kumahq · NawafSwe · Jan 9, 2026 · Jan 9, 2026 · Jan 10, 2026 · Jan 10, 2026
@@ -3,6 +3,7 @@ package builders
 import (
 	"context"
 
+	"google.golang.org/protobuf/types/known/wrapperspb"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/yaml"
 
@@ -67,6 +68,41 @@ func (m *MeshBuilder) WithBuiltinMTLSBackend(name string) *MeshBuilder {
 	return m.AddBuiltinMTLSBackend(name)
 }
 
+func (m *MeshBuilder) WithNetworkingPassThrough(b bool) *MeshBuilder {
+	if m.res.Spec.Networking == nil {
+		m.res.Spec.Networking = &mesh_proto.Networking{
+			Outbound: &mesh_proto.Networking_Outbound{
+				Passthrough: &wrapperspb.BoolValue{Value: b},
+			},
+		}
+	}
+	return m
+}
+
+func (m *MeshBuilder) WithRoutingZoneEgress(b bool) *MeshBuilder {
+	if m.res.Spec.Routing == nil {
+		m.res.Spec.Routing = &mesh_proto.Routing{}
+	}
+	m.res.Spec.Routing.ZoneEgress = b
+	return m
+}
+
+func (m *MeshBuilder) WithRoutingLocalityAwareLoadBalancing(b bool) *MeshBuilder {
+	if m.res.Spec.Routing == nil {
+		m.res.Spec.Routing = &mesh_proto.Routing{}
+	}
+	m.res.Spec.Routing.LocalityAwareLoadBalancing = b
+	return m
+}
+
+func (m *MeshBuilder) WithRoutingDefaultForbidMeshExternalServiceAccess(b bool) *MeshBuilder {
+	if m.res.Spec.Routing == nil {
+		m.res.Spec.Routing = &mesh_proto.Routing{}
+	}
+	m.res.Spec.Routing.DefaultForbidMeshExternalServiceAccess = b
+	return m
+}
+
 func (m *MeshBuilder) WithoutBackendValidation() *MeshBuilder {
 	if m.res.Spec.Mtls == nil {
 		m.res.Spec.Mtls = &mesh_proto.Mesh_Mtls{}

@@ -4,35 +4,28 @@ import (
 	"fmt"
 	"net"
 
-	. "github.com/onsi/ginkgo/v2"
-	. "github.com/onsi/gomega"
-	"golang.org/x/sync/errgroup"
-
 	config_core "github.com/kumahq/kuma/v2/pkg/config/core"
+	core_mesh "github.com/kumahq/kuma/v2/pkg/core/resources/apis/mesh"
+	"github.com/kumahq/kuma/v2/pkg/test/resources/builders"
 	. "github.com/kumahq/kuma/v2/test/framework"
 	"github.com/kumahq/kuma/v2/test/framework/client"
 	"github.com/kumahq/kuma/v2/test/framework/deployments/democlient"
 	"github.com/kumahq/kuma/v2/test/framework/deployments/testserver"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"golang.org/x/sync/errgroup"
 )
 
 const nonDefaultMesh = "non-default"
 
 func HybridUniversalGlobal() {
-	meshMTLSOn := `
-type: Mesh
-name: %s
-mtls:
-  enabledBackend: ca-1
-  backends:
-  - name: ca-1
-    type: builtin
-networking:
-  outbound:
-    passthrough: %s
-routing:
-  zoneEgress: %s
-`
-
+	meshMTLOnFn := func(name string, enableNetworkOutBound, enableZoneIngress bool) *core_mesh.MeshResource {
+		return builders.Mesh().WithName(nonDefaultMesh).WithBuiltinMTLSBackend("ca-1").
+			WithEgressRoutingEnabled().
+			WithNetworkingPassThrough(enableNetworkOutBound).
+			WithRoutingZoneEgress(enableZoneIngress).
+			Build()
+	}
 	externalService1 := `
 type: ExternalService
 mesh: %s
@@ -86,7 +79,7 @@ conf:
 
 		Expect(NewClusterSetup().
 			Install(Kuma(config_core.Global)).
-			Install(YamlUniversal(fmt.Sprintf(meshMTLSOn, nonDefaultMesh, "true", "true"))).
+			Install(ResourceUniversal(meshMTLOnFn(nonDefaultMesh, true, true))).
 			Install(MeshTrafficPermissionAllowAllUniversal(nonDefaultMesh)).
 			Install(YamlUniversal(ptWaitForWarmOnInit)).
 			Install(YamlUniversal(fmt.Sprintf(externalService1, nonDefaultMesh))).
@@ -159,7 +152,7 @@ conf:
 	})
 
 	It("passthrough false with zoneegress false", func() {
-		Expect(YamlUniversal(fmt.Sprintf(meshMTLSOn, nonDefaultMesh, "false", "false"))(global)).To(Succeed())
+		Expect(ResourceUniversal(meshMTLOnFn(nonDefaultMesh, false, false))(global)).To(Succeed())
 
 		By("reaching external service from k8s")
 		Eventually(func(g Gomega) {
@@ -192,7 +185,7 @@ conf:
 	})
 
 	It("passthrough false with zoneegress true", func() {
-		Expect(YamlUniversal(fmt.Sprintf(meshMTLSOn, nonDefaultMesh, "false", "true"))(global)).To(Succeed())
+		Expect(ResourceUniversal(meshMTLOnFn(nonDefaultMesh, false, true))(global)).To(Succeed())
 
 		By("not reaching external service from k8s when zone egress is down")
 		Eventually(func(g Gomega) {

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"sync"
 
+	"github.com/kumahq/kuma/v2/pkg/test/resources/builders"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"google.golang.org/protobuf/types/known/wrapperspb"
@@ -20,20 +21,11 @@ import (
 )
 
 func ExternalServicesOnMultizoneUniversal() {
-	meshDefaulMtlsOn := `
-type: Mesh
-name: default
-mtls:
-  enabledBackend: ca-1
-  backends:
-  - name: ca-1
-    type: builtin
-networking:
-  outbound:
-    passthrough: true
-routing:
-  localityAwareLoadBalancing: %s
-`
+	meshDefaultMTLSOn := builders.
+		Mesh().
+		WithName("default").
+		WithBuiltinMTLSBackend("ca-1").
+		WithNetworkingPassThrough(true)
 
 	externalServiceRes := func(service, address string, tls bool, caCert []byte) *core_mesh.ExternalServiceResource {
 		res := &core_mesh.ExternalServiceResource{
@@ -98,7 +90,7 @@ routing:
 		global = NewUniversalCluster(NewTestingT(), clusterName1, Silent)
 		err = NewClusterSetup().
 			Install(Kuma(core.Global)).
-			Install(YamlUniversal(fmt.Sprintf(meshDefaulMtlsOn, "false"))).
+			Install(ResourceUniversal(meshDefaultMTLSOn.WithRoutingLocalityAwareLoadBalancing(false).Build())).
 			Setup(global)
 		Expect(err).ToNot(HaveOccurred())
 
@@ -270,7 +262,7 @@ networking:
 		)
 
 		// when locality-aware lb is enabled
-		Expect(YamlUniversal(fmt.Sprintf(meshDefaulMtlsOn, "true"))(global)).To(Succeed())
+		Expect(ResourceUniversal(meshDefaultMTLSOn.WithRoutingLocalityAwareLoadBalancing(true).Build())(global)).To(Succeed())
 		// then
 		Eventually(func() (map[string]int, error) {
 			return client.CollectResponsesByInstance(zone1, "demo-client", "es-for-zones.mesh")

@@ -19,21 +19,6 @@ import (
 	"github.com/kumahq/kuma/v2/test/framework/envs/multizone"
 )
 
-func MTLSMeshUniversalEgress(name string) InstallFunc {
-	mesh := fmt.Sprintf(`
-type: Mesh
-name: %s
-mtls:
-  enabledBackend: ca-1
-  backends:
-    - name: ca-1
-      type: builtin
-routing:
-  zoneEgress: true
-`, name)
-	return YamlUniversal(mesh)
-}
-
 func CrossMeshGatewayOnMultizone() {
 	const gatewayClientNamespaceOtherMesh = "cross-mesh-kuma-client-other"
 	const gatewayClientNamespaceSameMesh = "cross-mesh-kuma-client"

@@ -4,6 +4,8 @@ import (
 	"fmt"
 	"net"
 
+	"github.com/kumahq/kuma/v2/pkg/core/resources/apis/mesh"
+	"github.com/kumahq/kuma/v2/pkg/test/resources/builders"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"golang.org/x/sync/errgroup"
@@ -15,21 +17,13 @@ import (
 	"github.com/kumahq/kuma/v2/test/framework/envs/multizone"
 )
 
-func MeshMTLSOnAndZoneEgressAndNoPassthrough(mesh string, zoneEgress string) string {
-	return fmt.Sprintf(`
-type: Mesh
-name: %s
-mtls:
-  enabledBackend: ca-1
-  backends:
-  - name: ca-1
-    type: builtin
-networking:
-  outbound:
-    passthrough: false
-routing:
-  zoneEgress: %s
-`, mesh, zoneEgress)
+func MeshMTLSOnAndZoneEgressAndNoPassthrough(mesh string, zoneEgress bool) *mesh.MeshResource {
+	return builders.Mesh().
+		WithName(mesh).
+		WithBuiltinMTLSBackend("ca-1").
+		WithNetworkingPassThrough(false).
+		WithRoutingZoneEgress(zoneEgress).
+		Build()
 }
 
 func externalService(mesh string, ip string) string {
@@ -77,8 +71,8 @@ networking:
 	BeforeAll(func() {
 		// Global
 		Expect(NewClusterSetup().
-			Install(YamlUniversal(MeshMTLSOnAndZoneEgressAndNoPassthrough(mesh, "true"))).
-			Install(YamlUniversal(MeshMTLSOnAndZoneEgressAndNoPassthrough(meshNoZoneEgress, "false"))).
+			Install(ResourceUniversal(MeshMTLSOnAndZoneEgressAndNoPassthrough(mesh, true))).
+			Install(ResourceUniversal(MeshMTLSOnAndZoneEgressAndNoPassthrough(meshNoZoneEgress, false))).
 			Install(MeshTrafficPermissionAllowAllUniversal(mesh)).
 			Install(MeshTrafficPermissionAllowAllUniversal(meshNoZoneEgress)).
 			Setup(multizone.Global)).To(Succeed())

@@ -33,7 +33,7 @@ networking:
 	BeforeAll(func() {
 		// Global
 		Expect(NewClusterSetup().
-			Install(YamlUniversal(MeshMTLSOnAndZoneEgressAndNoPassthrough(mesh, "false"))).
+			Install(ResourceUniversal(MeshMTLSOnAndZoneEgressAndNoPassthrough(mesh, false))).
 			Install(MeshTrafficPermissionAllowAllUniversal(mesh)).
 			Setup(multizone.Global)).To(Succeed())
 		Expect(WaitForMesh(mesh, multizone.Zones())).To(Succeed())

@@ -1,6 +1,8 @@
 package localityawarelb
 
 import (
+	core_meta "github.com/kumahq/kuma/v2/pkg/core/metadata"
+	"github.com/kumahq/kuma/v2/pkg/test/resources/builders"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"golang.org/x/sync/errgroup"
@@ -20,23 +22,13 @@ func MeshMzService() {
 		Expect(NewClusterSetup().
 			Install(MTLSMeshWithMeshServicesUniversal(meshName, "Everywhere")).
 			Install(MeshTrafficPermissionAllowAllUniversal(meshName)).
-			Install(YamlUniversal(`
-type: MeshMultiZoneService
-name: test-server
-mesh: mlb-mzms
-labels:
-  test-name: mzmsconnectivity
-spec:
-  selector:
-    meshService:
-      matchLabels:
-        kuma.io/display-name: test-server
-  ports:
-  - name: "80"
-    port: 80
-    appProtocol: http
-`)).
-			Setup(multizone.Global)).To(Succeed())
+			Install(ResourceUniversal(builders.MeshMultiZoneService().
+				WithName("test-server").
+				WithMesh(meshName).
+				WithLabels(map[string]string{"test-name": "mzmsconnectivity"}).
+				WithServiceLabelSelector(map[string]string{"kuma.io/display-name": "test-server"}).
+				AddIntPortWithName(80, core_meta.ProtocolHTTP, "80").
+				Build())).Setup(multizone.Global)).To(Succeed())
 		Expect(WaitForMesh(meshName, multizone.Zones())).To(Succeed())
 
 		group := errgroup.Group{}

@@ -3,6 +3,8 @@ package meshhttproute
 import (
 	"fmt"
 
+	core_meta "github.com/kumahq/kuma/v2/pkg/core/metadata"
+	"github.com/kumahq/kuma/v2/pkg/test/resources/builders"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"golang.org/x/sync/errgroup"
@@ -18,28 +20,19 @@ import (
 func MeshService() {
 	meshName := "meshhttproutems"
 	namespace := "meshhttproutems"
-
+	meshMultiZone := builders.MeshMultiZoneService().
+		WithMesh(meshName).
+		WithName("test-server").
+		WithLabels(map[string]string{"test-name": meshName}).
+		WithServiceLabelSelector(map[string]string{"kuma.io/display-name": "test-server",
+			"k8s.kuma.io/namespace": namespace,
+			"kuma.io/zone":          "kuma-2"}).
+		AddIntPortWithName(80, core_meta.ProtocolHTTP, "80").Build()
 	BeforeAll(func() {
 		err := NewClusterSetup().
 			Install(MTLSMeshWithMeshServicesUniversal(meshName, "Exclusive")).
 			Install(MeshTrafficPermissionAllowAllUniversal(meshName)).
-			Install(YamlUniversal(`
-type: MeshMultiZoneService
-name: test-server
-mesh: meshhttproutems
-labels:
-  test-name: meshhttproutems
-spec:
-  selector:
-    meshService:
-      matchLabels:
-        kuma.io/display-name: test-server
-        k8s.kuma.io/namespace: meshhttproutems
-        kuma.io/zone: kuma-2 # pick specific zone so we do not rely on default fallback
-  ports:
-  - port: 80
-    appProtocol: http
-`)).
+			Install(ResourceUniversal(meshMultiZone)).
 			Setup(multizone.Global)
 		Expect(err).ToNot(HaveOccurred())
 		Expect(WaitForMesh(meshName, multizone.Zones())).To(Succeed())

@@ -3,6 +3,8 @@ package meshmultizoneservice
 import (
 	"fmt"
 
+	core_meta "github.com/kumahq/kuma/v2/pkg/core/metadata"
+	"github.com/kumahq/kuma/v2/pkg/test/resources/builders"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/onsi/gomega/types"
@@ -20,26 +22,17 @@ func Connectivity() {
 	namespace := "mzmsconnectivity"
 	clientNamespace := "mzmsconnectivity-client"
 	meshName := "mzmsconnectivity"
-
+	mesh := builders.MeshMultiZoneService().
+		WithName("test-server").
+		WithLabels(map[string]string{"test-name": meshName}).
+		WithServiceLabelSelector(map[string]string{"kuma.io/display-name": "test-server"}).
+		AddIntPortWithName(80, core_meta.ProtocolHTTP, "80").
+		WithMesh(meshName).Build()
 	BeforeAll(func() {
 		Expect(NewClusterSetup().
 			Install(MTLSMeshWithMeshServicesUniversal(meshName, "Everywhere")).
 			Install(MeshTrafficPermissionAllowAllUniversal(meshName)).
-			Install(YamlUniversal(`
-type: MeshMultiZoneService
-name: test-server
-mesh: mzmsconnectivity
-labels:
-  test-name: mzmsconnectivity
-spec:
-  selector:
-    meshService:
-      matchLabels:
-        kuma.io/display-name: test-server
-  ports:
-  - port: 80
-    appProtocol: http
-`)).
+			Install(ResourceUniversal(mesh)).
 			Setup(multizone.Global)).To(Succeed())
 		Expect(WaitForMesh(meshName, multizone.Zones())).To(Succeed())