Issue 3138 - Conformance Tests for BackendTLSPolicy - normative #3212

Open
wants to merge 9 commits into
base: main

candita
Contributor

@candita candita commented Jul 23, 2024

What type of PR is this?

/kind test
/area conformance

What this PR does / why we need it:

Add a normative test of Gateway API BackendTLSPolicy implementations.

Which issue(s) this PR fixes:
Fixes #3138

Does this PR introduce a user-facing change?:

NONE

@k8s-ci-robot
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/test area/conformance cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 23, 2024
@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 76c8e10 to 6d9ab9e Compare August 13, 2024 00:38
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: candita
Once this PR has been reviewed and has the lgtm label, please assign mlavacca for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@candita
Contributor Author

candita commented Aug 13, 2024

/test pull-gateway-api-verify

@candita
Contributor Author

candita commented Aug 14, 2024

/test pull-gateway-api-verify

@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 0ec34a8 to 75551a0 Compare August 19, 2024 17:12
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 19, 2024
@candita
Contributor Author

candita commented Aug 19, 2024

/test pull-gateway-api-verify

@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 75551a0 to 7626aaa Compare August 19, 2024 18:48
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Aug 19, 2024
@candita
Contributor Author

candita commented Aug 19, 2024

/test pull-gateway-api-verify

@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 7626aaa to 1bc71f0 Compare August 19, 2024 19:09
@candita
Contributor Author

candita commented Aug 19, 2024

/test pull-gateway-api-verify

@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 1bc71f0 to 99e7eac Compare August 19, 2024 19:55
@candita
Contributor Author

candita commented Aug 19, 2024

/test pull-gateway-api-verify

@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 99e7eac to b774245 Compare August 19, 2024 20:35
@candita
Contributor Author

candita commented Aug 19, 2024

/test pull-gateway-api-verify

@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from b774245 to 91488aa Compare August 19, 2024 22:30
@candita
Contributor Author

candita commented Aug 19, 2024

/test pull-gateway-api-verify

Member

@shaneutt shaneutt left a comment

Looking good! Thanks @candita!!! Mostly minor comments.

Also I was digging into the test details a bit when I got pulled away from a meeting so I still need to come back and do another round of review here, but please check my comments and LMKWYT 👍

conformance/base/manifests.yaml Outdated
conformance/echo-basic/echo-basic.go Outdated
conformance/echo-basic/echo-basic.go Outdated
conformance/tests/backendtlspolicy.yaml
conformance/utils/http/http.go Outdated
conformance/utils/kubernetes/certificate.go
conformance/utils/suite/conformance.go
pkg/features/features.go Outdated
conformance/tests/backendtlspolicy.go Outdated
conformance/tests/backendtlspolicy.go
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 4, 2024
@shaneutt shaneutt added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Sep 18, 2024
@shaneutt shaneutt added this to the v1.3.0 milestone Sep 18, 2024
conformance/base/manifests.yaml - fix yaml
conformance/tests/backendtlspolicy.yaml - fix yaml
conformance/tests/tlsroute-simple-same-namespace.go - rename cert for sharing
conformance/utils/suite/conformance.go - fix a bug in cleanup-base-resources flag application
conformance/utils/suite/suite.go - rename cert for sharing
@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 63b3c23 to 19ff922 Compare September 26, 2024 19:05
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 26, 2024
if strings.Contains(r.RequestURI, "backendTLS") {
sni, err = sniffForSNI(r.RemoteAddr)
if err != nil {
// TODO: research if for some test cases there won't be SNI available.
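
Review bot: the `strings.Contains(r.RequestURI, "backendTLS")` gate on the first line of this hunk matches the substring anywhere in the raw request target, query string included, so a request that only mentions backendTLS in a parameter also enters the SNI sniffing path. Matching on `r.URL.Path` with an exact path or a prefix would keep the branch limited to the BackendTLSPolicy test requests.
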
Member

For this TODO we should either:

a) resolve it
b) make sure it has an issue (or is part of some issue) somewhere that we can link here

Ideally, we resolve it but iterative PRs are OK too as long as we have good follow-ups between them.

conformance/tests/backendtlspolicy.go
Comment on lines +321 to +355
// sniffForSNI uses the request address to listen for the incoming TLS connection,
// and tries to find the server name indication from that connection.
func sniffForSNI(addr string) (string, error) {
var sni string

// Listen to get the SNI, and store in config.
listener, err := net.Listen("tcp", addr)
if err != nil {
return "", err
}
defer listener.Close()

for {
conn, err := listener.Accept()
if err != nil {
return "", err
}
data := make([]byte, 4096)
_, err = conn.Read(data)
if err != nil {
return "", fmt.Errorf("could not read socket: %v", err)
}
// Take an incoming TLS Client Hello and return the SNI name.
sni, err = parser.GetHostname(data)
if err != nil {
return "", fmt.Errorf("error getting SNI: %v", err)
}
if sni == "" {
return "", fmt.Errorf("no server name indication found")
} else { //nolint:revive
return sni, nil
}
}
}
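
Review bot: `net.Listen("tcp", addr)` at the top of sniffForSNI receives `r.RemoteAddr` from the caller, which is the peer address of a request whose connection is already established, so this opens a new listener on the client's address rather than observing the handshake that carried the request. If the echo server terminates TLS itself, `r.TLS.ServerName` or a `GetConfigForClient` hook on its `tls.Config` gives the SNI of the actual connection. If the listener stays: the accepted conn is never closed, Accept and Read have no deadline so the handler can block indefinitely, the byte count from `conn.Read` is discarded so `parser.GetHostname` gets the whole 4096-byte buffer, and the `for` loop returns on every path so it never iterates a second time.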

Member

@shaneutt shaneutt Oct 7, 2024

Do we potentially wanna use http.ListenAndServeTLS here instead of a TCP listener so that we can record (and then assert) the client payload?

Contributor Author

I'm not sure I understand. Right now all we want is the SNI in this function.

Member

So take this as a question not a statement, but what I was getting at was: wouldn't we want to verify receipt of the payload we sent (which should be unique), in addition to the SNI such that we can be certain the request received was the one intended?
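
The check discussed in this thread, as an added example that is not part of the PR or the project's code: a Go backend that terminates TLS itself and records both the SNI and the request body, so a test can assert on each. The `observed` type and `probeBackend` helper are hypothetical names, and the example relies on the `httptest` server certificate being valid for `example.com`.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// observed is what the backend saw for one request (hypothetical type).
type observed struct {
	SNI     string
	Payload string
}

// probeBackend (hypothetical helper) starts a throwaway TLS backend, sends one
// POST with the given SNI and body, and returns what the backend recorded.
func probeBackend(serverName, payload string) (observed, error) {
	seen := make(chan observed, 1)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		// On a TLS listener net/http fills r.TLS; ServerName is the SNI
		// the client put in its ClientHello.
		seen <- observed{SNI: r.TLS.ServerName, Payload: string(body)}
		w.WriteHeader(http.StatusOK)
	}))
	srv.StartTLS()
	defer srv.Close()

	// srv.Client() trusts the test certificate, which httptest issues for
	// 127.0.0.1, ::1 and example.com; ServerName sets both the SNI sent
	// and the name the certificate is verified against.
	client := srv.Client()
	client.Transport.(*http.Transport).TLSClientConfig.ServerName = serverName

	resp, err := client.Post(srv.URL, "text/plain", strings.NewReader(payload))
	if err != nil {
		return observed{}, err // e.g. certificate not valid for serverName
	}
	defer resp.Body.Close()
	return <-seen, nil
}

func main() {
	got, err := probeBackend("example.com", "probe-7f3a91") // constructed sample values
	fmt.Println(got, err)
}
```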

@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 8, 2024
call, some debugging, and fix yaml
@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 7b08c84 to 556c048 Compare October 8, 2024 23:27
@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from d27d78c to a785d3b Compare October 9, 2024 22:10
@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from a785d3b to cade4a1 Compare October 10, 2024 18:55
@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from 716b6da to e58e8bc Compare November 4, 2024 23:27
@candita candita force-pushed the issue3138-BackendTLSPolicy-echoserver branch from e58e8bc to 0a929ad Compare November 9, 2024 00:10
Labels
area/conformance cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/test priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note-none Denotes a PR that doesn't merit a release note. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
Status: Review
Development

Successfully merging this pull request may close these issues.

Conformance tests for BackendTLSPolicy
8 participants