Test traefik with kubernetes.ingress.localhost-only #5151
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
bats/tests/k8s/traefik.bats
Outdated
| try --max 30 --delay 10 curl_exe --head --insecure "https://localhost:443" | ||
| assert_success | ||
| assert_output --regexp 'HTTP/[0-9.]* 404' | ||
| # traefik should not be accessible on other interfacec |
Check failure
Code scanning / check-spelling
Unrecognized Spelling
Nino-K
force-pushed
the
add-bats-traefik-test
branch
2 times, most recently
from
ae0c61c
to
fc8ca34
Compare
Nino-K
force-pushed
the
add-bats-traefik-test
branch
4 times, most recently
from
07d669c
to
02a6509
Compare
bats/tests/k8s/traefik.bats
Outdated
| curl_exe_http_traefik() { | ||
| local HTTP_URL=$1 | ||
| try --max 30 --delay 10 curl.exe --head "$HTTP_URL" | ||
| assert_success | ||
| assert_output --regexp 'HTTP/[0-9.]* 404' | ||
| } |
There was a problem hiding this comment.
You could generalize this slightly and get rid of curl_exe_https_traefik:
| curl_exe_http_traefik() { | |
| local HTTP_URL=$1 | |
| try --max 30 --delay 10 curl.exe --head "$HTTP_URL" | |
| assert_success | |
| assert_output --regexp 'HTTP/[0-9.]* 404' | |
| } | |
| curl_exe_traefik() { | |
| try --max 30 --delay 10 curl.exe --head "$@" | |
| assert_success | |
| assert_output --regexp 'HTTP/[0-9.]* 404' | |
| } |
And then call it:
curl_exe_traefik "http://$(wsl_ip):80"
curl_exe_traefik --insecure "https://$(wsl_ip):443"
bats/tests/k8s/traefik.bats
Outdated
| run try --max 30 --delay 10 curl --head "http://localhost:80" | ||
| assert_success | ||
| assert_output --regexp 'HTTP/[0-9.]* 404' | ||
| run try --max 30 --delay 10 curl --head --insecure "https://$(get_host):443" | ||
| run try --max 30 --delay 10 curl --head --insecure "https://localhost:443" | ||
| assert_success | ||
| assert_output --regexp 'HTTP/[0-9.]* 404' |
There was a problem hiding this comment.
Wouldn't all this turn into:
curl_exe_traefik "http://localhost:80"
curl_exe_traefik --insecure "https://localhost:443"
There was a problem hiding this comment.
That one is calling curl, basically, curl from inside the distro.
bats/tests/k8s/traefik.bats
Outdated
| wait_for_apiserver | ||
| # Check if the traefik pods come up | ||
| try --max 30 --delay 10 assert_traefik_pods_are_up | ||
| assert_success |
There was a problem hiding this comment.
You don't need assert_success because you did't use run.
bats/tests/k8s/traefik.bats
Outdated
|
|
||
| # traefik should not be accessible on other interface | ||
| run curl.exe --head "http://$(wsl_ip):80" | ||
| assert_output --partial "Couldn't connect to server" |
There was a problem hiding this comment.
I can't make up my mind if there should be an assert_success before testing $output, but I guess it doesn't matter, as we don't test how curl itself behaves.
Nino-K
force-pushed
the
add-bats-traefik-test
branch
from
02a6509
to
1486a30
Compare
bats/tests/k8s/traefik.bats
Outdated
| try --max 30 --delay 10 assert_traefik_pods_are_up | ||
| } | ||
|
|
||
| @test 'curl traefik endpoints from Windows Host while kubernetes.ingress.localhost-only is true' { |
There was a problem hiding this comment.
This test needs a if ! is_windows check
Nino-K
force-pushed
the
add-bats-traefik-test
branch
3 times, most recently
from
a784566
to
6a628f1
Compare
| @@ -45,18 +41,15 @@ assert_traefik_pods_are_down() { | |||
| } | |||
|
|
|||
| assert_traefik_pods_are_up() { | |||
| run kubectl get --all-namespaces pods | |||
| ip_regex="^([0-9]{1,3}\.){3}[0-9]{1,3}$" | |||
| run kubectl -n kube-system get service traefik -o jsonpath="{.status.loadBalancer.ingress[0].ip}" | |||
There was a problem hiding this comment.
Probably should be followed by assert_success. The regex match would fail anyways, but I think it would be clearer to show that kubectl itself failed.
Nino-K
force-pushed
the
add-bats-traefik-test
branch
from
6a628f1
to
55190b6
Compare
There was a problem hiding this comment.
The test seems to hang indefinitely on Windows with RD_USE_NETWORKING_TUNNEL=1 RD_USE_WINDOWS_EXE=0:
✗ start k8s
(from function `assert' in file bats-assert/src/assert.bash, line 40,
from function `wait_for_apiserver' in file tests/helpers/kubernetes.bash, line 6,
in test file tests/k8s/traefik.bats, line 83)
`wait_for_apiserver' failed
time="2023-08-01T15:26:36-07:00" level=info msg="About to launch C:\\Program Files\\Rancher Desktop\\Rancher Desktop.exe --application.debug=true --application.updater.enabled=false --containerEngine.name containerd --kubernetes.version 1.22.7 --kubernetes.enabled=true --kubernetes.options.traefik=true --experimental.virtualMachine.networkingTunnel=true ...\n"
(node:4652) [DEP0123] DeprecationWarning: Setting the TLS ServerName to an IP address is not permitted by RFC 6066. This will be ignored in a future version.
(Use `Rancher Desktop --trace-deprecation ...` to show where the warning was created)
-- assertion failed --
expression : [ 1690929396 -lt 1690929396 ]
--
If the tests are not (yet) expected to work in this combination, then they should be skipped.
Other than this, everything looks fine.
This combination needs to be skipped or cannot run right now due to the wsl integration. The |
Signed-off-by: Nino Kodabande <nkodabande@suse.com>
Nino-K
force-pushed
the
add-bats-traefik-test
branch
from
55190b6
to
6062685
Compare
ericpromislow
dismissed
jandubois’s stale review
The test now skips when RD_USE_NETWORKING_TUNNEL=1 and RD_USE_WINDOWS_EXE=0
Adds additional tests to test the
kubernetes.ingress.localhost-onlysetting.