Issue #1579 TLSRoute Passthrough Conformance Test (normative)

[candita]

Issue #1579 TLSRoute Passthrough Conformance Test (normative)

What type of PR is this?
/area conformance

What this PR does / why we need it:
This is the first test specified in the TLSRoute Passthrough Conformance Test suite, the normative test. This test may be used as reference to learn more about designing conformance tests, particularly for TLSRoute Passthrough.

Which issue(s) this PR fixes:
This addresses part of Issue #1579

Does this PR introduce a user-facing change?:

NONE

[k8s-ci-robot]

Hi @candita. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[mikemorris]

/ok-to-test

[howardjohn]

Did you test this on any implementations?

[howardjohn]

Do we need a 4th backend (with 2 replicas)? Or can we just add TLS to the existing ones?

[robscott]

Agree that reusing an existing backend would be ideal here if we can.

[candita]

To conveniently use the existing echoserver image, I created a new backend with the environment variables TLS_SERVER_CERT and TLS_SERVER_PRIVKEY for this image to serve certificates. See https://github.com/kubernetes-sigs/ingress-controller-conformance/blob/master/images/echoserver/echoserver.go#L109.

I also had to supply access to a new secret that is created during test Setup.

[candita]

Please let me know if this is ok.

[robscott]

I think this could likely be added to an existing backend without breaking any conformance tests. Would be worth trying at least.

[candita]

The TLS backend, infra-backend-v4, is the only one using port/targetPort 443/8443. It is also the only one setup with env variables TLS_SERVER_CERT and TLS_SERVER_PRIVKEY, which as mentioned directs it to validate certs in the echoserver app.

It works fine with 1 replica for now, and will be reused for the rest of the TLSRoute Passthrough conformance tests. I think putting all of this together, that TLSRoute Passthrough should have its own configuration with non-standard ports and env variables.

I will rename it from infra-backend-v4 to tls-backend so that it is clear that this is a specially configured backend.

[robscott]

I'm OK with a new backend here, but can we add this TLS listener to an existing Gateway instead of adding a new Gateway just for this test?

[robscott]

Thanks for all the work on this @candita! Looks like a great start.

[robscott]

Agree that reusing an existing backend would be ideal here if we can.

[candita]

Did you test this on any implementations?

Yes, I tested on Istio, but had to tweak it to make it get past some of the condition naming updates in Gateway API.

[robscott]

Thanks @candita! I haven't had a chance to run this test yet, but this looks promising from what I can tell.

[robscott]

I think this could likely be added to an existing backend without breaking any conformance tests. Would be worth trying at least.

[skriss]

JFYI, I was able to run this test and have it pass against Contour's implementation which has support for TLS passthrough. I haven't reviewed the code yet but will try to do so soon. Thanks!

[robscott]

Thanks @candita! This change LGTM, but would like someone else to sign off on this as well.

/cc @skriss @arkodg @shaneutt

Do any of you have time to run through this as well?

/approve

[k8s-ci-robot]

@robscott: GitHub didn't allow me to request PR reviews from the following users: arkodg.

Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

Thanks @candita! This change LGTM, but would like someone else to sign off on this as well.

/cc @skriss @arkodg @shaneutt

Do any of you have time to run through this as well?

/approve

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[arkodg]

nit: should this knob live closer to where maxTimeToConsistency is defined since its applies to the conformance suite in general

[candita]

Sure. It was used in http.go as well, so I made it a global parameter of timeoutConfig in timeout.go

[arkodg]

nit: maybe stick to the neutral my-class string ?

[candita]

You're right. When I began this, I wasn't sure if I needed to create a new gatewayClass, and it was helpful for me to get the example for one implementation. I reworded the rest of this in an attempt to make it clearer to newcomers. Maybe at some point we could list all the gateway-class names.

[arkodg]

can the Host field be reused ?

[candita]

I considered Host and Server to be different. Server is one of the TLSRoute.Spec.Hostnames that aligns with CertPem and KeyPem, and is passed as the TLSClientConfig.ServerName. Since TLSRoute.Spec.Hostnames can contain wildcards, it might not match the host. Ie, we could have a TLS server *.example.com but a request host abc.example.com.

[gyohuangxin]

We can use flag supported-features to specify the tests to run, for example:

go test ./conformance/... -supported-features=TLSRoute -gateway-class=my-class

[candita]

In this case, I wanted to explain how to run a single test case by name. I haven't quite figured out how to use the supported-features flag to my advantage, so I would ask for someone else to document that.

[sunjayBhatia]

test works with contour and from a quick look seems correct 👍🏽

[candita]

@robscott @arkodg thanks for the review. I made some more changes and responded to your comments on changes I didn't make. Could you PTAL when you get a chance ?

[arkodg]

LGTM thanks !

[candita]

@skriss @shaneutt this has been /approved by @robscott and LGTM by @arkodg. It passes for Istio and Contour. Could one of you please give it the /lgtm and allow to merge?

[candita]

/label tide/merge-method-squash

[shaneutt]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: arkodg, candita, robscott, shaneutt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [robscott,shaneutt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

@candita: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-gateway-api-verify	7be6387	link	unknown	/test pull-gateway-api-verify

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[shaneutt]

/retest