Tests that when AutoHostSNI is enabled for a Logical DNS cluster, the SNI is derived from the DNSHostName in the cluster configuration rather than having to be configured explicitly. The test points a manual "dns" resolver at the backend, sets the cluster's DNSHostName to a name that matches the server certificate's SAN, additionally enables AutoSniSanValidation, and runs the backend with mTLS (client certificates required and verified); it verifies that the TLS handshake succeeds under that configuration.
(t *testing.T)
| 769 | // the TLS handshake succeeds when the DNSHostName matches the server's |
| 770 | // certificate SAN. |
| 771 | func (s) TestClientSideXDS_AutoHostSNI_LogicalDNS(t *testing.T) { |
| 772 | testutils.SetEnvConfig(t, &envconfig.XDSSNIEnabled, true) |
| 773 | |
| 774 | // Spin up an xDS management server. |
| 775 | mgmtServer, nodeID, _, xdsResolver := setup.ManagementServerAndResolver(t) |
| 776 | |
| 777 | // Create test backend |
| 778 | serverCreds := testutils.CreateServerTLSCredentials(t, tls.RequireAndVerifyClientCert) |
| 779 | server := stubserver.StartTestService(t, nil, grpc.Creds(serverCreds)) |
| 780 | defer server.Stop() |
| 781 | |
| 782 | // Replace DNS resolver with a manual resolver. |
| 783 | dnsR := manual.NewBuilderWithScheme("dns") |
| 784 | originalDNS := resolver.Get("dns") |
| 785 | resolver.Register(dnsR) |
| 786 | t.Cleanup(func() { resolver.Register(originalDNS) }) |
| 787 | |
| 788 | dnsR.UpdateState(resolver.State{Endpoints: []resolver.Endpoint{{Addresses: []resolver.Address{{Addr: server.Address}}}}}) |
| 789 | |
| 790 | // Configure client side xDS resources on the management server. |
| 791 | const serviceName = "my-service-client-side-xds" |
| 792 | const routeConfigName = "route-" + serviceName |
| 793 | const clusterName = "cluster-" + serviceName |
| 794 | |
| 795 | listeners := []*v3listenerpb.Listener{e2e.DefaultClientListener(serviceName, routeConfigName)} |
| 796 | routes := []*v3routepb.RouteConfiguration{e2e.DefaultRouteConfig(routeConfigName, serviceName, clusterName)} |
| 797 | |
| 798 | // Cluster of Type LogicalDNS. with DNSHostName set to match the server's cert |
| 799 | // SAN. |
| 800 | cluster := e2e.ClusterResourceWithOptions(e2e.ClusterOptions{ |
| 801 | Type: e2e.ClusterTypeLogicalDNS, |
| 802 | ClusterName: clusterName, |
| 803 | DNSHostName: validSNI, |
| 804 | DNSPort: uint32(testutils.ParsePort(t, server.Address)), |
| 805 | SecurityLevel: e2e.SecurityLevelMTLS, |
| 806 | }) |
| 807 | cluster.TransportSocket.ConfigType.(*v3corepb.TransportSocket_TypedConfig).TypedConfig = testutils.MarshalAny(t, &v3tlspb.UpstreamTlsContext{ |
| 808 | AutoHostSni: true, |
| 809 | AutoSniSanValidation: true, |
| 810 | CommonTlsContext: &v3tlspb.CommonTlsContext{ |
| 811 | ValidationContextType: &v3tlspb.CommonTlsContext_ValidationContextCertificateProviderInstance{ |
| 812 | ValidationContextCertificateProviderInstance: &v3tlspb.CommonTlsContext_CertificateProviderInstance{ |
| 813 | InstanceName: e2e.ClientSideCertProviderInstance, |
| 814 | }, |
| 815 | }, |
| 816 | TlsCertificateCertificateProviderInstance: &v3tlspb.CommonTlsContext_CertificateProviderInstance{ |
| 817 | InstanceName: e2e.ClientSideCertProviderInstance, |
| 818 | }, |
| 819 | }, |
| 820 | }) |
| 821 | |
| 822 | resources := e2e.UpdateOptions{ |
| 823 | NodeID: nodeID, |
| 824 | Listeners: listeners, |
| 825 | Routes: routes, |
| 826 | Clusters: []*v3clusterpb.Cluster{cluster}, |
| 827 | } |
| 828 |