Merge pull request #29597 from lihongan/gatewayapi

openshift-merge-bot[bot] · web-flow · commit addcf0c20a38 · 2025-04-01T10:06:49.000Z
NE-1968: add e2e tests for FeatureGate GatewayAPI
diff --git a/test/extended/router/gatewayapi.go b/test/extended/router/gatewayapi.go
@@ -0,0 +1,143 @@
+package router
+
+import (
+	"context"
+	"strings"
+
+	g "github.com/onsi/ginkgo/v2"
+	o "github.com/onsi/gomega"
+
+	exutil "github.com/openshift/origin/test/extended/util"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	e2e "k8s.io/kubernetes/test/e2e/framework"
+	admissionapi "k8s.io/pod-security-admission/api"
+)
+
+var _ = g.Describe("[sig-network][OCPFeatureGate:GatewayAPI][Feature:Router][apigroup:gateway.networking.k8s.io]", func() {
+	defer g.GinkgoRecover()
+	var (
+		oc       = exutil.NewCLIWithPodSecurityLevel("gateway-api", admissionapi.LevelBaseline)
+		crdNames = []string{
+			"gatewayclasses.gateway.networking.k8s.io",
+			"gateways.gateway.networking.k8s.io",
+			"httproutes.gateway.networking.k8s.io",
+			"grpcroutes.gateway.networking.k8s.io",
+			"referencegrants.gateway.networking.k8s.io",
+		}
+		errorMessage = "ValidatingAdmissionPolicy 'openshift-ingress-operator-gatewayapi-crd-admission' with binding 'openshift-ingress-operator-gatewayapi-crd-admission' denied request: Gateway API Custom Resource Definitions are managed by the Ingress Operator and may not be modified"
+	)
+
+	g.Describe("Verify Gateway API CRDs", func() {
+		g.It("and ensure required CRDs should already be installed", func() {
+			g.By("Get and check the installed CRDs")
+			for i := range crdNames {
+				crd, err := oc.AdminApiextensionsClient().ApiextensionsV1().CustomResourceDefinitions().Get(context.Background(), crdNames[i], metav1.GetOptions{})
+				o.Expect(err).NotTo(o.HaveOccurred())
+				e2e.Logf("Found the Gateway API CRD named: %v", crd.Name)
+			}
+		})
+
+		g.It("and ensure existing CRDs can not be deleted", func() {
+			g.By("Try to delete the CRDs and fail")
+			for i := range crdNames {
+				err := oc.AdminApiextensionsClient().ApiextensionsV1().CustomResourceDefinitions().Delete(context.Background(), crdNames[i], metav1.DeleteOptions{})
+				o.Expect(err).To(o.HaveOccurred())
+				o.Expect(err.Error()).To(o.ContainSubstring(errorMessage))
+			}
+		})
+
+		g.It("and ensure existing CRDs can not be updated", func() {
+			g.By("Get the CRDs firstly, add spec.names.shortNames then update CRD")
+			for i := range crdNames {
+				crd, err := oc.AdminApiextensionsClient().ApiextensionsV1().CustomResourceDefinitions().Get(context.Background(), crdNames[i], metav1.GetOptions{})
+				o.Expect(err).NotTo(o.HaveOccurred())
+				// some CRDs have a shortName but some not, just trying to add one for all
+				crd.Spec.Names.ShortNames = append(crd.Spec.Names.ShortNames, "fakename")
+				_, err = oc.AdminApiextensionsClient().ApiextensionsV1().CustomResourceDefinitions().Update(context.Background(), crd, metav1.UpdateOptions{})
+				o.Expect(err).To(o.HaveOccurred())
+				o.Expect(err.Error()).To(o.ContainSubstring(errorMessage))
+			}
+		})
+
+		g.It("and ensure CRD of standard group can not be created", func() {
+			fakeCRDName := "fakeroutes.gateway.networking.k8s.io"
+			g.By("Try to create CRD of standard group and fail")
+			fakeCRD := buildGWAPICRDFromName(fakeCRDName)
+			_, err := oc.AdminApiextensionsClient().ApiextensionsV1().CustomResourceDefinitions().Create(context.Background(), fakeCRD, metav1.CreateOptions{})
+			o.Expect(err).To(o.HaveOccurred())
+			o.Expect(err.Error()).To(o.ContainSubstring(errorMessage))
+		})
+
+		g.It("and ensure CRD of experimental group is not installed", func() {
+			g.By("Ensure no CRD of experimental group is installed")
+			crdList, err := oc.AdminApiextensionsClient().ApiextensionsV1().CustomResourceDefinitions().List(context.Background(), metav1.ListOptions{})
+			o.Expect(err).NotTo(o.HaveOccurred())
+			for _, crd := range crdList.Items {
+				if crd.Spec.Group == "gateway.networking.x-k8s.io" {
+					e2e.Failf("Found unexpected CRD named: %v", crd.Name)
+				}
+			}
+		})
+
+		g.It("and ensure CRD of experimental group can not be created", func() {
+			expCRDName := "xlistenersets.gateway.networking.x-k8s.io"
+			g.By("Try to create CRD of experimental group and fail")
+			expCRD := buildGWAPICRDFromName(expCRDName)
+			_, err := oc.AdminApiextensionsClient().ApiextensionsV1().CustomResourceDefinitions().Create(context.Background(), expCRD, metav1.CreateOptions{})
+			o.Expect(err).To(o.HaveOccurred())
+			o.Expect(err.Error()).To(o.ContainSubstring(errorMessage))
+		})
+	})
+})
+
+// buildGWAPICRDFromName initializes the fake GatewayAPI CRD deducing most of its required fields from the given name.
+func buildGWAPICRDFromName(name string) *apiextensionsv1.CustomResourceDefinition {
+	var (
+		plural   = strings.Split(name, ".")[0]
+		group, _ = strings.CutPrefix(name, plural+".")
+		// removing trailing "s"
+		singular = plural[0 : len(plural)-1]
+		kind     = strings.Title(singular)
+	)
+
+	return &apiextensionsv1.CustomResourceDefinition{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: plural + "." + group,
+			Annotations: map[string]string{
+				"api-approved.kubernetes.io": "https://github.com/kubernetes-sigs/gateway-api/pull/2466",
+			},
+		},
+		Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+			Group: group,
+			Names: apiextensionsv1.CustomResourceDefinitionNames{
+				Singular: singular,
+				Plural:   plural,
+				Kind:     kind,
+			},
+			Scope: apiextensionsv1.ClusterScoped,
+			Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+				{
+					Name:    "v1",
+					Storage: true,
+					Served:  true,
+					Schema: &apiextensionsv1.CustomResourceValidation{
+						OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
+							Type: "object",
+						},
+					},
+				},
+				{
+					Name:    "v1beta1",
+					Storage: false,
+					Served:  true,
+					Schema: &apiextensionsv1.CustomResourceValidation{
+						OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
+							Type: "object",
+						},
+					},
+				},
+			},
+		},
+	}
+}
diff --git a/test/extended/util/annotate/generated/zz_generated.annotations.go b/test/extended/util/annotate/generated/zz_generated.annotations.go
diff --git a/test/extended/util/client.go b/test/extended/util/client.go
@@ -75,6 +75,7 @@ import (
 	templatev1client "github.com/openshift/client-go/template/clientset/versioned"
 	userv1client "github.com/openshift/client-go/user/clientset/versioned"
 	"github.com/openshift/library-go/test/library/metrics"
+	apiextensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 )
 
 // CLI provides function to call the OpenShift CLI and Kubernetes and OpenShift
@@ -693,6 +694,10 @@ func (c *CLI) TemplateClient() templatev1client.Interface {
 	return templatev1client.NewForConfigOrDie(c.UserConfig())
 }
 
+func (c *CLI) AdminApiextensionsClient() apiextensionsclient.Interface {
+	return apiextensionsclient.NewForConfigOrDie(c.AdminConfig())
+}
+
 func (c *CLI) AdminAppsClient() appsv1client.Interface {
 	return appsv1client.NewForConfigOrDie(c.AdminConfig())
 }
diff --git a/zz_generated.manifests/test-reporting.yaml b/zz_generated.manifests/test-reporting.yaml
@@ -65,6 +65,20 @@ spec:
     tests:
     - testName: '[sig-arch][OCPFeatureGate:Example] should only run FeatureGated test
         when enabled'
+  - featureGate: GatewayAPI
+    tests:
+    - testName: '[sig-network][OCPFeatureGate:GatewayAPI][Feature:Router][apigroup:gateway.networking.k8s.io]
+        Verify Gateway API CRDs and ensure CRD of experimental group can not be created'
+    - testName: '[sig-network][OCPFeatureGate:GatewayAPI][Feature:Router][apigroup:gateway.networking.k8s.io]
+        Verify Gateway API CRDs and ensure CRD of experimental group is not installed'
+    - testName: '[sig-network][OCPFeatureGate:GatewayAPI][Feature:Router][apigroup:gateway.networking.k8s.io]
+        Verify Gateway API CRDs and ensure CRD of standard group can not be created'
+    - testName: '[sig-network][OCPFeatureGate:GatewayAPI][Feature:Router][apigroup:gateway.networking.k8s.io]
+        Verify Gateway API CRDs and ensure existing CRDs can not be deleted'
+    - testName: '[sig-network][OCPFeatureGate:GatewayAPI][Feature:Router][apigroup:gateway.networking.k8s.io]
+        Verify Gateway API CRDs and ensure existing CRDs can not be updated'
+    - testName: '[sig-network][OCPFeatureGate:GatewayAPI][Feature:Router][apigroup:gateway.networking.k8s.io]
+        Verify Gateway API CRDs and ensure required CRDs should already be installed'
   - featureGate: HardwareSpeed
     tests:
     - testName: '[sig-etcd][OCPFeatureGate:HardwareSpeed][Serial] etcd is able to

Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,7 @@ import (`
`75`	`75`	`templatev1client "github.com/openshift/client-go/template/clientset/versioned"`
`76`	`76`	`userv1client "github.com/openshift/client-go/user/clientset/versioned"`
`77`	`77`	`"github.com/openshift/library-go/test/library/metrics"`
	`78`	`+ apiextensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"`
`78`	`79`	`)`
`79`	`80`
`80`	`81`	`// CLI provides function to call the OpenShift CLI and Kubernetes and OpenShift`
`@@ -693,6 +694,10 @@ func (c *CLI) TemplateClient() templatev1client.Interface {`
`693`	`694`	`return templatev1client.NewForConfigOrDie(c.UserConfig())`
`694`	`695`	`}`
`695`	`696`
	`697`	`+func (c *CLI) AdminApiextensionsClient() apiextensionsclient.Interface {`
	`698`	`+ return apiextensionsclient.NewForConfigOrDie(c.AdminConfig())`
	`699`	`+}`
	`700`	`+`
`696`	`701`	`func (c *CLI) AdminAppsClient() appsv1client.Interface {`
`697`	`702`	`return appsv1client.NewForConfigOrDie(c.AdminConfig())`
`698`	`703`	`}`