From 9372db76b2d0f59a9c62713df2e4431575e060f2 Mon Sep 17 00:00:00 2001 From: Kuat Yessenov Date: Wed, 2 Nov 2022 18:31:53 +0000 Subject: [PATCH 1/2] wip Signed-off-by: Kuat Yessenov --- test/envoye2e/basic_flow/basic_test.go | 1 + testdata/certs/client-key.cert | 55 ++++++++++--------- testdata/certs/client.cert | 39 +++++++------ testdata/certs/client_ext.cnf | 7 +++ testdata/certs/generate.sh | 12 +++- testdata/certs/root.cert | 37 ++++++------- testdata/certs/root.key | 55 ++++++++++--------- testdata/certs/server-key.cert | 55 ++++++++++--------- testdata/certs/server.cert | 38 +++++++------ testdata/certs/server.csr | 16 ++++++ testdata/certs/server_ext.cnf | 7 +++ testdata/cluster/original_dst.yaml.tmpl | 29 ++++++++++ testdata/listener/terminate_connect.yaml.tmpl | 35 ++++++++++++ 13 files changed, 248 insertions(+), 138 deletions(-) create mode 100644 testdata/certs/client_ext.cnf create mode 100644 testdata/certs/server.csr create mode 100644 testdata/certs/server_ext.cnf diff --git a/test/envoye2e/basic_flow/basic_test.go b/test/envoye2e/basic_flow/basic_test.go index 54a2ce4f382..b4955136d36 100644 --- a/test/envoye2e/basic_flow/basic_test.go +++ b/test/envoye2e/basic_flow/basic_test.go @@ -132,6 +132,7 @@ func TestBasicCONNECT(t *testing.T) { params.Vars["ServerClusterName"] = "internal_outbound" params.Vars["ServerInternalAddress"] = "internal_inbound" params.Vars["ServerNetworkFilters"] = driver.LoadTestData("testdata/filters/restore_tls.yaml.tmpl") + params.Vars["quic"] = "true" updateClient := &driver.Update{Node: "client", Version: "{{ .N }}", Clusters: []string{ diff --git a/testdata/certs/client-key.cert b/testdata/certs/client-key.cert index 64d5f640981..fbe64cde161 100644 --- a/testdata/certs/client-key.cert +++ b/testdata/certs/client-key.cert 
@@ -1,27 +1,28 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEA07MQ4NQQrnDxl3gwHh5NNUyJzrYmK57GogtoJype0jrEjldw -XZCYnvJEf9DJs1wtZ5p7Zij5wgM0vJsRB1BMM/uH8M8OikmlCyoajmA7wk5VVSRy -56h6ni14T93YOHEGlmnJOF7mkav1940ppuiNeT4V6+f8SDX+M5z1NplnkoOQAPqh -9s9191dpQC4lGinstioMFdnbXXvdtBFcgzDIsKxEL9/EHM/fCSQrcz0+SeJY0RSM -1GrqnnyWGfTQ/77R6pvhtMbW5ULUR4jKuQ5qvYGyLdn9Xh+k/8u+UXlF50Ndj3VC -kxHGnzFEZFy8QtRCd1jiYsh6HZWgOAeAzUkqQQIDAQABAoIBAGhJtU3cil80+n7w -0Vt09/oCu3yelM02SYn4bpWktNOB6eRpRMyC9/yNQptoooR+K0v3eUTJeMhPxgIH -rerZbsDI7538kqAjSW/njO+IjsfYyQbJjuV6RPV5VuSZV/PuEh20/VCMx68JdIFA -BD3aIB+TKz9sqAZ2usR4VQBRsAknat5RhdcE7CGcbEiNGbSn1ASqTif+oiRZBnTZ -hXik9gbjMi57nG2Mq8Ww0XZGAsFY+NxCldTVI//GwHT38uatjUvF8c/pfpKfDpam -iD7U0EJsPUh/nzITCX+py7BDYcYDByhLWbgviH7/CoMT3wnggZQfpljepEG9PqMF -59FYAoUCgYEA9sv853zOR50msCs/66ohh5zbC/1DH1J9yWsk0VsmH096zfgUGCqP -0aTT7b25XnZYkvGiWslp8IEHc6ADEkwGsp88i0EvVO2pK/3xdAaCReVqF6jZs9Dn -0CuJHmJfgZaJsGT8ofQfUOSWhddLXGcLHMinjaPZOakn8XAizbtcoRsCgYEA25gG -pdD1xwU07y8iVY6gxsDQbNRJbAkgtVju/8fIkqe/PxhvwUhxF8zdlL29+P/PYBjw -P4L9zHVXQUKqV4clBECuhA31Yz9zhfivzz6y4NLzM7+6EzjQ4TOLlo2Vp7oPjN3y -29NHbPqG4JEwJ8aqXJqtWMUUdp4LuF+N5dkIM9MCgYAPXUOxZaOx8aam8QpZsY3E -048PgATdvlT2ZSU1o2cMK/aJPBiEKKIrewd2lYkkyFlbTI++9ysRPfcoy51lVjZU -iHVMdhJsRx9xDa4qev1BPLcOIgTrnOXRn+Q5cAZiGu0XfjH8IyaP8qssSer3JbMb -Z6KGvtyXKmDCNyjzheaOYQKBgAsBysuC9t7b9vRKQ4lQVeTAg3IBDhEZQAd3BrvR -cs9PEzoBapCgpfKQdUbgX+ZcRDPH7DrywO//rbj6s3khsAxPha/e1z77TjoX5hAY -T3UPfdtJL/WIsoenQsbwH+FBZUglU+gK5hijUiFthaFoxt9PbYL2lfkAIQxD1eQA -hfW7AoGAGflnz6ea3u1j0hAFykKZ3D/82/qCjaB2H2jmdpl2xHodhUodrmYWkDBu -vB28ez8aTx8QlIk0GIVVYolM7zlyCBs6FXrH34fL9P44najLqfQUbKdUUOqb6lfT -BC1Kcvm8frJLtUUqFTkgtgrRlqihIja1uvF65VoHF1AfjUslhdc= ------END RSA PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCOZbIDvbyKV3pX +JO9ckVHHGkfDcZekdY5QkO8mhyxzgm0db/czaKef8tq8SfoRBiUpDUTeM8EBwBpk +HB4NW7pep1VCYyT0QANwpgkKObW3/c2IB/a+gTF5OS5QpRFRvmHPKdbTEUDqnbfo 
++jdTh1RXS13ULml32jLLbJJ8g1hu5Lxp2az50WizwzeNjV8sBcQ6lSfWqJrxkjis +u9UEO9sAv1kYheHtmmEPFZIdbJQqAqwhQvD11Oxz8LZoPGEX0fqGI+G5LMI7dCGC +pIZOd3GXDkevAAorO2kdMokISo0zXbXsM4nS5R6ycpnlfKuCtUwfTYPh7k6MD0kS +9I5ZGScJAgMBAAECggEAF8RUhnhUMDjyk/n3s5kTr6oswSvD9jCizMKsD9+u5San +RKsL9PoqRDGaHaQxR0chy6zJylaUB9FC9mOVBoDBZgwC2H5IzDWk/VfRGXJRaMDF +XceKgPh6Q/PtzYsHjX+7voKKtxbhoWcqq4mb02a6holvQztt4hG6uaZI+txHVda6 +94+hgxL06DwNPh9VCiStXC4WeB1BaWRlqj0d5LY8v3ipDDeokOBqxPuR7Haf9kGK +0MwYe5blPdZgBwM0UHg9NAOJNHoEZ5P7zVDMaUk0BTJ2EVzoHmlexzeEcHmg8qRh +EqMjW0jlwcl17jQ1QMXN+zt91AkytklUvbpBKHQtkwKBgQC72ghoeecaBNoyenKR +29unbQ/W8J+OZUYdW701G54xxykAHckeGnYIhZ76fzzfuEVTwII2Is8POlMVeNjl +EbfW/KPaL2t+cxh5yLErcFRsLiB+67RBCwktOUnKRqIm/hVs33xJE753o6aJGm0E +MsYnYeDIFW74Ct+utVJyln4T9wKBgQDCDkPBk0VQBkPZgTp8lUUqvjRQECIUGptx +iC9z/vCXsNekomVPlBHahdPnjVKr6p52aJJcWfiEMUIHvOnTNbQnWJHApfx0h7JS +SNy36BqirynU49nbg3Z2bql7S7zAHkrazocQqnTOzfDT2LDDyHwP6+2jmVAshNv7 +O1Xcvb3c/wKBgD4xp8r/YTZKGPvRcpE8G3NJNo9RR2JbwWUC9JfatvuAFuEE+4tN +83pK0yHYco0Xc0yRVgsaZzeBdfSL+DOPNDCnoJAiVxKchKP9gDsDi8/tTbD31Mwc +HUOtzfJ8hD8orGtJatq/ALaXphGKgEF9lgF/9G4KOp1A7GHpgoyRqthtAoGAOkLG +HOv2N1xqKncd9CFsrrSESDVPxfFnEeLtPEoiOaiiVY9cE1RFN/JN+Ir5cxvxj2M9 +7fQlJKsVQ/V3zi2ldNqmh8xNyz6iTwoJGj3ZIVatnHj8A2eovU3kHFxUwulVV/QB +oQNMJnq1/yRjjaQ3eyA+LIvvAi6xTPA3ixp8UkkCgYBI7/rSqdHt1aY4Ubp/Qb1P +8F2oqkI0yT0E31+y/H/PP1b0Hf/CedQhyBYfrt2NkLo4ejSX738fH0onCKUgbSiT +dEtO6maVpV/P5qC2D4sYvLI4iaT0FjEz6sbSUWp2qmPlcsQwwq2mF0bUkAd4uCQk +RVD3SeqV4EwOsq/r2ny5VQ== +-----END PRIVATE KEY----- diff --git a/testdata/certs/client.cert b/testdata/certs/client.cert index f4ba596de3c..beaf8c8dcdc 100644 --- a/testdata/certs/client.cert +++ b/testdata/certs/client.cert 
@@ -1,20 +1,23 @@ -----BEGIN CERTIFICATE----- -MIIDXDCCAkSgAwIBAgIQUwQ9hAAm16Yf+PkWD1VM/jANBgkqhkiG9w0BAQsFADBD -MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQBgNVBAcMCVN1bm55dmFsZTET -MBEGA1UECgwKZ29vZ2xlLmNvbTAeFw0xOTA4MTIxODU2MDhaFw0yNDA4MTAxODU2 -MDhaMBMxETAPBgNVBAoTCEp1anUgb3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A -MIIBCgKCAQEA07MQ4NQQrnDxl3gwHh5NNUyJzrYmK57GogtoJype0jrEjldwXZCY -nvJEf9DJs1wtZ5p7Zij5wgM0vJsRB1BMM/uH8M8OikmlCyoajmA7wk5VVSRy56h6 -ni14T93YOHEGlmnJOF7mkav1940ppuiNeT4V6+f8SDX+M5z1NplnkoOQAPqh9s91 -91dpQC4lGinstioMFdnbXXvdtBFcgzDIsKxEL9/EHM/fCSQrcz0+SeJY0RSM1Grq -nnyWGfTQ/77R6pvhtMbW5ULUR4jKuQ5qvYGyLdn9Xh+k/8u+UXlF50Ndj3VCkxHG -nzFEZFy8QtRCd1jiYsh6HZWgOAeAzUkqQQIDAQABo3wwejAOBgNVHQ8BAf8EBAMC -BaAwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBT1a7HehaEjoID50KbCqhryIRwh -ETA5BgNVHREBAf8ELzAthitzcGlmZmU6Ly9jbHVzdGVyLmxvY2FsL25zL2RlZmF1 -bHQvc2EvY2xpZW50MA0GCSqGSIb3DQEBCwUAA4IBAQBW/xkRoVxuo+g9P6/mWuVI -BSY7tsrdff8qkKzEmRLLSgMUFpDw5529wUSAsOwPjHK9xXeCT5lLxQMcbaGShf70 -4r/lceFJXUpQ0NHU6uJx3DdTUXXhDc4Zhq6rX1GaxqYvKWVMAKCPmDEXVHd5Yh4u -ZZIeq1uOTc7t3B6wXhQ68zY2GURjEMksafoCT65J/2CD5fBgBFOEeYxCl4iN5Vcv -MM+xfi1ZiGTAakiCSSOUydaP5MBdbl04ZMKDDEZTRLJwEDmg0T1x6/T7zumtjrnX -5T4c/LV5cEMMb4vjty5MSNY/8t5dT6Bq8T4tAEN83W2OyABfSowyecXAItcMcZ66 +MIIDxzCCAq+gAwIBAgIUNcRvk34WYmZ33/X2OmPe5G2mRAswDQYJKoZIhvcNAQEL +BQAwPTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMSEwHwYDVQQKDBhJbnRlcm5l +dCBXaWRnaXRzIFB0eSBMdGQwHhcNMjIxMTAyMTgyMDUyWhcNMjcwNTEwMTgyMDUy +WjA9MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExITAfBgNVBAoMGEludGVybmV0 +IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AI5lsgO9vIpXelck71yRUccaR8Nxl6R1jlCQ7yaHLHOCbR1v9zNop5/y2rxJ+hEG +JSkNRN4zwQHAGmQcHg1bul6nVUJjJPRAA3CmCQo5tbf9zYgH9r6BMXk5LlClEVG+ +Yc8p1tMRQOqdt+j6N1OHVFdLXdQuaXfaMstsknyDWG7kvGnZrPnRaLPDN42NXywF +xDqVJ9aomvGSOKy71QQ72wC/WRiF4e2aYQ8Vkh1slCoCrCFC8PXU7HPwtmg8YRfR ++oYj4bkswjt0IYKkhk53cZcOR68ACis7aR0yiQhKjTNdtewzidLlHrJymeV8q4K1 +TB9Ng+HuTowPSRL0jlkZJwkCAwEAAaOBvjCBuzAJBgNVHRMEAjAAMBEGCWCGSAGG 
++EIBAQQEAwIHgDAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwIw +NgYDVR0RBC8wLYYrc3BpZmZlOi8vY2x1c3Rlci5sb2NhbC9ucy9kZWZhdWx0L3Nh +L2NsaWVudDAdBgNVHQ4EFgQUEr3U4t0vU2OfEkNhkv/OQkZzHvMwHwYDVR0jBBgw +FoAU4QAONZ/lVw4pbdUOVA03YKVvqGAwDQYJKoZIhvcNAQELBQADggEBAC76IVYv +kkD+ojj6O9w40y5U7YJ6UL2s7tN5HHZrV6t608YdgooJ9GLvUVDRlOohCB3MjBQE +M059b7+b6rqGJYNWQWlICdvZ1rSHUQRdWNAe9xqgmYXGT2zLgZJyhplboz381oPu +BUwFhs+j6Xek+1ub+NpiYjRZQ37jp5xeh6jodyKJdkGY6Arxe6nrO6ZuebIySXbG +k5GbeGyvXcCgqycatromMWmtG71zUtesfCu7GNyrReuJQ4f778Tb/N5qopBXOOum +ciJgRQH2bVUMEMutLvj+FROOl54YtO/3Lxi2kzzLAEfBHG6NC6yfq+TBIi++xgsP +3au7z8O9muicSto= -----END CERTIFICATE----- diff --git a/testdata/certs/client_ext.cnf b/testdata/certs/client_ext.cnf new file mode 100644 index 00000000000..fde8b913ded --- /dev/null +++ b/testdata/certs/client_ext.cnf @@ -0,0 +1,7 @@ +basicConstraints = CA:FALSE +nsCertType = client +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth +subjectAltName = @alt_names +[alt_names] +URI.1 = spiffe://cluster.local/ns/default/sa/client diff --git a/testdata/certs/generate.sh b/testdata/certs/generate.sh index 13c2656da66..0518850c682 100644 --- a/testdata/certs/generate.sh +++ b/testdata/certs/generate.sh 
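Review bot: `nsCertType = client` is the legacy Netscape certificate-type extension, which current TLS stacks do not consult during path validation; the `extendedKeyUsage = clientAuth` line that follows already carries that meaning, so the `nsCertType` line can be dropped rather than left looking as if it were enforced. `basicConstraints = CA:FALSE` is conventionally marked critical on a leaf, `basicConstraints = critical, CA:FALSE`, so a validator that does not understand the extension rejects instead of ignoring it. Both are nits for a test fixture, but this file is the template future regenerations will copy from.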
@@ -17,7 +17,15 @@ openssl genrsa -out root.key 2048 openssl req -x509 -new -nodes -key root.key -sha256 -days 1825 -out root.cert -# generate mTLS cert for client as follows: -go run security/tools/generate_cert/main.go -host="spiffe://cluster.local/ns/default/sa/client" -signer-priv=mixer/test/client/pilotplugin_mtls/testdata/root.key -signer-cert=mixer/test/client/pilotplugin_mtls/testdata/root.cert --mode=signer +# Server certificate: +openssl genrsa -out server-key.cert 2048 +openssl req -new -key server-key.cert -out server.csr +openssl x509 -req -in server.csr -CA root.cert -CAkey root.key -out server.cert -days 1650 -sha256 -extfile server_ext.cnf + +# Client certificate: +openssl genrsa -out client-key.cert 2048 +openssl req -new -key client-key.cert -out client.csr +openssl x509 -req -in client.csr -CA root.cert -CAkey root.key -out client.cert -days 1650 -sha256 -extfile client_ext.cnf + # Stackdriver certs need localhost as the common name diff --git a/testdata/certs/root.cert b/testdata/certs/root.cert index c6c8d2bd041..8ab65fa3cf1 100644 --- a/testdata/certs/root.cert +++ b/testdata/certs/root.cert 
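Review bot: The two `openssl req -new ... -out *.csr` lines pass no `-subj`, so regeneration is interactive and the subject depends on whoever runs it; the committed certificates carry OpenSSL's default `Internet Widgits Pty Ltd` organization, which suggests the prompts were simply accepted. Pass the subject explicitly, e.g. `openssl req -new -key server-key.cert -out server.csr -subj "/C=US/ST=CA/O=Internet Widgits Pty Ltd"`, and likewise for the client. The CSRs are intermediates, yet this patch commits server.csr and not client.csr; either append `rm -f server.csr client.csr` or ignore them so the two do not drift. Older OpenSSL releases also need `-CAcreateserial` on the `openssl x509 -req -CA ...` lines to create the serial file (recent releases create it themselves), and a comment recording that `-days 1650` puts the leaf expiry in 2027 by the dates encoded in the new certificates would save the next person a puzzling TLS failure.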
@@ -1,21 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDZzCCAk+gAwIBAgIUMzjfEUF3LQ/WfBiwIC9h+qndbGYwDQYJKoZIhvcNAQEL -BQAwQzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZh -bGUxEzARBgNVBAoMCmdvb2dsZS5jb20wHhcNMTkwODEyMTgzMTAyWhcNMjQwODEw -MTgzMTAyWjBDMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQBgNVBAcMCVN1 -bm55dmFsZTETMBEGA1UECgwKZ29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD -ggEPADCCAQoCggEBAL2O52MbZig1pfU1tut+QX/ISI3m2uMi079ZWy4ZE+Ccm4Ta -XdR66T94T2x7uWbT2AtNIxZO+LPT75Suh1Zb/O1px3dKul7U1Fpl7gLVnKXQ35zL -/fCh7MPa+aipZHH1KGG56ebdmoXrKM+S5k502Dm0Q0uyGxksBAiXHyixaiq00rYV -XYrv9qw1wphYea2SLBRaQOpJrPI1CZu267LTMTq9a6gGTwMuz9tDveT/cM8Nh17C -so+6PrLEbpXAJPqNUyuJBGsDG9AyqBh4ZKmgRDR+ZE03jNncaEx2vkjFenXLI+// -YgZA1NJVAefCFfGRNGRZ+bR/01brUbnuGJCgJv0CAwEAAaNTMFEwHQYDVR0OBBYE -FPVrsd6FoSOggPnQpsKqGvIhHCERMB8GA1UdIwQYMBaAFPVrsd6FoSOggPnQpsKq -GvIhHCERMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBALKX8nmy -SN8+MB5cSj/LymQpYlJVdvf0p2cBikWCVcAWL+CvBafYF0Y93ooKbv/jCZhWdGmz -ItbJjwauaXDphHEGbAzyjsQXH1ZQti6+HigMIvTOYuqiOd+Lstdim9QHvgLCywT0 -PJ3k44/KyfEXN870heJmEDN4uv+hASmH+9zvhRqE/ABnb2An4auQT5j3/BXU0jjl -sv3XDZ/Ke4PXqPptg4VGbhQi1+OUFoqAgvQFGbur0hnWFPsehC29kISMAJt/iTGJ -HC0g4ZKkij56ohHIB6OLNJ1rGMS9OFwt+0ok0AI7kVI5K3KLdhPEY1k48t6ThFCn -wPWDdGnjesEmztc= +MIIDWzCCAkOgAwIBAgIUEQ3MTVIpIdYHZPx7+Y0cmOTjR/QwDQYJKoZIhvcNAQEL +BQAwPTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMSEwHwYDVQQKDBhJbnRlcm5l +dCBXaWRnaXRzIFB0eSBMdGQwHhcNMjIxMTAyMTgwMTI5WhcNMjcxMTAxMTgwMTI5 +WjA9MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExITAfBgNVBAoMGEludGVybmV0 +IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AJqJYGCKrPqgrHE8fsi+P1uXbqsFzO322Za168wNJh0cIy4Lzd0zGbDXvsVujQ0s +UOUfNyM2qgb6G/7GJ5WYluwSWRYbv2Cc1c3XiGyIBl/eE/utNQ+wfIgf6XbMilWm +CG1WzOEU+ss8d1qewk+Kfdf7u+vKMKU52QMOd75Kwpn513QHZGFBVxAZCVlRtyhe +qL+Nk1pT7mQLux22bwUDqLjT5wwtSscSjPWOgQHetjiz6W1nD+pyMRUl0YMf37pY +t0n44lR98hh1mv0LPYfSKGo/RzjlUEJiGEfomwbb4sBW3dQnInqeMrH6vDsDSHzK +Wt5XoQs17uu/YkIChrIpA2kCAwEAAaNTMFEwHQYDVR0OBBYEFOEADjWf5VcOKW3V 
+DlQNN2Clb6hgMB8GA1UdIwQYMBaAFOEADjWf5VcOKW3VDlQNN2Clb6hgMA8GA1Ud +EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFgY2O2ueINKw4dbMcJqMo+6 +cG6AszL9GafnlA1qSJtD6cHyyF8lkhWzHtIAM1/QrwO3/yciquMw1gTubwxF44Uk +NvTPUnqw4bPWNXlqowrXzoM1uqQcvGCwhcEfHkOtiSVXR7Sa+0fGCLGpmlwdWUw1 +WbRTFCOKqmJFC0/J7/smcTrCzac28YRcELnTsVOVa6jXrib9TUvnwzK2nI8tK8OO +SLQTJFjEgig17XztZ8OCT0MTPwvE7A+nLaPwf5/vC5NtCF7HyL67H3ItdbNX6C/U +w7LGFivmoENW31jZirbAEmbRpvCBvlarEP+vteR61JDkZ3Y7KfgYxzykxRK6WFw= -----END CERTIFICATE----- diff --git a/testdata/certs/root.key b/testdata/certs/root.key index 3d0debfc5ab..f1adf6d2b94 100644 --- a/testdata/certs/root.key +++ b/testdata/certs/root.key 
@@ -1,27 +1,28 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpgIBAAKCAQEAvY7nYxtmKDWl9TW2635Bf8hIjeba4yLTv1lbLhkT4JybhNpd -1HrpP3hPbHu5ZtPYC00jFk74s9PvlK6HVlv87WnHd0q6XtTUWmXuAtWcpdDfnMv9 -8KHsw9r5qKlkcfUoYbnp5t2ahesoz5LmTnTYObRDS7IbGSwECJcfKLFqKrTSthVd -iu/2rDXCmFh5rZIsFFpA6kms8jUJm7brstMxOr1rqAZPAy7P20O95P9wzw2HXsKy -j7o+ssRulcAk+o1TK4kEawMb0DKoGHhkqaBENH5kTTeM2dxoTHa+SMV6dcsj7/9i -BkDU0lUB58IV8ZE0ZFn5tH/TVutRue4YkKAm/QIDAQABAoIBAQCFj8hHk4micVKS -+Rr+yQIbqCI/Idc+zU5HeA1/6JmR3KbTsA0G5uesGfhUZsTWyBNkuyAq2s/v3Tfl -Gigv2DbZjXvG+PdiVDGf1Ewk4SAz0X2NfEpcH6u0wHjCt0AX73ZZjWZajfAPxgcG -Yuo1g6zK09HK5x6i2Nmqt9hzkrZMic0i8oRCGSdMVuROuLedpsnsXLd5PI5OgiRj -xMXbYfk1oviwdKiIo44wvp+XAKriCHEkJdD5RVKLarKWfPkgriK+CrUv8+C6O03X -PLuxKUpOUEYwhi4dm1Pd5mIziOZbDI56lUU/9UC5vhg0/EY8G2xwvubLKP/bQCFJ -jJdJEf4hAoGBAPp6zBPii51q6GqbFJTvzOJ39mDtzS28JbilKysEuxcAH5QegsUL -PtABGqieiUoCBjSXJvW+6ReALpDk2RTpnWw5AGEJFBu64w5eWiUhr+CDVisr1VqD -oG6IVYi9bsNDsP7VZSemRmkZ5GgChzHpPp0m9lvHZ4yBzVxmVJUx+/SpAoGBAMG8 -Y3+B9wx7Cmc7SkGLPGOiEENSZlXCWdUKhQZCsBcgZgY4SGtDy0LTgkQHZf3k68OE -U/c7K1S7IUXCgyzXQc+KRd82y9fAOSRN9ZWLg9In+HAIWdPNvzU3rfZZmTLQRQj5 -NR0wzXB/06HBl135RG8oFQNAXA5fRrmdemhHUoA1AoGBAPXlq4cx9kIZ/AT8Ld5w -9EC36EYL7kuh055Ld++Je2n/EwFEWri6a3WkP9mdmcXv6suiP/ss6oPJsO1J3Nss -5QCjjP21/emjNNicQ/8D7TeJeAR1ycRMSCl66g2NerlzMMVcFSwxjhoL8zEwmiyj -gHajE2PShJNpsoOtagf1xBXRAoGBAKcG+mlV7V5vPfreXRjBKCFl+ctw4RWS58wK -s8FAAX0Oy6cVIyqHWliU7bwk/MO2d6UrExEVjDgS1Y7FMj6Ynv6FYdQd9ARgj2ND -azWxAMdQ+pnsOTWoLu98v5iiirgKY1pnMGmoR5Z0Pks5En1MiLmkvuj8teEWN22T -3ZLF2tT5AoGBAO1cIyyt7CHYvlTHpFpdfWtwCMepKTX2TV430qBwXItW7hhv9now -lvMVIDBVFaLfYTbMBkUWAE603t52hQ/brxhbzo72T87s6hVgzMnxu2cUJbu9s47i -c5MjY6ddvw/cN7nNTMLRWHYFDncJIV4wyKmKOTHdeSB93/UcYZKKH6HS ------END RSA PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCaiWBgiqz6oKxx +PH7Ivj9bl26rBczt9tmWtevMDSYdHCMuC83dMxmw177Fbo0NLFDlHzcjNqoG+hv+ +xieVmJbsElkWG79gnNXN14hsiAZf3hP7rTUPsHyIH+l2zIpVpghtVszhFPrLPHda 
+nsJPin3X+7vryjClOdkDDne+SsKZ+dd0B2RhQVcQGQlZUbcoXqi/jZNaU+5kC7sd +tm8FA6i40+cMLUrHEoz1joEB3rY4s+ltZw/qcjEVJdGDH9+6WLdJ+OJUffIYdZr9 +Cz2H0ihqP0c45VBCYhhH6JsG2+LAVt3UJyJ6njKx+rw7A0h8ylreV6ELNe7rv2JC +AoayKQNpAgMBAAECggEABIhw0Kgkso3VvRUVkXkeJedDXmYjSJwn7gcsUV4V3v75 +K7O6MEm8UE8FyCgJ4GfrQAtKPGDRPDboLREeLmHNVIOlxBOgiZqUHW9775YOXM/I +dYaTQsBuKLaJ7DuL977w6pckF5qcUCuYAysav0dMUXJvhNc3ldMkcdXh7o2mF2rc +aY0OdN2Za16hCaIQAmbvOqUXbrQRahQos3DAuOze9vLKEAMC+uPHPTY4N2Iu7Dnj +UeiTFIH271tOtsB6bNJBnMbve6yw14K93kQiVoSOFufliSj3qveYQRzqEd78Kkl7 +DqgXB4uIAjapBcs6n/X+vcbDEN/+9DxsQ6jBiNptEQKBgQDAXuv/OteUkfywMPiu +jEj+ps1sW5LL3Oz3wR2Ryq7+TK70QTyRpWm+Hjb1mOPGQQueyS1i81d9t6m47dZH +HTWCk6eP3i4t0iFVxsSx8zy4M/xfl6KFyFYls65rBMCtk19AHCAf8wrA16zYRGQ/ +MCLIDpZ2fK34oiVBsqrmdR7Q2QKBgQDNptS3Almsyk9dO/oQwRzr2tFapFU4Je48 +YdBB3OrLcGN4OIt7mqRYp8XiY4RcIQgM4N1GWQ99I7DJwY6e2XjXlu71h3NWUTRg +PoPbAwtx2TYtpwUfnQ07rXT5SbGZpf+Cqtc6PiAY0EcIvZuzh7twSOM6fEddYQoa +9LbVEz8tEQKBgQCDctk0CBMzVCYkhvIG45klWPlZp6FBaG8MRIteCe9VmTSbdtBa +fXsqDB9l5tkNqXi1QaafzMPmBdAVq38WDOF5nkeLSTio2sMoh6/0IM9G108GSukl +HWWwUX1HZ3H5qZAWkKFq83pPl5BmHyWY/91kcoNh54RBNxraL6oT28f40QKBgQDM +FSxxNS7iz5406wk9STc3Q96QshYz80hZucPfKKoFG9JKgurAzfUcWdqB0LqQZuND +TH+qiUVarWmKvr+XGj/Wytz24eVumoV8oW1ekcXwxFsEsQPfnI5+U6OKpDxQOzC2 +bm3KSc62cTKdFPUIE8HKKzr8VkrH+z35BDLQfxop0QKBgHq/X2vRzk6SzqEmBz9b +t4dI/raW0cA5uia9orzfg4U5IKHMygw0tR2azHFC3pqRiOaYNADn511mdfE+U6PJ +Lh/4ZJtFtQ0+F//srM8+tvb5nDE9z5A0n+p2/3v8lC9u7gGzewx7Fl5xtsPkU9pO +lzOWbdeVA2Y/g1AFYHMX7/xi +-----END PRIVATE KEY----- diff --git a/testdata/certs/server-key.cert b/testdata/certs/server-key.cert index 54075a4da21..4047aac534b 100644 --- a/testdata/certs/server-key.cert +++ b/testdata/certs/server-key.cert 
@@ -1,27 +1,28 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA4vmrWwXSHIOLtRzMnPaAx2jB7kVzUd2PMIddSczm1JJFYusE -GV0JoDGK3ZNh5bz0Ye7F/mKAOlv1a13sAJ8jcx7GC0UgbIbA2+0b/sOGXXu/9rhp -ahLa7wC6mxdlXE85EwAk/EwCkgXqD5Zrbq6rinJ1Rw3S8AxPrIT422FzpHV+mjAa -PW9qcC8w53/aMAxg80uBcge/4gYamD3bDnoRQp0bywrv3gtE+d20OusA8gN99x93 -6yoEotVukZkq8Dbj7CQFhXvPhDkBTIm4cynA1h9V0GEgWCr9DDWV3A9nftL9bDPT -r4oznZSJG41+VTx9/tLY1imjvRe6lqGgxRgdcwIDAQABAoIBAQDSZz9BkZPEeuz3 -Z0sF9jxKngGoLxlHumsSQWlpEFiqlS1dFR8no+dYaJSh8g2+OfsRDZbcydK0Rqqq -bNZpfRwPi2dq6xmzgPcm6BYbhIT6A81fmHOfsPris3pIate7SnVN98RRXOTFGFZx -PK86WxEJtjChPV9cxwzUkC9grmXU/Jbk1Dfdn2karEGnzwwhpZjsukUG/c1ug6Ig -6Wa1Ml5uxU0TAx44IFi3c6kMLf3hJVOc5wDtA196TGfhcAKBUYDW4DhOWt5gkg+C -YYry1zLfTrMt019bnMp4AG8ximmAhkH+As9G/v4Qg7+oPJ4CdQ7uJUd7HSfbl8U5 -jgefqPuBAoGBAPb/alLTN3BiJAh2JnffTQYOpLQdQ8kamoNcA+WtxRKEOyLii9W2 -UOieDiyzZqFuvqRqNmPhWuC04Q55TIZKZHFW23KEiLspIZxp47Zghy7IV99xR/bo -TcWNGVh8CuJpO5u8sc863+x2hO61oWe/S3d82sW+ffsswYMQs6Gg6NNFAoGBAOs/ -b9SN6+WVZ1a+i0JsC8RDbtWvo1AyE6uT03IL2jJRAlGIWjejc+bPUbfwU/1IdrjG -LJOVSVK63cep5Zsz/1dgfOWZ6nabvzTLhLaKxXiKgKjABeQhvRk0OfE/aZsVy2ul -X9iXH/mNZj09A1KHB0TKswLXmbY2quUg2dUlu51XAoGAXGd1mYLXbL3qiRfakGID -6M41pASGxYekYpxcAOMfpSu/C/ABLHTGlB/9YY/ER4Ss4cmyi29VlldVExsiG+Nc -7GH4O0GF/a8HmgKrZCF8sW3WIgu5Ro/l+JAu+UF+uPFxkXPoeYSnHUnBtaRRvAR+ -8TbOicgYTY2S37ux2DfgopkCgYBwClWLqVA5lu+Ru8x9hRIRloA6G52vezotFIm3 -Hnf8UOLGzCcTqrBvtDvaXAbUcefBVvkyDP7P/RnVl1A4nAo3pke13plxhfoJ/ggm -HG+yWlyugk4L+hmi4GHcSXRVnYq1qRy9/jQHWdXgwqdLbe4DUHrzlpWp192KpRu6 -TW9OnwKBgQDpM23NlpduTo0iCsKvTcjSZUrz7tQJ12T740ZjWe1s8vNvOcRoeO8A -JQzVhxxOQx8mC3+NsbMWjkACAS5z6byC1rle88Gexnw5pT7MlaZU3xnxMukRIso/ -Oo3EnpZzE6UlZ782oz1ibrpEGqn112marhzUIwoM/PnhNHKlTZLH/w== ------END RSA PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC+3js555q2V18G +IRwSS3aLbTnwKaiIcNjZIcpOJWsirDLCgLzlULQh259K9IFGr3pzFIgYCMXDevAy +p6cH3dVfD95+gjqWqJ4rpo0g6aRfj3rrLzrooOQJR4aaRkPIqnWcgkfJYyvfproj 
+OA+aB+8j5k9yY+zvcYcDjN/PP29mnP6cOkIsMq9wI44HrZY4FP8QU7AucAcWOvt6 +t5vST05v43A0WpsYwAMuVQxuknHKELrkpDE+zwKxobrpPzLG2WVuC7r8mGrD1cHF +5A6K7aXiWYTe80wY5PFFbXo2x8IhIaqjCnwA+xFwmeuOCRI7KdI+Hb8gNKLGwiMH +K/rcClSlAgMBAAECggEADRvMK4Tpjj5f61bYy7TdFmRRB1qFFaHScs8sSsOtIPt8 +nPkkgAdT58NipE44lrc0jLTLSANKOcu2tXPoN9UXc2jumfetuG0qN8s/hBQn0txS +z9Y1kIaEQtLjvrK2sxBp9W7JKV6jQ7/6prKR9701wlxt9mhAfI1qfWbudBhiOUTO +pcRr8Ck/ZE/I4gh5+Rvgj8tfg96B3Qq1MbZZ6lI0dNS6BQ97UICTE/xmHqrlCRD9 +JwFXDSQHC/hRWqJl3vFYIGFYeL4GngRn5+WOR7j1p6q2jszTT81jRCRtdHvllcYl +tY7CqpgG6erWoebnBCi8ox2uzY+Nbw4LrxjQOZG0fQKBgQDgs5POGvrWnwbMXpOA +L2obYC4RmPHK6tf46wabbUJx7gLGzzoeRnpc8DH3OYkpswo1vKjgiI5KCqWg4xA5 +cmLFp6PC+Sgp7dKqkTncFOFTy4r6jgRzpgaIbQZuDNhCh5xCMDqUxTl0KoV2J687 +Xo5ZbhPJgto/dXPijJgT3zLUSwKBgQDZdDh4sq3j/VodaYz5yjnWkX6OatWrRkG5 +VnFg0ZAzhqUQWmfYkE1Lb7S8paaBI5f/RRMHiq5eOBy67gZzBpZp/FrWvF8rgUPg +h8qp1BuZUcQ7oIm2klakXVb5dODgl6jQfe7jWH8KTwYJolMwfsaJ8Naa04kyikS2 +Jc3ItS6EzwKBgQCq/fzsSvu3dyzlONNmKK7GRlrIaWsWz7+qXK+ad3qo2Eako+3G +PDvBncdoKxCF+wk5+2dH9qLRFWkVFbWzAajIYNnt9UzrG1/FDN7K69jMu4f3QzuA +BkfSaaUK+htYBXqTo7/wlmUyUWlekLR4qWwKAgpsvnb285pMPFE+TguQIQKBgQCk +hlNntsDsW7a/xCl+oKvMFT7soBZTxQ9bG/UibMwuv/PJgK1LZDqnFbhoduiYkoah +A/EW5q1w6gGKySamBtjtDZrpF5LmBqKFkhgbEDllckEHYDpxoRzetSRmDzFJnFWE +kZOZ/U35TbritSc97N1oZojokZ4fWBAOxGGDNtogbwKBgQCN3kevOYBwSyKRiklu +dca+CZb4smXCrzaGq5ue9vDyiuXoid8eMscHeGbn5zGBvZyCUQvU8M79Ptm+g0cy +DsXEZ6xCfiOPb0z/XAm2xEJqGnHvzOjj9FwG+RF7PKlBB1SVIcpoe0VpsgznD8tP +TI2BPjeIOJvMiYoDx1DAuhbp9g== +-----END PRIVATE KEY----- diff --git a/testdata/certs/server.cert b/testdata/certs/server.cert index 8db6682a96b..f6ba6f6e625 100644 --- a/testdata/certs/server.cert +++ b/testdata/certs/server.cert 
@@ -1,20 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDXDCCAkSgAwIBAgIQVTt6pYOM9fp3zF1NXUUJojANBgkqhkiG9w0BAQsFADBD -MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQBgNVBAcMCVN1bm55dmFsZTET -MBEGA1UECgwKZ29vZ2xlLmNvbTAeFw0xOTA4MTIxODU1NDlaFw0yNDA4MTAxODU1 -NDlaMBMxETAPBgNVBAoTCEp1anUgb3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A -MIIBCgKCAQEA4vmrWwXSHIOLtRzMnPaAx2jB7kVzUd2PMIddSczm1JJFYusEGV0J -oDGK3ZNh5bz0Ye7F/mKAOlv1a13sAJ8jcx7GC0UgbIbA2+0b/sOGXXu/9rhpahLa -7wC6mxdlXE85EwAk/EwCkgXqD5Zrbq6rinJ1Rw3S8AxPrIT422FzpHV+mjAaPW9q -cC8w53/aMAxg80uBcge/4gYamD3bDnoRQp0bywrv3gtE+d20OusA8gN99x936yoE -otVukZkq8Dbj7CQFhXvPhDkBTIm4cynA1h9V0GEgWCr9DDWV3A9nftL9bDPTr4oz -nZSJG41+VTx9/tLY1imjvRe6lqGgxRgdcwIDAQABo3wwejAOBgNVHQ8BAf8EBAMC -BaAwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBT1a7HehaEjoID50KbCqhryIRwh -ETA5BgNVHREBAf8ELzAthitzcGlmZmU6Ly9jbHVzdGVyLmxvY2FsL25zL2RlZmF1 -bHQvc2Evc2VydmVyMA0GCSqGSIb3DQEBCwUAA4IBAQCsBUDD33vlXI1FvwZuqSZ5 -zHQtH7N9jFtPu8qTkhHTlnA/Tt5S0IxuZDt2XfAhzYyQOgP6z8yVxdDP4FSlQuXq -TrFr9tT4DGBOh44oV/SYUX5zn9RFJ+HJ22U5cEUo+WpqTx/vQzrm4kI3KMZ7Augt -W915b1lkjrVlW+pnT7gGNYX4DD7cDX3vKfWDb78zb5hhdbyX/8jJx4BRfvdmO0E8 -qbpQgGZj5sbhmJ7a4bGhA3OFproEznmvGP85a+jT/pEO7V9fb3YBW5z7xr/fEnyu -50d3ydKKPzM6oQY6FjLIwKzqo7bVtQCYSzk2n49Sjs+GKphG/oCWhqW6JKbs8D0n +MIIDvDCCAqSgAwIBAgIUA5B66o/DRpXnqGjyWRlvgeiFlU8wDQYJKoZIhvcNAQEL +BQAwPTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMSEwHwYDVQQKDBhJbnRlcm5l +dCBXaWRnaXRzIFB0eSBMdGQwHhcNMjIxMTAyMTgyNzA3WhcNMjcwNTEwMTgyNzA3 +WjA9MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExITAfBgNVBAoMGEludGVybmV0 +IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AL7eOznnmrZXXwYhHBJLdottOfApqIhw2Nkhyk4layKsMsKAvOVQtCHbn0r0gUav +enMUiBgIxcN68DKnpwfd1V8P3n6COpaoniumjSDppF+PeusvOuig5AlHhppGQ8iq +dZyCR8ljK9+muiM4D5oH7yPmT3Jj7O9xhwOM388/b2ac/pw6Qiwyr3AjjgetljgU +/xBTsC5wBxY6+3q3m9JPTm/jcDRamxjAAy5VDG6SccoQuuSkMT7PArGhuuk/MsbZ +ZW4LuvyYasPVwcXkDortpeJZhN7zTBjk8UVtejbHwiEhqqMKfAD7EXCZ644JEjsp +0j4dvyA0osbCIwcr+twKVKUCAwEAAaOBszCBsDAJBgNVHRMEAjAAMBEGCWCGSAGG 
++EIBAQQEAwIGQDAOBgNVHQ8BAf8EBAMCBaAwQAYDVR0RBDkwN4Yrc3BpZmZlOi8v +Y2x1c3Rlci5sb2NhbC9ucy9kZWZhdWx0L3NhL3NlcnZlcoIIaXN0aW8uaW8wHQYD +VR0OBBYEFDFa3IJOzeyX60Y1KQxqDATglbVSMB8GA1UdIwQYMBaAFOEADjWf5VcO +KW3VDlQNN2Clb6hgMA0GCSqGSIb3DQEBCwUAA4IBAQCGLgjHejSfUD8a0uFFzIC5 +nKHhG55mo6kEJNspm2yOb4jtOFHLzExEFpgFUHmqzhSvuhLruEPWT0WDANS8p5x4 +opA2vJakh5OxxVYURUCNxI3w9MFET/BqgDjcrNDjFTZkoJ4Pt2/egw8RJp8kXz36 +4iSdbHNN838Y+36Ke9+xV0U7g0I2dP26wKEYdV98e6zMQlmtCyCKTOUxq2MWKvPv +OlmQ8++iWtDpA9AIcQfFeuQN3AbgJbMCw174GqVQfeOWVP4ojenXnui6KP7uyQvh +KRu89cJLqPLZ5FHr67eE5sI0ixd7fP5EKRSRztGJeB3J4oOd4jUbKGUhg6e/M6F8 -----END CERTIFICATE----- diff --git a/testdata/certs/server.csr b/testdata/certs/server.csr new file mode 100644 index 00000000000..5f6b1565c91 --- /dev/null +++ b/testdata/certs/server.csr @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICgjCCAWoCAQAwPTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMSEwHwYDVQQK +DBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC+3js555q2V18GIRwSS3aLbTnwKaiIcNjZIcpOJWsirDLCgLzl +ULQh259K9IFGr3pzFIgYCMXDevAyp6cH3dVfD95+gjqWqJ4rpo0g6aRfj3rrLzro +oOQJR4aaRkPIqnWcgkfJYyvfprojOA+aB+8j5k9yY+zvcYcDjN/PP29mnP6cOkIs +Mq9wI44HrZY4FP8QU7AucAcWOvt6t5vST05v43A0WpsYwAMuVQxuknHKELrkpDE+ +zwKxobrpPzLG2WVuC7r8mGrD1cHF5A6K7aXiWYTe80wY5PFFbXo2x8IhIaqjCnwA ++xFwmeuOCRI7KdI+Hb8gNKLGwiMHK/rcClSlAgMBAAGgADANBgkqhkiG9w0BAQsF +AAOCAQEAIKr1a5455s8ahiwjuRN/lqYkQLCr1EyQBJLT9mez7xUkSsvy5uzTSU88 +UsPH4PptG+Bvw/+fkBBGildwtDFsq5pgnILUeDPE6cK5ePProZAICNBUK72XkwUm +PUI5wh+8VfpCnIBNvQ1nRl2/lydYyEIkFoQpJ86MzPVqeIck2G8jGxq8Ocs5QvfJ +B+0smVYifMO10M1VMRJGOkeB0J5b4i3WT4W0JJ6Wzk+chCl3EE575rRlZbSXKaT4 +RVl36LlDl+8Rvt1VP0eOxySmfZsBXzDQe59gU00+nEv9fH+y8DefCNZsTHXE4Egt +AAxA6Xy5PAU0xIoU+7go4M+HtidDAA== +-----END CERTIFICATE REQUEST----- diff --git a/testdata/certs/server_ext.cnf b/testdata/certs/server_ext.cnf new file mode 100644 index 00000000000..b3466c9068a --- /dev/null +++ b/testdata/certs/server_ext.cnf 
@@ -0,0 +1,7 @@ +basicConstraints = CA:FALSE +nsCertType = server +keyUsage = critical, digitalSignature, keyEncipherment +subjectAltName = @alt_names +[alt_names] +URI.1 = spiffe://cluster.local/ns/default/sa/server +DNS.1 = istio.io diff --git a/testdata/cluster/original_dst.yaml.tmpl b/testdata/cluster/original_dst.yaml.tmpl index a91178b7d45..7931d77543a 100644 --- a/testdata/cluster/original_dst.yaml.tmpl +++ b/testdata/cluster/original_dst.yaml.tmpl @@ -6,9 +6,37 @@ typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicit_http_config: +{{ if eq .Vars.quic "true" }} + http3_protocol_options: + allow_extended_connect: true +{{ else }} http2_protocol_options: allow_connect: true +{{ end }} transport_socket: +{{ if eq .Vars.quic "true" }} + name: envoy.transport_sockets.quic + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicUpstreamTransport + value: + upstream_tls_context: + common_tls_context: + tls_certificate_sds_secret_configs: + name: client + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - envoy_grpc: + cluster_name: xds_cluster + set_node_on_first_message_only: true + transport_api_version: V3 + resource_api_version: V3 + validation_context: + trusted_ca: { filename: "testdata/certs/root.cert" } + sni: istio.io +{{ else }} name: tls typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct @@ -28,3 +56,4 @@ transport_socket: resource_api_version: V3 validation_context: trusted_ca: { filename: "testdata/certs/root.cert" } +{{ end }} diff --git a/testdata/listener/terminate_connect.yaml.tmpl b/testdata/listener/terminate_connect.yaml.tmpl index a8556a64fe6..2422b085c93 100644 --- a/testdata/listener/terminate_connect.yaml.tmpl +++ b/testdata/listener/terminate_connect.yaml.tmpl 
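Review bot: `server_ext.cnf` has no `extendedKeyUsage`, whereas the sibling `client_ext.cnf` sets `extendedKeyUsage = clientAuth`; for symmetry, and so a peer that does check EKU accepts this certificate as a TLS server, add `extendedKeyUsage = serverAuth`. As in the client file, `nsCertType = server` is the obsolete Netscape extension and can go, and `basicConstraints = critical, CA:FALSE` is the conventional leaf form. Whether Envoy's validator enforces EKU on this path is not shown by the hunk, so treat the first point as hygiene rather than a test-breaking defect.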
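Review bot: The new QUIC branch's `validation_context` carries only `trusted_ca`, so unless the QUIC verifier itself matches the SNI against the certificate, the client accepts any leaf chained to root.cert without asserting the server's identity; a `match_typed_subject_alt_names` entry for `spiffe://cluster.local/ns/default/sa/server` (the URI SAN the regenerated server certificate carries) would pin it, and should mirror whatever the h2 branch does, which lies mostly outside this hunk. `sni: istio.io` is coupled to the `DNS.1 = istio.io` SAN added to server_ext.cnf in this same series; a one-line comment, `# must match a DNS SAN in testdata/certs/server.cert`, would keep the two from drifting. The SDS block is now duplicated verbatim between the QUIC and TLS branches; a `{{ define "client_sds" }}` template would remove the copy.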
@@ -1,8 +1,17 @@ name: terminate_connect address: socket_address: +{{ if eq .Vars.quic "true" }} + protocol: UDP +{{ end }} address: 127.0.0.1 port_value: {{ .Ports.ServerTunnelPort }} +{{ if eq .Vars.quic "true" }} +udp_listener_config: + quic_options: {} + downstream_socket_config: + prefer_gro: true +{{ end }} filter_chains: - filters: # Capture SSL info for the internal listener passthrough @@ -14,6 +23,9 @@ filter_chains: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: terminate_connect +{{ if eq .Vars.quic "true" }} + codec_type: HTTP3 +{{ end }} route_config: name: local_route virtual_hosts: @@ -39,6 +51,28 @@ filter_chains: upgrade_configs: - upgrade_type: CONNECT transport_socket: +{{ if eq .Vars.quic "true" }} + name: quic + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicDownstreamTransport + value: + downstream_tls_context: + common_tls_context: + tls_certificate_sds_secret_configs: + name: server + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - envoy_grpc: + cluster_name: xds_cluster + set_node_on_first_message_only: true + transport_api_version: V3 + resource_api_version: V3 + validation_context: + trusted_ca: { filename: "testdata/certs/root.cert" } +{{ else }} name: tls typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct @@ -59,3 +93,4 @@ filter_chains: validation_context: trusted_ca: { filename: "testdata/certs/root.cert" } require_client_certificate: true +{{ end }} From 86d778c551773af541f5c80ed2497454128596e4 Mon Sep 17 00:00:00 2001 From: Kuat Yessenov Date: Wed, 2 Nov 2022 13:12:15 -0700 Subject: [PATCH 2/2] connect with quic 
Signed-off-by: Kuat Yessenov --- test/envoye2e/basic_flow/basic_test.go | 123 ++++++++++-------- test/envoye2e/driver/envoy.go | 25 ++-- test/envoye2e/inventory.go | 3 +- testdata/listener/terminate_connect.yaml.tmpl | 5 + 4 files changed, 94 insertions(+), 62 deletions(-) diff --git a/test/envoye2e/basic_flow/basic_test.go b/test/envoye2e/basic_flow/basic_test.go index b4955136d36..8ccfc1288b9 100644 --- a/test/envoye2e/basic_flow/basic_test.go +++ b/test/envoye2e/basic_flow/basic_test.go @@ -15,6 +15,7 @@ package client_test import ( + "strconv" "testing" "time" @@ -22,6 +23,20 @@ import ( "istio.io/proxy/test/envoye2e/driver" ) +var ProtocolOptions = []struct { + Name string + Quic bool +}{ + { + Name: "h2", + Quic: false, + }, + { + Name: "quic", + Quic: true, + }, +} + func TestBasicTCPFlow(t *testing.T) { params := driver.NewTestParams(t, map[string]string{ "ConnectionCount": "10", 
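Review bot: `ProtocolOptions` is an exported package-level variable in a `_test` package that nothing can import, so the export only widens scope; make it `protocolOptions`, and rename the field to `QUIC` to follow Go's initialism convention (`Quic` reads as a word). A doc comment would also help, e.g. `// protocolOptions enumerates the CONNECT transports TestBasicCONNECT runs as subtests; Name doubles as the subtest name listed in inventory.go.`. The `var` block is complete within this hunk.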
@@ -128,60 +143,64 @@ func TestBasicHTTPGateway(t *testing.T) { } func TestBasicCONNECT(t *testing.T) { - params := driver.NewTestParams(t, map[string]string{}, envoye2e.ProxyE2ETests) - params.Vars["ServerClusterName"] = "internal_outbound" - params.Vars["ServerInternalAddress"] = "internal_inbound" - params.Vars["ServerNetworkFilters"] = driver.LoadTestData("testdata/filters/restore_tls.yaml.tmpl") - params.Vars["quic"] = "true" + for _, options := range ProtocolOptions { + t.Run(options.Name, func(t *testing.T) { + params := driver.NewTestParams(t, map[string]string{}, envoye2e.ProxyE2ETests) + params.Vars["ServerClusterName"] = "internal_outbound" + params.Vars["ServerInternalAddress"] = "internal_inbound" + params.Vars["ServerNetworkFilters"] = driver.LoadTestData("testdata/filters/restore_tls.yaml.tmpl") + params.Vars["quic"] = strconv.FormatBool(options.Quic) - updateClient := &driver.Update{Node: "client", Version: "{{ .N }}", - Clusters: []string{ - driver.LoadTestData("testdata/cluster/internal_outbound.yaml.tmpl"), - driver.LoadTestData("testdata/cluster/original_dst.yaml.tmpl"), - }, - Listeners: []string{ - driver.LoadTestData("testdata/listener/client.yaml.tmpl"), - driver.LoadTestData("testdata/listener/internal_outbound.yaml.tmpl"), - }, - Secrets: []string{ - driver.LoadTestData("testdata/secret/client.yaml.tmpl"), - }, - } + updateClient := &driver.Update{Node: "client", Version: "{{ .N }}", + Clusters: []string{ + driver.LoadTestData("testdata/cluster/internal_outbound.yaml.tmpl"), + driver.LoadTestData("testdata/cluster/original_dst.yaml.tmpl"), + }, + Listeners: []string{ + driver.LoadTestData("testdata/listener/client.yaml.tmpl"), + driver.LoadTestData("testdata/listener/internal_outbound.yaml.tmpl"), + }, + Secrets: []string{ + driver.LoadTestData("testdata/secret/client.yaml.tmpl"), + }, + } - updateServer := &driver.Update{Node: "server", Version: "{{ .N }}", - Clusters: []string{ - 
driver.LoadTestData("testdata/cluster/internal_inbound.yaml.tmpl"), - }, - Listeners: []string{ - driver.LoadTestData("testdata/listener/terminate_connect.yaml.tmpl"), - driver.LoadTestData("testdata/listener/server.yaml.tmpl"), - }, - Secrets: []string{ - driver.LoadTestData("testdata/secret/server.yaml.tmpl"), - }, - } + updateServer := &driver.Update{Node: "server", Version: "{{ .N }}", + Clusters: []string{ + driver.LoadTestData("testdata/cluster/internal_inbound.yaml.tmpl"), + }, + Listeners: []string{ + driver.LoadTestData("testdata/listener/terminate_connect.yaml.tmpl"), + driver.LoadTestData("testdata/listener/server.yaml.tmpl"), + }, + Secrets: []string{ + driver.LoadTestData("testdata/secret/server.yaml.tmpl"), + }, + } - if err := (&driver.Scenario{ - Steps: []driver.Step{ - &driver.XDS{}, - updateClient, updateServer, - &driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/client.yaml.tmpl")}, - &driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/server.yaml.tmpl")}, - &driver.Sleep{Duration: 1 * time.Second}, - driver.Get(params.Ports.ClientPort, "hello, world!"), - // xDS load generator: - // &driver.Repeat{ - // Duration: time.Second * 20, - // Step: &driver.Scenario{ - // []driver.Step{ - // &driver.Sleep{10000 * time.Millisecond}, - // updateClient, updateServer, - // // may need short delay so we don't eat all the CPU - // }, - // }, - // }, - }, - }).Run(params); err != nil { - t.Fatal(err) + if err := (&driver.Scenario{ + Steps: []driver.Step{ + &driver.XDS{}, + updateClient, updateServer, + &driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/client.yaml.tmpl")}, + &driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/server.yaml.tmpl")}, + &driver.Sleep{Duration: 1 * time.Second}, + driver.Get(params.Ports.ClientPort, "hello, world!"), + // xDS load generator: + // &driver.Repeat{ + // Duration: time.Second * 20, + // Step: &driver.Scenario{ + // []driver.Step{ + // &driver.Sleep{10000 * 
time.Millisecond}, + // updateClient, updateServer, + // // may need short delay so we don't eat all the CPU + // }, + // }, + // }, + }, + }).Run(params); err != nil { + t.Fatal(err) + } + }) } } diff --git a/test/envoye2e/driver/envoy.go b/test/envoye2e/driver/envoy.go index 2930b12ad86..0bb56b1e646 100644 --- a/test/envoye2e/driver/envoy.go +++ b/test/envoye2e/driver/envoy.go @@ -81,7 +81,8 @@ func (e *Envoy) Run(p *Params) error { } log.Printf("envoy bootstrap:\n%s\n", bootstrap) - e.adminPort, err = getAdminPort(bootstrap) + var node string + e.adminPort, node, err = getAdminPortAndNode(bootstrap) if err != nil { return err } @@ -105,6 +106,7 @@ func (e *Envoy) Run(p *Params) error { concurrency = fmt.Sprint(e.Concurrency) } args := []string{ + "--log-format", "[" + node + ` %T.%e][%t][%l][%n] [%g:%#] %v`, "-c", e.tmpFile, "-l", debugLevel, "--concurrency", concurrency, 
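Review bot: Both subtests end with the same `driver.Get(params.Ports.ClientPort, "hello, world!")`, so the `quic` case still passes if the template condition silently produced the h2 configuration (an unset or mistyped `quic` var falls through to every `{{ else }}` branch); nothing in the scenario confirms HTTP/3 was actually negotiated. If the driver offers a stats or admin-query step, asserting whatever QUIC-specific server counter Envoy exposes is non-zero after the `Get` would pin the transport under test. Separately, `options` is captured by the `t.Run` closure; that is safe while the subtests stay sequential, but a future `t.Parallel()` on a pre-1.22 toolchain would need `options := options` at the top of the loop. `TestBasicCONNECT` is complete within this hunk.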
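Review bot: `node` is spliced unescaped into an spdlog pattern on the new `"--log-format"` line, so a node id containing `%` would be consumed as a format flag and an empty id yields a `[ ` prefix; both are harmless with the `client`/`server` ids used here, but the id is read from the bootstrap file, so a guard is cheap. `strings.ReplaceAll(node, "%", "%%")` (spdlog treats `%%` as a literal percent), or falling back to `e.tmpFile` when `node == ""`, would cover it. The `args` slice continues past the end of this hunk.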
@@ -171,23 +173,28 @@ func (e *Envoy) Cleanup() { } } -func getAdminPort(bootstrap string) (uint32, error) { +func getAdminPortAndNode(bootstrap string) (port uint32, node string, err error) { pb := &bootstrap_v3.Bootstrap{} - if err := ReadYAML(bootstrap, pb); err != nil { - return 0, err + if err = ReadYAML(bootstrap, pb); err != nil { + return } if pb.Admin == nil || pb.Admin.Address == nil { - return 0, fmt.Errorf("missing admin section in bootstrap: %v", bootstrap) + err = fmt.Errorf("missing admin section in bootstrap: %v", bootstrap) + return } socket, ok := pb.Admin.Address.Address.(*core.Address_SocketAddress) if !ok { - return 0, fmt.Errorf("missing socket in bootstrap: %v", bootstrap) + err = fmt.Errorf("missing socket in bootstrap: %v", bootstrap) + return } - port, ok := socket.SocketAddress.PortSpecifier.(*core.SocketAddress_PortValue) + portValue, ok := socket.SocketAddress.PortSpecifier.(*core.SocketAddress_PortValue) if !ok { - return 0, fmt.Errorf("missing port in bootstrap: %v", bootstrap) + err = fmt.Errorf("missing port in bootstrap: %v", bootstrap) + return } - return port.PortValue, nil + node = pb.Node.Id + port = portValue.PortValue + return } // downloads env based on the given branch name. Return location of downloaded envoy. diff --git a/test/envoye2e/inventory.go b/test/envoye2e/inventory.go index 74c7dc83cd6..28c2c271a40 100644 --- a/test/envoye2e/inventory.go +++ b/test/envoye2e/inventory.go @@ -31,7 +31,8 @@ func init() { "TestBasicHTTPGateway", "TestBasicHTTPwithTLS", "TestBasicTCPFlow", - "TestBasicCONNECT", + "TestBasicCONNECT/quic", + "TestBasicCONNECT/h2", "TestHTTPExchange", "TestHTTPLocalRatelimit", "TestStackdriverAccessLog/AllClientErrorRequestsGetsLoggedOnNoMxAndError", diff --git a/testdata/listener/terminate_connect.yaml.tmpl b/testdata/listener/terminate_connect.yaml.tmpl index 2422b085c93..0d0653a0b8a 100644 --- a/testdata/listener/terminate_connect.yaml.tmpl +++ b/testdata/listener/terminate_connect.yaml.tmpl 
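Review bot: `node = pb.Node.Id` dereferences `pb.Node` without a nil check, so a bootstrap with no `node:` section now panics where the old `getAdminPort` succeeded; the generated protobuf getters are nil-safe, so `node = pb.GetNode().GetId()` keeps the previous tolerance (an empty id then flows into the log prefix, which is acceptable for test bootstraps). The switch to named results with bare `return` statements also makes the four early exits harder to follow than the original explicit `return 0, err` form, and the function still has no doc comment; `// getAdminPortAndNode parses an Envoy bootstrap YAML and returns the admin port and node id it declares.` would do.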
@@ -15,10 +15,14 @@ udp_listener_config: filter_chains: - filters: # Capture SSL info for the internal listener passthrough +{{ if eq .Vars.quic "true" }} +# TODO: accessing uriSanPeerCertificates() triggers a crash in quiche version. +{{ else }} - name: capture_tls typed_config: "@type": type.googleapis.com/udpa.type.v1.TypedStruct type_url: istio.tls_passthrough.v1.CaptureTLS +{{ end }} - name: envoy.filters.network.http_connection_manager typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager @@ -72,6 +76,7 @@ filter_chains: resource_api_version: V3 validation_context: trusted_ca: { filename: "testdata/certs/root.cert" } + require_client_certificate: true # XXX: This setting is ignored ATM per @danzh. {{ else }} name: tls typed_config:
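Review bot: The added `require_client_certificate: true` is, by the inline comment's own admission, ignored by the QUIC downstream transport, so the `quic` variant of this listener does not enforce client mTLS while the h2 variant does, and the first hunk additionally drops the `capture_tls` filter so no peer SAN is captured either; the QUIC subtest therefore passes with a materially weaker authentication posture than the h2 one. That gap should be visible where the tests are read: replace the `XXX ... per @danzh` aside with a grep-able `# TODO(quic): require_client_certificate is not enforced by QuicDownstreamTransport; the QUIC CONNECT path currently accepts unauthenticated clients.` and say the same in TestBasicCONNECT's `quic` case. If Envoy offers a way to observe a missing client certificate on QUIC (a stat, or an RBAC check on the peer principal), a negative test would turn the comment into a guarantee.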