make epp tls configurable, update conformance workflow

Author: salonichf5

.github/workflows/conformance.yml

@@ -198,3 +198,26 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: gh release upload ${{ github.ref_name }} conformance-profile.yaml --clobber
         working-directory: ./tests
+
+      # The same setup works for inference conformance tests
+      # and inference extension flag is enabled
+      - name: Run inference conformance tests
+        run: |
+          make run-inference-conformance-tests CONFORMANCE_TAG=${{ github.sha }} NGF_VERSION=${{ github.ref_name }} CLUSTER_NAME=${{ github.run_id }}
+          core_result=$(cat conformance-inference-profile.yaml | yq '.profiles[0].core.result')
+          if [ "${core_result}" == "failure" ] ]; then echo "Inference Conformance test failed, see above for details." && exit 2; fi
+        working-directory: ./tests
+
+      - name: Upload profile to GitHub
+        if: ${{ inputs.enable-inference-extension }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: conformance-inference-profile-${{ inputs.image }}-${{ inputs.k8s-version }}-${{ steps.ngf-meta.outputs.version }}
+          path: ./tests/conformance-inference-profile.yaml
+
+      - name: Upload profile to release
+        if: ${{ inputs.production-release && inputs.enable-inference-extension }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh release upload ${{ github.ref_name }} conformance-inference-profile.yaml --clobber
+        working-directory: ./tests

.github/workflows/lint.yml

@@ -125,6 +125,8 @@ jobs:
         uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
         with:
           version: 3.14.0 # renovate: datasource=github-tags depName=helm/chart-testing
+          # v6.0.0 resolved the compatibility issue with Python > 3.13. may be removed after the action itself is updated
+          yamale_version: "6.0.0"
 
       - name: Run chart-testing
         run: ct lint --print-config --config .ct.yaml

cmd/gateway/commands.go

@@ -758,15 +758,37 @@ func createSleepCommand() *cobra.Command {
 }
 
 func createEndpointPickerCommand() *cobra.Command {
+	var (
+		endpointPickerEnableTLSFlag                               = "endpoint-picker-enable-tls"
+		endpointPickerInsecureSkipVerifyFlag                      = "endpoint-picker-insecure-skip-verify"
+		endpointPickerEnableTLS, endpointPickerInsecureSkipVerify bool
+	)
+
 	cmd := &cobra.Command{
 		Use:   "endpoint-picker",
 		Short: "Shim server for communication between NGINX and the Gateway API Inference Extension Endpoint Picker",
 		RunE: func(_ *cobra.Command, _ []string) error {
 			logger := ctlrZap.New().WithName("endpoint-picker-shim")
-			handler := createEndpointPickerHandler(realExtProcClientFactory(), logger)
+			handler := createEndpointPickerHandler(
+				realExtProcClientFactory(endpointPickerEnableTLS, endpointPickerInsecureSkipVerify),
+				logger,
+			)
 			return endpointPickerServer(handler)
 		},
 	}
+	cmd.Flags().BoolVar(
+		&endpointPickerEnableTLS,
+		endpointPickerEnableTLSFlag,
+		false,
+		"Enable TLS for gRPC connections to the EndpointPicker extension.",
+	)
+
+	cmd.Flags().BoolVar(
+		&endpointPickerInsecureSkipVerify,
+		endpointPickerInsecureSkipVerifyFlag,
+		true,
+		"Disable client verification of the EndpointPicker extension's server certificate.",
+	)
 
 	return cmd
 }

cmd/gateway/commands_test.go

@@ -924,3 +924,51 @@ func TestUsageReportConfig(t *testing.T) {
 		})
 	}
 }
+
+func TestEndpointPickerCommand(t *testing.T) {
+	t.Parallel()
+	tests := []flagTestCase{
+		{
+			name: "valid flags",
+			args: []string{
+				"--endpoint-picker-enable-tls=false",
+				"--endpoint-picker-insecure-skip-verify=true",
+			},
+			wantErr: false,
+		},
+		{
+			name: "flags have updated values",
+			args: []string{
+				"--endpoint-picker-enable-tls=true",
+				"--endpoint-picker-insecure-skip-verify=false",
+			},
+			wantErr: false,
+		},
+		{
+			name: "invalid flag values",
+			args: []string{
+				"--endpoint-picker-enable-tls=non-bool-value",
+			},
+			wantErr: true,
+			expectedErrPrefix: `invalid argument "non-bool-value" for "--endpoint-picker-enable-tls" flag:` +
+				` strconv.ParseBool: parsing "non-bool-value": invalid syntax`,
+		},
+		{
+			name: "invalid flag values",
+			args: []string{
+				"--endpoint-picker-insecure-skip-verify=non-bool-value",
+			},
+			wantErr: true,
+			expectedErrPrefix: `invalid argument "non-bool-value" for "--endpoint-picker-insecure-skip-verify" flag:` +
+				` strconv.ParseBool: parsing "non-bool-value": invalid syntax`,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			cmd := createEndpointPickerCommand()
+			testFlag(t, cmd, test)
+		})
+	}
+}

cmd/gateway/endpoint_picker.go

@@ -15,6 +15,7 @@ import (
 	"github.com/go-logr/logr"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/insecure"
 	eppMetadata "sigs.k8s.io/gateway-api-inference-extension/pkg/epp/metadata"
 
 	"github.com/nginx/nginx-gateway-fabric/v2/internal/framework/types"
@@ -34,13 +35,19 @@ func endpointPickerServer(handler http.Handler) error {
 }
 
 // realExtProcClientFactory returns a factory that creates a new gRPC connection and client per request.
-func realExtProcClientFactory() extProcClientFactory {
+func realExtProcClientFactory(endpointPickerEnableTLS, endpointPickerInsecureSkipVerify bool) extProcClientFactory {
 	return func(target string) (extprocv3.ExternalProcessorClient, func() error, error) {
-		creds := credentials.NewTLS(&tls.Config{
-			// add RootCAs or, if you have a self-signed server cert:
-			InsecureSkipVerify: true, //nolint:gosec
-		})
-		conn, err := grpc.NewClient(target, grpc.WithTransportCredentials(creds))
+		var opts []grpc.DialOption
+
+		if !endpointPickerEnableTLS {
+			opts = append(opts, grpc.WithTransportCredentials(insecure.NewCredentials()))
+		} else {
+			creds := credentials.NewTLS(&tls.Config{
+				InsecureSkipVerify: endpointPickerInsecureSkipVerify, //nolint:gosec
+			})
+			opts = append(opts, grpc.WithTransportCredentials(creds))
+		}
+		conn, err := grpc.NewClient(target, opts...)
 		if err != nil {
 			return nil, nil, err
 		}

internal/controller/nginx/conf/nginx-plus.conf

@@ -12,8 +12,8 @@ events {
 http {
   include /etc/nginx/conf.d/*.conf;
   include /etc/nginx/mime.types;
-  js_import /usr/lib/nginx/modules/njs/httpmatches.js;
-  js_import /usr/lib/nginx/modules/njs/epp.js;
+  js_import modules/njs/httpmatches.js;
+  js_import modules/njs/epp.js;
 
   default_type application/octet-stream;
 

internal/controller/nginx/conf/nginx.conf

@@ -12,8 +12,8 @@ events {
 http {
   include /etc/nginx/conf.d/*.conf;
   include /etc/nginx/mime.types;
-  js_import /usr/lib/nginx/modules/njs/httpmatches.js;
-  js_import /usr/lib/nginx/modules/njs/epp.js;
+  js_import modules/njs/httpmatches.js;
+  js_import modules/njs/epp.js;
 
   default_type application/octet-stream;