Commit 62e0583

ThealisyedAli Syed
authored andcommitted
conformance: add a conformance test for BackendTLSPolicy
Changing a ConfigMap content should be reconciled by the controller.
1 parent a863bd3 commit 62e0583

1 file changed

+108
-0
lines changed


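--- a/conformance/tests/backendtlspolicy.go
+++ b/conformance/tests/backendtlspolicy.go
@@ -19,6 +19,10 @@ package tests
 import (
 "testing"
 
+"github.com/stretchr/testify/require"
+corev1 "k8s.io/api/core/v1"
+"sigs.k8s.io/controller-runtime/pkg/client"
+
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
 
@@ -152,5 +156,109 @@ var BackendTLSPolicy = suite.ConformanceTest{
 },
 })
 })
+
+// Verify that changing a ConfigMap content should be reconciled by the controller
+t.Run("Changing the content of a ConfigMap used by BackendTLSPolicy as CA certificate should be reconciled by the controller", func(t *testing.T) {
+ctx := t.Context()
+routeNN := types.NamespacedName{Name: "backendtlspolicy", Namespace: ns}
+gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+validconfigmap := types.NamespacedName{Name: "tls-checks-ca-certificate", Namespace: ns}
+
+kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{ns})
+gwAddr := kubernetes.GatewayAndRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), &gatewayv1.HTTPRoute{}, false, routeNN)
+kubernetes.HTTPRouteMustHaveResolvedRefsConditionsTrue(t, suite.Client, suite.TimeoutConfig, routeNN, gwNN)
+
+validPolicyNN := types.NamespacedName{Name: "normative-test", Namespace: ns}
+kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, validPolicyNN, gwNN, acceptedCond)
+kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, validPolicyNN, gwNN, resolvedRefsCond)
+
+validcm := &corev1.ConfigMap{}
+err := suite.Client.Get(ctx, validconfigmap, validcm)
+require.NoErrorf(t, err, "failed to get valid configmap")
+
+originalCAData := validcm.Data["ca.crt"]
+
+t.Cleanup(func() {
+
+currentCM := &corev1.ConfigMap{}
+err = suite.Client.Get(ctx, validconfigmap, currentCM)
+if err != nil {
+t.Logf("cleanup: error getting ConfigMap: %v", err)
+return
+}
+
+if currentCM.Data["ca.crt"] != originalCAData {
+restored := currentCM.DeepCopy()
+restored.Data["ca.crt"] = originalCAData
+err = suite.Client.Patch(ctx, restored, client.MergeFrom(currentCM))
+if err != nil {
+t.Logf("cleanup: error restoring ConfigMap: %v", err)
+}
+}
+})
+h.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
+h.ExpectedResponse{
+Namespace: ns,
+Request: h.Request{
+Host: "abc.example.com",
+Path: "/backendtlspolicy",
+},
+Response: h.Response{StatusCodes: []int{200}},
+})
+
+mutatedCM := validcm.DeepCopy()
+mutatedCM.Data["ca.crt"] = ""
+err = suite.Client.Patch(ctx, mutatedCM, client.MergeFrom(validcm))
+require.NoErrorf(t, err, "failed to mutate ConfigMap")
+
+invalidAcceptedCond := metav1.Condition{
+Type: string(gatewayv1.PolicyConditionAccepted),
+Status: metav1.ConditionFalse,
+Reason: string(gatewayv1.BackendTLSPolicyReasonNoValidCACertificate),
+}
+invalidResolvedRefsCond := metav1.Condition{
+Type: string(gatewayv1.BackendTLSPolicyConditionResolvedRefs),
+Status: metav1.ConditionFalse,
+Reason: string(gatewayv1.BackendTLSPolicyReasonInvalidCACertificateRef),
+}
+
+kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, validPolicyNN, gwNN, invalidAcceptedCond)
+kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, validPolicyNN, gwNN, invalidResolvedRefsCond)
+
+h.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
+h.ExpectedResponse{
+Namespace: ns,
+Request: h.Request{
+Host: "abc.example.com",
+Path: "/backendtlspolicy",
+},
+Response: h.Response{
+StatusCodes: []int{500, 502, 503},
+},
+})
+
+currentCM := &corev1.ConfigMap{}
+err = suite.Client.Get(ctx, validconfigmap, currentCM)
+require.NoErrorf(t, err, "failed to get valid configmap")
+
+restoredCM := currentCM.DeepCopy()
+restoredCM.Data["ca.crt"] = originalCAData
+err = suite.Client.Patch(ctx, restoredCM, client.MergeFrom(currentCM))
+require.NoErrorf(t, err, "failed to mutate ConfigMap")
+
+kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, validPolicyNN, gwNN, acceptedCond)
+kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, validPolicyNN, gwNN, resolvedRefsCond)
+
+h.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
+h.ExpectedResponse{
+Namespace: ns,
+Request: h.Request{
+Host: "abc.example.com",
+Path: "/backendtlspolicy",
+SNI: "abc.example.com",
+},
+Response: h.Response{StatusCodes: []int{200}},
+})
+})
 },
 }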
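Review bot: The `t.Cleanup` callback in the new subtest reuses `ctx := t.Context()`, and the testing package cancels that context just before cleanup functions run, so the `Get` and `Patch` inside the callback will most likely fail with a cancelled context and only be logged. If the subtest aborts between emptying `ca.crt` and the inline restore, the shared `tls-checks-ca-certificate` ConfigMap then stays empty and later tests against the same cluster inherit a broken CA bundle. Give the cleanup its own context, e.g. `cleanupCtx, cancel := context.WithTimeout(context.Background(), time.Minute)` followed by `defer cancel()` (the timeout value is only a suggestion), and pass `cleanupCtx` to both calls; `context` and `time` are not among the imports visible in the first hunk, so they may need adding. The inline restore near the end also reports `"failed to mutate ConfigMap"`; `"failed to restore ConfigMap"` would make a failure at that step easier to attribute.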
