Add Knative provider

integration/fixtures/knative/01-rbac.yml

@@ -0,0 +1,50 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: knative-networking-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.internal.knative.dev
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.internal.knative.dev
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: traefik
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: knative-networking-role
+subjects:
+  - kind: ServiceAccount
+    name: traefik
+    namespace: traefik

integration/fixtures/knative/02-traefik.yml

@@ -0,0 +1,102 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: traefik
+
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: traefik
+  namespace: traefik
+
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: traefik
+  namespace: traefik
+  labels:
+    app: traefik
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: traefik
+  template:
+    metadata:
+      labels:
+        app: traefik
+    spec:
+      serviceAccountName: traefik
+      containers:
+        - name: traefik
+          image: traefik/traefik:latest
+          imagePullPolicy: Never
+          args:
+            - --api.insecure
+            - --log.level=debug
+            - --entrypoints.pweb.address=:80
+            - --entrypoints.pwebsecure.address=:443
+            - --entrypoints.privweb.address=:8080
+            - --entrypoints.privwebsecure.address=:4443
+            - --entrypoints.traefik.address=:9000
+            - --experimental.knative
+            - --providers.knative.publicEntrypoints=pweb,pwebsecure
+            - --providers.knative.publicService.namespace=traefik
+            - --providers.knative.publicService.name=traefik
+            - --providers.knative.privateEntrypoints=privweb,privwebsecure
+            - --providers.knative.privateService.namespace=traefik
+            - --providers.knative.privateService.name=privtraefik
+            - --providers.knative.throttleduration=2s
+
+          ports:
+            - name: pweb
+              containerPort: 80
+            - name: pwebsecure
+              containerPort: 443
+            - name: privweb
+              containerPort: 8080
+            - name: privwebsecure
+              containerPort: 4443
+            - name: traefik
+              containerPort: 9000
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik
+  namespace: traefik
+spec:
+  type: LoadBalancer
+  selector:
+    app: traefik
+  ports:
+    - port: 80
+      name: web
+      targetPort: pweb
+    - port: 443
+      name: websecure
+      targetPort: pwebsecure
+    - port: 9000
+      name: traefik
+      targetPort: traefik
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: privtraefik
+  namespace: traefik
+spec:
+  selector:
+    app: traefik
+  ports:
+    - port: 80
+      name: web
+      targetPort: privweb
+    - port: 443
+      name: websecure
+      targetPort: privwebsecure

integration/fixtures/knative/04-serving-tests-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: serving-tests

integration/fixtures/knative/tools.go

@@ -0,0 +1,14 @@
+//go:build tools
+
+package tools
+
+// The following dependencies are required by the Knative conformance tests.
+// They allow to download the test_images when calling "go mod vendor".
+import (
+	_ "knative.dev/networking/test/test_images/grpc-ping"
+	_ "knative.dev/networking/test/test_images/httpproxy"
+	_ "knative.dev/networking/test/test_images/retry"
+	_ "knative.dev/networking/test/test_images/runtime"
+	_ "knative.dev/networking/test/test_images/timeout"
+	_ "knative.dev/networking/test/test_images/wsserver"
+)

integration/fixtures/knative/upload-test-images.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+
+function upload_test_images() {
+  echo ">> Publishing test images"
+  (
+    # Script needs to be executed from repo root
+    cd "$( dirname "$0")/../../../"
+    echo "Current working directory: $(pwd)"
+    local image_dir="vendor/knative.dev/networking/test/test_images"
+    local docker_tag=$1
+    local tag_option=""
+    if [ -n "${docker_tag}" ]; then
+      tag_option="--tags $docker_tag,latest"
+    fi
+
+    # ko resolve is being used for the side-effect of publishing images,
+    # so the resulting yaml produced is ignored.
+    # shellcheck disable=SC2086
+    ko resolve --jobs=4 ${tag_option} -RBf "${image_dir}" > /dev/null
+  )
+}
+
+: "${KO_DOCKER_REPO:?"You must set 'KO_DOCKER_REPO', see DEVELOPMENT.md"}"
+
+upload_test_images "$@"

integration/integration_test.go

@@ -42,7 +42,13 @@ var (
 	k8sConformanceTraefikVersion = flag.String("k8sConformanceTraefikVersion", "dev", "specify the Traefik version for the K8s Gateway API conformance report")
 )
 
-const tailscaleSecretFilePath = "tailscale.secret"
+const (
+	k3sImage                = "docker.io/rancher/k3s:v1.32.9-k3s1"
+	traefikImage            = "traefik/traefik:latest"
+	traefikDeployment       = "deployments/traefik"
+	traefikNamespace        = "traefik"
+	tailscaleSecretFilePath = "tailscale.secret"
+)
 
 type composeConfig struct {
 	Services map[string]composeService `yaml:"services"`

integration/k8s_conformance_test.go

@@ -37,13 +37,6 @@ import (
 	"sigs.k8s.io/yaml"
 )
 
-const (
-	k3sImage          = "docker.io/rancher/k3s:v1.29.3-k3s1"
-	traefikImage      = "traefik/traefik:latest"
-	traefikDeployment = "deployments/traefik"
-	traefikNamespace  = "traefik"
-)
-
 // K8sConformanceSuite tests suite.
 type K8sConformanceSuite struct {
 	BaseSuite

integration/knative_conformance_test.go

@@ -0,0 +1,178 @@
+// Use a build tag to include and run Knative conformance tests.
+// The Knative conformance toolkit redefines the skip-tests flag,
+// which conflicts with the testing library and causes a panic.
+//go:build knativeConformance
+
+package integration
+
+import (
+	"flag"
+	"io"
+	"os"
+	"slices"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/suite"
+	"github.com/testcontainers/testcontainers-go"
+	"github.com/testcontainers/testcontainers-go/modules/k3s"
+	"github.com/testcontainers/testcontainers-go/network"
+	"github.com/traefik/traefik/v3/integration/try"
+	"knative.dev/networking/test/conformance/ingress"
+	klog "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+)
+
+const knativeNamespace = "knative-serving"
+
+var imageNames = []string{
+	traefikImage,
+	"ko.local/grpc-ping:latest",
+	"ko.local/httpproxy:latest",
+	"ko.local/retry:latest",
+	"ko.local/runtime:latest",
+	"ko.local/wsserver:latest",
+	"ko.local/timeout:latest",
+}
+
+type KnativeConformanceSuite struct {
+	BaseSuite
+
+	k3sContainer *k3s.K3sContainer
+}
+
+func TestKnativeConformanceSuite(t *testing.T) {
+	suite.Run(t, new(KnativeConformanceSuite))
+}
+
+func (s *KnativeConformanceSuite) SetupSuite() {
+	s.BaseSuite.SetupSuite()
+
+	// Avoid panic.
+	klog.SetLogger(zap.New())
+
+	provider, err := testcontainers.ProviderDocker.GetProvider()
+	if err != nil {
+		s.T().Fatal(err)
+	}
+
+	ctx := s.T().Context()
+
+	// Ensure image is available locally.
+	images, err := provider.ListImages(ctx)
+	if err != nil {
+		s.T().Fatal(err)
+	}
+
+	if !slices.ContainsFunc(images, func(img testcontainers.ImageInfo) bool {
+		return img.Name == traefikImage
+	}) {
+		s.T().Fatal("Traefik image is not present")
+	}
+
+	s.k3sContainer, err = k3s.Run(ctx,
+		k3sImage,
+		k3s.WithManifest("./fixtures/knative/00-knative-crd-v1.19.0.yml"),
+		k3s.WithManifest("./fixtures/knative/01-rbac.yml"),
+		k3s.WithManifest("./fixtures/knative/02-traefik.yml"),
+		k3s.WithManifest("./fixtures/knative/03-knative-serving-v1.19.0.yaml"),
+		k3s.WithManifest("./fixtures/knative/04-serving-tests-namespace.yaml"),
+		network.WithNetwork(nil, s.network),
+	)
+	if err != nil {
+		s.T().Fatal(err)
+	}
+
+	for _, imageName := range imageNames {
+		if err = s.k3sContainer.LoadImages(ctx, imageName); err != nil {
+			s.T().Fatal(err)
+		}
+	}
+
+	exitCode, _, err := s.k3sContainer.Exec(ctx, []string{"kubectl", "wait", "-n", traefikNamespace, traefikDeployment, "--for=condition=Available", "--timeout=10s"})
+	if err != nil || exitCode > 0 {
+		s.T().Fatalf("Traefik pod is not ready: %v", err)
+	}
+
+	exitCode, _, err = s.k3sContainer.Exec(ctx, []string{"kubectl", "wait", "-n", knativeNamespace, "deployment/activator", "--for=condition=Available", "--timeout=10s"})
+	if err != nil || exitCode > 0 {
+		s.T().Fatalf("Activator pod is not ready: %v", err)
+	}
+
+	exitCode, _, err = s.k3sContainer.Exec(ctx, []string{"kubectl", "wait", "-n", knativeNamespace, "deployment/controller", "--for=condition=Available", "--timeout=10s"})
+	if err != nil || exitCode > 0 {
+		s.T().Fatalf("Controller pod is not ready: %v", err)
+	}
+
+	exitCode, _, err = s.k3sContainer.Exec(ctx, []string{"kubectl", "wait", "-n", knativeNamespace, "deployment/autoscaler", "--for=condition=Available", "--timeout=10s"})
+	if err != nil || exitCode > 0 {
+		s.T().Fatalf("Autoscaler pod is not ready: %v", err)
+	}
+
+	exitCode, _, err = s.k3sContainer.Exec(ctx, []string{"kubectl", "wait", "-n", knativeNamespace, "deployment/webhook", "--for=condition=Available", "--timeout=10s"})
+	if err != nil || exitCode > 0 {
+		s.T().Fatalf("Webhook pod is not ready: %v", err)
+	}
+}
+
+func (s *KnativeConformanceSuite) TearDownSuite() {
+	ctx := s.T().Context()
+
+	if s.T().Failed() || *showLog {
+		k3sLogs, err := s.k3sContainer.Logs(ctx)
+		if err == nil {
+			if res, err := io.ReadAll(k3sLogs); err == nil {
+				s.T().Log(string(res))
+			}
+		}
+
+		exitCode, result, err := s.k3sContainer.Exec(ctx, []string{"kubectl", "logs", "-n", traefikNamespace, traefikDeployment})
+		if err == nil || exitCode == 0 {
+			if res, err := io.ReadAll(result); err == nil {
+				s.T().Log(string(res))
+			}
+		}
+	}
+
+	if err := s.k3sContainer.Terminate(ctx); err != nil {
+		s.T().Fatal(err)
+	}
+
+	s.BaseSuite.TearDownSuite()
+}
+
+func (s *KnativeConformanceSuite) TestKnativeConformance() {
+	// Wait for traefik to start
+	k3sContainerIP, err := s.k3sContainer.ContainerIP(s.T().Context())
+	require.NoError(s.T(), err)
+
+	err = try.GetRequest("http://"+k3sContainerIP+":9000/api/entrypoints", 10*time.Second, try.BodyContains(`"name":"pweb"`))
+	require.NoError(s.T(), err)
+
+	kubeconfig, err := s.k3sContainer.GetKubeConfig(s.T().Context())
+	if err != nil {
+		s.T().Fatal(err)
+	}
+
+	// Write the kubeconfig.yaml in a temp file.
+	kubeconfigFile := s.T().TempDir() + "/kubeconfig.yaml"
+
+	if err = os.WriteFile(kubeconfigFile, kubeconfig, 0o644); err != nil {
+		s.T().Fatal(err)
+	}
+
+	if err = flag.CommandLine.Set("kubeconfig", kubeconfigFile); err != nil {
+		s.T().Fatal(err)
+	}
+
+	if err = flag.CommandLine.Set("ingressClass", "traefik.ingress.networking.knative.dev"); err != nil {
+		s.T().Fatal(err)
+	}
+
+	if err = flag.CommandLine.Set("skip-tests", "headers/probe"); err != nil {
+		s.T().Fatal(err)
+	}
+
+	ingress.RunConformance(s.T())
+}