NE-1953: Add experimental Gateway API group to Validating Admission Policy

alebedev87 · alebedev87 · commit 70d00ff79f9d · 2025-03-20T15:44:17.000+01:00
This commit adds "gateway.networking.x-k8s.io" to the match condition of
the operator's Validating Admission Policy. This change ensures that
modifications to experimental Gateway API CRDs can be made only by
the ingress operator.
diff --git a/manifests/01-validating-admission-policy.yaml b/manifests/01-validating-admission-policy.yaml
@@ -20,7 +20,7 @@ spec:
     # Consider only request to Gateway API CRDs.
     - name: "check-only-gateway-api-crds"
       # When the operation is DELETE, the "object" variable is null.
-      expression: "(request.operation == 'DELETE' ? oldObject : object).spec.group == 'gateway.networking.k8s.io'"
+      expression: "(request.operation == 'DELETE' ? oldObject : object).spec.group == 'gateway.networking.k8s.io' || (request.operation == 'DELETE' ? oldObject : object).spec.group == 'gateway.networking.x-k8s.io'"
   # Validations are evaluated in the the order of their declaration.
   validations:
     # Verify that the request was sent by the ingress operator's service account.
diff --git a/test/e2e/gateway_api_test.go b/test/e2e/gateway_api_test.go
@@ -47,6 +47,10 @@ var crdNames = []string{
 	"referencegrants.gateway.networking.k8s.io",
 }
 
+var xcrdNames = []string{
+	"listenersets.gateway.networking.x-k8s.io",
+}
+
 // Global variables for testing.
 // The default route name to be constructed.
 var defaultRoutename = ""
@@ -83,6 +87,13 @@ func TestGatewayAPI(t *testing.T) {
 		// TODO: Uninstall OSSM after test is completed.
 	})
 
+	// Create test experimental CRDs for the subsequent subtests.
+	// Specifically, `testGatewayAPIResourcesProtection`, which tests VAP protection
+	// for the experimental Gateway API group, needs to check the update verb.
+	// Since an API `Get` is called before the update, the CRD must exist in the cluster,
+	// just like standard Gateway API CRDs.
+	ensureExperimentalCRDs(t)
+
 	t.Run("testGatewayAPIResources", testGatewayAPIResources)
 	if gatewayAPIControllerEnabled {
 		t.Run("testGatewayAPIObjects", testGatewayAPIObjects)
@@ -195,7 +206,7 @@ func testGatewayAPIResourcesProtection(t *testing.T) {
 
 	// Create test CRDs.
 	var testCRDs []*apiextensionsv1.CustomResourceDefinition
-	for _, name := range crdNames {
+	for _, name := range append(crdNames, xcrdNames...) {
 		testCRDs = append(testCRDs, buildGWAPICRDFromName(name))
 	}
 
@@ -297,6 +308,26 @@ func deleteCRDs(t *testing.T) {
 	}
 }
 
+// ensureExperimentalCRDs creates experimental Gateway API custom resource definitions.
+// This function temporarily disables the ingress operator's VAP to allow CRD creation.
+// The VAP is re-enabled before the function returns.
+func ensureExperimentalCRDs(t *testing.T) {
+	vm := newVAPManager(t, gwapiCRDVAPName)
+	if err, recoverFn := vm.disable(); err != nil {
+		defer recoverFn()
+		t.Fatalf("failed to disable vap: %v", err)
+	}
+	defer vm.enable()
+
+	for _, crdName := range xcrdNames {
+		if _, err := createCRD(crdName); err != nil {
+			t.Fatalf("failed to create experimental crd %q: %v", crdName, err)
+		} else {
+			t.Logf("created experimental crd %q", crdName)
+		}
+	}
+}
+
 // ensureGatewayObjectCreation tests that gateway class, gateway, and http route objects can be created.
 func ensureGatewayObjectCreation(ns *corev1.Namespace) error {
 	var domain string
diff --git a/test/e2e/util_gatewayapi_test.go b/test/e2e/util_gatewayapi_test.go
@@ -271,6 +271,21 @@ func createGatewayClass(name, controllerName string) (*gatewayapiv1.GatewayClass
 	return gatewayClass, nil
 }
 
+// createCRD creates the CRD with the given name or retrieves it if already exists.
+func createCRD(name string) (*apiextensionsv1.CustomResourceDefinition, error) {
+	crd := buildGWAPICRDFromName(name)
+	if err := kclient.Create(context.Background(), crd); err != nil {
+		if kerrors.IsAlreadyExists(err) {
+			if err := kclient.Get(context.Background(), types.NamespacedName{Name: name}, crd); err != nil {
+				return nil, fmt.Errorf("failed to get crd %q: %w", name, err)
+			}
+			return crd, nil
+		}
+		return nil, fmt.Errorf("failed to create crd %q: %w", name, err)
+	}
+	return crd, nil
+}
+
 // buildGatewayClass initializes the GatewayClass and returns its address.
 func buildGatewayClass(name, controllerName string) *gatewayapiv1.GatewayClass {
 	return &gatewayapiv1.GatewayClass{
@@ -348,6 +363,12 @@ func buildGWAPICRDFromName(name string) *apiextensionsv1.CustomResourceDefinitio
 	case "referencegrants":
 		kind = "ReferenceGrant"
 		versions = []map[string]bool{{"v1beta1": true}}
+	case "listenersets":
+		kind = "ListenerSet"
+		versions = []map[string]bool{{"v1alpha1": true}}
+	case "grpcroutes":
+		kind = "GRPCRoute"
+		versions = []map[string]bool{{"v1": true}}
 	}
 
 	crd := &apiextensionsv1.CustomResourceDefinition{
