
Issue 3138 - Conformance Tests for BackendTLSPolicy - normative #3212

Open: wants to merge 15 commits into base: main

@candita (Contributor) commented Jul 23, 2024

What type of PR is this?

/kind test
/area conformance

What this PR does / why we need it:

Add a normative test of Gateway API BackendTLSPolicy implementations.

Which issue(s) this PR fixes:
Fixes #3138

Does this PR introduce a user-facing change?:

NONE

@k8s-ci-robot (Contributor) commented:

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/test area/conformance-test Issues or PRs related to Conformance tests. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 23, 2024
@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 76c8e10 to 6d9ab9e Compare August 13, 2024 00:38
@candita (Contributor Author) commented Aug 13, 2024

/test pull-gateway-api-verify

@candita (Contributor Author) commented Aug 14, 2024

/test pull-gateway-api-verify

@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 0ec34a8 to 75551a0 Compare August 19, 2024 17:12
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 19, 2024
@candita (Contributor Author) commented Aug 19, 2024

/test pull-gateway-api-verify

@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 75551a0 to 7626aaa Compare August 19, 2024 18:48
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Aug 19, 2024
@candita (Contributor Author) commented Aug 19, 2024

/test pull-gateway-api-verify

@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 7626aaa to 1bc71f0 Compare August 19, 2024 19:09
@candita (Contributor Author) commented Aug 19, 2024

/test pull-gateway-api-verify

@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 1bc71f0 to 99e7eac Compare August 19, 2024 19:55
@candita (Contributor Author) commented Aug 19, 2024

/test pull-gateway-api-verify

@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 99e7eac to b774245 Compare August 19, 2024 20:35
@candita (Contributor Author) commented Aug 19, 2024

/test pull-gateway-api-verify

@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from b774245 to 91488aa Compare August 19, 2024 22:30
@candita (Contributor Author) commented Aug 19, 2024

/test pull-gateway-api-verify

@candita (Contributor Author) commented Aug 19, 2024

/test pull-gateway-api-test

port: 443
targetPort: 8443
---
# Deployment must not be applied until after the secret is generated.
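
Review bot: the ordering requirement in the comment above the Deployment ("must not be applied until after the secret is generated") does not say which Secret is meant or what generates it. Name the Secret and the step that creates it in the comment, so a reader of the manifest can tell what the Deployment is waiting on.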

Member commented:

Same here: I think we should reuse the tls-backend. We can still create a dedicated copy of its Service for this test to avoid interference with other test cases.

Contributor Author commented:

This deployment has new environment variables and volume for CA cert. I didn't want to edit an existing deployment and have to try to predict whether that would cause problems in the other tests. I have limited time to work on this and running one conformance test in isolation without changing/breaking others is my preference. Again, if anyone wants to come and optimize that later, it would be great.

       - name: CA_CERT
          value: /etc/ca-volume/crt
        - name: CA_CERT_KEY
          value: /etc/ca-volume/key
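
Review bot: `CA_CERT_KEY` pointing at `/etc/ca-volume/key` reads as if the CA's private key is mounted into the workload, while a TLS backend normally needs only its own serving certificate and key. If this is the serving key, a name that does not suggest the CA key would be clearer; if it really is the CA key, a comment stating why the workload needs it would help.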

Member commented:

When it comes to testing workload, we should deploy them separately. I don't think we do have a precedent test that deploys workloads. If we need ad-hoc configuration for this that's fine, but we should at least deploy it as part of the infra.

@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 305dee7 to dc99c42 Compare July 12, 2025 01:39
@candita (Contributor Author) commented Jul 12, 2025

@snorwin @robscott @youngnick @shaneutt - there are one or two non-trivial but not necessarily critical requests remaining that I won't be able to address right away, but I would like to merge this asap so that @kl52752 can start working on subsequent conformance tests.

See #3212 (comment), and also the requests to consolidate Gateway and Deployment objects. I don't have the bandwidth to make those changes and hope we can address them later.

I also added an update to #3212 (comment) and #3212 (comment) for @shaneutt

PTAL and merge asap for @kl52752 . Thank you.

@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch 3 times, most recently from 48f5ba2 to 1d028f0 Compare July 13, 2025 18:37
@snorwin (Member) commented Jul 14, 2025

@candita That is fine for me, I’m happy to proceed with the suggestion I proposed and will create follow-up PRs for it.

@shaneutt shaneutt self-assigned this Jul 14, 2025
@kl52752 (Contributor) commented Jul 14, 2025

/lgtm

@k8s-ci-robot (Contributor) commented:

@kl52752: changing LGTM is restricted to collaborators

In response to this:

/lgtm


features.SupportHTTPRoute,
features.SupportBackendTLSPolicy,
},
Manifests: []string{"tests/backendtlspolicy.yaml"},

Member commented:

Suggested change
Manifests: []string{"tests/backendtlspolicy.yaml"},
Provisional: true
Manifests: []string{"tests/backendtlspolicy.yaml"},
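
Review bot: the added `Provisional: true` line in this suggestion has no trailing comma, unlike the `Manifests: ...,` line next to it; in a multi-line Go composite literal that is a syntax error. It should read `Provisional: true,`.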

@candita (Contributor Author) commented Jul 15, 2025

@mlavacca what does this mean? The feature is implementable and moving to standard in v1.4.

kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{ns})
gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAcceptedMultipleListeners(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
kubernetes.HTTPRouteMustHaveResolvedRefsConditionsTrue(t, suite.Client, suite.TimeoutConfig, routeNN, gwNN)

Member commented:

I'm fine with putting this off, but can we at least add a TODO comment to be sure we don't forget?

kind: Gateway
metadata:
name: gateway-backendtlspolicy
namespace: gateway-conformance-infra

Member commented:

We should re-use gateways very carefully because of this issue: #3233. Considering the nature of the feature (still experimental) and in any case not part of the core conformance, I strongly think we should proceed with the approach proposed by @candita.

port: 443
targetPort: 8443
---
# Deployment must not be applied until after the secret is generated.

Member commented:

When it comes to testing workload, we should deploy them separately. I don't think we do have a precedent test that deploys workloads. If we need ad-hoc configuration for this that's fine, but we should at least deploy it as part of the infra.


const (
// This option indicates support for BackendTLSPolicy.
SupportBackendTLSPolicy FeatureName = "BackendTLSPolicy"

Member commented:

I think we should consider whether to include this in the GATEWAY-HTTP profile or create a dedicated conf profile for it. I lean for the latter, but am curious to hear your opinion here.

@k8s-ci-robot (Contributor) commented:

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: candita
Once this PR has been reviewed and has the lgtm label, please ask for approval from shaneutt. For more information see the Code Review Process.


Needs approval from an approver in each of these files:


@shaneutt (Member) left a review comment:

Following our community call today, there are individuals eager to try these tests. While we recognize there's more work to be done, we can test and iterate since this isn't user-facing.

/approve

candita and others added 15 commits July 15, 2025 17:04
conformance/base/manifests.yaml - fix yaml
conformance/tests/backendtlspolicy.yaml - fix yaml
conformance/tests/tlsroute-simple-same-namespace.go - rename cert for sharing
conformance/utils/suite/conformance.go - fix a bug in cleanup-base-resources flag application
conformance/utils/suite/suite.go - rename cert for sharing
call, some debugging, and fix yaml
# Conflicts:
#	conformance/utils/http/http.go
Add conformance profiles to logged information.
Remove echo-basic changes, fix cert building, and adjust the port used for gateways with multiple listeners

Co-authored-by: Norwin Schnyder <[email protected]>
@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 8a88f1f to 2d91cd1 Compare July 15, 2025 21:06
Labels
area/conformance-test Issues or PRs related to Conformance tests. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/test priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. release-note-none Denotes a PR that doesn't merit a release note. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. v1.4-release/subtask This indicates a subtask of a feature, bug, or smaller issue for the v1.4 release. v1.4-release/targeting-standard This issue is targeting a transition to STANDARD as part of the v1.4 release.
Status: Review
Development

Successfully merging this pull request may close these issues.

Conformance tests for BackendTLSPolicy