Automate un-/deployment & test of the ACL examples.

eda65773 · Geoff Simmons · f6684104 · eda65773 · eda65773 · eda65773
Commit eda65773 authored Feb 07, 2020 by Geoff Simmons
Showing with 101 additions and 3 deletions

acl.yaml examples/acl/acl.yaml +6 -3

cafe.vtc examples/acl/cafe.vtc +50 -0

deploy.sh examples/acl/deploy.sh +7 -0

undeploy.sh examples/acl/undeploy.sh +22 -0

verify.sh examples/acl/verify.sh +16 -0

No files found.
--- a/examples/acl/acl.yaml
+++ b/examples/acl/acl.yaml
@@ -17,8 +17,9 @@ spec:
  # failure status is matched, or all of them run without failing.
  acl:
-    # This ACL defines the address ranges for private IPv4 networks:
+    # This ACL defines the address ranges for IPv4 loopback addresses
-    # 10.0.0.0/24, 172.16.0.0/12 and 192.168.0.0/16
+    # and private networks:
+    # 127.0.0.0/8, 10.0.0.0/24, 172.16.0.0/12 and 192.168.0.0/16
    #
    # comparand is the default: client.ip, as interpreted in VCL
    # (either the client IP forwarded by the PROXY protocol, or
@@ -31,8 +32,10 @@ spec:
    #
    # The conditions field is not defined -- this ACL is matched for
    # all client requests.
-    - name: private-ip4
+    - name: local-private-ip4
      addrs:
+      - addr: 127.0.0.0
+        mask-bits: 8
      - addr: 10.0.0.0
        mask-bits: 24
      - addr: 172.16.0.0

--- a/examples/acl/cafe.vtc
+++ b/examples/acl/cafe.vtc
+# looks like -*- vcl -*-
+varnishtest "cafe example, access control lists"
+client c1 -connect "${localhost} ${localport}" {
+	txreq -url /tea -hdr "Host: cafe.example.com"
+	rxresp
+	expect resp.status == 403
+	expect resp.reason == "Forbidden"
+	txreq -url /tea -hdr "Host: cafe.example.com" \
+		-hdr "X-Real-IP: 198.51.100.47"
+	rxresp
+	expect resp.status == 403
+	expect resp.reason == "Forbidden"
+	txreq -url /tea -hdr "Host: cafe.example.com" \
+		-hdr "X-Real-IP: 192.0.2.120"
+	rxresp
+	expect resp.status == 200
+	txreq -url /coffee/black -hdr "Host: cafe.example.com"
+	rxresp
+	expect resp.status == 200
+	txreq -url /coffee/black -hdr "Host: cafe.example.com" \
+		-hdr "X-Forwarded-For: 203.0.113.47, 192.0.2.11"
+	rxresp
+	expect resp.status == 200
+	txreq -url /coffee/black -hdr "Host: cafe.example.com" \
+		-hdr "X-Forwarded-For: 192.0.2.11"
+	rxresp
+	expect resp.status == 404
+	txreq -url /coffee -hdr "Host: cafe.example.com" \
+		-hdr "X-Forwarded-For: 203.0.113.47, 192.0.2.11"
+	rxresp
+	expect resp.status == 200
+	txreq -url /coffee -hdr "Host: cafe.example.com" \
+		-hdr "X-Forwarded-For: 203.0.113.47"
+	rxresp
+	expect resp.status == 403
+	expect resp.reason == "Forbidden"
+	txreq -url /coffee -hdr "Host: cafe.example.com"
+	rxresp
+	expect resp.status == 200
+} -run
--- a/examples/acl/deploy.sh
+++ b/examples/acl/deploy.sh
+#! /bin/bash -ex
+kubectl apply -f ../hello/cafe.yaml
+kubectl apply -f ../hello/cafe-ingress.yaml
+kubectl apply -f acl.yaml
--- a/examples/acl/undeploy.sh
+++ b/examples/acl/undeploy.sh
+#! /bin/bash -ex
+kubectl delete -f acl.yaml
+kubectl delete -f ../hello/cafe-ingress.yaml
+kubectl delete -f ../hello/cafe.yaml
+echo "Waiting until varnish-ingress Pods are not ready"
+N=0
+until [ $N -ge 120 ]
+do
+    if kubectl get pods -l app=varnish-ingress | grep -q ' 1/1'; then
+        sleep 10
+        N=$(( N + 10 ))
+        continue
+    fi
+    exit 0
+done
+echo "Giving up"
+exit 1
--- a/examples/acl/verify.sh
+++ b/examples/acl/verify.sh
+#! /bin/bash -ex
+function killforward {
+    kill $KUBEPID
+}
+LOCALPORT=${LOCALPORT:-8888}
+kubectl wait --timeout=2m pod -l app=varnish-ingress --for=condition=Ready
+kubectl port-forward svc/varnish-ingress ${LOCALPORT}:80 >/dev/null &
+KUBEPID=$!
+trap killforward EXIT
+sleep 1
+varnishtest ${TESTOPTS} -Dlocalport=${LOCALPORT} cafe.vtc