Add integration TLS tests exercising SAN certs #11203

Closed
jpbetz opened this issue Oct 3, 2019 · 1 comment · Fixed by #11212

Comments

Contributor

jpbetz commented Oct 3, 2019

#2129 added basic TLS tests, but they do not cover the cases where IP or DNS name Subject Alternative Names (SANs) are set in the certs.

#11184 fixed an issue where the cert authority checks failed when using DNS names, and before that #10911 fixed a similar issue but for IPs. We need test coverage.

https://github.com/jpbetz/etcd/blob/etcd-lb-dnsname-failover/reproduction.md shows how the necessary certs can be created.

We need to figure out how we can simulate the networking needed to test the DNS name and IP scenarios.

The trick is finding a clean way to simulate the required networking on localhost, i.e. how do we have endpoints="https://<hostname1>:12379,https://<hostname1>:22379,https://<hostname1>:32379" or endpoints="https://<ip1>:12379,https://<ip2>:22379,https://<ip3>:32379" resolvable on localhost for testing? Somehow injecting a custom net.Dialer into clientv3 would allow for a bunch of this to be simulated. Is there a simpler approach? Do we need to run an e2e test in some containers and simulate the networking that way? I was hoping to avoid anything that complex.

@jpbetz jpbetz added this to the etcd-v3.5 milestone Oct 3, 2019
Contributor

gyuho commented Oct 4, 2019

@jpbetz Maybe we can start moving your failover test case here https://github.com/etcd-io/etcd/tree/master/tests? I usually use https://github.com/etcd-io/etcd/tree/master/tests/docker-dns-srv for DNS SRV testing.
