Issue 3138 - Conformance Tests for BackendTLSPolicy - normative #3212

candita · 2024-07-23T20:36:20Z

What type of PR is this?

/kind test
/area conformance

What this PR does / why we need it:

Add a normative test of Gateway API BackendTLSPolicy implementations.

Which issue(s) this PR fixes:
Fixes #3138

Does this PR introduce a user-facing change?:

NONE

k8s-ci-robot · 2024-07-23T20:36:22Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

conformance/echo-basic/echo-basic.go

candita · 2024-08-13T20:18:30Z

/test pull-gateway-api-verify

candita · 2024-08-14T20:02:18Z

/test pull-gateway-api-verify

candita · 2024-08-19T17:16:41Z

/test pull-gateway-api-verify

candita · 2024-08-19T18:51:48Z

/test pull-gateway-api-verify

candita · 2024-08-19T19:09:29Z

/test pull-gateway-api-verify

candita · 2024-08-19T19:56:40Z

/test pull-gateway-api-verify

candita · 2024-08-19T20:36:48Z

/test pull-gateway-api-verify

candita · 2024-08-19T22:33:00Z

/test pull-gateway-api-verify

candita · 2024-08-19T23:16:00Z

/test pull-gateway-api-test

Fix certificate unit test.

# Conflicts: # conformance/utils/http/http.go

Add conformance profiles to logged information.

Remove echo-basic changes, fix cert building, and adjust the port used for gateways with multiple listeners Co-authored-by: Norwin Schnyder <[email protected]>

robscott

Thanks for all the work on this @candita! This is a great foundation for these tests, and I'm excited to see what else we can add from here in the next couple of weeks. I'll leave a hold on here until you're able to make some follow up issues for the items we're leaving for follow ups from this PR. Please go ahead and remove that hold once we have issues in place.

/lgtm
/approve
/hold

robscott · 2025-07-16T06:25:14Z

conformance/tests/backendtlspolicy.go

+		kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{ns})
+		gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAcceptedMultipleListeners(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+		kubernetes.HTTPRouteMustHaveResolvedRefsConditionsTrue(t, suite.Client, suite.TimeoutConfig, routeNN, gwNN)
+


+1, a follow up issue would be helpful

robscott · 2025-07-16T06:26:48Z

pkg/features/backendtlspolicy.go

+
+const (
+	// This option indicates support for BackendTLSPolicy.
+	SupportBackendTLSPolicy FeatureName = "BackendTLSPolicy"


An optional part of Gateway HTTP profile seems reasonable to me here, but you have more insight on how conformance profiles should work.

robscott · 2025-07-16T06:28:43Z

conformance/tests/backendtlspolicy.yaml

+    port: 443
+    targetPort: 8443
+---
+# Deployment must not be applied until after the secret is generated.


+1, would strongly prefer these workloads be deployed separately, likely as part of the base set of resources.

candita

/unhold

candita · 2025-07-15T17:42:08Z

conformance/tests/backendtlspolicy.yaml

+kind: Gateway
+metadata:
+  name: gateway-backendtlspolicy
+  namespace: gateway-conformance-infra


Fwiw, BackendTLSPolicy is moving to standard in this release.

candita · 2025-07-15T17:44:12Z

conformance/tests/backendtlspolicy.yaml

+    port: 443
+    targetPort: 8443
+---
+# Deployment must not be applied until after the secret is generated.


If you mean move this from here to conformance/base/manifests.yaml, I hope you don't mind if I do that as a followup task. I'm still not certain on the reason though.

candita · 2025-07-21T14:46:55Z

conformance/tests/backendtlspolicy.go

+		kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{ns})
+		gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAcceptedMultipleListeners(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+		kubernetes.HTTPRouteMustHaveResolvedRefsConditionsTrue(t, suite.Client, suite.TimeoutConfig, routeNN, gwNN)
+


Follow up issue: #3933

candita · 2025-07-21T14:49:21Z

conformance/tests/backendtlspolicy.yaml

+    port: 443
+    targetPort: 8443
+---
+# Deployment must not be applied until after the secret is generated.


Follow up issue: #3934

candita · 2025-07-21T14:51:42Z

conformance/tests/backendtlspolicy.go

+		features.SupportHTTPRoute,
+		features.SupportBackendTLSPolicy,
+	},
+	Manifests: []string{"tests/backendtlspolicy.yaml"},


Follow up: #3935

candita · 2025-07-21T14:54:20Z

pkg/features/backendtlspolicy.go

+
+const (
+	// This option indicates support for BackendTLSPolicy.
+	SupportBackendTLSPolicy FeatureName = "BackendTLSPolicy"


Follow-up issue: #3936

candita · 2025-07-21T14:58:55Z

/label tide/merge-method-squash

k8s-ci-robot · 2025-07-21T15:30:05Z

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: candita

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

…rnetes-sigs#3212) * Issue 3138 - add normative conformance test for BackendTLSPolicy. * Fix where the new go module needed by echo-basic resides, but keep the original as well. See https://github.com/kubernetes-sigs/gateway-api/pull/2745/files#diff-cf5b4a9b433acc91f8c7cc2dc802e29aa712c8d820887742f3bc5ae45b7a9d0fR24-R28 * Rebase and make requested updates. * Update tests after implementation testing conformance/base/manifests.yaml - fix yaml conformance/tests/backendtlspolicy.yaml - fix yaml conformance/tests/tlsroute-simple-same-namespace.go - rename cert for sharing conformance/utils/suite/conformance.go - fix a bug in cleanup-base-resources flag application conformance/utils/suite/suite.go - rename cert for sharing * Incorporate Shane and Flynn's feedback * Add unit testing for generateCACert, new HTTPS call, some debugging, and fix yaml * Update echo-basic images * Fix lint errors and condition evaluation in tests * Fix yaml for httpRoute and backendTLSPolicy. Fix CA generation. Fix certificate unit test. * Refactor test, fix yaml * Fix the tests for normative BackendTLSPolicy # Conflicts: # conformance/utils/http/http.go * Make changes from review comments. Add conformance profiles to logged information. * Address further review comments * Address review comments: Remove echo-basic changes, fix cert building, and adjust the port used for gateways with multiple listeners Co-authored-by: Norwin Schnyder <[email protected]> * Address the last of the review comments --------- Co-authored-by: Norwin Schnyder <[email protected]>

k8s-ci-robot requested review from michaelbeaumont and youngnick July 23, 2024 20:36

whitneygriffith reviewed Aug 1, 2024

View reviewed changes

conformance/echo-basic/echo-basic.go Outdated Show resolved Hide resolved

candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 76c8e10 to 6d9ab9e Compare August 13, 2024 00:38

candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 0ec34a8 to 75551a0 Compare August 19, 2024 17:12

k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 19, 2024

candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 75551a0 to 7626aaa Compare August 19, 2024 18:48

k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Aug 19, 2024

candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 7626aaa to 1bc71f0 Compare August 19, 2024 19:09

candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 1bc71f0 to 99e7eac Compare August 19, 2024 19:55

candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 99e7eac to b774245 Compare August 19, 2024 20:35

candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from b774245 to 91488aa Compare August 19, 2024 22:30

candita and others added 9 commits July 15, 2025 17:04

Update echo-basic images

fc37f1b

Fix lint errors and condition evaluation in tests

5173850

Fix yaml for httpRoute and backendTLSPolicy. Fix CA generation.

ff18f83

Fix certificate unit test.

Refactor test, fix yaml

3143520

Fix the tests for normative BackendTLSPolicy

8a514fb

# Conflicts: # conformance/utils/http/http.go

Make changes from review comments.

e3ea8f5

Add conformance profiles to logged information.

Address further review comments

8b387de

Address review comments:

6510dc1

Remove echo-basic changes, fix cert building, and adjust the port used for gateways with multiple listeners Co-authored-by: Norwin Schnyder <[email protected]>

Address the last of the review comments

2d91cd1

candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 8a88f1f to 2d91cd1 Compare July 15, 2025 21:06

robscott approved these changes Jul 16, 2025

View reviewed changes

k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 16, 2025

k8s-ci-robot assigned robscott Jul 16, 2025

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 16, 2025

kl52752 mentioned this pull request Jul 18, 2025

Add Conformance test for Invalid BackendTLSPolicy TLS settings #3930

Merged

candita commented Jul 21, 2025

View reviewed changes

k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 21, 2025

k8s-ci-robot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Jul 21, 2025

shaneutt added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 21, 2025

shaneutt added this to Release v1.4.0 Jul 21, 2025

shaneutt moved this to Review in Release v1.4.0 Jul 21, 2025

k8s-ci-robot merged commit 0fd1805 into kubernetes-sigs:main Jul 21, 2025
13 checks passed

github-project-automation bot moved this from Review to Done in Release v1.4.0 Jul 21, 2025

Issue 3138 - Conformance Tests for BackendTLSPolicy - normative #3212

Issue 3138 - Conformance Tests for BackendTLSPolicy - normative #3212

Uh oh!

Conversation

candita commented Jul 23, 2024

Uh oh!

k8s-ci-robot commented Jul 23, 2024

Uh oh!

Uh oh!

candita commented Aug 13, 2024

Uh oh!

candita commented Aug 14, 2024

Uh oh!

candita commented Aug 19, 2024

Uh oh!

candita commented Aug 19, 2024

Uh oh!

candita commented Aug 19, 2024

Uh oh!

candita commented Aug 19, 2024

Uh oh!

candita commented Aug 19, 2024

Uh oh!

candita commented Aug 19, 2024

Uh oh!

candita commented Aug 19, 2024

Uh oh!

robscott left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

candita left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

candita commented Jul 21, 2025

Uh oh!

k8s-ci-robot commented Jul 21, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

13 participants