Add connectivity tests for auth #1505
Conversation
|
Commit b501de8 does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
meyskens
force-pushed
the
meyskens/mtls-e2e
branch
from
b501de8
to
89a84e6
Compare
|
Commit b501de8 does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
meyskens
force-pushed
the
meyskens/mtls-e2e
branch
from
89a84e6
to
ac518d3
Compare
|
Commit b501de8 does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
There was a problem hiding this comment.
LGTM ✔️, I don't think there is any dependency to merge this PR in as the feature requirement is in place.
$ cilium connectivity test --test auth
...
[=] Test [echo-ingress-auth-always-fail]
........
[=] Test [echo-ingress-auth-mtls-spiffe]
........
[=] Skipping Test [dns-only]
[=] Skipping Test [to-fqdns]
✅ All 2 tests (16 actions) successful, 35 tests skipped, 0 scenarios skipped.
sayboras
added
area/servicemesh
There was a problem hiding this comment.
CI failures look related:
Running test echo-ingress-auth-always-fail: setting up test: applying network policies: policy application failed: CiliumNetworkPolicy.cilium.io "auth-ingress-fail" is invalid: spec.ingress[0].auth.type: Unsupported value: "always-fail": supported values: "null"
https://github.com/cilium/cilium-cli/actions/runs/4677138302/jobs/8284385441?pr=1505
CI is still running with Cilium v1.13 and we want keep supporting the Cilium versions listed in https://github.com/cilium/cilium-cli/blob/master/README.md#releases (i.e. Cilium ≥ 1.11).
meyskens
force-pushed
the
meyskens/mtls-e2e
branch
from
ac518d3
to
9819445
Compare
meyskens
force-pushed
the
meyskens/mtls-e2e
branch
from
9819445
to
dd5a796
Compare
meyskens
force-pushed
the
meyskens/mtls-e2e
branch
from
dd5a796
to
272f8c6
Compare
meyskens
force-pushed
the
meyskens/mtls-e2e
branch
from
272f8c6
to
2321f8b
Compare
This adds tests to validate that the auth handling in policy is working. These tests will only run on clusters with auth enabled on Cilium v1.14.0+. It uses the always-fail type to test the fail case. It will also perfom a successful test run with mTLS-SPIFFE when enabled. Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>
meyskens
force-pushed
the
meyskens/mtls-e2e
branch
from
2321f8b
to
e484ca8
Compare
|
(sorry forgot to push my yubikey so i thought the push worked but it didn't) |
This adds tests to validate that the auth handling in policy is working. It uses the always-fail type to test the fail case. If mTLS-SPIFFE is enabled in the cluster it will also perfom a successful test run with mTLS enabled.
The auth-fail tests will be able to run against
masterof cilium, the mTLS tests can be enabled in installation once cilium/cilium#24765 is merged