Address the last of the review comments

Author: candita

conformance/base/manifests.yaml

@@ -139,7 +139,7 @@ spec:
       containers:
       - name: infra-backend-v1
         # Originally from https://github.com/kubernetes-sigs/ingress-controller-conformance/tree/master/images/echoserver
-        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9
+        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd
         env:
         - name: POD_NAME
           valueFrom:
@@ -185,7 +185,7 @@ spec:
     spec:
       containers:
       - name: infra-backend-v2
-        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9
+        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd
         env:
         - name: POD_NAME
           valueFrom:
@@ -231,7 +231,7 @@ spec:
     spec:
       containers:
       - name: infra-backend-v3
-        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9
+        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd
         env:
         - name: POD_NAME
           valueFrom:
@@ -277,7 +277,7 @@ spec:
     spec:
       containers:
       - name: tls-backend
-        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9
+        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd
         volumeMounts:
         - name: secret-volume
           mountPath: /etc/secret-volume
@@ -346,7 +346,7 @@ spec:
     spec:
       containers:
       - name: tls-backend
-        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9
+        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd
         volumeMounts:
         - name: secret-volume
           mountPath: /etc/secret-volume
@@ -408,7 +408,7 @@ spec:
     spec:
       containers:
       - name: app-backend-v1
-        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9
+        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd
         env:
         - name: POD_NAME
           valueFrom:
@@ -454,7 +454,7 @@ spec:
     spec:
       containers:
       - name: app-backend-v2
-        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9
+        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd
         env:
         - name: POD_NAME
           valueFrom:
@@ -507,7 +507,7 @@ spec:
     spec:
       containers:
       - name: web-backend
-        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9
+        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd
         env:
         - name: POD_NAME
           valueFrom:
@@ -554,7 +554,7 @@ spec:
     spec:
       containers:
       - name: grpc-infra-backend-v1
-        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9
+        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd
         env:
         - name: POD_NAME
           valueFrom:
@@ -603,7 +603,7 @@ spec:
     spec:
       containers:
       - name: grpc-infra-backend-v2
-        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9
+        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd
         env:
         - name: POD_NAME
           valueFrom:
@@ -652,7 +652,7 @@ spec:
     spec:
       containers:
       - name: grpc-infra-backend-v3
-        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9
+        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd
         env:
         - name: POD_NAME
           valueFrom:

conformance/conformance.go

@@ -144,6 +144,7 @@ func logOptions(t *testing.T, opts suite.ConformanceOptions) {
 	t.Logf("  Enable All Features: %t", opts.EnableAllSupportedFeatures)
 	t.Logf("  Supported Features: %v", opts.SupportedFeatures.UnsortedList())
 	t.Logf("  ExemptFeatures: %v", opts.ExemptFeatures.UnsortedList())
+	t.Logf("  ConformanceProfiles: %v", opts.ConformanceProfiles.UnsortedList())
 }
 
 func writeReport(logf func(string, ...any), report confv1.ConformanceReport, output string) error {

conformance/tests/backendtlspolicy.go

@@ -21,6 +21,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/types"
 
+	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
 	h "sigs.k8s.io/gateway-api/conformance/utils/http"
 	"sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
 	"sigs.k8s.io/gateway-api/conformance/utils/suite"
@@ -47,7 +48,7 @@ var BackendTLSPolicy = suite.ConformanceTest{
 		gwNN := types.NamespacedName{Name: "gateway-backendtlspolicy", Namespace: ns}
 
 		kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{ns})
-		gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAcceptedMultipleListeners(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+		gwAddr := kubernetes.GatewayAndRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), &gatewayv1.HTTPRoute{}, false, routeNN)
 		kubernetes.HTTPRouteMustHaveResolvedRefsConditionsTrue(t, suite.Client, suite.TimeoutConfig, routeNN, gwNN)
 
 		serverStr := "abc.example.com"
@@ -66,7 +67,7 @@ var BackendTLSPolicy = suite.ConformanceTest{
 				})
 		})
 
-		// For the re-encrypt case, we  need to use the cert for the frontend tls listener.
+		// For the re-encrypt case, we need to use the cert for the frontend tls listener.
 		certNN := types.NamespacedName{Name: "tls-checks-certificate", Namespace: ns}
 		cPem, keyPem, err := GetTLSSecret(suite.Client, certNN)
 		if err != nil {

conformance/utils/kubernetes/certificate.go

@@ -146,9 +146,9 @@ func generateRSACert(hosts []string, keyOut, certOut io.Writer, ca *x509.Certifi
 	return nil
 }
 
-// MustCreateCASignedCertConfigMap will create a ConfigMap containing a CA Certificate, given a TLS Secret
+// MustCreateCACertConfigMap will create a ConfigMap containing a CA Certificate, given a TLS Secret
 // for that CA certificate.  Also returns the CA certificate.
-func MustCreateCASignedCertConfigMap(t *testing.T, namespace, configMapName string, hosts []string) (*corev1.ConfigMap, *x509.Certificate, *rsa.PrivateKey) {
+func MustCreateCACertConfigMap(t *testing.T, namespace, configMapName string, hosts []string) (*corev1.ConfigMap, *x509.Certificate, *rsa.PrivateKey) {
 	require.NotEmpty(t, hosts, "require a non-empty hosts for Subject Alternate Name values")
 
 	var certData, keyData bytes.Buffer
@@ -176,7 +176,8 @@ func MustCreateCASignedCertConfigMap(t *testing.T, namespace, configMapName stri
 			Name:      configMapName,
 		},
 		Data: map[string]string{
-			"ca.crt":  certData.String(),
+			"ca.crt": certData.String(),
+			// Don't do this in production, this is just for conformance testing.
 			"key.crt": keyData.String(),
 		},
 	}

conformance/utils/kubernetes/helpers.go

@@ -332,24 +332,20 @@ func MeshNamespacesMustBeReady(t *testing.T, c client.Client, timeoutConfig conf
 //
 // The test will fail if these conditions are not met before the timeouts.
 // Note that this also returns a Gateway address to use, but it takes the port
-// from the first listener it finds. Therefore, if the Gateway has multiple listeners,
-// don't use this function unless you can ignore the port and allow the url
-// scheme to determine the default port to use in a URL. Set parameter `usePort` to
-// false if there are multiple listeners, and true if there is only one listener.
+// from the first listener it finds.  Set parameter `usePort` to false if there
+// are multiple listeners, and true if there is only one listener.
 func GatewayAndRoutesMustBeAccepted(t *testing.T, c client.Client, timeoutConfig config.TimeoutConfig, controllerName string, gw GatewayRef, routeType any, usePort bool, routeNNs ...types.NamespacedName) string {
 	t.Helper()
 
-	var err error
-	var gwAddr string
-
 	RouteTypeMustHaveParentsField(t, routeType)
+	gwAddr, err := WaitForGatewayAddress(t, c, timeoutConfig, gw)
+	require.NoErrorf(t, err, "timed out waiting for Gateway address to be assigned")
+
 	// If the Gateway has multiple listeners, get a portless gwAddr.
+	// Otherwise, you get the first listener's port, which might not be the one you want.
 	if !usePort {
-		gwAddr, err = WaitForGatewayAddressMultipleListeners(t, c, timeoutConfig, gw)
-	} else {
-		gwAddr, err = WaitForGatewayAddress(t, c, timeoutConfig, gw)
+		gwAddr, _, _ = strings.Cut(gwAddr, ":")
 	}
-	require.NoErrorf(t, err, "timed out waiting for Gateway address to be assigned")
 
 	ns := gatewayv1.Namespace(gw.Namespace)
 	kind := gatewayv1.Kind("Gateway")
@@ -416,12 +412,6 @@ func GatewayAndHTTPRoutesMustBeAccepted(t *testing.T, c client.Client, timeoutCo
 	return GatewayAndRoutesMustBeAccepted(t, c, timeoutConfig, controllerName, gw, &gatewayv1.HTTPRoute{}, true, routeNNs...)
 }
 
-// GatewayAndHTTPRoutesMustBeAcceptedMultipleListeners is the same as GatewayAndHTTPRoutesMustBeAccepted except it does not
-// return the port in the gateway string.  With multiple listeners, port varies and some tests can't succeed using the returned port.
-func GatewayAndHTTPRoutesMustBeAcceptedMultipleListeners(t *testing.T, c client.Client, timeoutConfig config.TimeoutConfig, controllerName string, gw GatewayRef, routeNNs ...types.NamespacedName) string {
-	return GatewayAndRoutesMustBeAccepted(t, c, timeoutConfig, controllerName, gw, &gatewayv1.HTTPRoute{}, false, routeNNs...)
-}
-
 // GatewayAndUDPRoutesMustBeAccepted waits until the specified Gateway has an IP
 // address assigned to it and the UDPRoute has a ParentRef referring to the
 // Gateway. The test will fail if these conditions are not met before the
@@ -431,8 +421,7 @@ func GatewayAndUDPRoutesMustBeAccepted(t *testing.T, c client.Client, timeoutCon
 }
 
 // WaitForGatewayAddress waits until at least one IP Address has been set in the
-// status of the specified Gateway.  Use when there is only one listener in the
-// Gateway.
+// status of the specified Gateway.
 func WaitForGatewayAddress(t *testing.T, client client.Client, timeoutConfig config.TimeoutConfig, gwRef GatewayRef) (string, error) {
 	t.Helper()
 
@@ -467,34 +456,6 @@ func WaitForGatewayAddress(t *testing.T, client client.Client, timeoutConfig con
 	return net.JoinHostPort(ipAddr, port), waitErr
 }
 
-// WaitForGatewayAddressMultipleListeners waits until at least one IP Address has been set in the
-// status of the specified Gateway and returns it without a port. A port interferes when
-// there are multiple listeners, e.g if the first listener is HTTP/80 but we want to be using another
-// listener with HTTPS/443, we can't send a request to https://gwaddr:80.  But we can send a request
-// to https://gwaddr and expect it to succeed by using the default port for HTTPS.
-func WaitForGatewayAddressMultipleListeners(t *testing.T, client client.Client, timeoutConfig config.TimeoutConfig, gwRef GatewayRef) (string, error) {
-	t.Helper()
-
-	var ipAddr string
-	waitErr := wait.PollUntilContextTimeout(context.Background(), 1*time.Second, timeoutConfig.GatewayMustHaveAddress, true, func(ctx context.Context) (bool, error) {
-		gw, err := getGatewayStatus(t, ctx, client, gwRef)
-		if gw == nil {
-			// The returned error is nil if the Gateway conditions don't have the latest observed generation.
-			return false, err
-		}
-
-		for _, address := range gw.Status.Addresses {
-			if address.Type != nil && (*address.Type == gatewayv1.IPAddressType || *address.Type == v1alpha2.HostnameAddressType) {
-				ipAddr = address.Value
-				return true, nil
-			}
-		}
-		return false, nil
-	})
-	require.NoErrorf(t, waitErr, "error waiting for Gateway to have at least one IP address in status")
-	return ipAddr, waitErr
-}
-
 func getGatewayStatus(t *testing.T, ctx context.Context, client client.Client, gwRef GatewayRef) (*gatewayv1.Gateway, error) {
 	gw := &gatewayv1.Gateway{}
 	err := client.Get(ctx, gwRef.NamespacedName, gw)

conformance/utils/suite/suite.go

@@ -370,7 +370,7 @@ func (suite *ConformanceTestSuite) Setup(t *testing.T, tests []ConformanceTest)
 		suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup)
 		secret = kubernetes.MustCreateSelfSignedCertSecret(t, "gateway-conformance-app-backend", "tls-passthrough-checks-certificate", []string{"abc.example.com"})
 		suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup)
-		caConfigMap, ca, caPrivKey := kubernetes.MustCreateCASignedCertConfigMap(t, "gateway-conformance-infra", "backend-tls-checks-certificate", []string{"abc.example.com"})
+		caConfigMap, ca, caPrivKey := kubernetes.MustCreateCACertConfigMap(t, "gateway-conformance-infra", "backend-tls-checks-certificate", []string{"abc.example.com"})
 		suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{caConfigMap}, suite.Cleanup)
 		secret = kubernetes.MustCreateCASignedCertSecret(t, "gateway-conformance-infra", "tls-checks-certificate", []string{"abc.example.com"}, ca, caPrivKey)
 		suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup)