package k8s_api_bypass

import (
	"fmt"

	. "github.com/onsi/ginkgo/v2"
	. "github.com/onsi/gomega"

	. "github.com/kumahq/kuma/test/framework"
	"github.com/kumahq/kuma/test/framework/client"
	"github.com/kumahq/kuma/test/framework/deployments/democlient"
	"github.com/kumahq/kuma/test/framework/envs/kubernetes"
)

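// K8sApiBypass registers an E2E spec checking that a sidecar-injected
// demo-client pod can reach the Kubernetes API server in a mesh with builtin
// mTLS enabled, first with outbound passthrough turned on and then after the
// Mesh has been re-applied with passthrough turned off.
//
// NOTE(review): as asserted below, `passthrough: false` does not cut a meshed
// workload off from the API server. Access is then presumably gated only by
// the pod's service account token and the RBAC bound to it, so clusters that
// do not want workloads talking to the API server need a separate control
// (RBAC scoping, disabling token automount, NetworkPolicy) — confirm against
// the mesh documentation.
func K8sApiBypass() {
	const (
		meshName  = "k8s-api-bypass"
		namespace = "k8s-api-bypass"

		// Mount point of the projected service account credentials inside
		// the demo-client container.
		serviceAccountDir = "/var/run/secrets/kubernetes.io/serviceaccount"
		caCert            = serviceAccountDir + "/ca.crt"
		tokenPath         = serviceAccountDir + "/token"

		apiServerURL = "https://kubernetes.default.svc/api"
	)

	// Mesh manifest with builtin mTLS; the single %s verb is the value of
	// networking.outbound.passthrough ("true" or "false").
	const meshDefaultMtlsOn = `
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: k8s-api-bypass
spec:
  mtls:
    enabledBackend: ca-1
    backends:
      - name: ca-1
        type: builtin
  networking:
    outbound:
      passthrough: %s
`
	var clientPodName string

	BeforeAll(func() {
		// Start with passthrough enabled; the spec flips it to false later.
		err := NewClusterSetup().
			Install(YamlK8s(fmt.Sprintf(meshDefaultMtlsOn, "true"))).
			Install(MeshTrafficPermissionAllowAllKubernetes(meshName)).
			Install(NamespaceWithSidecarInjection(namespace)).
			Install(democlient.Install(democlient.WithNamespace(namespace), democlient.WithMesh(meshName))).
			Setup(kubernetes.Cluster)
		Expect(err).ToNot(HaveOccurred())

		clientPodName, err = PodNameOfApp(kubernetes.Cluster, "demo-client", namespace)
		Expect(err).ToNot(HaveOccurred())
	})

	E2EAfterAll(func() {
		Expect(kubernetes.Cluster.TriggerDeleteNamespace(namespace)).To(Succeed())
		Expect(kubernetes.Cluster.DeleteMesh(meshName)).To(Succeed())
	})

	It("should be able to communicate with API Server", func() {
		// Read the service account token from inside the demo-client
		// container. The token is a live credential: this spec only forwards
		// it in the Authorization header and never uses it in an assertion
		// message. Whether the framework helpers log command arguments is not
		// visible from here.
		var token string
		Eventually(func(g Gomega) {
			stdout, _, err := kubernetes.Cluster.Exec(
				namespace, clientPodName, "demo-client",
				"cat", tokenPath,
			)
			g.Expect(err).ToNot(HaveOccurred())
			// Fail at the read step instead of sending an empty bearer token
			// and surfacing the problem later as an opaque request failure.
			g.Expect(stdout).ToNot(BeEmpty())
			token = stdout
		}).Should(Succeed())

		// queryAPIServer calls the API server from the demo-client pod with
		// the cluster CA and the bearer token, and expects the discovery
		// document (k8s resource 'meta/v1, Kind=APIVersions'). It is passed
		// to Eventually at each call site so failures point at that site.
		queryAPIServer := func(g Gomega) {
			stdout, _, err := client.CollectResponse(
				kubernetes.Cluster, "demo-client", apiServerURL,
				client.FromKubernetesPod(namespace, "demo-client"),
				client.WithCACert(caCert),
				client.WithHeader("Authorization", fmt.Sprintf("Bearer %s", token)),
			)
			g.Expect(err).ToNot(HaveOccurred())
			g.Expect(stdout).To(ContainSubstring(`"kind": "APIVersions"`))
		}

		// given Mesh with passthrough enabled then communication with API Server works
		Eventually(queryAPIServer).Should(Succeed())

		// when passthrough is disabled on the Mesh
		err := kubernetes.Cluster.Install(YamlK8s(fmt.Sprintf(meshDefaultMtlsOn, "false")))
		Expect(err).ToNot(HaveOccurred())

		// then communication with API Server still works
		Eventually(queryAPIServer).Should(Succeed())
	})
}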