From e72a5e01ae511a2dacdffcd45efe3e3d1aa1ab94 Mon Sep 17 00:00:00 2001 From: Chotiwat Chawannakul Date: Thu, 15 Feb 2024 17:51:53 -0800 Subject: [PATCH 1/7] fix e2e deployment missing custom env vars --- test/e2e/framework/deployment.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go index 08a5353b24..dffa7bcfd3 100644 --- a/test/e2e/framework/deployment.go +++ b/test/e2e/framework/deployment.go @@ -527,7 +527,7 @@ func newDeployment(name, namespace, image string, port int32, replicas int32, co { Name: name, Image: image, - Env: []corev1.EnvVar{}, + Env: env, Ports: []corev1.ContainerPort{ { Name: "http", From d07907eedda7556dc7262646c209b68162235782 Mon Sep 17 00:00:00 2001 From: Chotiwat Chawannakul Date: Fri, 16 Feb 2024 01:38:01 -0800 Subject: [PATCH 2/7] add e2e tests --- test/e2e/framework/httpexpect/request.go | 35 ++- test/e2e/settings/ssl_passthrough.go | 294 +++++++++++++++-------- 2 files changed, 221 insertions(+), 108 deletions(-) diff --git a/test/e2e/framework/httpexpect/request.go b/test/e2e/framework/httpexpect/request.go index 0ae85dd793..0c1a38d028 100644 --- a/test/e2e/framework/httpexpect/request.go +++ b/test/e2e/framework/httpexpect/request.go @@ -80,22 +80,41 @@ func (h *HTTPRequest) ForceResolve(ip string, port uint16) *HTTPRequest { h.chain.fail(fmt.Sprintf("invalid ip address: %s", ip)) return h } - dialer := &net.Dialer{ - Timeout: h.client.Timeout, - KeepAlive: h.client.Timeout, - DualStack: true, - } resolveAddr := fmt.Sprintf("%s:%d", ip, int(port)) + return h.WithDialContextMiddleware(func(next DialContextFunc) DialContextFunc { + return func(ctx context.Context, network, addr string) (net.Conn, error) { + return next(ctx, network, resolveAddr) + } + }) +} + +// DialContextFunc is the function signature for `DialContext` +type DialContextFunc func(ctx context.Context, network, addr string) (net.Conn, error) + +// WithDialContextMiddleware sets the `DialContext` function of the client +// transport with a new function returns from `fn`. An existing `DialContext` +// is passed into `fn` so the new function can act as a middleware by calling +// the old one. +func (h *HTTPRequest) WithDialContextMiddleware(fn func(next DialContextFunc) DialContextFunc) *HTTPRequest { oldTransport, ok := h.client.Transport.(*http.Transport) if !ok { h.chain.fail("invalid old transport address") return h } - newTransport := oldTransport.Clone() - newTransport.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) { - return dialer.DialContext(ctx, network, resolveAddr) + var nextDialContext DialContextFunc + if oldTransport.DialContext != nil { + nextDialContext = oldTransport.DialContext + } else { + dialer := &net.Dialer{ + Timeout: h.client.Timeout, + KeepAlive: h.client.Timeout, + DualStack: true, + } + nextDialContext = dialer.DialContext } + newTransport := oldTransport.Clone() + newTransport.DialContext = fn(nextDialContext) h.client.Transport = newTransport return h } diff --git a/test/e2e/settings/ssl_passthrough.go b/test/e2e/settings/ssl_passthrough.go index b10511bde4..2aa11eb070 100644 --- a/test/e2e/settings/ssl_passthrough.go +++ b/test/e2e/settings/ssl_passthrough.go @@ -27,10 +27,10 @@ import ( "github.com/stretchr/testify/assert" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/ingress-nginx/test/e2e/framework" + "k8s.io/ingress-nginx/test/e2e/framework/httpexpect" ) var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { @@ -75,114 +75,208 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { Status(http.StatusNotFound) }) - ginkgo.It("should pass unknown traffic to default backend and handle known traffic", func() { + ginkgo.Context("when handling traffic", func() { + var tlsConfig *tls.Config host := "testpassthrough.com" echoName := "echopass" + secretName := host + + ginkgo.BeforeEach(func() { + /* Even with enable-ssl-passthrough enabled, only annotated ingresses may receive the traffic */ + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/ssl-passthrough": "true", + } - /* Even with enable-ssl-passthrough enabled, only annotated ingresses may receive the traffic */ - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/ssl-passthrough": "true", - } - - ingressDef := framework.NewSingleIngressWithTLS(host, - "/", - host, - []string{host}, - f.Namespace, - echoName, - 80, - annotations) - tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet, - ingressDef.Spec.TLS[0].Hosts, - ingressDef.Spec.TLS[0].SecretName, - ingressDef.Namespace) - - volumeMount := []corev1.VolumeMount{ - { - Name: "certs", - ReadOnly: true, - MountPath: "/certs", - }, - } - volume := []corev1.Volume{ - { - Name: "certs", - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: ingressDef.Spec.TLS[0].SecretName, + ingressDef := framework.NewSingleIngress(host, + "/", + host, + f.Namespace, + echoName, + 80, + annotations) + var err error + tlsConfig, err = framework.CreateIngressTLSSecret(f.KubeClientSet, + []string{host}, + secretName, + ingressDef.Namespace) + + volumeMount := []corev1.VolumeMount{ + { + Name: "certs", + ReadOnly: true, + MountPath: "/certs", + }, + } + volume := []corev1.Volume{ + { + Name: "certs", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: secretName, + }, }, }, - }, - } - envs := []corev1.EnvVar{ - { - Name: "HTTPBUN_SSL_CERT", - Value: "/certs/tls.crt", - }, - { - Name: "HTTPBUN_SSL_KEY", - Value: "/certs/tls.key", - }, - } - - f.NewDeploymentWithOpts("echopass", - framework.HTTPBunImage, - 80, - 1, - nil, - nil, - envs, - volumeMount, - volume, - false) - - f.EnsureIngress(ingressDef) - - assert.Nil(ginkgo.GinkgoT(), err) - framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfig) - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, "listen 442") - }) + } + envs := []corev1.EnvVar{ + { + Name: "HTTPBUN_SSL_CERT", + Value: "/certs/tls.crt", + }, + { + Name: "HTTPBUN_SSL_KEY", + Value: "/certs/tls.key", + }, + } - /* This one should not receive traffic as it does not contain passthrough annotation */ - hostBad := "noannotationnopassthrough.com" - ingBad := f.EnsureIngress(framework.NewSingleIngressWithTLS(hostBad, - "/", - hostBad, - []string{hostBad}, - f.Namespace, - echoName, - 80, - nil)) - tlsConfigBad, err := framework.CreateIngressTLSSecret(f.KubeClientSet, - ingBad.Spec.TLS[0].Hosts, - ingBad.Spec.TLS[0].SecretName, - ingBad.Namespace) - assert.Nil(ginkgo.GinkgoT(), err) - framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfigBad) - - f.WaitForNginxServer(hostBad, - func(server string) bool { - return strings.Contains(server, "listen 442") + f.NewDeploymentWithOpts("echopass", + framework.HTTPBunImage, + 80, + 1, + nil, + nil, + envs, + volumeMount, + volume, + false) + + f.EnsureIngress(ingressDef) + + assert.Nil(ginkgo.GinkgoT(), err) + framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfig) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, "listen 442") + }) + }) + + ginkgo.It("should pass unknown traffic to default backend and handle known traffic", func() { + /* This one should not receive traffic as it does not contain passthrough annotation */ + hostBad := "noannotationnopassthrough.com" + ingBad := f.EnsureIngress(framework.NewSingleIngressWithTLS(hostBad, + "/", + hostBad, + []string{hostBad}, + f.Namespace, + echoName, + 80, + nil)) + tlsConfigBad, err := framework.CreateIngressTLSSecret(f.KubeClientSet, + ingBad.Spec.TLS[0].Hosts, + ingBad.Spec.TLS[0].SecretName, + ingBad.Namespace) + assert.Nil(ginkgo.GinkgoT(), err) + framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfigBad) + + f.WaitForNginxServer(hostBad, + func(server string) bool { + return strings.Contains(server, "listen 442") + }) + + //nolint:gosec // Ignore the gosec error in testing + f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). + GET("/"). + WithURL("https://"+net.JoinHostPort(host, "443")). + ForceResolve(f.GetNginxIP(), 443). + Expect(). + Status(http.StatusOK) + + //nolint:gosec // Ignore the gosec error in testing + f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: hostBad, InsecureSkipVerify: true}). + GET("/"). + WithURL("https://"+net.JoinHostPort(hostBad, "443")). + ForceResolve(f.GetNginxIP(), 443). + Expect(). + Status(http.StatusNotFound) + + //nolint:gosec // Ignore the gosec error in testing + f.HTTPTestClientWithTLSConfig(tlsConfig). + GET("/"). + WithURL("https://"+net.JoinHostPort(host, "443")). + ForceResolve(f.GetNginxIP(), 443). + Expect(). + Status(http.StatusOK) + + //nolint:gosec // Ignore the gosec error in testing + f.HTTPTestClientWithTLSConfig(tlsConfigBad). + GET("/"). + WithURL("https://"+net.JoinHostPort(hostBad, "443")). + ForceResolve(f.GetNginxIP(), 443). + Expect(). + Status(http.StatusNotFound) + }) + + ginkgo.Context("on throttled connections", func() { + throttleMiddleware := func(next httpexpect.DialContextFunc) httpexpect.DialContextFunc { + return func(ctx context.Context, network, addr string) (net.Conn, error) { + // Wrap the connection with a throttled writer to simulate real + // world traffic where streaming data may arrive in chunks + conn, err := next(ctx, network, addr) + return &writeThrottledConn{ + Conn: conn, + chunkSize: 50, + }, err + } + } + tries := 3 + + ginkgo.It("should handle known traffic without Host header", func() { + for i := 0; i < tries; i++ { + //nolint:gosec // Ignore the gosec error in testing + f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). + GET("/"). + WithURL("https://"+net.JoinHostPort(host, "443")). + ForceResolve(f.GetNginxIP(), 443). + WithDialContextMiddleware(throttleMiddleware). + Expect(). + Status(http.StatusOK) + } }) - //nolint:gosec // Ignore the gosec error in testing - f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). - GET("/"). - WithURL("https://"+net.JoinHostPort(host, "443")). - ForceResolve(f.GetNginxIP(), 443). - Expect(). - Status(http.StatusOK) + ginkgo.It("should handle known traffic with Host header", func() { + for i := 0; i < tries; i++ { + //nolint:gosec // Ignore the gosec error in testing + f.HTTPTestClientWithTLSConfig(tlsConfig). + GET("/"). + WithURL("https://"+net.JoinHostPort(host, "443")). + WithHeader("Host", host). + ForceResolve(f.GetNginxIP(), 443). + WithDialContextMiddleware(throttleMiddleware). + Expect(). + Status(http.StatusOK) + } + }) - //nolint:gosec // Ignore the gosec error in testing - f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: hostBad, InsecureSkipVerify: true}). - GET("/"). - WithURL("https://"+net.JoinHostPort(hostBad, "443")). - ForceResolve(f.GetNginxIP(), 443). - Expect(). - Status(http.StatusNotFound) + ginkgo.It("should handle insecure traffic with Host header", func() { + for i := 0; i < tries; i++ { + //nolint:gosec // Ignore the gosec error in testing + f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). + GET("/"). + WithURL("https://"+net.JoinHostPort(host, "443")). + WithHeader("Host", host). + ForceResolve(f.GetNginxIP(), 443). + WithDialContextMiddleware(throttleMiddleware). + Expect(). + Status(http.StatusOK) + } + }) + }) }) }) }) + +type writeThrottledConn struct { + net.Conn + chunkSize int +} + +// Write writes data to the connection `chunkSize` bytes (or less) at a time. +func (c *writeThrottledConn) Write(b []byte) (n int, err error) { + for i := 0; i < len(b); i += c.chunkSize { + n, err := c.Conn.Write(b[i:min(i+c.chunkSize, len(b))]) + if err != nil { + return i + n, err + } + } + return len(b), nil +} From 7b79029048d453f87985bc5d470264bd4bd55a8d Mon Sep 17 00:00:00 2001 From: Chotiwat Chawannakul Date: Fri, 16 Feb 2024 01:56:17 -0800 Subject: [PATCH 3/7] fix lint --- test/e2e/settings/ssl_passthrough.go | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/test/e2e/settings/ssl_passthrough.go b/test/e2e/settings/ssl_passthrough.go index 2aa11eb070..51a64991a0 100644 --- a/test/e2e/settings/ssl_passthrough.go +++ b/test/e2e/settings/ssl_passthrough.go @@ -78,6 +78,7 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { ginkgo.Context("when handling traffic", func() { var tlsConfig *tls.Config host := "testpassthrough.com" + url := "https://" + net.JoinHostPort(host, "443") echoName := "echopass" secretName := host @@ -153,6 +154,7 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { ginkgo.It("should pass unknown traffic to default backend and handle known traffic", func() { /* This one should not receive traffic as it does not contain passthrough annotation */ hostBad := "noannotationnopassthrough.com" + urlBad := "https://" + net.JoinHostPort(hostBad, "443") ingBad := f.EnsureIngress(framework.NewSingleIngressWithTLS(hostBad, "/", hostBad, @@ -173,34 +175,30 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { return strings.Contains(server, "listen 442") }) - //nolint:gosec // Ignore the gosec error in testing f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). GET("/"). - WithURL("https://"+net.JoinHostPort(host, "443")). + WithURL(url). ForceResolve(f.GetNginxIP(), 443). Expect(). Status(http.StatusOK) - //nolint:gosec // Ignore the gosec error in testing f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: hostBad, InsecureSkipVerify: true}). GET("/"). - WithURL("https://"+net.JoinHostPort(hostBad, "443")). + WithURL(urlBad). ForceResolve(f.GetNginxIP(), 443). Expect(). Status(http.StatusNotFound) - //nolint:gosec // Ignore the gosec error in testing f.HTTPTestClientWithTLSConfig(tlsConfig). GET("/"). - WithURL("https://"+net.JoinHostPort(host, "443")). + WithURL(url). ForceResolve(f.GetNginxIP(), 443). Expect(). Status(http.StatusOK) - //nolint:gosec // Ignore the gosec error in testing f.HTTPTestClientWithTLSConfig(tlsConfigBad). GET("/"). - WithURL("https://"+net.JoinHostPort(hostBad, "443")). + WithURL(urlBad). ForceResolve(f.GetNginxIP(), 443). Expect(). Status(http.StatusNotFound) @@ -222,10 +220,9 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { ginkgo.It("should handle known traffic without Host header", func() { for i := 0; i < tries; i++ { - //nolint:gosec // Ignore the gosec error in testing f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). GET("/"). - WithURL("https://"+net.JoinHostPort(host, "443")). + WithURL(url). ForceResolve(f.GetNginxIP(), 443). WithDialContextMiddleware(throttleMiddleware). Expect(). @@ -235,10 +232,9 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { ginkgo.It("should handle known traffic with Host header", func() { for i := 0; i < tries; i++ { - //nolint:gosec // Ignore the gosec error in testing f.HTTPTestClientWithTLSConfig(tlsConfig). GET("/"). - WithURL("https://"+net.JoinHostPort(host, "443")). + WithURL(url). WithHeader("Host", host). ForceResolve(f.GetNginxIP(), 443). WithDialContextMiddleware(throttleMiddleware). @@ -249,10 +245,9 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { ginkgo.It("should handle insecure traffic with Host header", func() { for i := 0; i < tries; i++ { - //nolint:gosec // Ignore the gosec error in testing f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). GET("/"). - WithURL("https://"+net.JoinHostPort(host, "443")). + WithURL(url). WithHeader("Host", host). ForceResolve(f.GetNginxIP(), 443). WithDialContextMiddleware(throttleMiddleware). From 0d80011edae9e0806aebaa1210448ceb39a5e5ae Mon Sep 17 00:00:00 2001 From: Chotiwat Chawannakul Date: Fri, 16 Feb 2024 02:00:38 -0800 Subject: [PATCH 4/7] fix tests --- test/e2e/settings/ssl_passthrough.go | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/test/e2e/settings/ssl_passthrough.go b/test/e2e/settings/ssl_passthrough.go index 51a64991a0..bde53c557d 100644 --- a/test/e2e/settings/ssl_passthrough.go +++ b/test/e2e/settings/ssl_passthrough.go @@ -175,6 +175,7 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { return strings.Contains(server, "listen 442") }) + //nolint:gosec // Ignore the gosec error in testing f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). GET("/"). WithURL(url). @@ -182,6 +183,7 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { Expect(). Status(http.StatusOK) + //nolint:gosec // Ignore the gosec error in testing f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: hostBad, InsecureSkipVerify: true}). GET("/"). WithURL(urlBad). @@ -220,6 +222,19 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { ginkgo.It("should handle known traffic without Host header", func() { for i := 0; i < tries; i++ { + f.HTTPTestClientWithTLSConfig(tlsConfig). + GET("/"). + WithURL(url). + ForceResolve(f.GetNginxIP(), 443). + WithDialContextMiddleware(throttleMiddleware). + Expect(). + Status(http.StatusOK) + } + }) + + ginkgo.It("should handle insecure traffic without Host header", func() { + for i := 0; i < tries; i++ { + //nolint:gosec // Ignore the gosec error in testing f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). GET("/"). WithURL(url). @@ -245,6 +260,7 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { ginkgo.It("should handle insecure traffic with Host header", func() { for i := 0; i < tries; i++ { + //nolint:gosec // Ignore the gosec error in testing f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). GET("/"). WithURL(url). From d344404577878e124c5c8fbae46207bfa6aea868 Mon Sep 17 00:00:00 2001 From: Chotiwat Chawannakul Date: Fri, 16 Feb 2024 02:24:33 -0800 Subject: [PATCH 5/7] use MustPassRepeatedly --- test/e2e/settings/ssl_passthrough.go | 80 +++++++++++++--------------- 1 file changed, 36 insertions(+), 44 deletions(-) diff --git a/test/e2e/settings/ssl_passthrough.go b/test/e2e/settings/ssl_passthrough.go index bde53c557d..2421d4a906 100644 --- a/test/e2e/settings/ssl_passthrough.go +++ b/test/e2e/settings/ssl_passthrough.go @@ -220,56 +220,48 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { } tries := 3 - ginkgo.It("should handle known traffic without Host header", func() { - for i := 0; i < tries; i++ { - f.HTTPTestClientWithTLSConfig(tlsConfig). - GET("/"). - WithURL(url). - ForceResolve(f.GetNginxIP(), 443). - WithDialContextMiddleware(throttleMiddleware). - Expect(). - Status(http.StatusOK) - } + ginkgo.It("should handle known traffic without Host header", ginkgo.MustPassRepeatedly(tries), func() { + f.HTTPTestClientWithTLSConfig(tlsConfig). + GET("/"). + WithURL(url). + ForceResolve(f.GetNginxIP(), 443). + WithDialContextMiddleware(throttleMiddleware). + Expect(). + Status(http.StatusOK) }) - ginkgo.It("should handle insecure traffic without Host header", func() { - for i := 0; i < tries; i++ { - //nolint:gosec // Ignore the gosec error in testing - f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). - GET("/"). - WithURL(url). - ForceResolve(f.GetNginxIP(), 443). - WithDialContextMiddleware(throttleMiddleware). - Expect(). - Status(http.StatusOK) - } + ginkgo.It("should handle insecure traffic without Host header", ginkgo.MustPassRepeatedly(tries), func() { + //nolint:gosec // Ignore the gosec error in testing + f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). + GET("/"). + WithURL(url). + ForceResolve(f.GetNginxIP(), 443). + WithDialContextMiddleware(throttleMiddleware). + Expect(). + Status(http.StatusOK) }) - ginkgo.It("should handle known traffic with Host header", func() { - for i := 0; i < tries; i++ { - f.HTTPTestClientWithTLSConfig(tlsConfig). - GET("/"). - WithURL(url). - WithHeader("Host", host). - ForceResolve(f.GetNginxIP(), 443). - WithDialContextMiddleware(throttleMiddleware). - Expect(). - Status(http.StatusOK) - } + ginkgo.It("should handle known traffic with Host header", ginkgo.MustPassRepeatedly(tries), func() { + f.HTTPTestClientWithTLSConfig(tlsConfig). + GET("/"). + WithURL(url). + WithHeader("Host", host). + ForceResolve(f.GetNginxIP(), 443). + WithDialContextMiddleware(throttleMiddleware). + Expect(). + Status(http.StatusOK) }) - ginkgo.It("should handle insecure traffic with Host header", func() { - for i := 0; i < tries; i++ { - //nolint:gosec // Ignore the gosec error in testing - f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). - GET("/"). - WithURL(url). - WithHeader("Host", host). - ForceResolve(f.GetNginxIP(), 443). - WithDialContextMiddleware(throttleMiddleware). - Expect(). - Status(http.StatusOK) - } + ginkgo.It("should handle insecure traffic with Host header", ginkgo.MustPassRepeatedly(tries), func() { + //nolint:gosec // Ignore the gosec error in testing + f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). + GET("/"). + WithURL(url). + WithHeader("Host", host). + ForceResolve(f.GetNginxIP(), 443). + WithDialContextMiddleware(throttleMiddleware). + Expect(). + Status(http.StatusOK) }) }) }) From 2794f56c0ab66f88137a0907c2ce9847102ea7b1 Mon Sep 17 00:00:00 2001 From: Chotiwat Chawannakul Date: Fri, 16 Feb 2024 15:09:07 -0800 Subject: [PATCH 6/7] Revert "use MustPassRepeatedly" This reverts commit d344404577878e124c5c8fbae46207bfa6aea868. --- test/e2e/settings/ssl_passthrough.go | 80 +++++++++++++++------------- 1 file changed, 44 insertions(+), 36 deletions(-) diff --git a/test/e2e/settings/ssl_passthrough.go b/test/e2e/settings/ssl_passthrough.go index 2421d4a906..bde53c557d 100644 --- a/test/e2e/settings/ssl_passthrough.go +++ b/test/e2e/settings/ssl_passthrough.go @@ -220,48 +220,56 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { } tries := 3 - ginkgo.It("should handle known traffic without Host header", ginkgo.MustPassRepeatedly(tries), func() { - f.HTTPTestClientWithTLSConfig(tlsConfig). - GET("/"). - WithURL(url). - ForceResolve(f.GetNginxIP(), 443). - WithDialContextMiddleware(throttleMiddleware). - Expect(). - Status(http.StatusOK) + ginkgo.It("should handle known traffic without Host header", func() { + for i := 0; i < tries; i++ { + f.HTTPTestClientWithTLSConfig(tlsConfig). + GET("/"). + WithURL(url). + ForceResolve(f.GetNginxIP(), 443). + WithDialContextMiddleware(throttleMiddleware). + Expect(). + Status(http.StatusOK) + } }) - ginkgo.It("should handle insecure traffic without Host header", ginkgo.MustPassRepeatedly(tries), func() { - //nolint:gosec // Ignore the gosec error in testing - f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). - GET("/"). - WithURL(url). - ForceResolve(f.GetNginxIP(), 443). - WithDialContextMiddleware(throttleMiddleware). - Expect(). - Status(http.StatusOK) + ginkgo.It("should handle insecure traffic without Host header", func() { + for i := 0; i < tries; i++ { + //nolint:gosec // Ignore the gosec error in testing + f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). + GET("/"). + WithURL(url). + ForceResolve(f.GetNginxIP(), 443). + WithDialContextMiddleware(throttleMiddleware). + Expect(). + Status(http.StatusOK) + } }) - ginkgo.It("should handle known traffic with Host header", ginkgo.MustPassRepeatedly(tries), func() { - f.HTTPTestClientWithTLSConfig(tlsConfig). - GET("/"). - WithURL(url). - WithHeader("Host", host). - ForceResolve(f.GetNginxIP(), 443). - WithDialContextMiddleware(throttleMiddleware). - Expect(). - Status(http.StatusOK) + ginkgo.It("should handle known traffic with Host header", func() { + for i := 0; i < tries; i++ { + f.HTTPTestClientWithTLSConfig(tlsConfig). + GET("/"). + WithURL(url). + WithHeader("Host", host). + ForceResolve(f.GetNginxIP(), 443). + WithDialContextMiddleware(throttleMiddleware). + Expect(). + Status(http.StatusOK) + } }) - ginkgo.It("should handle insecure traffic with Host header", ginkgo.MustPassRepeatedly(tries), func() { - //nolint:gosec // Ignore the gosec error in testing - f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). - GET("/"). - WithURL(url). - WithHeader("Host", host). - ForceResolve(f.GetNginxIP(), 443). - WithDialContextMiddleware(throttleMiddleware). - Expect(). - Status(http.StatusOK) + ginkgo.It("should handle insecure traffic with Host header", func() { + for i := 0; i < tries; i++ { + //nolint:gosec // Ignore the gosec error in testing + f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). + GET("/"). + WithURL(url). + WithHeader("Host", host). + ForceResolve(f.GetNginxIP(), 443). + WithDialContextMiddleware(throttleMiddleware). + Expect(). + Status(http.StatusOK) + } }) }) }) From 052643e1cf333cea72bb5405642c234642ca335d Mon Sep 17 00:00:00 2001 From: Chotiwat Chawannakul Date: Fri, 16 Feb 2024 15:36:10 -0800 Subject: [PATCH 7/7] make chunkSize < len(host) and remove retries --- test/e2e/settings/ssl_passthrough.go | 75 ++++++++++++---------------- 1 file changed, 33 insertions(+), 42 deletions(-) diff --git a/test/e2e/settings/ssl_passthrough.go b/test/e2e/settings/ssl_passthrough.go index bde53c557d..75f50e4aac 100644 --- a/test/e2e/settings/ssl_passthrough.go +++ b/test/e2e/settings/ssl_passthrough.go @@ -214,62 +214,53 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { conn, err := next(ctx, network, addr) return &writeThrottledConn{ Conn: conn, - chunkSize: 50, + chunkSize: len(host) / 3, }, err } } - tries := 3 ginkgo.It("should handle known traffic without Host header", func() { - for i := 0; i < tries; i++ { - f.HTTPTestClientWithTLSConfig(tlsConfig). - GET("/"). - WithURL(url). - ForceResolve(f.GetNginxIP(), 443). - WithDialContextMiddleware(throttleMiddleware). - Expect(). - Status(http.StatusOK) - } + f.HTTPTestClientWithTLSConfig(tlsConfig). + GET("/"). + WithURL(url). + ForceResolve(f.GetNginxIP(), 443). + WithDialContextMiddleware(throttleMiddleware). + Expect(). + Status(http.StatusOK) }) ginkgo.It("should handle insecure traffic without Host header", func() { - for i := 0; i < tries; i++ { - //nolint:gosec // Ignore the gosec error in testing - f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). - GET("/"). - WithURL(url). - ForceResolve(f.GetNginxIP(), 443). - WithDialContextMiddleware(throttleMiddleware). - Expect(). - Status(http.StatusOK) - } + //nolint:gosec // Ignore the gosec error in testing + f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). + GET("/"). + WithURL(url). + ForceResolve(f.GetNginxIP(), 443). + WithDialContextMiddleware(throttleMiddleware). + Expect(). + Status(http.StatusOK) }) ginkgo.It("should handle known traffic with Host header", func() { - for i := 0; i < tries; i++ { - f.HTTPTestClientWithTLSConfig(tlsConfig). - GET("/"). - WithURL(url). - WithHeader("Host", host). - ForceResolve(f.GetNginxIP(), 443). - WithDialContextMiddleware(throttleMiddleware). - Expect(). - Status(http.StatusOK) - } + f.HTTPTestClientWithTLSConfig(tlsConfig). + GET("/"). + WithURL(url). + WithHeader("Host", host). + ForceResolve(f.GetNginxIP(), 443). + WithDialContextMiddleware(throttleMiddleware). + Expect(). + Status(http.StatusOK) }) ginkgo.It("should handle insecure traffic with Host header", func() { - for i := 0; i < tries; i++ { - //nolint:gosec // Ignore the gosec error in testing - f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). - GET("/"). - WithURL(url). - WithHeader("Host", host). - ForceResolve(f.GetNginxIP(), 443). - WithDialContextMiddleware(throttleMiddleware). - Expect(). - Status(http.StatusOK) - } + //nolint:gosec // Ignore the gosec error in testing + f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). + GET("/"). + WithURL(url). + WithHeader("Host", host). + ForceResolve(f.GetNginxIP(), 443). + WithDialContextMiddleware(throttleMiddleware). + Expect(). + Status(http.StatusOK) }) }) })