Remove the dependency of openssl library in antrea-controller image

Configured a toolbox pod to run the  e2e test
TestAntreaApiserverTLSConfig.

Signed-off-by: Pulkit Jain <jainpu@vmware.com>

test/e2e/tls_test.go

@@ -53,10 +53,13 @@ func TestAntreaApiserverTLSConfig(t *testing.T) {
 
 	controllerPod, err := data.getAntreaController()
 	assert.NoError(t, err, "failed to get Antrea Controller Pod")
-	controllerPodName := controllerPod.Name
-	controlPlaneNode := controlPlaneNodeName()
-	agentPodName, err := data.getAntreaPodOnNode(controlPlaneNode)
-	assert.NoError(t, err, "failed to get Antrea Agent Pod Name on Control Plane Node")
+	controllerPodNode := controllerPod.Spec.NodeName
+	node := getNodeByName(controllerPodNode)
+	assert.NotNil(t, node, "failed to get the Node")
+	nodeIPv4 := node.ipv4Addr
+	nodeIPv6 := node.ipv6Addr
+	toolboxPodName, _, cleanupFunc := createAndWaitForPod(t, data, data.createToolboxPodOnNode, "clientpod", controllerPodNode, antreaNamespace, true)
+	defer cleanupFunc()
 
 	tests := []struct {
 		name          string
@@ -65,14 +68,14 @@ func TestAntreaApiserverTLSConfig(t *testing.T) {
 		apiserver     int
 		apiserverStr  string
 	}{
-		{"ControllerApiserver", controllerPodName, controllerContainerName, apis.AntreaControllerAPIPort, "Controller"},
-		{"AgentApiserver", agentPodName, agentContainerName, apis.AntreaAgentAPIPort, "Agent"},
+		{"ControllerApiserver", toolboxPodName, "toolbox", apis.AntreaControllerAPIPort, "Controller"},
+		{"AgentApiserver", toolboxPodName, "toolbox", apis.AntreaAgentAPIPort, "Agent"},
 	}
 	for _, tc := range tests {
 		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
-			data.checkTLS(t, tc.podName, tc.containerName, tc.apiserver, tc.apiserverStr)
+			data.checkTLS(t, tc.podName, tc.containerName, tc.apiserver, tc.apiserverStr, nodeIPv4, nodeIPv6)
 		})
 	}
 }
@@ -99,13 +102,13 @@ func (data *TestData) configureTLS(t *testing.T, cipherSuites []uint16, tlsMinVe
 	}
 }
 
-func (data *TestData) checkTLS(t *testing.T, podName string, containerName string, apiserver int, apiserverStr string) {
+func (data *TestData) checkTLS(t *testing.T, podName string, containerName string, apiserver int, apiserverStr string, nodeIPv4, nodeIPv6 string) {
 	// 1. TLSMaxVersion unset, then a TLS1.3 Cipher Suite should be used.
-	stdouts := data.opensslConnect(t, podName, containerName, false, apiserver)
+	stdouts := data.opensslConnect(t, podName, containerName, false, apiserver, nodeIPv4, nodeIPv6)
 	for _, stdout := range stdouts {
 		oneTLS13CS := false
 		for _, cs := range opensslTLS13CipherSuites {
-			if strings.Contains(stdout, fmt.Sprintf("New, TLSv1.3, Cipher is %s", cs)) {
+			if strings.Contains(stdout, fmt.Sprintf("SSL connection using TLSv1.3 / %s", cs)) {
 				oneTLS13CS = true
 				break
 			}
@@ -115,14 +118,15 @@ func (data *TestData) checkTLS(t *testing.T, podName string, containerName strin
 	}
 
 	// 2. Set TLSMaxVersion to TLS1.2, then TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 should be used
-	stdouts = data.opensslConnect(t, podName, containerName, true, apiserver)
+	stdouts = data.opensslConnect(t, podName, containerName, true, apiserver, nodeIPv4, nodeIPv6)
 	for _, stdout := range stdouts {
-		assert.True(t, strings.Contains(stdout, fmt.Sprintf("New, TLSv1.2, Cipher is %s", cipherSuiteStr)),
+		fmt.Sprintf("Output is %s", stdout)
+		assert.True(t, strings.Contains(stdout, fmt.Sprintf("SSL connection using TLSv1.2 / %s", cipherSuiteStr)),
 			"Cipher Suite used by %s apiserver should be the TLS1.2 one '%s', output: %s", apiserverStr, cipherSuiteStr, stdout)
 	}
 }
 
-func (data *TestData) opensslConnect(t *testing.T, pod string, container string, tls12 bool, port int) []string {
+func (data *TestData) opensslConnect(t *testing.T, pod string, container string, tls12 bool, port int, nodeIPv4, nodeIPv6 string) []string {
 	var stdouts []string
 	opensslConnectCommands := []struct {
 		enabled bool
@@ -131,27 +135,30 @@ func (data *TestData) opensslConnect(t *testing.T, pod string, container string,
 	}{
 		{
 			clusterInfo.podV4NetworkCIDR != "",
-			"127.0.0.1",
+			nodeIPv4,
 			"-4",
 		},
 		{
 			clusterInfo.podV6NetworkCIDR != "",
-			"::1",
+			nodeIPv6,
 			"-6",
 		},
 	}
 	for _, c := range opensslConnectCommands {
 		if !c.enabled {
 			continue
 		}
-		cmd := []string{"timeout", "1", "openssl", "s_client", "-connect", net.JoinHostPort(c.ip, fmt.Sprint(port)), c.option}
+		cmd := []string{"curl", "-k", "-v", fmt.Sprintf("https://%s", net.JoinHostPort(c.ip, fmt.Sprint(port)))}
 		if tls12 {
-			cmd = append(cmd, "-tls1_2")
+			cmd = append(cmd, "--tls-max", "1.2", "--tlsv1.2")
 		}
 		stdout, stderr, err := data.RunCommandFromPod(antreaNamespace, pod, container, cmd)
-		assert.NoError(t, err, "failed to run openssl command on Pod '%s'\nstderr: %s", pod, stderr)
+		assert.NoError(t, err, "failed to run openssl command on Pod '%s'\nstderr: %s", pod, stdout)
 		t.Logf("Ran '%s' on Pod %s", strings.Join(cmd, " "), pod)
-		stdouts = append(stdouts, stdout)
+		// Appended stderr to stdouts because when we curl for the antrea-agent or antrea-controller
+		// apiserver URL, the connection is established but we get a 403 forbidden message because of
+		// all the cipher related details are present in stderr.
+		stdouts = append(stdouts, stderr)
 	}
 	return stdouts
 }