Member

@snorwin snorwin commented Aug 23, 2025

What type of PR is this?

/kind test
/area conformance-machinery

What this PR does / why we need it:
This PR simplifies the test infrastructure for BackendTLSPolicy by reusing the existing backend-tls Deployment instead of creating a separate backend. In addition, it fixes the CA certificate creation process, as CA certificates typically do not contain hostnames, and, following best practices, the CA certificate private key is now omitted from the ConfigMap.

The refactoring was validated by re-running the BackendTLSPolicy tests against Envoy Gateway and Airlock Microgateway, all of which passed successfully.

Which issue(s) this PR fixes:

Fixes #3934

Does this PR introduce a user-facing change?:

NONE
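
The two certificate points in the description above, as an added Go example (not code from this PR and not the project's `generateCACert` helper): the CA certificate carries no hostnames, the hostnames sit on the backend's serving certificate as SANs, and only the CA's public certificate goes into the ConfigMap under `ca.crt`. The function names, subject names and the Ed25519 key type are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// issue signs tmpl with parent/parentKey; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA builds a CA certificate: signing usage only, no DNSNames or other SANs.
func NewCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-test-ca"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}
// NewLeaf builds the backend's serving certificate; hostnames belong here, as SANs.
func NewLeaf(ca *x509.Certificate, caKey ed25519.PrivateKey, hosts ...string) (*x509.Certificate, ed25519.PrivateKey, error) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed-backend"},
		DNSNames: hosts, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
}
// CAConfigMapData is the ConfigMap payload: the public CA certificate, never its key.
func CAConfigMapData(ca *x509.Certificate) map[string]string {
	return map[string]string{"ca.crt": string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}))}
}

func main() {
	if _, _, err := NewCA(); err != nil {
		panic(err)
	}
}
```

A verifier that loads only `ca.crt` into its root pool can still validate the backend certificate for its hostname, so nothing downstream needs the CA key.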

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/test area/conformance-machinery Issues or PRs related to the machinery and the suite used to run conformance tests. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Aug 23, 2025
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Aug 23, 2025
Member Author

snorwin commented Aug 23, 2025

/cc @candita @kl52752

@snorwin snorwin changed the title simplify BackendTLSPolicy test infrastructure and remove unnecessary … simplify BackendTLSPolicy test infrastructure and remove unnecessary code Aug 23, 2025
Member Author

snorwin commented Aug 23, 2025

In case that #3983 is merged before this PR, the changes here will also need to be applied to the BackendTLSPolicySANValidation tests.

Contributor

@kl52752 kl52752 left a comment

Thanks for cleaning this up! One question impacting SAN tests that are in review

@snorwin snorwin requested a review from kl52752 August 25, 2025 17:33
Member Author

snorwin commented Aug 25, 2025

@shaneutt, it would be great if we could get this merged before the code freeze.

Contributor

@kl52752 kl52752 left a comment

Thanks for the PR, looks good now :)

Contributor

kl52752 commented Aug 26, 2025

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 26, 2025
Member Author

snorwin commented Aug 26, 2025

In the community meeting, we agreed to wait on merging this until #3983 is merged.
/hold
/cc @kl52752

@k8s-ci-robot k8s-ci-robot requested a review from kl52752 August 26, 2025 15:16
@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 26, 2025
@shaneutt shaneutt moved this to Review in Release v1.4.0 Aug 26, 2025
@shaneutt shaneutt added this to the v1.4.0 milestone Aug 26, 2025
@shaneutt shaneutt self-assigned this Aug 26, 2025
"github.com/stretchr/testify/require"
)

func Test_generateCACert(t *testing.T) {
Member

why remove the test? we still have the generateCACert helper function right? I mean, was this test failing or is this test not being useful?

Member Author

It was only for testing that the CA certificate contained the specified hostnames, which does not make sense.

@snorwin snorwin force-pushed the btlsp-cleanup-tests branch from 37defa3 to 89f8855 Compare August 28, 2025 06:44
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 28, 2025
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 28, 2025
@snorwin snorwin requested a review from rikatz August 28, 2025 06:53
@snorwin snorwin force-pushed the btlsp-cleanup-tests branch from 89f8855 to 043583d Compare August 28, 2025 07:03
@snorwin snorwin force-pushed the btlsp-cleanup-tests branch from 043583d to 9e4cf2a Compare August 28, 2025 07:32
Member Author

snorwin commented Aug 28, 2025

#3983 has been merged, so I rebased this PR and applied the changes to the SAN validation tests.
/unhold

/cc @kl52752
/cc @kubernetes-sigs/gateway-api-admins

@k8s-ci-robot k8s-ci-robot requested a review from a team August 28, 2025 07:47
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 28, 2025
Contributor

kl52752 commented Aug 28, 2025

> #3983 has been merged, so I rebased this PR and applied the changes to the SAN validation tests.
> /unhold
>
> /cc @kl52752
> /cc @kubernetes-sigs/gateway-api-admins

@snorwin Can you confirm that after those changes SAN conformance tests are passing for your implementation?

Member Author

snorwin commented Aug 28, 2025

@kl52752 sure, I verified the refactoring by running the BackendTLSPolicySANValidation and BackendTLSPolicy tests again.

Contributor

@kl52752 kl52752 left a comment

Thank you for the refactoring :)

Contributor

kl52752 commented Aug 28, 2025

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 28, 2025
@shaneutt shaneutt self-requested a review August 28, 2025 11:27
Member

rikatz commented Aug 28, 2025

Tested locally (removing the resolvedRefs assertion for now as it is not supported by implementations), lgtm, thanks for this nice cleanup!

/lgtm

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kl52752, shaneutt, snorwin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 28, 2025
@k8s-ci-robot k8s-ci-robot merged commit 64dfa32 into kubernetes-sigs:main Aug 28, 2025
19 checks passed
@github-project-automation github-project-automation bot moved this from Review to Done in Release v1.4.0 Aug 28, 2025
Successfully merging this pull request may close these issues.

BackendTLSPolicy conformance test - re-use the tls-backend or deploy as infra