simplify BackendTLSPolicy test infrastructure and remove unnecessary code

snorwin · snorwin · commit a783fc462d66 · 2025-08-28T07:56:22.000+02:00
Signed-off-by: Norwin Schnyder &lt;norwin.schnyder+github@gmail.com&gt;
diff --git a/conformance/tests/backendtlspolicy.yaml b/conformance/tests/backendtlspolicy.yaml
@@ -45,7 +45,7 @@ metadata:
   namespace: gateway-conformance-infra
 spec:
   selector:
-    app: backendtlspolicy-test
+    app: tls-backend
   ports:
   - name: "btls"
     protocol: TCP
@@ -59,7 +59,7 @@ metadata:
   namespace: gateway-conformance-infra
 spec:
   selector:
-    app: backendtlspolicy-test
+    app: tls-backend
   ports:
   - name: "btls"
     protocol: TCP
@@ -74,80 +74,14 @@ metadata:
   namespace: gateway-conformance-infra
 spec:
   selector:
-    app: backendtlspolicy-test
+    app: tls-backend
   ports:
   - name: "btls"
     protocol: TCP
     appProtocol: HTTPS
     port: 443
     targetPort: 8443
 ---
-# Deployment must not be applied until after the secret is generated.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: backendtlspolicy-test
-  namespace: gateway-conformance-infra
-  labels:
-    app: backendtlspolicy-test
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: backendtlspolicy-test
-  template:
-    metadata:
-      labels:
-        app: backendtlspolicy-test
-    spec:
-      containers:
-      - name: backendtlspolicy-test
-        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd
-        volumeMounts:
-        - name: ca-volume
-          mountPath: /etc/ca-volume
-        - name: secret-volume
-          mountPath: /etc/secret-volume
-        env:
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: CA_CERT
-          value: /etc/ca-volume/crt
-        - name: CA_CERT_KEY
-          value: /etc/ca-volume/key
-        - name: TLS_SERVER_CERT
-          value: /etc/secret-volume/crt
-        - name: TLS_SERVER_PRIVKEY
-          value: /etc/secret-volume/key
-        resources:
-          requests:
-            cpu: 10m
-      volumes:
-      - name: ca-volume
-        configMap:
-          # This configMap is generated dynamically by the test suite.
-          name: backend-tls-checks-certificate
-          items:
-          - key: ca.crt
-            path: crt
-          - key: key.crt
-            path: key
-      - name: secret-volume
-        secret:
-          # This secret is generated dynamically by the test suite.
-          secretName: tls-checks-certificate
-          items:
-          - key: tls.crt
-            path: crt
-          - key: tls.key
-            path: key
----
 apiVersion: gateway.networking.k8s.io/v1alpha3
 kind: BackendTLSPolicy
 metadata:
@@ -163,8 +97,9 @@ spec:
     caCertificateRefs:
     - group: ""
       kind: ConfigMap
-      # This secret is generated dynamically by the test suite.
-      name: "backend-tls-checks-certificate"
+      # This ConfigMap is generated dynamically by the test suite.
+      # It contains the CA certificate used to sign the tls-backend serving certificate.
+      name: "tls-checks-ca-certificate"
     hostname: "abc.example.com"
 ---
 apiVersion: gateway.networking.k8s.io/v1alpha3
@@ -182,8 +117,9 @@ spec:
     caCertificateRefs:
     - group: ""
       kind: ConfigMap
-      # This secret is generated dynamically by the test suite.
-      name: "backend-tls-checks-certificate"
+      # This ConfigMap is generated dynamically by the test suite.
+      # It contains the CA certificate used to sign the tls-backend serving certificate.
+      name: "tls-checks-ca-certificate"
     hostname: "mismatch.example.com"
 ---
 apiVersion: gateway.networking.k8s.io/v1alpha3
@@ -201,6 +137,7 @@ spec:
     caCertificateRefs:
     - group: ""
       kind: ConfigMap
-      # This secret is generated dynamically by the test suite.
-      name: "backend-tls-mismatch-certificate"
+      # This ConfigMap is generated dynamically by the test suite.
+      # It contains a random, unused CA certificate to force validation to fail.
+      name: "mismatch-ca-certificate"
     hostname: "abc.example.com"
diff --git a/conformance/utils/kubernetes/certificate.go b/conformance/utils/kubernetes/certificate.go
@@ -151,12 +151,10 @@ func generateRSACert(hosts []string, keyOut, certOut io.Writer, ca *x509.Certifi
 
 // MustCreateCACertConfigMap will create a ConfigMap containing a CA Certificate, given a TLS Secret
 // for that CA certificate.  Also returns the CA certificate.
-func MustCreateCACertConfigMap(t *testing.T, namespace, configMapName string, hosts []string) (*corev1.ConfigMap, *x509.Certificate, *rsa.PrivateKey) {
-	require.NotEmpty(t, hosts, "require a non-empty hosts for Subject Alternate Name values")
-
+func MustCreateCACertConfigMap(t *testing.T, namespace, configMapName string) (*corev1.ConfigMap, *x509.Certificate, *rsa.PrivateKey) {
 	var certData, keyData bytes.Buffer
 
-	ca, caBytes, caPrivKey, err := generateCACert(hosts)
+	ca, caBytes, caPrivKey, err := generateCACert()
 	if err != nil {
 		t.Errorf("failed to generate CA certificate and key: %v", err)
 		return nil, nil, nil
@@ -187,8 +185,8 @@ func MustCreateCACertConfigMap(t *testing.T, namespace, configMapName string, ho
 	return caConfigMap, ca, caPrivKey
 }
 
-// generateCACert generates a CA and a CA-signed certificate valid for a year.
-func generateCACert(hosts []string) (*x509.Certificate, []byte, *rsa.PrivateKey, error) {
+// generateCACert generates a CA certificate valid for a year.
+func generateCACert() (*x509.Certificate, []byte, *rsa.PrivateKey, error) {
 	var caBytes []byte
 
 	// Create the CA certificate template.
@@ -212,17 +210,6 @@ func generateCACert(hosts []string) (*x509.Certificate, []byte, *rsa.PrivateKey,
 		BasicConstraintsValid: true,
 	}
 
-	// Ensure only valid hosts make it into the CA cert.
-	for _, h := range hosts {
-		if ip := net.ParseIP(h); ip != nil {
-			ca.IPAddresses = append(ca.IPAddresses, ip)
-		} else if err := validateHost(h); err == nil {
-			ca.DNSNames = append(ca.DNSNames, h)
-		} else if u, err := url.Parse(h); err == nil {
-			ca.URIs = append(ca.URIs, u)
-		}
-	}
-
 	// Generate the private key to sign certificates.
 	caPrivKey, err := rsa.GenerateKey(rand.Reader, rsaBits)
 	if err != nil {
diff --git a/conformance/utils/kubernetes/certificate_test.go b/conformance/utils/kubernetes/certificate_test.go
diff --git a/conformance/utils/suite/suite.go b/conformance/utils/suite/suite.go
@@ -388,9 +388,7 @@ func (suite *ConformanceTestSuite) Setup(t *testing.T, tests []ConformanceTest)
 		suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup)
 		secret = kubernetes.MustCreateSelfSignedCertSecret(t, "gateway-conformance-app-backend", "tls-passthrough-checks-certificate", []string{"abc.example.com"})
 		suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup)
-		caConfigMapBST, _, _ := kubernetes.MustCreateCACertConfigMap(t, "gateway-conformance-infra", "backend-tls-mismatch-certificate", []string{"nex.example.com"})
-		suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{caConfigMapBST}, suite.Cleanup)
-		caConfigMap, ca, caPrivKey := kubernetes.MustCreateCACertConfigMap(t, "gateway-conformance-infra", "backend-tls-checks-certificate", []string{"abc.example.com"})
+		caConfigMap, ca, caPrivKey := kubernetes.MustCreateCACertConfigMap(t, "gateway-conformance-infra", "tls-checks-ca-certificate")
 		suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{caConfigMap}, suite.Cleanup)
 		secret = kubernetes.MustCreateCASignedCertSecret(t, "gateway-conformance-infra", "tls-checks-certificate", []string{"abc.example.com"}, ca, caPrivKey)
 		suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup)
@@ -400,6 +398,10 @@ func (suite *ConformanceTestSuite) Setup(t *testing.T, tests []ConformanceTest)
 		secret = kubernetes.MustCreateCASignedCertSecret(t, "gateway-conformance-infra", "tls-with-san-certificate", []string{"abc.example.com", "spiffe://abc.example.com/test-identity"}, ca, caPrivKey)
 		suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup)
 
+		// The following CA ceritficate is used for BackendTLSPolicy testing to intentionally force TLS validation to fail.
+		caConfigMap, _, _ = kubernetes.MustCreateCACertConfigMap(t, "gateway-conformance-infra", "mismatch-ca-certificate")
+		suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{caConfigMap}, suite.Cleanup)
+
 		tlog.Logf(t, "Test Setup: Ensuring Gateways and Pods from base manifests are ready")
 		namespaces := []string{
 			"gateway-conformance-infra",
