chore: Add e2e tests for GatewayProxy referencing Secret (#123)

Author: dspo

.golangci.yml

@@ -24,6 +24,8 @@ linters:
     revive:
       rules:
         - name: comment-spacings
+    lll:
+      line-length: 160
   exclusions:
     generated: lax
     rules:

internal/controller/consumer_controller.go

@@ -40,7 +40,15 @@ func (r *ConsumerReconciler) SetupWithManager(mgr ctrl.Manager) error {
 				predicate.NewPredicateFuncs(r.checkGatewayRef),
 			),
 		).
-		WithEventFilter(predicate.GenerationChangedPredicate{}).
+		WithEventFilter(
+			predicate.Or(
+				predicate.GenerationChangedPredicate{},
+				predicate.NewPredicateFuncs(func(obj client.Object) bool {
+					_, ok := obj.(*corev1.Secret)
+					return ok
+				}),
+			),
+		).
 		Watches(&gatewayv1.Gateway{},
 			handler.EnqueueRequestsFromMapFunc(r.listConsumersForGateway),
 			builder.WithPredicates(

internal/controller/ingress_controller.go

@@ -356,7 +356,31 @@ func (r *IngressReconciler) listIngressesBySecret(ctx context.Context, obj clien
 			})
 		}
 	}
-	return requests
+
+	gatewayProxyList := &v1alpha1.GatewayProxyList{}
+	if err := r.List(ctx, gatewayProxyList, client.MatchingFields{
+		indexer.SecretIndexRef: indexer.GenIndexKey(secret.GetNamespace(), secret.GetName()),
+	}); err != nil {
+		r.Log.Error(err, "failed to list gateway proxies by secret", "secret", secret.GetName())
+		return nil
+	}
+
+	for _, gatewayProxy := range gatewayProxyList.Items {
+		var (
+			ingressClassList networkingv1.IngressClassList
+			indexKey         = indexer.GenIndexKey(gatewayProxy.GetNamespace(), gatewayProxy.GetName())
+			matchingFields   = client.MatchingFields{indexer.IngressClassParametersRef: indexKey}
+		)
+		if err := r.List(ctx, &ingressClassList, matchingFields); err != nil {
+			r.Log.Error(err, "failed to list ingress classes for gateway proxy", "gatewayproxy", indexKey)
+			continue
+		}
+		for _, ingressClass := range ingressClassList.Items {
+			requests = append(requests, r.listIngressForIngressClass(ctx, &ingressClass)...)
+		}
+	}
+
+	return distinctRequests(requests)
 }
 
 func (r *IngressReconciler) listIngressForBackendTrafficPolicy(ctx context.Context, obj client.Object) (requests []reconcile.Request) {

internal/controller/ingressclass_controller.go

@@ -40,7 +40,15 @@ func (r *IngressClassReconciler) SetupWithManager(mgr ctrl.Manager) error {
 				predicate.NewPredicateFuncs(r.matchesController),
 			),
 		).
-		WithEventFilter(predicate.GenerationChangedPredicate{}).
+		WithEventFilter(
+			predicate.Or(
+				predicate.GenerationChangedPredicate{},
+				predicate.NewPredicateFuncs(func(obj client.Object) bool {
+					_, ok := obj.(*corev1.Secret)
+					return ok
+				}),
+			),
+		).
 		Watches(
 			&v1alpha1.GatewayProxy{},
 			handler.EnqueueRequestsFromMapFunc(r.listIngressClassesForGatewayProxy),
@@ -146,29 +154,10 @@ func (r *IngressClassReconciler) listIngressClassesForSecret(ctx context.Context
 	// 2. list ingress classes by gateway proxies
 	requests := make([]reconcile.Request, 0)
 	for _, gatewayProxy := range gatewayProxyList.Items {
-		ingressClassList := &networkingv1.IngressClassList{}
-		if err := r.List(ctx, ingressClassList, client.MatchingFields{
-			indexer.IngressClassParametersRef: indexer.GenIndexKey(gatewayProxy.GetNamespace(), gatewayProxy.GetName()),
-		}); err != nil {
-			r.Log.Error(err, "failed to list ingress classes by secret", "secret", secret.GetName())
-			return nil
-		}
-		for _, ingressClass := range ingressClassList.Items {
-			if !r.matchesController(&ingressClass) {
-				continue
-			}
-			requests = append(requests, reconcile.Request{
-				NamespacedName: client.ObjectKey{
-					Name:      ingressClass.GetName(),
-					Namespace: ingressClass.GetNamespace(),
-				},
-			})
-		}
+		requests = append(requests, r.listIngressClassesForGatewayProxy(ctx, &gatewayProxy)...)
 	}
 
-	requests = distinctRequests(requests)
-
-	return requests
+	return distinctRequests(requests)
 }
 
 func (r *IngressClassReconciler) processInfrastructure(tctx *provider.TranslateContext, ingressClass *networkingv1.IngressClass) error {

test/e2e/crds/consumer.go

@@ -2,6 +2,7 @@ package gatewayapi
 
 import (
 	"fmt"
+	"net/http"
 	"time"
 
 	. "github.com/onsi/ginkgo/v2"
@@ -310,6 +311,15 @@ metadata:
 data:
   username: c2FtcGxlLXVzZXI=
   password: c2FtcGxlLXBhc3N3b3Jk
+`
+		const basicAuthSecret2 = `
+apiVersion: v1
+kind: Secret
+metadata:
+  name: basic-auth-secret
+data:
+  username: c2FtcGxlLXVzZXI=
+  password: c2FtcGxlLXBhc3N3b3JkLW5ldw==
 `
 		var defaultConsumer = `
 apiVersion: apisix.apache.org/v1alpha1
@@ -358,6 +368,29 @@ spec:
 				Expect().
 				Status(200)
 
+			// update basic-auth password
+			err = s.CreateResourceFromString(basicAuthSecret2)
+			Expect(err).NotTo(HaveOccurred(), "creating basic-auth secret")
+
+			// use the old password will get 401
+			Eventually(func() int {
+				return s.NewAPISIXClient().
+					GET("/get").
+					WithBasicAuth("sample-user", "sample-password").
+					WithHost("httpbin.org").
+					Expect().
+					Raw().StatusCode
+			}).WithTimeout(8 * time.Second).ProbeEvery(time.Second).
+				Should(Equal(http.StatusUnauthorized))
+
+			// use the new password will get 200
+			s.NewAPISIXClient().
+				GET("/get").
+				WithBasicAuth("sample-user", "sample-password-new").
+				WithHost("httpbin.org").
+				Expect().
+				Status(http.StatusOK)
+
 			By("delete consumer")
 			err = s.DeleteResourceFromString(defaultConsumer)
 			Expect(err).NotTo(HaveOccurred(), "deleting consumer")

test/e2e/gatewayapi/gateway.go

@@ -112,7 +112,8 @@ spec:
 			Expect(gcyaml).To(ContainSubstring("message: the gatewayclass has been accepted by the api7-ingress-controller"), "checking GatewayClass condition message")
 
 			By("create Gateway")
-			err = s.CreateResourceFromStringWithNamespace(defaultGateway, s.CurrentNamespace())
+			err = s.CreateResourceFromStringWithNamespace(defaultGateway, s.
+				Namespace())
 			Expect(err).NotTo(HaveOccurred(), "creating Gateway")
 			time.Sleep(5 * time.Second)
 
@@ -123,7 +124,7 @@ spec:
 			Expect(gwyaml).To(ContainSubstring("message: the gateway has been accepted by the api7-ingress-controller"), "checking Gateway condition message")
 
 			By("create Gateway with not accepted GatewayClass")
-			err = s.CreateResourceFromStringWithNamespace(noClassGateway, s.CurrentNamespace())
+			err = s.CreateResourceFromStringWithNamespace(noClassGateway, s.Namespace())
 			Expect(err).NotTo(HaveOccurred(), "creating Gateway")
 			time.Sleep(5 * time.Second)
 
@@ -184,7 +185,7 @@ spec:
 			time.Sleep(5 * time.Second)
 
 			By("create Gateway")
-			err = s.CreateResourceFromStringWithNamespace(defaultGateway, s.CurrentNamespace())
+			err = s.CreateResourceFromStringWithNamespace(defaultGateway, s.Namespace())
 			Expect(err).NotTo(HaveOccurred(), "creating Gateway")
 			time.Sleep(10 * time.Second)
 
@@ -257,7 +258,7 @@ spec:
 				time.Sleep(5 * time.Second)
 
 				By("create Gateway")
-				err = s.CreateResourceFromStringWithNamespace(defaultGateway, s.CurrentNamespace())
+				err = s.CreateResourceFromStringWithNamespace(defaultGateway, s.Namespace())
 				Expect(err).NotTo(HaveOccurred(), "creating Gateway")
 				time.Sleep(10 * time.Second)
 

test/e2e/gatewayapi/gatewayclass.go

@@ -77,7 +77,7 @@ spec:
 			}).WithTimeout(8 * time.Second).ProbeEvery(time.Second).Should(ContainSubstring(`status: "True"`))
 
 			By("create a Gateway")
-			err = s.CreateResourceFromStringWithNamespace(defaultGateway, s.CurrentNamespace())
+			err = s.CreateResourceFromStringWithNamespace(defaultGateway, s.Namespace())
 			Expect(err).NotTo(HaveOccurred(), "creating Gateway")
 			time.Sleep(time.Second)
 

test/e2e/gatewayapi/gatewayproxy.go

@@ -207,7 +207,7 @@ spec:
 		time.Sleep(5 * time.Second)
 
 		By("Create Gateway with GatewayProxy")
-		err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(gatewayWithProxy, gatewayClassName), s.CurrentNamespace())
+		err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(gatewayWithProxy, gatewayClassName), s.Namespace())
 		Expect(err).NotTo(HaveOccurred(), "creating Gateway with GatewayProxy")
 		time.Sleep(5 * time.Second)
 

test/e2e/gatewayapi/httproute.go

@@ -125,7 +125,7 @@ spec:
 		Expect(gcyaml).To(ContainSubstring("message: the gatewayclass has been accepted by the api7-ingress-controller"), "checking GatewayClass condition message")
 
 		By("create Gateway")
-		err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(defaultGateway, gatewayClassName), s.CurrentNamespace())
+		err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(defaultGateway, gatewayClassName), s.Namespace())
 		Expect(err).NotTo(HaveOccurred(), "creating Gateway")
 		time.Sleep(5 * time.Second)
 
@@ -158,7 +158,7 @@ spec:
 		Expect(gcyaml).To(ContainSubstring("message: the gatewayclass has been accepted by the api7-ingress-controller"), "checking GatewayClass condition message")
 
 		By("create Gateway")
-		err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(defaultGatewayHTTPS, gatewayClassName), s.CurrentNamespace())
+		err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(defaultGatewayHTTPS, gatewayClassName), s.Namespace())
 		Expect(err).NotTo(HaveOccurred(), "creating Gateway")
 		time.Sleep(5 * time.Second)
 

test/e2e/ingress/ingress.go

@@ -2,6 +2,7 @@ package ingress
 
 import (
 	"context"
+	"encoding/base64"
 	"fmt"
 	"net/http"
 	"strings"
@@ -805,4 +806,145 @@ spec:
 				Status(200)
 		})
 	})
+
+	Context("GatewayProxy reference Secret", func() {
+		const secretSpec = `
+apiVersion: v1
+kind: Secret
+metadata:
+  name: control-plane-secret
+data:
+  admin-key: %s
+`
+		const gatewayProxySpec = `
+apiVersion: apisix.apache.org/v1alpha1
+kind: GatewayProxy
+metadata:
+  name: api7-proxy-config
+spec:
+  provider:
+    type: ControlPlane
+    controlPlane:
+      endpoints:
+      - %s
+      auth:
+        type: AdminKey
+        adminKey:
+          valueFrom:
+            secretKeyRef:
+              name: control-plane-secret
+              key: admin-key
+  plugins:
+  - name: response-rewrite
+    enabled: true
+    config: 
+      headers:
+        X-Proxy-Test: "enabled"
+`
+		const ingressClassSpec = `
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: api7-ingress-class
+spec:
+  controller: "apisix.apache.org/api7-ingress-controller"
+  parameters:
+    apiGroup: "apisix.apache.org"
+    kind: "GatewayProxy"
+    name: "api7-proxy-config"
+    namespace: %s
+    scope: "Namespace"
+`
+		const ingressSpec = `
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: api7-ingress
+spec:
+  ingressClassName: api7-ingress-class
+  rules:
+  - host: ingress.example.com
+    http:
+      paths:
+      - path: /get
+        pathType: Prefix
+        backend:
+          service:
+            name: httpbin-service-e2e-test
+            port:
+              number: 80
+`
+		var (
+			additionalGatewayGroupID string
+			err                      error
+		)
+
+		It("GatewayProxy reference Secret", func() {
+			By("create Secret")
+			err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(secretSpec, base64.StdEncoding.EncodeToString([]byte(s.AdminKey()))), s.Namespace())
+			Expect(err).NotTo(HaveOccurred(), "creating secret")
+
+			By("create GatewayProxy")
+			err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(gatewayProxySpec, framework.DashboardTLSEndpoint), s.Namespace())
+			Expect(err).NotTo(HaveOccurred(), "creating gateway proxy")
+
+			By("create IngressClass")
+			err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(ingressClassSpec, s.Namespace()), s.Namespace())
+			Expect(err).NotTo(HaveOccurred(), "creating IngressClass")
+
+			By("creat Ingress")
+			err = s.CreateResourceFromStringWithNamespace(ingressSpec, s.Namespace())
+			Expect(err).NotTo(HaveOccurred(), "creating Ingress")
+
+			By("verify Ingress works")
+			Eventually(func() int {
+				return s.NewAPISIXClient().
+					GET("/get").
+					WithHost("ingress.example.com").
+					Expect().Raw().StatusCode
+			}).WithTimeout(8 * time.Second).ProbeEvery(time.Second).
+				Should(Equal(http.StatusOK))
+			s.NewAPISIXClient().
+				GET("/get").
+				WithHost("ingress.example.com").
+				Expect().Header("X-Proxy-Test").IsEqual("enabled")
+
+			By("create additional gateway group to get new admin key")
+			additionalGatewayGroupID, _, err = s.CreateAdditionalGatewayGroup("gateway-proxy-update")
+			Expect(err).NotTo(HaveOccurred(), "creating additional gateway group")
+
+			client, err := s.NewAPISIXClientForGatewayGroup(additionalGatewayGroupID)
+			Expect(err).NotTo(HaveOccurred(), "creating APISIX client for additional gateway group")
+
+			By("Ingress not found for additional gateway group")
+			client.
+				GET("/get").
+				WithHost("ingress.example.com").
+				Expect().
+				Status(http.StatusNotFound)
+
+			resources, exists := s.GetAdditionalGatewayGroup(additionalGatewayGroupID)
+			Expect(exists).To(BeTrue(), "additional gateway group should exist")
+
+			By("update secret")
+			err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(secretSpec, base64.StdEncoding.EncodeToString([]byte(resources.AdminAPIKey))), s.Namespace())
+			Expect(err).NotTo(HaveOccurred(), "creating secret")
+
+			By("verify Ingress works for additional gateway group")
+			Eventually(func() int {
+				return client.
+					GET("/get").
+					WithHost("ingress.example.com").
+					Expect().Raw().StatusCode
+			}).WithTimeout(8 * time.Second).ProbeEvery(time.Second).
+				Should(Equal(http.StatusOK))
+			Eventually(func() string {
+				return client.
+					GET("/get").
+					WithHost("ingress.example.com").
+					Expect().Raw().Header.Get("X-Proxy-Test")
+			}).WithTimeout(8 * time.Second).ProbeEvery(time.Second).
+				Should(Equal("enabled"))
+		})
+	})
 })