diff --git a/conformance/tests/backendtlspolicy.go b/conformance/tests/backendtlspolicy.go index fc6c6576eb..1af69abd11 100644 --- a/conformance/tests/backendtlspolicy.go +++ b/conformance/tests/backendtlspolicy.go @@ -20,7 +20,6 @@ import ( "testing" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/types" gatewayv1 "sigs.k8s.io/gateway-api/apis/v1" @@ -69,6 +68,15 @@ var BackendTLSPolicy = suite.ConformanceTest{ invalidCertPolicyNN := types.NamespacedName{Name: "backendtlspolicy-cert-mismatch", Namespace: ns} kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, invalidCertPolicyNN, gwNN, policyCond) + invalidSanPolicyNN := types.NamespacedName{Name: "backendtlspolicy-san-mismatch", Namespace: ns} + kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, invalidSanPolicyNN, gwNN, policyCond) + + validSanPolicyNN := types.NamespacedName{Name: "backendtlspolicy-san", Namespace: ns} + kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, validSanPolicyNN, gwNN, policyCond) + + validMultiSanPolicyNN := types.NamespacedName{Name: "backendtlspolicy-multiple-sans", Namespace: ns} + kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, validMultiSanPolicyNN, gwNN, policyCond) + serverStr := "abc.example.com" // Verify that the request sent to Service with valid BackendTLSPolicy should succeed. 
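Review bot: The import hunk removes `"k8s.io/apimachinery/pkg/types"`, yet the next hunk in this file still constructs `types.NamespacedName` values on the unchanged `invalidCertPolicyNN` line and on the three added `*PolicyNN` lines, so unless `types` is brought into scope by a line outside this hunk the file no longer compiles. The header `-20,7 +20,6` shows a net removal, not a move within the hunk, which points at a goimports or merge artifact; restore the line as `"k8s.io/apimachinery/pkg/types"` in the apimachinery import group. The import block continues past the end of this hunk, so a re-added import further down cannot be ruled out from here, but it should be verified with a build before merge.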
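Review bot: The three added `BackendTLSPolicyMustHaveCondition` calls repeat six identical arguments with only the policy name changing, and the `invalidSanPolicyNN`/`validSanPolicyNN`/`validMultiSanPolicyNN` locals are not used again within this hunk, so a loop reads better and keeps the next SAN case to a one-line change: `for _, name := range []string{"backendtlspolicy-san-mismatch", "backendtlspolicy-san", "backendtlspolicy-multiple-sans"} {` / `kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, types.NamespacedName{Name: name, Namespace: ns}, gwNN, policyCond)` / `}`. Keeping the mismatch policy in this pre-check matters: if `policyCond` is the Accepted condition (it is defined outside this hunk), it is what lets the later failing request be attributed to SAN verification rather than to a policy the implementation rejected. The enclosing ConformanceTest body starts before and continues after this hunk, so confirm the three locals are not referenced further down before collapsing them.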
@@ -130,5 +138,43 @@ var BackendTLSPolicy = suite.ConformanceTest{
 },
 })
 })
+
+ // Verify that the request sent to Service with BackendTLSPolicy configured with SANs should succeed.
+ t.Run("HTTP request sent to Service with BackendTLSPolicy configured with SAN should succeed", func(t *testing.T) {
+ h.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
+ h.ExpectedResponse{
+ Namespace: ns,
+ Request: h.Request{
+ Host: serverStr,
+ Path: "/backendTLSSan",
+ },
+ Response: h.Response{StatusCode: 200},
+ })
+ })
+
+ // Verify that the request sent to Service with BackendTLSPolicy configured with multiple SANs should succeed.
+ t.Run("HTTP request sent to Service with BackendTLSPolicy configured with multiple SANs should succeed", func(t *testing.T) {
+ h.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
+ h.ExpectedResponse{
+ Namespace: ns,
+ Request: h.Request{
+ Host: serverStr,
+ Path: "/backendTLSMultiSans",
+ },
+ Response: h.Response{StatusCode: 200},
+ })
+ })
+
+ // Verify that request sent to Service targeted by BackendTLSPolicy with mismatched SAN should failed.
+ t.Run("HTTP request send to Service targeted by BackendTLSPolicy with mismatched SAN should return HTTP error", func(t *testing.T) {
+ h.MakeRequestAndExpectFailure(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
+ h.ExpectedResponse{
+ Namespace: ns,
+ Request: h.Request{
+ Host: serverStr,
+ Path: "/backendTLSSanMismatch",
+ },
+ })
+ })
 },
 }
diff --git a/conformance/tests/backendtlspolicy.yaml b/conformance/tests/backendtlspolicy.yaml
index e048cc2e7b..311c316e5a 100644
--- a/conformance/tests/backendtlspolicy.yaml
+++ b/conformance/tests/backendtlspolicy.yaml
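Review bot: The comment and subtest name for the SAN-mismatch case have grammar slips that will show up in test output: `// Verify that request sent to Service targeted by BackendTLSPolicy with mismatched SAN should failed.` should read `// Verify that a request sent to a Service targeted by a BackendTLSPolicy with a mismatched SAN fails.`, and in the `t.Run` name `"HTTP request send to Service ..."` should be `sent`. On substance, this negative case is the one that proves SAN enforcement: every request uses `Host: serverStr` (`abc.example.com`) and the positive policies in this diff keep `hostname: abc.example.com`, so an implementation that ignores `subjectAltNames` and verifies only `hostname` would still pass both `/backendTLSSan` and `/backendTLSMultiSans`. `MakeRequestAndExpectFailure` is defined outside this diff, so I cannot tell whether it requires a gateway-side error (e.g. a 5xx) or accepts any failure; if it is the latter, the Accepted-condition check earlier in this function is the only thing separating "SAN rejected" from "backend unreachable". The enclosing test function starts before this hunk.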
@@ -70,6 +70,33 @@ spec: - path: type: Exact value: /backendTLSCertMismatch + - backendRefs: + - group: "" + kind: Service + name: backendtlspolicy-san-mismatch-test + port: 443 + matches: + - path: + type: Exact + value: /backendTLSSanMismatch + - backendRefs: + - group: "" + kind: Service + name: backendtlspolicy-san-test + port: 443 + matches: + - path: + type: Exact + value: /backendTLSSan + - backendRefs: + - group: "" + kind: Service + name: backendtlspolicy-multiple-sans-test + port: 443 + matches: + - path: + type: Exact + value: /backendTLSMultiSans --- apiVersion: v1 kind: Service @@ -115,6 +142,51 @@ spec: port: 443 targetPort: 8443 --- +apiVersion: v1 +kind: Service +metadata: + name: backendtlspolicy-san-mismatch-test + namespace: gateway-conformance-infra +spec: + selector: + app: backendtlspolicy-test + ports: + - name: "btls" + protocol: TCP + appProtocol: HTTPS + port: 443 + targetPort: 8443 +--- +apiVersion: v1 +kind: Service +metadata: + name: backendtlspolicy-san-test + namespace: gateway-conformance-infra +spec: + selector: + app: backendtlspolicy-test + ports: + - name: "btls" + protocol: TCP + appProtocol: HTTPS + port: 443 + targetPort: 8443 +--- +apiVersion: v1 +kind: Service +metadata: + name: backendtlspolicy-multiple-sans-test + namespace: gateway-conformance-infra +spec: + selector: + app: backendtlspolicy-test + ports: + - name: "btls" + protocol: TCP + appProtocol: HTTPS + port: 443 + targetPort: 8443 +--- # Deployment must not be applied until after the secret is generated. apiVersion: apps/v1 kind: Deployment 
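Review bot: The three new Services are copies of the existing `backendtlspolicy-test` Service differing only in `metadata.name`, all selecting `app: backendtlspolicy-test`, and nothing says why one Service per case is needed. A one-line comment above each would make the intent explicit, e.g. `# Dedicated Service so a separate BackendTLSPolicy can target it; it fronts the same backendtlspolicy-test pods as the others.`. Because all of them resolve to the same pods (and so to whatever certificate those pods serve, which is defined outside this diff), the SAN cases differ only in the policy attached, which is exactly what the tests want to isolate.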
@@ -237,3 +309,73 @@ spec:
 # This secret is generated dynamically by the test suite.
 name: "backend-tls-mismatch-certificate"
 hostname: "abc.example.com"
+---
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: BackendTLSPolicy
+metadata:
+ name: backendtlspolicy-san
+ namespace: gateway-conformance-infra
+spec:
+ targetRefs:
+ - group: ""
+ kind: Service
+ name: "backendtlspolicy-san-test"
+ sectionName: "btls"
+ validation:
+ caCertificateRefs:
+ - group: ""
+ kind: ConfigMap
+ # This secret is generated dynamically by the test suite.
+ name: "backend-tls-checks-certificate"
+ hostname: "abc.example.com"
+ subjectAltNames:
+ - type: Hostname
+ hostname: abc.example.com
+---
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: BackendTLSPolicy
+metadata:
+ name: backendtlspolicy-multiple-sans
+ namespace: gateway-conformance-infra
+spec:
+ targetRefs:
+ - group: ""
+ kind: Service
+ name: "backendtlspolicy-multiple-sans-test"
+ sectionName: "btls"
+ validation:
+ caCertificateRefs:
+ - group: ""
+ kind: ConfigMap
+ # This secret is generated dynamically by the test suite.
+ name: "backend-tls-checks-certificate"
+ hostname: "abc.example.com"
+ subjectAltNames:
+ - type: Hostname
+ hostname: abc.example.com
+ - type: Hostname
+ hostname: efg.example.com
+ - type: Hostname
+ hostname: yjh.example.com
+---
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: BackendTLSPolicy
+metadata:
+ name: backendtlspolicy-san-mismatch
+ namespace: gateway-conformance-infra
+spec:
+ targetRefs:
+ - group: ""
+ kind: Service
+ name: "backendtlspolicy-san-mismatch-test"
+ sectionName: "btls"
+ validation:
+ caCertificateRefs:
+ - group: ""
+ kind: ConfigMap
+ # This secret is generated dynamically by the test suite.
+ name: "backend-tls-checks-certificate"
+ hostname: "abc.example.com"
+ subjectAltNames:
+ - type: Hostname
+ hostname: cde.example.com
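Review bot: In `backendtlspolicy-multiple-sans` the entry that is expected to match, `abc.example.com`, is listed first, so an implementation that only honours the first `subjectAltNames` entry passes this test; listing it last (`efg.example.com`, `yjh.example.com`, then `abc.example.com`) actually exercises the any-of semantics the test name claims. All three policies keep `hostname: "abc.example.com"`, which (if I read the BackendTLSPolicy API correctly, to be confirmed against the field docs) is used only for SNI once `subjectAltNames` is set; that is what makes `backendtlspolicy-san-mismatch` meaningful and deserves a comment on it such as `# hostname still matches the served certificate; only the SAN list is wrong, so a failure proves subjectAltNames is enforced.`. The copied comment `# This secret is generated dynamically by the test suite.` sits above a `kind: ConfigMap` reference in all three new policies and should say `# This ConfigMap is generated dynamically by the test suite.`.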
diff --git a/conformance/utils/kubernetes/helpers.go b/conformance/utils/kubernetes/helpers.go index 8075132da1..4f8334f502 100644 --- a/conformance/utils/kubernetes/helpers.go +++ b/conformance/utils/kubernetes/helpers.go @@ -1003,7 +1003,7 @@ func BackendTLSPolicyMustHaveCondition(t *testing.T, client client.Client, timeo policy := &v1alpha3.BackendTLSPolicy{} err := client.Get(ctx, policyNN, policy) if err != nil { - return false, fmt.Errorf("error fetching BackendTLSPolicy: %w", err) + return false, fmt.Errorf("error fetching BackendTLSPolicy %v err: %w", policyNN, err) } for _, parent := range policy.Status.Ancestors { @@ -1024,5 +1024,5 @@ func BackendTLSPolicyMustHaveCondition(t *testing.T, client client.Client, timeo return false, nil }) - require.NoErrorf(t, waitErr, "error waiting for BackendTLSPolicy status to have a Condition %v", condition) + require.NoErrorf(t, waitErr, "error waiting for BackendTLSPolicy %v status to have a Condition %v", policyNN, condition) }
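Review bot: The new message `"error fetching BackendTLSPolicy %v err: %w"` reads awkwardly once the wrapped error is appended ("... err: <inner>") and carries the redundant "error" prefix that the Go error-wrapping convention avoids; `return false, fmt.Errorf("fetching BackendTLSPolicy %v: %w", policyNN, err)` gives the same information. Adding `policyNN` to the `require.NoErrorf` message in the second hunk is a good change and needs no rewording. Both hunks fall inside `BackendTLSPolicyMustHaveCondition`, whose signature and the rest of its body are outside this diff.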