fix e2e

Signed-off-by: zirain <zirain2009@gmail.com>

Author: zirain

test/e2e/e2e_test.go

@@ -71,6 +71,12 @@ func TestE2E(t *testing.T) {
 		)
 	}
 
+	enabledFeatures := sets.New(features.SupportGateway)
+	if tests.EnabledClusterTrustBundle() {
+		tlog.Logf(t, "ClusterTrustBundle feature is enabled")
+		enabledFeatures.Insert(tests.ClusterTrustBundleFeature)
+	}
+
 	cSuite, err := suite.NewConformanceTestSuite(suite.ConformanceOptions{
 		Client:               c,
 		RestConfig:           cfg,
@@ -81,7 +87,7 @@ func TestE2E(t *testing.T) {
 		RunTest:              *flags.RunTest,
 		// SupportedFeatures cannot be empty, so we set it to SupportGateway
 		// All e2e tests should leave Features empty.
-		SupportedFeatures: sets.New(features.SupportGateway),
+		SupportedFeatures: enabledFeatures,
 		SkipTests:         skipTests,
 		AllowCRDsMismatch: *flags.AllowCRDsMismatch,
 		Hook:              Hook,

test/e2e/testdata/backend-tls-clustertrustbundle.yaml

@@ -33,7 +33,7 @@ metadata:
   namespace: gateway-conformance-infra
 spec:
   parentRefs:
-    - name: same-namespace
+    - name: all-namespaces
   rules:
     - matches:
         - path:

test/e2e/testdata/httproute-with-dynamic-resolver-backend-with-clustertrustbundle.yaml

@@ -1,3 +1,21 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: httproute-clustertrustbundle
+  namespace: gateway-conformance-infra
+spec:
+  parentRefs:
+    - name: all-namespaces
+  rules:
+    - backendRefs:
+        - group: gateway.envoyproxy.io
+          kind: Backend
+          name: backend-clustertrustbundle
+      matches:
+        - path:
+            type: PathPrefix
+            value: /with-clustertrustbundle
+---
 # keep this same as configmap backend-ca-certificate
 apiVersion: certificates.k8s.io/v1beta1
 kind: ClusterTrustBundle
@@ -29,7 +47,7 @@ spec:
 apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: Backend
 metadata:
-  name: backend-dynamic-resolver-clustertrustbundle
+  name: backend-clustertrustbundle
   namespace: gateway-conformance-infra
 spec:
   type: DynamicResolver

test/e2e/testdata/httproute-with-dynamic-resolver-backend-with-tls.yaml

@@ -15,14 +15,6 @@ spec:
     - path:
         type: PathPrefix
         value: /with-tls
-  - backendRefs:
-    - group: gateway.envoyproxy.io
-      kind: Backend
-      name: backend-dynamic-resolver-clustertrustbundle
-    matches:
-    - path:
-        type: PathPrefix
-        value: /with-clustertrustbundle
 ---
 apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: Backend

test/e2e/tests/backend_tls.go

@@ -14,23 +14,17 @@ import (
 	"sigs.k8s.io/gateway-api/conformance/utils/http"
 	"sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
 	"sigs.k8s.io/gateway-api/conformance/utils/suite"
+	"sigs.k8s.io/gateway-api/pkg/features"
 )
 
-var backendTLSTestManifests []string
-
 func init() {
-	ConformanceTests = append(ConformanceTests, BackendTLSTest)
-
-	backendTLSTestManifests = []string{"testdata/backend-tls.yaml"}
-	if EnabledClusterTrustBundle() {
-		backendTLSTestManifests = append(backendTLSTestManifests, "testdata/backend-tls-clustertrustbundle.yaml")
-	}
+	ConformanceTests = append(ConformanceTests, BackendTLSTest, BackendClusterTrustBundleTest)
 }
 
 var BackendTLSTest = suite.ConformanceTest{
 	ShortName:   "BackendTLS",
 	Description: "Connect to backend with TLS",
-	Manifests:   backendTLSTestManifests,
+	Manifests:   []string{"testdata/backend-tls.yaml"},
 	Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
 		gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ConformanceInfraNamespace}
 		t.Run("with a backend TLS Policy", func(t *testing.T) {
@@ -109,12 +103,21 @@ var BackendTLSTest = suite.ConformanceTest{
 
 			http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
 		})
+	},
+}
 
+var BackendClusterTrustBundleTest = suite.ConformanceTest{
+	ShortName:   "BackendTLSClusterTrustBundle",
+	Description: "Connect to backend with TLS",
+	Manifests: []string{
+		"testdata/backend-tls-clustertrustbundle.yaml",
+	},
+	Features: []features.FeatureName{
+		ClusterTrustBundleFeature,
+	},
+	Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+		gwNN := types.NamespacedName{Name: AllNamespacesGateway, Namespace: ConformanceInfraNamespace}
 		t.Run("with ClusterTrustBundle", func(t *testing.T) {
-			if !EnabledClusterTrustBundle() {
-				t.Skipf("Skipping test as ClusterTrustBundle is not enabled")
-			}
-
 			routeNN := types.NamespacedName{Name: "http-with-backend-tls-trust-bundle", Namespace: ConformanceInfraNamespace}
 			gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
 

test/e2e/tests/client_mtls.go

@@ -24,23 +24,17 @@ import (
 	"sigs.k8s.io/gateway-api/conformance/utils/roundtripper"
 	"sigs.k8s.io/gateway-api/conformance/utils/suite"
 	"sigs.k8s.io/gateway-api/conformance/utils/tlog"
+	"sigs.k8s.io/gateway-api/pkg/features"
 )
 
-var clientMTLSTestManifests []string
-
 func init() {
-	ConformanceTests = append(ConformanceTests, ClientMTLSTest)
-
-	clientMTLSTestManifests = []string{"testdata/client-mtls.yaml"}
-	if EnabledClusterTrustBundle() {
-		clientMTLSTestManifests = append(clientMTLSTestManifests, "testdata/client-mtls-trustbundle.yaml")
-	}
+	ConformanceTests = append(ConformanceTests, ClientMTLSTest, ClientMTLSClusterTrustBundleTest)
 }
 
 var ClientMTLSTest = suite.ConformanceTest{
 	ShortName:   "ClientMTLS",
 	Description: "Use Gateway with Client MTLS policy",
-	Manifests:   clientMTLSTestManifests,
+	Manifests:   []string{"testdata/client-mtls.yaml"},
 	Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
 		t.Run("Client MTLS with ClusterTrustBundle", func(t *testing.T) {
 			if !EnabledClusterTrustBundle() {
@@ -204,6 +198,58 @@ var ClientMTLSTest = suite.ConformanceTest{
 	},
 }
 
+var ClientMTLSClusterTrustBundleTest = suite.ConformanceTest{
+	ShortName:   "ClientMTLSClusterTrustBundle",
+	Description: "Use Gateway with Client MTLS policy",
+	Manifests:   []string{"testdata/client-mtls-trustbundle.yaml"},
+	Features: []features.FeatureName{
+		ClusterTrustBundleFeature,
+	},
+	Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+		t.Run("Client MTLS with ClusterTrustBundle", func(t *testing.T) {
+			ns := "gateway-conformance-infra"
+			routeNN := types.NamespacedName{Name: "client-mtls-clustertrustbundle", Namespace: ns}
+			gwNN := types.NamespacedName{Name: "client-mtls-clustertrustbundle", Namespace: ns}
+			gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+			certNN := types.NamespacedName{Name: "client-example-com", Namespace: ns}
+
+			expected := http.ExpectedResponse{
+				Request: http.Request{
+					Host: "www.example.com",
+					Path: "/cluster-trust-bundle",
+				},
+				ExpectedRequest: &http.ExpectedRequest{
+					Request: http.Request{
+						Host: "www.example.com",
+						Path: "/cluster-trust-bundle",
+						Headers: map[string]string{
+							"X-Forwarded-Client-Cert": "Hash=42a13e4b02c8a6d2ae5bf2fdaa032e24fdbabbaa79b6017fd0db6c077e6999e0;Subject=\"O=example organization,CN=client.example.com\"",
+						},
+					},
+				},
+				Response: http.Response{
+					StatusCode: 200,
+				},
+				Namespace: ns,
+			}
+
+			req := http.MakeRequest(t, &expected, gwAddr, "HTTPS", "https")
+
+			// This test uses the same key/cert pair as both a client cert and server cert
+			// Both backend and client treat the self-signed cert as a trusted CA
+			cPem, keyPem, caPem, err := GetTLSSecret(suite.Client, certNN)
+			if err != nil {
+				t.Fatalf("unexpected error finding TLS secret: %v", err)
+			}
+
+			combined := string(cPem) + "\n" + string(caPem)
+
+			WaitForConsistentMTLSResponse(t, suite.RoundTripper, req, expected, suite.TimeoutConfig.RequiredConsecutiveSuccesses, suite.TimeoutConfig.MaxTimeToConsistency,
+				[]byte(combined), keyPem, "www.example.com")
+		})
+	},
+}
+
 func WaitForConsistentMTLSResponse(t *testing.T, r roundtripper.RoundTripper, req roundtripper.Request, expected http.ExpectedResponse, threshold int, maxTimeToConsistency time.Duration, cPem, keyPem []byte, server string) {
 	http.AwaitConvergence(t, threshold, maxTimeToConsistency, func(elapsed time.Duration) bool {
 		req.KeyPem = keyPem

test/e2e/tests/httproute_with_dynamic_resolver_backend.go

@@ -14,23 +14,15 @@ import (
 	"sigs.k8s.io/gateway-api/conformance/utils/http"
 	"sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
 	"sigs.k8s.io/gateway-api/conformance/utils/suite"
+	"sigs.k8s.io/gateway-api/pkg/features"
 )
 
-var dynamicResolverBackendWithTLSTestManifests []string
-
 func init() {
 	ConformanceTests = append(ConformanceTests,
 		DynamicResolverBackendTest,
-		DynamicResolverBackendWithTLSTest)
+		DynamicResolverBackendWithTLSTest,
+		DynamicResolverBackendWithClusterTrustBundleTest)
 
-	dynamicResolverBackendWithTLSTestManifests = []string{
-		"testdata/httproute-with-dynamic-resolver-backend-with-tls.yaml",
-		"testdata/httproute-with-dynamic-resolver-backend-with-tls-system-ca.yaml",
-	}
-	if EnabledClusterTrustBundle() {
-		dynamicResolverBackendWithTLSTestManifests = append(dynamicResolverBackendWithTLSTestManifests,
-			"testdata/httproute-with-dynamic-resolver-backend-with-clustertrustbundle.yaml")
-	}
 }
 
 var DynamicResolverBackendTest = suite.ConformanceTest{
@@ -111,32 +103,13 @@ var DynamicResolverBackendTest = suite.ConformanceTest{
 var DynamicResolverBackendWithTLSTest = suite.ConformanceTest{
 	ShortName:   "DynamicResolverBackendWithTLS",
 	Description: "Routes with a backend ref to a dynamic resolver backend",
-	Manifests:   dynamicResolverBackendWithTLSTestManifests,
+	Manifests: []string{
+		"testdata/httproute-with-dynamic-resolver-backend-with-tls.yaml",
+		"testdata/httproute-with-dynamic-resolver-backend-with-tls-system-ca.yaml",
+	},
 	Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
 		ns := "gateway-conformance-infra"
 		gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
-		t.Run("ClusterTrustBundle", func(t *testing.T) {
-			if !EnabledClusterTrustBundle() {
-				t.Skipf("Skipping test as ClusterTrustBundle is not enabled")
-			}
-
-			routeNN := types.NamespacedName{Name: "httproute-with-dynamic-resolver-backend-tls", Namespace: ns}
-			gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
-			BackendMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "backend-dynamic-resolver-clustertrustbundle", Namespace: ns})
-
-			expectedResponse := http.ExpectedResponse{
-				Request: http.Request{
-					Host: "backend-dynamic-resolver-tls.gateway-conformance-infra.svc.cluster.local:443",
-					Path: "/with-clustertrustbundle",
-				},
-				Response: http.Response{
-					StatusCode: 200,
-				},
-				Namespace: ns,
-			}
-
-			http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
-		})
 		t.Run("TLS", func(t *testing.T) {
 			routeNN := types.NamespacedName{Name: "httproute-with-dynamic-resolver-backend-tls", Namespace: ns}
 			gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
@@ -178,3 +151,37 @@ var DynamicResolverBackendWithTLSTest = suite.ConformanceTest{
 		})
 	},
 }
+
+var DynamicResolverBackendWithClusterTrustBundleTest = suite.ConformanceTest{
+	ShortName:   "DynamicResolverBackendWithClusterTrustBundle",
+	Description: "Routes with a backend ref to a dynamic resolver backend",
+	Manifests: []string{
+		"testdata/httproute-with-dynamic-resolver-backend-with-tls.yaml",
+		"testdata/httproute-with-dynamic-resolver-backend-with-clustertrustbundle.yaml",
+	},
+	Features: []features.FeatureName{
+		ClusterTrustBundleFeature,
+	},
+	Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+		ns := "gateway-conformance-infra"
+		gwNN := types.NamespacedName{Name: AllNamespacesGateway, Namespace: ns}
+		t.Run("ClusterTrustBundle", func(t *testing.T) {
+			routeNN := types.NamespacedName{Name: "httproute-clustertrustbundle", Namespace: ns}
+			gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+			BackendMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "backend-clustertrustbundle", Namespace: ns})
+
+			expectedResponse := http.ExpectedResponse{
+				Request: http.Request{
+					Host: "backend-dynamic-resolver-tls.gateway-conformance-infra.svc.cluster.local:443",
+					Path: "/with-clustertrustbundle",
+				},
+				Response: http.Response{
+					StatusCode: 200,
+				},
+				Namespace: ns,
+			}
+
+			http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
+		})
+	},
+}

test/e2e/tests/utils.go

@@ -42,6 +42,7 @@ import (
 	k8sutils "sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
 	"sigs.k8s.io/gateway-api/conformance/utils/suite"
 	"sigs.k8s.io/gateway-api/conformance/utils/tlog"
+	"sigs.k8s.io/gateway-api/pkg/features"
 
 	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 	"github.com/envoyproxy/gateway/internal/kubernetes"
@@ -60,8 +61,12 @@ var (
 )
 
 const (
+	ClusterTrustBundleFeature features.FeatureName = "ClusterTrustBundle"
+
 	ConformanceInfraNamespace = "gateway-conformance-infra"
 
+	AllNamespacesGateway = "all-namespaces"
+
 	defaultServiceStartupTimeout = 5 * time.Minute
 )