E2E tests for Kuadrant policies on Egress Gateway #888

@averevki

Summary

Add e2e tests validating that Kuadrant's AuthPolicy and RateLimitPolicy work on egress traffic flowing through an Istio egress gateway, as described in the Egress Gateway Support RFC (architecture#145).

The RFC's core hypothesis is that existing policies should work for egress without code changes — the topology builder watches all Gateways regardless of direction, and the wasm-shim operates on standard HTTP attributes. E2E tests need to validate this.

Motivation

Kuadrant currently only has e2e tests for ingress traffic. The egress gateway use case (rate limiting outbound API calls, authorizing workloads, injecting credentials into outbound requests) requires dedicated test coverage to confirm policies work in this context.

Test Cases

1. RateLimitPolicy on Egress Gateway

  • Attach RateLimitPolicy to an egress Gateway or HTTPRoute
  • Verify outbound requests are rate limited (200 → 429 after limit exceeded)
  • Per-workload rate limits on external API consumption

2. AuthPolicy on Egress Gateway

  • Attach AuthPolicy to an egress Gateway or HTTPRoute
  • Verify workload authorization on outbound requests (authorized → 200, unauthorized → 401/403)
  • Credential injection via AuthPolicy response section — inject API keys or bearer tokens into outbound requests as headers, verify the external service receives the injected credentials

3. AuthPolicy + RateLimitPolicy Combination

  • Both policies attached to the same egress Gateway/HTTPRoute
  • Verify auth is enforced first, then rate limiting applies to authorized requests

Testsuite Interface Additions

ServiceEntry

Add a ServiceEntry resource wrapper to the testsuite for registering external services in Istio's service registry:

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
spec:
  hosts:
    - api.example.com
  ports:
    - number: 443
      name: https
      protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS

DestinationRule

Add a DestinationRule resource wrapper for configuring TLS origination to external services:

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
spec:
  host: api.example.com
  trafficPolicy:
    tls:
      mode: SIMPLE
      sni: api.example.com

Both are Istio-specific resources configured by the user — the testsuite needs to create and manage them as part of the egress test fixtures.

Egress Test Setup

Each test requires the following fixture chain:

  1. Egress Gateway — a standard Gateway resource with an HTTP listener
  2. ServiceEntry — registers the external service hostname
  3. DestinationRule — configures TLS origination
  4. HTTPRoute — routes traffic from the egress gateway to the external service (via ServiceEntry)
  5. AuthPolicy / RateLimitPolicy — attached to the Gateway or HTTPRoute

The "external service" in tests can be an in-cluster httpbin deployed in a separate namespace, reached via ServiceEntry as if it were external.

Dependencies

  • Egress Gateway RFC: architecture#144
  • Tracking issue: architecture#145
  • kuadrant-operator: Validation that policies work on egress (RFC Stage 1 tasks)
  • Istio/OSSM: Egress gateway support

Tasks

  • Implement ServiceEntry and DestinationRule resource wrappers in the testsuite
  • Implement RateLimitPolicy on egress gateway test
  • Implement AuthPolicy on egress gateway test
  • Implement AuthPolicy credential injection (response section) on egress test
  • Implement combined AuthPolicy + RateLimitPolicy on egress test
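
One way to assert test case 3 (auth enforced first, rate limiting applied only to authorized requests), as an added example that is not part of the original issue or the Kuadrant testsuite. The names `Observed` and `check_auth_before_ratelimit` and the sample traces are hypothetical, and the check assumes the whole trace falls inside a single rate-limit window with one counter.

```python
from typing import List, NamedTuple


class Observed(NamedTuple):
    authorized: bool  # request carried credentials the AuthPolicy accepts
    status: int       # HTTP status seen by the client behind the egress gateway


def check_auth_before_ratelimit(trace: List[Observed], limit: int) -> List[str]:
    """Return violations; an empty list means the trace matches expectations.

    Assumption: the whole trace falls inside one rate-limit window with a
    single counter. Expected behaviour:
      * unauthorized requests always get 401/403 and never consume quota
      * the first `limit` authorized requests get 200, later ones get 429
    """
    violations = []
    admitted = 0  # authorized requests that were let through so far
    for i, obs in enumerate(trace):
        if not obs.authorized:
            if obs.status not in (401, 403):
                violations.append(f"request {i}: unauthorized got {obs.status}")
            continue  # rejected by auth, so it must not touch the counter
        expected = 200 if admitted < limit else 429
        if obs.status != expected:
            violations.append(
                f"request {i}: authorized got {obs.status}, expected {expected}")
        if obs.status == 200:
            admitted += 1
    return violations


# Constructed traces (not captured from a real cluster), limit of 2 per window.
A, U = True, False
GOOD = [Observed(A, 200), Observed(U, 401), Observed(U, 401),
        Observed(A, 200), Observed(U, 403), Observed(A, 429), Observed(U, 401)]
# Unauthorized traffic used up the quota: the limiter ran before auth.
QUOTA_STOLEN = [Observed(U, 401), Observed(U, 401),
                Observed(A, 429), Observed(A, 429)]
# An unauthorized request got 429, so the limiter answered before auth did.
WRONG_ORDER = [Observed(A, 200), Observed(A, 200),
               Observed(A, 429), Observed(U, 429)]

if __name__ == "__main__":
    for name, trace in [("GOOD", GOOD), ("QUOTA_STOLEN", QUOTA_STOLEN),
                        ("WRONG_ORDER", WRONG_ORDER)]:
        print(name, check_auth_before_ratelimit(trace, limit=2) or "ok")
```

Interleaving unauthorized requests before the limit is reached is what separates the two orderings: a trace made only of authorized requests passes whether auth or rate limiting runs first.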
