Add conformance test for isolation of HTTP listeners #2669
Conversation
Hi @pleshakov. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Thanks @pleshakov! This is going to require some careful review from multiple people. /cc @arkodg @mlavacca @sunjayBhatia
ran this test real quick against Contour main and it does not pass, so I'll have to dig in further to see what's going on
--- FAIL: TestGatewayConformance (83.36s)
--- FAIL: TestGatewayConformance/GatewayHTTPListenerIsolation (56.27s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/hostnames_are_configured_only_in_listeners (0.03s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/hostnames_are_configured_only_in_listeners/4_request_to_'bar.example.com/empty-hostname'_should_receive_a_404 (0.01s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/hostnames_are_configured_only_in_listeners/12_request_to_'abc.foo.example.com/empty-hostname'_should_receive_a_404 (0.01s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/hostnames_are_configured_only_in_listeners/3_request_to_'bar.com/abc-foo-example-com'_should_receive_a_404 (0.02s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/hostnames_are_configured_only_in_listeners/2_request_to_'bar.com/wildcard-foo-example-com'_should_receive_a_404 (0.02s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/hostnames_are_configured_only_in_listeners/1_request_to_'bar.com/wildcard-example-com'_should_receive_a_404 (0.03s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/hostnames_are_configured_only_in_listeners/8_request_to_'bar.foo.example.com/empty-hostname'_should_receive_a_404 (0.03s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/hostnames_are_configured_only_in_listeners/11_request_to_'bar.foo.example.com/abc-foo-example-com'_should_receive_a_404 (0.03s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/hostnames_are_configured_only_in_listeners/7_request_to_'bar.example.com/abc-foo-example-com'_should_receive_a_404 (0.03s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/hostnames_are_configured_only_in_listeners/6_request_to_'bar.example.com/wildcard-foo-example-com'_should_receive_a_404 (0.04s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/hostnames_are_configured_only_in_listeners/0_request_to_'bar.com/empty-hostname'_should_go_to_infra-backend-v1 (0.04s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/hostnames_are_configured_only_in_listeners/10_request_to_'bar.foo.example.com/wildcard-foo-example-com'_should_go_to_infra-backend-v1 (0.03s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/hostnames_are_configured_only_in_listeners/9_request_to_'bar.foo.example.com/wildcard-example-com'_should_receive_a_404 (0.03s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/hostnames_are_configured_only_in_listeners/5_request_to_'bar.example.com/wildcard-example-com'_should_go_to_infra-backend-v1 (0.02s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/hostnames_are_configured_only_in_listeners/14_request_to_'abc.foo.example.com/wildcard-foo-example-com'_should_receive_a_404 (0.02s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/hostnames_are_configured_only_in_listeners/13_request_to_'abc.foo.example.com/wildcard-example-com'_should_receive_a_404 (0.02s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/hostnames_are_configured_only_in_listeners/15_request_to_'abc.foo.example.com/abc-foo-example-com'_should_go_to_infra-backend-v1 (0.02s)
--- FAIL: TestGatewayConformance/GatewayHTTPListenerIsolation/intersecting_hostnames_are_configured_in_listeners_and_HTTPRoutes (0.02s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/intersecting_hostnames_are_configured_in_listeners_and_HTTPRoutes/7_request_to_'bar.example.com/abc-foo-example-com'_should_receive_a_404 (0.01s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/intersecting_hostnames_are_configured_in_listeners_and_HTTPRoutes/0_request_to_'bar.com/empty-hostname'_should_go_to_infra-backend-v1 (0.01s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/intersecting_hostnames_are_configured_in_listeners_and_HTTPRoutes/5_request_to_'bar.example.com/wildcard-example-com'_should_go_to_infra-backend-v1 (0.01s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/intersecting_hostnames_are_configured_in_listeners_and_HTTPRoutes/15_request_to_'abc.foo.example.com/abc-foo-example-com'_should_go_to_infra-backend-v1 (0.02s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/intersecting_hostnames_are_configured_in_listeners_and_HTTPRoutes/6_request_to_'bar.example.com/wildcard-foo-example-com'_should_receive_a_404 (0.02s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/intersecting_hostnames_are_configured_in_listeners_and_HTTPRoutes/10_request_to_'bar.foo.example.com/wildcard-foo-example-com'_should_go_to_infra-backend-v1 (0.02s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/intersecting_hostnames_are_configured_in_listeners_and_HTTPRoutes/11_request_to_'bar.foo.example.com/abc-foo-example-com'_should_receive_a_404 (0.02s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/intersecting_hostnames_are_configured_in_listeners_and_HTTPRoutes/2_request_to_'bar.com/wildcard-foo-example-com'_should_receive_a_404 (0.01s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/intersecting_hostnames_are_configured_in_listeners_and_HTTPRoutes/3_request_to_'bar.com/abc-foo-example-com'_should_receive_a_404 (0.01s)
--- PASS: TestGatewayConformance/GatewayHTTPListenerIsolation/intersecting_hostnames_are_configured_in_listeners_and_HTTPRoutes/1_request_to_'bar.com/wildcard-example-com'_should_receive_a_404 (0.01s)
--- FAIL: TestGatewayConformance/GatewayHTTPListenerIsolation/intersecting_hostnames_are_configured_in_listeners_and_HTTPRoutes/14_request_to_'abc.foo.example.com/wildcard-foo-example-com'_should_receive_a_404 (30.00s)
--- FAIL: TestGatewayConformance/GatewayHTTPListenerIsolation/intersecting_hostnames_are_configured_in_listeners_and_HTTPRoutes/4_request_to_'bar.example.com/empty-hostname'_should_receive_a_404 (30.00s)
--- FAIL: TestGatewayConformance/GatewayHTTPListenerIsolation/intersecting_hostnames_are_configured_in_listeners_and_HTTPRoutes/13_request_to_'abc.foo.example.com/wildcard-example-com'_should_receive_a_404 (30.00s)
--- FAIL: TestGatewayConformance/GatewayHTTPListenerIsolation/intersecting_hostnames_are_configured_in_listeners_and_HTTPRoutes/12_request_to_'abc.foo.example.com/empty-hostname'_should_receive_a_404 (30.00s)
--- FAIL: TestGatewayConformance/GatewayHTTPListenerIsolation/intersecting_hostnames_are_configured_in_listeners_and_HTTPRoutes/8_request_to_'bar.foo.example.com/empty-hostname'_should_receive_a_404 (30.00s)
--- FAIL: TestGatewayConformance/GatewayHTTPListenerIsolation/intersecting_hostnames_are_configured_in_listeners_and_HTTPRoutes/9_request_to_'bar.foo.example.com/wildcard-example-com'_should_receive_a_404 (30.00s)
FAIL
sectionName: empty-hostname
hostnames:
- "bar.com"
- "*.example.com" # request matching is prevented by the isolation wildcard-example-com listener
these are more tied to hostname intersection b/w listener and route, should this be part of this test or another one?
My interpretation is that listener intersection is about one listener and its HTTPRoutes (so it could be tested separately) --
gateway-api/apis/v1/httproute_types.go
Lines 71 to 73 in 4b1a28d
// If a hostname is specified by both the Listener and HTTPRoute, there
// must be at least one intersecting hostname for the HTTPRoute to be
// attached to the Listener. For example:
while listener isolation is about multiple listeners --
gateway-api/apis/v1/gateway_types.go
Lines 173 to 179 in 4b1a28d
// Note that requests SHOULD match at most one Listener. For example, if
// Listeners are defined for "foo.example.com" and "*.example.com", a
// request to "foo.example.com" SHOULD only be routed using routes attached
// to the "foo.example.com" Listener (and not the "*.example.com" Listener).
// This concept is known as "Listener Isolation". Implementations that do
// not support Listener Isolation MUST clearly document this.
//
Or to put it differently, correct implementation of listener intersection is required for this test, but ultimately the test is about listener isolation.
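The distinction drawn above, as an added Go example that is not code from the gateway-api or Contour projects: the request is first isolated to the single most specific Listener whose hostname matches, and only the routes attached to that Listener are consulted, so a request for bar.example.com/empty-hostname gets a 404 even when the route on the empty-hostname Listener lists "*.example.com" in its hostnames. The Listener/Route shapes and the wildcard scoring helper are my assumptions; hostname semantics follow the spec text quoted above ("*.example.com" is a suffix match that needs at least one label in front).

```go
package main

import "strings"

// Listener: a Gateway Listener's sectionName and hostname ("" means any host).
type Listener struct{ Name, Hostname string }

// Route: an HTTPRoute attached to one Listener via sectionName, with optional
// hostnames, one path-prefix match and the backend it forwards to.
type Route struct {
	Listener, Path, Backend string
	Hostnames               []string
}

// matchScore returns -1 when pattern does not match host, otherwise how
// specific the match is: "" scores 0, "*.example.com" scores its length (it is
// a suffix match needing at least one label in front), a precise name scores top.
func matchScore(pattern, host string) int {
	switch {
	case pattern == "":
		return 0
	case pattern == host:
		return 1 << 20
	case strings.HasPrefix(pattern, "*.") && len(host) > len(pattern)-1 && strings.HasSuffix(host, pattern[1:]):
		return len(pattern)
	}
	return -1
}

// RouteRequest isolates the request to the single most specific Listener that
// matches host, then consults only routes attached to it; "404" if none match.
func RouteRequest(listeners []Listener, routes []Route, host, path string) string {
	iso, best := "", -1
	for _, l := range listeners {
		if s := matchScore(l.Hostname, host); s > best {
			iso, best = l.Name, s
		}
	}
	for _, r := range routes {
		if best < 0 || r.Listener != iso || !strings.HasPrefix(path, r.Path) {
			continue
		}
		hosts := r.Hostnames
		if len(hosts) == 0 {
			hosts = []string{""} // no route hostnames: inherit the Listener's
		}
		for _, h := range hosts { // a route hostname counts only if the request host matches it
			if matchScore(h, host) >= 0 {
				return r.Backend
			}
		}
	}
	return "404"
}
```

The expected results mirror the subtest cases in the conformance output above: each host is served only by the route attached to its most specific Listener, everything else is a 404.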
thanks for adding this @pleshakov, your test approach looks good, added a minor non blocking comment
/approve
thanks for adding this one !
@sunjayBhatia do you want to take another look at this PR, or should we get this in ?
I've been meaning to take a look at this too, sorry I lost track of it! Will aim to get some feedback in this week. /assign
yep I'll take another look tmr 👍🏽
Requests should be "isolated" to the most specific Listener and its attached routes. This means our existing logic on finding intersecting route and Listener hostnames needs an update to factor in the other Listeners on a Gateway that the route in question may not actually be attached to. Fix for conformance test: kubernetes-sigs/gateway-api#2669 kubernetes-sigs/gateway-api#2465 for spec Signed-off-by: Sunjay Bhatia <[email protected]>
Contour needs an update to our Listener/Route hostname intersection logic to pass this but this looks like a nice thorough set of tests 👍🏽
Thanks @pleshakov! This is an incredibly detailed test with well-written + explained test cases. For what it's worth, GKE Gateway ran into the same failures that @sunjayBhatia found, but that's on us, thanks for catching our inconsistencies with the spec! A few nits here + a rebase needed but otherwise LGTM.
kind: Gateway
metadata:
  name: http-listener-isolation-with-hostname-intersection
  namespace: gateway-conformance-infra
Do we actually need 2 new Gateways for this test? (Asking because this could significantly increase the time it takes to run conformance tests + the overall resources required).
No need for two Gateways, I can make it work with one to decrease time and required resources 👍
That sounds great, thanks! Ping me whenever this is ready for another look
@pleshakov do you have time to merge these Gateways?
Hi @robscott
I didn't have enough time to dedicate to this. Apologies!
Is the idea to get the PR merged before the next Gateway API release?
One thing that worries me:
since I already got approvals and confirmations from folks running this against their implementations, although merging should not cause any changes to the test behavior, there is a slight chance for it, since I will be updating code and manifests. So another round of reviews and re-runs will be needed.
conformance/tests/gateway-http-listener-isolation-with-hostname-intersection.yaml
- Introduce GatewayHTTPListenerIsolation extended feature - Add GatewayHTTPListenerIsolation conformance test
Co-authored-by: Rob Scott <[email protected]>
…e-intersection.yaml Co-authored-by: Rob Scott <[email protected]>
Kong still needs to add logic to isolate HTTPS listeners, but the test looks well written and correct to me 👍
/approve
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: arkodg, mlavacca, pleshakov, sunjayBhatia The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@robscott I'd love to see this one into v1.1, this conformance test will benefit a lot of implementations and not supporting this is a lapse in security, to make some progress, can we get this into v1.1 and add a follow up to optimize manifests / resources, this test is opt in, so shouldn't negatively affect anyone by default
@arkodg that makes sense to me, @pleshakov can you rebase this PR? RC2 is scheduled to go out tomorrow, if this PR is ready before that, I'll merge it.
Takes kubernetes-sigs#2669 forward Signed-off-by: Arko Dasgupta <[email protected]>
Takes kubernetes-sigs#2669 forward Signed-off-by: Arko Dasgupta <[email protected]> Co-authored-by: Michael Pleshakov <[email protected]>
* Conformance test for listener isolation Takes #2669 forward Signed-off-by: Arko Dasgupta <[email protected]> Co-authored-by: Michael Pleshakov <[email protected]> * use features package Signed-off-by: Arko Dasgupta <[email protected]> --------- Signed-off-by: Arko Dasgupta <[email protected]> Co-authored-by: Michael Pleshakov <[email protected]>
Covered by #3047, closing this one out.
…r#6162) Requests should be "isolated" to the most specific Listener and its attached routes. This means our existing logic on finding intersecting route and Listener hostnames needs an update to factor in the other Listeners on a Gateway that the route in question may not actually be attached to. Fix for conformance test: kubernetes-sigs/gateway-api#2669 kubernetes-sigs/gateway-api#2465 for spec Signed-off-by: Sunjay Bhatia <[email protected]> Signed-off-by: Saman Mahdanian <[email protected]>
What type of PR is this?
/kind test
/area conformance
What this PR does / why we need it:
Listener isolation was clarified in #2465
This PR adds the corresponding extended feature and the conformance test.
The test includes two subtests:
Note:
I added only tests for HTTP listeners. I believe the fix for this issue #2417 might define the tests for the isolation for HTTPS listeners - those will also involve setting SNI.
Which issue(s) this PR fixes:
Fixes #2416
Does this PR introduce a user-facing change?: