tests/e2e: add test for certificate protected metrics

Signed-off-by: Gladkov Alexey <agladkov@redhat.com>
etcd-io · Feb 27, 2019 · 112b962 · 112b962
1 parent d4bccd4
commit 112b962
Show file tree

Hide file tree

Showing 4 changed files with 76 additions and 0 deletions.
diff --git a/tests/e2e/cluster_test.go b/tests/e2e/cluster_test.go
@@ -90,6 +90,13 @@ var (
 		initialToken:  "new",
 		authTokenOpts: "jwt,pub-key=../../integration/fixtures/server.crt,priv-key=../../integration/fixtures/server.key.insecure,sign-method=RS256,ttl=1s",
 	}
+	configMetricsTLS = etcdProcessClusterConfig{
+		clusterSize:      1,
+		clientTLS:        clientTLS,
+		initialToken:     "new",
+		metricsURLScheme: "https",
+		isMetricsTLS:     true,
+	}
 )
 
 func configStandalone(cfg etcdProcessClusterConfig) *etcdProcessClusterConfig {
@@ -123,6 +130,8 @@ type etcdProcessClusterConfig struct {
 	isPeerAutoTLS         bool
 	isClientAutoTLS       bool
 	isClientCRL           bool
+	isMetricsTLS          bool
+	isMetricsAutoTLS      bool
 	noCN                  bool
 
 	cipherSuites []string
@@ -313,6 +322,19 @@ func (cfg *etcdProcessClusterConfig) tlsArgs() (args []string) {
 		}
 	}
 
+	if cfg.isMetricsTLS {
+		if cfg.isMetricsAutoTLS {
+			args = append(args, "--metrics-auto-tls")
+		} else {
+			tlsMetricsArgs := []string{
+				"--metrics-cert-file", certPath4,
+				"--metrics-key-file", privateKeyPath4,
+				"--metrics-trusted-ca-file", caPath,
+			}
+			args = append(args, tlsMetricsArgs...)
+		}
+	}
+
 	if cfg.isClientCRL {
 		args = append(args, "--client-crl-file", crlPath, "--client-cert-auth")
 	}

diff --git a/tests/e2e/main_test.go b/tests/e2e/main_test.go
@@ -27,6 +27,9 @@ var (
 	certPath3       string
 	privateKeyPath3 string
 
+	certPath4       string
+	privateKeyPath4 string
+
 	crlPath               string
 	revokedCertPath       string
 	revokedPrivateKeyPath string
@@ -55,6 +58,9 @@ func TestMain(m *testing.M) {
 	certPath3 = certDir + "/server3.crt"
 	privateKeyPath3 = certDir + "/server3.key.insecure"
 
+	certPath4 = certDir + "/server4.crt"
+	privateKeyPath4 = certDir + "/server4.key.insecure"
+
 	v := m.Run()
 	if v == 0 && testutil.CheckLeakedGoroutine() {
 		os.Exit(1)

diff --git a/tests/e2e/metrics_test.go b/tests/e2e/metrics_test.go
@@ -36,6 +36,10 @@ func TestV3MetricsInsecure(t *testing.T) {
 	testCtl(t, metricsTest)
 }
 
+func TestV3MetricsSecureTLSCertAuth(t *testing.T) {
+	testCtl(t, metricsTestCertAuth, withCfg(configMetricsTLS))
+}
+
 func metricsTest(cx ctlCtx) {
 	if err := ctlV3Put(cx, "k", "v", ""); err != nil {
 		cx.t.Fatal(err)
@@ -57,3 +61,44 @@ func metricsTest(cx ctlCtx) {
 		cx.t.Fatalf("failed get with curl (%v)", err)
 	}
 }
+
+func metricsTestCertAuth(cx ctlCtx) {
+	//	fmt.Printf("%#+v\n", cx.epc.procs[0].Config())
+	//	fmt.Printf("\n")
+	//	return
+
+	if err := ctlV3Put(cx, "k", "v", ""); err != nil {
+		cx.t.Fatal(err)
+	}
+	if err := cURLGet(cx.epc, cURLReq{endpoint: "/metrics", expected: `etcd_debugging_mvcc_keys_total 1`, metricsURLScheme: cx.cfg.metricsURLScheme, useCertAuth: true}); err != nil {
+		cx.t.Fatalf("failed get with curl (%v)", err)
+	}
+	if err := cURLGet(cx.epc, cURLReq{endpoint: "/metrics", expected: fmt.Sprintf(`etcd_server_version{server_version="%s"} 1`, version.Version), metricsURLScheme: cx.cfg.metricsURLScheme, useCertAuth: true}); err != nil {
+		cx.t.Fatalf("failed get with curl (%v)", err)
+	}
+	ver := version.Version
+	if strings.HasSuffix(ver, "+git") {
+		ver = strings.Replace(ver, "+git", "", 1)
+	}
+	if err := cURLGet(cx.epc, cURLReq{endpoint: "/metrics", expected: fmt.Sprintf(`etcd_cluster_version{cluster_version="%s"} 1`, ver), metricsURLScheme: cx.cfg.metricsURLScheme, useCertAuth: true}); err != nil {
+		cx.t.Fatalf("failed get with curl (%v)", err)
+	}
+	if err := cURLGet(cx.epc, cURLReq{endpoint: "/health", expected: `{"health":"true"}`, metricsURLScheme: cx.cfg.metricsURLScheme, useCertAuth: true}); err != nil {
+		cx.t.Fatalf("failed get with curl (%v)", err)
+	}
+
+	req := cURLReq{endpoint: "/metrics", metricsURLScheme: cx.cfg.metricsURLScheme}
+
+	expectErr := []string{
+		"curl: (60) SSL certificate problem: unable to get local issuer certificate",
+		"More details here: https://curl.haxx.se/docs/sslcerts.html",
+		"",
+		"curl failed to verify the legitimacy of the server and therefore could not",
+		"establish a secure connection to it. To learn more about this situation and",
+		"how to fix it, please visit the web page mentioned above.",
+	}
+
+	if err := spawnWithExpects(cURLPrefixArgs(cx.epc, "GET", req), expectErr...); err != nil {
+		cx.t.Fatalf("failed get with curl (%v)", err)
+	}
+}
diff --git a/tests/e2e/v2_curl_test.go b/tests/e2e/v2_curl_test.go
@@ -130,6 +130,7 @@ type cURLReq struct {
 	header   string
 
 	metricsURLScheme string
+	useCertAuth      bool
 
 	ciphers string
 }
@@ -155,6 +156,8 @@ func cURLPrefixArgs(clus *etcdProcessCluster, method string, req cURLReq) []stri
 				cmdArgs = append(cmdArgs, "--cacert", caPath, "--cert", certPath3, "--key", privateKeyPath3)
 			}
 		}
+	} else if req.useCertAuth {
+		cmdArgs = append(cmdArgs, "--cacert", caPath, "--cert", certPath4, "--key", privateKeyPath4)
 	}
 	if req.metricsURLScheme != "" {
 		acurl = clus.procs[rand.Intn(clus.cfg.clusterSize)].EndpointsMetrics()[0]