From b2c36fe9a06094e4cb142adbf089219d7ecd3da1 Mon Sep 17 00:00:00 2001
From: Katarzyna Lach
Date: Mon, 11 Aug 2025 16:47:11 +0000
Subject: [PATCH 1/2] Add Conformance tests for BackendTLSPolicy validating SANs

---
 conformance/tests/backendtlspolicy.go | 33 ++++++++++
 conformance/tests/backendtlspolicy.yaml | 81 +++++++++++++++++++++++--
 2 files changed, 110 insertions(+), 4 deletions(-)

diff --git a/conformance/tests/backendtlspolicy.go b/conformance/tests/backendtlspolicy.go
index fc6c6576eb..3cfc5ad600 100644
--- a/conformance/tests/backendtlspolicy.go
+++ b/conformance/tests/backendtlspolicy.go
@@ -69,6 +69,12 @@ var BackendTLSPolicy = suite.ConformanceTest{
 invalidCertPolicyNN := types.NamespacedName{Name: "backendtlspolicy-cert-mismatch", Namespace: ns}
 kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, invalidCertPolicyNN, gwNN, policyCond)

+ invalidSanPolicyNN := types.NamespacedName{Name: "backendtlspolicy-san-mismatch", Namespace: ns}
+ kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, invalidSanPolicyNN, gwNN, policyCond)
+
+ validSanPolicyNN := types.NamespacedName{Name: "backendtlspolicy-san", Namespace: ns}
+ kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, validSanPolicyNN, gwNN, policyCond)
+
 serverStr := "abc.example.com"

 // Verify that the request sent to Service with valid BackendTLSPolicy should succeed.
@@ -130,5 +136,32 @@ var BackendTLSPolicy = suite.ConformanceTest{
 },
 })
 })
+
+ // Verify that the request sent to Service with BackendTLSPolicy configured with SANs should succeed.
+ t.Run("HTTP request sent to Service with BackendTLSPolicy configured with SAN should succeed", func(t *testing.T) {
+ h.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
+ h.ExpectedResponse{
+ Namespace: ns,
+ Request: h.Request{
+ Host: serverStr,
+ Path: "/backendTLSSan",
+ SNI: serverStr,
+ },
+ Response: h.Response{StatusCode: 200},
+ })
+ })
+
+ // Verify that request sent to Service targeted by BackendTLSPolicy with mismatched SAN should failed.
+ t.Run("HTTP request send to Service targeted by BackendTLSPolicy with mismatched SAN should return HTTP error", func(t *testing.T) {
+ h.MakeRequestAndExpectFailure(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
+ h.ExpectedResponse{
+ Namespace: ns,
+ Request: h.Request{
+ Host: serverStr,
+ Path: "/backendTLSSanMismatch",
+ SNI: serverStr,
+ },
+ })
+ })
 },
 }
diff --git a/conformance/tests/backendtlspolicy.yaml b/conformance/tests/backendtlspolicy.yaml
index e048cc2e7b..ba1f700e9d 100644
--- a/conformance/tests/backendtlspolicy.yaml
+++ b/conformance/tests/backendtlspolicy.yaml
@@ -70,6 +70,24 @@ spec:
 - path:
 type: Exact
 value: /backendTLSCertMismatch
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: backendtlspolicy-san-mismatch-test
+ port: 443
+ matches:
+ - path:
+ type: Exact
+ value: /backendTLSSanMismatch
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: backendtlspolicy-san-test
+ port: 443
+ matches:
+ - path:
+ type: Exact
+ value: /backendTLSSan
 ---
 apiVersion: v1
 kind: Service
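Review bot: The negative SAN case relies on `h.MakeRequestAndExpectFailure`, which by its name accepts any failed response; if that helper also treats a 404 from an unmatched route as failure (its body is not visible here), a typo in `/backendTLSSanMismatch` or a missing HTTPRoute rule would make this test pass without any TLS verification having happened, so it would be worth pinning the gateway's upstream-TLS-failure status if the suite supports it, or at least stating in the comment what counts as failure. The comment and subtest name also read oddly: `// Verify that a request sent to a Service targeted by a BackendTLSPolicy with a mismatched SAN fails.` and `t.Run("HTTP request sent to Service targeted by BackendTLSPolicy with mismatched SAN should return HTTP error", ...)`. The enclosing `BackendTLSPolicy.Test` function starts before this hunk.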
@@ -115,6 +133,36 @@ spec:
 port: 443
 targetPort: 8443
 ---
+apiVersion: v1
+kind: Service
+metadata:
+ name: backendtlspolicy-san-mismatch-test
+ namespace: gateway-conformance-infra
+spec:
+ selector:
+ app: backendtlspolicy-test
+ ports:
+ - name: "btls"
+ protocol: TCP
+ appProtocol: HTTPS
+ port: 443
+ targetPort: 8443
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: backendtlspolicy-san-test
+ namespace: gateway-conformance-infra
+spec:
+ selector:
+ app: backendtlspolicy-test
+ ports:
+ - name: "btls"
+ protocol: TCP
+ appProtocol: HTTPS
+ port: 443
+ targetPort: 8443
+---
 # Deployment must not be applied until after the secret is generated.
 apiVersion: apps/v1
 kind: Deployment
@@ -222,18 +270,43 @@ spec:
 apiVersion: gateway.networking.k8s.io/v1alpha3
 kind: BackendTLSPolicy
 metadata:
- name: backendtlspolicy-cert-mismatch
+ name: backendtlspolicy-san
 namespace: gateway-conformance-infra
 spec:
 targetRefs:
 - group: ""
 kind: Service
- name: "backendtlspolicy-cert-mismatch-test"
+ name: "backendtlspolicy-san-test"
 sectionName: "btls"
 validation:
 caCertificateRefs:
 - group: ""
 kind: ConfigMap
 # This secret is generated dynamically by the test suite.
- name: "backend-tls-mismatch-certificate"
- hostname: "abc.example.com"
+ name: "backend-tls-certificate"
+ subjectAltNames:
+ - type: Hostname
+ hostname: abc.example.com
+ hostname: "mismatch.example.com"
+---
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: BackendTLSPolicy
+metadata:
+ name: backendtlspolicy-san-mismatch
+ namespace: gateway-conformance-infra
+spec:
+ targetRefs:
+ - group: ""
+ kind: Service
+ name: "backendtlspolicy-san-mismatch-test"
+ sectionName: "btls"
+ validation:
+ caCertificateRefs:
+ - group: ""
+ kind: ConfigMap
+ # This secret is generated dynamically by the test suite.
+ name: "backend-tls-certificate"
+ subjectAltNames:
+ - type: Hostname
+ hostname: cde.example.com
+ hostname: "mismatch.example.com"

From 190da92d1140c4a14b95a79d7f419d9403ca62e0 Mon Sep 17 00:00:00 2001
From: Katarzyna Lach
Date: Tue, 12 Aug 2025 08:25:31 +0000
Subject: [PATCH 2/2] review fixes

---
 conformance/tests/backendtlspolicy.go | 19 +++++-
 conformance/tests/backendtlspolicy.yaml | 77 +++++++++++++++++++++++--
 conformance/utils/kubernetes/helpers.go | 4 +-
 3 files changed, 91 insertions(+), 9 deletions(-)

diff --git a/conformance/tests/backendtlspolicy.go b/conformance/tests/backendtlspolicy.go
index 3cfc5ad600..1af69abd11 100644
--- a/conformance/tests/backendtlspolicy.go
+++ b/conformance/tests/backendtlspolicy.go
@@ -20,7 +20,6 @@ import (
 "testing"

 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/types"

 gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"

@@ -75,6 +74,9 @@ var BackendTLSPolicy = suite.ConformanceTest{
 validSanPolicyNN := types.NamespacedName{Name: "backendtlspolicy-san", Namespace: ns}
 kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, validSanPolicyNN, gwNN, policyCond)

+ validMultiSanPolicyNN := types.NamespacedName{Name: "backendtlspolicy-multiple-sans", Namespace: ns}
+ kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, validMultiSanPolicyNN, gwNN, policyCond)
+
 serverStr := "abc.example.com"

 // Verify that the request sent to Service with valid BackendTLSPolicy should succeed.
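Review bot: This hunk drops the `"k8s.io/apimachinery/pkg/types"` import, yet the very next hunk still adds `validMultiSanPolicyNN := types.NamespacedName{...}` and its context lines use `types.NamespacedName` as well, so the file will not compile unless `types` is imported again somewhere outside the visible hunks (for example a duplicate import line that goimports left in another group). If that duplicate is the reason for the removal, a one-line mention in the commit message would save the next reader the same check; if not, the line `"k8s.io/apimachinery/pkg/types"` needs to stay in the import block.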
@@ -145,7 +147,19 @@ var BackendTLSPolicy = suite.ConformanceTest{
 Request: h.Request{
 Host: serverStr,
 Path: "/backendTLSSan",
- SNI: serverStr,
+ },
+ Response: h.Response{StatusCode: 200},
+ })
+ })
+
+ // Verify that the request sent to Service with BackendTLSPolicy configured with multiple SANs should succeed.
+ t.Run("HTTP request sent to Service with BackendTLSPolicy configured with multiple SANs should succeed", func(t *testing.T) {
+ h.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
+ h.ExpectedResponse{
+ Namespace: ns,
+ Request: h.Request{
+ Host: serverStr,
+ Path: "/backendTLSMultiSans",
 },
 Response: h.Response{StatusCode: 200},
 })
@@ -159,7 +173,6 @@ var BackendTLSPolicy = suite.ConformanceTest{
 Request: h.Request{
 Host: serverStr,
 Path: "/backendTLSSanMismatch",
- SNI: serverStr,
 },
 })
 })
diff --git a/conformance/tests/backendtlspolicy.yaml b/conformance/tests/backendtlspolicy.yaml
index ba1f700e9d..311c316e5a 100644
--- a/conformance/tests/backendtlspolicy.yaml
+++ b/conformance/tests/backendtlspolicy.yaml
@@ -88,6 +88,15 @@ spec:
 - path:
 type: Exact
 value: /backendTLSSan
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: backendtlspolicy-multiple-sans-test
+ port: 443
+ matches:
+ - path:
+ type: Exact
+ value: /backendTLSMultiSans
 ---
 apiVersion: v1
 kind: Service
@@ -163,6 +172,21 @@ spec:
 port: 443
 targetPort: 8443
 ---
+apiVersion: v1
+kind: Service
+metadata:
+ name: backendtlspolicy-multiple-sans-test
+ namespace: gateway-conformance-infra
+spec:
+ selector:
+ app: backendtlspolicy-test
+ ports:
+ - name: "btls"
+ protocol: TCP
+ appProtocol: HTTPS
+ port: 443
+ targetPort: 8443
+---
 # Deployment must not be applied until after the secret is generated.
 apiVersion: apps/v1
 kind: Deployment
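Review bot: The "multiple SANs" subtest cannot tell an implementation that honours `subjectAltNames` from one that ignores them, because the policy it exercises (later hunk in backendtlspolicy.yaml) lists `abc.example.com` as both `hostname` and one of the SANs, so verifying against `hostname` alone also yields the expected 200; only the san-mismatch case catches that, and this subtest is really asserting "any listed SAN may match" given that the suite's generated certificate presumably does not carry `efg`/`yjh`. A comment above the `t.Run` should say so, e.g. `// Only abc.example.com is expected in the generated cert; efg/yjh check that a single matching SAN is sufficient, and that hostname is used for SNI only once subjectAltNames is set.` The enclosing test function starts and ends outside this hunk.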
@@ -269,6 +293,25 @@ spec:
 ---
 apiVersion: gateway.networking.k8s.io/v1alpha3
 kind: BackendTLSPolicy
+metadata:
+ name: backendtlspolicy-cert-mismatch
+ namespace: gateway-conformance-infra
+spec:
+ targetRefs:
+ - group: ""
+ kind: Service
+ name: "backendtlspolicy-cert-mismatch-test"
+ sectionName: "btls"
+ validation:
+ caCertificateRefs:
+ - group: ""
+ kind: ConfigMap
+ # This secret is generated dynamically by the test suite.
+ name: "backend-tls-mismatch-certificate"
+ hostname: "abc.example.com"
+---
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: BackendTLSPolicy
 metadata:
 name: backendtlspolicy-san
 namespace: gateway-conformance-infra
@@ -283,11 +326,37 @@ spec:
 - group: ""
 kind: ConfigMap
 # This secret is generated dynamically by the test suite.
- name: "backend-tls-certificate"
+ name: "backend-tls-checks-certificate"
+ hostname: "abc.example.com"
 subjectAltNames:
 - type: Hostname
 hostname: abc.example.com
- hostname: "mismatch.example.com"
+---
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: BackendTLSPolicy
+metadata:
+ name: backendtlspolicy-multiple-sans
+ namespace: gateway-conformance-infra
+spec:
+ targetRefs:
+ - group: ""
+ kind: Service
+ name: "backendtlspolicy-multiple-sans-test"
+ sectionName: "btls"
+ validation:
+ caCertificateRefs:
+ - group: ""
+ kind: ConfigMap
+ # This secret is generated dynamically by the test suite.
+ name: "backend-tls-checks-certificate"
+ hostname: "abc.example.com"
+ subjectAltNames:
+ - type: Hostname
+ hostname: abc.example.com
+ - type: Hostname
+ hostname: efg.example.com
+ - type: Hostname
+ hostname: yjh.example.com
 ---
 apiVersion: gateway.networking.k8s.io/v1alpha3
 kind: BackendTLSPolicy
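Review bot: The new `backendtlspolicy-multiple-sans` policy copies the `# This secret is generated dynamically by the test suite.` comment above a `kind: ConfigMap` reference, so the comment now names the wrong object for the third time in this file; since the line is being added, `# This ConfigMap is generated dynamically by the test suite.` would be accurate. The SAN list itself also deserves a why-comment, because a reader cannot tell from the manifest which of `abc`, `efg`, `yjh` the generated `backend-tls-checks-certificate` actually carries: `# Only abc.example.com is expected in the generated certificate; the others exercise "at least one SAN matches" semantics.` (hedged, as the certificate generator is not visible in this diff).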
@@ -305,8 +374,8 @@ spec:
 - group: ""
 kind: ConfigMap
 # This secret is generated dynamically by the test suite.
- name: "backend-tls-certificate"
+ name: "backend-tls-checks-certificate"
+ hostname: "abc.example.com"
 subjectAltNames:
 - type: Hostname
 hostname: cde.example.com
- hostname: "mismatch.example.com"
diff --git a/conformance/utils/kubernetes/helpers.go b/conformance/utils/kubernetes/helpers.go
index 8075132da1..4f8334f502 100644
--- a/conformance/utils/kubernetes/helpers.go
+++ b/conformance/utils/kubernetes/helpers.go
@@ -1003,7 +1003,7 @@ func BackendTLSPolicyMustHaveCondition(t *testing.T, client client.Client, timeo
 policy := &v1alpha3.BackendTLSPolicy{}
 err := client.Get(ctx, policyNN, policy)
 if err != nil {
- return false, fmt.Errorf("error fetching BackendTLSPolicy: %w", err)
+ return false, fmt.Errorf("error fetching BackendTLSPolicy %v err: %w", policyNN, err)
 }

 for _, parent := range policy.Status.Ancestors {
@@ -1024,5 +1024,5 @@ func BackendTLSPolicyMustHaveCondition(t *testing.T, client client.Client, timeo
 return false, nil
 })

- require.NoErrorf(t, waitErr, "error waiting for BackendTLSPolicy status to have a Condition %v", condition)
+ require.NoErrorf(t, waitErr, "error waiting for BackendTLSPolicy %v status to have a Condition %v", policyNN, condition)
 }
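Review bot: This is the one policy in the file whose `hostname` (`abc.example.com`, which the positive tests treat as matching the certificate) and `subjectAltNames` (`cde.example.com`) deliberately disagree, and it is therefore the only manifest that proves an implementation verifies the backend certificate against the SAN list rather than against `hostname` once `subjectAltNames` is set; nothing in the manifest says that, so a future "cleanup" aligning the two names would silently defang the test. A comment next to the SAN entry should record the intent: `# Deliberately differs from .hostname: hostname must only be used for SNI, and verification against this SAN must fail.` The BackendTLSPolicy object starts above this hunk.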