integration: standardize test infrastructure options

Make embedded DERP server and TLS the default configuration for all integration tests, replacing the per-test opt-in model that led to inconsistent and flaky test behavior. Infrastructure changes: - DefaultConfigEnv() includes embedded DERP server settings - New() auto-generates a proper CA + server TLS certificate pair - CA cert is installed into container trust stores and returned by GetCert() so clients and internal tools (curl) trust the server - CreateCertificate() now returns (caCert, cert, key) instead of discarding the CA certificate - Add WithPublicDERP() and WithoutTLS() opt-out options - Remove WithTLS(), WithEmbeddedDERPServerOnly(), and WithDERPAsIP() since all their behavior is now the default or unnecessary Test cleanup: - Remove all redundant WithTLS/WithEmbeddedDERPServerOnly/WithDERPAsIP calls from test files - Give every test a unique WithTestName by parameterizing aclScenario, sshScenario, and derpServerScenario helpers - Add WithTestName to tests that were missing it - Document all non-standard options with inline comments explaining why each is needed Updates #3139
2026-04-23 00:58:43 +02:00 · 2026-03-16 09:15:46 +00:00
parent 87b8507ac9
commit e5ebe3205a
18 changed files with 209 additions and 236 deletions
--- a/integration/hsic/config.go
+++ b/integration/hsic/config.go
@@ -28,11 +28,24 @@ func DefaultConfigEnv() map[string]string {
 		"HEADSCALE_PRIVATE_KEY_PATH":                  "/tmp/private.key",
 		"HEADSCALE_NOISE_PRIVATE_KEY_PATH":            "/tmp/noise_private.key",
 		"HEADSCALE_METRICS_LISTEN_ADDR":               "0.0.0.0:9090",
-		"HEADSCALE_DERP_URLS":                         "https://controlplane.tailscale.com/derpmap/default",
-		"HEADSCALE_DERP_AUTO_UPDATE_ENABLED":          "false",
-		"HEADSCALE_DERP_UPDATE_FREQUENCY":             "1m",
 		"HEADSCALE_DEBUG_PORT":                        "40000",

+		// Embedded DERP is the default for test isolation.
+		// Tests should not depend on external DERP infrastructure.
+		// Use WithPublicDERP() to opt out for tests that explicitly
+		// need public DERP relays.
+		"HEADSCALE_DERP_URLS":                    "",
+		"HEADSCALE_DERP_AUTO_UPDATE_ENABLED":     "false",
+		"HEADSCALE_DERP_UPDATE_FREQUENCY":        "1m",
+		"HEADSCALE_DERP_SERVER_ENABLED":          "true",
+		"HEADSCALE_DERP_SERVER_REGION_ID":        "999",
+		"HEADSCALE_DERP_SERVER_REGION_CODE":      "headscale",
+		"HEADSCALE_DERP_SERVER_REGION_NAME":      "Headscale Embedded DERP",
+		"HEADSCALE_DERP_SERVER_STUN_LISTEN_ADDR": "0.0.0.0:3478",
+		"HEADSCALE_DERP_SERVER_PRIVATE_KEY_PATH": "/tmp/derp.key",
+		"DERP_DEBUG_LOGS":                        "true",
+		"DERP_PROBER_DEBUG_LOGS":                 "true",
+
 		// a bunch of tests (ACL/Policy) rely on predictable IP alloc,
 		// so ensure the sequential alloc is used by default.
 		"HEADSCALE_PREFIXES_ALLOCATION": string(types.IPAllocationStrategySequential),