diff --git a/conformance/base/manifests.yaml b/conformance/base/manifests.yaml index e415e16e21..444500a577 100644 --- a/conformance/base/manifests.yaml +++ b/conformance/base/manifests.yaml @@ -138,8 +138,8 @@ spec: spec: containers: - name: infra-backend-v1 - # From https://github.com/kubernetes-sigs/ingress-controller-conformance/tree/master/images/echoserver - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd + # Originally from https://github.com/kubernetes-sigs/ingress-controller-conformance/tree/master/images/echoserver + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9 env: - name: POD_NAME valueFrom: @@ -185,7 +185,7 @@ spec: spec: containers: - name: infra-backend-v2 - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9 env: - name: POD_NAME valueFrom: @@ -231,7 +231,7 @@ spec: spec: containers: - name: infra-backend-v3 - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9 env: - name: POD_NAME valueFrom: @@ -277,7 +277,7 @@ spec: spec: containers: - name: tls-backend - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd + image: echo-basic:2.7 volumeMounts: - name: secret-volume mountPath: /etc/secret-volume @@ -300,7 +300,7 @@ spec: volumes: - name: secret-volume secret: - secretName: tls-passthrough-checks-certificate + secretName: tls-checks-certificate items: - key: tls.crt path: crt @@ -346,7 +346,7 @@ spec: spec: containers: - name: tls-backend - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd + image: echo-basic:2.7 volumeMounts: - name: secret-volume mountPath: /etc/secret-volume @@ -408,7 +408,7 @@ spec: spec: containers: - name: app-backend-v1 - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9 env: - name: POD_NAME valueFrom: @@ -454,7 +454,7 @@ spec: spec: containers: - name: app-backend-v2 - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9 env: - name: POD_NAME valueFrom: @@ -507,7 +507,7 @@ spec: spec: containers: - name: web-backend - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9 env: - name: POD_NAME valueFrom: @@ -554,7 +554,7 @@ spec: spec: containers: - name: grpc-infra-backend-v1 - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9 env: - name: POD_NAME valueFrom: @@ -603,7 +603,7 @@ spec: spec: containers: - name: grpc-infra-backend-v2 - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9 env: - name: POD_NAME valueFrom: @@ -652,7 +652,7 @@ spec: spec: containers: - name: grpc-infra-backend-v3 - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240412-v1.0.0-394-g40c666fd + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20241007-v1.2.0-6-g9f820af9 env: - name: POD_NAME valueFrom: diff --git a/conformance/echo-basic/echo-basic.go b/conformance/echo-basic/echo-basic.go index 98f8de5a7a..5b9fade908 100644 --- a/conformance/echo-basic/echo-basic.go +++ b/conformance/echo-basic/echo-basic.go @@ -18,7 +18,6 @@ package main import ( "crypto/tls" - "crypto/x509" "encoding/json" "encoding/pem" "fmt" @@ -37,7 +36,18 @@ import ( g "sigs.k8s.io/gateway-api/conformance/echo-basic/grpc" ) -// RequestAssertions contains information about the request and the Ingress +type preserveSlashes struct { + mux http.Handler +} + +func (s *preserveSlashes) ServeHTTP(w http.ResponseWriter, r *http.Request) { + r.URL.Path = strings.ReplaceAll(r.URL.Path, "//", "/") + s.mux.ServeHTTP(w, r) +} + +var context Context + +// RequestAssertions contains information about the request and the Ingress. type RequestAssertions struct { Path string `json:"path"` Host string `json:"host"` @@ -48,27 +58,20 @@ type RequestAssertions struct { Context `json:",inline"` TLS *TLSAssertions `json:"tls,omitempty"` + SNI string `json:"sni"` } // TLSAssertions contains information about the TLS connection. type TLSAssertions struct { - Version string `json:"version"` - PeerCertificates []string `json:"peerCertificates,omitempty"` - ServerName string `json:"serverName"` - NegotiatedProtocol string `json:"negotiatedProtocol,omitempty"` - CipherSuite string `json:"cipherSuite"` -} - -type preserveSlashes struct { - mux http.Handler + Version string `json:"version"` + PeerCertificates []string `json:"peerCertificates,omitempty"` + // ServerName is the name sent from the peer using SNI. + ServerName string `json:"serverName"` + NegotiatedProtocol string `json:"negotiatedProtocol,omitempty"` + CipherSuite string `json:"cipherSuite"` } -func (s *preserveSlashes) ServeHTTP(w http.ResponseWriter, r *http.Request) { - r.URL.Path = strings.ReplaceAll(r.URL.Path, "//", "/") - s.mux.ServeHTTP(w, r) -} - -// Context contains information about the context where the echoserver is running +// Context contains information about the context where the echoserver is running. type Context struct { Namespace string `json:"namespace"` Ingress string `json:"ingress"` @@ -76,8 +79,6 @@ type Context struct { Pod string `json:"pod"` } -var context Context - func main() { if os.Getenv("GRPC_ECHO_SERVER") != "" { g.Main() @@ -88,6 +89,7 @@ func main() { if httpPort == "" { httpPort = "3000" } + h2cPort := os.Getenv("H2C_PORT") if h2cPort == "" { h2cPort = "3001" @@ -124,17 +126,23 @@ func main() { go runH2CServer(h2cPort, errchan) - // Enable HTTPS if certificate and private key are given. + // Enable HTTPS if server certificate and private key are given. (TLS_SERVER_CERT, TLS_SERVER_PRIVKEY) if os.Getenv("TLS_SERVER_CERT") != "" && os.Getenv("TLS_SERVER_PRIVKEY") != "" { go func() { fmt.Printf("Starting server, listening on port %s (https)\n", httpsPort) - err := listenAndServeTLS(fmt.Sprintf(":%s", httpsPort), os.Getenv("TLS_SERVER_CERT"), os.Getenv("TLS_SERVER_PRIVKEY"), os.Getenv("TLS_CLIENT_CACERTS"), httpHandler) + err := listenAndServeTLS(fmt.Sprintf(":%s", httpsPort), os.Getenv("TLS_SERVER_CERT"), os.Getenv("TLS_SERVER_PRIVKEY"), httpHandler) if err != nil { errchan <- err } }() } + // Enable secure backend if CA certificate is given. (CA_CERT) + if os.Getenv("CA_CERT") != "" { + // Start the backend server and listen on port 9443. + go runBackendTLSServer("9443", errchan) + } + if err := <-errchan; err != nil { panic(fmt.Sprintf("Failed to start listening: %s\n", err.Error())) } @@ -200,12 +208,95 @@ func runH2CServer(h2cPort string, errchan chan<- error) { } } +// Global variable to store the SNI retrieved at a different level. +var globalsni string + +func runBackendTLSServer(port string, errchan chan<- error) { + // This handler function runs within the backend server to find the SNI + // and return it in the RequestAssertions. + handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if strings.Contains(r.RequestURI, "backendTLS") { + // Find the sni in the global (or if needed, a channel/mutex?). + if globalsni == "" { + err := fmt.Errorf("error finding SNI: SNI is empty") + // If there are some test cases without SNI, then they must handle this error properly. + processError(w, err, http.StatusBadRequest) + } + requestAssertions := RequestAssertions{ + r.RequestURI, + r.Host, + r.Method, + r.Proto, + r.Header, + + context, + + tlsStateToAssertions(r.TLS), + globalsni, + } + processRequestAssertions(requestAssertions, w, r) + } else { + // This should never happen, but just in case. + processError(w, fmt.Errorf("backend server called without correct uri"), http.StatusBadRequest) + } + }) + + config, err := makeTLSConfig(os.Getenv("CA_CERT")) + if err != nil { + errchan <- err + } + btlsServer := &http.Server{ + Addr: fmt.Sprintf(":%s", port), + Handler: handler, + ReadHeaderTimeout: time.Second, + TLSConfig: config, + } + fmt.Printf("Starting server, listening on port %s (btls)\n", port) + err = btlsServer.ListenAndServeTLS(os.Getenv("CA_CERT"), os.Getenv("CA_CERT_KEY")) + if err != nil { + fmt.Printf("Failed to start server: %v\n", err) + errchan <- err + } +} + +func makeTLSConfig(cacert string) (*tls.Config, error) { + var config tls.Config + + if cacert == "" { + return &config, fmt.Errorf("empty CA cert specified") + } + cert, err := tls.LoadX509KeyPair(cacert, os.Getenv("CA_CERT_KEY")) + if err != nil { + return &config, fmt.Errorf("failed to load key pair: %v", err) + } + certs := []tls.Certificate{cert} + + // Verify certificate against given CA but also allow unauthenticated connections. + config.ClientAuth = tls.VerifyClientCertIfGiven + config.Certificates = certs + config.GetConfigForClient = func(info *tls.ClientHelloInfo) (*tls.Config, error) { + if info != nil { + // Store the SNI from the ClientHello into a global variable. + globalsni = info.ServerName + if globalsni == "" { + return nil, fmt.Errorf("no SNI specified") + } + return nil, nil + } + return nil, fmt.Errorf("no client hello available") + } + + return &config, nil +} + func echoHandler(w http.ResponseWriter, r *http.Request) { fmt.Printf("Echoing back request made to %s to client (%s)\n", r.RequestURI, r.RemoteAddr) // If the request has form ?delay=[:duration] wait for duration // For example, ?delay=10s will cause the response to wait 10s before responding - if err := delayResponse(r); err != nil { + err := delayResponse(r) + if err != nil { + fmt.Printf("error : %v\n", err) processError(w, err, http.StatusInternalServerError) return } @@ -220,8 +311,12 @@ func echoHandler(w http.ResponseWriter, r *http.Request) { context, tlsStateToAssertions(r.TLS), + "", } + processRequestAssertions(requestAssertions, w, r) +} +func processRequestAssertions(requestAssertions RequestAssertions, w http.ResponseWriter, r *http.Request) { js, err := json.MarshalIndent(requestAssertions, "", " ") if err != nil { processError(w, err, http.StatusInternalServerError) @@ -267,30 +362,10 @@ func processError(w http.ResponseWriter, err error, code int) { //nolint:unparam _, _ = w.Write(body) } -func listenAndServeTLS(addr string, serverCert string, serverPrivKey string, clientCA string, handler http.Handler) error { - var config tls.Config - - // Optionally enable client certificate validation when client CA certificates are given. - if clientCA != "" { - ca, err := os.ReadFile(clientCA) - if err != nil { - return err - } - - certPool := x509.NewCertPool() - if ok := certPool.AppendCertsFromPEM(ca); !ok { - return fmt.Errorf("unable to append certificate in %q to CA pool", clientCA) - } - - // Verify certificate against given CA but also allow unauthenticated connections. - config.ClientAuth = tls.VerifyClientCertIfGiven - config.ClientCAs = certPool - } - +func listenAndServeTLS(addr string, serverCert, serverPrivKey string, handler http.Handler) error { srv := &http.Server{ //nolint:gosec - Addr: addr, - Handler: handler, - TLSConfig: &config, + Addr: addr, + Handler: handler, } return srv.ListenAndServeTLS(serverCert, serverPrivKey) diff --git a/conformance/tests/backendtlspolicy.go b/conformance/tests/backendtlspolicy.go new file mode 100644 index 0000000000..4faa6c6ef1 --- /dev/null +++ b/conformance/tests/backendtlspolicy.go @@ -0,0 +1,124 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package tests + +import ( + "context" + "encoding/json" + "fmt" + "io" + "net/http" + "testing" + "time" + + "k8s.io/apimachinery/pkg/types" + + h "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/roundtripper" + "sigs.k8s.io/gateway-api/conformance/utils/suite" + "sigs.k8s.io/gateway-api/pkg/features" +) + +func init() { + ConformanceTests = append(ConformanceTests, BackendTLSPolicy) +} + +var BackendTLSPolicy = suite.ConformanceTest{ + ShortName: "BackendTLSPolicy", + Description: "A single service that is targeted by a BackendTLSPolicy must successfully complete TLS termination", + Features: []features.FeatureName{ + features.SupportGateway, + features.SupportBackendTLSPolicy, + }, + Manifests: []string{"tests/backendtlspolicy.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "gateway-conformance-infra-test", Namespace: ns} + gwNN := types.NamespacedName{Name: "gateway-backendtlspolicy", Namespace: ns} + + kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{ns}) + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + kubernetes.HTTPRouteMustHaveResolvedRefsConditionsTrue(t, suite.Client, suite.TimeoutConfig, routeNN, gwNN) + + serverStr := "abc.example.com" + headers := make(map[string]string) + headers["Host"] = serverStr + + // Verify that the response to a call to /backendTLS will return the matching SNI. + t.Run("Simple request targeting BackendTLSPolicy should reach infra-backend", func(t *testing.T) { + expected := h.ExpectedResponse{ + Request: h.Request{ + Headers: headers, + Host: serverStr, + Path: "/backendTLS", + }, + Response: h.Response{StatusCode: 200}, + } + req := h.MakeRequest(t, &expected, gwAddr, "HTTPS", "https") + + if found, err := sameSNI(req, serverStr); err != nil || !found { + t.Errorf("no SNI found for request: %v", err) + } + }) + }, +} + +func sameSNI(request roundtripper.Request, sni string) (bool, error) { + client := &http.Client{} + assertions := &kubernetes.RequestAssertions{} + + method := "GET" + if request.Method != "" { + method = request.Method + } + + ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second) + defer cancel() + req, err := http.NewRequestWithContext(ctx, method, request.URL.String(), nil) + if err != nil { + return false, fmt.Errorf("error creating request: %v", err) + } + + if request.Host != "" { + req.Host = request.Host + } + + if request.Headers != nil { + for name, value := range request.Headers { + req.Header.Set(name, value[0]) + } + } + + resp, err := client.Do(req) + if err != nil { + return false, fmt.Errorf("request %v caused an error %v", req, err) + } + defer resp.Body.Close() + + body, err := io.ReadAll(resp.Body) + if err != nil { + return false, fmt.Errorf("failed to read response body: %v", err) + } + + err = json.Unmarshal(body, assertions) + if err != nil { + return false, fmt.Errorf("unexpected error reading response: %w", err) + } + + return assertions.SNI == sni, nil +} diff --git a/conformance/tests/backendtlspolicy.yaml b/conformance/tests/backendtlspolicy.yaml new file mode 100644 index 0000000000..ac13ef45a4 --- /dev/null +++ b/conformance/tests/backendtlspolicy.yaml @@ -0,0 +1,144 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: gateway-backendtlspolicy + namespace: gateway-conformance-infra +spec: + gatewayClassName: "{GATEWAY_CLASS_NAME}" + listeners: + - name: https + port: 443 + protocol: HTTPS + tls: + mode: Terminate + certificateRefs: + - group: "" + kind: Secret + name: tls-checks-certificate + hostname: "abc.example.com" + allowedRoutes: + namespaces: + from: Same + kinds: + - kind: HTTPRoute +--- +apiVersion: gateway.networking.k8s.io/v1alpha3 +kind: BackendTLSPolicy +metadata: + name: normative-test-backendtlspolicy + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: "" + kind: Service + name: "backendtlspolicy-test" + sectionName: "btls" + validation: + caCertificateRefs: + - group: "" + kind: ConfigMap + # This secret is generated dynamically by the test suite. + name: "backend-tls-checks-certificate" + hostname: "abc.example.com" +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: gateway-conformance-infra-test + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: gateway-backendtlspolicy + namespace: gateway-conformance-infra + hostnames: + - abc.example.com + rules: + - backendRefs: + - group: "" + kind: Service + name: backendtlspolicy-test + port: 443 + matches: + - path: + type: Exact + value: /backendTLS +--- +apiVersion: v1 +kind: Service +metadata: + name: backendtlspolicy-test + namespace: gateway-conformance-infra +spec: + selector: + app: backendtlspolicy-test + ports: + - name: "btls" + protocol: TCP + port: 443 + targetPort: 9443 +--- +# Deployment must not be applied until after the secret is generated. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: backendtlspolicy-test + namespace: gateway-conformance-infra + labels: + app: backendtlspolicy-test +spec: + replicas: 1 + selector: + matchLabels: + app: backendtlspolicy-test + template: + metadata: + labels: + app: backendtlspolicy-test + spec: + containers: + - name: backendtlspolicy-test + image: echo-basic:2.7 + volumeMounts: + - name: ca-volume + mountPath: /etc/ca-volume + - name: secret-volume + mountPath: /etc/secret-volume + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CA_CERT + value: /etc/ca-volume/crt + - name: CA_CERT_KEY + value: /etc/ca-volume/key + - name: TLS_SERVER_CERT + value: /etc/secret-volume/crt + - name: TLS_SERVER_PRIVKEY + value: /etc/secret-volume/key + resources: + requests: + cpu: 10m + volumes: + - name: ca-volume + configMap: + # This configMap is generated dynamically by the test suite. + name: backend-tls-checks-certificate + items: + - key: ca.crt + path: crt + - key: key.crt + path: key + - name: secret-volume + secret: + # This secret is generated dynamically by the test suite. + secretName: tls-checks-certificate + items: + - key: tls.crt + path: crt + - key: tls.key + path: key diff --git a/conformance/tests/tlsroute-simple-same-namespace.go b/conformance/tests/tlsroute-simple-same-namespace.go index 51db62aeff..b8704c4b8b 100644 --- a/conformance/tests/tlsroute-simple-same-namespace.go +++ b/conformance/tests/tlsroute-simple-same-namespace.go @@ -49,7 +49,7 @@ var TLSRouteSimpleSameNamespace = suite.ConformanceTest{ ns := "gateway-conformance-infra" routeNN := types.NamespacedName{Name: "gateway-conformance-infra-test", Namespace: ns} gwNN := types.NamespacedName{Name: "gateway-tlsroute", Namespace: ns} - certNN := types.NamespacedName{Name: "tls-passthrough-checks-certificate", Namespace: ns} + certNN := types.NamespacedName{Name: "tls-checks-certificate", Namespace: ns} kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{ns}) diff --git a/conformance/utils/http/http.go b/conformance/utils/http/http.go index 3e5fd211e0..2a84d52fec 100644 --- a/conformance/utils/http/http.go +++ b/conformance/utils/http/http.go @@ -58,6 +58,10 @@ type ExpectedResponse struct { // User Given TestCase name TestCaseName string + + // ServerName indicates the hostname to which the client attempts to connect, + // and which is seen by the backend. + ServerName string } // Request can be used as both the request to make and a means to verify @@ -106,6 +110,19 @@ func MakeRequestAndExpectEventuallyConsistentResponse(t *testing.T, r roundtripp WaitForConsistentResponse(t, r, req, expected, timeoutConfig.RequiredConsecutiveSuccesses, timeoutConfig.MaxTimeToConsistency) } +// MakeHTTPSRequestAndExpectEventuallyConsistentResponse makes a request with the given parameters, +// understanding that the request may fail for some amount of time. +// +// Once the request succeeds consistently with the response having the expected status code, make +// additional assertions on the response body using the provided ExpectedResponse. +func MakeHTTPSRequestAndExpectEventuallyConsistentResponse(t *testing.T, r roundtripper.RoundTripper, timeoutConfig config.TimeoutConfig, gwAddr string, expected ExpectedResponse) { + t.Helper() + + req := MakeRequest(t, &expected, gwAddr, "HTTPS", "https") + // fmt.Printf("DEBUG req: %v\n", req) + WaitForConsistentResponse(t, r, req, expected, timeoutConfig.RequiredConsecutiveSuccesses, timeoutConfig.MaxTimeToConsistency) +} + func MakeRequest(t *testing.T, expected *ExpectedResponse, gwAddr, protocol, scheme string) roundtripper.Request { t.Helper() @@ -124,7 +141,7 @@ func MakeRequest(t *testing.T, expected *ExpectedResponse, gwAddr, protocol, sch path, query, _ := strings.Cut(expected.Request.Path, "?") reqURL := url.URL{Scheme: scheme, Host: CalculateHost(t, gwAddr, scheme), Path: path, RawQuery: query} - tlog.Logf(t, "Making %s request to %s", expected.Request.Method, reqURL.String()) + tlog.Logf(t, "Making %s request to host %s via %s", expected.Request.Method, expected.Request.Host, reqURL.String()) req := roundtripper.Request{ T: t, @@ -233,6 +250,7 @@ func WaitForConsistentResponse(t *testing.T, r roundtripper.RoundTripper, req ro cReq, cRes, err := r.CaptureRoundTrip(req) if err != nil { tlog.Logf(t, "Request failed, not ready yet: %v (after %v)", err.Error(), elapsed) + // tlog.Logf(t, "Debug: Request: %v, Response: %v", cReq, cRes) return false } diff --git a/conformance/utils/kubernetes/certificate.go b/conformance/utils/kubernetes/certificate.go index f7b3b5b924..ebe9fe38d7 100644 --- a/conformance/utils/kubernetes/certificate.go +++ b/conformance/utils/kubernetes/certificate.go @@ -27,12 +27,14 @@ import ( "io" "math/big" "net" + "strings" "testing" "time" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + kvalidation "k8s.io/apimachinery/pkg/util/validation" ) const ( @@ -97,7 +99,7 @@ func generateRSACert(hosts []string, keyOut, certOut io.Writer) error { for _, h := range hosts { if ip := net.ParseIP(h); ip != nil { template.IPAddresses = append(template.IPAddresses, ip) - } else { + } else if err = validateHost(h); err == nil { template.DNSNames = append(template.DNSNames, h) } } @@ -117,3 +119,116 @@ func generateRSACert(hosts []string, keyOut, certOut io.Writer) error { return nil } + +// MustCreateCASignedCertConfigMap will create a ConfigMap containing a CA Certificate, given a TLS Secret +// for that CA certificate. +func MustCreateCASignedCertConfigMap(t *testing.T, namespace, configMapName string, hosts []string) *corev1.ConfigMap { + require.NotEmpty(t, hosts, "require a non-empty hosts for Subject Alternate Name values") + + caBytes, caPrivKey, err := generateCACert(hosts) + if err != nil { + t.Errorf("failed to generate CA certificate and key: %v", err) + return nil + } + + var certData bytes.Buffer + if err := pem.Encode(&certData, &pem.Block{Type: "CERTIFICATE", Bytes: caBytes}); err != nil { + t.Errorf("failed creating cert: %v", err) + return nil + } + + var keyData bytes.Buffer + if err := pem.Encode(&keyData, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(caPrivKey)}); err != nil { + t.Errorf("failed creating key: %v", err) + return nil + } + + // Store the certificate in a ConfigMap. + caConfigMap := &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Name: configMapName, + }, + Data: map[string]string{ + "ca.crt": certData.String(), + "key.crt": keyData.String(), + }, + } + return caConfigMap +} + +// generateCACert generates a ConfigMap containing a CA Certificate signed certificate valid for a year. +func generateCACert(hosts []string) ([]byte, *rsa.PrivateKey, error) { + var caBytes []byte + + // Create the CA certificate template. + ca := &x509.Certificate{ + SerialNumber: big.NewInt(2024), + Subject: pkix.Name{ + Organization: []string{"Kubernetes Gateway API"}, + Country: []string{"US"}, + CommonName: "gatewayapi", + }, + Issuer: pkix.Name{ + Organization: []string{"Kubernetes Gateway API"}, + Country: []string{"US"}, + CommonName: "kubernetes", + }, + NotBefore: time.Now(), + NotAfter: time.Now().AddDate(1, 0, 0), + IsCA: true, // Indicates this is a CA Certificate. + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, + KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageKeyEncipherment, + BasicConstraintsValid: true, + } + + // Ensure only valid hosts make it into the CA cert. + for _, h := range hosts { + if ip := net.ParseIP(h); ip != nil { + ca.IPAddresses = append(ca.IPAddresses, ip) + } else if err := validateHost(h); err == nil { + ca.DNSNames = append(ca.DNSNames, h) + } + } + + // Generate the private key to sign certificates. + caPrivKey, err := rsa.GenerateKey(rand.Reader, rsaBits) + if err != nil { + return caBytes, caPrivKey, fmt.Errorf("error generating key for CA: %v", err) + } + + // Create the self-signed certificate using the CA certificate. + caBytes, err = x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey) + if err != nil { + return caBytes, caPrivKey, fmt.Errorf("error creating CA: %v", err) + } + + return caBytes, caPrivKey, nil +} + +// validateHost ensures that the host name length is no more than 253 characters. +// The only characters allowed in host name are alphanumeric characters, '-' or '.', +// and it must start and end with an alphanumeric character. A trailing dot is NOT allowed. +// The host name must in addition consist of one or more labels, with each label no more +// than 63 characters from the character set described above, and each label must start and +// end with an alphanumeric character. Wildcards are handled specially. +// DO NOT USE for general validation purposes, this is just for the hostnames set up for +// conformance testing. +func validateHost(host string) error { + // Remove wildcard if present. + host, _ = strings.CutPrefix(host, "*.") + + errs := kvalidation.IsDNS1123Subdomain(host) + if len(errs) != 0 { + return fmt.Errorf("host %s must conform to DNS naming conventions: %v", host, errs) + } + + labels := strings.Split(host, ".") + for _, l := range labels { + errs := kvalidation.IsDNS1123Label(l) + if len(errs) != 0 { + return fmt.Errorf("label %s in host %s must conform to DNS naming conventions: %v", l, host, errs) + } + } + return nil +} diff --git a/conformance/utils/kubernetes/certificate_test.go b/conformance/utils/kubernetes/certificate_test.go new file mode 100644 index 0000000000..555145a4ae --- /dev/null +++ b/conformance/utils/kubernetes/certificate_test.go @@ -0,0 +1,101 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package kubernetes + +import ( + "bytes" + "crypto/x509" + "encoding/pem" + "testing" + + "github.com/stretchr/testify/require" +) + +func Test_generateCACert(t *testing.T) { + tests := []struct { + name string + hosts []string + expectedErr []string + }{ + { + name: "one host generates cert with no host", + hosts: []string{}, + }, + { + name: "one host generates cert for same host", + hosts: []string{"abc.example.com"}, + }, + { + name: "wildcard generates cert for same host", + hosts: []string{"*.example.com"}, + }, + { + name: "two hosts generates cert for both hosts", + hosts: []string{"abc.example.com", "def.example.com"}, + }, + { + name: "bad host generates cert for no host", + hosts: []string{"--abc.example.com"}, + expectedErr: []string{"x509: certificate is not valid for any names, but wanted to match --abc.example.com"}, + }, + { + name: "one good host and one bad host generates cert for only good host", + hosts: []string{"---.example.com", "def.example.com"}, + expectedErr: []string{"x509: certificate is valid xxx for def.example.com, not ---.example.com", ""}, + }, + } + + var serverKey, serverCert bytes.Buffer + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + serverCert.Reset() + serverKey.Reset() + // Test the function generateCACert. We can only test normative function + // and hostnames, everything else is hardcoded. + caBytes, caPrivKey, err := generateCACert(tc.hosts) + require.NoError(t, err, "unexpected error generating RSA certificate") + + var certData bytes.Buffer + if err := pem.Encode(&certData, &pem.Block{Type: "CERTIFICATE", Bytes: caBytes}); err != nil { + require.NoError(t, err, "failed to create certificater") + } + + var keyData bytes.Buffer + if err := pem.Encode(&keyData, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(caPrivKey)}); err != nil { + require.NoError(t, err, "failed to create key") + } + + // Test that the CA certificate is decodable, parseable, and has the configured hostname/s. + block, _ := pem.Decode(certData.Bytes()) + if block == nil { + require.FailNow(t, "failed to decode PEM block containing cert") + } else if block.Type == "CERTIFICATE" { + cert, err := x509.ParseCertificate(block.Bytes) + require.NoError(t, err, "failed to parse certificate") + for idx, h := range tc.hosts { + err = cert.VerifyHostname(h) + if err != nil && len(tc.expectedErr) > 0 && tc.expectedErr[idx] == "" { + require.EqualValues(t, tc.expectedErr[idx], err.Error(), "certificate verification failed") + } else if err == nil && len(tc.expectedErr) > 0 && tc.expectedErr[idx] != "" { + require.EqualValues(t, tc.expectedErr[idx], err, "expected an error but certification verification succeeded") + } + } + } + }) + } +} diff --git a/conformance/utils/kubernetes/helpers.go b/conformance/utils/kubernetes/helpers.go index 9134a2c441..624055de61 100644 --- a/conformance/utils/kubernetes/helpers.go +++ b/conformance/utils/kubernetes/helpers.go @@ -72,6 +72,38 @@ func NewGatewayRef(nn types.NamespacedName, listenerNames ...string) GatewayRef } } +// RequestAssertions contains information about the request and the Ingress. +type RequestAssertions struct { + Path string `json:"path"` + Host string `json:"host"` + Method string `json:"method"` + Proto string `json:"proto"` + Headers map[string][]string `json:"headers"` + + Context `json:",inline"` + + TLS *TLSAssertions `json:"tls,omitempty"` + SNI string `json:"sni"` +} + +// TLSAssertions contains information about the TLS connection. +type TLSAssertions struct { + Version string `json:"version"` + PeerCertificates []string `json:"peerCertificates,omitempty"` + // ServerName is the name sent from the peer using SNI. + ServerName string `json:"serverName"` + NegotiatedProtocol string `json:"negotiatedProtocol,omitempty"` + CipherSuite string `json:"cipherSuite"` +} + +// Context contains information about the context where the echoserver is running. +type Context struct { + Namespace string `json:"namespace"` + Ingress string `json:"ingress"` + Service string `json:"service"` + Pod string `json:"pod"` +} + // GWCMustHaveAcceptedConditionTrue waits until the specified GatewayClass has an Accepted condition set with a status value equal to True. func GWCMustHaveAcceptedConditionTrue(t *testing.T, c client.Client, timeoutConfig config.TimeoutConfig, gwcName string) string { return gwcMustBeAccepted(t, c, timeoutConfig, gwcName, string(metav1.ConditionTrue)) diff --git a/conformance/utils/roundtripper/roundtripper.go b/conformance/utils/roundtripper/roundtripper.go index c37f4500aa..d5314bb7b7 100644 --- a/conformance/utils/roundtripper/roundtripper.go +++ b/conformance/utils/roundtripper/roundtripper.go @@ -221,6 +221,18 @@ func (d *DefaultRoundTripper) defaultRoundTrip(request Request, transport http.R resp, err := client.Do(req) if err != nil { + if d.Debug { + var dump []byte + if resp != nil { + dump, err = httputil.DumpResponse(resp, true) + if err != nil { + return nil, nil, err + } + tlog.Logf(request.T, "Error sending request:\n%s\n\n", formatDump(dump, "< ")) + } else { + tlog.Logf(request.T, "Error sending request: %v (no response)\n", err) + } + } return nil, nil, err } defer resp.Body.Close() diff --git a/conformance/utils/suite/conformance.go b/conformance/utils/suite/conformance.go index 3bbbbc1c23..7f80abc58a 100644 --- a/conformance/utils/suite/conformance.go +++ b/conformance/utils/suite/conformance.go @@ -70,7 +70,7 @@ func (test *ConformanceTest) Run(t *testing.T, suite *ConformanceTestSuite) { for _, manifestLocation := range test.Manifests { tlog.Logf(t, "Applying %s", manifestLocation) - suite.Applier.MustApplyWithCleanup(t, suite.Client, suite.TimeoutConfig, manifestLocation, true) + suite.Applier.MustApplyWithCleanup(t, suite.Client, suite.TimeoutConfig, manifestLocation, suite.Cleanup) } if featuresInfo != "" { diff --git a/conformance/utils/suite/suite.go b/conformance/utils/suite/suite.go index dad285050d..e8b7c1fded 100644 --- a/conformance/utils/suite/suite.go +++ b/conformance/utils/suite/suite.go @@ -357,10 +357,12 @@ func (suite *ConformanceTestSuite) Setup(t *testing.T, tests []ConformanceTest) suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup) secret = kubernetes.MustCreateSelfSignedCertSecret(t, "gateway-conformance-infra", "tls-validity-checks-certificate", []string{"*", "*.org"}) suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup) - secret = kubernetes.MustCreateSelfSignedCertSecret(t, "gateway-conformance-infra", "tls-passthrough-checks-certificate", []string{"abc.example.com"}) + secret = kubernetes.MustCreateSelfSignedCertSecret(t, "gateway-conformance-infra", "tls-checks-certificate", []string{"abc.example.com"}) suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup) secret = kubernetes.MustCreateSelfSignedCertSecret(t, "gateway-conformance-app-backend", "tls-passthrough-checks-certificate", []string{"abc.example.com"}) suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup) + caConfigMap := kubernetes.MustCreateCASignedCertConfigMap(t, "gateway-conformance-infra", "backend-tls-checks-certificate", []string{"abc.example.com"}) + suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{caConfigMap}, suite.Cleanup) tlog.Logf(t, "Test Setup: Ensuring Gateways and Pods from base manifests are ready") namespaces := []string{ diff --git a/docker/Dockerfile.echo-basic b/docker/Dockerfile.echo-basic index ed6081fb33..55d9b47055 100644 --- a/docker/Dockerfile.echo-basic +++ b/docker/Dockerfile.echo-basic @@ -13,7 +13,7 @@ # limitations under the License. # Build -FROM golang:1.22.2 as builder +FROM golang:1.22.2 AS builder ENV CGO_ENABLED=0 @@ -23,9 +23,10 @@ COPY ./conformance/echo-basic ./ # If left as go.mod and go.sum in the external repo, these files would # interfere with the ability to use reuse the protobuf/gRPC generated code -# for the test client in the conformance tests. -RUN mv .go.mod go.mod -RUN mv .go.sum go.sum +# for the test client in the conformance tests. Add -f in case previous run +# is aborted and not cleaned up. +RUN mv -f .go.mod go.mod +RUN mv -f .go.sum go.sum RUN go build -trimpath -ldflags="-buildid= -s -w" -o echo-basic . diff --git a/pkg/features/backendtlspolicy.go b/pkg/features/backendtlspolicy.go new file mode 100644 index 0000000000..8763b32dd1 --- /dev/null +++ b/pkg/features/backendtlspolicy.go @@ -0,0 +1,40 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package features + +import "k8s.io/apimachinery/pkg/util/sets" + +// ----------------------------------------------------------------------------- +// Features - BackendTLSPolicy Conformance (Core) +// ----------------------------------------------------------------------------- + +const ( + // This option indicates support for BackendTLSPolicy. + SupportBackendTLSPolicy FeatureName = "BackendTLSPolicy" +) + +// TLSRouteFeature contains metadata for the TLSRoute feature. +var BackendTLSPolicyFeature = Feature{ + Name: SupportBackendTLSPolicy, + Channel: FeatureChannelExperimental, +} + +// BackendTLSPolicyCoreFeatures includes all the supported features for the +// BackendTLSPolicy API at a Core level of support. +var BackendTLSPolicyCoreFeatures = sets.New( + BackendTLSPolicyFeature, +) diff --git a/pkg/features/features.go b/pkg/features/features.go index 8406c4b891..2a67d0065f 100644 --- a/pkg/features/features.go +++ b/pkg/features/features.go @@ -60,7 +60,8 @@ var ( Insert(TLSRouteCoreFeatures.UnsortedList()...). Insert(MeshCoreFeatures.UnsortedList()...). Insert(MeshExtendedFeatures.UnsortedList()...). - Insert(GRPCRouteCoreFeatures.UnsortedList()...) + Insert(GRPCRouteCoreFeatures.UnsortedList()...). + Insert(BackendTLSPolicyCoreFeatures.UnsortedList()...) featureMap = map[FeatureName]Feature{} ) diff --git a/pkg/test/cel/grpcroute_experimental_test.go b/pkg/test/cel/grpcroute_experimental_test.go index 781a1947c0..4897e5c137 100644 --- a/pkg/test/cel/grpcroute_experimental_test.go +++ b/pkg/test/cel/grpcroute_experimental_test.go @@ -55,7 +55,7 @@ func TestGRPCRequestMirrorFilterExperimental(t *testing.T) { rules []gatewayv1.GRPCRouteRule }{ { - name: "GRPCRoute - Invalid because both percent and fraction are specified", + name: "GRPCRoute - Invalid because both percent and fraction are specified", wantErrors: []string{"Only one of percent or fraction may be specified in HTTPRequestMirrorFilter"}, rules: []gatewayv1.GRPCRouteRule{{ Filters: []gatewayv1.GRPCRouteFilter{{ @@ -67,7 +67,7 @@ func TestGRPCRequestMirrorFilterExperimental(t *testing.T) { }, Percent: &percent, Fraction: &gatewayv1.Fraction{ - Numerator: 83, + Numerator: 83, Denominator: &denominator, }, }, @@ -75,7 +75,7 @@ func TestGRPCRequestMirrorFilterExperimental(t *testing.T) { }}, }, { - name: "GRPCRoute - Invalid fraction - numerator greater than denominator", + name: "GRPCRoute - Invalid fraction - numerator greater than denominator", wantErrors: []string{"numerator must be less than or equal to denominator"}, rules: []gatewayv1.GRPCRouteRule{{ Filters: []gatewayv1.GRPCRouteFilter{{ @@ -86,7 +86,7 @@ func TestGRPCRequestMirrorFilterExperimental(t *testing.T) { Port: ptrTo(gatewayv1.PortNumber(8081)), }, Fraction: &gatewayv1.Fraction{ - Numerator: 1001, + Numerator: 1001, Denominator: &denominator, }, }, @@ -94,7 +94,7 @@ func TestGRPCRequestMirrorFilterExperimental(t *testing.T) { }}, }, { - name: "GRPCRoute - Invalid fraction - denominator is 0", + name: "GRPCRoute - Invalid fraction - denominator is 0", wantErrors: []string{"spec.rules[0].filters[0].requestMirror.fraction.denominator in body should be greater than or equal to 1"}, rules: []gatewayv1.GRPCRouteRule{{ Filters: []gatewayv1.GRPCRouteFilter{{ @@ -105,7 +105,7 @@ func TestGRPCRequestMirrorFilterExperimental(t *testing.T) { Port: ptrTo(gatewayv1.PortNumber(8081)), }, Fraction: &gatewayv1.Fraction{ - Numerator: 0, + Numerator: 0, Denominator: &bad_denominator, }, }, @@ -113,7 +113,7 @@ func TestGRPCRequestMirrorFilterExperimental(t *testing.T) { }}, }, { - name: "GRPCRoute - Invalid fraction - numerator is negative", + name: "GRPCRoute - Invalid fraction - numerator is negative", wantErrors: []string{"spec.rules[0].filters[0].requestMirror.fraction.numerator in body should be greater than or equal to 0"}, rules: []gatewayv1.GRPCRouteRule{{ Filters: []gatewayv1.GRPCRouteFilter{{ @@ -124,7 +124,7 @@ func TestGRPCRequestMirrorFilterExperimental(t *testing.T) { Port: ptrTo(gatewayv1.PortNumber(8081)), }, Fraction: &gatewayv1.Fraction{ - Numerator: -1, + Numerator: -1, Denominator: &denominator, }, }, @@ -157,7 +157,7 @@ func TestGRPCRequestMirrorFilterExperimental(t *testing.T) { Port: ptrTo(gatewayv1.PortNumber(8081)), }, Fraction: &gatewayv1.Fraction{ - Numerator: 83, + Numerator: 83, Denominator: &denominator, }, }, diff --git a/pkg/test/cel/httproute_experimental_test.go b/pkg/test/cel/httproute_experimental_test.go index a141899e37..f6ff0d455b 100644 --- a/pkg/test/cel/httproute_experimental_test.go +++ b/pkg/test/cel/httproute_experimental_test.go @@ -444,7 +444,7 @@ func TestHTTPRequestMirrorFilterExperimental(t *testing.T) { rules []gatewayv1.HTTPRouteRule }{ { - name: "HTTPRoute - Invalid because both percent and fraction are specified", + name: "HTTPRoute - Invalid because both percent and fraction are specified", wantErrors: []string{"Only one of percent or fraction may be specified in HTTPRequestMirrorFilter"}, rules: []gatewayv1.HTTPRouteRule{{ Filters: []gatewayv1.HTTPRouteFilter{{ @@ -456,7 +456,7 @@ func TestHTTPRequestMirrorFilterExperimental(t *testing.T) { }, Percent: &percent, Fraction: &gatewayv1.Fraction{ - Numerator: 83, + Numerator: 83, Denominator: &denominator, }, }, @@ -464,7 +464,7 @@ func TestHTTPRequestMirrorFilterExperimental(t *testing.T) { }}, }, { - name: "HTTPRoute - Invalid fraction - numerator greater than denominator", + name: "HTTPRoute - Invalid fraction - numerator greater than denominator", wantErrors: []string{"numerator must be less than or equal to denominator"}, rules: []gatewayv1.HTTPRouteRule{{ Filters: []gatewayv1.HTTPRouteFilter{{ @@ -475,7 +475,7 @@ func TestHTTPRequestMirrorFilterExperimental(t *testing.T) { Port: ptrTo(gatewayv1.PortNumber(8081)), }, Fraction: &gatewayv1.Fraction{ - Numerator: 1001, + Numerator: 1001, Denominator: &denominator, }, }, @@ -483,7 +483,7 @@ func TestHTTPRequestMirrorFilterExperimental(t *testing.T) { }}, }, { - name: "HTTPRoute - Invalid fraction - denominator is 0", + name: "HTTPRoute - Invalid fraction - denominator is 0", wantErrors: []string{"spec.rules[0].filters[0].requestMirror.fraction.denominator in body should be greater than or equal to 1"}, rules: []gatewayv1.HTTPRouteRule{{ Filters: []gatewayv1.HTTPRouteFilter{{ @@ -494,7 +494,7 @@ func TestHTTPRequestMirrorFilterExperimental(t *testing.T) { Port: ptrTo(gatewayv1.PortNumber(8081)), }, Fraction: &gatewayv1.Fraction{ - Numerator: 0, + Numerator: 0, Denominator: &bad_denominator, }, }, @@ -502,7 +502,7 @@ func TestHTTPRequestMirrorFilterExperimental(t *testing.T) { }}, }, { - name: "HTTPRoute - Invalid fraction - numerator is negative", + name: "HTTPRoute - Invalid fraction - numerator is negative", wantErrors: []string{"spec.rules[0].filters[0].requestMirror.fraction.numerator in body should be greater than or equal to 0"}, rules: []gatewayv1.HTTPRouteRule{{ Filters: []gatewayv1.HTTPRouteFilter{{ @@ -513,7 +513,7 @@ func TestHTTPRequestMirrorFilterExperimental(t *testing.T) { Port: ptrTo(gatewayv1.PortNumber(8081)), }, Fraction: &gatewayv1.Fraction{ - Numerator: -1, + Numerator: -1, Denominator: &denominator, }, }, @@ -546,7 +546,7 @@ func TestHTTPRequestMirrorFilterExperimental(t *testing.T) { Port: ptrTo(gatewayv1.PortNumber(8081)), }, Fraction: &gatewayv1.Fraction{ - Numerator: 83, + Numerator: 83, Denominator: &denominator, }, },