TestHTTPS tests the use of unsigned certs with Tempo. Due to this we run the special "internal server" on port 3201, which requires us to pass a custom readiness probe. Additionally we have to create a custom API client that uses HTTPS but doesn't validate the certs. Finally note that we actually push over an unencrypted connection, using the default harness functions.
(t *testing.T)
// TestHTTPS runs the integration harness against a Tempo whose API is served
// over TLS with unsigned certs.
//
// Readiness is checked against the "internal server" on port 3201 rather than
// the TLS-enabled API port. Queries go through an HTTPS API client and a gRPC
// client that both skip certificate verification.
//
// Trace ingestion still goes over an unencrypted connection through the default
// harness functions. This works because the TLS configuration for ingestion is
// set through the OTEL receiver config.
func TestHTTPS(t *testing.T) {
	certs := setupCertificates(t)

	harnessCfg := util.TestHarnessConfig{
		ConfigOverlay: configHTTPS,
		// Port 3201 is added to the services by the service creation code in
		// ../util/services.go, so the stock HTTP probe can be used here. A
		// custom readiness probe would be an alternative.
		ReadinessProbe: e2e.NewHTTPReadinessProbe(3201, "/ready", 200, 299),
		PreStartHook: func(s *e2e.Scenario, _ map[string]any) error {
			// Place the server certificate, its private key and the CA
			// certificate in the scenario's shared dir under fixed names.
			// NOTE(review): the key is presumably throwaway test material
			// produced by setupCertificates; confirm it is never reused.
			require.NoError(t, util.CopyFileToSharedDir(s, certs.ServerCertFile, "tls.crt"))
			require.NoError(t, util.CopyFileToSharedDir(s, certs.ServerKeyFile, "tls.key"))
			require.NoError(t, util.CopyFileToSharedDir(s, certs.CaCertFile, "ca.crt"))

			return nil
		},
	}

	util.RunIntegrationTests(t, harnessCfg, func(h *util.TempoHarness) {
		const (
			partitionActive = `tempo_partition_ring_partitions{name="livestore-partitions",state="Active"} 1`
			traceCreated    = `tempo_live_store_traces_created_total{tenant="single-tenant"} 1`
		)

		// Block until the distributor reports an active partition, i.e.
		// traces can be written.
		distributor := h.Services[util.ServiceDistributor]
		require.True(t, scrapeMetrics(t, distributor, tempoPort, partitionActive))

		// Push one trace through the default (unencrypted) harness writer.
		info := tempoUtil.NewTraceInfo(time.Now(), "")
		require.NoError(t, h.WriteTraceInfo(info, ""))

		queryFrontend := h.Services[util.ServiceQueryFrontend]
		baseURL := "https://" + queryFrontend.Endpoint(tempoPort)
		apiClient := httpclient.New(baseURL, "")

		// InsecureSkipVerify turns off both chain and hostname verification,
		// so this client accepts any certificate the peer presents. That is
		// intentional for this test only; the setting must not be copied
		// into non-test clients.
		// NOTE(review): the CA file from setupCertificates is not loaded by
		// this client; trusting it via RootCAs might allow verification to
		// stay on, if the server cert matches the endpoint name. Confirm.
		insecureTransport := http.DefaultTransport.(*http.Transport).Clone()
		insecureTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
		apiClient.WithTransport(insecureTransport)

		util.QueryAndAssertTrace(t, apiClient, info)

		// Block until both live-store zones report the trace, i.e. it is
		// queryable through search.
		zoneA := h.Services[util.ServiceLiveStoreZoneA]
		require.True(t, scrapeMetrics(t, zoneA, tempoPort, traceCreated))
		zoneB := h.Services[util.ServiceLiveStoreZoneB]
		require.True(t, scrapeMetrics(t, zoneB, tempoPort, traceCreated))

		util.SearchTraceQLAndAssertTrace(t, apiClient, info)

		// The gRPC search client also skips certificate verification, for
		// the same test-only reason as the HTTP client above.
		insecureCreds := credentials.NewTLS(&tls.Config{InsecureSkipVerify: true})
		grpcClient, err := util.NewSearchGRPCClient(queryFrontend.Endpoint(tempoPort), insecureCreds)
		require.NoError(t, err)

		// Search the hour leading up to now.
		now := time.Now()
		start, end := now.Add(-time.Hour).Unix(), now.Unix()
		util.SearchStreamAndAssertTrace(t, context.Background(), grpcClient, info, start, end)
	})
}
| 86 | |
| 87 | type keyMaterial struct { |
| 88 | CaCertFile string |