integration: standardize test infrastructure options

Make embedded DERP server and TLS the default configuration for all integration tests, replacing the per-test opt-in model that led to inconsistent and flaky test behavior. Infrastructure changes: - DefaultConfigEnv() includes embedded DERP server settings - New() auto-generates a proper CA + server TLS certificate pair - CA cert is installed into container trust stores and returned by GetCert() so clients and internal tools (curl) trust the server - CreateCertificate() now returns (caCert, cert, key) instead of discarding the CA certificate - Add WithPublicDERP() and WithoutTLS() opt-out options - Remove WithTLS(), WithEmbeddedDERPServerOnly(), and WithDERPAsIP() since all their behavior is now the default or unnecessary Test cleanup: - Remove all redundant WithTLS/WithEmbeddedDERPServerOnly/WithDERPAsIP calls from test files - Give every test a unique WithTestName by parameterizing aclScenario, sshScenario, and derpServerScenario helpers - Add WithTestName to tests that were missing it - Document all non-standard options with inline comments explaining why each is needed Updates #3139
2026-03-19 16:21:23 +01:00 · 2026-03-16 09:15:46 +00:00
parent 87b8507ac9
commit e5ebe3205a
18 changed files with 209 additions and 236 deletions
--- a/integration/integrationutil/util.go
+++ b/integration/integrationutil/util.go
@@ -120,7 +120,11 @@ func FetchPathFromContainer(
 }

 // nolint
-func CreateCertificate(hostname string) ([]byte, []byte, error) {
+// CreateCertificate generates a CA certificate and a server certificate
+// signed by that CA for the given hostname. It returns the CA certificate
+// PEM (for trust stores), server certificate PEM, and server private key
+// PEM.
+func CreateCertificate(hostname string) (caCertPEM, certPEM, keyPEM []byte, err error) {
 	// From:
 	// https://shaneutt.com/blog/golang-ca-and-signed-cert-go/

@@ -144,7 +148,27 @@ func CreateCertificate(hostname string) ([]byte, []byte, error) {

 	caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, nil, err
+	}
+
+	caBytes, err := x509.CreateCertificate(
+		rand.Reader,
+		ca,
+		ca,
+		&caPrivKey.PublicKey,
+		caPrivKey,
+	)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	caPEM := new(bytes.Buffer)
+	err = pem.Encode(caPEM, &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: caBytes,
+	})
+	if err != nil {
+		return nil, nil, nil, err
 	}

 	cert := &x509.Certificate{
@@ -165,7 +189,7 @@ func CreateCertificate(hostname string) ([]byte, []byte, error) {

 	certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, nil, err
 	}

 	certBytes, err := x509.CreateCertificate(
@@ -176,30 +200,28 @@ func CreateCertificate(hostname string) ([]byte, []byte, error) {
 		caPrivKey,
 	)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, nil, err
 	}

-	certPEM := new(bytes.Buffer)
-
-	err = pem.Encode(certPEM, &pem.Block{
+	serverCertPEM := new(bytes.Buffer)
+	err = pem.Encode(serverCertPEM, &pem.Block{
 		Type:  "CERTIFICATE",
 		Bytes: certBytes,
 	})
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, nil, err
 	}

 	certPrivKeyPEM := new(bytes.Buffer)
-
 	err = pem.Encode(certPrivKeyPEM, &pem.Block{
 		Type:  "RSA PRIVATE KEY",
 		Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
 	})
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, nil, err
 	}

-	return certPEM.Bytes(), certPrivKeyPEM.Bytes(), nil
+	return caPEM.Bytes(), serverCertPEM.Bytes(), certPrivKeyPEM.Bytes(), nil
 }

 func BuildExpectedOnlineMap(all map[types.NodeID][]tailcfg.MapResponse) map[types.NodeID]map[types.NodeID]bool {