
Conversation

ciarams87
Contributor

@ciarams87 ciarams87 commented Sep 8, 2025

Proposed changes

Problem: The BackendTLSPolicy spec was updated to include specific rules around certificate validation that we were not adhering to

Solution: Update our validation and conditions to match the updated spec

Testing: Local, unit, and conformance testing

--- PASS: TestConformance/BackendTLSPolicyConflictResolution (1.19s)
--- PASS: TestConformance/BackendTLSPolicyConflictResolution/Conflicting_BackendTLSPolicies_targeting_the_same_Service_without_a_section_name (0.01s)
	--- PASS: TestConformance/BackendTLSPolicyConflictResolution/Conflicting_BackendTLSPolicies_targeting_the_same_Service_without_a_section_name/First_BackendTLSPolicy_should_be_accepted (0.00s)
	--- PASS: TestConformance/BackendTLSPolicyConflictResolution/Conflicting_BackendTLSPolicies_targeting_the_same_Service_without_a_section_name/Second_BackendTLSPolicy_should_have_a_false_Accepted_condition_with_reason_Conflicted_ (0.00s)
	--- PASS: TestConformance/BackendTLSPolicyConflictResolution/Conflicting_BackendTLSPolicies_targeting_the_same_Service_without_a_section_name/HTTP_request_sent_to_Service_using_the_accepted_BackendTLSPolicy_should_succeed (0.01s)
--- PASS: TestConformance/BackendTLSPolicyConflictResolution/Conflicting_BackendTLSPolicies_targeting_the_same_Service_with_the_same_section_name (0.01s)
	--- PASS: TestConformance/BackendTLSPolicyConflictResolution/Conflicting_BackendTLSPolicies_targeting_the_same_Service_with_the_same_section_name/First_BackendTLSPolicy_should_be_accepted (0.00s)
	--- PASS: TestConformance/BackendTLSPolicyConflictResolution/Conflicting_BackendTLSPolicies_targeting_the_same_Service_with_the_same_section_name/Second_BackendTLSPolicy_should_have_a_false_Accepted_condition_with_reason_Conflicted_ (0.00s)
	--- PASS: TestConformance/BackendTLSPolicyConflictResolution/Conflicting_BackendTLSPolicies_targeting_the_same_Service_with_the_same_section_name/HTTP_request_sent_to_Service_using_the_accepted_BackendTLSPolicy_should_succeed (0.01s)
--- PASS: TestConformance/BackendTLSPolicyConflictResolution/BackendTLSPolicies_targeting_the_same_Service_with_and_without_a_section_name (0.02s)
	--- PASS: TestConformance/BackendTLSPolicyConflictResolution/BackendTLSPolicies_targeting_the_same_Service_with_and_without_a_section_name/BackendTLSPolicy_with_section_name_should_be_accepted (0.00s)
	--- PASS: TestConformance/BackendTLSPolicyConflictResolution/BackendTLSPolicies_targeting_the_same_Service_with_and_without_a_section_name/BackendTLSPolicy_without_section_name_should_be_accepted (0.00s)
	--- PASS: TestConformance/BackendTLSPolicyConflictResolution/BackendTLSPolicies_targeting_the_same_Service_with_and_without_a_section_name/HTTP_request_sent_to_Service_using_the_BackendTLSPolicy_with_section_name_should_succeed (0.01s)
	--- PASS: TestConformance/BackendTLSPolicyConflictResolution/BackendTLSPolicies_targeting_the_same_Service_with_and_without_a_section_name/HTTP_request_sent_to_Service_using_the_BackendTLSPolicy_without_section_name_should_succeed (0.01s)
--- PASS: TestConformance/BackendTLSPolicyInvalidCACertificateRef (1.11s)
--- PASS: TestConformance/BackendTLSPolicyInvalidCACertificateRef/BackendTLSPolicy_nonexistent-ca-certificate-ref (0.01s)
	--- PASS: TestConformance/BackendTLSPolicyInvalidCACertificateRef/BackendTLSPolicy_nonexistent-ca-certificate-ref/BackendTLSPolicy_with_a_single_invalid_CACertificateRef_has_a_Accepted_Condition_with_status_False_and_Reason_NoValidCACertificate (0.00s)
	--- PASS: TestConformance/BackendTLSPolicyInvalidCACertificateRef/BackendTLSPolicy_nonexistent-ca-certificate-ref/BackendTLSPolicy_with_a_single_invalid_CACertificateRef_has_a_ResolvedRefs_Condition_with_status_False_and_Reason_InvalidCACertificateRef (0.00s)
	--- PASS: TestConformance/BackendTLSPolicyInvalidCACertificateRef/BackendTLSPolicy_nonexistent-ca-certificate-ref/HTTP_Request_to_backend_targeted_by_an_invalid_BackendTLSPolicy_receive_a_5xx (0.00s)
--- PASS: TestConformance/BackendTLSPolicyInvalidCACertificateRef/BackendTLSPolicy_malformed-ca-certificate-ref (0.00s)
	--- PASS: TestConformance/BackendTLSPolicyInvalidCACertificateRef/BackendTLSPolicy_malformed-ca-certificate-ref/BackendTLSPolicy_with_a_single_invalid_CACertificateRef_has_a_Accepted_Condition_with_status_False_and_Reason_NoValidCACertificate (0.00s)
	--- PASS: TestConformance/BackendTLSPolicyInvalidCACertificateRef/BackendTLSPolicy_malformed-ca-certificate-ref/BackendTLSPolicy_with_a_single_invalid_CACertificateRef_has_a_ResolvedRefs_Condition_with_status_False_and_Reason_InvalidCACertificateRef (0.00s)
	--- PASS: TestConformance/BackendTLSPolicyInvalidCACertificateRef/BackendTLSPolicy_malformed-ca-certificate-ref/HTTP_Request_to_backend_targeted_by_an_invalid_BackendTLSPolicy_receive_a_5xx (0.00s)
--- PASS: TestConformance/BackendTLSPolicyInvalidKind (1.07s)
--- PASS: TestConformance/BackendTLSPolicyInvalidKind/BackendTLSPolicy_with_a_single_invalid_CACertificateRef_has_a_Accepted_Condition_with_status_False_and_Reason_NoValidCACertificate (0.00s)
--- PASS: TestConformance/BackendTLSPolicyInvalidKind/BackendTLSPolicy_with_a_single_invalid_CACertificateRef_has_a_ResolvedRefs_Condition_with_status_False_and_Reason_InvalidKind (0.00s)
--- PASS: TestConformance/BackendTLSPolicyInvalidKind/HTTP_Request_to_backend_targeted_by_an_invalid_BackendTLSPolicy_receive_a_5xx (0.00s)
--- FAIL: TestConformance/BackendTLSPolicyObservedGenerationBump (60.08s)
--- FAIL: TestConformance/BackendTLSPolicyObservedGenerationBump/observedGeneration_should_increment (60.02s)
--- SKIP: TestConformance/BackendTLSPolicySANValidation (0.00s)
--- PASS: TestConformance/BackendTLSPolicy (2.24s)
--- PASS: TestConformance/BackendTLSPolicy/Re-encrypt_HTTPS_request_sent_to_Service_with_valid_BackendTLSPolicy_should_succeed (2.05s)
--- PASS: TestConformance/BackendTLSPolicy/HTTP_request_sent_to_Service_with_valid_BackendTLSPolicy_should_succeed (0.01s)
--- PASS: TestConformance/BackendTLSPolicy/HTTP_request_sent_to_Service_targeted_by_BackendTLSPolicy_with_mismatched_hostname_should_return_an_HTTP_error (0.01s)
--- PASS: TestConformance/BackendTLSPolicy/HTTP_request_send_to_Service_targeted_by_BackendTLSPolicy_with_mismatched_cert_should_return_HTTP_error (0.02s)

-> see https://github.com/nginx/nginx-gateway-fabric/actions/runs/17551266824/job/49845122033?pr=3871

NOTE: BackendTLSPolicyObservedGenerationBump/observedGeneration_should_increment is failing due to what looks like a test fixtures failure, as the error is related to not being able to find the ConfigMap - this is not related to the validation changes and will be followed up in a separate ticket

Closes #3651

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

Updated BackendTLSPolicy validation to align with the updated spec.

@github-actions github-actions bot added enhancement New feature or request dependencies Pull requests that update a dependency file labels Sep 8, 2025
@github-actions github-actions bot removed the dependencies Pull requests that update a dependency file label Sep 8, 2025
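The condition outcomes named in the conformance results above, sketched as an added example; this is not code from the PR or from NGINX Gateway Fabric. The types `CARef` and `Condition`, the functions `evaluate` and `constructedCAPEM`, the success reasons "ResolvedRefs" and "Accepted", and the handling of a list that mixes valid and invalid refs are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical, simplified stand-ins for the Gateway API types.
type CARef struct{ Kind, Name string }
type Condition struct{ Type, Status, Reason string }

// evaluate resolves CA refs against configMaps (name -> PEM data) and fails closed.
func evaluate(refs []CARef, configMaps map[string]string) []Condition {
	resolved := Condition{"ResolvedRefs", "True", "ResolvedRefs"}
	// Not accepted until at least one ref yields a parseable certificate.
	accepted := Condition{"Accepted", "False", "NoValidCACertificate"}
	for _, r := range refs {
		pemData, found := configMaps[r.Name]
		switch {
		case r.Kind != "ConfigMap": // only ConfigMap is supported in this sketch
			resolved = Condition{"ResolvedRefs", "False", "InvalidKind"}
		case !found || !x509.NewCertPool().AppendCertsFromPEM([]byte(pemData)):
			resolved = Condition{"ResolvedRefs", "False", "InvalidCACertificateRef"}
		default:
			accepted = Condition{"Accepted", "True", "Accepted"}
		}
	}
	return []Condition{resolved, accepted}
}

// constructedCAPEM builds a throwaway self-signed certificate as sample input.
func constructedCAPEM() string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func main() {
	cms := map[string]string{"good-ca": constructedCAPEM(), "bad-ca": "not a certificate"}
	for _, ref := range []CARef{{"ConfigMap", "good-ca"}, {"ConfigMap", "missing"}, {"ConfigMap", "bad-ca"}, {"Secret", "good-ca"}} {
		fmt.Println(ref, evaluate([]CARef{ref}, cms))
	}
}
```

A policy left with `Accepted` set to False is the case in which the conformance results above expect requests to the targeted backend to receive a 5xx, rather than being proxied without certificate verification.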

codecov bot commented Sep 8, 2025

Codecov Report

❌ Patch coverage is 50.00000% with 41 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.78%. Comparing base (2993d57) to head (30ae3c4).

Files with missing lines | Patch % | Lines
internal/controller/state/conditions/conditions.go | 0.00% | 28 Missing ⚠️
internal/controller/state/graph/backend_refs.go | 63.63% | 6 Missing and 2 partials ⚠️
...ernal/controller/state/graph/backend_tls_policy.go | 84.37% | 5 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3871      +/-   ##
==========================================
- Coverage   86.99%   86.78%   -0.22%     
==========================================
  Files         128      128              
  Lines       16434    16500      +66     
  Branches       62       62              
==========================================
+ Hits        14297    14319      +22     
- Misses       1960     2001      +41     
- Partials      177      180       +3     

@ciarams87 ciarams87 marked this pull request as ready for review September 8, 2025 14:49
@ciarams87 ciarams87 requested a review from a team as a code owner September 8, 2025 14:50
@ciarams87 ciarams87 merged commit c330d5e into main Sep 8, 2025
64 of 66 checks passed
@ciarams87 ciarams87 deleted the feat/align-btls-pol branch September 8, 2025 20:04
@github-project-automation github-project-automation bot moved this from 🆕 New to ✅ Done in NGINX Gateway Fabric Sep 8, 2025
Labels
enhancement New feature or request release-notes
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

Align with Gateway API invalid BackendTLSPolicy conventions
3 participants