Skip to content

BackendTLSPolicy conformance tests for ResolvedRefs status condition #4010

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Aug 26, 2025
Merged

BackendTLSPolicy conformance tests for ResolvedRefs status condition #4010

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5ea56fc
BackendTLSPolicy conformance tests for ResolvedRefs status condition
snorwin Aug 20, 2025
749768e
Apply PR feedback
snorwin Aug 22, 2025
a8a865f
deprecate StatusCode of the excpected response in favor of StatusCodes
snorwin Aug 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
96 changes: 96 additions & 0 deletions conformance/tests/backendtlspolicy-invalid-ca-certificate-ref.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
/*
Copyright 2025 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package tests

import (
"testing"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"

gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
gatewayv1alpha3 "sigs.k8s.io/gateway-api/apis/v1alpha3"
h "sigs.k8s.io/gateway-api/conformance/utils/http"
"sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
"sigs.k8s.io/gateway-api/conformance/utils/suite"
"sigs.k8s.io/gateway-api/pkg/features"
)

func init() {
ConformanceTests = append(ConformanceTests, BackendTLSPolicyCACertificateRefInvalidCACertificateRef)
}

var BackendTLSPolicyCACertificateRefInvalidCACertificateRef = suite.ConformanceTest{
ShortName: "BackendTLSPolicyCACertificateRefInvalidCACertificateRef",
Description: "A BackendTLSPolicy that specifies a single invalid CACertificateRef should have the Accepted and ResolvedRefs status condition set False with appropriate reasons, and HTTP requests to a backend targeted by this policy should fail with a 5xx response.",
Features: []features.FeatureName{
features.SupportGateway,
features.SupportHTTPRoute,
features.SupportBackendTLSPolicy,
},
Manifests: []string{"tests/backendtlspolicy-invalid-ca-certificate-ref.yaml"},
Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
ns := "gateway-conformance-infra"
routeNN := types.NamespacedName{Name: "backendtlspolicy-invalid-ca-certificate-ref", Namespace: ns}
gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}

serverStr := "abc.example.com"

kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{ns})
gwAddr := kubernetes.GatewayAndRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), &gatewayv1.HTTPRoute{}, false, routeNN)
kubernetes.HTTPRouteMustHaveResolvedRefsConditionsTrue(t, suite.Client, suite.TimeoutConfig, routeNN, gwNN)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this right? Per the manifest, you are applying a backend that has failure already on backendtlspolicy, resulting on the following condition on HTTPRoute

    - lastTransitionTime: "2025-08-25T20:27:03Z"
      message: |-
        Failed to process route rule 0 backendRef 0: configmap nonexistent-ca-certificate not found in namespace gateway-conformance-infra.
        Failed to process route rule 1 backendRef 0: no ca found in configmap malformed-ca-certificate.
      observedGeneration: 1
      reason: InvalidBackendTLS
      status: "False"
      type: ResolvedRefs

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pretty sure that is implementation specific behavior, I don't remember defining that in the BackendTLSPolicy GEP at all.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rikatz yes, there are many implementation-specific behaviors. That’s why we updated the GEP in #3909, and we’re now enforcing this new behavior through these conformance tests.

Copy link
Member Author

@snorwin snorwin Aug 26, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed the assertion on the HTTPRoute since it is not specified whether the invalid ResolvedRefs status condition on the BackendTLSPolicy should be propagated to the HTTPRoute or not.

Should I add an assertion that the HTTPRoute is at least accepted, or does an invalid BackendTLSPolicy also influence its acceptance? - Already done.

/cc @kl52752

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for removing that.This question requires new GEP. I think that you can just leave TODO to address this issue later.


for _, policyNN := range []types.NamespacedName{
{Name: "nonexistent-ca-certificate-ref", Namespace: ns},
{Name: "malformed-ca-certificate-ref", Namespace: ns},
} {
t.Run("BackendTLSPolicy_"+policyNN.Name, func(t *testing.T) {
t.Run("BackendTLSPolicy with a single invalid CACertificateRef has a Accepted Condition with status False and Reason NoValidCACertificate", func(t *testing.T) {
acceptedCond := metav1.Condition{
Type: string(gatewayv1alpha2.PolicyConditionAccepted),
Status: metav1.ConditionFalse,
Reason: string(gatewayv1alpha3.BackendTLSPolicyReasonNoValidCACertificate),
}

kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, policyNN, gwNN, acceptedCond)
})

t.Run("BackendTLSPolicy with a single invalid CACertificateRef has a ResolvedRefs Condition with status False and Reason InvalidCACertificateRef", func(t *testing.T) {
resolvedRefsCond := metav1.Condition{
Type: string(gatewayv1alpha3.BackendTLSPolicyConditionResolvedRefs),
Status: metav1.ConditionFalse,
Reason: string(gatewayv1alpha3.BackendTLSPolicyReasonInvalidCACertificateRef),
}

kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, policyNN, gwNN, resolvedRefsCond)
})

t.Run("HTTP Request to backend targeted by an invalid BackendTLSPolicy receive a 5xx", func(t *testing.T) {
h.MakeRequestAndExpectFailure(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
h.ExpectedResponse{
Namespace: ns,
Request: h.Request{
Host: serverStr,
Path: "/backendtlspolicy-" + policyNN.Name,
},
})
})
})
}
},
}
97 changes: 97 additions & 0 deletions conformance/tests/backendtlspolicy-invalid-ca-certificate-ref.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: backendtlspolicy-invalid-ca-certificate-ref
namespace: gateway-conformance-infra
spec:
parentRefs:
- name: same-namespace
namespace: gateway-conformance-infra
hostnames:
- abc.example.com
rules:
- backendRefs:
- name: backendtlspolicy-nonexistent-ca-certificate-ref-test
port: 443
matches:
- path:
type: Exact
value: /backendtlspolicy-nonexistent-ca-certificate-ref
- backendRefs:
- name: backendtlspolicy-malformed-ca-certificate-ref-test
port: 443
matches:
- path:
type: Exact
value: /backendtlspolicy-malformed-ca-certificate-ref
---
apiVersion: v1
kind: Service
metadata:
name: backendtlspolicy-nonexistent-ca-certificate-ref-test
namespace: gateway-conformance-infra
spec:
selector:
app: tls-backend
ports:
- name: "https"
protocol: TCP
appProtocol: HTTPS
port: 443
targetPort: 8443
---
apiVersion: v1
kind: Service
metadata:
name: backendtlspolicy-malformed-ca-certificate-ref-test
namespace: gateway-conformance-infra
spec:
selector:
app: tls-backend
ports:
- name: "https"
protocol: TCP
appProtocol: HTTPS
port: 443
targetPort: 8443
---
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
name: nonexistent-ca-certificate-ref
namespace: gateway-conformance-infra
spec:
targetRefs:
- group: ""
kind: Service
name: "backendtlspolicy-nonexistent-ca-certificate-ref-test"
validation:
caCertificateRefs:
- group: ""
kind: ConfigMap
name: "nonexistent-ca-certificate"
hostname: "abc.example.com"
---
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
name: malformed-ca-certificate-ref
namespace: gateway-conformance-infra
spec:
targetRefs:
- group: ""
kind: Service
name: "backendtlspolicy-malformed-ca-certificate-ref-test"
validation:
caCertificateRefs:
- group: ""
kind: ConfigMap
name: "malformed-ca-certificate"
hostname: "abc.example.com"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: malformed-ca-certificate
namespace: gateway-conformance-infra
data: {}
91 changes: 91 additions & 0 deletions conformance/tests/backendtlspolicy-invalid-kind.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
/*
Copyright 2025 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package tests

import (
"testing"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"

gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
gatewayv1alpha3 "sigs.k8s.io/gateway-api/apis/v1alpha3"
h "sigs.k8s.io/gateway-api/conformance/utils/http"
"sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
"sigs.k8s.io/gateway-api/conformance/utils/suite"
"sigs.k8s.io/gateway-api/pkg/features"
)

func init() {
ConformanceTests = append(ConformanceTests, BackendTLSPolicyCACertificateRefInvalidKind)
}

var BackendTLSPolicyCACertificateRefInvalidKind = suite.ConformanceTest{
ShortName: "BackendTLSPolicyCACertificateRefInvalidKind",
Description: "A BackendTLSPolicy that specifies a single CACertificateRef with an invalid kind should have the Accepted and ResolvedRefs status condition set False with appropriate reasons, and HTTP requests to a backend targeted by this policy should fail with a 5xx response.",
Features: []features.FeatureName{
features.SupportGateway,
features.SupportHTTPRoute,
features.SupportBackendTLSPolicy,
},
Manifests: []string{"tests/backendtlspolicy-invalid-kind.yaml"},
Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
ns := "gateway-conformance-infra"
routeNN := types.NamespacedName{Name: "backendtlspolicy-invalid-kind-test", Namespace: ns}
gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}

serverStr := "abc.example.com"

kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{ns})
gwAddr := kubernetes.GatewayAndRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), &gatewayv1.HTTPRoute{}, false, routeNN)
kubernetes.HTTPRouteMustHaveResolvedRefsConditionsTrue(t, suite.Client, suite.TimeoutConfig, routeNN, gwNN)

policyNN := types.NamespacedName{Name: "invalid-kind", Namespace: ns}

t.Run("BackendTLSPolicy with a single invalid CACertificateRef has a Accepted Condition with status False and Reason NoValidCACertificate", func(t *testing.T) {
acceptedCond := metav1.Condition{
Type: string(gatewayv1alpha2.PolicyConditionAccepted),
Status: metav1.ConditionFalse,
Reason: string(gatewayv1alpha3.BackendTLSPolicyReasonNoValidCACertificate),
}

kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, policyNN, gwNN, acceptedCond)
})

t.Run("BackendTLSPolicy with a single invalid CACertificateRef has a ResolvedRefs Condition with status False and Reason InvalidKind", func(t *testing.T) {
resolvedRefsCond := metav1.Condition{
Type: string(gatewayv1alpha3.BackendTLSPolicyConditionResolvedRefs),
Status: metav1.ConditionFalse,
Reason: string(gatewayv1alpha3.BackendTLSPolicyReasonInvalidKind),
}

kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, policyNN, gwNN, resolvedRefsCond)
})

t.Run("HTTP Request to backend targeted by an invalid BackendTLSPolicy receive a 5xx", func(t *testing.T) {
h.MakeRequestAndExpectFailure(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
h.ExpectedResponse{
Namespace: ns,
Request: h.Request{
Host: serverStr,
Path: "/backendtlspolicy-" + policyNN.Name,
},
})
})
},
}
51 changes: 51 additions & 0 deletions conformance/tests/backendtlspolicy-invalid-kind.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: backendtlspolicy-invalid-kind-test
namespace: gateway-conformance-infra
spec:
parentRefs:
- name: same-namespace
namespace: gateway-conformance-infra
hostnames:
- abc.example.com
rules:
- backendRefs:
- name: backendtlspolicy-invalid-kind-test
port: 443
matches:
- path:
type: Exact
value: /backendtlspolicy-invalid-kind
---
apiVersion: v1
kind: Service
metadata:
name: backendtlspolicy-invalid-kind-test
namespace: gateway-conformance-infra
spec:
selector:
app: tls-backend
ports:
- name: "https"
protocol: TCP
appProtocol: HTTPS
port: 443
targetPort: 8443
---
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
name: invalid-kind
namespace: gateway-conformance-infra
spec:
targetRefs:
- group: ""
kind: Service
name: "backendtlspolicy-invalid-kind-test"
validation:
caCertificateRefs:
- group: invalid.io
kind: InvalidKind
name: "invalid-kind"
hostname: "abc.example.com"
Loading