From c50a6204bd8893bef1480f306ba8b33577d6ae8d Mon Sep 17 00:00:00 2001
From: Mattia Lavacca
Date: Tue, 25 Oct 2022 16:52:39 +0200
Subject: [PATCH 1/2] invalid TLS secret, all cases tested
Signed-off-by: Mattia Lavacca
---
 .../gateway-invalid-tls-certificateref.go | 81 +++++++++++++++++
 .../gateway-invalid-tls-certificateref.yaml | 89 +++++++++++++++++++
 ...ateway-secret-missing-referenced-secret.go | 58 ------------
 ...eway-secret-missing-referenced-secret.yaml | 19 ----
 conformance/utils/suite/suite.go | 2 +
 5 files changed, 172 insertions(+), 77 deletions(-)
 create mode 100644 conformance/tests/gateway-invalid-tls-certificateref.go
 create mode 100644 conformance/tests/gateway-invalid-tls-certificateref.yaml
 delete mode 100644 conformance/tests/gateway-secret-missing-referenced-secret.go
 delete mode 100644 conformance/tests/gateway-secret-missing-referenced-secret.yaml
diff --git a/conformance/tests/gateway-invalid-tls-certificateref.go b/conformance/tests/gateway-invalid-tls-certificateref.go
new file mode 100644
index 0000000000..f68118bc18
--- /dev/null
+++ b/conformance/tests/gateway-invalid-tls-certificateref.go
@@ -0,0 +1,81 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tests
+
+import (
+ "testing"
+
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
+
+ "sigs.k8s.io/gateway-api/apis/v1beta1"
+ "sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
+ "sigs.k8s.io/gateway-api/conformance/utils/suite"
+)
+
+func init() {
+ ConformanceTests = append(ConformanceTests, GatewayInvalidTLSConfiguration)
+}
+
+var GatewayInvalidTLSConfiguration = suite.ConformanceTest{
+ ShortName: "GatewayInvalidTLSConfiguration",
+ Description: "A Gateway should fail to become ready if the Gateway has an invalid TLS configuration",
+ Manifests: []string{"tests/gateway-invalid-tls-certificateref.yaml"},
+ Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
+ listeners := []v1beta1.ListenerStatus{{
+ Name: v1beta1.SectionName("https"),
+ SupportedKinds: []v1beta1.RouteGroupKind{{
+ Group: (*v1beta1.Group)(&v1beta1.GroupVersion.Group),
+ Kind: v1beta1.Kind("HTTPRoute"),
+ }},
+ Conditions: []metav1.Condition{{
+ Type: string(v1beta1.ListenerConditionResolvedRefs),
+ Status: metav1.ConditionFalse,
+ Reason: string(v1beta1.ListenerReasonInvalidCertificateRef),
+ }},
+ }}
+
+ testCases := []struct {
+ name string
+ gatewayNamespacedName types.NamespacedName
+ }{
+ {
+ name: "Inexistent secret referenced as CertificateRef in a Gateway listener",
+ gatewayNamespacedName: types.NamespacedName{Name: "gateway-certificate-inexistent-secret", Namespace: "gateway-conformance-infra"},
+ },
+ {
+ name: "Unsupported group resource referenced as CertificateRef in a Gateway listener",
+ gatewayNamespacedName: types.NamespacedName{Name: "gateway-certificate-unsupported-group", Namespace: "gateway-conformance-infra"},
+ },
+ {
+ name: "Unsupported kind resource referenced as CertificateRef in a Gateway listener",
+ gatewayNamespacedName: types.NamespacedName{Name: "gateway-certificate-unsupported-kind", Namespace: "gateway-conformance-infra"},
+ },
+ {
+ name: "Malformed secret referenced as CertificateRef in a Gateway listener",
+ gatewayNamespacedName: types.NamespacedName{Name: "gateway-certificate-malformed-secret", Namespace: "gateway-conformance-infra"},
+ },
+ }
+
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ t.Parallel()
+ kubernetes.GatewayStatusMustHaveListeners(t, s.Client, s.TimeoutConfig, tc.gatewayNamespacedName, listeners)
+ })
+ }
+ },
+}
diff --git a/conformance/tests/gateway-invalid-tls-certificateref.yaml b/conformance/tests/gateway-invalid-tls-certificateref.yaml
new file mode 100644
index 0000000000..44b069a868
--- /dev/null
+++ b/conformance/tests/gateway-invalid-tls-certificateref.yaml
@@ -0,0 +1,89 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+ name: gateway-certificate-inexistent-secret
+ namespace: gateway-conformance-infra
+spec:
+ gatewayClassName: "{GATEWAY_CLASS_NAME}"
+ listeners:
+ - name: https
+ port: 443
+ protocol: HTTPS
+ allowedRoutes:
+ namespaces:
+ from: All
+ tls:
+ certificateRefs:
+ - group: ""
+ kind: Secret
+ name: inexistent-certificate
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+ name: gateway-certificate-unsupported-group
+ namespace: gateway-conformance-infra
+spec:
+ gatewayClassName: "{GATEWAY_CLASS_NAME}"
+ listeners:
+ - name: https
+ port: 443
+ protocol: HTTPS
+ allowedRoutes:
+ namespaces:
+ from: All
+ tls:
+ certificateRefs:
+ - group: wrong.group.company.io
+ kind: Secret
+ name: valid-certificate
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+ name: gateway-certificate-unsupported-kind
+ namespace: gateway-conformance-infra
+spec:
+ gatewayClassName: "{GATEWAY_CLASS_NAME}"
+ listeners:
+ - name: https
+ port: 443
+ protocol: HTTPS
+ allowedRoutes:
+ namespaces:
+ from: All
+ tls:
+ certificateRefs:
+ - group: ""
+ kind: WrongKind
+ name: valid-certificate
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+ name: gateway-certificate-malformed-secret
+ namespace: gateway-conformance-infra
+spec:
+ gatewayClassName: "{GATEWAY_CLASS_NAME}"
+ listeners:
+ - name: https
+ port: 443
+ protocol: HTTPS
+ allowedRoutes:
+ namespaces:
+ from: All
+ tls:
+ certificateRefs:
+ - group: ""
+ kind: Secret
+ name: malformed-certificate
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: malformed-certificate
+ namespace: gateway-conformance-infra
+data:
+ tls.crt: SGVsbG8gd29ybGQK
+ tls.key: SGVsbG8gd29ybGQK
+type: kubernetes.io/tls
diff --git a/conformance/tests/gateway-secret-missing-referenced-secret.go b/conformance/tests/gateway-secret-missing-referenced-secret.go
deleted file mode 100644
index 919a21484d..0000000000
--- a/conformance/tests/gateway-secret-missing-referenced-secret.go
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
-Copyright 2022 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package tests
-
-import (
- "testing"
-
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/types"
-
- "sigs.k8s.io/gateway-api/apis/v1beta1"
- "sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
- "sigs.k8s.io/gateway-api/conformance/utils/suite"
-)
-
-func init() {
- ConformanceTests = append(ConformanceTests, GatewaySecretMissingReferencedSecret)
-}
-
-var GatewaySecretMissingReferencedSecret = suite.ConformanceTest{
- ShortName: "GatewaySecretMissingReferencedSecret",
- Description: "A Gateway should fail to become ready if the Gateway has a certificateRef for a nonexistent Secret",
- Manifests: []string{"tests/gateway-secret-missing-referenced-secret.yaml"},
- Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
- gwNN := types.NamespacedName{Name: "gateway-secret-missing-referenced-secret", Namespace: "gateway-conformance-infra"}
-
- t.Run("Gateway listener should have a false ResolvedRefs condition with reason InvalidCertificateRef", func(t *testing.T) {
- listeners := []v1beta1.ListenerStatus{{
- Name: v1beta1.SectionName("https"),
- SupportedKinds: []v1beta1.RouteGroupKind{{
- Group: (*v1beta1.Group)(&v1beta1.GroupVersion.Group),
- Kind: v1beta1.Kind("HTTPRoute"),
- }},
- Conditions: []metav1.Condition{{
- Type: string(v1beta1.ListenerConditionResolvedRefs),
- Status: metav1.ConditionFalse,
- Reason: 
string(v1beta1.ListenerReasonInvalidCertificateRef), - }}, - }} - - kubernetes.GatewayStatusMustHaveListeners(t, s.Client, s.TimeoutConfig, gwNN, listeners) - }) - }, -} diff --git a/conformance/tests/gateway-secret-missing-referenced-secret.yaml b/conformance/tests/gateway-secret-missing-referenced-secret.yaml deleted file mode 100644 index 8c52c8e67e..0000000000 --- a/conformance/tests/gateway-secret-missing-referenced-secret.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: Gateway -metadata: - name: gateway-secret-missing-referenced-secret - namespace: gateway-conformance-infra -spec: - gatewayClassName: "{GATEWAY_CLASS_NAME}" - listeners: - - name: https - port: 443 - protocol: HTTPS - allowedRoutes: - namespaces: - from: All - tls: - certificateRefs: - - group: "" - kind: Secret - name: nonexistent-secret diff --git a/conformance/utils/suite/suite.go b/conformance/utils/suite/suite.go index 7981232d5d..63504f4d5c 100644 --- a/conformance/utils/suite/suite.go +++ b/conformance/utils/suite/suite.go @@ -139,6 +139,8 @@ func (suite *ConformanceTestSuite) Setup(t *testing.T) { t.Logf("Test Setup: Applying programmatic resources") secret := kubernetes.MustCreateSelfSignedCertSecret(t, "gateway-conformance-web-backend", "certificate", []string{"*"}) suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup) + secret = kubernetes.MustCreateSelfSignedCertSecret(t, "gateway-conformance-infra", "valid-certificate", []string{"*"}) + suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup) t.Logf("Test Setup: Ensuring Gateways and Pods from base manifests are ready") namespaces := []string{ From fa67946f7853c948a35a2eaa773a5fd72bff6194 Mon Sep 17 00:00:00 2001 From: Mattia Lavacca Date: Fri, 4 Nov 2022 12:36:35 +0100 Subject: [PATCH 2/2] PR review feedbacks 
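Review bot: The added `secret = kubernetes.MustCreateSelfSignedCertSecret(t, "gateway-conformance-infra", "valid-certificate", []string{"*"})` line in the suite.go hunk creates a Secret whose purpose Setup does not state; it appears to be the valid Secret that the new invalid-TLS Gateways reference with an unsupported group or kind, so that those listeners fail because of the reference itself and not because the Secret is missing. Without that link spelled out, a later cleanup of Setup could remove the Secret and turn the unsupported-group/kind cases into duplicates of the nonexistent-secret case while still passing. Suggest a comment above the line: `// Valid Secret referenced by the invalid-TLS CertificateRef tests with a wrong group/kind; it must exist so the expected failure is attributable to the reference, not to a missing Secret.` Setup begins and ends outside the hunk.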
Signed-off-by: Mattia Lavacca --- .../tests/gateway-invalid-tls-certificateref.go | 4 ++-- .../tests/gateway-invalid-tls-certificateref.yaml | 10 ++++++---- conformance/utils/suite/suite.go | 2 +- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/conformance/tests/gateway-invalid-tls-certificateref.go b/conformance/tests/gateway-invalid-tls-certificateref.go index f68118bc18..49eb9db61b 100644 --- a/conformance/tests/gateway-invalid-tls-certificateref.go +++ b/conformance/tests/gateway-invalid-tls-certificateref.go @@ -54,8 +54,8 @@ var GatewayInvalidTLSConfiguration = suite.ConformanceTest{ gatewayNamespacedName types.NamespacedName }{ { - name: "Inexistent secret referenced as CertificateRef in a Gateway listener", - gatewayNamespacedName: types.NamespacedName{Name: "gateway-certificate-inexistent-secret", Namespace: "gateway-conformance-infra"}, + name: "Nonexistent secret referenced as CertificateRef in a Gateway listener", + gatewayNamespacedName: types.NamespacedName{Name: "gateway-certificate-nonexistent-secret", Namespace: "gateway-conformance-infra"}, }, { name: "Unsupported group resource referenced as CertificateRef in a Gateway listener", diff --git a/conformance/tests/gateway-invalid-tls-certificateref.yaml b/conformance/tests/gateway-invalid-tls-certificateref.yaml index 44b069a868..7a1a0ac6d9 100644 --- a/conformance/tests/gateway-invalid-tls-certificateref.yaml +++ b/conformance/tests/gateway-invalid-tls-certificateref.yaml @@ -1,7 +1,7 @@ apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway metadata: - name: gateway-certificate-inexistent-secret + name: gateway-certificate-nonexistent-secret namespace: gateway-conformance-infra spec: gatewayClassName: "{GATEWAY_CLASS_NAME}" @@ -16,7 +16,7 @@ spec: certificateRefs: - group: "" kind: Secret - name: inexistent-certificate + name: nonexistent-certificate --- apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway 
@@ -36,7 +36,7 @@ spec: certificateRefs: - group: wrong.group.company.io kind: Secret - name: valid-certificate + name: tls-validity-checks-certificate --- apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway @@ -56,7 +56,7 @@ spec: certificateRefs: - group: "" kind: WrongKind - name: valid-certificate + name: tls-validity-checks-certificate --- apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway @@ -84,6 +84,8 @@ metadata: name: malformed-certificate namespace: gateway-conformance-infra data: + # this certificate is invalid because contains an invalid pem (base64 of "Hello world"), + # and the certificate and the key are identical tls.crt: SGVsbG8gd29ybGQK tls.key: SGVsbG8gd29ybGQK type: kubernetes.io/tls diff --git a/conformance/utils/suite/suite.go b/conformance/utils/suite/suite.go index 63504f4d5c..290192a713 100644 --- a/conformance/utils/suite/suite.go +++ b/conformance/utils/suite/suite.go @@ -139,7 +139,7 @@ func (suite *ConformanceTestSuite) Setup(t *testing.T) { t.Logf("Test Setup: Applying programmatic resources") secret := kubernetes.MustCreateSelfSignedCertSecret(t, "gateway-conformance-web-backend", "certificate", []string{"*"}) suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup) - secret = kubernetes.MustCreateSelfSignedCertSecret(t, "gateway-conformance-infra", "valid-certificate", []string{"*"}) + secret = kubernetes.MustCreateSelfSignedCertSecret(t, "gateway-conformance-infra", "tls-validity-checks-certificate", []string{"*"}) suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup) t.Logf("Test Setup: Ensuring Gateways and Pods from base manifests are ready")
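Review bot: The comment added in the `@@ -84,6 +84,8 @@` hunk of gateway-invalid-tls-certificateref.yaml drops its subject (`because contains an invalid pem`) and leads with the secondary fact; the point a reader needs is that neither value is PEM, so the API server still admits the Secret (as far as I know, `kubernetes.io/tls` validation only requires both keys to be present) and it is the implementation under test that must reject it and report ResolvedRefs False. Suggest `# Deliberately invalid: tls.crt and tls.key are the base64 of "Hello world", not PEM-encoded` followed by `# certificate/key material (they are also identical); the implementation must reject this Secret.`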