Add conformance tests for ReferencePolicy (#1081)

* conformance: add test for reference policy

* conformance: add test for missing ReferencePolicy preventing route attachment

* conformance: add tests for improperly configured ReferencePolicy

* conformance: update ReferencePolicy tests to expect eventually consistent response

conformance: removed unused imports from httproute-reference-policy test

* conformance: update ReferencePolicy tests to expect an Accepted: False route parent status condition

* conformance: add ExtendedSupport field to ConformanceTest struct, bump to Go 1.18 for slice.Contains

* conformance: opt in to ReferencePolicy tests in conformance_test.go

* conformance: fixup slices module dep usage

* conformance: reimplement opt-in as SupportedFeature slice on ConformanceTestSuite and ConformanceTest

* fixup: remove unusued slices dep import

* fixup: fix routeNN for HTTPRouteInvalidReferencePolicy

* conformance(reference-policy): don't require namespace for HTTPRouteMustHaveParents check for routes in same namesapce as gateway

* Update conformance/utils/suite/suite.go

Co-authored-by: Steve Kriss <[email protected]>

* conformance: add conditionsMatch helper func

* conformance: add GatewayStatusMustHaveListeners and listenersMatch helper funcs

* conformance: update InvalidReferencePolicy test to check for ResolvedRefs RefNotPermitted status

* fixup: remove unused imports for HTTPRouteInvalidReferencePolicy

* conformance: rename HTTPRouteMissingReferencePolicy test to HTTPRouteInvalidCrossNamespaceBackendRef

update test to check for ReslovedRefs RefNotPermitted condition on Route

* conformance: rename HTTPRouteInvalidCrossNamespace test to HTTPRouteInvalidCrossNamespaceParentRef

* conformance: add Exemptions field to ConformanceTest struct and associated handling

* conformance: add ExemptReferencePolicy exemption to HTTPRouteInvalidCrossNamespaceBackendRef test

* fixup: HTTPRouteInvalidCrossNamespaceBackendRef boilerplate

* conformance: skip Listener ResolvedRefs check, add TODO notes

* Update conformance/tests/httproute-invalid-cross-namespace-backend-ref.go

Co-authored-by: Nathan Coleman <[email protected]>

* Update conformance/utils/kubernetes/helpers.go

Co-authored-by: Steve Kriss <[email protected]>

* Update conformance/utils/kubernetes/helpers.go

* conformance: fixup ExemptReferencePolicy description

* Update conformance/tests/httproute-invalid-cross-namespace-backend-ref.go

* Update conformance/tests/httproute-invalid-reference-policy.go

Co-authored-by: Rob Scott <[email protected]>

Co-authored-by: Steve Kriss <[email protected]>
Co-authored-by: Nathan Coleman <[email protected]>
Co-authored-by: Rob Scott <[email protected]>

Author: 4 people

Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.17 AS build-env
+FROM golang:1.18 AS build-env
 RUN mkdir -p /go/src/sig.k8s.io/gateway-api
 WORKDIR /go/src/sig.k8s.io/gateway-api
 COPY  . .

conformance/conformance_test.go

@@ -48,6 +48,9 @@ func TestConformance(t *testing.T) {
 		GatewayClassName:     *flags.GatewayClassName,
 		Debug:                *flags.ShowDebug,
 		CleanupBaseResources: *flags.CleanupBaseResources,
+		SupportedFeatures: []suite.SupportedFeature{
+			suite.SupportReferencePolicy,
+		},
 	})
 	cSuite.Setup(t)
 	cSuite.Run(t, tests.ConformanceTests)

conformance/tests/httproute-invalid-cross-namespace-backend-ref.go

@@ -0,0 +1,75 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tests
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	"sigs.k8s.io/gateway-api/apis/v1alpha2"
+	"sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
+	"sigs.k8s.io/gateway-api/conformance/utils/suite"
+)
+
+func init() {
+	ConformanceTests = append(ConformanceTests, HTTPRouteInvalidCrossNamespaceBackendRef)
+}
+
+var HTTPRouteInvalidCrossNamespaceBackendRef = suite.ConformanceTest{
+	ShortName:   "HTTPRouteInvalidCrossNamespaceBackendRef",
+	Description: "A single HTTPRoute in the gateway-conformance-infra namespace should set a ResolvedRefs status False with reason RefNotPermitted when attempting to bind to a Gateway in the same namespace if the route has a BackendRef Service in the gateway-conformance-web-backend namespace and a ReferencePolicy granting permission to route to that Service does not exist",
+	Exemptions: []suite.ExemptFeature{
+		suite.ExemptReferencePolicy,
+	},
+	Manifests: []string{"tests/httproute-invalid-cross-namespace-backend-ref.yaml"},
+	Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+		routeNN := types.NamespacedName{Name: "invalid-cross-namespace-backend-ref", Namespace: "gateway-conformance-infra"}
+		gwNN := types.NamespacedName{Name: "same-namespace", Namespace: "gateway-conformance-infra"}
+
+		ns := v1alpha2.Namespace(gwNN.Namespace)
+		kind := v1alpha2.Kind("Gateway")
+
+		// TODO(mikemorris): Add check for Accepted condition once
+		// https://github.com/kubernetes-sigs/gateway-api/issues/1112
+		// has been resolved
+		t.Run("Route status should have a route parent status with a ResolvedRefs condition with status False and reason RefNotPermitted", func(t *testing.T) {
+			parents := []v1alpha2.RouteParentStatus{{
+				ParentRef: v1alpha2.ParentReference{
+					Group:     (*v1alpha2.Group)(&v1alpha2.GroupVersion.Group),
+					Kind:      &kind,
+					Name:      v1alpha2.ObjectName(gwNN.Name),
+					Namespace: &ns,
+				},
+				ControllerName: v1alpha2.GatewayController(suite.ControllerName),
+				Conditions: []metav1.Condition{{
+					Type:   string(v1alpha2.RouteConditionResolvedRefs),
+					Status: metav1.ConditionFalse,
+					Reason: string(v1alpha2.RouteReasonRefNotPermitted),
+				}},
+			}}
+
+			kubernetes.HTTPRouteMustHaveParents(t, suite.Client, routeNN, parents, false, 60)
+		})
+
+		// TODO(mikemorris): Add check for Listener attached routes or
+		// Listener ResolvedRefs RefNotPermitted condition once
+		// https://github.com/kubernetes-sigs/gateway-api/issues/1112
+		// has been resolved
+	},
+}

conformance/tests/httproute-invalid-cross-namespace-backend-ref.yaml

@@ -0,0 +1,13 @@
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+  name: invalid-cross-namespace-backend-ref
+  namespace: gateway-conformance-infra
+spec:
+  parentRefs:
+  - name: same-namespace
+  rules:
+  - backendRefs:
+    - name: web-backend
+      namespace: gateway-conformance-web-backend
+      port: 8080

conformance/tests/httproute-invalid-cross-namespace.go renamed to conformance/tests/httproute-invalid-cross-namespace-parent-ref.go

@@ -29,15 +29,15 @@ import (
 )
 
 func init() {
-	ConformanceTests = append(ConformanceTests, HTTPRouteInvalidCrossNamespace)
+	ConformanceTests = append(ConformanceTests, HTTPRouteInvalidCrossNamespaceParentRef)
 }
 
-var HTTPRouteInvalidCrossNamespace = suite.ConformanceTest{
-	ShortName:   "HTTPRouteInvalidCrossNamespace",
+var HTTPRouteInvalidCrossNamespaceParentRef = suite.ConformanceTest{
+	ShortName:   "HTTPRouteInvalidCrossNamespaceParentRef",
 	Description: "A single HTTPRoute in the gateway-conformance-web-backend namespace should fail to attach to a Gateway in another namespace that it is not allowed to",
-	Manifests:   []string{"tests/httproute-invalid-cross-namespace.yaml"},
+	Manifests:   []string{"tests/httproute-invalid-cross-namespace-parent-ref.yaml"},
 	Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
-		routeName := types.NamespacedName{Name: "invalid-cross-namespace", Namespace: "gateway-conformance-web-backend"}
+		routeName := types.NamespacedName{Name: "invalid-cross-namespace-parent-ref", Namespace: "gateway-conformance-web-backend"}
 		gwName := types.NamespacedName{Name: "same-namespace", Namespace: "gateway-conformance-infra"}
 
 		// TODO: Determine if this is actually what we want. It is likely

conformance/tests/httproute-invalid-cross-namespace.yaml renamed to conformance/tests/httproute-invalid-cross-namespace-parent-ref.yaml

@@ -1,7 +1,7 @@
 apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: HTTPRoute
 metadata:
-  name: invalid-cross-namespace
+  name: invalid-cross-namespace-parent-ref
   namespace: gateway-conformance-web-backend
 spec:
   parentRefs:

conformance/tests/httproute-invalid-reference-policy.go

@@ -0,0 +1,110 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tests
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	"sigs.k8s.io/gateway-api/apis/v1alpha2"
+	"sigs.k8s.io/gateway-api/conformance/utils/http"
+	"sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
+	"sigs.k8s.io/gateway-api/conformance/utils/suite"
+)
+
+func init() {
+	ConformanceTests = append(ConformanceTests, HTTPRouteInvalidReferencePolicy)
+}
+
+var HTTPRouteInvalidReferencePolicy = suite.ConformanceTest{
+	ShortName:   "HTTPRouteInvalidReferencePolicy",
+	Description: "A single HTTPRoute in the gateway-conformance-infra namespace should fail to attach to a Gateway in the same namespace if the route has a backendRef Service in the gateway-conformance-app-backend namespace and a ReferencePolicy exists but does not grant permission to route to that specific Service",
+	Features: []suite.SupportedFeature{
+		suite.SupportReferencePolicy,
+	},
+	Manifests: []string{"tests/httproute-invalid-reference-policy.yaml"},
+	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
+		routeNN := types.NamespacedName{Name: "invalid-reference-policy", Namespace: "gateway-conformance-infra"}
+		gwNN := types.NamespacedName{Name: "same-namespace", Namespace: "gateway-conformance-infra"}
+
+		ns := v1alpha2.Namespace(gwNN.Namespace)
+		gwKind := v1alpha2.Kind("Gateway")
+
+		// TODO(mikemorris): Add check for Accepted condition once
+		// https://github.com/kubernetes-sigs/gateway-api/issues/1112
+		// has been resolved
+		t.Run("Route status should have a route parent status with a ResolvedRefs condition with status False and reason RefNotPermitted", func(t *testing.T) {
+			parents := []v1alpha2.RouteParentStatus{{
+				ParentRef: v1alpha2.ParentReference{
+					Group:     (*v1alpha2.Group)(&v1alpha2.GroupVersion.Group),
+					Kind:      &gwKind,
+					Name:      v1alpha2.ObjectName(gwNN.Name),
+					Namespace: &ns,
+				},
+				ControllerName: v1alpha2.GatewayController(s.ControllerName),
+				Conditions: []metav1.Condition{{
+					Type:   string(v1alpha2.RouteConditionResolvedRefs),
+					Status: metav1.ConditionFalse,
+					Reason: string(v1alpha2.RouteReasonRefNotPermitted),
+				}},
+			}}
+
+			kubernetes.HTTPRouteMustHaveParents(t, s.Client, routeNN, parents, false, 60)
+		})
+
+		// TODO(mikemorris): Un-skip check for Listener ResolvedRefs
+		// RefNotPermitted condition and/or add check for attached
+		// routes and any expected Listener conditions once
+		// https://github.com/kubernetes-sigs/gateway-api/issues/1112
+		// has been resolved
+		t.Skip("Gateway listener should have a ResolvedRefs condition with status False and reason RefNotPermitted", func(t *testing.T) {
+			listeners := []v1alpha2.ListenerStatus{{
+				Name: v1alpha2.SectionName("http"),
+				SupportedKinds: []v1alpha2.RouteGroupKind{{
+					Group: (*v1alpha2.Group)(&v1alpha2.GroupVersion.Group),
+					Kind:  v1alpha2.Kind("HTTPRoute"),
+				}},
+				Conditions: []metav1.Condition{{
+					Type:   string(v1alpha2.RouteConditionResolvedRefs),
+					Status: metav1.ConditionFalse,
+					Reason: string(v1alpha2.RouteReasonRefNotPermitted),
+				}},
+			}}
+
+			kubernetes.GatewayStatusMustHaveListeners(t, s.Client, gwNN, listeners, 60)
+		})
+
+		gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeReady(t, s.Client, s.ControllerName, gwNN, routeNN)
+
+		// TODO(mikemorris): Add check for HTTP requests successfully reaching
+		// app-backend-v1 at path "/" if it is determined that a Route with at
+		// at least one allowed BackendRef should be accepted by a Gateway
+		// and partially configured.
+
+		t.Run("Simple HTTP request should not reach app-backend-v2", func(t *testing.T) {
+			http.MakeRequestAndExpectEventuallyConsistentResponse(t, s.RoundTripper, gwAddr, http.ExpectedResponse{
+				Request: http.ExpectedRequest{
+					Method: "GET",
+					Path:   "/v2",
+				},
+				StatusCode: 503,
+			})
+		})
+	},
+}

conformance/tests/httproute-invalid-reference-policy.yaml

@@ -0,0 +1,35 @@
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: ReferencePolicy
+metadata:
+  name: invalid-reference-policy
+  namespace: gateway-conformance-app-backend
+spec:
+  from:
+    - group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      namespace: gateway-conformance-infra
+  to:
+    - group: ""
+      kind: Service
+      name: app-backend-v1
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+  name: invalid-reference-policy
+  namespace: gateway-conformance-infra
+spec:
+  parentRefs:
+  - name: same-namespace
+  rules:
+  - matches:
+    - path:
+      value: "/v2"
+    backendRefs:
+    - name: app-backend-v2
+      namespace: gateway-conformance-app-backend
+      port: 8080
+  - backendRefs:
+    - name: app-backend-v1
+      namespace: gateway-conformance-app-backend
+      port: 8080

conformance/tests/httproute-reference-policy.go

@@ -0,0 +1,57 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tests
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/types"
+
+	"sigs.k8s.io/gateway-api/conformance/utils/http"
+	"sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
+	"sigs.k8s.io/gateway-api/conformance/utils/suite"
+)
+
+func init() {
+	ConformanceTests = append(ConformanceTests, HTTPRouteReferencePolicy)
+}
+
+var HTTPRouteReferencePolicy = suite.ConformanceTest{
+	ShortName:   "HTTPRouteReferencePolicy",
+	Description: "A single HTTPRoute in the gateway-conformance-infra namespace, with a backendRef in the gateway-conformance-web-backend namespace, should attach to Gateway in the gateway-conformance-infra namespace",
+	Features: []suite.SupportedFeature{
+		suite.SupportReferencePolicy,
+	},
+	Manifests: []string{"tests/httproute-reference-policy.yaml"},
+	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
+		routeNN := types.NamespacedName{Name: "reference-policy", Namespace: "gateway-conformance-infra"}
+		gwNN := types.NamespacedName{Name: "same-namespace", Namespace: "gateway-conformance-infra"}
+		gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeReady(t, s.Client, s.ControllerName, gwNN, routeNN)
+
+		t.Run("Simple HTTP request should reach web-backend", func(t *testing.T) {
+			http.MakeRequestAndExpectEventuallyConsistentResponse(t, s.RoundTripper, gwAddr, http.ExpectedResponse{
+				Request: http.ExpectedRequest{
+					Method: "GET",
+					Path:   "/",
+				},
+				StatusCode: 200,
+				Backend:    "web-backend",
+				Namespace:  "gateway-conformance-web-backend",
+			})
+		})
+	},
+}

conformance/tests/httproute-reference-policy.yaml

@@ -0,0 +1,28 @@
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: ReferencePolicy
+metadata:
+  name: reference-policy
+  namespace: gateway-conformance-web-backend
+spec:
+  from:
+    - group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      namespace: gateway-conformance-infra
+  to:
+    - group: ""
+      kind: Service
+      name: web-backend
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+  name: reference-policy
+  namespace: gateway-conformance-infra
+spec:
+  parentRefs:
+  - name: same-namespace
+  rules:
+  - backendRefs:
+    - name: web-backend
+      namespace: gateway-conformance-web-backend
+      port: 8080