make epp tls configurable, update conformance workflow

Author: salonichf5

.github/workflows/conformance.yml

@@ -198,3 +198,26 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: gh release upload ${{ github.ref_name }} conformance-profile.yaml --clobber
         working-directory: ./tests
+
+      # The same setup works for inference conformance tests
+      # and inference extension flag is enabled
+      - name: Run inference conformance tests
+        run: |
+          make run-inference-conformance-tests CONFORMANCE_TAG=${{ github.sha }} NGF_VERSION=${{ github.ref_name }} CLUSTER_NAME=${{ github.run_id }}
+          core_result=$(cat conformance-inference-profile.yaml | yq '.profiles[0].core.result')
+          if [ "${core_result}" == "failure" ] ]; then echo "Inference Conformance test failed, see above for details." && exit 2; fi
+        working-directory: ./tests
+
+      - name: Upload profile to GitHub
+        if: ${{ inputs.enable-inference-extension }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: conformance-profile-inference-${{ inputs.image }}-${{ inputs.k8s-version }}-${{ steps.ngf-meta.outputs.version }}
+          path: ./tests/conformance-profile-inference.yaml
+
+      - name: Upload profile to release
+        if: ${{ inputs.production-release && inputs.enable-inference-extension }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh release upload ${{ github.ref_name }} conformance-profile-inference.yaml --clobber
+        working-directory: ./tests

.github/workflows/lint.yml

@@ -125,6 +125,8 @@ jobs:
         uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
         with:
           version: 3.14.0 # renovate: datasource=github-tags depName=helm/chart-testing
+          # v6.0.0 resolved the compatibility issue with Python > 3.13. may be removed after the action itself is updated
+          yamale_version: "6.0.0"
 
       - name: Run chart-testing
         run: ct lint --print-config --config .ct.yaml

cmd/gateway/commands.go

@@ -758,15 +758,37 @@ func createSleepCommand() *cobra.Command {
 }
 
 func createEndpointPickerCommand() *cobra.Command {
+	var (
+		endpointPickerEnableTLSFlag                               = "endpoint-picker-enable-tls"
+		endpointPickerInsecureSkipVerifyFlag                      = "endpoint-picker-insecure-skip-verify"
+		endpointPickerEnableTLS, endpointPickerInsecureSkipVerify bool
+	)
+
 	cmd := &cobra.Command{
 		Use:   "endpoint-picker",
 		Short: "Shim server for communication between NGINX and the Gateway API Inference Extension Endpoint Picker",
 		RunE: func(_ *cobra.Command, _ []string) error {
 			logger := ctlrZap.New().WithName("endpoint-picker-shim")
-			handler := createEndpointPickerHandler(realExtProcClientFactory(), logger)
+			handler := createEndpointPickerHandler(
+				realExtProcClientFactory(endpointPickerEnableTLS, endpointPickerInsecureSkipVerify),
+				logger,
+			)
 			return endpointPickerServer(handler)
 		},
 	}
+	cmd.Flags().BoolVar(
+		&endpointPickerEnableTLS,
+		endpointPickerEnableTLSFlag,
+		false,
+		"Enable TLS for gRPC connections to the EndpointPicker extension.",
+	)
+
+	cmd.Flags().BoolVar(
+		&endpointPickerInsecureSkipVerify,
+		endpointPickerInsecureSkipVerifyFlag,
+		true,
+		"Disable client verification of the EndpointPicker extension's server certificate.",
+	)
 
 	return cmd
 }

cmd/gateway/commands_test.go

@@ -924,3 +924,51 @@ func TestUsageReportConfig(t *testing.T) {
 		})
 	}
 }
+
+func TestEndpointPickerCommand(t *testing.T) {
+	t.Parallel()
+	tests := []flagTestCase{
+		{
+			name: "valid flags",
+			args: []string{
+				"--endpoint-picker-enable-tls=false",
+				"--endpoint-picker-insecure-skip-verify=true",
+			},
+			wantErr: false,
+		},
+		{
+			name: "flags have updated values",
+			args: []string{
+				"--endpoint-picker-enable-tls=true",
+				"--endpoint-picker-insecure-skip-verify=false",
+			},
+			wantErr: false,
+		},
+		{
+			name: "invalid flag values",
+			args: []string{
+				"--endpoint-picker-enable-tls=non-bool-value",
+			},
+			wantErr: true,
+			expectedErrPrefix: `invalid argument "non-bool-value" for "--endpoint-picker-enable-tls" flag:` +
+				` strconv.ParseBool: parsing "non-bool-value": invalid syntax`,
+		},
+		{
+			name: "invalid flag values",
+			args: []string{
+				"--endpoint-picker-insecure-skip-verify=non-bool-value",
+			},
+			wantErr: true,
+			expectedErrPrefix: `invalid argument "non-bool-value" for "--endpoint-picker-insecure-skip-verify" flag:` +
+				` strconv.ParseBool: parsing "non-bool-value": invalid syntax`,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			cmd := createEndpointPickerCommand()
+			testFlag(t, cmd, test)
+		})
+	}
+}

cmd/gateway/endpoint_picker.go

@@ -15,6 +15,7 @@ import (
 	"github.com/go-logr/logr"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/insecure"
 	eppMetadata "sigs.k8s.io/gateway-api-inference-extension/pkg/epp/metadata"
 
 	"github.com/nginx/nginx-gateway-fabric/v2/internal/framework/types"
@@ -34,13 +35,19 @@ func endpointPickerServer(handler http.Handler) error {
 }
 
 // realExtProcClientFactory returns a factory that creates a new gRPC connection and client per request.
-func realExtProcClientFactory() extProcClientFactory {
+func realExtProcClientFactory(endpointPickerEnableTLS, endpointPickerInsecureSkipVerify bool) extProcClientFactory {
 	return func(target string) (extprocv3.ExternalProcessorClient, func() error, error) {
-		creds := credentials.NewTLS(&tls.Config{
-			// add RootCAs or, if you have a self-signed server cert:
-			InsecureSkipVerify: true, //nolint:gosec
-		})
-		conn, err := grpc.NewClient(target, grpc.WithTransportCredentials(creds))
+		var opts []grpc.DialOption
+
+		if !endpointPickerEnableTLS {
+			opts = append(opts, grpc.WithTransportCredentials(insecure.NewCredentials()))
+		} else {
+			creds := credentials.NewTLS(&tls.Config{
+				InsecureSkipVerify: endpointPickerInsecureSkipVerify, //nolint:gosec
+			})
+			opts = append(opts, grpc.WithTransportCredentials(creds))
+		}
+		conn, err := grpc.NewClient(target, opts...)
 		if err != nil {
 			return nil, nil, err
 		}

internal/controller/nginx/conf/nginx-plus.conf

@@ -12,8 +12,8 @@ events {
 http {
   include /etc/nginx/conf.d/*.conf;
   include /etc/nginx/mime.types;
-  js_import /usr/lib/nginx/modules/njs/httpmatches.js;
-  js_import /usr/lib/nginx/modules/njs/epp.js;
+  js_import modules/njs/httpmatches.js;
+  js_import modules/njs/epp.js;
 
   default_type application/octet-stream;
 

internal/controller/nginx/conf/nginx.conf

@@ -12,8 +12,8 @@ events {
 http {
   include /etc/nginx/conf.d/*.conf;
   include /etc/nginx/mime.types;
-  js_import /usr/lib/nginx/modules/njs/httpmatches.js;
-  js_import /usr/lib/nginx/modules/njs/epp.js;
+  js_import modules/njs/httpmatches.js;
+  js_import modules/njs/epp.js;
 
   default_type application/octet-stream;
 

tests/Makefile

@@ -1,6 +1,7 @@
 CI ?= false
 CLUSTER_NAME ?= kind
 CONFORMANCE_PREFIX = conformance-test-runner## Prefix for the conformance test runner image
+CONFORMANCE_INFERENCE_PREFIX = conformance-inference-test-runner## Prefix for the conformance test runner image
 CONFORMANCE_TAG = latest## Tag for the conformance test runner image
 GATEWAY_CLASS = nginx## Gateway class to use
 GINKGO_FLAGS =
@@ -46,6 +47,10 @@ update-go-modules: ## Update the gateway-api go modules to latest main version
 build-test-runner-image: ## Build conformance test runner image
 	docker build --platform $(GOOS)/$(GOARCH) -t $(CONFORMANCE_PREFIX):$(CONFORMANCE_TAG) -f conformance/Dockerfile .
 
+.PHONY: build-test-runner-image-for-inference
+build-test-runner-image-for-inference: ## Build conformance test runner image for inference extension
+	docker build --platform $(GOOS)/$(GOARCH) -t $(CONFORMANCE_INFERENCE_PREFIX):$(CONFORMANCE_TAG) -f conformance/Dockerfile .
+
 .PHONY: build-crossplane-image
 build-crossplane-image: ## Build the crossplane image
 	docker build --platform $(GOOS)/$(GOARCH) --build-arg NGINX_CONF_DIR=$(NGINX_CONF_DIR) -t nginx-crossplane:latest -f framework/crossplane/Dockerfile ..
@@ -60,7 +65,7 @@ run-conformance-tests: ## Run conformance tests
 		--restart=Never -- sh -c "go test -v . -tags conformance,experimental -args --gateway-class=$(GATEWAY_CLASS) \
 						        --supported-features=$(SUPPORTED_EXTENDED_FEATURES) --version=$(NGF_VERSION) --skip-tests=$(SKIP_TESTS) --conformance-profiles=$(CONFORMANCE_PROFILES) \
 								--report-output=output.txt; cat output.txt" | tee output.txt
-	./scripts/check-pod-exit-code.sh
+	./scripts/check-pod-exit-code.sh conformance
 	sed -e '1,/CONFORMANCE PROFILE/d' output.txt > conformance-profile.yaml
 	grpc_core_result=`yq '.profiles[0].core.result' conformance-profile.yaml`; \
 	http_core_result=`yq '.profiles[1].core.result' conformance-profile.yaml`; \
@@ -80,7 +85,7 @@ run-conformance-tests-openshift: ## Run conformance tests on OpenShift (skips te
 		--restart=Never -- sh -c "go test -v . -tags conformance,experimental -args --gateway-class=$(GATEWAY_CLASS) \
 						        --supported-features=$(SUPPORTED_EXTENDED_FEATURES_OPENSHIFT) --version=$(NGF_VERSION) --skip-tests=$(SKIP_TESTS_OPENSHIFT) --conformance-profiles=$(CONFORMANCE_PROFILES) \
 								--service-type=$(GW_SERVICE_TYPE) --report-output=output.txt; cat output.txt" | tee output.txt
-	./scripts/check-pod-exit-code.sh
+	./scripts/check-pod-exit-code.sh conformance
 	sed -e '1,/CONFORMANCE PROFILE/d' output.txt > conformance-profile.yaml
 	rm output.txt
 	grpc_core_result=`yq '.profiles[0].core.result' conformance-profile.yaml`; \
@@ -94,18 +99,18 @@ run-conformance-tests-openshift: ## Run conformance tests on OpenShift (skips te
 
 .PHONY: run-inference-conformance-tests
 run-inference-conformance-tests: ## Run inference conformance tests
-	kind load docker-image $(CONFORMANCE_PREFIX):$(CONFORMANCE_TAG) --name $(CLUSTER_NAME)
+	kind load docker-image $(CONFORMANCE_INFERENCE_PREFIX):$(CONFORMANCE_TAG) --name $(CLUSTER_NAME)
 	kubectl apply -f conformance/conformance-rbac.yaml
-	kubectl run -i conformance \
-		--image=$(CONFORMANCE_PREFIX):$(CONFORMANCE_TAG) --image-pull-policy=Never \
+	kubectl run -i conformance-inference \
+		--image=$(CONFORMANCE_INFERENCE_PREFIX):$(CONFORMANCE_TAG) --image-pull-policy=Never \
 		--overrides='{ "spec": { "serviceAccountName": "conformance" }	}' \
 		--restart=Never -- sh -c "go test -v . -tags conformance -args --gateway-class=$(GATEWAY_CLASS) \
 		--version=$(NGF_VERSION) \
 		--skip-tests=$(INFERENCE_SKIP_TESTS) \
 		--supported-features=$(INFERENCE_SUPPORTED_FEATURES) \
 		--report-output=output.txt; cat output.txt" | tee output.txt
-	./scripts/check-pod-exit-code.sh
-	sed -e '1,/CONFORMANCE PROFILE/d' output.txt > conformance-profile-inference.yaml
+	./scripts/check-pod-exit-code.sh conformance-inference
+	sed -e '1,/GatewayAPIInferenceExtensionVersion/d' output.txt > conformance-profile-inference.yaml
 	rm output.txt
 	core_result=`yq '.profiles[0].core.result' conformance-profile-inference.yaml`; \
 	if [ "$$core_result" != "failure" ] ; then \
@@ -117,6 +122,12 @@ run-inference-conformance-tests: ## Run inference conformance tests
 .PHONY: cleanup-conformance-tests
 cleanup-conformance-tests: ## Clean up conformance tests fixtures
 	kubectl delete pod conformance
+	kubectl delete pod conformance-inference
+	kubectl delete -f conformance/conformance-rbac.yaml
+
+.PHONY: cleanup-conformance-inference-tests
+cleanup-conformance-inference-tests: ## Clean up conformance inference tests fixtures
+	kubectl delete pod conformance-inference
 	kubectl delete -f conformance/conformance-rbac.yaml
 
 .PHONY: reset-go-modules

tests/conformance-profile-inference.yaml

@@ -0,0 +1,24 @@
+apiVersion: gateway.networking.k8s.io/v1
+date: "2025-10-16T01:03:45Z"
+gatewayAPIChannel: experimental
+gatewayAPIVersion: v1.3.0
+implementation:
+  contact:
+  - https://github.com/nginx/nginx-gateway-fabric/discussions/new/choose
+  organization: nginx
+  project: nginx-gateway-fabric
+  url: https://github.com/nginx/nginx-gateway-fabric
+  version: edge
+kind: ConformanceReport
+mode: default
+profiles:
+- core:
+    result: partial
+    skippedTests:
+    - InferencePoolResolvedRefsCondition
+    statistics:
+      Failed: 0
+      Passed: 8
+      Skipped: 1
+  name: Gateway
+  summary: Core tests partially succeeded with 1 test skips.

tests/scripts/check-pod-exit-code.sh

@@ -2,7 +2,16 @@
 
 set -eo pipefail
 
-CODE=$(kubectl get pod conformance -o jsonpath='{.status.containerStatuses[].state.terminated.exitCode}')
+# Check if a pod name is provided as an argument
+if [ "$#" -ne 1 ]; then
+    echo "Provide pod name: $0"
+    exit 1
+fi
+
+POD_NAME=$1
+
+# Get the exit code of the specified pod
+CODE=$(kubectl get pod "${POD_NAME}" -o jsonpath='{.status.containerStatuses[].state.terminated.exitCode}')
 if [ "${CODE}" -ne 0 ]; then
     exit 2
 fi