Add tests for ObservabilityPolicy CEL validation

Author: shaun-nx

tests/cel/common.go

@@ -33,7 +33,7 @@ const (
 // ClientSettingsPolicy validation errors.
 const (
 	expectedTargetRefKindError       = `TargetRef Kind must be one of: Gateway, HTTPRoute, or GRPCRoute`
-	expectedTargetRefGroupError      = `TargetRef Group must be gateway.networking.k8s.io.`
+	expectedTargetRefGroupError      = `TargetRef Group must be gateway.networking.k8s.io`
 	expectedHeaderWithoutServerError = `header can only be specified if server is specified`
 )
 
@@ -44,6 +44,10 @@ const (
 	expectedMinReplicasLessThanOrEqualError = `minReplicas must be less than or equal to maxReplicas`
 )
 
+const (
+	expectedTargetRefMustBeHTTPRouteOrGrpcRouteError = `TargetRef Kind must be: HTTPRoute or GRPCRoute`
+)
+
 const (
 	defaultNamespace = "default"
 )

tests/cel/observabilitypolicy_test.go

@@ -0,0 +1,182 @@
+package cel
+
+import (
+	"testing"
+
+	controllerruntime "sigs.k8s.io/controller-runtime"
+	gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+
+	ngfAPIv1alpha1 "github.com/nginx/nginx-gateway-fabric/v2/apis/v1alpha1"
+)
+
+func TestObservabilityPoliciesTargetRefKind(t *testing.T) {
+	t.Parallel()
+	k8sClient := getKubernetesClient(t)
+
+	tests := []struct {
+		spec       ngfAPIv1alpha1.ObservabilityPolicySpec
+		name       string
+		wantErrors []string
+	}{
+		{
+			name: "Validate TargetRef of kind HTTPRoute is allowed",
+			spec: ngfAPIv1alpha1.ObservabilityPolicySpec{
+				TargetRefs: []gatewayv1alpha2.LocalPolicyTargetReference{
+					{
+						Kind:  httpRouteKind,
+						Group: gatewayGroup,
+					},
+				},
+			},
+		},
+		{
+			name: "Validate TargetRef of kind GRPCRoute is allowed",
+			spec: ngfAPIv1alpha1.ObservabilityPolicySpec{
+				TargetRefs: []gatewayv1alpha2.LocalPolicyTargetReference{
+					{
+						Kind:  grpcRouteKind,
+						Group: gatewayGroup,
+					},
+				},
+			},
+		},
+		{
+			name:       "Validate Invalid TargetRef Kind is not allowed",
+			wantErrors: []string{expectedTargetRefMustBeHTTPRouteOrGrpcRouteError},
+			spec: ngfAPIv1alpha1.ObservabilityPolicySpec{
+				TargetRefs: []gatewayv1alpha2.LocalPolicyTargetReference{
+					{
+						Kind:  invalidKind,
+						Group: gatewayGroup,
+					},
+				},
+			},
+		},
+		{
+			name:       "Validate TCPRoute TargetRef Kind is not allowed",
+			wantErrors: []string{expectedTargetRefMustBeHTTPRouteOrGrpcRouteError},
+			spec: ngfAPIv1alpha1.ObservabilityPolicySpec{
+				TargetRefs: []gatewayv1alpha2.LocalPolicyTargetReference{
+					{
+						Kind:  tcpRouteKind,
+						Group: gatewayGroup,
+					},
+				},
+			},
+		},
+		{
+			name:       "Validate TargetRef of kind Gateway is allowed",
+			wantErrors: []string{expectedTargetRefMustBeHTTPRouteOrGrpcRouteError},
+			spec: ngfAPIv1alpha1.ObservabilityPolicySpec{
+				TargetRefs: []gatewayv1alpha2.LocalPolicyTargetReference{
+					{
+						Kind:  gatewayKind,
+						Group: gatewayGroup,
+					},
+				},
+			},
+		},
+		{
+			name: "Validate ObservabilityPolicy is applied when one TargetRef is valid and another is invalid",
+			spec: ngfAPIv1alpha1.ObservabilityPolicySpec{
+				TargetRefs: []gatewayv1alpha2.LocalPolicyTargetReference{
+					{
+						Kind:  gatewayKind,
+						Group: gatewayGroup,
+					},
+					{
+						Kind:  grpcRouteKind,
+						Group: gatewayGroup,
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			spec := tt.spec
+
+			for i := range spec.TargetRefs {
+				spec.TargetRefs[i].Name = gatewayv1alpha2.ObjectName(uniqueResourceName(testTargetRefName))
+			}
+
+			observabilityPolicy := &ngfAPIv1alpha1.ObservabilityPolicy{
+				ObjectMeta: controllerruntime.ObjectMeta{
+					Name:      uniqueResourceName(testResourceName),
+					Namespace: defaultNamespace,
+				},
+				Spec: spec,
+			}
+			validateCrd(t, tt.wantErrors, observabilityPolicy, k8sClient)
+		})
+	}
+}
+
+func TestObservabilityPoliciesTargetRefGroup(t *testing.T) {
+	t.Parallel()
+	k8sClient := getKubernetesClient(t)
+
+	tests := []struct {
+		spec       ngfAPIv1alpha1.ObservabilityPolicySpec
+		name       string
+		wantErrors []string
+	}{
+		{
+			name: "Validate gateway.networking.k8s.io TargetRef Group is allowed",
+			spec: ngfAPIv1alpha1.ObservabilityPolicySpec{
+				TargetRefs: []gatewayv1alpha2.LocalPolicyTargetReference{
+					{
+						Kind:  httpRouteKind,
+						Group: gatewayGroup,
+					},
+				},
+			},
+		},
+		{
+			name:       "Validate invalid.networking.k8s.io TargetRef Group is not allowed",
+			wantErrors: []string{expectedTargetRefGroupError},
+			spec: ngfAPIv1alpha1.ObservabilityPolicySpec{
+				TargetRefs: []gatewayv1alpha2.LocalPolicyTargetReference{
+					{
+						Kind:  httpRouteKind,
+						Group: invalidGroup,
+					},
+				},
+			},
+		},
+		{
+			name:       "Validate discovery.k8s.io/v1 TargetRef Group is not allowed",
+			wantErrors: []string{expectedTargetRefGroupError},
+			spec: ngfAPIv1alpha1.ObservabilityPolicySpec{
+				TargetRefs: []gatewayv1alpha2.LocalPolicyTargetReference{
+					{
+						Kind:  httpRouteKind,
+						Group: discoveryGroup,
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			spec := tt.spec
+
+			for i := range spec.TargetRefs {
+				spec.TargetRefs[i].Name = gatewayv1alpha2.ObjectName(uniqueResourceName(testTargetRefName))
+			}
+
+			observabilityPolicy := &ngfAPIv1alpha1.ObservabilityPolicy{
+				ObjectMeta: controllerruntime.ObjectMeta{
+					Name:      uniqueResourceName(testResourceName),
+					Namespace: defaultNamespace,
+				},
+				Spec: spec,
+			}
+			validateCrd(t, tt.wantErrors, observabilityPolicy, k8sClient)
+		})
+	}
+}