Add aditional mutual auth tests

This adds two new mutual auth tests. The first one is a test for an L7 policy with mutual auth enabled. The second one is a normal traffic tests but with an egress policy. Signed-off-by: Maartje Eyskens <[email protected]>
cilium · Oct 25, 2023 · 32199fe · 32199fe
1 parent 0245001
commit 32199fe
Show file tree

Hide file tree

Showing 3 changed files with 87 additions and 0 deletions.
diff --git a/connectivity/manifests/echo-egress-mutual-authentication.yaml b/connectivity/manifests/echo-egress-mutual-authentication.yaml
@@ -0,0 +1,19 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: echo-egress-mutual-authentication
+spec:
+  description: "Allow other client to contact echo after mutual authentication"
+  endpointSelector:
+    matchLabels:
+      kind: client
+  egress:
+  - toEndpoints:
+    - matchLabels:
+        kind: echo
+    toPorts:
+    - ports:
+      - port: "8080"
+        protocol: TCP
+    authentication:
+      mode: required
diff --git a/connectivity/manifests/echo-ingress-l7-http-mutual-auth.yaml b/connectivity/manifests/echo-ingress-l7-http-mutual-auth.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: echo-ingress-l7-http
+spec:
+  description: "Allow other client to GET on echo"
+  endpointSelector:
+    matchLabels:
+      kind: echo
+  ingress:
+  # Only allow 'other' client to make a GET /public requests.
+  # Allow GET /private' only if a particular HTTP header is set.
+  # Disallow L3 traffic for now, flow matcher doesn't yet support L7 drops.
+  - fromEndpoints:
+    - matchLabels:
+        other: client
+    toPorts:
+    - ports:
+      - port: "8080"
+        protocol: TCP
+      rules:
+        http:
+        - method: "GET"
+          path: "/$"
+        - method: "GET"
+          path: "/public$"
+        - method: "GET"
+          path: "/private$"
+          headers:
+          - "X-Very-Secret-Token: 42"
+    authentication:
+      mode: required
diff --git a/connectivity/suite.go b/connectivity/suite.go
@@ -140,6 +140,9 @@ var (
 	//go:embed manifests/echo-ingress-l7-http.yaml
 	echoIngressL7HTTPPolicyYAML string
 
+	//go:embed manifests/echo-ingress-l7-http-mutual-auth.yaml
+	echoIngressL7HTTPMutualAuthPolicyYAML string
+
 	//go:embed manifests/echo-ingress-l7-http-from-anywhere.yaml
 	echoIngressL7HTTPFromAnywherePolicyYAML string
 
@@ -161,6 +164,9 @@ var (
 	//go:embed manifests/echo-ingress-mutual-authentication.yaml
 	echoIngressMutualAuthPolicyYAML string
 
+	//go:embed manifests/echo-egress-mutual-authentication.yaml
+	echoEgressMutualAuthPolicyYAML string
+
 	//go:embed manifests/egress-gateway-policy.yaml
 	egressGatewayPolicyYAML string
 
@@ -828,6 +834,29 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, addExtraTests func(*ch
 			return check.ResultDrop, check.ResultDefaultDenyIngressDrop
 		})
 
+	ct.NewTest("echo-ingress-l7-mutual-auth").
+		WithFeatureRequirements(features.RequireEnabled(features.L7Proxy), features.RequireEnabled(features.AuthSpiffe)).
+		WithCiliumPolicy(echoIngressL7HTTPMutualAuthPolicyYAML). // L7 allow policy with HTTP introspection
+		WithScenarios(
+			tests.PodToPodWithEndpoints(),
+		).
+		WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
+			if a.Source().HasLabel("other", "client") { // Only client2 is allowed to make HTTP calls.
+				// Trying to access private endpoint without "secret" header set
+				// should lead to a drop.
+				if a.Destination().Path() == "/private" && !a.Destination().HasLabel("X-Very-Secret-Token", "42") {
+					return check.ResultDropCurlHTTPError, check.ResultNone
+				}
+				egress = check.ResultOK
+				// Expect all curls from client2 to be proxied and to be GET calls.
+				egress.HTTP = check.HTTP{
+					Method: "GET",
+				}
+				return egress, check.ResultNone
+			}
+			return check.ResultDrop, check.ResultDefaultDenyIngressDrop
+		})
+
 	// Test L7 HTTP introspection using an ingress policy on echo pods.
 	ct.NewTest("echo-ingress-l7-named-port").
 		WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)).
@@ -1007,6 +1036,12 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, addExtraTests func(*ch
 			tests.PodToPod(),
 		)
 
+	ct.NewTest("echo-egress-mutual-auth-spiffe").WithCiliumPolicy(echoEgressMutualAuthPolicyYAML).
+		WithFeatureRequirements(features.RequireEnabled(features.AuthSpiffe)).
+		WithScenarios(
+			tests.PodToPod(),
+		)
+
 	// Test Ingress controller
 	ct.NewTest("pod-to-ingress-service").
 		WithFeatureRequirements(features.RequireEnabled(features.IngressController)).