chore: Add e2e tests for GatewayProxy referencing Secret

Introduce comprehensive e2e tests verifying GatewayProxy's ability to reference Secrets, including scenarios for creating, updating, and validating Secrets with admin keys. Update predicate filters to watch for Secret changes and replace `CurrentNamespace()` with `Namespace()` across multiple test files for consistency. Adjust line length configuration in `.golangci.yml` to accommodate the new test cases.

Author: dspo

.golangci.yml

@@ -24,6 +24,8 @@ linters:
     revive:
       rules:
         - name: comment-spacings
+    lll:
+      line-length: 160
   exclusions:
     generated: lax
     rules:

internal/controller/consumer_controller.go

@@ -40,7 +40,15 @@ func (r *ConsumerReconciler) SetupWithManager(mgr ctrl.Manager) error {
 				predicate.NewPredicateFuncs(r.checkGatewayRef),
 			),
 		).
-		WithEventFilter(predicate.GenerationChangedPredicate{}).
+		WithEventFilter(
+			predicate.Or(
+				predicate.GenerationChangedPredicate{},
+				predicate.NewPredicateFuncs(func(obj client.Object) bool {
+					_, ok := obj.(*corev1.Secret)
+					return ok
+				}),
+			),
+		).
 		Watches(&gatewayv1.Gateway{},
 			handler.EnqueueRequestsFromMapFunc(r.listConsumersForGateway),
 			builder.WithPredicates(

internal/controller/ingressclass_controller.go

@@ -40,7 +40,15 @@ func (r *IngressClassReconciler) SetupWithManager(mgr ctrl.Manager) error {
 				predicate.NewPredicateFuncs(r.matchesController),
 			),
 		).
-		WithEventFilter(predicate.GenerationChangedPredicate{}).
+		WithEventFilter(
+			predicate.Or(
+				predicate.GenerationChangedPredicate{},
+				predicate.NewPredicateFuncs(func(obj client.Object) bool {
+					_, ok := obj.(*corev1.Secret)
+					return ok
+				}),
+			),
+		).
 		Watches(
 			&v1alpha1.GatewayProxy{},
 			handler.EnqueueRequestsFromMapFunc(r.listIngressClassesForGatewayProxy),

test/e2e/crds/consumer.go

@@ -2,6 +2,7 @@ package gatewayapi
 
 import (
 	"fmt"
+	"net/http"
 	"time"
 
 	. "github.com/onsi/ginkgo/v2"
@@ -310,6 +311,15 @@ metadata:
 data:
   username: c2FtcGxlLXVzZXI=
   password: c2FtcGxlLXBhc3N3b3Jk
+`
+		const basicAuthSecret2 = `
+apiVersion: v1
+kind: Secret
+metadata:
+  name: basic-auth-secret
+data:
+  username: c2FtcGxlLXVzZXI=
+  password: c2FtcGxlLXBhc3N3b3JkLW5ldw==
 `
 		var defaultConsumer = `
 apiVersion: apisix.apache.org/v1alpha1
@@ -358,6 +368,29 @@ spec:
 				Expect().
 				Status(200)
 
+			// update basic-auth password
+			err = s.CreateResourceFromString(basicAuthSecret2)
+			Expect(err).NotTo(HaveOccurred(), "creating basic-auth secret")
+
+			// use the old password will get 401
+			Eventually(func() int {
+				return s.NewAPISIXClient().
+					GET("/get").
+					WithBasicAuth("sample-user", "sample-password").
+					WithHost("httpbin.org").
+					Expect().
+					Raw().StatusCode
+			}).WithTimeout(8 * time.Second).ProbeEvery(time.Second).
+				Should(Equal(http.StatusUnauthorized))
+
+			// use the new password will get 200
+			s.NewAPISIXClient().
+				GET("/get").
+				WithBasicAuth("sample-user", "sample-password-new").
+				WithHost("httpbin.org").
+				Expect().
+				Status(http.StatusOK)
+
 			By("delete consumer")
 			err = s.DeleteResourceFromString(defaultConsumer)
 			Expect(err).NotTo(HaveOccurred(), "deleting consumer")

test/e2e/gatewayapi/gateway.go

@@ -112,7 +112,8 @@ spec:
 			Expect(gcyaml).To(ContainSubstring("message: the gatewayclass has been accepted by the api7-ingress-controller"), "checking GatewayClass condition message")
 
 			By("create Gateway")
-			err = s.CreateResourceFromStringWithNamespace(defaultGateway, s.CurrentNamespace())
+			err = s.CreateResourceFromStringWithNamespace(defaultGateway, s.
+				Namespace())
 			Expect(err).NotTo(HaveOccurred(), "creating Gateway")
 			time.Sleep(5 * time.Second)
 
@@ -123,7 +124,7 @@ spec:
 			Expect(gwyaml).To(ContainSubstring("message: the gateway has been accepted by the api7-ingress-controller"), "checking Gateway condition message")
 
 			By("create Gateway with not accepted GatewayClass")
-			err = s.CreateResourceFromStringWithNamespace(noClassGateway, s.CurrentNamespace())
+			err = s.CreateResourceFromStringWithNamespace(noClassGateway, s.Namespace())
 			Expect(err).NotTo(HaveOccurred(), "creating Gateway")
 			time.Sleep(5 * time.Second)
 
@@ -184,7 +185,7 @@ spec:
 			time.Sleep(5 * time.Second)
 
 			By("create Gateway")
-			err = s.CreateResourceFromStringWithNamespace(defaultGateway, s.CurrentNamespace())
+			err = s.CreateResourceFromStringWithNamespace(defaultGateway, s.Namespace())
 			Expect(err).NotTo(HaveOccurred(), "creating Gateway")
 			time.Sleep(10 * time.Second)
 
@@ -257,7 +258,7 @@ spec:
 				time.Sleep(5 * time.Second)
 
 				By("create Gateway")
-				err = s.CreateResourceFromStringWithNamespace(defaultGateway, s.CurrentNamespace())
+				err = s.CreateResourceFromStringWithNamespace(defaultGateway, s.Namespace())
 				Expect(err).NotTo(HaveOccurred(), "creating Gateway")
 				time.Sleep(10 * time.Second)
 

test/e2e/gatewayapi/gatewayclass.go

@@ -77,7 +77,7 @@ spec:
 			}).WithTimeout(8 * time.Second).ProbeEvery(time.Second).Should(ContainSubstring(`status: "True"`))
 
 			By("create a Gateway")
-			err = s.CreateResourceFromStringWithNamespace(defaultGateway, s.CurrentNamespace())
+			err = s.CreateResourceFromStringWithNamespace(defaultGateway, s.Namespace())
 			Expect(err).NotTo(HaveOccurred(), "creating Gateway")
 			time.Sleep(time.Second)
 

test/e2e/gatewayapi/gatewayproxy.go

@@ -207,7 +207,7 @@ spec:
 		time.Sleep(5 * time.Second)
 
 		By("Create Gateway with GatewayProxy")
-		err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(gatewayWithProxy, gatewayClassName), s.CurrentNamespace())
+		err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(gatewayWithProxy, gatewayClassName), s.Namespace())
 		Expect(err).NotTo(HaveOccurred(), "creating Gateway with GatewayProxy")
 		time.Sleep(5 * time.Second)
 

test/e2e/gatewayapi/httproute.go

@@ -125,7 +125,7 @@ spec:
 		Expect(gcyaml).To(ContainSubstring("message: the gatewayclass has been accepted by the api7-ingress-controller"), "checking GatewayClass condition message")
 
 		By("create Gateway")
-		err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(defaultGateway, gatewayClassName), s.CurrentNamespace())
+		err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(defaultGateway, gatewayClassName), s.Namespace())
 		Expect(err).NotTo(HaveOccurred(), "creating Gateway")
 		time.Sleep(5 * time.Second)
 
@@ -158,7 +158,7 @@ spec:
 		Expect(gcyaml).To(ContainSubstring("message: the gatewayclass has been accepted by the api7-ingress-controller"), "checking GatewayClass condition message")
 
 		By("create Gateway")
-		err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(defaultGatewayHTTPS, gatewayClassName), s.CurrentNamespace())
+		err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(defaultGatewayHTTPS, gatewayClassName), s.Namespace())
 		Expect(err).NotTo(HaveOccurred(), "creating Gateway")
 		time.Sleep(5 * time.Second)
 

test/e2e/ingress/ingress.go

@@ -2,6 +2,7 @@ package ingress
 
 import (
 	"context"
+	"encoding/base64"
 	"fmt"
 	"net/http"
 	"strings"
@@ -805,4 +806,150 @@ spec:
 				Status(200)
 		})
 	})
+
+	Context("GatewayProxy reference Secret", func() {
+		const secretSpec = `
+apiVersion: v1
+kind: Secret
+metadata:
+  name: control-plane-secret
+data:
+  admin-key: %s
+`
+		const gatewayProxySpec = `
+apiVersion: apisix.apache.org/v1alpha1
+kind: GatewayProxy
+metadata:
+  name: api7-proxy-config
+spec:
+  provider:
+    type: ControlPlane
+    controlPlane:
+      endpoints:
+      - %s
+      auth:
+        type: AdminKey
+        adminKey:
+          valueFrom:
+            secretKeyRef:
+              name: control-plane-secret
+              key: admin-key
+`
+		const ingressClassSpec = `
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: api7-ingress-class
+spec:
+  controller: "apisix.apache.org/api7-ingress-controller"
+  parameters:
+    apiGroup: "apisix.apache.org"
+    kind: "GatewayProxy"
+    name: "api7-proxy-config"
+    namespace: %s
+    scope: "Namespace"
+`
+		const ingressSpec = `
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: api7-ingress
+spec:
+  ingressClassName: api7-ingress-class
+  rules:
+  - host: ingress.example.com
+    http:
+      paths:
+      - path: /get
+        pathType: Prefix
+        backend:
+          service:
+            name: httpbin-service-e2e-test
+            port:
+              number: 80
+`
+		const ingressSpec2 = `
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: api7-ingress
+spec:
+  ingressClassName: api7-ingress-class
+  rules:
+  - host: ingress.example.com
+    http:
+      paths:
+      - path: /put
+        pathType: Prefix
+        backend:
+          service:
+            name: httpbin-service-e2e-test
+            port:
+              number: 80
+`
+		var (
+			err error
+		)
+
+		It("GatewayProxy reference Secret", func() {
+			By("create Secret")
+			err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(secretSpec, base64.StdEncoding.EncodeToString([]byte(s.AdminKey()))), s.Namespace())
+			Expect(err).NotTo(HaveOccurred(), "creating secret")
+
+			By("create GatewayProxy")
+			err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(gatewayProxySpec, framework.DashboardTLSEndpoint), s.Namespace())
+			Expect(err).NotTo(HaveOccurred(), "creating gateway proxy")
+
+			By("create IngressClass")
+			err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(ingressClassSpec, s.Namespace()), s.Namespace())
+			Expect(err).NotTo(HaveOccurred(), "creating IngressClass")
+
+			By("creat Ingress")
+			err = s.CreateResourceFromStringWithNamespace(ingressSpec, s.Namespace())
+			Expect(err).NotTo(HaveOccurred(), "creating Ingress")
+
+			By("verify Ingress works")
+			Eventually(func() int {
+				return s.NewAPISIXClient().
+					GET("/get").
+					WithHost("ingress.example.com").
+					Expect().Raw().StatusCode
+			}).WithTimeout(8 * time.Second).ProbeEvery(time.Second).
+				Should(Equal(http.StatusOK))
+
+			// update gateway group admin-key
+			adminKey := s.GetAdminKey(s.CurrentGatewayGroupID())
+
+			// should fail to request provider service and get 401 because the admin-key is changed
+			By("create Ingress")
+			err = s.CreateResourceFromStringWithNamespace(ingressSpec2, s.Namespace())
+			s.WaitControllerManagerLog("Request failed with status code 401", 0, 10*time.Second)
+
+			// the new Ingress should not work consistently
+			Consistently(func() int {
+				return s.NewAPISIXClient().
+					GET("/put").
+					WithHost("ingress.example.com").
+					Expect().Raw().StatusCode
+			}).WithTimeout(8 * time.Second).ProbeEvery(time.Second).
+				Should(Equal(http.StatusNotFound))
+
+			By("update secret")
+			err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(secretSpec, base64.StdEncoding.EncodeToString([]byte(adminKey))), s.Namespace())
+			Expect(err).NotTo(HaveOccurred(), "creating secret")
+
+			By("create Ingress again")
+			err = s.CreateResourceFromStringWithNamespace(ingressSpec2, s.Namespace())
+			Expect(err).NotTo(HaveOccurred(), "creating Ingress with path prefix /put")
+
+			By("verify Ingress works")
+			Eventually(func() int {
+				return s.NewAPISIXClient().
+					PUT("/put").
+					WithHost("ingress.example.com").
+					Expect().Raw().StatusCode
+			}).WithTimeout(8 * time.Second).ProbeEvery(time.Second).
+				Should(Equal(http.StatusOK))
+		})
+	})
 })

test/e2e/scaffold/k8s.go

@@ -129,10 +129,6 @@ func (s *Scaffold) DeleteResourceFromStringWithNamespace(yaml, namespace string)
 	return k8s.KubectlDeleteFromStringE(s.t, s.kubectlOptions, yaml)
 }
 
-func (s *Scaffold) CurrentNamespace() string {
-	return s.kubectlOptions.Namespace
-}
-
 func (s *Scaffold) NewAPISIX() (dashboard.Dashboard, error) {
 	return dashboard.NewClient()
 }
@@ -272,7 +268,7 @@ func (s *Scaffold) ApplyDefaultGatewayResource(
 	)
 
 	By("create Gateway")
-	err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(defaultGateway, gatewayClassName), s.CurrentNamespace())
+	err = s.CreateResourceFromStringWithNamespace(fmt.Sprintf(defaultGateway, gatewayClassName), s.Namespace())
 	Expect(err).NotTo(HaveOccurred(), "creating Gateway")
 	time.Sleep(5 * time.Second)