review fixes

Author: kl52752

conformance/tests/backendtlspolicy.go

@@ -20,7 +20,6 @@ import (
 	"testing"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
 	"k8s.io/apimachinery/pkg/types"
 
 	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
@@ -75,6 +74,9 @@ var BackendTLSPolicy = suite.ConformanceTest{
 		validSanPolicyNN := types.NamespacedName{Name: "backendtlspolicy-san", Namespace: ns}
 		kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, validSanPolicyNN, gwNN, policyCond)
 
+		validMultiSanPolicyNN := types.NamespacedName{Name: "backendtlspolicy-multiple-sans-test", Namespace: ns}
+		kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, validMultiSanPolicyNN, gwNN, policyCond)
+
 		serverStr := "abc.example.com"
 
 		// Verify that the request sent to Service with valid BackendTLSPolicy should succeed.
@@ -145,7 +147,19 @@ var BackendTLSPolicy = suite.ConformanceTest{
 					Request: h.Request{
 						Host: serverStr,
 						Path: "/backendTLSSan",
-						SNI:  serverStr,
+					},
+					Response: h.Response{StatusCode: 200},
+				})
+		})
+
+		// Verify that the request sent to Service with BackendTLSPolicy configured with multiple SANs should succeed.
+		t.Run("HTTP request sent to Service with BackendTLSPolicy configured with multiple SANs should succeed", func(t *testing.T) {
+			h.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
+				h.ExpectedResponse{
+					Namespace: ns,
+					Request: h.Request{
+						Host: serverStr,
+						Path: "/backendTLSMultiSans",
 					},
 					Response: h.Response{StatusCode: 200},
 				})
@@ -159,7 +173,6 @@ var BackendTLSPolicy = suite.ConformanceTest{
 					Request: h.Request{
 						Host: serverStr,
 						Path: "/backendTLSSanMismatch",
-						SNI:  serverStr,
 					},
 				})
 		})

conformance/tests/backendtlspolicy.yaml

@@ -88,6 +88,15 @@ spec:
     - path:
         type: Exact
         value: /backendTLSSan
+  - backendRefs:
+    - group: ""
+      kind: Service
+      name: backendtlspolicy-multiple-sans-test
+      port: 443
+    matches:
+    - path:
+        type: Exact
+        value: /backendTLSMultiSans
 ---
 apiVersion: v1
 kind: Service
@@ -163,6 +172,21 @@ spec:
     port: 443
     targetPort: 8443
 ---
+apiVersion: v1
+kind: Service
+metadata:
+  name: backendtlspolicy-multiple-sans-test
+  namespace: gateway-conformance-infra
+spec:
+  selector:
+    app: backendtlspolicy-test
+  ports:
+  - name: "btls"
+    protocol: TCP
+    appProtocol: HTTPS
+    port: 443
+    targetPort: 8443
+---
 # Deployment must not be applied until after the secret is generated.
 apiVersion: apps/v1
 kind: Deployment
@@ -269,6 +293,25 @@ spec:
 ---
 apiVersion: gateway.networking.k8s.io/v1alpha3
 kind: BackendTLSPolicy
+metadata:
+  name: backendtlspolicy-cert-mismatch
+  namespace: gateway-conformance-infra
+spec:
+  targetRefs:
+  - group: ""
+    kind: Service
+    name: "backendtlspolicy-cert-mismatch-test"
+    sectionName: "btls"
+  validation:
+    caCertificateRefs:
+    - group: ""
+      kind: ConfigMap
+      # This secret is generated dynamically by the test suite.
+      name: "backend-tls-mismatch-certificate"
+    hostname: "abc.example.com"
+---
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: BackendTLSPolicy
 metadata:
   name: backendtlspolicy-san
   namespace: gateway-conformance-infra
@@ -283,11 +326,37 @@ spec:
     - group: ""
       kind: ConfigMap
       # This secret is generated dynamically by the test suite.
-      name: "backend-tls-certificate"
+      name: "backend-tls-checks-certificate"
+    hostname: "abc.example.com"
     subjectAltNames:
     - type: Hostname
       hostname: abc.example.com
-    hostname: "mismatch.example.com"
+---
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: BackendTLSPolicy
+metadata:
+  name: backendtlspolicy-multiple-sans
+  namespace: gateway-conformance-infra
+spec:
+  targetRefs:
+  - group: ""
+    kind: Service
+    name: "backendtlspolicy-multiple-sans-test"
+    sectionName: "btls"
+  validation:
+    caCertificateRefs:
+    - group: ""
+      kind: ConfigMap
+      # This secret is generated dynamically by the test suite.
+      name: "backend-tls-checks-certificate"
+    hostname: "abc.example.com"
+    subjectAltNames:
+    - type: Hostname
+      hostname: abc.example.com
+    - type: Hostname
+      hostname: efg.example.com
+    - type: Hostname
+      hostname: yjh.example.com
 ---
 apiVersion: gateway.networking.k8s.io/v1alpha3
 kind: BackendTLSPolicy
@@ -305,8 +374,8 @@ spec:
     - group: ""
       kind: ConfigMap
       # This secret is generated dynamically by the test suite.
-      name: "backend-tls-certificate"
+      name: "backend-tls-checks-certificate"
+    hostname: "abc.example.com"
     subjectAltNames:
     - type: Hostname
       hostname: cde.example.com
-    hostname: "mismatch.example.com"

conformance/utils/kubernetes/helpers.go

@@ -1003,7 +1003,7 @@ func BackendTLSPolicyMustHaveCondition(t *testing.T, client client.Client, timeo
 		policy := &v1alpha3.BackendTLSPolicy{}
 		err := client.Get(ctx, policyNN, policy)
 		if err != nil {
-			return false, fmt.Errorf("error fetching BackendTLSPolicy: %w", err)
+			return false, fmt.Errorf("error fetching BackendTLSPolicy %v err: %w", policyNN, err)
 		}
 
 		for _, parent := range policy.Status.Ancestors {
@@ -1024,5 +1024,5 @@ func BackendTLSPolicyMustHaveCondition(t *testing.T, client client.Client, timeo
 		return false, nil
 	})
 
-	require.NoErrorf(t, waitErr, "error waiting for BackendTLSPolicy status to have a Condition %v", condition)
+	require.NoErrorf(t, waitErr, "error waiting for BackendTLSPolicy %v status to have a Condition %v", policyNN, condition)
 }