test: Add negative test case for TLS SNI #37122

sayboras · 2025-01-21T11:54:11Z

Please refer to individual commit for more details. The first commit is to simplify the current policy, and pave the way for the second one.

sayboras · 2025-01-21T12:03:18Z

/test

sayboras · 2025-01-21T13:57:38Z

/test

jrajahalme

Suggestion for improvement.

cilium-cli/connectivity/tests/errors.go

sayboras · 2025-01-22T22:55:30Z

/test

sayboras · 2025-01-23T10:18:18Z

Rebased to pick up the fix for ci-eks #37184

We don't really need to toFQDNs rule for as the feature under test is TLS SNI. Signed-off-by: Tam Mach <tam.mach@cilium.io>

This commit is to add the negative test case for TLS SNI feature with another external target (e.g. cilium.io). There should be no policy dropped but SSL error from curl command. ``` $ kex -n cilium-test-1 client-645b68dcf7-n4xx7 -- curl -v https://cilium.io * Host cilium.io:443 was resolved. * IPv6: (none) * IPv4: 104.198.14.52 * Trying 104.198.14.52:443... * Connected to cilium.io (104.198.14.52) port 443 * ALPN: curl offers h2,http/1.1 * TLSv1.3 (OUT), TLS handshake, Client hello (1): * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: /etc/ssl/certs * Recv failure: Connection reset by peer * OpenSSL SSL_connect: Connection reset by peer in connection to cilium.io:443 * Closing connection curl: (35) Recv failure: Connection reset by peer command terminated with exit code 35 ``` Signed-off-by: Tam Mach <tam.mach@cilium.io>

sayboras · 2025-01-23T10:18:39Z

/test

The current SNI denied test sends request to cilium.io with serverNames as one.one.one.one, and expects TLS error. However, cilium.io might not be as reliable compared to one.one.one.one, hence causes timeout issue (e.g. 28) instead of expected SSL error code (e.g. 35) as observed in cilium#37381. This commit is to reverse the test to use one.one.one.one as external target, however, new CNP client-egress-tls-sni-other will only allow serverNames with ExternalOtherTarget (defaults to cilium.io). Relates: cilium#37122, cilium#37381 Signed-off-by: Tam Mach <tam.mach@cilium.io>

The current SNI denied test sends request to cilium.io with serverNames as one.one.one.one, and expects TLS error. However, cilium.io might not be as reliable compared to one.one.one.one, hence causes timeout issue (e.g. 28) instead of expected SSL error code (e.g. 35) as observed in the issue cilium#37381. This commit is to reverse the test to use one.one.one.one as external target, however, new CNP client-egress-tls-sni-other will only allow serverNames with ExternalOtherTarget (defaults to cilium.io). Relates: cilium#37122, cilium#37381 Signed-off-by: Tam Mach <tam.mach@cilium.io>

The current SNI denied test sends request to cilium.io with serverNames as one.one.one.one, and expects TLS error. However, cilium.io might not be as reliable compared to one.one.one.one, hence causes timeout issue (e.g. 28) instead of expected SSL error code (e.g. 35) as observed in the issue #37381. This commit is to reverse the test to use one.one.one.one as external target, however, new CNP client-egress-tls-sni-other will only allow serverNames with ExternalOtherTarget (defaults to cilium.io). Relates: #37122, #37381 Signed-off-by: Tam Mach <tam.mach@cilium.io>

The current SNI denied test sends request to cilium.io with serverNames as one.one.one.one, and expects TLS error. However, cilium.io might not be as reliable compared to one.one.one.one, hence causes timeout issue (e.g. 28) instead of expected SSL error code (e.g. 35) as observed in the issue cilium#37381. This commit is to reverse the test to use one.one.one.one as external target, however, new CNP client-egress-tls-sni-other will only allow serverNames with ExternalOtherTarget (defaults to cilium.io). Relates: cilium#37122, cilium#37381 Signed-off-by: Tam Mach <tam.mach@cilium.io>

maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 21, 2025

github-actions bot added cilium-cli This PR contains changes related with cilium-cli cilium-cli-exclusive This PR only impacts cilium-cli binary labels Jan 21, 2025

sayboras added the release-note/ci This PR makes changes to the CI. label Jan 21, 2025

maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 21, 2025

sayboras marked this pull request as ready for review January 21, 2025 11:54

sayboras requested a review from a team as a code owner January 21, 2025 11:54

sayboras requested review from christarazi and jrajahalme January 21, 2025 11:54

sayboras force-pushed the pr/tammach/tls-sni branch from cb81b4e to 000d799 Compare January 21, 2025 12:57

sayboras requested review from a team as code owners January 21, 2025 12:57

sayboras force-pushed the pr/tammach/tls-sni branch from 000d799 to c285d1d Compare January 21, 2025 13:03

jrajahalme reviewed Jan 21, 2025

View reviewed changes

cilium-cli/connectivity/tests/errors.go Outdated Show resolved Hide resolved

sayboras force-pushed the pr/tammach/tls-sni branch from c285d1d to bba9788 Compare January 22, 2025 00:18

sayboras requested a review from jrajahalme January 22, 2025 00:18

christarazi approved these changes Jan 22, 2025

View reviewed changes

sayboras enabled auto-merge January 22, 2025 22:56

sayboras added 2 commits January 23, 2025 21:18

test: Simplify TLS SNI related test

452b0e3

We don't really need to toFQDNs rule for as the feature under test is TLS SNI. Signed-off-by: Tam Mach <tam.mach@cilium.io>

sayboras force-pushed the pr/tammach/tls-sni branch from bba9788 to 05cdc50 Compare January 23, 2025 10:18

sayboras added this pull request to the merge queue Jan 23, 2025

Merged via the queue into main with commit e4e5f91 Jan 23, 2025
210 of 212 checks passed

sayboras deleted the pr/tammach/tls-sni branch January 23, 2025 11:45

sayboras mentioned this pull request Jan 24, 2025

docs: Add SNI policy example #37234

Merged

sayboras mentioned this pull request Jan 31, 2025

test: Update negative test case for TLS SNI #37386

Merged

github-actions bot mentioned this pull request Feb 3, 2025

Bump ciliumcli from v0.16.0 to v0.18.3 kokyhm/kubespray_dependency_upgrade_test#153

Open

sayboras mentioned this pull request Mar 14, 2025

test: Add negative test case for TLS SNI + Inception #38194

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

test: Add negative test case for TLS SNI #37122

test: Add negative test case for TLS SNI #37122

Uh oh!

sayboras commented Jan 21, 2025

Uh oh!

sayboras commented Jan 21, 2025

Uh oh!

sayboras commented Jan 21, 2025

Uh oh!

jrajahalme left a comment

Uh oh!

Uh oh!

sayboras commented Jan 22, 2025

Uh oh!

sayboras commented Jan 23, 2025

Uh oh!

sayboras commented Jan 23, 2025

Uh oh!

Uh oh!

Uh oh!

test: Add negative test case for TLS SNI #37122

test: Add negative test case for TLS SNI #37122

Uh oh!

Conversation

sayboras commented Jan 21, 2025

Uh oh!

sayboras commented Jan 21, 2025

Uh oh!

sayboras commented Jan 21, 2025

Uh oh!

jrajahalme left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

sayboras commented Jan 22, 2025

Uh oh!

sayboras commented Jan 23, 2025

Uh oh!

sayboras commented Jan 23, 2025

Uh oh!

Uh oh!

Uh oh!