From dfe558190b60487a452a74539ee0b8edda2c688e Mon Sep 17 00:00:00 2001 From: phuhung273 Date: Tue, 30 Sep 2025 15:11:19 +0700 Subject: [PATCH 1/7] conformance: TLSRoute simple Terminate mode --- ...lsroute-terminate-simple-same-namespace.go | 70 +++++++++++++++++++ ...route-terminate-simple-same-namespace.yaml | 37 ++++++++++ 2 files changed, 107 insertions(+) create mode 100644 conformance/tests/tlsroute-terminate-simple-same-namespace.go create mode 100644 conformance/tests/tlsroute-terminate-simple-same-namespace.yaml diff --git a/conformance/tests/tlsroute-terminate-simple-same-namespace.go b/conformance/tests/tlsroute-terminate-simple-same-namespace.go new file mode 100644 index 0000000000..9634fb6e8a --- /dev/null +++ b/conformance/tests/tlsroute-terminate-simple-same-namespace.go 
@@ -0,0 +1,70 @@ +/* +Copyright 2025 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package tests + +import ( + "testing" + + "k8s.io/apimachinery/pkg/types" + + "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/suite" + "sigs.k8s.io/gateway-api/conformance/utils/tls" + "sigs.k8s.io/gateway-api/pkg/features" +) + +func init() { + ConformanceTests = append(ConformanceTests, TLSRouteTerminateSimpleSameNamespace) +} + +var TLSRouteTerminateSimpleSameNamespace = suite.ConformanceTest{ + ShortName: "TLSRouteTerminateSimpleSameNamespace", + Description: "A single TLSRoute in the gateway-conformance-infra namespace attaches to a Gateway using Terminate mode in the same namespace", + Features: []features.FeatureName{ + features.SupportGateway, + features.SupportTLSRoute, + }, + Manifests: []string{"tests/tlsroute-terminate-simple-same-namespace.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "gateway-conformance-infra-test", Namespace: ns} + gwNN := types.NamespacedName{Name: "gateway-tlsroute-terminate", Namespace: ns} + certNN := types.NamespacedName{Name: "tls-checks-certificate", Namespace: ns} + + kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{ns}) + + gwAddr, hostnames := kubernetes.GatewayAndTLSRoutesMustBeAccepted(t, 
suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + if len(hostnames) != 1 { + t.Fatalf("unexpected error in test configuration, found %d hostnames", len(hostnames)) + } + serverStr := string(hostnames[0]) + + cPem, keyPem, err := GetTLSSecret(suite.Client, certNN) + if err != nil { + t.Fatalf("unexpected error finding TLS secret: %v", err) + } + t.Run("Simple TLS request matching TLSRoute should reach infra-backend", func(t *testing.T) { + tls.MakeTLSRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, cPem, keyPem, serverStr, + http.ExpectedResponse{ + Request: http.Request{Host: serverStr, Path: "/"}, + Backend: "infra-backend-v2", + Namespace: "gateway-conformance-infra", + }) + }) + }, +} diff --git a/conformance/tests/tlsroute-terminate-simple-same-namespace.yaml b/conformance/tests/tlsroute-terminate-simple-same-namespace.yaml new file mode 100644 index 0000000000..b1ec56341c --- /dev/null +++ b/conformance/tests/tlsroute-terminate-simple-same-namespace.yaml @@ -0,0 +1,37 @@ +apiVersion: gateway.networking.k8s.io/v1alpha3 +kind: TLSRoute +metadata: + name: gateway-conformance-infra-test + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: gateway-tlsroute-terminate + namespace: gateway-conformance-infra + hostnames: + - abc.example.com + rules: + - backendRefs: + - name: infra-backend-v2 + port: 8080 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: gateway-tlsroute-terminate + namespace: gateway-conformance-infra +spec: + gatewayClassName: "{GATEWAY_CLASS_NAME}" + listeners: + - name: https + port: 443 + protocol: TLS + hostname: abc.example.com + allowedRoutes: + namespaces: + from: Same + kinds: + - kind: TLSRoute + tls: + mode: Terminate + certificateRefs: + - name: tls-checks-certificate From bf188847a4be18babcd40038b0fafa832f6c9eab Mon Sep 17 00:00:00 2001 
From: phuhung273 Date: Tue, 30 Sep 2025 15:52:15 +0700 Subject: [PATCH 2/7] add feature --- ...lsroute-terminate-simple-same-namespace.go | 1 + conformance/utils/suite/profiles.go | 5 +++- pkg/features/features.go | 1 + pkg/features/tlsroute.go | 27 +++++++++++++++---- 4 files changed, 28 insertions(+), 6 deletions(-) diff --git a/conformance/tests/tlsroute-terminate-simple-same-namespace.go b/conformance/tests/tlsroute-terminate-simple-same-namespace.go index 9634fb6e8a..0849c67ac1 100644 --- a/conformance/tests/tlsroute-terminate-simple-same-namespace.go +++ b/conformance/tests/tlsroute-terminate-simple-same-namespace.go @@ -38,6 +38,7 @@ var TLSRouteTerminateSimpleSameNamespace = suite.ConformanceTest{ Features: []features.FeatureName{ features.SupportGateway, features.SupportTLSRoute, + features.SupportTLSRouteModeTerminate, }, Manifests: []string{"tests/tlsroute-terminate-simple-same-namespace.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { diff --git a/conformance/utils/suite/profiles.go b/conformance/utils/suite/profiles.go index 996fe346dd..f7e21f7f6c 100644 --- a/conformance/utils/suite/profiles.go +++ b/conformance/utils/suite/profiles.go @@ -93,7 +93,10 @@ var ( features.SupportReferenceGrant, features.SupportTLSRoute, ), - ExtendedFeatures: features.SetsToNamesSet(features.GatewayExtendedFeatures), + ExtendedFeatures: features.SetsToNamesSet( + features.GatewayExtendedFeatures, + features.TLSRouteExtendedFeatures, + ), } // GatewayGRPCConformanceProfile is a ConformanceProfile that covers testing GRPC diff --git a/pkg/features/features.go b/pkg/features/features.go index 1fbf43f0e6..52e58cc8c2 100644 --- a/pkg/features/features.go +++ b/pkg/features/features.go 
@@ -58,6 +58,7 @@ var ( Insert(HTTPRouteCoreFeatures.UnsortedList()...). Insert(HTTPRouteExtendedFeatures.UnsortedList()...). Insert(TLSRouteCoreFeatures.UnsortedList()...). + Insert(TLSRouteExtendedFeatures.UnsortedList()...). Insert(MeshCoreFeatures.UnsortedList()...). Insert(MeshExtendedFeatures.UnsortedList()...). Insert(GRPCRouteCoreFeatures.UnsortedList()...). diff --git a/pkg/features/tlsroute.go b/pkg/features/tlsroute.go index 90d68c3d34..b0dd499fba 100644 --- a/pkg/features/tlsroute.go +++ b/pkg/features/tlsroute.go @@ -25,16 +25,33 @@ import "k8s.io/apimachinery/pkg/util/sets" const ( // This option indicates support for TLSRoute SupportTLSRoute FeatureName = "TLSRoute" + + // This option indicates support for TLSRoute mode Terminate (extended conformance) + SupportTLSRouteModeTerminate FeatureName = "TLSRouteModeTerminate" ) -// TLSRouteFeature contains metadata for the TLSRoute feature. -var TLSRouteFeature = Feature{ - Name: SupportTLSRoute, - Channel: FeatureChannelExperimental, -} +var ( + // TLSRouteFeature contains metadata for the TLSRoute feature. + TLSRouteFeature = Feature{ + Name: SupportTLSRoute, + Channel: FeatureChannelExperimental, + } + // TLSRouteModeTerminate contains metadata for the TLSRouteModeTerminate feature. + TLSRouteModeTerminateFeature = Feature{ + Name: SupportTLSRouteModeTerminate, + Channel: FeatureChannelExperimental, + } +) // TLSCoreFeatures includes all the supported features for the TLSRoute API at // a Core level of support. var TLSRouteCoreFeatures = sets.New( TLSRouteFeature, ) + +// TLSRouteExtendedFeatures includes all extended features for TLSRoute +// conformance and can be used to opt-in to run all TLSRoute extended features tests. +// This does not include any Core Features. +var TLSRouteExtendedFeatures = sets.New( + TLSRouteModeTerminateFeature, +) From 2e8847d0c102fc4ffac4f37b5f340a1ac5f26733 Mon Sep 17 00:00:00 2001 
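Review bot: The doc comment added above `TLSRouteModeTerminateFeature` in pkg/features/tlsroute.go opens with `TLSRouteModeTerminate`, which is not the declared identifier, so godoc and comment linters will not attach it to the variable. It should read `// TLSRouteModeTerminateFeature contains metadata for the TLSRouteModeTerminate feature.` The context comment `TLSCoreFeatures includes ...` above `TLSRouteCoreFeatures` has the same mismatch and could be corrected in the same change.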
From: phuhung273 Date: Sun, 12 Oct 2025 17:55:16 +0700 Subject: [PATCH 3/7] mqtt, use different cert hostname --- ...lsroute-terminate-simple-same-namespace.go | 48 +++++++++---- ...route-terminate-simple-same-namespace.yaml | 72 +++++++++++++++++-- conformance/utils/kubernetes/helpers.go | 14 ++++ conformance/utils/suite/suite.go | 4 ++ go.mod | 1 + go.sum | 2 + 6 files changed, 122 insertions(+), 19 deletions(-) diff --git a/conformance/tests/tlsroute-terminate-simple-same-namespace.go b/conformance/tests/tlsroute-terminate-simple-same-namespace.go index 0849c67ac1..08d3c8a157 100644 --- a/conformance/tests/tlsroute-terminate-simple-same-namespace.go +++ b/conformance/tests/tlsroute-terminate-simple-same-namespace.go @@ -17,15 +17,19 @@ limitations under the License. package tests import ( + "crypto/tls" + "crypto/x509" + "fmt" "testing" "k8s.io/apimachinery/pkg/types" - "sigs.k8s.io/gateway-api/conformance/utils/http" "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" "sigs.k8s.io/gateway-api/conformance/utils/suite" - "sigs.k8s.io/gateway-api/conformance/utils/tls" + "sigs.k8s.io/gateway-api/conformance/utils/tlog" "sigs.k8s.io/gateway-api/pkg/features" + + mqtt "github.com/eclipse/paho.mqtt.golang" ) func init() { 
@@ -43,9 +47,9 @@ var TLSRouteTerminateSimpleSameNamespace = suite.ConformanceTest{ Manifests: []string{"tests/tlsroute-terminate-simple-same-namespace.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { ns := "gateway-conformance-infra" - routeNN := types.NamespacedName{Name: "gateway-conformance-infra-test", Namespace: ns} + routeNN := types.NamespacedName{Name: "gateway-conformance-mqtt-test", Namespace: ns} gwNN := types.NamespacedName{Name: "gateway-tlsroute-terminate", Namespace: ns} - certNN := types.NamespacedName{Name: "tls-checks-certificate", Namespace: ns} + caCertNN := types.NamespacedName{Name: "tls-checks-ca-certificate", Namespace: ns} kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{ns}) 
@@ -55,17 +59,37 @@ var TLSRouteTerminateSimpleSameNamespace = suite.ConformanceTest{ } serverStr := string(hostnames[0]) - cPem, keyPem, err := GetTLSSecret(suite.Client, certNN) + caConfigMap, err := kubernetes.GetConfigMapData(suite.Client, caCertNN) if err != nil { t.Fatalf("unexpected error finding TLS secret: %v", err) } - t.Run("Simple TLS request matching TLSRoute should reach infra-backend", func(t *testing.T) { - tls.MakeTLSRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, cPem, keyPem, serverStr, - http.ExpectedResponse{ - Request: http.Request{Host: serverStr, Path: "/"}, - Backend: "infra-backend-v2", - Namespace: "gateway-conformance-infra", - }) + caString, ok := caConfigMap["ca.crt"] + if !ok { + t.Fatalf("ca.crt not found in configmap: %s/%s", caCertNN.Namespace, caCertNN.Name) + } + + t.Run("Simple MQTT TLS request matching TLSRoute should reach mqtt-backend", func(t *testing.T) { + tlog.Logf(t, "Establishing MQTT connection to host %s via %s", serverStr, gwAddr) + + certpool := x509.NewCertPool() + if !certpool.AppendCertsFromPEM([]byte(caString)) { + t.Fatal("Failed to append CA certificate") + } + + opts := mqtt.NewClientOptions() + opts.AddBroker(fmt.Sprintf("tls://%s", gwAddr)) + opts.SetTLSConfig(&tls.Config{ + RootCAs: certpool, + ServerName: serverStr, + MinVersion: tls.VersionTLS13, + }) + opts.SetConnectRetry(true) + + client := mqtt.NewClient(opts) + token := client.Connect() + if token.Wait() && token.Error() != nil { + t.Fatalf("Connection failed: %v", token.Error()) + } }) }, } diff --git a/conformance/tests/tlsroute-terminate-simple-same-namespace.yaml b/conformance/tests/tlsroute-terminate-simple-same-namespace.yaml index b1ec56341c..ea653b196f 100644 --- a/conformance/tests/tlsroute-terminate-simple-same-namespace.yaml +++ b/conformance/tests/tlsroute-terminate-simple-same-namespace.yaml 
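Review bot: The `token.Wait()` after `client.Connect()` has no bound, and with `opts.SetConnectRetry(true)` the paho connect token does not complete until a connection succeeds, so a gateway that never serves this listener hangs the subtest instead of failing it. Use a bounded wait taken from `suite.TimeoutConfig`, e.g. `if !token.WaitTimeout(timeout) || token.Error() != nil {`, and add `defer client.Disconnect(250)` after `mqtt.NewClient(opts)` so the connection is not left open for the rest of the run. The retained message `unexpected error finding TLS secret` now reports a failed ConfigMap lookup and should say so. `MinVersion: tls.VersionTLS13` also makes TLS 1.3 on the terminating listener part of what is being tested; if that is intended, a comment stating it would help implementers reading a failure.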
@@ -1,17 +1,17 @@ apiVersion: gateway.networking.k8s.io/v1alpha3 kind: TLSRoute metadata: - name: gateway-conformance-infra-test + name: gateway-conformance-mqtt-test namespace: gateway-conformance-infra spec: parentRefs: - name: gateway-tlsroute-terminate namespace: gateway-conformance-infra hostnames: - - abc.example.com + - tls.terminate.com rules: - backendRefs: - - name: infra-backend-v2 + - name: mqtt-backend port: 8080 --- apiVersion: gateway.networking.k8s.io/v1 @@ -22,10 +22,10 @@ metadata: spec: gatewayClassName: "{GATEWAY_CLASS_NAME}" listeners: - - name: https - port: 443 + - name: mqtt + port: 1883 protocol: TLS - hostname: abc.example.com + hostname: tls.terminate.com allowedRoutes: namespaces: from: Same @@ -34,4 +34,62 @@ spec: tls: mode: Terminate certificateRefs: - - name: tls-checks-certificate + - name: tls-terminate-checks-certificate +--- +apiVersion: v1 +kind: Service +metadata: + name: mqtt-backend + namespace: gateway-conformance-infra +spec: + selector: + app: mqtt-backend + ports: + - protocol: TCP + port: 8080 + targetPort: 1883 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mqtt-backend + namespace: gateway-conformance-infra + labels: + app: mqtt-backend +spec: + replicas: 1 + selector: + matchLabels: + app: mqtt-backend + template: + metadata: + labels: + app: mqtt-backend + spec: + containers: + - name: mqtt-backend + # https://hub.docker.com/_/eclipse-mosquitto + image: eclipse-mosquitto:2 + volumeMounts: + - name: config + mountPath: /mosquitto/config/mosquitto.conf + subPath: mosquitto.conf + ports: + - containerPort: 1883 + resources: + requests: + cpu: 10m + volumes: + - name: config + configMap: + name: mosquitto-config +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: mosquitto-config + namespace: gateway-conformance-infra +data: + mosquitto.conf: | + listener 1883 + allow_anonymous true 
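Review bot: The mqtt-backend Deployment pulls `image: eclipse-mosquitto:2` from Docker Hub by a mutable tag, so the conformance run executes whatever that tag resolves to at pull time. Pin it by digest, e.g. `image: eclipse-mosquitto:2@sha256:<DIGEST_PLACEHOLDER>`, or mirror it if the project hosts its other test images itself. The `mosquitto-config` ConfigMap sets `allow_anonymous true` on a plaintext `listener 1883`; that is reasonable behind a terminating Gateway in a test namespace, but a comment in `mosquitto.conf` such as `# test-only broker: TLS is terminated at the Gateway, no auth by design` would keep the manifest from being reused as a template.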
diff --git a/conformance/utils/kubernetes/helpers.go b/conformance/utils/kubernetes/helpers.go index d32899e20e..f395bb06bf 100644 --- a/conformance/utils/kubernetes/helpers.go +++ b/conformance/utils/kubernetes/helpers.go @@ -1037,3 +1037,17 @@ func BackendTLSPolicyMustHaveLatestConditions(t *testing.T, r *gatewayv1.Backend } } } + +// GetConfigMapData fetches the named ConfigMap +func GetConfigMapData(client client.Client, name types.NamespacedName) (map[string]string, error) { + ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) + defer cancel() + + configMap := &v1.ConfigMap{} + err := client.Get(ctx, name, configMap) + if err != nil { + return nil, fmt.Errorf("error fetching ConfigMap: %w", err) + } + + return configMap.Data, nil +} diff --git a/conformance/utils/suite/suite.go b/conformance/utils/suite/suite.go index 5df2c722d9..65a529e9df 100644 --- a/conformance/utils/suite/suite.go +++ b/conformance/utils/suite/suite.go 
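Review bot: The doc comment on `GetConfigMapData` in conformance/utils/kubernetes/helpers.go is incomplete: it says the function fetches the ConfigMap but not that it returns only the `Data` map, nor that a fixed 10-second timeout on `context.Background()` applies. Suggested comment: `// GetConfigMapData returns the Data map of the ConfigMap identified by name, or an error if the lookup fails or does not finish within 10 seconds.` The parameter name `client` shadows the imported `client` package inside the function; `c client.Client` avoids that. Callers already hold `suite.TimeoutConfig`, so taking the timeout as an argument instead of hard-coding it may be worth considering.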
@@ -384,6 +384,10 @@ func (suite *ConformanceTestSuite) Setup(t *testing.T, tests []ConformanceTest) secret = kubernetes.MustCreateCASignedCertSecret(t, "gateway-conformance-infra", "tls-checks-certificate", []string{"abc.example.com", "spiffe://abc.example.com/test-identity", "other.example.com"}, ca, caPrivKey) suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup) + // The following secret is used for TLSRoute mode Terminate validation + secret = kubernetes.MustCreateCASignedCertSecret(t, "gateway-conformance-infra", "tls-terminate-checks-certificate", []string{"tls.terminate.com"}, ca, caPrivKey) + suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup) + // The following CA ceritficate is used for BackendTLSPolicy testing to intentionally force TLS validation to fail. caConfigMap, _, _ = kubernetes.MustCreateCACertConfigMap(t, "gateway-conformance-infra", "mismatch-ca-certificate") suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{caConfigMap}, suite.Cleanup) diff --git a/go.mod b/go.mod index 0536504b04..1808f801f7 100644 --- a/go.mod +++ b/go.mod @@ -3,6 +3,7 @@ module sigs.k8s.io/gateway-api go 1.24.0 require ( + github.com/eclipse/paho.mqtt.golang v1.5.1 github.com/miekg/dns v1.1.68 github.com/stretchr/testify v1.11.1 golang.org/x/net v0.46.0 diff --git a/go.sum b/go.sum index d4c3b81a6c..0bff497b03 100644 --- a/go.sum +++ b/go.sum 
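Review bot: The go.mod hunk adds `github.com/eclipse/paho.mqtt.golang v1.5.1` to the `require` block of the root `sigs.k8s.io/gateway-api` module, so every consumer of the module gets the MQTT client and its transitive dependencies in their module graph for the sake of one conformance test. From the visible hunks the test only needs a TLS handshake verified against the CA and a small payload round trip, which could be done with `crypto/tls` against a simpler echo backend. If the MQTT client stays, a comment next to the requirement such as `// conformance tests only (TLSRoute Terminate)` would record why it is there; whether the conformance code can live in its own module is not visible from this page.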
@@ -10,6 +10,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/eclipse/paho.mqtt.golang v1.5.1 h1:/VSOv3oDLlpqR2Epjn1Q7b2bSTplJIeV2ISgCl2W7nE= +github.com/eclipse/paho.mqtt.golang v1.5.1/go.mod h1:1/yJCneuyOoCOzKSsOTUc0AJfpsItBGWvYpBLimhArU= github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes= github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU= From 0ea5d63e702f31c77e17fd224be7e25815a62caa Mon Sep 17 00:00:00 2001 From: Hung Tran <40334379+phuhung273@users.noreply.github.com> Date: Mon, 13 Oct 2025 03:40:58 -0700 Subject: [PATCH 4/7] Apply suggestions from code review Co-authored-by: Mike Morris --- .../tests/tlsroute-terminate-simple-same-namespace.yaml | 4 ++-- conformance/utils/suite/suite.go | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/conformance/tests/tlsroute-terminate-simple-same-namespace.yaml b/conformance/tests/tlsroute-terminate-simple-same-namespace.yaml index ea653b196f..f18c7b382c 100644 --- a/conformance/tests/tlsroute-terminate-simple-same-namespace.yaml +++ b/conformance/tests/tlsroute-terminate-simple-same-namespace.yaml @@ -8,7 +8,7 @@ spec: - name: gateway-tlsroute-terminate namespace: gateway-conformance-infra hostnames: - - tls.terminate.com + - tls.example.com rules: - backendRefs: - name: mqtt-backend @@ -25,7 +25,7 @@ spec: - name: mqtt port: 1883 protocol: TLS - hostname: tls.terminate.com + hostname: tls.example.com allowedRoutes: namespaces: from: Same 
diff --git a/conformance/utils/suite/suite.go b/conformance/utils/suite/suite.go index 65a529e9df..dd3a3cd87c 100644 --- a/conformance/utils/suite/suite.go +++ b/conformance/utils/suite/suite.go @@ -385,7 +385,7 @@ func (suite *ConformanceTestSuite) Setup(t *testing.T, tests []ConformanceTest) suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup) // The following secret is used for TLSRoute mode Terminate validation - secret = kubernetes.MustCreateCASignedCertSecret(t, "gateway-conformance-infra", "tls-terminate-checks-certificate", []string{"tls.terminate.com"}, ca, caPrivKey) + secret = kubernetes.MustCreateCASignedCertSecret(t, "gateway-conformance-infra", "tls-terminate-checks-certificate", []string{"tls.example.com"}, ca, caPrivKey) suite.Applier.MustApplyObjectsWithCleanup(t, suite.Client, suite.TimeoutConfig, []client.Object{secret}, suite.Cleanup) // The following CA ceritficate is used for BackendTLSPolicy testing to intentionally force TLS validation to fail. From 25443f5f4d3a78321f5e0ac4b7a4ee114dcd434c Mon Sep 17 00:00:00 2001 From: phuhung273 Date: Tue, 14 Oct 2025 17:43:39 +0700 Subject: [PATCH 5/7] mqtt round-trip test --- ...lsroute-terminate-simple-same-namespace.go | 41 +++++++++++++++++-- 1 file changed, 37 insertions(+), 4 deletions(-) diff --git a/conformance/tests/tlsroute-terminate-simple-same-namespace.go b/conformance/tests/tlsroute-terminate-simple-same-namespace.go index 08d3c8a157..912692fb6a 100644 --- a/conformance/tests/tlsroute-terminate-simple-same-namespace.go +++ b/conformance/tests/tlsroute-terminate-simple-same-namespace.go 
@@ -20,13 +20,14 @@ import ( "crypto/tls" "crypto/x509" "fmt" + "sync" "testing" + "time" "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" "sigs.k8s.io/gateway-api/conformance/utils/suite" - "sigs.k8s.io/gateway-api/conformance/utils/tlog" "sigs.k8s.io/gateway-api/pkg/features" mqtt "github.com/eclipse/paho.mqtt.golang" @@ -69,7 +70,7 @@ var TLSRouteTerminateSimpleSameNamespace = suite.ConformanceTest{ } t.Run("Simple MQTT TLS request matching TLSRoute should reach mqtt-backend", func(t *testing.T) { - tlog.Logf(t, "Establishing MQTT connection to host %s via %s", serverStr, gwAddr) + t.Logf("Establishing MQTT connection to host %s via %s", serverStr, gwAddr) certpool := x509.NewCertPool() if !certpool.AppendCertsFromPEM([]byte(caString)) { 
@@ -85,11 +86,43 @@ var TLSRouteTerminateSimpleSameNamespace = suite.ConformanceTest{ }) opts.SetConnectRetry(true) + var wg sync.WaitGroup + wg.Add(1) + + topic := "test/tlsroute-terminate" + opts.OnConnect = func(c mqtt.Client) { + t.Log("Connected to MQTT broker") + + if token := c.Subscribe(topic, 0, func(_ mqtt.Client, msg mqtt.Message) { + t.Logf("Received message: %s\n", string(msg.Payload())) + wg.Done() + }); token.Wait() && token.Error() != nil { + t.Fatalf("Failed to subscribe: %v", token.Error()) + } + + t.Log("Subscribed, publishing test message...") + if token := c.Publish(topic, 0, false, "Hello TLSRoute Terminate MQTT!"); token.Wait() && token.Error() != nil { + t.Fatalf("Failed to publish: %v", token.Error()) + } + } + client := mqtt.NewClient(opts) - token := client.Connect() - if token.Wait() && token.Error() != nil { + if token := client.Connect(); token.Wait() && token.Error() != nil { t.Fatalf("Connection failed: %v", token.Error()) } + + waitCh := make(chan struct{}) + go func() { + wg.Wait() + close(waitCh) + }() + + select { + case <-waitCh: + t.Log("Round-trip test succeeded") + case <-time.After(5 * time.Second): + t.Fatal("Timed out waiting for message") + } }) }, } From 0531cee868edfd831d23f7fc068b0874b8bd98d0 Mon Sep 17 00:00:00 2001 From: phuhung273 Date: Mon, 20 Oct 2025 23:22:17 +0700 Subject: [PATCH 6/7] adjust confusing port --- .../tests/tlsroute-terminate-simple-same-namespace.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/conformance/tests/tlsroute-terminate-simple-same-namespace.yaml b/conformance/tests/tlsroute-terminate-simple-same-namespace.yaml index f18c7b382c..00b8e6fee1 100644 --- a/conformance/tests/tlsroute-terminate-simple-same-namespace.yaml +++ b/conformance/tests/tlsroute-terminate-simple-same-namespace.yaml @@ -12,7 +12,7 @@ spec: rules: - backendRefs: - name: mqtt-backend - port: 8080 + port: 1883 --- apiVersion: gateway.networking.k8s.io/v1 kind: Gateway 
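Review bot: The `opts.OnConnect` handler added in this hunk calls `t.Fatalf` and `wg.Done()` from goroutines owned by the MQTT client rather than from the test goroutine. `t.Fatalf` is only valid on the goroutine running the test, and because `SetConnectRetry(true)` is set and the handler runs again after any reconnect, a second delivery would call `wg.Done()` on a zero counter and panic. The received payload is also never compared with what was published, so any message on the topic passes, and the client is never disconnected. Reporting through buffered channels and asserting on the test goroutine fixes all of these; the `sync` import and the `waitCh` goroutine are then no longer needed. The subtest closure begins outside this hunk.

```go
// … unchanged: cert pool, broker address and TLS config …

const payload = "Hello TLSRoute Terminate MQTT!"
topic := "test/tlsroute-terminate"
received := make(chan string, 1)
failed := make(chan error, 1)

// OnConnect runs on a client goroutine and again after every reconnect,
// so it only reports through channels; sends are non-blocking so that a
// repeated callback can neither block nor panic.
opts.OnConnect = func(c mqtt.Client) {
	report := func(err error) {
		select {
		case failed <- err:
		default:
		}
	}
	if token := c.Subscribe(topic, 0, func(_ mqtt.Client, msg mqtt.Message) {
		select {
		case received <- string(msg.Payload()):
		default:
		}
	}); token.Wait() && token.Error() != nil {
		report(fmt.Errorf("subscribe: %w", token.Error()))
		return
	}
	if token := c.Publish(topic, 0, false, payload); token.Wait() && token.Error() != nil {
		report(fmt.Errorf("publish: %w", token.Error()))
	}
}

client := mqtt.NewClient(opts)
defer client.Disconnect(250)
// … unchanged: client.Connect() and its error check …

select {
case got := <-received:
	if got != payload {
		t.Fatalf("Received payload %q, want %q", got, payload)
	}
	t.Log("Round-trip test succeeded")
case err := <-failed:
	t.Fatalf("MQTT round trip failed: %v", err)
case <-time.After(5 * time.Second):
	t.Fatal("Timed out waiting for message")
}
```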
@@ -23,7 +23,7 @@ spec: gatewayClassName: "{GATEWAY_CLASS_NAME}" listeners: - name: mqtt - port: 1883 + port: 8883 protocol: TLS hostname: tls.example.com allowedRoutes: @@ -46,7 +46,7 @@ spec: app: mqtt-backend ports: - protocol: TCP - port: 8080 + port: 1883 targetPort: 1883 --- apiVersion: apps/v1 From 1e374ed3af438936f5f9a9bab68665920569c248 Mon Sep 17 00:00:00 2001 From: phuhung273 Date: Thu, 30 Oct 2025 17:41:50 +0700 Subject: [PATCH 7/7] make test Provisional Signed-off-by: phuhung273 --- conformance/tests/tlsroute-terminate-simple-same-namespace.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/conformance/tests/tlsroute-terminate-simple-same-namespace.go b/conformance/tests/tlsroute-terminate-simple-same-namespace.go index 912692fb6a..2ff96d9c4b 100644 --- a/conformance/tests/tlsroute-terminate-simple-same-namespace.go +++ b/conformance/tests/tlsroute-terminate-simple-same-namespace.go @@ -45,7 +45,8 @@ var TLSRouteTerminateSimpleSameNamespace = suite.ConformanceTest{ features.SupportTLSRoute, features.SupportTLSRouteModeTerminate, }, - Manifests: []string{"tests/tlsroute-terminate-simple-same-namespace.yaml"}, + Provisional: true, + Manifests: []string{"tests/tlsroute-terminate-simple-same-namespace.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { ns := "gateway-conformance-infra" routeNN := types.NamespacedName{Name: "gateway-conformance-mqtt-test", Namespace: ns}