From 6595ea7f2c060356c1afdcbfc511322245df5804 Mon Sep 17 00:00:00 2001 From: David Cheung Date: Wed, 18 Oct 2023 20:23:46 +0000 Subject: [PATCH] Add test for ingress-https. * Add ingress-https test. Rename ssl policy name since it has a naming collision with ingress-grpc recipe. * User needs to have a valid DNS domain and specify the DNS record name when running this test. --- .../single-cluster/ingress-https/README.md | 6 +- .../single-cluster/ingress-https/cleanup.sh | 56 ++++++++++++++++++ .../single-cluster/ingress-https/run-test.sh | 39 ++++++++++++ .../ingress-https/secure-ingress.yaml | 2 +- ingress/single-cluster/ingress-https/setup.sh | 59 +++++++++++++++++++ 5 files changed, 158 insertions(+), 4 deletions(-) create mode 100755 ingress/single-cluster/ingress-https/cleanup.sh create mode 100755 ingress/single-cluster/ingress-https/run-test.sh create mode 100755 ingress/single-cluster/ingress-https/setup.sh diff --git a/ingress/single-cluster/ingress-https/README.md b/ingress/single-cluster/ingress-https/README.md index c86c47fe..588bc9d0 100644 --- a/ingress/single-cluster/ingress-https/README.md +++ b/ingress/single-cluster/ingress-https/README.md @@ -80,7 +80,7 @@ kind: FrontendConfig metadata: name: ingress-security-config spec: - sslPolicy: gke-ingress-ssl-policy + sslPolicy: gke-ingress-ssl-policy-https redirectToHttps: enabled: true ``` @@ -123,7 +123,7 @@ Created [https://www.googleapis.com/compute/v1/projects/xxx/global/addresses/gke 4. Create an SSL policy. This policy specifies a broad set of modern ciphers and requires that clients negotiate using TLS 1.2 or higher. ``` -$ gcloud compute ssl-policies create gke-ingress-ssl-policy \ +$ gcloud compute ssl-policies create gke-ingress-ssl-policy-https \ --profile MODERN \ --min-tls-version 1.2 ``` 
@@ -203,7 +203,7 @@ You are now ready to serve securely on the internet! ```bash $ kubectl delete -f secure-ingress.yaml $ gcloud compute addresses delete --global gke-foobar-public-ip -$ gcloud compute ssl-policies delete gke-ingress-ssl-policy +$ gcloud compute ssl-policies delete gke-ingress-ssl-policy-https ``` ### Testing diff --git a/ingress/single-cluster/ingress-https/cleanup.sh b/ingress/single-cluster/ingress-https/cleanup.sh new file mode 100755 index 00000000..152070cb --- /dev/null +++ b/ingress/single-cluster/ingress-https/cleanup.sh 
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+test_name="ingress-https"
+context=$(get_context "${test_name}")
+
+foo_dns_record="foo.${DNS_NAME}"
+bar_dns_record="bar.${DNS_NAME}"
+
+if [[ ! -z "${context}" ]]; then
+ ingress_name="secure-ingress"
+ fr=$(get_forwarding_rule "${ingress_name}" "${test_name}" "${context}")
+ thp=$(get_target_http_proxy "${ingress_name}" "${test_name}" "${context}")
+ thsp=$(get_target_https_proxy "${ingress_name}" "${test_name}" "${context}")
+ um=$(get_url_map "${ingress_name}" "${test_name}" "${context}")
+ backends=$(get_backends "${ingress_name}" "${test_name}" "${context}")
+ negs=$(get_negs "${context}")
+
+ resource_yaml="ingress/single-cluster/ingress-https/secure-ingress.yaml"
+ kubectl --context "${context}" delete -f "${resource_yaml}" -n "${test_name}" || true
+ sed -i'.bak' "s/${foo_dns_record}/foo.\${DOMAIN}.com/g" "${resource_yaml}"
+ sed -i'.bak' "s/${bar_dns_record}/bar.\${DOMAIN}.com/g" "${resource_yaml}"
+ rm -f "${resource_yaml}".bak
+ wait_for_glbc_deletion "${fr}" "${thp}" "${thsp}" "${um}" "${backends}" "${negs}"
+ kubectl --context "${context}" delete namespace "${test_name}" || true
+fi
+
+gcloud compute ssl-policies delete gke-ingress-ssl-policy-https --quiet || true
+gcloud compute addresses delete --global gke-foobar-public-ip --quiet || true
+gcloud dns --project="${DNS_PROJECT}" record-sets delete "${foo_dns_record}" \
+ --zone="${DNS_ZONE}" \
+ --type="A" || true
+gcloud dns --project="${DNS_PROJECT}" record-sets delete "${bar_dns_record}" \
+ --zone="${DNS_ZONE}" \
+ --type="A" || true
+
+cleanup_gke_basic "${test_name}" "${ZONE}" "${REGION}"
diff --git a/ingress/single-cluster/ingress-https/run-test.sh b/ingress/single-cluster/ingress-https/run-test.sh
new file mode 100755
index 00000000..8df3a631
--- /dev/null
+++ b/ingress/single-cluster/ingress-https/run-test.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+source ./test/helper.sh
+test_name="ingress-https"
+context=$(get_context "${test_name}")
+
+if [[ -z "${context}" ]]; then
+ exit 1
+fi
+
+vip=$(wait_for_ingress_ip "secure-ingress" "${test_name}" "${context}")
+
+wait_for_managed_cert "foobar-certificate" "ingress-https" "${context}"
+
+foo_dns_record="foo.${DNS_NAME}"
+bar_dns_record="bar.${DNS_NAME}"
+check_http_status "https://${foo_dns_record}" 200
+check_http_status "https://${bar_dns_record}" 200
+check_http_status "http://${foo_dns_record}" 301
+check_http_status "http://${bar_dns_record}" 301
diff --git a/ingress/single-cluster/ingress-https/secure-ingress.yaml b/ingress/single-cluster/ingress-https/secure-ingress.yaml
index fabd880f..d10400a5 100644
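Review bot: In cleanup.sh the static address is released before the two `gcloud dns ... record-sets delete` calls, and every deletion ends in `|| true`, so a failed DNS delete passes silently and leaves `foo.${DNS_NAME}` and `bar.${DNS_NAME}` pointing at a global IP this project no longer reserves. A dangling A record of that kind becomes a takeover risk once the address is reassigned; deleting the record sets before `gcloud compute addresses delete` and replacing their `|| true` with `|| echo "WARNING: ${foo_dns_record} not deleted, remove it manually" >&2` keeps the run going while making the leftover visible. Under `set -o nounset`, `foo_dns_record="foo.${DNS_NAME}"` also aborts the script before any resource is removed when `DNS_NAME` is unset; the guard that setup.sh has for `DNS_PROJECT`, `DNS_ZONE` and `DNS_NAME` is missing here.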
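Review bot: Nothing in run-test.sh exercises the `gke-ingress-ssl-policy-https` policy the recipe is about: the four `check_http_status` calls assert only status codes, so the test would still pass if the FrontendConfig's `sslPolicy` were never attached to the load balancer. A negative check such as `if curl -s -o /dev/null --tls-max 1.1 "https://${foo_dns_record}"; then echo "TLS 1.1 handshake accepted" >&2; exit 1; fi` would pin the minimum TLS version (written as an `if` because a bare `! curl ...` does not trip `errexit`). `vip` is assigned from `wait_for_ingress_ip` but never read; comparing it with the address `foo.${DNS_NAME}` resolves to would confirm the requests reach this ingress. `check_http_status` lives in test/helper.sh, outside this diff, so whether it verifies the served certificate cannot be told from here.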
--- a/ingress/single-cluster/ingress-https/secure-ingress.yaml +++ b/ingress/single-cluster/ingress-https/secure-ingress.yaml @@ -49,7 +49,7 @@ kind: FrontendConfig metadata: name: ingress-security-config spec: - sslPolicy: gke-ingress-ssl-policy + sslPolicy: gke-ingress-ssl-policy-https redirectToHttps: enabled: true --- diff --git a/ingress/single-cluster/ingress-https/setup.sh b/ingress/single-cluster/ingress-https/setup.sh new file mode 100755 index 00000000..ecd3909d --- /dev/null +++ b/ingress/single-cluster/ingress-https/setup.sh 
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit;
+set -o nounset;
+set -o pipefail;
+set -o xtrace;
+
+if [[ -z "${DNS_PROJECT-}" || -z "${DNS_ZONE-}" || -z "${DNS_NAME-}" ]]; then
+ echo "Required environment variables are not set. See ingress-https/REAME.md for details."
+ exit 1
+fi
+
+source ./test/helper.sh
+test_name="ingress-https"
+setup_gke_basic "${test_name}" "${ZONE}" "${REGION}"
+context=$(get_context "${test_name}")
+
+if [[ -z "${context}" ]]; then
+ exit 1
+fi
+
+kubectl --context "${context}" create namespace "${test_name}"
+
+static_ip_name=gke-foobar-public-ip
+gcloud compute addresses create --global "${static_ip_name}"
+static_ip=$(gcloud compute addresses describe --global "${static_ip_name}" --format="value(address)")
+gcloud compute ssl-policies create gke-ingress-ssl-policy-https --profile MODERN --min-tls-version 1.2
+
+foo_dns_record="foo.${DNS_NAME}"
+bar_dns_record="bar.${DNS_NAME}"
+gcloud dns --project="${DNS_PROJECT}" record-sets create "${foo_dns_record}" \
+ --zone="${DNS_ZONE}" \
+ --type="A" \
+ --ttl="14400" \
+ --rrdatas="${static_ip}"
+gcloud dns --project="${DNS_PROJECT}" record-sets create "${bar_dns_record}" \
+ --zone="${DNS_ZONE}" \
+ --type="A" \
+ --ttl="14400" \
+ --rrdatas="${static_ip}"
+
+resource_yaml="ingress/single-cluster/ingress-https/secure-ingress.yaml"
+sed -i'.bak' "s/foo.\${DOMAIN}.com/${foo_dns_record}/g" "${resource_yaml}"
+sed -i'.bak' "s/bar.\${DOMAIN}.com/${bar_dns_record}/g" "${resource_yaml}"
+kubectl --context "${context}" apply -f "${resource_yaml}" -n "${test_name}"
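Review bot: `DNS_NAME` is interpolated unescaped into the replacement side of both `sed -i'.bak'` expressions and the result is written back into the tracked `secure-ingress.yaml`, so a value containing `/` or `&` corrupts the manifest, and a run that fails before cleanup.sh leaves the real domain plus a `.bak` file in the working tree. Validating the name once after the environment check, `[[ "${DNS_NAME}" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "DNS_NAME is not a valid DNS name" >&2; exit 1; }`, and rendering to stdout instead of in place (`sed ... "${resource_yaml}" | kubectl --context "${context}" apply -n "${test_name}" -f -`) avoids both. The error message names `ingress-https/REAME.md`; it should read `README.md`. `ZONE` and `REGION` are not covered by the environment check, so a missing one surfaces only as an unbound-variable error from `nounset`.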