mqtt, use different cert hostname

Author: phuhung273

conformance/tests/tlsroute-terminate-simple-same-namespace.go

@@ -17,15 +17,19 @@ limitations under the License.
 package tests
 
 import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
 	"testing"
 
 	"k8s.io/apimachinery/pkg/types"
 
-	"sigs.k8s.io/gateway-api/conformance/utils/http"
 	"sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
 	"sigs.k8s.io/gateway-api/conformance/utils/suite"
-	"sigs.k8s.io/gateway-api/conformance/utils/tls"
+	"sigs.k8s.io/gateway-api/conformance/utils/tlog"
 	"sigs.k8s.io/gateway-api/pkg/features"
+
+	mqtt "github.com/eclipse/paho.mqtt.golang"
 )
 
 func init() {
@@ -43,9 +47,9 @@ var TLSRouteTerminateSimpleSameNamespace = suite.ConformanceTest{
 	Manifests: []string{"tests/tlsroute-terminate-simple-same-namespace.yaml"},
 	Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
 		ns := "gateway-conformance-infra"
-		routeNN := types.NamespacedName{Name: "gateway-conformance-infra-test", Namespace: ns}
+		routeNN := types.NamespacedName{Name: "gateway-conformance-mqtt-test", Namespace: ns}
 		gwNN := types.NamespacedName{Name: "gateway-tlsroute-terminate", Namespace: ns}
-		certNN := types.NamespacedName{Name: "tls-checks-certificate", Namespace: ns}
+		caCertNN := types.NamespacedName{Name: "tls-checks-ca-certificate", Namespace: ns}
 
 		kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{ns})
 
@@ -55,17 +59,36 @@ var TLSRouteTerminateSimpleSameNamespace = suite.ConformanceTest{
 		}
 		serverStr := string(hostnames[0])
 
-		cPem, keyPem, err := GetTLSSecret(suite.Client, certNN)
+		caConfigMap, err := kubernetes.GetConfigMapData(suite.Client, caCertNN)
 		if err != nil {
 			t.Fatalf("unexpected error finding TLS secret: %v", err)
 		}
-		t.Run("Simple TLS request matching TLSRoute should reach infra-backend", func(t *testing.T) {
-			tls.MakeTLSRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, cPem, keyPem, serverStr,
-				http.ExpectedResponse{
-					Request:   http.Request{Host: serverStr, Path: "/"},
-					Backend:   "infra-backend-v2",
-					Namespace: "gateway-conformance-infra",
-				})
+		caString, ok := caConfigMap["ca.crt"]
+		if !ok {
+			t.Fatalf("ca.crt not found in configmap: %s/%s", caCertNN.Namespace, caCertNN.Name)
+		}
+
+		t.Run("Simple MQTT TLS request matching TLSRoute should reach mqtt-backend", func(t *testing.T) {
+			tlog.Logf(t, "Establishing MQTT connection to host %s via %s", serverStr, gwAddr)
+
+			certpool := x509.NewCertPool()
+			if !certpool.AppendCertsFromPEM([]byte(caString)) {
+				t.Fatal("Failed to append CA certificate")
+			}
+
+			opts := mqtt.NewClientOptions()
+			opts.AddBroker(fmt.Sprintf("tls://%s", gwAddr))
+			opts.SetTLSConfig(&tls.Config{
+				RootCAs:    certpool,
+				ServerName: serverStr,
+			})
+			opts.SetConnectRetry(true)
+
+			client := mqtt.NewClient(opts)
+			token := client.Connect()
+			if token.Wait() && token.Error() != nil {
+				t.Fatalf("Connection failed: %v", token.Error())
+			}
 		})
 	},
 }

conformance/tests/tlsroute-terminate-simple-same-namespace.yaml

@@ -1,17 +1,17 @@
 apiVersion: gateway.networking.k8s.io/v1alpha3
 kind: TLSRoute
 metadata:
-  name: gateway-conformance-infra-test
+  name: gateway-conformance-mqtt-test
   namespace: gateway-conformance-infra
 spec:
   parentRefs:
   - name: gateway-tlsroute-terminate
     namespace: gateway-conformance-infra
   hostnames:
-  - abc.example.com
+  - tls.terminate.com
   rules:
   - backendRefs:
-    - name: infra-backend-v2
+    - name: mqtt-backend
       port: 8080
 ---
 apiVersion: gateway.networking.k8s.io/v1
@@ -22,10 +22,10 @@ metadata:
 spec:
   gatewayClassName: "{GATEWAY_CLASS_NAME}"
   listeners:
-  - name: https
-    port: 443
+  - name: mqtt
+    port: 1883
     protocol: TLS
-    hostname: abc.example.com
+    hostname: tls.terminate.com
     allowedRoutes:
       namespaces:
         from: Same
@@ -34,4 +34,62 @@ spec:
     tls:
       mode: Terminate
       certificateRefs:
-      - name: tls-checks-certificate
+      - name: tls-terminate-checks-certificate
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mqtt-backend
+  namespace: gateway-conformance-infra
+spec:
+  selector:
+    app: mqtt-backend
+  ports:
+  - protocol: TCP
+    port: 8080
+    targetPort: 1883
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mqtt-backend
+  namespace: gateway-conformance-infra
+  labels:
+    app: mqtt-backend
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mqtt-backend
+  template:
+    metadata:
+      labels:
+        app: mqtt-backend
+    spec:
+      containers:
+      - name: mqtt-backend
+        # https://hub.docker.com/_/eclipse-mosquitto
+        image: eclipse-mosquitto:2
+        volumeMounts:
+        - name: config
+          mountPath: /mosquitto/config/mosquitto.conf
+          subPath: mosquitto.conf
+        ports:
+        - containerPort: 1883
+        resources:
+          requests:
+            cpu: 10m
+      volumes:
+      - name: config
+        configMap:
+          name: mosquitto-config
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mosquitto-config
+  namespace: gateway-conformance-infra
+data:
+  mosquitto.conf: |
+    listener 1883
+    allow_anonymous true

conformance/utils/kubernetes/helpers.go

@@ -1037,3 +1037,17 @@ func BackendTLSPolicyMustHaveLatestConditions(t *testing.T, r *gatewayv1.Backend
 		}
 	}
 }
+
+// GetConfigMapData fetches the named ConfigMap
+func GetConfigMapData(client client.Client, name types.NamespacedName) (map[string]string, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	configMap := &v1.ConfigMap{}
+	err := client.Get(ctx, name, configMap)
+	if err != nil {
+		return nil, fmt.Errorf("error fetching ConfigMap: %w", err)
+	}
+
+	return configMap.Data, nil
+}

conformance/utils/suite/suite.go

@@ -384,6 +384,10 @@ func (suite *ConformanceTestSuite) Setup(t *testing.T, tests []ConformanceTest)
 		secret = kubernetes.MustCreateCASignedCertSecret(t, "gateway-conformance-infra", "tls-checks-certificate", []string{"abc.example.com", "spiffe://abc.example.com/test-identity", "other.example.com"}, ca, caPrivKey)
 		suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup)
 
+		// The following secret is used for TLSRoute mode Terminate validation
+		secret = kubernetes.MustCreateCASignedCertSecret(t, "gateway-conformance-infra", "tls-terminate-checks-certificate", []string{"tls.terminate.com"}, ca, caPrivKey)
+		suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup)
+
 		// The following CA ceritficate is used for BackendTLSPolicy testing to intentionally force TLS validation to fail.
 		caConfigMap, _, _ = kubernetes.MustCreateCACertConfigMap(t, "gateway-conformance-infra", "mismatch-ca-certificate")
 		suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{caConfigMap}, suite.Cleanup)

go.mod

@@ -3,6 +3,7 @@ module sigs.k8s.io/gateway-api
 go 1.24.0
 
 require (
+	github.com/eclipse/paho.mqtt.golang v1.5.1
 	github.com/elastic/crd-ref-docs v0.2.0
 	github.com/miekg/dns v1.1.68
 	github.com/stretchr/testify v1.11.1

go.sum

@@ -23,6 +23,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/eclipse/paho.mqtt.golang v1.5.1 h1:/VSOv3oDLlpqR2Epjn1Q7b2bSTplJIeV2ISgCl2W7nE=
+github.com/eclipse/paho.mqtt.golang v1.5.1/go.mod h1:1/yJCneuyOoCOzKSsOTUc0AJfpsItBGWvYpBLimhArU=
 github.com/elastic/crd-ref-docs v0.2.0 h1:U17MyGX71j4qfKTvYxbR4qZGoA1hc2thy7kseGYmP+o=
 github.com/elastic/crd-ref-docs v0.2.0/go.mod h1:0bklkJhTG7nC6AVsdDi0wt5bGoqvzdZSzMMQkilZ6XM=
 github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes=