Skip to content

conformance: added tests for invalid backend TLS configuration #4389

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
snorwin wants to merge 1 commit into
base: main
Choose a base branch
from
Open

conformance: added tests for invalid backend TLS configuration #4389

snorwin wants to merge 1 commit into from

Conversation

@snorwin
Copy link
Member

@snorwin snorwin commented Dec 29, 2025
edited
Loading

What type of PR is this?

/kind test
/area conformance-test

What this PR does / why we need it:
This PR follows up on #4195 and #4123 by implementing conformance tests that validate the behavior of an invalid ClientCertificateRef and the ResolvedRefs condition on the Gateway.

Which issue(s) this PR fixes:

Fixes #

Does this PR introduce a user-facing change?:

Added conformance tests for invalid backend TLS configurations and the Gateway ResolvedRefs condition

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/test area/conformance-test Issues or PRs related to Conformance tests. labels Dec 29, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Dec 29, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: snorwin
Once this PR has been reviewed and has the lgtm label, please assign sunjaybhatia for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Dec 29, 2025
@snorwin
Copy link
Member Author

snorwin commented Dec 29, 2025

@sjberman has NGINX already implemented the ResolvedRefs condition on the Gateway as specified in #4123? If so, I’d really appreciate it if you could run these new conformance tests against NGINX to help verify them as well.

@snorwin
Copy link
Member Author

snorwin commented Dec 29, 2025

/cc @rikatz @kl52752

@snorwin snorwin changed the title conformance: added tests for invalid backend TLS configuration and Ga… conformance: added tests for invalid backend TLS configuration Dec 29, 2025
@snorwin snorwin mentioned this pull request Dec 29, 2025
Open
3 tasks
@snorwin snorwin force-pushed the conformance-tests-invalid-backend-tls branch from e5b6cd2 to 3c48b29 Compare December 29, 2025 09:48
kl52752
kl52752 reviewed Dec 29, 2025
View reviewed changes
Copy link
Contributor

@kl52752 kl52752 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one nit otherwise LGTM :)

@snorwin
conformance: added tests for invalid backend TLS configuration and Ga…
8afa32e 
…teway ResolvedRefs condition

Signed-off-by: Norwin Schnyder <[email protected]>
@snorwin snorwin force-pushed the conformance-tests-invalid-backend-tls branch from 3c48b29 to 8afa32e Compare December 29, 2025 12:13
@snorwin
Copy link
Member Author

snorwin commented Dec 29, 2025

/test pull-gateway-api-verify

@sjberman
Copy link
Contributor

sjberman commented Dec 29, 2025

@snorwin Will test after the holidays.

@sjberman
Copy link
Contributor

sjberman commented Jan 5, 2026

@snorwin Looks like we have a couple issues on the NGINX side that we need to fix regarding these conditions.

sjberman
sjberman reviewed Jan 5, 2026
View reviewed changes
conformance/tests/gateway-invalid-tls-backend-configuration.go

kubernetes.GatewayMustHaveCondition(t, s.Client, s.TimeoutConfig, tc.gatewayNamespacedName, metav1.Condition{
Type: string(gatewayv1.GatewayConditionAccepted),
Status: metav1.ConditionTrue,
Copy link
Contributor

@sjberman sjberman Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So even with an invalid configuration, the Gateway is still Accepted?

Copy link
Member Author

@snorwin snorwin Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This condition does not directly impact the Gateway's Accepted or Programmed conditions.

https://github.com/kubernetes-sigs/gateway-api/blob/main/apis/v1/gateway_types.go#L1265

Given the semantics we defined, yes this is the main reason we introduced a dedicated ResolvedRefs status condition.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@candita candita Awaiting requested review from candita

@howardjohn howardjohn Awaiting requested review from howardjohn

@rikatz rikatz Awaiting requested review from rikatz

2 more reviewers

@sjberman sjberman sjberman left review comments

@kl52752 kl52752 kl52752 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

area/conformance-test Issues or PRs related to Conformance tests. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/test release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@snorwin @k8s-ci-robot @sjberman @kl52752