From 8f397d6e7028137565d0a6fcf734f5287b95b7a2 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Tue, 5 Mar 2024 09:16:57 +0100
Subject: [PATCH] e2e: use portforward to test OpenSSL frontend

---
 deployments/openssl/portforwarder.yml | 30 +++++++++++++++++++++++++++
 e2e/openssl/openssl_test.go | 30 +++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)

diff --git a/deployments/openssl/portforwarder.yml b/deployments/openssl/portforwarder.yml
index 5e943ddf82..786ecdc3ed 100644
--- a/deployments/openssl/portforwarder.yml
+++ b/deployments/openssl/portforwarder.yml
@@ -27,3 +27,33 @@ spec:
 memory: 50Mi
 limits:
 memory: 50Mi
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: port-forwarder-openssl-frontend
+ namespace: edg-default
+ labels:
+ app.kubernetes.io/name: port-forwarder-openssl-frontend
+spec:
+ containers:
+ - name: port-forwarder
+ image: "ghcr.io/edgelesssys/nunki/port-forwarder:latest"
+ env:
+ - name: LISTEN_PORT
+ value: "443"
+ - name: FORWARD_HOST
+ value: openssl-frontend
+ - name: FORWARD_PORT
+ value: "443"
+ command:
+ - /bin/bash
+ - "-c"
+ - echo Starting port-forward with socat; exec socat -d -d TCP-LISTEN:${LISTEN_PORT},fork TCP:${FORWARD_HOST}:${FORWARD_PORT}
+ ports:
+ - containerPort: 443
+ resources:
+ requests:
+ memory: 50Mi
+ limits:
+ memory: 50Mi
diff --git a/e2e/openssl/openssl_test.go b/e2e/openssl/openssl_test.go
index 0c4ad65db0..5f9aeb037d 100644
--- a/e2e/openssl/openssl_test.go
+++ b/e2e/openssl/openssl_test.go
@@ -5,6 +5,7 @@ package openssl
 import (
 "context"
+ "crypto/tls"
 "os"
 "testing"
 "time"
 
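Review bot: The new port-forwarder pod pulls `ghcr.io/edgelesssys/nunki/port-forwarder:latest`, a mutable tag, so the binary that proxies the e2e traffic can change underneath this commit without any diff, and a replaced or merely updated image would be picked up silently. Pinning a digest, `image: "ghcr.io/edgelesssys/nunki/port-forwarder@sha256:<digest>"`, or at minimum a release tag, makes the test setup reproducible and reviewable. If the forwarder pod earlier in this file (only its resources block is visible here) uses the same `:latest` reference, both should be pinned together rather than diverging.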
@@ -45,3 +46,32 @@ func TestOpenSSL(t *testing.T) {
 t.Log(stdout)
 require.NoError(err, "stderr: %q", stderr)
 }
+
+// TestFrontend verifies the certificate used by the OpenSSL frontend comes from the coordinator.
+func TestFrontend(t *testing.T) {
+ require := require.New(t)
+
+ ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
+ defer cancel()
+
+ c := kubeclient.NewForTest(t)
+
+ namespace := os.Getenv(namespaceEnv)
+ require.NotEmpty(namespace, "environment variable %q must be set", namespaceEnv)
+
+ addr, cancelPortForward, err := c.PortForwardPod(ctx, namespace, "port-forwarder-openssl-frontend", "443")
+ require.NoError(err)
+ defer cancelPortForward()
+
+ // TODO(burgerdev): properly test chain to mesh root
+ dialer := &tls.Dialer{Config: &tls.Config{InsecureSkipVerify: true}}
+ conn, err := dialer.DialContext(ctx, "tcp", addr)
+ require.NoError(err)
+ tlsConn := conn.(*tls.Conn)
+
+ var names []string
+ for _, cert := range tlsConn.ConnectionState().PeerCertificates {
+ names = append(names, cert.Subject.CommonName)
+ }
+ require.Contains(names, "openssl-frontend")
+}
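Review bot: The connection returned by `dialer.DialContext` is never closed, so the TLS session stays open until the test process exits; add `defer conn.Close()` directly after the `require.NoError(err)` that follows the dial, before the `*tls.Conn` assertion. With `InsecureSkipVerify: true` the handshake accepts any certificate, so the loop over `PeerCertificates` only shows that some certificate in the presented chain carries the CN `openssl-frontend`, not that it was issued by the coordinator as the doc comment states. Until the TODO is resolved the comment should describe what is actually asserted, e.g. `// TestFrontend checks that the OpenSSL frontend presents a certificate with CN "openssl-frontend"; chain verification against the mesh root is still TODO.` When a mesh root becomes available, setting `RootCAs` on the `tls.Config` and dropping `InsecureSkipVerify` lets the handshake itself perform that verification.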