BackendTLSPolicy conformance tests for ResolvedRefs status condition (#4010)

* BackendTLSPolicy conformance tests for ResolvedRefs status condition

Signed-off-by: Norwin Schnyder <[email protected]>

* Apply PR feedback

Signed-off-by: Norwin Schnyder <[email protected]>

* deprecate StatusCode of the excpected response in favor of StatusCodes

Signed-off-by: Norwin Schnyder <[email protected]>

---------

Signed-off-by: Norwin Schnyder <[email protected]>

Author: snorwin

conformance/tests/backendtlspolicy-invalid-ca-certificate-ref.go

@@ -0,0 +1,98 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tests
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
+	gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+	gatewayv1alpha3 "sigs.k8s.io/gateway-api/apis/v1alpha3"
+	h "sigs.k8s.io/gateway-api/conformance/utils/http"
+	"sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
+	"sigs.k8s.io/gateway-api/conformance/utils/suite"
+	"sigs.k8s.io/gateway-api/pkg/features"
+)
+
+func init() {
+	ConformanceTests = append(ConformanceTests, BackendTLSPolicyInvalidCACertificateRef)
+}
+
+var BackendTLSPolicyInvalidCACertificateRef = suite.ConformanceTest{
+	ShortName:   "BackendTLSPolicyInvalidCACertificateRef",
+	Description: "A BackendTLSPolicy that specifies a single invalid CACertificateRef should have the Accepted and ResolvedRefs status condition set False with appropriate reasons, and HTTP requests to a backend targeted by this policy should fail with a 5xx response.",
+	Features: []features.FeatureName{
+		features.SupportGateway,
+		features.SupportHTTPRoute,
+		features.SupportBackendTLSPolicy,
+	},
+	Manifests: []string{"tests/backendtlspolicy-invalid-ca-certificate-ref.yaml"},
+	Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+		ns := "gateway-conformance-infra"
+		routeNN := types.NamespacedName{Name: "backendtlspolicy-invalid-ca-certificate-ref", Namespace: ns}
+		gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+
+		serverStr := "abc.example.com"
+
+		kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{ns})
+		gwAddr := kubernetes.GatewayAndRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), &gatewayv1.HTTPRoute{}, false, routeNN)
+
+		for _, policyNN := range []types.NamespacedName{
+			{Name: "nonexistent-ca-certificate-ref", Namespace: ns},
+			{Name: "malformed-ca-certificate-ref", Namespace: ns},
+		} {
+			t.Run("BackendTLSPolicy_"+policyNN.Name, func(t *testing.T) {
+				t.Run("BackendTLSPolicy with a single invalid CACertificateRef has a Accepted Condition with status False and Reason NoValidCACertificate", func(t *testing.T) {
+					acceptedCond := metav1.Condition{
+						Type:   string(gatewayv1alpha2.PolicyConditionAccepted),
+						Status: metav1.ConditionFalse,
+						Reason: string(gatewayv1alpha3.BackendTLSPolicyReasonNoValidCACertificate),
+					}
+
+					kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, policyNN, gwNN, acceptedCond)
+				})
+
+				t.Run("BackendTLSPolicy with a single invalid CACertificateRef has a ResolvedRefs Condition with status False and Reason InvalidCACertificateRef", func(t *testing.T) {
+					resolvedRefsCond := metav1.Condition{
+						Type:   string(gatewayv1alpha3.BackendTLSPolicyConditionResolvedRefs),
+						Status: metav1.ConditionFalse,
+						Reason: string(gatewayv1alpha3.BackendTLSPolicyReasonInvalidCACertificateRef),
+					}
+
+					kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, policyNN, gwNN, resolvedRefsCond)
+				})
+
+				t.Run("HTTP Request to backend targeted by an invalid BackendTLSPolicy receive a 5xx", func(t *testing.T) {
+					h.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
+						h.ExpectedResponse{
+							Namespace: ns,
+							Request: h.Request{
+								Host: serverStr,
+								Path: "/backendtlspolicy-" + policyNN.Name,
+							},
+							Response: h.Response{
+								StatusCodes: []int{500, 502, 503},
+							},
+						})
+				})
+			})
+		}
+	},
+}

conformance/tests/backendtlspolicy-invalid-ca-certificate-ref.yaml

@@ -0,0 +1,97 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: backendtlspolicy-invalid-ca-certificate-ref
+  namespace: gateway-conformance-infra
+spec:
+  parentRefs:
+    - name: same-namespace
+      namespace: gateway-conformance-infra
+  hostnames:
+    - abc.example.com
+  rules:
+    - backendRefs:
+        - name: backendtlspolicy-nonexistent-ca-certificate-ref-test
+          port: 443
+      matches:
+        - path:
+            type: Exact
+            value: /backendtlspolicy-nonexistent-ca-certificate-ref
+    - backendRefs:
+        - name: backendtlspolicy-malformed-ca-certificate-ref-test
+          port: 443
+      matches:
+        - path:
+            type: Exact
+            value: /backendtlspolicy-malformed-ca-certificate-ref
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: backendtlspolicy-nonexistent-ca-certificate-ref-test
+  namespace: gateway-conformance-infra
+spec:
+  selector:
+    app: tls-backend
+  ports:
+    - name: "https"
+      protocol: TCP
+      appProtocol: HTTPS
+      port: 443
+      targetPort: 8443
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: backendtlspolicy-malformed-ca-certificate-ref-test
+  namespace: gateway-conformance-infra
+spec:
+  selector:
+    app: tls-backend
+  ports:
+    - name: "https"
+      protocol: TCP
+      appProtocol: HTTPS
+      port: 443
+      targetPort: 8443
+---
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: BackendTLSPolicy
+metadata:
+  name: nonexistent-ca-certificate-ref
+  namespace: gateway-conformance-infra
+spec:
+  targetRefs:
+    - group: ""
+      kind: Service
+      name: "backendtlspolicy-nonexistent-ca-certificate-ref-test"
+  validation:
+    caCertificateRefs:
+      - group: ""
+        kind: ConfigMap
+        name: "nonexistent-ca-certificate"
+    hostname: "abc.example.com"
+---
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: BackendTLSPolicy
+metadata:
+  name: malformed-ca-certificate-ref
+  namespace: gateway-conformance-infra
+spec:
+  targetRefs:
+    - group: ""
+      kind: Service
+      name: "backendtlspolicy-malformed-ca-certificate-ref-test"
+  validation:
+    caCertificateRefs:
+      - group: ""
+        kind: ConfigMap
+        name: "malformed-ca-certificate"
+    hostname: "abc.example.com"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: malformed-ca-certificate
+  namespace: gateway-conformance-infra
+data: {}

conformance/tests/backendtlspolicy-invalid-kind.go

@@ -0,0 +1,93 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tests
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
+	gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+	gatewayv1alpha3 "sigs.k8s.io/gateway-api/apis/v1alpha3"
+	h "sigs.k8s.io/gateway-api/conformance/utils/http"
+	"sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
+	"sigs.k8s.io/gateway-api/conformance/utils/suite"
+	"sigs.k8s.io/gateway-api/pkg/features"
+)
+
+func init() {
+	ConformanceTests = append(ConformanceTests, BackendTLSPolicyInvalidKind)
+}
+
+var BackendTLSPolicyInvalidKind = suite.ConformanceTest{
+	ShortName:   "BackendTLSPolicyInvalidKind",
+	Description: "A BackendTLSPolicy that specifies a single CACertificateRef with an invalid kind should have the Accepted and ResolvedRefs status condition set False with appropriate reasons, and HTTP requests to a backend targeted by this policy should fail with a 5xx response.",
+	Features: []features.FeatureName{
+		features.SupportGateway,
+		features.SupportHTTPRoute,
+		features.SupportBackendTLSPolicy,
+	},
+	Manifests: []string{"tests/backendtlspolicy-invalid-kind.yaml"},
+	Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+		ns := "gateway-conformance-infra"
+		routeNN := types.NamespacedName{Name: "backendtlspolicy-invalid-kind-test", Namespace: ns}
+		gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+
+		serverStr := "abc.example.com"
+
+		kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{ns})
+		gwAddr := kubernetes.GatewayAndRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), &gatewayv1.HTTPRoute{}, false, routeNN)
+
+		policyNN := types.NamespacedName{Name: "invalid-kind", Namespace: ns}
+
+		t.Run("BackendTLSPolicy with a single invalid CACertificateRef has a Accepted Condition with status False and Reason NoValidCACertificate", func(t *testing.T) {
+			acceptedCond := metav1.Condition{
+				Type:   string(gatewayv1alpha2.PolicyConditionAccepted),
+				Status: metav1.ConditionFalse,
+				Reason: string(gatewayv1alpha3.BackendTLSPolicyReasonNoValidCACertificate),
+			}
+
+			kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, policyNN, gwNN, acceptedCond)
+		})
+
+		t.Run("BackendTLSPolicy with a single invalid CACertificateRef has a ResolvedRefs Condition with status False and Reason InvalidKind", func(t *testing.T) {
+			resolvedRefsCond := metav1.Condition{
+				Type:   string(gatewayv1alpha3.BackendTLSPolicyConditionResolvedRefs),
+				Status: metav1.ConditionFalse,
+				Reason: string(gatewayv1alpha3.BackendTLSPolicyReasonInvalidKind),
+			}
+
+			kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, policyNN, gwNN, resolvedRefsCond)
+		})
+
+		t.Run("HTTP Request to backend targeted by an invalid BackendTLSPolicy receive a 5xx", func(t *testing.T) {
+			h.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
+				h.ExpectedResponse{
+					Namespace: ns,
+					Request: h.Request{
+						Host: serverStr,
+						Path: "/backendtlspolicy-" + policyNN.Name,
+					},
+					Response: h.Response{
+						StatusCodes: []int{500, 502, 503},
+					},
+				})
+		})
+	},
+}

conformance/tests/backendtlspolicy-invalid-kind.yaml

@@ -0,0 +1,51 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: backendtlspolicy-invalid-kind-test
+  namespace: gateway-conformance-infra
+spec:
+  parentRefs:
+    - name: same-namespace
+      namespace: gateway-conformance-infra
+  hostnames:
+    - abc.example.com
+  rules:
+    - backendRefs:
+        - name: backendtlspolicy-invalid-kind-test
+          port: 443
+      matches:
+        - path:
+            type: Exact
+            value: /backendtlspolicy-invalid-kind
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: backendtlspolicy-invalid-kind-test
+  namespace: gateway-conformance-infra
+spec:
+  selector:
+    app: tls-backend
+  ports:
+    - name: "https"
+      protocol: TCP
+      appProtocol: HTTPS
+      port: 443
+      targetPort: 8443
+---
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: BackendTLSPolicy
+metadata:
+  name: invalid-kind
+  namespace: gateway-conformance-infra
+spec:
+  targetRefs:
+    - group: ""
+      kind: Service
+      name: "backendtlspolicy-invalid-kind-test"
+  validation:
+    caCertificateRefs:
+      - group: invalid.io
+        kind: InvalidKind
+        name: "invalid-kind"
+    hostname: "abc.example.com"