gateway-api icon indicating copy to clipboard operation
gateway-api copied to clipboard

Published 20 hours ago verified publisher icon kubernetes-sigs

Conformance - Support for TLS-Encrypted Test Cases in GRPCRoute

Open tao12345666333 opened this issue 2 months ago • 8 comments

What happened:

As we integrate and evolve our implementation to align with the Gateway API's standards, we have encountered a notable scenario that I believe warrants consideration for the broader community and the future direction of GRPCRoute conformance tests.

Background: In the course of updating our implementation KIC to support the latest iterations of Gateway API, specifically around GRPCRoute, we have observed that the current conformance tests predominantly anticipate unencrypted (plaintext) gRPC traffic.

This observation is based on the default behavior in our own, where the default protocol for GRPCRoute has been set to grpcs to accommodate secure communication practices, which is a deviation from what the current conformance tests seem to expect.

Reference to our implementation details can be found here: KIC GRPCRoute Translation

What you expected to happen:

Given the increasing adoption of TLS/SSL to secure gRPC traffic in production environments, we propose the inclusion of TLS-encrypted test cases within the GRPCRoute conformance testing suite. This addition would not only reflect the real-world usage scenarios more accurately but also encourage implementations to support secure gRPC communication.

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

  • The gRPC client used in conformance test https://github.com/kubernetes-sigs/gateway-api/blob/400e36da6929b98674e1d71bdd7eb65ca72e7438/conformance/utils/grpc/grpc.go#L144-L160
  • The GRPCRoute GEP-1016 methioned that the H2C (gRPC without TLS Encrypted) is more for testing. The protocol that is not mandatory to use in the standard is grpc or grpcs.
  • I noticed that some implementations (e.g. cilium, envoy-gateway) have passed the GRPCRoute conformance test, which is because they default to support H2C.

tao12345666333 avatar Apr 11 '24 19:04 tao12345666333