From 5255ebd6c71741eef6433278414fb198329de6d5 Mon Sep 17 00:00:00 2001
From: "Huabing (Robin) Zhao"
Date: Tue, 6 May 2025 04:34:07 +0000
Subject: [PATCH] e2e test for dynamic resolver backend using system ca for TLS
Signed-off-by: Huabing (Robin) Zhao
---
 ...c-resolver-backend-with-tls-system-ca.yaml | 33 +++++++++++++++++++
 ...httproute_with_dynamic_resolver_backend.go | 22 +++++++++++++
 2 files changed, 55 insertions(+)
 create mode 100644 test/e2e/testdata/httproute-with-dynamic-resolver-backend-with-tls-system-ca.yaml
diff --git a/test/e2e/testdata/httproute-with-dynamic-resolver-backend-with-tls-system-ca.yaml b/test/e2e/testdata/httproute-with-dynamic-resolver-backend-with-tls-system-ca.yaml
new file mode 100644
index 0000000000..45ce6a40db
--- /dev/null
+++ b/test/e2e/testdata/httproute-with-dynamic-resolver-backend-with-tls-system-ca.yaml
@@ -0,0 +1,33 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: httproute-with-dynamic-resolver-backend-tls-system-trust-store
+ namespace: gateway-conformance-infra
+spec:
+ parentRefs:
+ - name: same-namespace
+ rules:
+ - backendRefs:
+ - group: gateway.envoyproxy.io
+ kind: Backend
+ name: backend-dynamic-resolver-tls-system-trust-store
+ matches:
+ - path:
+ type: PathPrefix
+ value: /with-tls-system-trust-store
+ filters:
+ - type: URLRewrite # rewrite the path to /, as we use gateway.envoyproxy.io to test the dynamic resolver, and this path is not available
+ urlRewrite:
+ path:
+ type: ReplaceFullPath
+ replaceFullPath: /
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: Backend
+metadata:
+ name: backend-dynamic-resolver-tls-system-trust-store
+ namespace: gateway-conformance-infra
+spec:
+ type: DynamicResolver
+ tls:
+ wellKnownCACertificates: System
diff --git a/test/e2e/tests/httproute_with_dynamic_resolver_backend.go b/test/e2e/tests/httproute_with_dynamic_resolver_backend.go
index d7509b0777..9168431c46 100644
--- a/test/e2e/tests/httproute_with_dynamic_resolver_backend.go
+++ b/test/e2e/tests/httproute_with_dynamic_resolver_backend.go
@@ -26,6 +26,7 @@ var DynamicResolverBackendTest = suite.ConformanceTest{
 Manifests: []string{
 "testdata/httproute-with-dynamic-resolver-backend.yaml",
 "testdata/httproute-with-dynamic-resolver-backend-with-tls.yaml",
+ "testdata/httproute-with-dynamic-resolver-backend-with-tls-system-ca.yaml",
 },
 Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
 ns := "gateway-conformance-infra"
@@ -80,5 +81,26 @@ var DynamicResolverBackendTest = suite.ConformanceTest{
 http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
 })
+ t.Run("route to service with TLS using system CA", func(t *testing.T) {
+ routeNN := types.NamespacedName{Name: "httproute-with-dynamic-resolver-backend-tls-system-trust-store", Namespace: ns}
+ gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+ BackendMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "backend-dynamic-resolver-tls-system-trust-store", Namespace: ns})
+
+ expectedResponse := http.ExpectedResponse{
+ Request: http.Request{
+ Host: "gateway.envoyproxy.io:443",
+ Path: "/with-tls-system-trust-store",
+ },
+ ExpectedRequest: &http.ExpectedRequest{
+ Request: http.Request{
+ Host: "",
+ },
+ },
+ Response: http.Response{
+ StatusCode: 200,
+ },
+ }
+ http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
+ })
 },
 }
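Review bot: The new subtest "route to service with TLS using system CA" asserts only `StatusCode: 200`, so it would presumably pass just as well if the proxy skipped upstream certificate verification; it shows that the TLS connection to `gateway.envoyproxy.io:443` works, not that `wellKnownCACertificates: System` is what validated the chain. I would state that limit above the `t.Run`, e.g. `// Positive case only: does not prove that an untrusted upstream certificate is rejected.`, and add a negative subtest (an upstream whose certificate does not chain to a system root, expecting a non-200) if the suite has or can host such a fixture. The empty `Host: ""` in `ExpectedRequest` also deserves a one-line comment explaining its purpose, and the test's dependence on a reachable public host is worth noting for CI environments without egress. The enclosing `Test` func opens in the previous hunk and its earlier subtests lie outside the diff.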