(route...))630Expect(setup.Setup(kubernetes.Cluster)).To(Succeed())631// don't rewrite host to backend hostname633Eventually(func(g Gomega) {634response, err := client.CollectEchoResponse(635kubernetes.Cluster, "demo-client",636"http://simple-gateway.simple-gateway:8080/external-service",637client.WithHeader("host", "example.kuma.io"),638client.FromKubernetesPod(clientNamespace, "demo-client"),639)640g.Expect(err).ToNot(HaveOccurred())642g.Expect(response.Received.Headers["Host"]).To(HaveLen(1))643g.Expect(response.Received.Headers["Host"]).To(ContainElements("example.kuma.io"))644}, "30s", "1s").Should(Succeed())645// rewrite host to backend hostname647Eventually(func(g Gomega) {648response, err := client.CollectEchoResponse(649kubernetes.Cluster, "demo-client",650"http://simple-gateway.simple-gateway:8080/rewrite-host/external-service",651client.WithHeader("host", "example.kuma.io"),652client.FromKubernetesPod(clientNamespace, "demo-client"),653)654g.Expect(err).ToNot(HaveOccurred())656g.Expect(response.Received.Headers["Host"]).To(HaveLen(1))657g.Expect(response.Received.Headers["Host"]).To(ContainElements("es-echo-server.client-simple-gateway.svc.cluster.local"))658}, "30s", "1s").Should(Succeed())659Expect(NewClusterSetup().Install(DeleteYamlK8s(route...)).Setup(kubernetes.Cluster)).To(Succeed())661})662It("should handle external-service excluded by tags", func() {664route := fmt.Sprintf(`665apiVersion: kuma.io/v1alpha1666kind: MeshGatewayRoute667metadata:668name: %s669mesh: simple-gateway670spec:671selectors:672- match:673kuma.io/service: simple-gateway674conf:675http:676rules:677- matches:678- path:679match: PREFIX680value: %s681backends:682- destination:683kuma.io/service: %s684nonexistent: tag685`, "es-echo-server-broken", "/external-service", "external-service")686setup := NewClusterSetup().Install(YamlK8s(route))688Expect(setup.Setup(kubernetes.Cluster)).To(Succeed())689Eventually(func(g Gomega) {691response, err := client.CollectFailure(692kubernetes.Cluster, "demo-client",693"http://simple-gateway.simple-gateway:8080/external-service",694client.WithHeader("host", "example.kuma.io"),695client.FromKubernetesPod(clientNamespace, "demo-client"),696)697g.Expect(err).ToNot(HaveOccurred())699g.Expect(response.ResponseCode).To(Equal(503))700}, "30s", "1s").Should(Succeed())701Expect(NewClusterSetup().Install(DeleteYamlK8s(route)).Setup(kubernetes.Cluster)).To(Succeed())703})704})705}706