Add Conformance tests for BackendTLSPolicy validating SANs

kl52752 · kl52752 · commit b2dc6d5d1c29 · 2025-08-11T16:58:18.000Z
diff --git a/conformance/tests/backendtlspolicy.go b/conformance/tests/backendtlspolicy.go
@@ -69,6 +69,12 @@ var BackendTLSPolicy = suite.ConformanceTest{
 		invalidCertPolicyNN := types.NamespacedName{Name: "backendtlspolicy-cert-mismatch", Namespace: ns}
 		kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, invalidCertPolicyNN, gwNN, policyCond)
 
+		invalidSanPolicyNN := types.NamespacedName{Name: "backendtlspolicy-san-mismatch", Namespace: ns}
+		kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, invalidSanPolicyNN, gwNN, policyCond)
+
+		validSanPolicyNN := types.NamespacedName{Name: "backendtlspolicy-san", Namespace: ns}
+		kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, validSanPolicyNN, gwNN, policyCond)
+
 		serverStr := "abc.example.com"
 
 		// Verify that the request sent to Service with valid BackendTLSPolicy should succeed.
@@ -130,5 +136,32 @@ var BackendTLSPolicy = suite.ConformanceTest{
 					},
 				})
 		})
+
+		// Verify that the request sent to Service with BackendTLSPolicy configured with SANs should succeed.
+		t.Run("HTTP request sent to Service with BackendTLSPolicy configured with SAN should succeed", func(t *testing.T) {
+			h.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
+				h.ExpectedResponse{
+					Namespace: ns,
+					Request: h.Request{
+						Host: serverStr,
+						Path: "/backendTLSSan",
+						SNI:  serverStr,
+					},
+					Response: h.Response{StatusCode: 200},
+				})
+		})
+
+		// Verify that request sent to Service targeted by BackendTLSPolicy with mismatched SAN should failed.
+		t.Run("HTTP request send to Service targeted by BackendTLSPolicy with mismatched SAN should return HTTP error", func(t *testing.T) {
+			h.MakeRequestAndExpectFailure(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
+				h.ExpectedResponse{
+					Namespace: ns,
+					Request: h.Request{
+						Host: serverStr,
+						Path: "/backendTLSSanMismatch",
+						SNI:  serverStr,
+					},
+				})
+		})
 	},
 }
diff --git a/conformance/tests/backendtlspolicy.yaml b/conformance/tests/backendtlspolicy.yaml
@@ -70,6 +70,24 @@ spec:
     - path:
         type: Exact
         value: /backendTLSCertMismatch
+  - backendRefs:
+    - group: ""
+      kind: Service
+      name: backendtlspolicy-san-mismatch-test
+      port: 443
+    matches:
+    - path:
+        type: Exact
+        value: /backendTLSSanMismatch
+  - backendRefs:
+    - group: ""
+      kind: Service
+      name: backendtlspolicy-san-test
+      port: 443
+    matches:
+    - path:
+        type: Exact
+        value: /backendTLSSan
 ---
 apiVersion: v1
 kind: Service
@@ -115,6 +133,21 @@ spec:
     port: 443
     targetPort: 8443
 ---
+apiVersion: v1
+kind: Service
+metadata:
+  name: backendtlspolicy-san-mismatch-test
+  namespace: gateway-conformance-infra
+spec:
+  selector:
+    app: backendtlspolicy-test
+  ports:
+  - name: "btls"
+    protocol: TCP
+    appProtocol: HTTPS
+    port: 443
+    targetPort: 8443
+---
 # Deployment must not be applied until after the secret is generated.
 apiVersion: apps/v1
 kind: Deployment
@@ -222,18 +255,41 @@ spec:
 apiVersion: gateway.networking.k8s.io/v1alpha3
 kind: BackendTLSPolicy
 metadata:
-  name: backendtlspolicy-cert-mismatch
+  name: backendtlspolicy-san
   namespace: gateway-conformance-infra
 spec:
   targetRefs:
   - group: ""
     kind: Service
-    name: "backendtlspolicy-cert-mismatch-test"
+    name: "backendtlspolicy-san-test"
     sectionName: "btls"
   validation:
     caCertificateRefs:
     - group: ""
       kind: ConfigMap
       # This secret is generated dynamically by the test suite.
-      name: "backend-tls-mismatch-certificate"
-    hostname: "abc.example.com"
+      name: "backend-tls-certificate"
+    SubjectAltNames:
+    - Type: Hostname
+      Hostname: abc.example.com
+---
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: BackendTLSPolicy
+metadata:
+  name: backendtlspolicy-san-mismatch
+  namespace: gateway-conformance-infra
+spec:
+  targetRefs:
+  - group: ""
+    kind: Service
+    name: "backendtlspolicy-san-mismatch-test"
+    sectionName: "btls"
+  validation:
+    caCertificateRefs:
+    - group: ""
+      kind: ConfigMap
+      # This secret is generated dynamically by the test suite.
+      name: "backend-tls-certificate"
+    SubjectAltNames:
+    - Type: Hostname
+      Hostname: cde.example.com
