kuma

1
package gateway
2

3
import (
4
	"fmt"
5
	"io"
6
	"net"
7

8
	"github.com/gruntwork-io/terratest/modules/k8s"
9
	. "github.com/onsi/ginkgo/v2"
10
	. "github.com/onsi/gomega"
11

12
	. "github.com/kumahq/kuma/test/framework"
13
	client "github.com/kumahq/kuma/test/framework/client"
14
	"github.com/kumahq/kuma/test/framework/deployments/testserver"
15
	"github.com/kumahq/kuma/test/framework/envs/kubernetes"
16
)
17

18
func GatewayAPI() {
19
	if Config.IPV6 {
20
		fmt.Println("IPv6 tests use kind which doesn't support the LoadBalancer ServiceType")
21
		return
22
	}
23

24
	meshName := "gatewayapi"
25
	namespace := "gatewayapi"
26
	externalServicesNamespace := "gatewayapi-external-services"
27

28
	externalService := fmt.Sprintf(`
29
apiVersion: kuma.io/v1alpha1
30
kind: ExternalService
31
mesh: %s
32
metadata:
33
  name: external-service
34
spec:
35
  tags:
36
    kuma.io/service: external-service
37
    kuma.io/protocol: http
38
  networking:
39
    address: external-service.gatewayapi-external-services.svc.cluster.local:80
40
`, meshName)
41

42
	BeforeAll(func() {
43
		setup := NewClusterSetup().
44
			Install(NamespaceWithSidecarInjection(namespace)).
45
			Install(Namespace(externalServicesNamespace)).
46
			Install(MTLSMeshKubernetes(meshName)).
47
			Install(MeshTrafficPermissionAllowAllKubernetes(meshName)).
48
			Install(testserver.Install(
49
				testserver.WithName("test-server-1"),
50
				testserver.WithMesh(meshName),
51
				testserver.WithNamespace(namespace),
52
				testserver.WithEchoArgs("echo", "--instance", "test-server-1"),
53
			)).
54
			Install(testserver.Install(
55
				testserver.WithName("test-server-2"),
56
				testserver.WithMesh(meshName),
57
				testserver.WithNamespace(namespace),
58
				testserver.WithEchoArgs("echo", "--instance", "test-server-2"),
59
			)).
60
			Install(testserver.Install(
61
				testserver.WithName("external-service"),
62
				testserver.WithNamespace(externalServicesNamespace),
63
				testserver.WithEchoArgs("echo", "--instance", "external-service"),
64
			)).
65
			Install(YamlK8s(externalService))
66
		Expect(setup.Setup(kubernetes.Cluster)).To(Succeed())
67
	})
68

69
	E2EAfterAll(func() {
70
		Expect(kubernetes.Cluster.TriggerDeleteNamespace(namespace)).To(Succeed())
71
		Expect(kubernetes.Cluster.TriggerDeleteNamespace(externalServicesNamespace)).To(Succeed())
72
		Expect(kubernetes.Cluster.DeleteMesh(meshName)).To(Succeed())
73
	})
74

75
	GatewayIP := func(name string) string {
76
		var ip string
77
		Eventually(func(g Gomega) {
78
			out, err := k8s.RunKubectlAndGetOutputE(
79
				kubernetes.Cluster.GetTesting(),
80
				kubernetes.Cluster.GetKubectlOptions(namespace),
81
				"get", "gateway", name, "-ojsonpath={.status.addresses[0].value}",
82
			)
83
			g.Expect(err).ToNot(HaveOccurred())
84
			g.Expect(out).ToNot(BeEmpty())
85
			ip = out
86
		}, "120s", "1s").Should(Succeed(), "could not get a LoadBalancer IP of the Gateway")
87
		return ip
88
	}
89

90
	Describe("GatewayClass parametersRef", Ordered, func() {
91
		gatewayName := "kuma-ha"
92
		haGatewayClass := `
93
apiVersion: gateway.networking.k8s.io/v1beta1
94
kind: GatewayClass
95
metadata:
96
  name: ha-kuma
97
spec:
98
  controllerName: gateways.kuma.io/controller
99
  parametersRef:
100
    kind: MeshGatewayConfig
101
    group: kuma.io
102
    name: ha-config`
103

104
		haConfig := `
105
apiVersion: kuma.io/v1alpha1
106
kind: MeshGatewayConfig
107
metadata:
108
  name: ha-config
109
spec:
110
  replicas: 3`
111

112
		haGateway := fmt.Sprintf(`
113
apiVersion: gateway.networking.k8s.io/v1beta1
114
kind: Gateway
115
metadata:
116
  name: %s
117
  namespace: %s
118
  annotations:
119
    kuma.io/mesh: %s
120
spec:
121
  gatewayClassName: ha-kuma
122
  listeners:
123
  - name: proxy
124
    port: 10080
125
    protocol: HTTP
126
`, gatewayName, namespace, meshName)
127

128
		BeforeAll(func() {
129
			Expect(YamlK8s(haConfig)(kubernetes.Cluster)).To(Succeed())
130
			Expect(YamlK8s(haGatewayClass)(kubernetes.Cluster)).To(Succeed())
131
			Expect(YamlK8s(haGateway)(kubernetes.Cluster)).To(Succeed())
132
			Expect(WaitPodsAvailable(namespace, gatewayName)(kubernetes.Cluster)).To(Succeed())
133
		})
134
		E2EAfterAll(func() {
135
			Expect(k8s.RunKubectlE(kubernetes.Cluster.GetTesting(), kubernetes.Cluster.GetKubectlOptions(namespace), "delete", "gateway", gatewayName)).To(Succeed())
136
			Expect(k8s.RunKubectlE(kubernetes.Cluster.GetTesting(), kubernetes.Cluster.GetKubectlOptions(namespace), "delete", "gatewayclass", "ha-kuma")).To(Succeed())
137
			Expect(k8s.RunKubectlE(kubernetes.Cluster.GetTesting(), kubernetes.Cluster.GetKubectlOptions(namespace), "delete", "meshgatewayconfig", "ha-config")).To(Succeed())
138
		})
139

140
		It("should create the right number of pods", func() {
141
			Expect(kubernetes.Cluster.WaitApp(gatewayName, namespace, 3)).To(Succeed())
142
		})
143

144
		It("should create the right number of pods after updating MeshGatewayConfig", func() {
145
			newHaConfig := `
146
apiVersion: kuma.io/v1alpha1
147
kind: MeshGatewayConfig
148
metadata:
149
  name: ha-config
150
spec:
151
  replicas: 4`
152
			Expect(YamlK8s(newHaConfig)(kubernetes.Cluster)).To(Succeed())
153

154
			Expect(kubernetes.Cluster.WaitApp(gatewayName, namespace, 4)).To(Succeed())
155
		})
156
	})
157

158
	Context("HTTP Gateway", Ordered, func() {
159
		const gatewayName = "kuma-http"
160

161
		gateway := fmt.Sprintf(`
162
apiVersion: gateway.networking.k8s.io/v1beta1
163
kind: Gateway
164
metadata:
165
  name: %s
166
  namespace: %s
167
  annotations:
168
    kuma.io/mesh: %s
169
spec:
170
  gatewayClassName: kuma
171
  listeners:
172
  - name: proxy
173
    port: 10080
174
    protocol: HTTP
175
`, gatewayName, namespace, meshName)
176

177
		var address string
178

179
		BeforeAll(func() {
180
			Expect(YamlK8s(gateway)(kubernetes.Cluster)).To(Succeed())
181
			address = net.JoinHostPort(GatewayIP(gatewayName), "10080")
182
			Expect(WaitPodsAvailable(namespace, gatewayName)(kubernetes.Cluster)).To(Succeed())
183
		})
184
		E2EAfterAll(func() {
185
			Expect(k8s.RunKubectlE(kubernetes.Cluster.GetTesting(), kubernetes.Cluster.GetKubectlOptions(namespace), "delete", "gateway", gatewayName)).To(Succeed())
186
		})
187

188
		It("should send default static payload for no route", func() {
189
			Eventually(func(g Gomega) {
190
				resp, err := client.MakeDirectRequest("http://" + address)
191

192
				g.Expect(err).ToNot(HaveOccurred())
193
				g.Expect(resp.StatusCode).To(Equal(404))
194

195
				defer resp.Body.Close()
196
				body, err := io.ReadAll(resp.Body)
197
				g.Expect(err).ToNot(HaveOccurred())
198
				g.Expect(body).ToNot(BeEmpty())
199
			}, "30s", "1s").Should(Succeed())
200
		})
201

202
		It("should route the traffic to test-server by path", func() {
203
			// given
204
			route := fmt.Sprintf(`
205
apiVersion: gateway.networking.k8s.io/v1beta1
206
kind: HTTPRoute
207
metadata:
208
  name: test-server-paths
209
  namespace: %s
210
  annotations:
211
    kuma.io/mesh: %s
212
spec:
213
  parentRefs:
214
  - name: %s
215
  rules:
216
  - backendRefs:
217
    - name: test-server-1
218
      port: 80
219
    matches:
220
    - path:
221
        type: PathPrefix
222
        value: /1
223
  - backendRefs:
224
    - name: test-server-2
225
      port: 80
226
    matches:
227
    - path:
228
        type: PathPrefix
229
        value: /2
230
`, namespace, meshName, gatewayName)
231

232
			// when
233
			err := YamlK8s(route)(kubernetes.Cluster)
234

235
			// then
236
			Expect(err).ToNot(HaveOccurred())
237

238
			Eventually(func(g Gomega) {
239
				resp, err := client.CollectResponseDirectly("http://" + address + "/1")
240
				g.Expect(err).ToNot(HaveOccurred())
241
				g.Expect(resp.Instance).To(Equal("test-server-1"))
242
			}, "30s", "1s").Should(Succeed())
243

244
			Eventually(func(g Gomega) {
245
				resp, err := client.CollectResponseDirectly("http://" + address + "/2")
246
				g.Expect(err).ToNot(HaveOccurred())
247
				g.Expect(resp.Instance).To(Equal("test-server-2"))
248
			}, "30s", "1s").Should(Succeed())
249

250
			Expect(k8s.KubectlDeleteFromStringE(
251
				kubernetes.Cluster.GetTesting(),
252
				kubernetes.Cluster.GetKubectlOptions(namespace),
253
				route,
254
			)).To(Succeed())
255
		})
256

257
		It("should route the traffic to test-server by header", func() {
258
			// given
259
			routes := fmt.Sprintf(`
260
apiVersion: gateway.networking.k8s.io/v1beta1
261
kind: HTTPRoute
262
metadata:
263
  name: test-server-1
264
  namespace: %s
265
  annotations:
266
    kuma.io/mesh: %s
267
spec:
268
  parentRefs:
269
  - name: %s
270
  hostnames:
271
  - "test-server-1.com"
272
  rules:
273
  - backendRefs:
274
    - name: test-server-1
275
      port: 80
276
---
277
apiVersion: gateway.networking.k8s.io/v1beta1
278
kind: HTTPRoute
279
metadata:
280
  name: test-server-2
281
  namespace: %s
282
  annotations:
283
    kuma.io/mesh: %s
284
spec:
285
  parentRefs:
286
  - name: %s
287
  hostnames:
288
  - "test-server-2.com"
289
  rules:
290
  - backendRefs:
291
    - name: test-server-2
292
      port: 80
293
`, namespace, meshName, gatewayName, namespace, meshName, gatewayName)
294

295
			// when
296
			err := YamlK8s(routes)(kubernetes.Cluster)
297

298
			// then
299
			Expect(err).ToNot(HaveOccurred())
300

301
			Eventually(func(g Gomega) {
302
				resp, err := client.CollectResponseDirectly("http://"+address, client.WithHeader("host", "test-server-1.com"))
303
				g.Expect(err).ToNot(HaveOccurred())
304
				g.Expect(resp.Instance).To(Equal("test-server-1"))
305
			}, "30s", "1s").Should(Succeed())
306

307
			Eventually(func(g Gomega) {
308
				resp, err := client.CollectResponseDirectly("http://"+address, client.WithHeader("host", "test-server-2.com"))
309
				g.Expect(err).ToNot(HaveOccurred())
310
				g.Expect(resp.Instance).To(Equal("test-server-2"))
311
			}, "30s", "1s").Should(Succeed())
312

313
			Expect(k8s.KubectlDeleteFromStringE(
314
				kubernetes.Cluster.GetTesting(),
315
				kubernetes.Cluster.GetKubectlOptions(namespace),
316
				routes,
317
			)).To(Succeed())
318
		})
319

320
		It("should route to external service", func() {
321
			// given
322
			routes := fmt.Sprintf(`
323
apiVersion: gateway.networking.k8s.io/v1beta1
324
kind: HTTPRoute
325
metadata:
326
  name: external-service
327
  namespace: %s
328
  annotations:
329
    kuma.io/mesh: %s
330
spec:
331
  parentRefs:
332
  - name: %s
333
  hostnames:
334
  - "external-service.com"
335
  rules:
336
  - backendRefs:
337
    - group: kuma.io
338
      kind: ExternalService
339
      name: external-service
340
`, namespace, meshName, gatewayName)
341

342
			// when
343
			err := YamlK8s(routes)(kubernetes.Cluster)
344

345
			// then
346
			Expect(err).ToNot(HaveOccurred())
347

348
			Eventually(func(g Gomega) {
349
				resp, err := client.CollectResponseDirectly("http://"+address, client.WithHeader("host", "external-service.com"))
350
				g.Expect(err).ToNot(HaveOccurred())
351
				g.Expect(resp.Instance).To(Equal("external-service"))
352
			}, "30s", "1s").Should(Succeed())
353

354
			Expect(k8s.KubectlDeleteFromStringE(
355
				kubernetes.Cluster.GetTesting(),
356
				kubernetes.Cluster.GetKubectlOptions(namespace),
357
				routes,
358
			)).To(Succeed())
359
		})
360
	})
361

362
	Context("HTTPS Gateway", Ordered, func() {
363
		const gatewayName = "kuma-https"
364
		secret := fmt.Sprintf(`
365
apiVersion: v1
366
kind: Secret
367
metadata:
368
  name: secret-tls
369
  namespace: %s
370
type: kubernetes.io/tls
371
data:
372
  tls.crt: >-
373
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVPekNDQXlPZ0F3SUJBZ0lSQU5RUisvcTNEWk5jLy80ckdXKzR5am93RFFZSktvWklodmNOQVFFTEJRQXcKSFRFYk1Ca0dBMVVFQXhNU2EzVnRZUzFqYjI1MGNtOXNMWEJzWVc1bE1CNFhEVEl5TURFeU5ERXdNekExTmxvWApEVE15TURFeU1qRXdNekExTmxvd0hURWJNQmtHQTFVRUF4TVNhM1Z0WVMxamIyNTBjbTlzTFhCc1lXNWxNSUlCCklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0M0E2bzRvT3A3MnZMV1ZmTVM1WWFHRzAKdFFHY0FRVEFvR3diY2VheUFaN2xQbElNZVFPNXdNYlpFUGw3TUMvZWJxQ3NNWjB0THJoQ0tOUHh2QUt5WG05OAoyK2lRVlk5bkNZemlQZGZmZEY1aVk2SDhQL0FxNDVSbDVIYmpmcFNIZ3JRYlRXUUZCbUNsNkJrV3BPTEYwcThOCkozV0RpVHMvdnlkSWF6Q0tOTjRsTlIxVEFSODdXL0c3MHRxVnd2R1FEN1Y0VXFFUDRia05nQVVmNW5iSmtZTSsKeVROSG9remRaUFhyaHlmMkhqYXlzekRQZWhEMThlMkNaeDJhWEMxMVFRSnFHQmp6QWsvU2FOVUpya1poc0lpYgo5SGZZQ3BQMHprTmNYWms0MnJPMVdMOVRaNDZQUjNNVVNYa1A4Q1lkcUxrV1pGc0kwUFZGNk5ZdHA1cEJUUUlECkFRQUJvNElCZERDQ0FYQXdEZ1lEVlIwUEFRSC9CQVFEQWdLa01CTUdBMVVkSlFRTU1Bb0dDQ3NHQVFVRkJ3TUIKTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkdJRDAvUVRpclJUTEtwVmpZc09SVjhjaEZZMQpNSUlCRndZRFZSMFJCSUlCRGpDQ0FRcUNCMkZ1ZEMxa1pYYUNDV3h2WTJGc2FHOXpkSWNFWkVQbEFZY0Vmd0FBCkFZY0VyQkVBQVljRXJCSUFBWWNFd0tnQk00Y1FBQUFBQUFBQUFBQUFBQUFBQUFBQUFZY1EvUUQ5RWpSV0FBQUEKQUFBQUFBQUFBWWNRL1hvUlhLSGdxeEpJUTgyV1lrUGxBWWNRL29BQUFBQUFBQUFBQUFBQUFBQUFBWWNRL29BQQpBQUFBQUFBZ1B6Yi8vdXhJWFljUS9vQUFBQUFBQUFBQVFnai8vdVVIMlljUS9vQUFBQUFBQUFBQVFwMy8vamdCCnA0Y1Evb0FBQUFBQUFBQlFWQUQvL3U4NUVvY1Evb0FBQUFBQUFBQlVtSUQvL254dHZZY1Evb0FBQUFBQUFBQmcKRlhYLy9yZ1V0SWNRL29BQUFBQUFBQURJLzMvLy9tZkJ1WWNRL29BQUFBQUFBQUQyeTI0dWlNY0huVEFOQmdrcQpoa2lHOXcwQkFRc0ZBQU9DQVFFQUxkTVBnaE1sRGdSQW04UHJwL0FxdERGWTRLN3p4Qmhzc2dTNWNnUWtKdnU3CitJVmszQ2o2aXdObUFhdDZCdFJYUmREODUxdlJxRDBzNk90QXBUZXlyaVcrZlgwcWN1UVc1NXVQbTZFM0JEZGcKNU9qZXRhYU9heXppUmRzeTdOU0N2bWtrWURRUVQvTTF6WDBXdlBXTkR0SDhpd2c1aEpoOHFrK3A0Q2M3blAvSAowSlBpaVQ1TEs1bE1aOGZTRHowUHBGeTF0MUd3N3RzTkhBdHN6NkZGaDJOZ1FtdkxpNFJpa1J4SGViRWlZdzlECjhtSzQ3WSsxVnErWFQ3eHd1aTZ0YzBCQXRRSnZVSUQremMvazg5QU55YmpFSFNvMG01d2RyTmpiRzBBb0xxbVAKbHM5UHY0cDNIbjJRMlRaVW5xd250Nk12cm1zYlVpSFhGYXFsOE9FclpBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
374
  tls.key: >-
375
    LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBdDNBNm80b09wNzJ2TFdWZk1TNVlhR0cwdFFHY0FRVEFvR3diY2VheUFaN2xQbElNCmVRTzV3TWJaRVBsN01DL2VicUNzTVowdExyaENLTlB4dkFLeVhtOTgyK2lRVlk5bkNZemlQZGZmZEY1aVk2SDgKUC9BcTQ1Umw1SGJqZnBTSGdyUWJUV1FGQm1DbDZCa1dwT0xGMHE4TkozV0RpVHMvdnlkSWF6Q0tOTjRsTlIxVApBUjg3Vy9HNzB0cVZ3dkdRRDdWNFVxRVA0YmtOZ0FVZjVuYkprWU0reVROSG9remRaUFhyaHlmMkhqYXlzekRQCmVoRDE4ZTJDWngyYVhDMTFRUUpxR0JqekFrL1NhTlVKcmtaaHNJaWI5SGZZQ3BQMHprTmNYWms0MnJPMVdMOVQKWjQ2UFIzTVVTWGtQOENZZHFMa1daRnNJMFBWRjZOWXRwNXBCVFFJREFRQUJBb0lCQUhyRHJUck5wa2swZFF4WQpqNENHbDd3ang2QnIxMUFITWpNcXBxTnYxU21vZ1p0WHBlbEhTUVZ2RHM2QmFLUXpKUlc4aWdFYVE2YkV3ZUk1CkZjclJzelhvUHhPZGJSc1Z3Y3R1Y2VzWmtmNTdQRFdacnd2TFc2aTdKQVhtV3hIWHJXa1h5RDNlOWszeVdKWWcKVkRzOVdVOUt2KzdzZ245Ukc3UitRY1VhMHlQVmM5MFN1RU0vengxVG9ZR09QL3ZJUjNwVlkwVW9jNHFWMWt6ZwpKUUJvVWxBcGZJU0w2TWpEWE5Eekk1QjRkNWpyMWVWTmJZNEdxbnlSNDlOMXRnRjRjdFFYSzNvYUJTY1BSaHl2Ci8rRXJOVDZiNDFUeUsyVFRYQkNMdDM0Ynl0REtxc3kxVXIvdE1lOWE5NnVxU1ZIUkFjbzU3YjZ3MGhZV0pvUlAKVjRFVDlnRUNnWUVBd01MSDR4ZUN1QjBraE9ERTJsbU9ZekJDQ1Rpd3p0bkltVlRXN0hnS1B2V0FTR1pVRS91dgpHQWZackVId0o0NERvT2pnTkgyN09qL2ZxZTNIeDZ0VXNBTlJ3THF2dkhCcldLdWZRS090THFHTzN6MUlCWGtWCmFtV1QyazJJMTVmakVVbnVCcGZkc1ROUEdFNHFWeU53V2szdUpNNytsQlFQYkRqYWsvaFNLQzBDZ1lFQTg1NTkKditsSXV0UHpIUmYwaGcxSUtzZWJ5cWRJYm41RytQOVNEUXV1aHc3UFhKQnhXS2JsUmd6MTFwdW1BUi96U3RnQQpDcUpncUJhbmQzV1JRWVliZnBiN0VpK0FoSkRpMVp3ZGRGVGsybUE5YUtsVlVOdXl5VHg5cjNCTjlzV1lxRGVnCm4rdGJmL3lyNnBLaHBRd25VMFVtMW5OYVdhbG0xczBuM2dyVUVhRUNnWUFocW1NcXdGSnVRWGk5VkZ4TkhsTUYKODhtMHZwZnlxSXFtYlBEVWYrcWFNRnBsU3Fub2k0NTdEZlB3Wjl1L3JNZnBkSUtqNkVtbzFMc0ZmS2Zsc1lDcQo5UWwwTmFhM3JKS3krOVptZmEramMwZjJxVWRJM1dybUdET0lidjQxV1N1cE8xWTlCSTBOZzc2T3FpZ3U2OXVWCmlnTExudk5MZlcxc0kwblppZ2NmU1FLQmdCQmY1Y25oYno4SGdmN0JubkRvTWFLV2VoVTcrelZhRFlFdEFDSGEKV0NmQnloUkpyU1N0U3huVFF5N2lsVnpiL2VsWTdWL0puRCtRRGorTVNuQWlDSFVReHQxcERmVmJHN1FKNHp6dgplOVpsdzVybVR0SzVnYUhmQy8rZng4Mi9hRXhlT05DbTdDYUZJRFVMR0F4VTdjdStDU2MrNTZMQkxTVmc4cjRNCjhrWWhBb0dCQUtMaDVnblYxaEhYcWNZckZpWjVpWVY5L3BJUXFMdkI4VXNHVUljRm1Vb3hnZ0JKcXpRUUExaDAKQXE5cW4rTStBUlNNRUk0WFVmUjhqQnVTNk1sWmh6czRyeXRUckt0dWdmSFpLNEdGQjFuYzNPSlR5QmpTWUFmZAp5a2t4UUtrcWd4aERDZUFveG1qVkRUUDhLRGgzZ2hySUFBWWozSDFzS0Q0K1dmRXZyRHByCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
376
`, namespace)
377

378
		gateway := fmt.Sprintf(`
379
apiVersion: gateway.networking.k8s.io/v1beta1
380
kind: Gateway
381
metadata:
382
  name: %s
383
  namespace: %s
384
  annotations:
385
    kuma.io/mesh: %s
386
spec:
387
  gatewayClassName: kuma
388
  listeners:
389
  - name: proxy
390
    port: 8090
391
    hostname: 'test-server-1.com'
392
    protocol: HTTPS
393
    tls:
394
      certificateRefs:
395
      - name: secret-tls
396
  - name: proxy-wildcard
397
    port: 8091
398
    protocol: HTTPS
399
    tls:
400
      certificateRefs:
401
      - name: secret-tls
402
`, gatewayName, namespace, meshName)
403

404
		var ip string
405

406
		BeforeAll(func() {
407
			Expect(YamlK8s(secret)(kubernetes.Cluster)).To(Succeed())
408
			Expect(YamlK8s(gateway)(kubernetes.Cluster)).To(Succeed())
409
			ip = GatewayIP(gatewayName)
410
			Expect(WaitPodsAvailable(namespace, gatewayName)(kubernetes.Cluster)).To(Succeed())
411
		})
412
		E2EAfterAll(func() {
413
			Expect(k8s.RunKubectlE(kubernetes.Cluster.GetTesting(), kubernetes.Cluster.GetKubectlOptions(namespace), "delete", "gateway", gatewayName)).To(Succeed())
414
		})
415

416
		It("should route the traffic using TLS", func() {
417
			// given
418
			route := fmt.Sprintf(`
419
apiVersion: gateway.networking.k8s.io/v1beta1
420
kind: HTTPRoute
421
metadata:
422
  name: test-server-paths
423
  namespace: %s
424
  annotations:
425
    kuma.io/mesh: %s
426
spec:
427
  parentRefs:
428
  - name: %s
429
  rules:
430
  - backendRefs:
431
    - name: test-server-1
432
      port: 80
433
    matches:
434
    - path:
435
        type: PathPrefix
436
        value: /
437
`, namespace, meshName, gatewayName)
438

439
			// when
440
			err := YamlK8s(route)(kubernetes.Cluster)
441

442
			// then
443
			Expect(err).ToNot(HaveOccurred())
444

445
			Eventually(func(g Gomega) {
446
				resp, err := client.CollectResponseDirectly("https://"+net.JoinHostPort(ip, "8090"), client.WithHeader("host", "test-server-1.com"))
447
				g.Expect(err).ToNot(HaveOccurred())
448
				g.Expect(resp.Instance).To(Equal("test-server-1"))
449
			}, "30s", "1s").Should(Succeed())
450

451
			Eventually(func(g Gomega) {
452
				resp, err := client.CollectResponseDirectly("https://" + net.JoinHostPort(ip, "8091"))
453
				g.Expect(err).ToNot(HaveOccurred())
454
				g.Expect(resp.Instance).To(Equal("test-server-1"))
455
			}, "30s", "1s").Should(Succeed())
456

457
			Expect(k8s.KubectlDeleteFromStringE(
458
				kubernetes.Cluster.GetTesting(),
459
				kubernetes.Cluster.GetKubectlOptions(namespace),
460
				route,
461
			)).To(Succeed())
462
		})
463

464
		It("should manage Kuma Secret", func() {
465
			// given converted Kuma secret
466
			convertedSecretName := fmt.Sprintf("gapi-%s-secret-tls", namespace)
467
			var kumaSecret string
468
			Eventually(func(g Gomega) {
469
				out, err := kubernetes.Cluster.GetKumactlOptions().RunKumactlAndGetOutput("get", "secret", "-m", meshName, convertedSecretName, "-o", "json")
470
				g.Expect(err).ToNot(HaveOccurred())
471
				kumaSecret = out
472
			}, "30s", "1s").Should(Succeed())
473

474
			// when original secret is changed
475
			secret = fmt.Sprintf(`
476
apiVersion: v1
477
kind: Secret
478
metadata:
479
  name: secret-tls
480
  namespace: %s
481
type: kubernetes.io/tls
482
data:
483
  tls.crt: >-
484
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURLRENDQWhDZ0F3SUJBZ0lRZUxvNDFxKzJMcWpNWjNubnZSMWd2akFOQmdrcWhraUc5dzBCQVFzRkFEQVhNUlV3RXdZRFZRUURFd3gwWlhOMExtdDFiV0V1YVc4d0hoY05Nakl3TXpJME1UTTFNRE0xV2hjTk16SXdNekl4TVRNMU1ETTFXakFYTVJVd0V3WURWUVFERXd4MFpYTjBMbXQxYldFdWFXOHdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDbW41aVNPV0h6Y1YrWEtxQ1Z4QTRoaUhBd2UrbnZNWkxxbmcwWkZxY1FiNkVZTWw3bXMzQU5VaXlRUVNURVZyWkdYTXJDZWY0N0VYdWZ1NlVFeGsyNkcrK2FTcjFpKzZlZE5ELzAyZklQL1JwYmZDMXlqdnhjRGJ6eWE4SUlING5DUE5LNElPVmpBZmtVRVpmSk1aVGRORUZ5MUN0S3Nod2hRY3BPd3d6em5uNmhRM284U3d3SFhlSGxlNGFCdnMvTnlpT1FTbFNXTzVxcUszdHRHSWxaRmMvbGJJWVU0N2Rqd2tMVFBNVFpXTW9BdjZvSEhVdzdvSkRDR2lGaGpzQjA3UFRMaS9udTUrekhKaG1jWUJTSC9CUkprMHpXMTlLS09odVhlQ2lLRCtJV0U5ZEN1bjZWSmpUb3B6WllNZzdBYnYwMmdkRStjYkVCejRZcTZyR0hBZ01CQUFHamNEQnVNQTRHQTFVZER3RUIvd1FFQXdJQ3BEQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0RBVEFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQjBHQTFVZERnUVdCQlIzb1loRDMxK0c1TUFEdVlUR2tXbzlXczJJNERBWEJnTlZIUkVFRURBT2dneDBaWE4wTG10MWJXRXVhVzh3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUNhTUZZTWR5REt0WlhLN1hJRVJ2cmpxVlQ4VXlqTVp5RHFwVzNUeW9rSVliMGNmOHNuaEVHQUZlelhiNmZUTnd4TThEaUtFWEZnK0RMSnNJWEwzcTYyK3BWNjdOTjI1R0c1eklGSit4bG9YU1NWbXRMWEhvUVpJSGNLaUJnenVWaFo3d3NMdmo1UjYyTll4d2RpS2piZ0VSblRlaldpQzRlRUJsM0hHSk51NTV6RjI1cFRZdXZocGhwSnZmYUhzdWh2bndIWE1WbXhDWGErZFF3czV3T3dqalNIYkFMOER3Rk9pd0JBTXMrNEI2QXZQNzBYN0NkdURXV0tmUzdmVE1VN3lvNGtOT1JGRDc5TXBzWEN2QVlQenJwYjY4cDdJdjlXQTlSU0dLSXhrdjFuaFNnbjhtVWZvaHBQVVU1L2RuMzdxQnFZTUtTbG9uVlZWYUNUOWU0Yz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
485
  tls.key: >-
486
    LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBcHArWWtqbGg4M0ZmbHlxZ2xjUU9JWWh3TUh2cDd6R1M2cDROR1JhbkVHK2hHREplCjVyTndEVklza0VFa3hGYTJSbHpLd25uK094RjduN3VsQk1aTnVodnZta3E5WXZ1bm5UUS85Tm55RC8wYVczd3QKY283OFhBMjg4bXZDQ0IrSndqelN1Q0RsWXdINUZCR1h5VEdVM1RSQmN0UXJTckljSVVIS1RzTU04NTUrb1VONgpQRXNNQjEzaDVYdUdnYjdQemNvamtFcFVsanVhcWl0N2JSaUpXUlhQNVd5R0ZPTzNZOEpDMHp6RTJWaktBTCtxCkJ4MU1PNkNRd2hvaFlZN0FkT3oweTR2NTd1ZnN4eVlabkdBVWgvd1VTWk5NMXRmU2lqb2JsM2dvaWcvaUZoUFgKUXJwK2xTWTA2S2MyV0RJT3dHNzlOb0hSUG5HeEFjK0dLdXF4aHdJREFRQUJBb0lCQUdNbHNtN0lNRzNndDRYRworcmxEYVRrdzY3a2Q4dXkrN2ZJbnpCbHlya1NNZUNwaXhxKzJkR1dvMFJXaGZkUksyTGx6dTc4UFFtVTVtUHRLCmQvNG9WZFg1aTVDZkNxU2NwSGRad1BqY3V6b2lYSTIxallHT2JjSUU5cnExdmthQkpjTHIyR055UjZ5clh1QS8KTzdlZmhqbytQdmVxSW55WEVVQUUydklWQkY3dHFoYVpIalA3S1dZa0U1cjRlSGMrM0NSbVB5VWFSTDhsdXpRNwowc1hLZEJUMmZ5WnRTc0NadXM3aEt3dHN3K3V6dFY5QjN0VjA0V3BONDhKMkMzQjFoanNjU2xWeS9UNHo5Z1ZBCkJWU21aMENnVUY2VmU2QW1zNmJDaVcxR3ZWOUVuTnBSUkpXb1BQNDRleldyU1ZYUkxFcThkVmtySWlISUkrQW0KeUVwT2JkRUNnWUVBemFuRDRFOTZZb3E1bys0UDlYbERTdTZld3JEZDloc3pmYWZTcXovcGx6SW1zQi8veEFLNQo4VE40T2trR0dPRC82cDBLR3EzdU9XN2Z5c1ArZDZBbWZLNXhZcENvUnA4ZXNYNUNSSmxKS1pBY09YWHFGaHFwCklYUEdQcDRFQ0tYRGJCTitnQTZSZm9zVzdaYTI3b0hHdDNqYitwSXFaeDRCMENDSC84VDR3ejhDZ1lFQXoyZTQKRS9EV09FUGVJeElyb3pTeFo4VG00dU9hTFlucEY5NkxHc2Q3cGNveTJiVW5vMTUxMy84bGplaTlGRytxKzNRUwp2TVgzeGlaMmc1OURqby9FRmdDeHVFRURHZGw5a1FLemJ4bEVPamRNUnAvNDVNV1VySm5lUklhWklBRGExVmt0CkludmZndnl3NXlra2t3SWFlalhnc2dFNGp4WUVaNm1nZkZQWko3a0NnWUVBakMrcjFMcFlNZE5kdHVBUEFNUW4KbW13TXk2akRvMzNuR3ovSjJmRTJ5RmpuQmliSnNGSXJiTDRvdFpJUkZlUklqU04rUDdGUE1OYml0TlBrSUthSgpsWE5TMWx6RVYxOGZETjJEVGo4dUg2YWJsbzlKZ01lcmdhSG8vOFcxK2k4RGhpZkRrb1picG1Zb3VzcUE1eEtPCjRZRUFjVXd3bXhsWkl3VUpyczRVd3dFQ2dZQXBaY0ZuTVlZQW13Tkdxc1ROQWFKN1hPRGMzcU1TZmRscHEwREcKcXBSeWhnWmFULzlHYTM5Sm8yckNoWGJnRWwzbGJNaWtwenNLY1BqczBxZ3dWMS9ES0laUWlhRnQwbXh1dWtSSQpZNW1ycVFmdmZOUzREUHZjNjZWaXRoN3dOVnQ0aENFdkpkeDZENmZicSttaDhpU0l5aUk4UldRZG96NWoxb2F5CjZpV0krUUtCZ1FDdmVUdDNDWFpuT2FOVXpHNzYxc293WFh4ZGpCMFlvUExjTXJGMFZyaGtNZlZrYnR5NTM1bDgKV2lzOVdkNVhVSW1LV21jWExzUlZGczRqVi9ZWCtLcHN6TmdSdWVmVEoycDhWL1JCMEZ3aDduV3ZlQzNuOHZOZwpONkFWd0VBczdERVhxZFZYek5xNmwzZHlOeFgxTDNNVlBlVmJQVEVmWlVOdktqNmVkMjJ0ZkE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
487
`, namespace)
488
			err := YamlK8s(secret)(kubernetes.Cluster)
489

490
			// then copied secret is also changed
491
			Expect(err).ToNot(HaveOccurred())
492
			Eventually(func(g Gomega) {
493
				out, err := kubernetes.Cluster.GetKumactlOptions().RunKumactlAndGetOutput("get", "secret", "-m", meshName, convertedSecretName, "-o", "json")
494
				g.Expect(err).ToNot(HaveOccurred())
495
				g.Expect(out).ToNot(MatchJSON(kumaSecret))
496
			}, "30s", "1s").Should(Succeed())
497

498
			// when original secret is removed
499
			err = k8s.RunKubectlE(kubernetes.Cluster.GetTesting(), kubernetes.Cluster.GetKubectlOptions(namespace), "delete", "secret", "secret-tls")
500

501
			// then copied secret is removed
502
			Expect(err).ToNot(HaveOccurred())
503
			Eventually(func(g Gomega) {
504
				_, err := kubernetes.Cluster.GetKumactlOptions().RunKumactlAndGetOutput("get", "secret", "-m", meshName, convertedSecretName)
505
				g.Expect(err).To(HaveOccurred())
506
			}, "30s", "1s").Should(Succeed())
507
		})
508
	})
509
}
510