Add Conformance tests for BackendTLSPolicy validating SANs with Type dsnName #3983

kl52752 · 2025-08-11T17:02:44Z

What type of PR is this?

/kind test
What this PR does / why we need it:
Add Conformance tests for BackendTLSPolicy validating SANs set with Type dns name
Which issue(s) this PR fixes:

Relates to #3979

Does this PR introduce a user-facing change?:

NONE

k8s-ci-robot · 2025-08-11T17:02:54Z

Hi @kl52752. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

kl52752 · 2025-08-11T17:30:56Z

/assign @robscott @candita @snorwin

mikemorris · 2025-08-12T01:12:02Z

/ok-to-test

robscott

Thanks @kl52752!

robscott · 2025-08-12T05:51:03Z

conformance/tests/backendtlspolicy.go

+
+		// Verify that request sent to Service targeted by BackendTLSPolicy with mismatched SAN should failed.
+		t.Run("HTTP request send to Service targeted by BackendTLSPolicy with mismatched SAN should return HTTP error", func(t *testing.T) {
+			h.MakeRequestAndExpectFailure(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,


It seems like this will pass if any non-200 error code is returned. Can we be more specific here?

Actually the spec is a bit vague here, error codes are not constrained but it is up to implementation how to signal the error

robscott · 2025-08-12T05:56:17Z

conformance/tests/backendtlspolicy.yaml

+    subjectAltNames:
+    - type: Hostname
+      hostname: abc.example.com
+    hostname: "mismatch.example.com"


This seems like it's testing a config mismatch instead of a mismatch in the cert itself. Can we also include a test that covers a case where the config lines up but the cert served by the backend does not match either the configured hostname or the SANs?

conformance/tests/backendtlspolicy.yaml

snorwin · 2025-08-20T09:42:26Z

Thanks a lot @kl52752! I have verified the tests using the Airlock Microgateway.

@rikatz, if you wouldn’t mind verifying them with Envoy Gateway too, that would be really appreciated. Please feel free to unhold the PR afterwards.

/lgtm
/hold

snorwin · 2025-08-20T09:43:13Z

/assign @robscott

snorwin · 2025-08-20T13:45:16Z

conformance/utils/suite/suite.go

@@ -389,6 +389,11 @@ func (suite *ConformanceTestSuite) Setup(t *testing.T, tests []ConformanceTest)
 		suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{caConfigMap}, suite.Cleanup)
 		secret = kubernetes.MustCreateCASignedCertSecret(t, "gateway-conformance-infra", "tls-checks-certificate", []string{"abc.example.com"}, ca, caPrivKey)
 		suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup)
+		// TODO(kl52752) Merge CA certificates for Backend TLS Policy and move Deployment to common file.


@kl52752 I could take care of this, since I’m already planning a small refactoring in #3993.

rikatz · 2025-08-20T14:01:14Z

Thanks a lot @kl52752! I have verified the tests using the Airlock Microgateway.

@rikatz, if you wouldn’t mind verifying them with Envoy Gateway too, that would be really appreciated. Please feel free to unhold the PR afterwards.

can do, adding to my queue
/cc
/assign

robscott · 2025-08-20T16:49:54Z

Thanks @kl52752! @rikatz feel free to remove hold and merge if you're able to verify this with Envoy Gateway

/approve

k8s-ci-robot · 2025-08-20T16:50:03Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kl52752, robscott, snorwin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [robscott]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

rikatz · 2025-08-20T17:05:16Z

envoy gateway fails to work, checking here if it is related to the gateway itself or something with tests

    --- FAIL: TestConformance/BackendTLSPolicySANValidation (3.33s)
        --- PASS: TestConformance/BackendTLSPolicySANValidation/HTTP_request_sent_to_Service_with_valid_BackendTLSPolicy_containing_dns_SAN_should_succeed (0.02s)
        --- FAIL: TestConformance/BackendTLSPolicySANValidation/HTTP_request_sent_to_Service_targeted_by_BackendTLSPolicy_with_mismatched_dns_SAN_should_return_an_HTTP_error (0.00s)
        --- PASS: TestConformance/BackendTLSPolicySANValidation/HTTP_request_sent_to_Service_with_valid_BackendTLSPolicy_containing_uri_SAN_should_succeed (0.01s)
        --- FAIL: TestConformance/BackendTLSPolicySANValidation/HTTP_request_sent_to_Service_targeted_by_BackendTLSPolicy_with_mismatched_uri_SAN_should_return_an_HTTP_error (0.00s)
        --- PASS: TestConformance/BackendTLSPolicySANValidation/HTTP_request_sent_to_Service_with_valid_BackendTLSPolicy_containing_multi_SAN_should_succeed (0.01s)
        --- FAIL: TestConformance/BackendTLSPolicySANValidation/HTTP_request_sent_to_Service_targeted_by_BackendTLSPolicy_with_mismatched_multi_SAN_should_return_an_HTTP_error (0.00s)

rikatz · 2025-08-20T17:17:56Z

@snorwin @kl52752 from my tests it seems that the expected behavior of envoy-gateway failing to send the request to a backend because the certs don't match is not being respected by envoy gateway.

edit: just clarifying, this seems to me a lack of conformance on envoy gateway, the test seems fine. Did we tested with Istio as well?

/cc @candita
for some final thoughts

rikatz · 2025-08-20T17:45:15Z

Tried to test with Istio as well, and miserably failed (probably my own fault)

Installed with istioctl install --set profile=preview --skip-confirmation and it couldn't reconcile backendtlspolicy, maybe I should be using some nightly version

snorwin · 2025-08-20T19:04:57Z

I also tried testing it with kgateway, but without success. It seems that most implementations are not yet fully conformant with the BackendTLSPolicy specification, since we only recently began developing conformance tests.

rikatz · 2025-08-20T19:17:11Z

/lgtm
Did some tests and couldn't make it work but because the services I tried are not conformant with this validation.

Please wait for Candace's unhold :)

snorwin · 2025-08-25T19:21:40Z

/assign @shaneutt

k8s-ci-robot requested review from mikemorris and sunjayBhatia August 11, 2025 17:02

kl52752 force-pushed the san-tests branch from b2dc6d5 to 9d4b136 Compare August 11, 2025 17:10

k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 11, 2025

Add Conformance tests for BackendTLSPolicy validating SANs

b2c36fe

kl52752 force-pushed the san-tests branch from 9d4b136 to b2c36fe Compare August 11, 2025 17:26

k8s-ci-robot assigned candita, robscott and snorwin Aug 11, 2025

k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 12, 2025

robscott reviewed Aug 12, 2025

View reviewed changes

snorwin reviewed Aug 12, 2025

View reviewed changes

conformance/tests/backendtlspolicy.yaml Outdated Show resolved Hide resolved

conformance/tests/backendtlspolicy.yaml Outdated Show resolved Hide resolved

kl52752 marked this pull request as draft August 12, 2025 08:37

k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 12, 2025

kl52752 force-pushed the san-tests branch from ce7540d to 1c19522 Compare August 12, 2025 15:54

kl52752 marked this pull request as ready for review August 12, 2025 15:58

k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 12, 2025

k8s-ci-robot requested review from howardjohn and LiorLieberman August 12, 2025 15:58

kl52752 force-pushed the san-tests branch from 1c19522 to 0fb183c Compare August 12, 2025 18:28

kl52752 force-pushed the san-tests branch 3 times, most recently from b4f63d3 to 34f8d3b Compare August 20, 2025 09:36

Validate URI SANs

664bb39

kl52752 force-pushed the san-tests branch from 34f8d3b to 664bb39 Compare August 20, 2025 09:37

k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Aug 20, 2025

snorwin approved these changes Aug 20, 2025

View reviewed changes

snorwin reviewed Aug 20, 2025

View reviewed changes

k8s-ci-robot assigned rikatz Aug 20, 2025

k8s-ci-robot requested a review from rikatz August 20, 2025 14:01

k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 20, 2025

k8s-ci-robot requested a review from candita August 20, 2025 17:17

snorwin mentioned this pull request Aug 23, 2025

simplify BackendTLSPolicy test infrastructure and remove unnecessary code #4016

Open

k8s-ci-robot assigned shaneutt Aug 25, 2025

shaneutt added the v1.4-release/subtask This indicates a subtask of a feature, bug, or smaller issue for the v1.4 release. label Aug 25, 2025

shaneutt added this to Release v1.4.0 Aug 25, 2025

shaneutt moved this to Review in Release v1.4.0 Aug 25, 2025

shaneutt added this to the v1.4.0 milestone Aug 25, 2025

Add Conformance tests for BackendTLSPolicy validating SANs with Type dsnName #3983

Are you sure you want to change the base?

Add Conformance tests for BackendTLSPolicy validating SANs with Type dsnName #3983

Conversation

kl52752 commented Aug 11, 2025

Uh oh!

k8s-ci-robot commented Aug 11, 2025

Uh oh!

kl52752 commented Aug 11, 2025

Uh oh!

mikemorris commented Aug 12, 2025

Uh oh!

robscott left a comment

Choose a reason for hiding this comment

Uh oh!

robscott Aug 12, 2025

Choose a reason for hiding this comment

Uh oh!

kl52752 Aug 12, 2025

Choose a reason for hiding this comment

Uh oh!

robscott Aug 12, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

snorwin commented Aug 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

snorwin commented Aug 20, 2025

Uh oh!

snorwin Aug 20, 2025

Choose a reason for hiding this comment

Uh oh!

rikatz commented Aug 20, 2025

Uh oh!

robscott commented Aug 20, 2025

Uh oh!

k8s-ci-robot commented Aug 20, 2025

Uh oh!

rikatz commented Aug 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

rikatz commented Aug 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

rikatz commented Aug 20, 2025

Uh oh!

snorwin commented Aug 20, 2025

Uh oh!

rikatz commented Aug 20, 2025

Uh oh!

snorwin commented Aug 25, 2025

Uh oh!

Uh oh!

snorwin commented Aug 20, 2025 •

edited

Loading

rikatz commented Aug 20, 2025 •

edited

Loading

rikatz commented Aug 20, 2025 •

edited

Loading