skonto · skonto · Jan 21, 2025 · Jan 21, 2025 · Jan 21, 2025 · Jan 21, 2025
diff --git a/.github/workflows/kind-e2e.yaml b/.github/workflows/kind-e2e.yaml
@@ -210,21 +210,21 @@ jobs:
 
     - name: Test ${{ matrix.test-suite }}
       run: |
-        FEATURE_FLAGS="-enable-alpha -enable-beta"
-        if [[ "${{ matrix.ingress}}" == "kourier-tls" ]] && [[ "${{ matrix.test-suite }}" == "runtime" ]]; then
-          # Disabled due to flakiness: https://github.com/knative/serving/issues/15697
-          FEATURE_FLAGS="$FEATURE_FLAGS -disable-optional-api"
-        fi
         gotestsum --format testname -- \
           -race -count=1 -parallel=1 -tags=e2e \
           -timeout=30m \
           ${{ matrix.test-path }} \
           -skip-cleanup-on-fail \
           -disable-logstream \
-          $FEATURE_FLAGS \
+          -enable-alpha -enable-beta \
           --ingress-class=${{ matrix.ingress-class || matrix.ingress }}.ingress.networking.knative.dev \
           ${{ matrix.test-flags }}
 
+    - uses: mxschmitt/action-tmate@v3
+      if: ${{ failure() }}
+      with:
+        limit-access-to-actor: true
+
     - uses: chainguard-dev/actions/kind-diag@141bf225e9c19c34304ee9d06e9be9c44a6d8765 # main
       # Only upload logs on failure.
       if: ${{ failure() }}

diff --git a/.ko.yaml b/.ko.yaml
@@ -1,4 +1,4 @@
 # Use :nonroot base image for all containers
-defaultBaseImage: ghcr.io/wolfi-dev/static:alpine
+defaultBaseImage: ubuntu:latest
 baseImageOverrides:
   github.com/tsenart/vegeta/v12: ubuntu:latest
diff --git a/pkg/activator/certificate/cache.go b/pkg/activator/certificate/cache.go
@@ -111,6 +111,7 @@ func (cr *CertCache) updateCertificate(secret *corev1.Secret) {
 	defer cr.certificatesMux.Unlock()
 
 	cert, err := tls.X509KeyPair(secret.Data[certificates.CertName], secret.Data[certificates.PrivateKeyName])
+	cr.logger.Infof("cert is: %v\n", secret.Data[certificates.CertName])
 	if err != nil {
 		cr.logger.Warnf("failed to parse certificate in secret %s/%s: %v", secret.Namespace, secret.Name, zap.Error(err))
 		return
@@ -123,6 +124,7 @@ func (cr *CertCache) updateCertificate(secret *corev1.Secret) {
 func (cr *CertCache) updateTrustPool() {
 	pool := x509.NewCertPool()
 
+	cr.logger.Infof("Updating the pool")
 	cr.addSecretCAIfPresent(pool)
 	cr.addTrustBundles(pool)
 
@@ -137,6 +139,7 @@ func (cr *CertCache) updateTrustPool() {
 
 func (cr *CertCache) addSecretCAIfPresent(pool *x509.CertPool) {
 	secret, err := cr.secretInformer.Lister().Secrets(system.Namespace()).Get(netcfg.ServingRoutingCertName)
+	cr.logger.Infof("Getting the secret")
 	if err != nil {
 		cr.logger.Warnf("Failed to get secret %s/%s: %v", system.Namespace(), netcfg.ServingRoutingCertName, zap.Error(err))
 		return

diff --git a/pkg/activator/certificate/tls_context.go b/pkg/activator/certificate/tls_context.go
@@ -21,6 +21,7 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
+	"log"
 	"net"
 
 	"knative.dev/networking/pkg/certificates"
@@ -49,17 +50,20 @@ func dialTLSContext(ctx context.Context, network, addr string, cr *CertCache) (n
 	revID := handler.RevIDFrom(ctx)
 	san := certificates.DataPlaneUserSAN(revID.Namespace)
 
-	tlsConf.VerifyConnection = verifySAN(san)
+	tlsConf.VerifyConnection = verifySAN(san, revID.Name)
 	return pkgnet.DialTLSWithBackOff(ctx, network, addr, tlsConf)
 }
 
-func verifySAN(san string) func(tls.ConnectionState) error {
+func verifySAN(san, rev string) func(tls.ConnectionState) error {
 	return func(cs tls.ConnectionState) error {
+		log.Printf("In verifySAN1: %s-%s", san, rev)
 		if len(cs.PeerCertificates) == 0 {
 			return errors.New("no PeerCertificates provided")
 		}
+		log.Printf("In verifySAN2: %s-%s", san, rev)
 		for _, name := range cs.PeerCertificates[0].DNSNames {
 			if name == san {
+				log.Printf("In verifySAN3 %s-%s\n", name, rev)
 				return nil
 			}
 		}

diff --git a/pkg/activator/certificate/tls_context_test.go b/pkg/activator/certificate/tls_context_test.go
@@ -60,7 +60,7 @@ func TestVerifySAN(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			err := verifySAN(test.san)(tlsConnectionState)
+			err := verifySAN(test.san, "")(tlsConnectionState)
 			if test.expErr && err == nil {
 				t.Fatalf("failed to verify SAN")
 			}

diff --git a/pkg/queue/certificate/watcher.go b/pkg/queue/certificate/watcher.go
@@ -87,6 +87,7 @@ func (cw *CertWatcher) Stop() {
 func (cw *CertWatcher) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
 	cw.mux.RLock()
 	defer cw.mux.RUnlock()
+	cw.logger.Debugf("Presenting cert: %v", cw.certificate)
 	return cw.certificate, nil
 }
 
@@ -132,6 +133,7 @@ func (cw *CertWatcher) loadCert() error {
 		cw.certChecksum = certChecksum
 		cw.keyChecksum = keyChecksum
 
+		cw.logger.Debugf("Loading cert: %v", cw.certificate)
 		cw.logger.Info(CertReloadMessage)
 	}
 

diff --git a/test/conformance/runtime/readiness_probe_test.go b/test/conformance/runtime/readiness_probe_test.go
@@ -1,4 +1,4 @@
 //go:build e2e
 // +build e2e

 /*
@@ -23,15 +23,21 @@
 	"context"
 	"errors"
 	"fmt"
+	"knative.dev/serving/pkg/apis/autoscaling"
+	v1 "knative.dev/serving/pkg/apis/serving/v1"
 	"net"
 	"net/http"
 	"net/url"
+	"strconv"
+	"strings"
 	"testing"
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 	pkgtest "knative.dev/pkg/test"
+	"knative.dev/pkg/test/logstream"
 	"knative.dev/pkg/test/spoof"
 	v1opts "knative.dev/serving/pkg/testing/v1"
 	"knative.dev/serving/test"
@@ -110,16 +116,25 @@
 
 			t.Run(name, func(t *testing.T) {
 				t.Parallel()
+				// hack for this test only
+				if test.ServingFlags.DisableLogStream {
+					cancel := logstream.Start(t)
+					defer cancel()
+				}
 				names := test.ResourceNames{
 					Service: test.ObjectNameForTest(t),
 					Image:   test.Readiness,
 				}
 
-				test.EnsureTearDown(t, clients, &names)
+				// test.EnsureTearDown(t, clients, &names)
 
 				t.Log("Creating a new Service")
+				envs := tc.env
+				envs = append(tc.env, corev1.EnvVar{Name: "GODEBUG", Value: "http2debug=2"})
 				resources, err := v1test.CreateServiceReady(t, clients, &names,
-					v1opts.WithEnv(tc.env...),
+					withMinScale(1),
+					v1opts.WithEnv(envs...),
+					v1opts.WithConfigAnnotations(map[string]string{"autoscaling.knative.dev/target-burst-capacity": "0"}),
 					v1opts.WithReadinessProbe(
 						&corev1.Probe{
 							ProbeHandler:  tc.handler,
@@ -143,13 +158,68 @@
 					test.AddRootCAtoTransport(context.Background(), t.Logf, clients, test.ServingFlags.HTTPS),
 					spoof.WithHeader(test.ServingFlags.RequestHeader()),
 				); err != nil {
-					t.Fatalf("The endpoint for Route %s at %s didn't return success: %v", names.Route, url, err)
+					pods, err := clients.KubeClient.CoreV1().Pods(resources.Service.Namespace).List(context.Background(), metav1.ListOptions{})
+					if err == nil {
+						for _, p := range pods.Items {
+							if strings.HasPrefix(p.Name, resources.Service.Name) {
+								t.Logf("Pod %s is %s", p.Name, p.Status.Phase)
+								if err := clients.KubeClient.CoreV1().Pods(resources.Service.Namespace).Delete(context.Background(), p.Name, metav1.DeleteOptions{}); err != nil {
+									t.Logf("failed to delete pod %s: %v", p.Name, err)
+								}
+							}
+						}
+					}
+					s, err := clients.KubeClient.CoreV1().Secrets(resources.Service.Namespace).Get(context.Background(), "serving-certs", metav1.GetOptions{})
+
+					if err == nil {
+						t.Logf("Secret serving-certs: %v", s.Data)
+					}
+
+					events, err := clients.KubeClient.CoreV1().Events(resources.Service.Namespace).List(context.Background(), metav1.ListOptions{})
+					if err == nil {
+						t.Logf("Events: %v", events.Items)
+					}
+
+					endpoints, err := clients.KubeClient.CoreV1().Endpoints(resources.Service.Namespace).List(context.Background(), metav1.ListOptions{})
+					if err == nil {
+						for _, e := range endpoints.Items {
+							if strings.HasPrefix(e.Name, resources.Service.Name) {
+								t.Logf("Endpoind %s is %v", e.Name, e)
+							}
+						}
+					}
+
+					time.Sleep(45 * time.Second)
+
+					if _, err = pkgtest.CheckEndpointState(
+						context.Background(),
+						clients.KubeClient,
+						t.Logf,
+						url,
+						spoof.MatchesAllOf(spoof.IsStatusOK, spoof.MatchesBody(test.HelloWorldText)),
+						"readinessIsReady",
+						test.ServingFlags.ResolvableDomain,
+						test.AddRootCAtoTransport(context.Background(), t.Logf, clients, test.ServingFlags.HTTPS),
+						spoof.WithHeader(test.ServingFlags.RequestHeader()),
+					); err != nil {
+						t.Fatalf("The endpoint for Route %s at %s didn't return success: %v", names.Route, url, err)
+					}
+
 				}
 			})
 		}
 	}
 }
 
+func withMinScale(minScale int) func(cfg *v1.Service) {
+	return func(cfg *v1.Service) {
+		if cfg.Spec.Template.Annotations == nil {
+			cfg.Spec.Template.Annotations = make(map[string]string, 1)
+		}
+		cfg.Spec.Template.Annotations[autoscaling.MinScaleAnnotationKey] = strconv.Itoa(minScale)
+	}
+}
+
 // This test validates the behaviour of readiness probes *after* initial
 // startup. When a pod goes unready after startup and there are no other pods
 // in the revision, then there are two possible behaviors: