
Commit 9e4cf2a

committed
rebase to 'origin/main' and refactor BackendTLSPolicy validation and normative tests
1 parent a783fc4 commit 9e4cf2a


6 files changed

+142
-186
lines changed


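--- a/conformance/base/manifests.yaml
+++ b/conformance/base/manifests.yaml
@@ -95,39 +95,6 @@ spec:
 matchLabels:
 gateway-conformance: backend
 ---
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
-name: gateway-backendtlspolicy
-namespace: gateway-conformance-infra
-spec:
-gatewayClassName: "{GATEWAY_CLASS_NAME}"
-listeners:
-- name: http
-port: 80
-protocol: HTTP
-hostname: "abc.example.com"
-allowedRoutes:
-namespaces:
-from: Same
-kinds:
-- kind: HTTPRoute
-- name: https
-port: 443
-protocol: HTTPS
-tls:
-mode: Terminate
-certificateRefs:
-- group: ""
-kind: Secret
-name: tls-checks-certificate
-hostname: "abc.example.com"
-allowedRoutes:
-namespaces:
-from: Same
-kinds:
-- kind: HTTPRoute
----
 apiVersion: v1
 kind: Service
 metadata: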

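--- a/conformance/tests/backendtlspolicy-san.go
+++ b/conformance/tests/backendtlspolicy-san.go
@@ -46,8 +46,8 @@ var BackendTLSPolicySANValidation = suite.ConformanceTest{
 Manifests: []string{"tests/backendtlspolicy-san.yaml"},
 Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
 ns := "gateway-conformance-infra"
-routeNN := types.NamespacedName{Name: "route-backendtlspolicy-san-test", Namespace: ns}
-gwNN := types.NamespacedName{Name: "gateway-backendtlspolicy", Namespace: ns}
+routeNN := types.NamespacedName{Name: "backendtlspolicy-san-test", Namespace: ns}
+gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
 
 kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{ns})
 gwAddr := kubernetes.GatewayAndRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), &gatewayv1.HTTPRoute{}, false, routeNN)
@@ -63,98 +63,98 @@ var BackendTLSPolicySANValidation = suite.ConformanceTest{
 
 // Verify that the request sent to Service with valid BackendTLSPolicy containing dns SAN should succeed.
 t.Run("HTTP request sent to Service with valid BackendTLSPolicy containing dns SAN should succeed", func(t *testing.T) {
-policyNN := types.NamespacedName{Name: "backendtlspolicy-san-dns", Namespace: ns}
+policyNN := types.NamespacedName{Name: "san-dns", Namespace: ns}
 kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, policyNN, gwNN, policyCond)
 
 h.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
 h.ExpectedResponse{
 Namespace: ns,
 Request: h.Request{
 Host: serverStr,
-Path: "/backendTLSSanDns",
+Path: "/backendtlspolicy-san-dns",
 SNI: serverStr,
 },
-Response: h.Response{StatusCode: 200},
+Response: h.Response{StatusCodes: []int{200}},
 })
 })
 
 // Verify that the request sent to a Service targeted by a BackendTLSPolicy with mismatched dns SAN should fail.
 t.Run("HTTP request sent to Service targeted by BackendTLSPolicy with mismatched dns SAN should return an HTTP error", func(t *testing.T) {
-policyNN := types.NamespacedName{Name: "backendtlspolicy-san-dns-mismatch", Namespace: ns}
+policyNN := types.NamespacedName{Name: "san-dns-mismatch", Namespace: ns}
 kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, policyNN, gwNN, policyCond)
 
 h.MakeRequestAndExpectFailure(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
 h.ExpectedResponse{
 Namespace: ns,
 Request: h.Request{
 Host: serverStr,
-Path: "/backendTLSSanDnsMismatch",
+Path: "/backendtlspolicy-san-dns-mismatch",
 SNI: serverStr,
 },
 })
 })
 
 // Verify that the request sent to Service with valid BackendTLSPolicy containing uri SAN should succeed.
 t.Run("HTTP request sent to Service with valid BackendTLSPolicy containing uri SAN should succeed", func(t *testing.T) {
-policyNN := types.NamespacedName{Name: "backendtlspolicy-san-uri", Namespace: ns}
+policyNN := types.NamespacedName{Name: "san-uri", Namespace: ns}
 kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, policyNN, gwNN, policyCond)
 
 h.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
 h.ExpectedResponse{
 Namespace: ns,
 Request: h.Request{
 Host: serverStr,
-Path: "/backendTLSSanUri",
+Path: "/backendtlspolicy-san-uri",
 SNI: serverStr,
 },
-Response: h.Response{StatusCode: 200},
+Response: h.Response{StatusCodes: []int{200}},
 })
 })
 
 // Verify that the request sent to a Service targeted by a BackendTLSPolicy with mismatched uri SAN should fail.
 t.Run("HTTP request sent to Service targeted by BackendTLSPolicy with mismatched uri SAN should return an HTTP error", func(t *testing.T) {
-policyNN := types.NamespacedName{Name: "backendtlspolicy-san-uri-mismatch", Namespace: ns}
+policyNN := types.NamespacedName{Name: "san-uri-mismatch", Namespace: ns}
 kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, policyNN, gwNN, policyCond)
 
 h.MakeRequestAndExpectFailure(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
 h.ExpectedResponse{
 Namespace: ns,
 Request: h.Request{
 Host: serverStr,
-Path: "/backendTLSSanUriMismatch",
+Path: "/backendtlspolicy-san-uri-mismatch",
 SNI: serverStr,
 },
 })
 })
 
 // Verify that the request sent to Service with valid BackendTLSPolicy containing multi SANs should succeed.
 t.Run("HTTP request sent to Service with valid BackendTLSPolicy containing multi SAN should succeed", func(t *testing.T) {
-policyNN := types.NamespacedName{Name: "backendtlspolicy-multiple-sans", Namespace: ns}
+policyNN := types.NamespacedName{Name: "multiple-sans", Namespace: ns}
 kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, policyNN, gwNN, policyCond)
 
 h.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
 h.ExpectedResponse{
 Namespace: ns,
 Request: h.Request{
 Host: serverStr,
-Path: "/backendTLSMultiSans",
+Path: "/backendtlspolicy-multiple-sans",
 SNI: serverStr,
 },
-Response: h.Response{StatusCode: 200},
+Response: h.Response{StatusCodes: []int{200}},
 })
 })
 
 // Verify that the request sent to a Service targeted by a BackendTLSPolicy with mismatched multi SAN should fail.
 t.Run("HTTP request sent to Service targeted by BackendTLSPolicy with mismatched multi SAN should return an HTTP error", func(t *testing.T) {
-policyNN := types.NamespacedName{Name: "backendtlspolicy-multiple-mismatch-sans", Namespace: ns}
+policyNN := types.NamespacedName{Name: "multiple-mismatch-sans", Namespace: ns}
 kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, policyNN, gwNN, policyCond)
 
 h.MakeRequestAndExpectFailure(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
 h.ExpectedResponse{
 Namespace: ns,
 Request: h.Request{
 Host: serverStr,
-Path: "/backendTLSMultiMismatchSans",
+Path: "/backendtlspolicy-multiple-mismatch-sans",
 SNI: serverStr,
 },
 })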
})
