tests: Add conformance tests for listenersets #3890
Conversation
Skipping CI for Draft Pull Request.
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: davidjumani. The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/test all
/retest
```go
// Requests to the listener with domain name conflict should not work
{
	Request:  http.Request{Host: "conflict.com", Path: "/gateway-route"},
	Response: http.Response{StatusCode: 404},
},
```
Hmm, I don't know if we were clear enough about this in the GEP, but in this case, because there is a Gateway Listener, it should win over the ListenerSet listener. (see https://gateway-api.sigs.k8s.io/geps/gep-1713/#listener-precedence for the details here)
In this and other conflict cases, there should always be one "winning" Listener from somewhere, and that Listener should end up Accepted, and traffic should flow.
The intent of that is to stop the creation of conflicts from stopping traffic flowing (that's why "oldest first wins" for ListenerSets).
I'm confused since the GEP mentions

> Implementations MUST treat the parent Gateways as having the merged list of all listeners from itself and attached ListenerSets and validation of this list of listeners MUST behave the same as if the list were part of a single Gateway with the relaxed listener name constraints.

and so I based the validation tests as though they were defined on a single gateway. My understanding was that the ordering was purely for merging them into a gateway and not for validating them any differently.
Okay I see #3978 has been updated. Shall I wait for it to merge before making the changes here ?
Thanks @youngnick @dprotaso @rikatz for your reviews! I've updated this to reflect the discussion in #3978
@youngnick @dprotaso @rikatz could you please have another look at this? Thanks
```yaml
port: 80
protocol: HTTP
hostname: "hostname-conflict-listener-1.com"
allowedRoutes:
```
Unrelated to this PR, but this got my attention:
@dprotaso @youngnick do we really want this kind of deep allowance on a ListenerSet? The way I see a ListenerSet, it is mostly related to the "Ana" persona; allowing all of these dereferences will be really hard for controllers to track.
Imagine this situation:
- Chihiro creates a Gateway and says "I allow Listeners and routes from namespaces with the 'production' label"
- Then Ana creates a ListenerSet in a namespace with the 'production' label but says that the ListenerSet should accept routes from any namespace
- Erin then comes and attaches the HTTPRoute of a development namespace to a ListenerSet in production, and can now rely on a production hostname, a production certificate, etc.
IMO a ListenerSet should be scoped to the namespace it belongs to, and in the case of a cross-namespace need for a Listener, this should be a case where a Route attaches not to a ListenerSet but to a Gateway listener, as it does today.
```go
	Request:  http.Request{Host: "hostname-conflict-listener-1.com", Path: "/listenerset-2-route"},
	Response: http.Response{StatusCode: 404},
},
// Requests to the listener with domain name conflict should work on the first listener (based on listener precedence - alphabetic / creation time)
```
I was now wondering about something in the GEP that should be clarified again (sorry @davidjumani!)
I think this conflict management may be a bit insecure. The CreationTimestamp reflects when the resource was created, but we can modify it in a way that a Listener can be stolen:
- Erin creates the ListenerSet in her namespace, with something like:

  ```yaml
  creationTimestamp: "2025-08-11T15:44:05Z" # this is set by the APIserver
  listeners:
  - hostname: www.evil.tld
  ```

- Ana creates the ListenerSet in her namespace, with something like:

  ```yaml
  creationTimestamp: "2025-08-11T16:44:05Z"
  listeners:
  - hostname: www.mything.tld
  ```

Now, given the situation above, Erin's ListenerSet is older than Ana's ListenerSet. We don't have a conflict here, but what happens if Erin then changes her ListenerSet to something like:

```yaml
creationTimestamp: "2025-08-11T15:44:05Z" # this is set by the APIserver
listeners:
- hostname: www.evil.tld
- hostname: www.mything.tld
```

I don't think we have a way to say "Erin's resource is older, but the ListenerSet inside Ana's array is older", which effectively means, per the conflict management, that Erin's ListenerSet will win the "conflict resolution" based on resource age and steal www.mything.tld from Ana.
Am I missing something here?
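The two precedence points raised in this thread (a Gateway listener outranks any ListenerSet listener, and among ListenerSets the oldest resource wins) can be replayed in a few lines of Go. The block below is an added example written for this page; it is not code from this PR or from gateway-api. The type definitions are stand-ins for the real API types, the conflict key (same protocol, port and hostname collide) is a deliberately simplified stand-in for the Gateway listener conflict rules, and the names erin-set, ana-set, www.evil.tld and www.mything.tld are constructed data taken from the comment above.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Stand-ins for the Gateway API types (an assumption of this example, not the
// project's own types): only the fields the GEP-1713 precedence rule looks at.
type Listener struct {
	Name, Protocol, Hostname string
	Port                     int32
}
type ListenerSet struct {
	Namespace, Name string
	Created         time.Time // metadata.creationTimestamp, set by the API server
	Listeners       []Listener
}
type Gateway struct{ Listeners []Listener }

// MergedListener: one merged entry, its origin ("gateway" or "<ns>/<name>" of
// a ListenerSet) and, if it lost a conflict, "<source>/<listener>" of the winner.
type MergedListener struct {
	Listener
	Source     string
	Conflicted bool
	LostTo     string
}

// conflictKey is a deliberately simplified rule (assumption): listeners collide
// when they share protocol, port and hostname.
func conflictKey(l Listener) string {
	return fmt.Sprintf("%s/%d/%s", l.Protocol, l.Port, l.Hostname)
}

// MergeListeners applies the GEP-1713 order: Gateway listeners first, then
// ListenerSets oldest first, ties broken alphabetically by "namespace/name";
// inside one source listeners keep their declared order. First claim wins.
func MergeListeners(gw Gateway, sets []ListenerSet) []MergedListener {
	ordered := append([]ListenerSet(nil), sets...)
	sort.SliceStable(ordered, func(i, j int) bool {
		if !ordered[i].Created.Equal(ordered[j].Created) {
			return ordered[i].Created.Before(ordered[j].Created)
		}
		return ordered[i].Namespace+"/"+ordered[i].Name < ordered[j].Namespace+"/"+ordered[j].Name
	})
	claimed := map[string]string{} // conflictKey -> "<source>/<listener name>"
	var merged []MergedListener
	add := func(l Listener, source string) {
		m := MergedListener{Listener: l, Source: source}
		if owner, taken := claimed[conflictKey(l)]; taken {
			m.Conflicted, m.LostTo = true, owner // a later claimant loses
		} else {
			claimed[conflictKey(l)] = source + "/" + l.Name
		}
		merged = append(merged, m)
	}
	for _, l := range gw.Listeners {
		add(l, "gateway")
	}
	for _, ls := range ordered {
		for _, l := range ls.Listeners {
			add(l, ls.Namespace+"/"+ls.Name)
		}
	}
	return merged
}

// Winner reports which source ends up serving hostname ("" if nobody does).
func Winner(merged []MergedListener, hostname string) string {
	for _, m := range merged {
		if m.Hostname == hostname && !m.Conflicted {
			return m.Source
		}
	}
	return ""
}

func httpListener(name, hostname string) Listener {
	return Listener{Name: name, Protocol: "HTTP", Port: 80, Hostname: hostname}
}

// StolenHostnameScenario replays the comment's example with constructed data:
// Erin's ListenerSet is older than Ana's and Erin later edits hers to add Ana's
// hostname; an update leaves creationTimestamp untouched, so oldest-first hands
// www.mything.tld to Erin. The Gateway listener on conflict.com shows that a
// Gateway listener outranks any ListenerSet listener for the same host.
func StolenHostnameScenario() (mythingOwner, conflictOwner string) {
	gw := Gateway{Listeners: []Listener{httpListener("gateway-http", "conflict.com")}}
	erin := ListenerSet{Namespace: "erin", Name: "erin-set",
		Created: time.Date(2025, 8, 11, 15, 44, 5, 0, time.UTC),
		Listeners: []Listener{httpListener("evil", "www.evil.tld"),
			httpListener("grab", "www.mything.tld"), // added after Ana's set existed
			httpListener("clash", "conflict.com")}}
	ana := ListenerSet{Namespace: "ana", Name: "ana-set",
		Created: time.Date(2025, 8, 11, 16, 44, 5, 0, time.UTC),
		Listeners: []Listener{httpListener("mine", "www.mything.tld")}}
	merged := MergeListeners(gw, []ListenerSet{ana, erin}) // input order is irrelevant
	return Winner(merged, "www.mything.tld"), Winner(merged, "conflict.com")
}
```

Calling StolenHostnameScenario returns "erin/erin-set" for www.mything.tld and "gateway" for conflict.com: Ana's own listener ends up Conflicted even though her hostname was declared first, because precedence is evaluated per resource age, not per listener age. Any mitigation (for example, restricting which namespaces may attach ListenerSets, as allowedListeners does) has to sit outside this ordering.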
```go
GatewayMustHaveCondition:           180 * time.Second,
GatewayStatusMustHaveListeners:     60 * time.Second,
GatewayListenersMustHaveConditions: 60 * time.Second,
ListenerSetMustHaveCondition:       180 * time.Second,
```
Isn't 3 minutes too much? The timeout above (GatewayListenersMustHaveConditions) is 1 minute; maybe we can follow the same here.
I set ListenerSetMustHaveCondition to match GatewayMustHaveCondition, and ListenerSetListenersMustHaveConditions matches GatewayListenersMustHaveConditions.
Do you still think it should be reduced?
Let's see how this goes with 3 minutes, and be careful if this becomes a problem for test execution time.
Thanks @rikatz for the review! Wrt the open questions, can we get the conformance tests in right now? When we amend the GEP, the conformance tests can also be updated.
@youngnick @dprotaso @rikatz Could you please have a look at this? Thanks
This is next on my queue, will be my first thing tomorrow (Thursday)
```yaml
hostname: "listenerset-1-listener-2.com"
allowedRoutes:
  namespaces:
    from: All
```
Interesting: do we expect this to work if the allowedListener defines just ListenerSets of the same namespace, or not?
I think the idea is to allow it, just checking.
I'm a bit confused. Are you asking whether the Listener on the ListenerSet will accept routes from all namespaces if the Gateway's allowedListener is set to only ListenerSets from the same namespace?
If so, it should allow them, since allowedListener restricts ListenerSets and should have no effect on the routes.
I still have some questions, but overall lgtm and I would like to see these tests running with other implementations. I will try to trigger it tomorrow against Istio and kgateway to see how they behave (failing is fine, as this may not be implemented yet). I have mapped some missing tests, but not for this PR:
Thanks @rikatz I've updated the PR and description with the passing run on kgateway
/retest
This reverts commit 3ec5493.
Thanks @rikatz
What type of PR is this?
/kind test
/area conformance-test
What this PR does / why we need it:
This PR contains an initial conformance test for listenersets. This aims to verify the following:
Run against kgateway
Which issue(s) this PR fixes:
Fixes #3785
Does this PR introduce a user-facing change?: