Description
Note: #870 — wait for that PR to be merged before starting work on this.
When spec.mtls.enable: true is set in the Kuadrant CR, the Envoy cluster patches for Authorino and Limitador include a TLS transport_socket (via Istio SDS). This causes the gateway's Envoy proxy to
generate additional client-side spans (authorino.kuadrant-system and limitador.kuadrant-system) in traces that are not present without mTLS.
The current data plane tracing tests assume a non-mTLS environment. If mTLS is unexpectedly enabled on the cluster, these tests will fail due to the additional service spans in traces.
Proposed change
Add a precondition check to data plane tracing tests that reads the Kuadrant CR and skips the test if spec.mtls.enable is true, with a message indicating that mTLS tracing is not covered by these
tests.
(Separate mTLS-specific tracing integration tests can be added later.)
Description
Note: #870 — wait for that PR to be merged before starting work on this.
When
spec.mtls.enable: trueis set in the Kuadrant CR, the Envoy cluster patches for Authorino and Limitador include a TLStransport_socket(via Istio SDS). This causes the gateway's Envoy proxy togenerate additional client-side spans (
authorino.kuadrant-systemandlimitador.kuadrant-system) in traces that are not present without mTLS.The current data plane tracing tests assume a non-mTLS environment. If mTLS is unexpectedly enabled on the cluster, these tests will fail due to the additional service spans in traces.
Proposed change
Add a precondition check to data plane tracing tests that reads the Kuadrant CR and skips the test if
spec.mtls.enableistrue, with a message indicating that mTLS tracing is not covered by thesetests.
(Separate mTLS-specific tracing integration tests can be added later.)