kubernetes-sigs · candita · Jul 23, 2024 · Aug 13, 2024 · Aug 27, 2024 · Aug 29, 2024
diff --git a/conformance/base/manifests.yaml b/conformance/base/manifests.yaml
@@ -300,7 +300,7 @@ spec:
       volumes:
       - name: secret-volume
         secret:
-          secretName: tls-passthrough-checks-certificate
+          secretName: tls-checks-certificate
           items:
           - key: tls.crt
             path: crt
@@ -730,3 +730,66 @@ data:
     foo.bar.com:53 {
       whoami
     }
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: backendtlspolicy-test
+  namespace: gateway-conformance-infra
+spec:
+  selector:
+    app: backendtlspolicy-test
+  ports:
+  - protocol: TCP
+    port: 443
+    targetPort: 8443
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: backendtlspolicy-test
+  namespace: gateway-conformance-infra
+  labels:
+    app: backendtlspolicy-test
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: backendtlspolicy-test
+  template:
+    metadata:
+      labels:
+        app: backendtlspolicy-test
+    spec:
+      containers:
+      - name: backendtlspolicy-test
+        image: gcr.io/k8s-staging-gateway-api/echo-basic:v20240827-v1.1.0-121-g650e404a
+        volumeMounts:
+        - name: secret-volume
+          mountPath: /etc/secret-volume
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: CA_CERT
+          value: /etc/secret-volume/crt
+        - name: CA_CERT_KEY
+          value: /etc/secret-volume/key
+        resources:
+          requests:
+            cpu: 10m
+      volumes:
+      - name: secret-volume
+        secret:
+          # This secret is generated dynamically by the test suite.
+          secretName: backend-tls-checks-certificate
+          items:
+          - key: tls.crt
+            path: crt
+          - key: tls.key
+            path: key
diff --git a/conformance/echo-basic/.go.mod b/conformance/echo-basic/.go.mod
@@ -3,6 +3,7 @@ module sigs.k8s.io/gateway-api/conformance/echo-basic
 go 1.21
 
 require (
+	github.com/paultag/sniff v0.0.0-20200207005214-cf7e4d167732
 	golang.org/x/net v0.21.0
 	google.golang.org/grpc v1.53.0
 	google.golang.org/protobuf v1.28.1

diff --git a/conformance/echo-basic/.go.sum b/conformance/echo-basic/.go.sum
@@ -4,6 +4,8 @@ github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiu
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/paultag/sniff v0.0.0-20200207005214-cf7e4d167732 h1:nkseUkzjazCNyGhkRwnJ1OiHSwMXazsJQx+Ci+oVLEM=
+github.com/paultag/sniff v0.0.0-20200207005214-cf7e4d167732/go.mod h1:J3XXNGJINXLa4yIivdUT0Ad/srv2q0pSOWbbm6El2EY=
 golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=

diff --git a/conformance/echo-basic/echo-basic.go b/conformance/echo-basic/echo-basic.go
@@ -23,13 +23,15 @@ import (
 	"encoding/pem"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"os"
 	"regexp"
 	"strconv"
 	"strings"
 	"time"
 
+	"github.com/paultag/sniff/parser"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
 	"golang.org/x/net/websocket"
@@ -48,15 +50,17 @@ type RequestAssertions struct {
 	Context `json:",inline"`
 
 	TLS *TLSAssertions `json:"tls,omitempty"`
+	SNI string         `json:"sni"`
 }
 
 // TLSAssertions contains information about the TLS connection.
 type TLSAssertions struct {
-	Version            string   `json:"version"`
-	PeerCertificates   []string `json:"peerCertificates,omitempty"`
-	ServerName         string   `json:"serverName"`
-	NegotiatedProtocol string   `json:"negotiatedProtocol,omitempty"`
-	CipherSuite        string   `json:"cipherSuite"`
+	Version          string   `json:"version"`
+	PeerCertificates []string `json:"peerCertificates,omitempty"`
+	// ServerName is the name sent from the peer using SNI.
+	ServerName         string `json:"serverName"`
+	NegotiatedProtocol string `json:"negotiatedProtocol,omitempty"`
+	CipherSuite        string `json:"cipherSuite"`
 }
 
 type preserveSlashes struct {
@@ -109,6 +113,7 @@ func main() {
 	httpMux.HandleFunc("/health", healthHandler)
 	httpMux.HandleFunc("/status/", statusHandler)
 	httpMux.HandleFunc("/", echoHandler)
+	httpMux.HandleFunc("/backendTLS", echoHandler)
 	httpMux.Handle("/ws", websocket.Handler(wsHandler))
 	httpHandler := &preserveSlashes{httpMux}
 
@@ -124,11 +129,13 @@ func main() {
 
 	go runH2CServer(h2cPort, errchan)
 
-	// Enable HTTPS if certificate and private key are given.
-	if os.Getenv("TLS_SERVER_CERT") != "" && os.Getenv("TLS_SERVER_PRIVKEY") != "" {
+	// Enable HTTPS if server certificate and private key are given. (TLS_SERVER_CERT, TLS_SERVER_PRIVKEY)
+	// Enable secure backend if CA certificate and key are given. (CA_CERT, CA_CERT_KEY)
+	if os.Getenv("TLS_SERVER_CERT") != "" && os.Getenv("TLS_SERVER_PRIVKEY") != "" ||
+		os.Getenv("CA_CERT") != "" && os.Getenv("CA_CERT_KEY") != "" {
 		go func() {
 			fmt.Printf("Starting server, listening on port %s (https)\n", httpsPort)
-			err := listenAndServeTLS(fmt.Sprintf(":%s", httpsPort), os.Getenv("TLS_SERVER_CERT"), os.Getenv("TLS_SERVER_PRIVKEY"), os.Getenv("TLS_CLIENT_CACERTS"), httpHandler)
+			err := listenAndServeTLS(fmt.Sprintf(":%s", httpsPort), os.Getenv("TLS_SERVER_CERT"), os.Getenv("TLS_SERVER_PRIVKEY"), os.Getenv("CA_CERT"), httpHandler)
 			if err != nil {
 				errchan <- err
 			}
@@ -201,15 +208,29 @@ func runH2CServer(h2cPort string, errchan chan<- error) {
 }
 
 func echoHandler(w http.ResponseWriter, r *http.Request) {
+	var sni string
+
 	fmt.Printf("Echoing back request made to %s to client (%s)\n", r.RequestURI, r.RemoteAddr)
 
 	// If the request has form ?delay=[:duration] wait for duration
 	// For example, ?delay=10s will cause the response to wait 10s before responding
-	if err := delayResponse(r); err != nil {
+	err := delayResponse(r)
+	if err != nil {
 		processError(w, err, http.StatusInternalServerError)
 		return
 	}
 
+	// If the request was made to URI backendTLS, then get the server name indication and
+	// add it to the RequestAssertions.  It will be echoed back later.
+	if strings.Contains(r.RequestURI, "backendTLS") {
+		sni, err = sniffForSNI(r.RemoteAddr)
+		if err != nil {
+			// TODO: research if for some test cases there won't be SNI available.
+			processError(w, err, http.StatusBadGateway)
+			return
+		}
+	}
+
 	requestAssertions := RequestAssertions{
 		r.RequestURI,
 		r.Host,
@@ -220,6 +241,7 @@ func echoHandler(w http.ResponseWriter, r *http.Request) {
 		context,
 
 		tlsStateToAssertions(r.TLS),
+		sni,
 	}
 
 	js, err := json.MarshalIndent(requestAssertions, "", " ")
@@ -296,6 +318,41 @@ func listenAndServeTLS(addr string, serverCert string, serverPrivKey string, cli
 	return srv.ListenAndServeTLS(serverCert, serverPrivKey)
 }
 
+// sniffForSNI uses the request address to listen for the incoming TLS connection,
+// and tries to find the server name indication from that connection.
+func sniffForSNI(addr string) (string, error) {
+	var sni string
+
+	// Listen to get the SNI, and store in config.
+	listener, err := net.Listen("tcp", addr)
+	if err != nil {
+		return "", err
+	}
+	defer listener.Close()
+
+	for {
+		conn, err := listener.Accept()
+		if err != nil {
+			return "", err
+		}
+		data := make([]byte, 4096)
+		_, err = conn.Read(data)
+		if err != nil {
+			return "", fmt.Errorf("could not read socket: %v", err)
+		}
+		// Take an incoming TLS Client Hello and return the SNI name.
+		sni, err = parser.GetHostname(data)
+		if err != nil {
+			return "", fmt.Errorf("error getting SNI: %v", err)
+		}
+		if sni == "" {
+			return "", fmt.Errorf("no server name indication found")
+		} else { //nolint:revive
+			return sni, nil
+		}
+	}
+}
+
 func tlsStateToAssertions(connectionState *tls.ConnectionState) *TLSAssertions {
 	if connectionState != nil {
 		var state TLSAssertions

diff --git a/conformance/tests/backendtlspolicy.go b/conformance/tests/backendtlspolicy.go
@@ -0,0 +1,65 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tests
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/types"
+
+	"sigs.k8s.io/gateway-api/conformance/utils/http"
+	"sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
+	"sigs.k8s.io/gateway-api/conformance/utils/suite"
+	"sigs.k8s.io/gateway-api/pkg/features"
+)
+
+func init() {
+	ConformanceTests = append(ConformanceTests, BackendTLSPolicy)
+}
+
+var BackendTLSPolicy = suite.ConformanceTest{
+	ShortName:   "BackendTLSPolicy",
+	Description: "A single service that is targeted by a BackendTLSPolicy must successfully complete TLS termination",
+	Features: []features.FeatureName{
+		features.SupportGateway,
+		features.SupportBackendTLSPolicy,
+	},
+	Manifests: []string{"tests/backendtlspolicy.yaml"},
+	Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+		ns := "gateway-conformance-infra"
+		routeNN := types.NamespacedName{Name: "gateway-conformance-infra-test", Namespace: ns}
+		gwNN := types.NamespacedName{Name: "gateway-backendtlspolicy", Namespace: ns}
+
+		kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{ns})
+
+		gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+
+		// Verify that the response to a call to /backendTLS will return the matching SNI.
+		t.Run("Simple request targeting BackendTLSPolicy should reach infra-backend", func(t *testing.T) {
+			http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr,
+				http.ExpectedResponse{
+					Request: http.Request{
+						Path: "/backendTLS",
+					},
+					Response:   http.Response{StatusCode: 200},
+					Backend:    "infra-backend-v1",
+					Namespace:  "gateway-conformance-infra",
+					ServerName: "abc.example.com",
+				})
+		})
+	},
+}
diff --git a/conformance/tests/backendtlspolicy.yaml b/conformance/tests/backendtlspolicy.yaml
@@ -0,0 +1,57 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: gateway-backendtlspolicy
+  namespace: gateway-conformance-infra
+spec:
+  gatewayClassName: "{GATEWAY_CLASS_NAME}"
+  listeners:
+  - name: https
+    port: 443
+    protocol: HTTPS
+    tls:
+      mode: Terminate
+      certificateRefs:
+      - group: ""
+        kind: Secret
+        name: tls-checks-certificate
+    hostname: "*.example.com"
+    allowedRoutes:
+      namespaces:
+        from: Same
+      kinds:
+      - kind: HTTPRoute
+---
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: BackendTLSPolicy
+metadata:
+  name: normative-test-backendtlspolicy
+  namespace: gateway-conformance-infra
+spec:
+  targetRefs:
+  - group: ""
+    kind: Service
+    name: "backendtlspolicy-test"
+  validation:
+    caCertificateRefs:
+    - group: ""
+      kind: Secret
+      # This secret is generated dynamically by the test suite.
+      name: "backend-tls-checks-certificate"
+    hostname: "abc.example.com"
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: gateway-conformance-infra-test
+  namespace: gateway-conformance-infra
+spec:
+  parentRefs:
+  - name: gateway-backendtlspolicy
+    namespace: gateway-conformance-infra
+  hostnames:
+  - abc.example.com
+  rules:
+  - backendRefs:
+    - name: tls-backend
+      port: 443
diff --git a/conformance/tests/tlsroute-simple-same-namespace.go b/conformance/tests/tlsroute-simple-same-namespace.go
@@ -49,7 +49,7 @@ var TLSRouteSimpleSameNamespace = suite.ConformanceTest{
 		ns := "gateway-conformance-infra"
 		routeNN := types.NamespacedName{Name: "gateway-conformance-infra-test", Namespace: ns}
 		gwNN := types.NamespacedName{Name: "gateway-tlsroute", Namespace: ns}
-		certNN := types.NamespacedName{Name: "tls-passthrough-checks-certificate", Namespace: ns}
+		certNN := types.NamespacedName{Name: "tls-checks-certificate", Namespace: ns}
 
 		kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{ns})
 

diff --git a/conformance/utils/http/http.go b/conformance/utils/http/http.go
@@ -58,6 +58,10 @@ type ExpectedResponse struct {
 
 	// User Given TestCase name
 	TestCaseName string
+
+	// ServerName indicates the hostname to which the client attempts to connect,
+	// and which is seen by the backend.
+	ServerName string
 }
 
 // Request can be used as both the request to make and a means to verify