Add Conformance tests for BackendTLSPolicy validating SANs with Type dsnName #3983

Open
wants to merge 2 commits into
base: main
48 changes: 47 additions & 1 deletion conformance/tests/backendtlspolicy.go
Expand Up @@ -20,7 +20,6 @@ import (
"testing"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

"k8s.io/apimachinery/pkg/types"

gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
Expand Down Expand Up @@ -69,6 +68,15 @@ var BackendTLSPolicy = suite.ConformanceTest{
invalidCertPolicyNN := types.NamespacedName{Name: "backendtlspolicy-cert-mismatch", Namespace: ns}
kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, invalidCertPolicyNN, gwNN, policyCond)

invalidSanPolicyNN := types.NamespacedName{Name: "backendtlspolicy-san-mismatch", Namespace: ns}
kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, invalidSanPolicyNN, gwNN, policyCond)

validSanPolicyNN := types.NamespacedName{Name: "backendtlspolicy-san", Namespace: ns}
kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, validSanPolicyNN, gwNN, policyCond)

validMultiSanPolicyNN := types.NamespacedName{Name: "backendtlspolicy-multiple-sans", Namespace: ns}
kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, validMultiSanPolicyNN, gwNN, policyCond)

serverStr := "abc.example.com"

// Verify that the request sent to Service with valid BackendTLSPolicy should succeed.
Expand Down Expand Up @@ -130,5 +138,43 @@ var BackendTLSPolicy = suite.ConformanceTest{
},
})
})

// Verify that the request sent to Service with BackendTLSPolicy configured with SANs should succeed.
t.Run("HTTP request sent to Service with BackendTLSPolicy configured with SAN should succeed", func(t *testing.T) {
h.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
h.ExpectedResponse{
Namespace: ns,
Request: h.Request{
Host: serverStr,
Path: "/backendTLSSan",
},
Response: h.Response{StatusCode: 200},
})
})

// Verify that the request sent to Service with BackendTLSPolicy configured with multiple SANs should succeed.
t.Run("HTTP request sent to Service with BackendTLSPolicy configured with multiple SANs should succeed", func(t *testing.T) {
h.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
h.ExpectedResponse{
Namespace: ns,
Request: h.Request{
Host: serverStr,
Path: "/backendTLSMultiSans",
},
Response: h.Response{StatusCode: 200},
})
})

// Verify that request sent to Service targeted by BackendTLSPolicy with mismatched SAN should failed.
t.Run("HTTP request send to Service targeted by BackendTLSPolicy with mismatched SAN should return HTTP error", func(t *testing.T) {
h.MakeRequestAndExpectFailure(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
Member
It seems like this will pass if any non-200 error code is returned. Can we be more specific here?

Contributor Author
Actually the spec is a bit vague here: error codes are not constrained, and it is up to the implementation how to signal the error.

h.ExpectedResponse{
Namespace: ns,
Request: h.Request{
Host: serverStr,
Path: "/backendTLSSanMismatch",
},
})
})
},
}
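Review bot: The comment above the mismatch subtest reads "should failed" and the subtest name says "request send to", which breaks the pattern of the sibling comments and names; suggest `// Verify that request sent to Service targeted by BackendTLSPolicy with mismatched SAN should fail.` and `t.Run("HTTP request sent to Service targeted by BackendTLSPolicy with mismatched SAN should return HTTP error", ...`. Beyond wording, both positive subtests send Host abc.example.com to policies whose subjectAltNames also list abc.example.com, so they would pass equally for an implementation that ignores subjectAltNames and only checks hostname; only the mismatch subtest actually exercises SAN matching. A positive case whose SAN differs from the policy hostname, if the suite's certificate generation allows it, would show that validation is done against the SAN list rather than the hostname. The enclosing test function starts before the first hunk, and the ConformanceTest literal closes at the end of this section.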
142 changes: 142 additions & 0 deletions conformance/tests/backendtlspolicy.yaml
Expand Up @@ -70,6 +70,33 @@ spec:
- path:
type: Exact
value: /backendTLSCertMismatch
- backendRefs:
- group: ""
kind: Service
name: backendtlspolicy-san-mismatch-test
port: 443
matches:
- path:
type: Exact
value: /backendTLSSanMismatch
- backendRefs:
- group: ""
kind: Service
name: backendtlspolicy-san-test
port: 443
matches:
- path:
type: Exact
value: /backendTLSSan
- backendRefs:
- group: ""
kind: Service
name: backendtlspolicy-multiple-sans-test
port: 443
matches:
- path:
type: Exact
value: /backendTLSMultiSans
---
apiVersion: v1
kind: Service
Expand Down Expand Up @@ -115,6 +142,51 @@ spec:
port: 443
targetPort: 8443
---
apiVersion: v1
kind: Service
metadata:
name: backendtlspolicy-san-mismatch-test
namespace: gateway-conformance-infra
spec:
selector:
app: backendtlspolicy-test
ports:
- name: "btls"
protocol: TCP
appProtocol: HTTPS
port: 443
targetPort: 8443
---
apiVersion: v1
kind: Service
metadata:
name: backendtlspolicy-san-test
namespace: gateway-conformance-infra
spec:
selector:
app: backendtlspolicy-test
ports:
- name: "btls"
protocol: TCP
appProtocol: HTTPS
port: 443
targetPort: 8443
---
apiVersion: v1
kind: Service
metadata:
name: backendtlspolicy-multiple-sans-test
namespace: gateway-conformance-infra
spec:
selector:
app: backendtlspolicy-test
ports:
- name: "btls"
protocol: TCP
appProtocol: HTTPS
port: 443
targetPort: 8443
---
# Deployment must not be applied until after the secret is generated.
apiVersion: apps/v1
kind: Deployment
Expand Down Expand Up @@ -237,3 +309,73 @@ spec:
# This secret is generated dynamically by the test suite.
name: "backend-tls-mismatch-certificate"
hostname: "abc.example.com"
---
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
name: backendtlspolicy-san
namespace: gateway-conformance-infra
spec:
targetRefs:
- group: ""
kind: Service
name: "backendtlspolicy-san-test"
sectionName: "btls"
validation:
caCertificateRefs:
- group: ""
kind: ConfigMap
# This secret is generated dynamically by the test suite.
name: "backend-tls-checks-certificate"
hostname: "abc.example.com"
subjectAltNames:
- type: Hostname
hostname: abc.example.com
---
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
name: backendtlspolicy-multiple-sans
namespace: gateway-conformance-infra
spec:
targetRefs:
- group: ""
kind: Service
name: "backendtlspolicy-multiple-sans-test"
sectionName: "btls"
validation:
caCertificateRefs:
- group: ""
kind: ConfigMap
# This secret is generated dynamically by the test suite.
name: "backend-tls-checks-certificate"
hostname: "abc.example.com"
subjectAltNames:
- type: Hostname
hostname: abc.example.com
- type: Hostname
hostname: efg.example.com
- type: Hostname
hostname: yjh.example.com
Member
Do you also plan to add some test with SAN type URI?

Contributor Author
yes but I wanted to do this in next PR, because there will be more changes related to certificate creation.

---
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
name: backendtlspolicy-san-mismatch
namespace: gateway-conformance-infra
spec:
targetRefs:
- group: ""
kind: Service
name: "backendtlspolicy-san-mismatch-test"
sectionName: "btls"
validation:
caCertificateRefs:
- group: ""
kind: ConfigMap
# This secret is generated dynamically by the test suite.
name: "backend-tls-checks-certificate"
hostname: "abc.example.com"
subjectAltNames:
- type: Hostname
hostname: cde.example.com
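Review bot: The three new caCertificateRefs entries (in the `backendtlspolicy-san`, `backendtlspolicy-multiple-sans` and `backendtlspolicy-san-mismatch` policies) repeat the comment `# This secret is generated dynamically by the test suite.` directly above a `kind: ConfigMap` reference, so the comment names the wrong resource kind; `# This ConfigMap is generated dynamically by the test suite.` would match the ref. The same wording is visible in the pre-existing context at the top of the third hunk, so a follow-up could align that one as well. It would also help to add a short comment on `backendtlspolicy-multiple-sans` saying that only abc.example.com is expected to appear in the generated certificate and that the other two entries are there to show a single matching SAN is sufficient; I infer this from the shared certificate name and the Go test expecting 200, so confirm it against the suite's certificate generation.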
4 changes: 2 additions & 2 deletions conformance/utils/kubernetes/helpers.go
Expand Up @@ -1003,7 +1003,7 @@ func BackendTLSPolicyMustHaveCondition(t *testing.T, client client.Client, timeo
policy := &v1alpha3.BackendTLSPolicy{}
err := client.Get(ctx, policyNN, policy)
if err != nil {
return false, fmt.Errorf("error fetching BackendTLSPolicy: %w", err)
return false, fmt.Errorf("error fetching BackendTLSPolicy %v err: %w", policyNN, err)
}

for _, parent := range policy.Status.Ancestors {
Expand All @@ -1024,5 +1024,5 @@ func BackendTLSPolicyMustHaveCondition(t *testing.T, client client.Client, timeo
return false, nil
})

require.NoErrorf(t, waitErr, "error waiting for BackendTLSPolicy status to have a Condition %v", condition)
require.NoErrorf(t, waitErr, "error waiting for BackendTLSPolicy %v status to have a Condition %v", policyNN, condition)
}
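Review bot: The new error string `"error fetching BackendTLSPolicy %v err: %w"` reads awkwardly once the error is wrapped and chained: the leading "error" and the bare "err:" add nothing the wrapping caller does not already supply. `fmt.Errorf("fetching BackendTLSPolicy %s: %w", policyNN, err)` carries the same information, and `types.NamespacedName` prints as namespace/name through `%s` because it implements String(). The `require.NoErrorf` change in the second hunk is fine as-is, though `%v` on `condition` prints the whole struct; if it is a metav1.Condition, `condition.Type` and `condition.Status` would make a more readable failure message. BackendTLSPolicyMustHaveCondition starts before the first hunk, so its signature is not visible here.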