Skip to content

Add Conformance tests for BackendTLSPolicy validating SANs with Type dsnName #3983

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
+191 −3
Open

Add Conformance tests for BackendTLSPolicy validating SANs with Type dsnName #3983

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b2c36fe
Add Conformance tests for BackendTLSPolicy validating SANs
kl52752 Aug 11, 2025
190da92
review fixes
kl52752 Aug 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 33 additions & 0 deletions conformance/tests/backendtlspolicy.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,12 @@ var BackendTLSPolicy = suite.ConformanceTest{
invalidCertPolicyNN := types.NamespacedName{Name: "backendtlspolicy-cert-mismatch", Namespace: ns}
kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, invalidCertPolicyNN, gwNN, policyCond)

invalidSanPolicyNN := types.NamespacedName{Name: "backendtlspolicy-san-mismatch", Namespace: ns}
kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, invalidSanPolicyNN, gwNN, policyCond)

validSanPolicyNN := types.NamespacedName{Name: "backendtlspolicy-san", Namespace: ns}
kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, validSanPolicyNN, gwNN, policyCond)

serverStr := "abc.example.com"

// Verify that the request sent to Service with valid BackendTLSPolicy should succeed.
Expand Down Expand Up @@ -130,5 +136,32 @@ var BackendTLSPolicy = suite.ConformanceTest{
},
})
})

// Verify that the request sent to Service with BackendTLSPolicy configured with SANs should succeed.
t.Run("HTTP request sent to Service with BackendTLSPolicy configured with SAN should succeed", func(t *testing.T) {
h.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
h.ExpectedResponse{
Namespace: ns,
Request: h.Request{
Host: serverStr,
Path: "/backendTLSSan",
SNI: serverStr,
},
Response: h.Response{StatusCode: 200},
})
})

// Verify that request sent to Service targeted by BackendTLSPolicy with mismatched SAN should failed.
t.Run("HTTP request send to Service targeted by BackendTLSPolicy with mismatched SAN should return HTTP error", func(t *testing.T) {
h.MakeRequestAndExpectFailure(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems like this will pass if any non-200 error code is returned. Can we be more specific here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually the spec is a bit vague here, error codes are not constrained but it is up to implementation how to signal the error

h.ExpectedResponse{
Namespace: ns,
Request: h.Request{
Host: serverStr,
Path: "/backendTLSSanMismatch",
SNI: serverStr,
},
})
})
},
}
81 changes: 77 additions & 4 deletions conformance/tests/backendtlspolicy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,24 @@ spec:
- path:
type: Exact
value: /backendTLSCertMismatch
- backendRefs:
- group: ""
kind: Service
name: backendtlspolicy-san-mismatch-test
port: 443
matches:
- path:
type: Exact
value: /backendTLSSanMismatch
- backendRefs:
- group: ""
kind: Service
name: backendtlspolicy-san-test
port: 443
matches:
- path:
type: Exact
value: /backendTLSSan
---
apiVersion: v1
kind: Service
Expand Down Expand Up @@ -115,6 +133,36 @@ spec:
port: 443
targetPort: 8443
---
apiVersion: v1
kind: Service
metadata:
name: backendtlspolicy-san-mismatch-test
namespace: gateway-conformance-infra
spec:
selector:
app: backendtlspolicy-test
ports:
- name: "btls"
protocol: TCP
appProtocol: HTTPS
port: 443
targetPort: 8443
---
apiVersion: v1
kind: Service
metadata:
name: backendtlspolicy-san-test
namespace: gateway-conformance-infra
spec:
selector:
app: backendtlspolicy-test
ports:
- name: "btls"
protocol: TCP
appProtocol: HTTPS
port: 443
targetPort: 8443
---
# Deployment must not be applied until after the secret is generated.
apiVersion: apps/v1
kind: Deployment
Expand Down Expand Up @@ -222,18 +270,43 @@ spec:
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
name: backendtlspolicy-cert-mismatch
name: backendtlspolicy-san
namespace: gateway-conformance-infra
spec:
targetRefs:
- group: ""
kind: Service
name: "backendtlspolicy-cert-mismatch-test"
name: "backendtlspolicy-san-test"
sectionName: "btls"
validation:
caCertificateRefs:
- group: ""
kind: ConfigMap
# This secret is generated dynamically by the test suite.
name: "backend-tls-mismatch-certificate"
hostname: "abc.example.com"
name: "backend-tls-certificate"
subjectAltNames:
- type: Hostname
hostname: abc.example.com
hostname: "mismatch.example.com"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems like it's testing a config mismatch instead of a mismatch in the cert itself. Can we also include a test that covers a case where the config lines up but the cert served by the backend does not match either the configured hostname or the SANs?

---
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
name: backendtlspolicy-san-mismatch
namespace: gateway-conformance-infra
spec:
targetRefs:
- group: ""
kind: Service
name: "backendtlspolicy-san-mismatch-test"
sectionName: "btls"
validation:
caCertificateRefs:
- group: ""
kind: ConfigMap
# This secret is generated dynamically by the test suite.
name: "backend-tls-certificate"
subjectAltNames:
- type: Hostname
hostname: cde.example.com
hostname: "mismatch.example.com"