-
Notifications
You must be signed in to change notification settings - Fork 482
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue 3138 - Conformance Tests for BackendTLSPolicy - normative #3212
base: main
Are you sure you want to change the base?
Issue 3138 - Conformance Tests for BackendTLSPolicy - normative #3212
Conversation
Skipping CI for Draft Pull Request. |
76c8e10
to
6d9ab9e
Compare
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: candita The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/test pull-gateway-api-verify |
1 similar comment
/test pull-gateway-api-verify |
0ec34a8
to
75551a0
Compare
/test pull-gateway-api-verify |
75551a0
to
7626aaa
Compare
/test pull-gateway-api-verify |
7626aaa
to
1bc71f0
Compare
/test pull-gateway-api-verify |
1bc71f0
to
99e7eac
Compare
/test pull-gateway-api-verify |
99e7eac
to
b774245
Compare
/test pull-gateway-api-verify |
b774245
to
91488aa
Compare
/test pull-gateway-api-verify |
0ad1310
to
63b3c23
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good! Thanks @candita!!! Mostly minor comments.
Also I was digging into the test details a bit when I got pulled away from a meeting so I still need to come back and do another round of review here, but please check my comments and LMKWYT 👍
BackendTLSPolicy.
conformance/base/manifests.yaml - fix yaml conformance/tests/backendtlspolicy.yaml - fix yaml conformance/tests/tlsroute-simple-same-namespace.go - rename cert for sharing conformance/utils/suite/conformance.go - fix a bug in cleanup-base-resources flag application conformance/utils/suite/suite.go - rename cert for sharing
63b3c23
to
19ff922
Compare
if strings.Contains(r.RequestURI, "backendTLS") { | ||
sni, err = sniffForSNI(r.RemoteAddr) | ||
if err != nil { | ||
// TODO: research if for some test cases there won't be SNI available. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For this TODO we should either:
a) resolve it
b) make sure it has an issue (or is part of some issue) somewhere that we can link here
Ideally, we resolve it but iterative PRs are OK too as long as we have good follow-ups between them.
// sniffForSNI uses the request address to listen for the incoming TLS connection, | ||
// and tries to find the server name indication from that connection. | ||
func sniffForSNI(addr string) (string, error) { | ||
var sni string | ||
|
||
// Listen to get the SNI, and store in config. | ||
listener, err := net.Listen("tcp", addr) | ||
if err != nil { | ||
return "", err | ||
} | ||
defer listener.Close() | ||
|
||
for { | ||
conn, err := listener.Accept() | ||
if err != nil { | ||
return "", err | ||
} | ||
data := make([]byte, 4096) | ||
_, err = conn.Read(data) | ||
if err != nil { | ||
return "", fmt.Errorf("could not read socket: %v", err) | ||
} | ||
// Take an incoming TLS Client Hello and return the SNI name. | ||
sni, err = parser.GetHostname(data) | ||
if err != nil { | ||
return "", fmt.Errorf("error getting SNI: %v", err) | ||
} | ||
if sni == "" { | ||
return "", fmt.Errorf("no server name indication found") | ||
} else { //nolint:revive | ||
return sni, nil | ||
} | ||
} | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we potentially wanna use http.ListenAndServeTLS here instead of a TCP listener so that we can record (and then assert) the client payload?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure I understand. Right now all we want is the SNI in this function.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So take this as a question not a statement, but what I was getting at was: wouldn't we want to verify receipt of the payload we sent (which should be unique), in addition to the SNI such that we can be certain the request received was the one intended?
call, some debugging, and fix yaml
7b08c84
to
556c048
Compare
d27d78c
to
a785d3b
Compare
a785d3b
to
cade4a1
Compare
716b6da
to
e58e8bc
Compare
Fix certificate unit test.
e58e8bc
to
0a929ad
Compare
What type of PR is this?
/kind test
/area conformance
What this PR does / why we need it:
Add a normative test of Gateway API BackendTLSPolicy implementations.
Which issue(s) this PR fixes:
Fixes #3138
Does this PR introduce a user-facing change?: