Add conformance tests for ReferencePolicy #1081
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
|
Hi @mikemorris. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Thanks for the work on these tests @mikemorris! This is a great addition and matches what I was thinking for testing ReferencePolicy. In the future we may also want to add additional tests for cross-namespace Secret references from Gateways, but this is a great start.
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
mikemorris
force-pushed
the
conformance/reference-policy
branch
from
4f5dc45 to
c0379bc
Compare
This reverts commit 72ee68b.
…"" This reverts commit b59c8f0.
mikemorris
force-pushed
the
conformance/reference-policy
branch
from
7dea9bc to
ac69c07
Compare
…rcement (#142) * update rbac * checkpoint, wip * Take a first pass at implementing HTTPRoute validation * Regenerate mock client * Stub additional function in client to conform to interface * Early out if no reference policies in namespace * Working test verifying failed validation if no reference policies * Implement test coverage for reconciler w/ valid reference policy * Reduce scope of RBAC permissions for reference policies * Add test coverage for HTTPRoute validator * Use rebased version of kubernetes-sigs/gateway-api#1081 * Add TODO noting performance edge case * Extend route + backend validation to TCPRoutes * Fix unit test coverage for utils.go * working get reference policy by namespace * added soe logging * Add test coverage for util func w/ TCPRoute * tmate session * Log route + backend validation instead of returning error * fix workflow * Add test coverage for unspecified backendRef namespace * Use in-namespace opt for reference policy list instead of label selector * Use consul-k8s ref w/ updated RBAC for ReferencePolicy * Revert "Use rebased version of kubernetes-sigs/gateway-api#1081" This reverts commit 72ee68b. * use updated conforance/reference-policy PR branch * Revert "use updated conforance/reference-policy PR branch" This reverts commit 41c6b0d. * Revert "Revert "Use rebased version of kubernetes-sigs/gateway-api#1081"" This reverts commit b59c8f0. * Default group + kind for backend ref when checking ReferencePolicy Co-Authored-By: Mike Morris <mikemorris@users.noreply.github.com> * Clean up implementation, add comments for followup work * Remove tmate from conformance workflow * Restore non-experimental conformance tests, add TODO for consul-k8s * Remove stray debug log * Remove unused function added earlier * Only log and fall through for now if ReferencePolicy would be enforced * Remove consul-k8s PR ref for conformance * Remove unnecessary check for IsNotFound on List operation Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>
| t.Run("Gateway should have 0 Routes attached", func(t *testing.T) { | ||
| gw := &v1alpha2.Gateway{} | ||
| err := s.Client.Get(context.TODO(), gwNN, gw) | ||
| require.NoError(t, err, "error fetching Gateway") | ||
| // There are two valid ways to represent this: | ||
| // 1. No listeners in status | ||
| // 2. One listener in status with 0 attached routes | ||
| if len(gw.Status.Listeners) == 0 { | ||
| // No listeners in status. | ||
| } else if len(gw.Status.Listeners) == 1 { | ||
| require.Equal(t, int32(0), gw.Status.Listeners[0].AttachedRoutes) | ||
| } else { | ||
| t.Errorf("Expected no more than 1 listener in status, got %d", len(gw.Status.Listeners)) | ||
| } |
There was a problem hiding this comment.
Is there a canonical definition for "Attached"? In this case, if I'm not mistaken, the route should still result in app-backend-v1 being programmed with 90% weight, with a 10% weight being applied to a 503 response for the app-backend-v2 backend that's not covered by a ReferencePolicy, based on https://github.com/kubernetes-sigs/gateway-api/blob/master/apis/v1alpha2/httproute_types.go#L191-L196. We (contour) had been considering the route to be "Attached" in this case since it's being at least partially programmed, but I'm not seeing a clear definition one way or another.
There was a problem hiding this comment.
Agreed that the spec could be more clear on how these situations are intended to be handled - it's potentially more complicated when either resource changes after having been iniitally accepted too (and so is potentially actively routing traffic). I added a discussion topic for the weekly meeting later today to hopefully hear perspectives from various implementations.
There was a problem hiding this comment.
@skriss I updated this test to instead check for ResolvedRefs { status: False, reason: RefNotPermitted } conditions on both the Route and ListenerStatus, and added a check that HTTP requests eventually start returning 503 status codes - does this match your expected behavior?
There was a problem hiding this comment.
Definitely makes sense for the HTTPRoute - our implementation is currently using a different reason, but it's wrong & should be switched to RefNotPermitted.
We're not currently setting that condition on the Listener status, though - I do see in the API docs that the RefNotPermitted listener condition reason says "This reason is used with the “ResolvedRefs” condition when one of the Listener’s Routes has a BackendRef to an object in another namespace, where the object in the other namespace does not have a ReferencePolicy explicitly allowing the reference.", so I guess we should be, though I also wonder why this condition is needed on the Listener (where it could be relevant to any one of the listener's routes) rather than just on the HTTPRoute itself. Looks like this has already been raised in #1112 (specifically in #1112 (comment)).
Thanks for digging into all this!
There was a problem hiding this comment.
Thanks for the detail @skriss! I skipped the listener check for now to hopefully get this merge-able and can follow up on that later once we can reach consensus across implementations on expected behavior.
There was a problem hiding this comment.
Opened #1143 to track updating this test to explicitly check for partial acceptance.
k8s-ci-robot
added
size/XL
|
Pushed up some relatively significant logical changes in response to reviews and discussion, also extracted #1114 for adding |
mikemorris
changed the title
…rossNamespaceBackendRef test
…f.go Co-authored-by: Nathan Coleman <nathandanielcoleman@gmail.com>
Co-authored-by: Steve Kriss <stephen.kriss@gmail.com>
mikemorris
force-pushed
the
conformance/reference-policy
branch
from
d8f1946 to
d3b6e1b
Compare
k8s-ci-robot
removed
the
needs-rebase
There was a problem hiding this comment.
Thanks @mikemorris! One more tiny nit otherwise LGTM.
/approve
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mikemorris, robscott The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
conformance/tests/httproute-invalid-cross-namespace-backend-ref.go
Outdated
Show resolved
Hide resolved
Co-authored-by: Rob Scott <rob.scott87@gmail.com>
|
Thanks @mikemorris! /lgtm |
k8s-ci-robot
added
the
lgtm
* conformance: add test for reference policy * conformance: add test for missing ReferencePolicy preventing route attachment * conformance: add tests for improperly configured ReferencePolicy * conformance: update ReferencePolicy tests to expect eventually consistent response conformance: removed unused imports from httproute-reference-policy test * conformance: update ReferencePolicy tests to expect an Accepted: False route parent status condition * conformance: add ExtendedSupport field to ConformanceTest struct, bump to Go 1.18 for slice.Contains * conformance: opt in to ReferencePolicy tests in conformance_test.go * conformance: fixup slices module dep usage * conformance: reimplement opt-in as SupportedFeature slice on ConformanceTestSuite and ConformanceTest * fixup: remove unusued slices dep import * fixup: fix routeNN for HTTPRouteInvalidReferencePolicy * conformance(reference-policy): don't require namespace for HTTPRouteMustHaveParents check for routes in same namesapce as gateway * Update conformance/utils/suite/suite.go Co-authored-by: Steve Kriss <stephen.kriss@gmail.com> * conformance: add conditionsMatch helper func * conformance: add GatewayStatusMustHaveListeners and listenersMatch helper funcs * conformance: update InvalidReferencePolicy test to check for ResolvedRefs RefNotPermitted status * fixup: remove unused imports for HTTPRouteInvalidReferencePolicy * conformance: rename HTTPRouteMissingReferencePolicy test to HTTPRouteInvalidCrossNamespaceBackendRef update test to check for ReslovedRefs RefNotPermitted condition on Route * conformance: rename HTTPRouteInvalidCrossNamespace test to HTTPRouteInvalidCrossNamespaceParentRef * conformance: add Exemptions field to ConformanceTest struct and associated handling * conformance: add ExemptReferencePolicy exemption to HTTPRouteInvalidCrossNamespaceBackendRef test * fixup: HTTPRouteInvalidCrossNamespaceBackendRef boilerplate * conformance: skip Listener ResolvedRefs check, add TODO notes * Update conformance/tests/httproute-invalid-cross-namespace-backend-ref.go Co-authored-by: Nathan Coleman <nathandanielcoleman@gmail.com> * Update conformance/utils/kubernetes/helpers.go Co-authored-by: Steve Kriss <stephen.kriss@gmail.com> * Update conformance/utils/kubernetes/helpers.go * conformance: fixup ExemptReferencePolicy description * Update conformance/tests/httproute-invalid-cross-namespace-backend-ref.go * Update conformance/tests/httproute-invalid-reference-policy.go Co-authored-by: Rob Scott <rob.scott87@gmail.com> Co-authored-by: Steve Kriss <stephen.kriss@gmail.com> Co-authored-by: Nathan Coleman <nathandanielcoleman@gmail.com> Co-authored-by: Rob Scott <rob.scott87@gmail.com>
What type of PR is this?
/kind feature
What this PR does / why we need it:
Adds conformance tests for ReferencePolicy. Given that ReferencePolicy is not among the resources graduating to v1beta1, we may need to add some ability fro implementations to opt-in to conformance tests for specific experimental or alpha features, similar to the functionality proposed in #482
TheHTTPRouteMissingReferencePolicytest could likely be consolidated into the primary validHTTPRouteReferencePolicytestI plan to handle lifecycle behavior such as validating a mutation like deleting a ReferencePolicy causing an HTTPRoute (and associated Listener?) to switch their
ResolvedRefsstatus toRefNotPermittedand stop sending traffic in a follow-up PR once we get alignment on expected behavior and if we want to mutate Kubernetes objects like that inside these tests before implementing.Which issue(s) this PR fixes:
Refs #20
Does this PR introduce a user-facing change?: