fix(e2e): wait for DNSNameResolver ready before CNP connectivity checks (#6349)

* fix(e2e): wait for DNSNameResolver ready before CNP connectivity checks

The CNP domain-based e2e test was flaky because connectivity checks
started before the async DNS resolution chain completed. When CNP rules
are created/updated, the OVN ACL address sets may be empty initially
since the external dnsnameresolver component needs time to resolve
domains and populate DNSNameResolver CR Status.

Add waitForDNSResolversReady() to explicitly wait for all DNSNameResolver
CRs to have resolved addresses before running connectivity checks.
Also increase default retry parameters from 20×2s to 30×3s as a safety
net for slow DNS resolution.

Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>

* fix(e2e): wait for DNSNameResolver CR creation instead of status population

The dnsnameresolver CoreDNS plugin populates Status.ResolvedNames
reactively (only when actual DNS queries flow through CoreDNS), not
proactively. The previous waitForDNSResolversReady checked for non-empty
Status.ResolvedNames before any connectivity test, creating a deadlock:
no DNS query happens → Status never populated → 60s timeout → test fails.

Replace with waitForDNSResolversCreated that only verifies the CR exists,
ensuring the controller has processed the CNP. The connectivity retry
logic (30 attempts × 3s) naturally handles the async chain:
  DNS query → plugin intercepts → Status updated → address set updated → ACL applied.

Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>

---------

Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: oilbeater

test/e2e/cnp-domain/e2e_test.go

@@ -111,7 +111,32 @@ var _ = framework.SerialDescribe("[group:cluster-network-policy]", func() {
 	}
 
 	testNetworkConnectivity := func(target string, shouldSucceed bool, description string) {
-		testNetworkConnectivityWithRetry(target, shouldSucceed, description, 20, 2*time.Second)
+		testNetworkConnectivityWithRetry(target, shouldSucceed, description, 30, 3*time.Second)
+	}
+
+	// waitForDNSResolversCreated waits for DNSNameResolver CRs associated with a CNP
+	// to be created. This ensures the controller has processed the CNP and created the
+	// DNSNameResolver CRs, so the CoreDNS dnsnameresolver plugin can intercept DNS
+	// queries for the configured domains.
+	// Note: We intentionally do NOT check Status.ResolvedNames here because the
+	// dnsnameresolver CoreDNS plugin populates it reactively (only when actual DNS
+	// queries flow through CoreDNS), not proactively. The connectivity retry logic
+	// in testNetworkConnectivity handles the async chain:
+	//   DNS query → plugin intercepts → Status updated → address set updated → ACL applied.
+	waitForDNSResolversCreated := func(name string, expectedCount int) {
+		ginkgo.By(fmt.Sprintf("Waiting for %d DNSNameResolver(s) to be created for CNP %s", expectedCount, name))
+		dnsClient := f.DNSNameResolverClient()
+		labelSelector := fmt.Sprintf("anp=%s", name)
+
+		framework.WaitUntil(2*time.Second, 30*time.Second, func(_ context.Context) (bool, error) {
+			resolverList := dnsClient.ListByLabel(labelSelector)
+			if len(resolverList.Items) < expectedCount {
+				framework.Logf("Found %d/%d DNSNameResolver(s) for CNP %s", len(resolverList.Items), expectedCount, name)
+				return false, nil
+			}
+			framework.Logf("All %d DNSNameResolver(s) created for CNP %s", expectedCount, name)
+			return true, nil
+		}, fmt.Sprintf("DNSNameResolvers for CNP %s to be created", name))
 	}
 
 	framework.ConformanceIt("should create CNP with domainName deny rule and verify connectivity behavior", func() {
@@ -158,6 +183,7 @@ var _ = framework.SerialDescribe("[group:cluster-network-policy]", func() {
 		framework.ExpectEqual(cnp.Spec.Priority, int32(55))
 		framework.ExpectEqual(cnp.Spec.Subject.Namespaces.MatchLabels["kubernetes.io/metadata.name"], namespaceName)
 
+		waitForDNSResolversCreated(cnpName, 1)
 		testNetworkConnectivity("https://www.baidu.com", false, "Testing connectivity to baidu.com after applying CNP (should be blocked)")
 
 		ginkgo.By("Deleting ClusterNetworkPolicy " + cnpName)
@@ -229,6 +255,8 @@ var _ = framework.SerialDescribe("[group:cluster-network-policy]", func() {
 		framework.ExpectEqual(string(peer2.DomainNames[0]), "*.google.com.")
 		framework.ExpectEqual(cnp2.Spec.Priority, int32(45))
 
+		waitForDNSResolversCreated(cnpName, 1)
+		waitForDNSResolversCreated(cnpName2, 1)
 		testNetworkConnectivity("https://www.baidu.com", false, "Testing connectivity to baidu.com after applying both CNPs (should be blocked)")
 		testNetworkConnectivity("https://www.google.com", true, "Testing connectivity to google.com after applying both CNPs (should be allowed)")
 
@@ -288,6 +316,7 @@ var _ = framework.SerialDescribe("[group:cluster-network-policy]", func() {
 		updatedCNP, _ := cnpClient.Update(context.TODO(), createdCNP, metav1.UpdateOptions{})
 		framework.Logf("Successfully updated ClusterNetworkPolicy with baidu.com deny rule: %s", updatedCNP.Name)
 
+		waitForDNSResolversCreated(cnpName, 1)
 		testNetworkConnectivity("https://www.baidu.com", false, "Testing connectivity to baidu.com after adding deny rule (should be blocked)")
 		testNetworkConnectivity("https://www.google.com", true, "Testing connectivity to google.com after adding baidu.com deny rule (should still succeed)")
 
@@ -299,6 +328,8 @@ var _ = framework.SerialDescribe("[group:cluster-network-policy]", func() {
 		updatedcnp2, _ := cnpClient.Update(context.TODO(), updatedCNP, metav1.UpdateOptions{})
 		framework.Logf("Successfully updated ClusterNetworkPolicy with both deny rules: %s", updatedcnp2.Name)
 
+		waitForDNSResolversCreated(cnpName, 2)
+
 		testNetworkConnectivity("https://www.baidu.com", false, "Testing connectivity to baidu.com after adding both deny rules (should be blocked)")
 		testNetworkConnectivity("https://www.google.com", false, "Testing connectivity to google.com after adding both deny rules (should be blocked)")
 
@@ -373,6 +404,7 @@ var _ = framework.SerialDescribe("[group:cluster-network-policy]", func() {
 		framework.ExpectEqual(len(cnp.Spec.Egress), 2)
 		framework.ExpectEqual(cnp.Spec.Priority, int32(80))
 
+		waitForDNSResolversCreated(cnpName, 1)
 		testNetworkConnectivity("https://www.baidu.com", false, "Testing connectivity to baidu.com after applying cnp (should be blocked)")
 		testNetworkConnectivity("https://www.google.com", true, "Testing connectivity to google.com after applying cnp (should be allowed)")
 		testNetworkConnectivity("https://8.8.8.8", false, "Testing connectivity to 8.8.8.8 after applying cnp (should be blocked by CIDR rule)")
@@ -421,6 +453,7 @@ var _ = framework.SerialDescribe("[group:cluster-network-policy]", func() {
 		framework.ExpectEqual(len(cnp.Spec.Egress), 1)
 		framework.ExpectEqual(cnp.Spec.Priority, int32(85))
 
+		waitForDNSResolversCreated(cnpName, 1)
 		testNetworkConnectivity("https://www.baidu.com", false, "Testing connectivity to www.baidu.com after applying cnp (should be blocked by wildcard)")
 		testNetworkConnectivity("https://api.baidu.com", false, "Testing connectivity to api.baidu.com after applying cnp (should be blocked by wildcard)")
 		testNetworkConnectivity("https://news.baidu.com", false, "Testing connectivity to news.baidu.com after applying cnp (should be blocked by wildcard)")