conformance: fix invalid BackendTLSPolicy conformance test #4105
Conversation
k8s-ci-robot
added
kind/bug
k8s-ci-robot
added
approved
| kind: ConfigMap | ||
| # This ConfigMap is generated dynamically by the test suite. | ||
| name: "backend-tls-checks-certificate" | ||
| wellKnownCACertificates: System |
There was a problem hiding this comment.
The test has nothing to do with whether caCertificateRefs or wellKnownCACertificates is used; just using wellKnownCACertificates to make a simple policy that should be Accepted. The purpose of the test does not depend on this.
We could also create the CM but its more complex for no benefit
There was a problem hiding this comment.
I would suggest to use the tls-checks-ca-certificate ConfigMap (https://github.com/kubernetes-sigs/gateway-api/blob/main/conformance/tests/backendtlspolicy.yaml#L144) as in the normative tests, since the well-known system CA certificate isn’t considered required for Core conformance.
There was a problem hiding this comment.
That's correct the system CA certificate support is implementation-specific.
One generated by the test suite here:
https://github.com/kubernetes-sigs/gateway-api/blob/main/conformance/utils/suite/suite.go#L391-L392
|
Thanks @howardjohn! |
snorwin
left a comment
snorwin
left a comment
There was a problem hiding this comment.
@howardjohn good catch! I overlooked this one in #4016.
howardjohn
left a comment
howardjohn
left a comment
There was a problem hiding this comment.
updated, thanks @snorwin !
youngnick
added
the
release-note-none
k8s-ci-robot
removed
the
do-not-merge/release-note-label-needed
|
This LGTM now but I will leave it for other reviewers to re-review. |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: howardjohn, snorwin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kl52752
left a comment
kl52752
left a comment
There was a problem hiding this comment.
Thanks for the fix,
/lgtm
|
/cherry-pick release-1.4 |
|
@snorwin: new pull request created: #4117 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
…s-sigs#4105) * conformance: fix invalid BackendTLSPolicy conformance test * Move to a real one
8 participants
What type of PR is this?
/kind bug
What this PR does / why we need it:
The BackendTLSPolicyObservedGenerationBump has
backend-tls-checks-certificatedoes not exist, nor is it created by the test suite (despite the comment).Our implementation sets Accepted=false for this, because there were no valid caCertificateRefs, therefor we cannot accept the policy. This is in line with the specification:
Which issue(s) this PR fixes:
Fixes #4103
Does this PR introduce a user-facing change?: