test(conformance): Add BackendTLSPolicy conformance test for GRPCRoute #4882

Open: Thealisyed wants to merge 1 commit into kubernetes-sigs:main from Thealisyed:backendtlspolicy-grpcroute-conformance

@Thealisyed
Contributor

/kind test
/area conformance-test

What this PR does / why we need it:
Add BackendTLSPolicy conformance test for GRPCRoute

Add conformance tests verifying that BackendTLSPolicy works correctly with GRPCRoute, covering valid TLS configuration, hostname mismatch and CA certificate mismatch scenarios.

Also adds MakeRequestAndExpectEventuallyConsistentFailure to the gRPC test utilities and registers BackendTLSPolicy features in the GATEWAY-GRPC conformance profile.

Which issue(s) this PR fixes:
Fixes #4754

Does this PR introduce a user-facing change?:

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. kind/test area/conformance-test Issues or PRs related to Conformance tests. labels May 19, 2026
@k8s-ci-robot k8s-ci-robot requested review from candita and kl52752 May 19, 2026 15:48
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Thealisyed
Once this PR has been reviewed and has the lgtm label, please assign kflynn for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 19, 2026
@k8s-ci-robot
Contributor

Hi @Thealisyed. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label May 19, 2026
Add BackendTLSPolicy conformance test for GRPCRoute

Add conformance tests verifying that BackendTLSPolicy works correctly
with GRPCRoute, covering valid TLS configuration, hostname mismatch
and CA certificate mismatch scenarios.

Also adds MakeRequestAndExpectEventuallyConsistentFailure to the gRPC
test utilities and registers BackendTLSPolicy features in the
GATEWAY-GRPC conformance profile.

Ai tool was used to assist

Signed-off-by: Ali Syed <thealisyed@gmail.com>
@Thealisyed Thealisyed force-pushed the backendtlspolicy-grpcroute-conformance branch from 51b323d to 3c1d305 Compare May 19, 2026 15:48
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. label May 19, 2026
@Thealisyed
Contributor Author

Istio results:

  
  === RUN   TestConformance/BackendTLSPolicyGRPCRoute
      --- FAIL: TestConformance/BackendTLSPolicyGRPCRoute/gRPC_request_sent_to_Service_with_valid_BackendTLSPolicy_should_succeed
          Response expectation failed: received Unavailable (connection termination)
          Root cause: Istio does not negotiate h2 ALPN on upstream TLS
          connections for BackendTLSPolicy, sending HTTP/1.1 to a gRPC
          backend that requires HTTP/2.
      --- PASS: TestConformance/BackendTLSPolicyGRPCRoute/gRPC_request_sent_to_Service_targeted_by_BackendTLSPolicy_with_mismatched_hostname_should_fail
      --- PASS: TestConformance/BackendTLSPolicyGRPCRoute/gRPC_request_sent_to_Service_targeted_by_BackendTLSPolicy_with_mismatched_cert_should_fail

Contributor

@davidjumani davidjumani left a comment

/lgtm

spec:
containers:
- name: grpc-tls-backend
image: registry.k8s.io/gateway-api/echo-basic:v1.5.1
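
Review bot: the `image:` line references `registry.k8s.io/gateway-api/echo-basic` by the tag `v1.5.1` only. A tag can be re-pointed and has to be bumped by hand at each release; pinning the digest alongside it (`echo-basic:v1.5.1@sha256:<digest>`) would keep the TLS test backend reproducible, and a short comment saying where the version is synced from would help the next bump.
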
Contributor

Would this need to be updated when new releases are cut?

Member

yes, we may want to sync all of them soon

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 25, 2026
@@ -0,0 +1,199 @@
apiVersion: apps/v1
Member

Instead of creating a new deployment, why not just update the ones existing on conformance/base/manifests.yaml to also set a TLS endpoint for GRPC? You can even pick just one and use it

Contributor

but grpc is served on the same port as https? 8443, I guess we need a different port

Contributor Author

Ack, will add TLS to the existing grpc-infra-backend-v1 in base/manifests.yaml on port 8443

@rikatz
Member

rikatz commented May 26, 2026

@Thealisyed I am not getting it passing on Istio, maybe we need to investigate why better and if this is related to the test or not.

The negative mismatched tests not passing is fine, as something is erroring. But I wanted to have at least one scenario where this passes. Maybe test with other implementations as well (envoy gateway, or kgateway) and see if this is a problem of implementation or a problem of Istio? :)

Features: []features.FeatureName{
features.SupportGateway,
features.SupportGRPCRoute,
features.SupportBackendTLSPolicy,
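
Review bot: the `Features:` list names `features.SupportGRPCRoute` and `features.SupportBackendTLSPolicy` together but carries no comment saying the combination is deliberate. A one-line comment above `Features:` stating that the test applies only to implementations claiming both would document the gating for whoever maintains the profile next.
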
Contributor

I think we should use a different tag for this, SupportBackendTLSPolicyForGRPC?

Contributor Author

Our test requires both SupportGRPCRoute and SupportBackendTLSPolicy so only implementations that claim both would run it. If we implement the per route type feature then it would be introducing a new pattern and be problematic maybe?

Member

@kl52752 this is based on the Union feature concept. When an implementation claims to support GRPCRoute and to support BackendTLSPolicy they must support both.

Labels

area/conformance-test Issues or PRs related to Conformance tests. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/test lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. release-note-none Denotes a PR that doesn't merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Development

Successfully merging this pull request may close these issues.

[Conformance] BackendTLSPolicy as union feature

5 participants