test: enhance SSL proxy test coverage with comprehensive scenarios

oyiz-michael · oyiz-michael · commit b25f95d8635e · 2025-08-12T08:36:49.000+01:00
- Implement enhanced TestSetupSSLProxy with multiple test scenarios
- Add table-driven tests for better coverage and maintainability
- Test SSL proxy with and without explicit passthrough enabling
- Test SSL proxy configuration with default backend service
- Test SSL proxy with default SSL certificate and chain completion
- Test SSL proxy with minimal configuration using default port
- Test SSL proxy with comprehensive configuration combining all features
- Add proper validation for ListenPorts.SSLProxy configuration
- Ensure SSL passthrough proxy functionality is thoroughly validated

This significantly improves test coverage for critical SSL proxy functionality
used in production environments for TLS passthrough scenarios.
diff --git a/pkg/flags/flags_test.go b/pkg/flags/flags_test.go
@@ -20,6 +20,9 @@ import (
 	"os"
 	"testing"
 	"time"
+
+	"k8s.io/ingress-nginx/internal/ingress/controller"
+	"k8s.io/ingress-nginx/internal/ingress/controller/config"
 )
 
 func TestNoMandatoryFlag(t *testing.T) {
@@ -57,28 +60,125 @@ func TestDefaults(t *testing.T) {
 
 func TestSetupSSLProxy(t *testing.T) {
 	tests := []struct {
-		name        string
-		args        []string
-		expectError bool
-		description string
+		name           string
+		args           []string
+		expectError    bool
+		description    string
+		validateConfig func(t *testing.T, showVersion bool, config *controller.Configuration)
 	}{
 		{
-			name: "valid SSL proxy configuration",
-			args: []string{"cmd", "--enable-ssl-passthrough", "--ssl-passthrough-proxy-port", "9999"},
+			name:        "valid SSL proxy configuration with passthrough enabled",
+			args:        []string{"cmd", "--enable-ssl-passthrough", "--ssl-passthrough-proxy-port", "9999"},
+			expectError: false,
+			description: "Should accept valid SSL proxy port with passthrough enabled",
+			validateConfig: func(t *testing.T, showVersion bool, cfg *controller.Configuration) {
+				if !cfg.EnableSSLPassthrough {
+					t.Error("Expected EnableSSLPassthrough to be true")
+				}
+				if cfg.ListenPorts.SSLProxy != 9999 {
+					t.Errorf("Expected SSLProxy port to be 9999, got %d", cfg.ListenPorts.SSLProxy)
+				}
+			},
+		},
+		{
+			name:        "SSL proxy port without explicit passthrough enabling",
+			args:        []string{"cmd", "--ssl-passthrough-proxy-port", "8443"},
 			expectError: false,
-			description: "Should accept valid SSL proxy port",
+			description: "Should accept SSL proxy port configuration without explicit passthrough enable",
+			validateConfig: func(t *testing.T, showVersion bool, cfg *controller.Configuration) {
+				if cfg.ListenPorts.SSLProxy != 8443 {
+					t.Errorf("Expected SSLProxy port to be 8443, got %d", cfg.ListenPorts.SSLProxy)
+				}
+			},
 		},
 		{
-			name: "SSL proxy without enabling passthrough",
-			args: []string{"cmd", "--ssl-passthrough-proxy-port", "9999"},
+			name:        "SSL proxy with default backend service",
+			args:        []string{"cmd", "--enable-ssl-passthrough", "--default-backend-service", "default/backend", "--ssl-passthrough-proxy-port", "9000"},
 			expectError: false,
-			description: "Should accept SSL proxy port even without explicit passthrough enable",
+			description: "Should work with default backend service and SSL passthrough",
+			validateConfig: func(t *testing.T, showVersion bool, cfg *controller.Configuration) {
+				if !cfg.EnableSSLPassthrough {
+					t.Error("Expected EnableSSLPassthrough to be true")
+				}
+				if cfg.DefaultService != "default/backend" {
+					t.Errorf("Expected DefaultService to be 'default/backend', got %s", cfg.DefaultService)
+				}
+				if cfg.ListenPorts.SSLProxy != 9000 {
+					t.Errorf("Expected SSLProxy port to be 9000, got %d", cfg.ListenPorts.SSLProxy)
+				}
+			},
 		},
 		{
-			name: "SSL proxy with default backend",
-			args: []string{"cmd", "--enable-ssl-passthrough", "--default-backend-service", "default/backend"},
+			name:        "SSL proxy with default SSL certificate",
+			args:        []string{"cmd", "--enable-ssl-passthrough", "--default-ssl-certificate", "default/tls-cert", "--ssl-passthrough-proxy-port", "8080"},
 			expectError: false,
-			description: "Should work with default backend service",
+			description: "Should work with default SSL certificate and passthrough",
+			validateConfig: func(t *testing.T, showVersion bool, cfg *controller.Configuration) {
+				if !cfg.EnableSSLPassthrough {
+					t.Error("Expected EnableSSLPassthrough to be true")
+				}
+				if cfg.DefaultSSLCertificate != "default/tls-cert" {
+					t.Errorf("Expected DefaultSSLCertificate to be 'default/tls-cert', got %s", cfg.DefaultSSLCertificate)
+				}
+				if cfg.ListenPorts.SSLProxy != 8080 {
+					t.Errorf("Expected SSLProxy port to be 8080, got %d", cfg.ListenPorts.SSLProxy)
+				}
+			},
+		},
+		{
+			name:        "SSL proxy with chain completion enabled",
+			args:        []string{"cmd", "--enable-ssl-passthrough", "--enable-ssl-chain-completion", "--ssl-passthrough-proxy-port", "7443"},
+			expectError: false,
+			description: "Should work with SSL chain completion and passthrough",
+			validateConfig: func(t *testing.T, showVersion bool, cfg *controller.Configuration) {
+				if !cfg.EnableSSLPassthrough {
+					t.Error("Expected EnableSSLPassthrough to be true")
+				}
+				if !config.EnableSSLChainCompletion {
+					t.Error("Expected EnableSSLChainCompletion to be true")
+				}
+				if cfg.ListenPorts.SSLProxy != 7443 {
+					t.Errorf("Expected SSLProxy port to be 7443, got %d", cfg.ListenPorts.SSLProxy)
+				}
+			},
+		},
+		{
+			name:        "SSL proxy with minimal configuration",
+			args:        []string{"cmd", "--enable-ssl-passthrough"},
+			expectError: false,
+			description: "Should work with minimal SSL passthrough configuration using default port",
+			validateConfig: func(t *testing.T, showVersion bool, cfg *controller.Configuration) {
+				if !cfg.EnableSSLPassthrough {
+					t.Error("Expected EnableSSLPassthrough to be true")
+				}
+				// Default port should be 442
+				if cfg.ListenPorts.SSLProxy != 442 {
+					t.Errorf("Expected default SSLProxy port to be 442, got %d", cfg.ListenPorts.SSLProxy)
+				}
+			},
+		},
+		{
+			name:        "SSL proxy with comprehensive configuration",
+			args:        []string{"cmd", "--enable-ssl-passthrough", "--enable-ssl-chain-completion", "--default-ssl-certificate", "kube-system/default-cert", "--default-backend-service", "kube-system/default-backend", "--ssl-passthrough-proxy-port", "10443"},
+			expectError: false,
+			description: "Should work with comprehensive SSL proxy configuration",
+			validateConfig: func(t *testing.T, showVersion bool, cfg *controller.Configuration) {
+				if !cfg.EnableSSLPassthrough {
+					t.Error("Expected EnableSSLPassthrough to be true")
+				}
+				if !config.EnableSSLChainCompletion {
+					t.Error("Expected EnableSSLChainCompletion to be true")
+				}
+				if cfg.DefaultSSLCertificate != "kube-system/default-cert" {
+					t.Errorf("Expected DefaultSSLCertificate to be 'kube-system/default-cert', got %s", cfg.DefaultSSLCertificate)
+				}
+				if cfg.DefaultService != "kube-system/default-backend" {
+					t.Errorf("Expected DefaultService to be 'kube-system/default-backend', got %s", cfg.DefaultService)
+				}
+				if cfg.ListenPorts.SSLProxy != 10443 {
+					t.Errorf("Expected SSLProxy port to be 10443, got %d", cfg.ListenPorts.SSLProxy)
+				}
+			},
 		},
 	}
 
@@ -91,13 +191,18 @@ func TestSetupSSLProxy(t *testing.T) {
 
 			os.Args = tt.args
 
-			_, _, err := ParseFlags()
+			showVersion, config, err := ParseFlags()
 			if tt.expectError && err == nil {
 				t.Fatalf("Expected error for %s, but got none", tt.description)
 			}
 			if !tt.expectError && err != nil {
 				t.Fatalf("Expected no error for %s, got: %v", tt.description, err)
 			}
+
+			// Run additional validation if provided and no error occurred
+			if !tt.expectError && tt.validateConfig != nil {
+				tt.validateConfig(t, showVersion, config)
+			}
 		})
 	}
 }
