Issue 3138 - Conformance Tests for BackendTLSPolicy - normative #3212
Conversation
|
Skipping CI for Draft Pull Request. |
k8s-ci-robot
added
release-note-none
candita
force-pushed
the
issue3138-BackendTLSPolicy-echoserver
branch
from
76c8e10 to
6d9ab9e
Compare
|
/test pull-gateway-api-verify |
1 similar comment
|
/test pull-gateway-api-verify |
candita
force-pushed
the
issue3138-BackendTLSPolicy-echoserver
branch
from
0ec34a8 to
75551a0
Compare
k8s-ci-robot
added
size/XL
|
/test pull-gateway-api-verify |
candita
force-pushed
the
issue3138-BackendTLSPolicy-echoserver
branch
from
75551a0 to
7626aaa
Compare
k8s-ci-robot
added
size/L
|
/test pull-gateway-api-verify |
candita
force-pushed
the
issue3138-BackendTLSPolicy-echoserver
branch
from
7626aaa to
1bc71f0
Compare
|
/test pull-gateway-api-verify |
candita
force-pushed
the
issue3138-BackendTLSPolicy-echoserver
branch
from
1bc71f0 to
99e7eac
Compare
|
/test pull-gateway-api-verify |
candita
force-pushed
the
issue3138-BackendTLSPolicy-echoserver
branch
from
99e7eac to
b774245
Compare
|
/test pull-gateway-api-verify |
candita
force-pushed
the
issue3138-BackendTLSPolicy-echoserver
branch
from
b774245 to
91488aa
Compare
|
/test pull-gateway-api-verify |
|
/test pull-gateway-api-test |
| # From https://github.com/kubernetes-sigs/ingress-controller-conformance/tree/master/images/echoserver | ||
| image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd | ||
| # Originally from https://github.com/kubernetes-sigs/ingress-controller-conformance/tree/master/images/echoserver | ||
| image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9 |
There was a problem hiding this comment.
nit: there is newer version of this image
gcr.io/k8s-staging-gateway-api/echo-basic:v20250605-v1.3.0-25-g77baa438
There was a problem hiding this comment.
Thanks. This version will need to be updated for all once the changes for echo-basic are accepted. Then, I will split this PR, merge the echo-basic changes, and it will give me a new version to use. Then I will change all the images to use the new version.
There was a problem hiding this comment.
I will not be updating echo-basic after all. We've not made any changes to echo-basic that we need to pick up, since March 2024.
conformance/base/manifests.yaml
Outdated
| @@ -346,7 +346,7 @@ spec: | |||
| spec: | |||
| containers: | |||
| - name: tls-backend | |||
| image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd | |||
| image: echo-basic:2.7 | |||
There was a problem hiding this comment.
why different image for this container?
There was a problem hiding this comment.
This is how to test changes to echo-basic locally. I build the echo-basic image, tag it with my own version number, and load that image to my kind cluster. Then when I run this test it will pick up the local version with my changes. The versions will be fixed later, as described in #3212 (comment).
conformance/echo-basic/echo-basic.go
Outdated
| var config tls.Config | ||
|
|
||
| if cacert == "" { | ||
| return &config, fmt.Errorf("empty CA cert specified") |
There was a problem hiding this comment.
I think it is good practice to return nil object on error. When you return error from the function it should be a strong signal not to use this variable
There was a problem hiding this comment.
Here I think I don't want to return nil in a pointer like *tls.Config. Am I wrong about that?
There was a problem hiding this comment.
If you return the error then the other object which was returned should not be used and this is recommended to return nil.
If you want to cover case where client haven't has certs then I suggest to split or refactor the func (the function cannot return default config and error you can have one or another).
There was a problem hiding this comment.
This file will be removed.
conformance/utils/suite/suite.go
Outdated
| suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup) | ||
| secret = kubernetes.MustCreateSelfSignedCertSecret(t, "gateway-conformance-app-backend", "tls-passthrough-checks-certificate", []string{"abc.example.com"}) | ||
| suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup) | ||
| caConfigMap := kubernetes.MustCreateCASignedCertConfigMap(t, "gateway-conformance-infra", "backend-tls-checks-certificate", []string{"abc.example.com"}) |
There was a problem hiding this comment.
I think this CA certificate should be used to create the server certificate of the backend otherwise the verification will never pass.
There was a problem hiding this comment.
I saw that you mean the 'tls-checks-certificate' that needs to be created with the CA cert, and I tested it and that is the only way it works. But why can't tls-checks-certificate and backend-tls-checks-certificate be separately signed certs?
There was a problem hiding this comment.
The CA certificate configured in the BackendTLSPolicy is used to validate the backend’s certificate during the TLS handshake. For this validation to succeed, the backend certificate must be signed by the specified CA, or by a CA derived from it (i.e., a CA in the same trust chain).
Documentation for caCertificateRefs in BackendTLSPolicy:
CACertificateRefs contains one or more references to Kubernetes objects that contain a PEM-encoded TLS CA certificate bundle, which is used to validate a TLS handshake between the Gateway and backend Pod.
| }, | ||
| Data: map[string]string{ | ||
| "ca.crt": certData.String(), | ||
| "key.crt": keyData.String(), |
There was a problem hiding this comment.
nit: I don’t think we should store the private key of the CA certificate in the ConfigMap, as this is against best practices and isn’t necessary for certificate validation.
|
|
||
| // MustCreateCASignedCertConfigMap will create a ConfigMap containing a CA Certificate, given a TLS Secret | ||
| // for that CA certificate. | ||
| func MustCreateCASignedCertConfigMap(t *testing.T, namespace, configMapName string, hosts []string) *corev1.ConfigMap { |
There was a problem hiding this comment.
| func MustCreateCASignedCertConfigMap(t *testing.T, namespace, configMapName string, hosts []string) *corev1.ConfigMap { | |
| func MustCreateCACertConfigMap(t *testing.T, namespace, configMapName string, hosts []string) *corev1.ConfigMap { |
Despite the name, this function creates a CA certificate, not a CA-signed certificate.
There was a problem hiding this comment.
Although the suggestion may be outdated, the comment remains valid.
conformance/utils/suite/suite.go
Outdated
| suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup) | ||
| secret = kubernetes.MustCreateSelfSignedCertSecret(t, "gateway-conformance-app-backend", "tls-passthrough-checks-certificate", []string{"abc.example.com"}) | ||
| suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup) | ||
| caConfigMap := kubernetes.MustCreateCASignedCertConfigMap(t, "gateway-conformance-infra", "backend-tls-checks-certificate", []string{"abc.example.com"}) |
There was a problem hiding this comment.
The CA certificate configured in the BackendTLSPolicy is used to validate the backend’s certificate during the TLS handshake. For this validation to succeed, the backend certificate must be signed by the specified CA, or by a CA derived from it (i.e., a CA in the same trust chain).
Documentation for caCertificateRefs in BackendTLSPolicy:
CACertificateRefs contains one or more references to Kubernetes objects that contain a PEM-encoded TLS CA certificate bundle, which is used to validate a TLS handshake between the Gateway and backend Pod.
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
added
the
do-not-merge/work-in-progress
candita
force-pushed
the
issue3138-BackendTLSPolicy-echoserver
branch
2 times, most recently
from
2970c69 to
efe1338
Compare
BackendTLSPolicy.
conformance/base/manifests.yaml - fix yaml conformance/tests/backendtlspolicy.yaml - fix yaml conformance/tests/tlsroute-simple-same-namespace.go - rename cert for sharing conformance/utils/suite/conformance.go - fix a bug in cleanup-base-resources flag application conformance/utils/suite/suite.go - rename cert for sharing
call, some debugging, and fix yaml
Fix certificate unit test.
# Conflicts: # conformance/utils/http/http.go
Add conformance profiles to logged information.
Remove echo-basic changes, fix cert building, and adjust the port used for gateways with multiple listeners Co-authored-by: Norwin Schnyder <[email protected]>
candita
force-pushed
the
issue3138-BackendTLSPolicy-echoserver
branch
from
efe1338 to
967e2b9
Compare
k8s-ci-robot
removed
the
needs-rebase
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
@candita: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{ns}) | ||
| gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAcceptedMultipleListeners(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) | ||
| kubernetes.HTTPRouteMustHaveResolvedRefsConditionsTrue(t, suite.Client, suite.TimeoutConfig, routeNN, gwNN) | ||
|
|
There was a problem hiding this comment.
I think we’re also missing an assertion here to verify that the BackendTLSPolicy has been accepted, with the appropriate ancestor references and statusconditions set.
| port: 443 | ||
| targetPort: 8443 | ||
| --- | ||
| # Deployment must not be applied until after the secret is generated. |
There was a problem hiding this comment.
Same here: I think we should reuse the tls-backend. We can still create a dedicated copy of its Service for this test to avoid interference with other test cases.
|
|
||
| RouteTypeMustHaveParentsField(t, routeType) | ||
| // If the Gateway has multiple listeners, get a portless gwAddr. | ||
| if !usePort { |
There was a problem hiding this comment.
For better readability, it might be preferable to always return the address including the port, and strip the port only in the few cases where it isn’t needed.
What type of PR is this?
/kind test
/area conformance
What this PR does / why we need it:
Add a normative test of Gateway API BackendTLSPolicy implementations.
Which issue(s) this PR fixes:
Fixes #3138
Does this PR introduce a user-facing change?: