Conformance tests for BackendTLSPolicy

[candita]

What would you like to be added: Conformance tests for BackendTLSPolicy. Comment below if you're interested in working on covering any of these areas.

Core Capabilities:

• [ ] Valid BackendTLSPolicy with 1 targetRef/service using CACertificateRef and matching hostname
• [ ] Invalid: hostname doesn't match the hostname in the certificate served by the backend
• [ ] Invalid BackendTLSPolicy performs no default forwarding
• [ ] ~Valid BackendTLSPolicy with 1 targetRef/service using WellKnownCACertificates and matching hostname~
• [ ] ~Invalid: targetRef in different namespace~
• [ ] ~Invalid: both CACertificateRef and WellKnownCACertificates is specified~
• [ ] ~Invalid: SNI hostname invalid - not RFC1123 (should be caught by validation)~
• [ ] ~Invalid: Namespace (of targetRef) not set~

Why this is needed: This is needed in order for BackendTLSPolicy to graduate from v1alpha3 to v1.

[candita]

cc @whitneygriffith @mlavacca

[whitneygriffith]

1897

[mlavacca]

Invalid: both CACertificateRef and WellKnownCACertificates is specified

I think this test cannot be implemented, as this rule is directly enforced by CEL:

https://github.com/kubernetes-sigs/gateway-api/blob/d49ae960279b7022c8f7e041221df306ef64094d/apis/v1alpha3/backendtlspolicy_types.go#L81

[mlavacca]

Valid BackendTLSPolicy with 1 targetRef/service using WellKnownCACertificates and matching hostname

WellKnownCACertificates is an implementation-specific feature, therefore I think we should either:

• leave it out of conformance tests, or
• accept that the implementation set the Accepted condition to false, as stated in https://github.com/kubernetes-sigs/gateway-api/blob/d49ae960279b7022c8f7e041221df306ef64094d/apis/v1alpha3/backendtlspolicy_types.go#L115-L118

If we go the second way, though, in my opinion, this is beyond the bare minimum set of conformance tests needed for graduation.

[mlavacca]

Invalid: targetRef in different namespace

The TargetRef is a LocalPolicyTargetReference, there is no namespace field in it. I think that a TargetRef in a different namespace is impossible, given the current API state.

https://github.com/kubernetes-sigs/gateway-api/blob/86c06a0b62587a627a9929d5943c5894a608ad62/apis/v1alpha2/policy_types.go#L39-L48

[keithmattix]

/assign @candita @whitneygriffith

[whitneygriffith]

Invalid: targetRef in different namespace The TargetRef is a LocalPolicyTargetReference, there is no namespace field in it. I think that a TargetRef in a different namespace is impossible, given the current API state.

I agree, we don't need a conformance test for this case. The same applies for Invalid: Namespace (of targetRef) not set.

[whitneygriffith]

Updated test cases:

• [ ] Valid BackendTLSPolicy with 1 targetRef/service using CACertificateRef and matching hostname
• [ ] Invalid: hostname doesn't match the hostname in the certificate served by the backend
• [ ] Invalid: if an implementation doesn't claim support for BackendTLSPolicy, it rejects forwarding to Services with a BackendTLSPolicy attached.

Removed test cases:

• Valid BackendTLSPolicy with 1 targetRef/service using WellKnownCACertificates and matching hostname (WellKnownCACertificates is an implementation-specific feature and is beyond the minimum set of tests needed for graduation)
• Invalid: targetRef in different namespace (targetRef is of type LocalPolicyTargetReference which does not have a namespace field)
• Invalid: both CACertificateRef and WellKnownCACertificates is specified (enforced by CEL)
• Invalid: SNI hostname invalid - not RFC1123 (should be caught by validation)
• Invalid BackendTLSPolicy performs no default forwarding as all the required fields are set (enforced by validation)
• Invalid: Namespace (of targetRef) not set (targetRef is of type LocalPolicyTargetReference which does not have a namespace field)