From b2a847f2bd59a2cf1172d96b0b2a782dea71c2c3 Mon Sep 17 00:00:00 2001
From: Mattia Lavacca
Date: Tue, 16 Aug 2022 10:37:07 +0200
Subject: [PATCH] conformance: listener references invalid secret
A new conformance test case has been added to ensure that whenever a listener references an unexisting secret as CertificateRef, the Condition ResolvedRefs is set as failed with reason InvalidCertificateRef.
Signed-off-by: Mattia Lavacca
---
...ateway-secret-missing-referenced-secret.go | 58 +++++++++++++++++++
...eway-secret-missing-referenced-secret.yaml | 19 ++++++
2 files changed, 77 insertions(+)
create mode 100644 conformance/tests/gateway-secret-missing-referenced-secret.go
create mode 100644 conformance/tests/gateway-secret-missing-referenced-secret.yaml
diff --git a/conformance/tests/gateway-secret-missing-referenced-secret.go b/conformance/tests/gateway-secret-missing-referenced-secret.go
new file mode 100644
index 0000000000..d41fbd3501
--- /dev/null
+++ b/conformance/tests/gateway-secret-missing-referenced-secret.go
@@ -0,0 +1,58 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tests
+
+import (
+ "testing"
+
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
+
+ "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ "sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
+ "sigs.k8s.io/gateway-api/conformance/utils/suite"
+)
+
+func init() {
+ ConformanceTests = append(ConformanceTests, GatewaySecretMissingReferencedSecret)
+}
+
+var GatewaySecretMissingReferencedSecret = suite.ConformanceTest{
+ ShortName: "GatewaySecretMissingReferencedSecret",
+ Description: "A Gateway should fail to become ready if the Gateway has a certificateRef for a nonexistent Secret",
+ Manifests: []string{"tests/gateway-secret-missing-referenced-secret.yaml"},
+ Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
+ gwNN := types.NamespacedName{Name: "gateway-secret-missing-referenced-secret", Namespace: "gateway-conformance-infra"}
+
+ t.Run("Gateway listener should have a false ResolvedRefs condition with reason InvalidCertificateRef", func(t *testing.T) {
+ listeners := []v1alpha2.ListenerStatus{{
+ Name: v1alpha2.SectionName("https"),
+ SupportedKinds: []v1alpha2.RouteGroupKind{{
+ Group: (*v1alpha2.Group)(&v1alpha2.GroupVersion.Group),
+ Kind: v1alpha2.Kind("HTTPRoute"),
+ }},
+ Conditions: []metav1.Condition{{
+ Type: string(v1alpha2.ListenerConditionResolvedRefs),
+ Status: metav1.ConditionFalse,
+ Reason: string(v1alpha2.ListenerReasonInvalidCertificateRef),
+ }},
+ }}
+
+ kubernetes.GatewayStatusMustHaveListeners(t, s.Client, s.TimeoutConfig, gwNN, listeners)
+ })
+ },
+}
diff --git a/conformance/tests/gateway-secret-missing-referenced-secret.yaml b/conformance/tests/gateway-secret-missing-referenced-secret.yaml
new file mode 100644
index 0000000000..bfdbd2b4e6
--- /dev/null
+++ b/conformance/tests/gateway-secret-missing-referenced-secret.yaml
@@ -0,0 +1,19 @@
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: Gateway
+metadata:
+ name: gateway-secret-missing-referenced-secret
+ namespace: gateway-conformance-infra
+spec:
+ gatewayClassName: "{GATEWAY_CLASS_NAME}"
+ listeners:
+ - name: https
+ port: 443
+ protocol: HTTPS
+ allowedRoutes:
+ namespaces:
+ from: All
+ tls:
+ certificateRefs:
+ - group: ""
+ kind: Secret
+ name: nonexistent-secret
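Review bot: The `Description` on `GatewaySecretMissingReferencedSecret` says the Gateway "should fail to become ready", but the only assertion in the `t.Run` body is on the `https` listener's `ResolvedRefs` condition, so the description promises more than the test verifies. I would reword it to match the assertion: `Description: "A Gateway listener should have a false ResolvedRefs condition with reason InvalidCertificateRef when a certificateRef points to a nonexistent Secret",`. The check is also status-only, so it does not establish that the listener refuses to serve on port 443 while its certificate is unresolved. Only the missing-Secret case is exercised, although the commit subject says "invalid secret". How strictly `GatewayStatusMustHaveListeners` compares the `Conditions` slice is not visible here; if the match is exact, implementations that report further listener conditions may fail this test.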
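Review bot: The fixture only works while no Secret named `nonexistent-secret` exists in `gateway-conformance-infra`, and nothing in the manifest records that dependency. That namespace appears to be shared with other conformance manifests, so a later fixture creating a Secret of that name would invalidate the test without any visible failure at this spot. A comment above the `certificateRefs` entry would make the constraint explicit, e.g. `# Must not exist: the test relies on this Secret being absent from gateway-conformance-infra.`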