NE-2422: Add dual-stack ingress e2e test for AWSDualStackInstall featuregate

alebedev87 · claude · alebedev87 · commit 734f097e1bd2 · 2026-03-18T23:18:05.000+01:00
Add a new test that verifies ingress is reachable over both IPv4 and IPv6
on AWS dual-stack clusters. The test creates a new IngressController shard
with an NLB, an edge-terminated route, and validates connectivity using
curl -4 and curl -6 from an exec pod.

Also extends the shard.Config to support optional LoadBalancerStrategy
parameters for configuring the IngressController's load balancer type.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/test/extended/router/dualstack.go b/test/extended/router/dualstack.go
@@ -0,0 +1,241 @@
+package router
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	g "github.com/onsi/ginkgo/v2"
+	o "github.com/onsi/gomega"
+
+	configv1 "github.com/openshift/api/config/v1"
+	operatorv1 "github.com/openshift/api/operator/v1"
+	routev1 "github.com/openshift/api/route/v1"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/wait"
+	e2e "k8s.io/kubernetes/test/e2e/framework"
+	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+	e2eoutput "k8s.io/kubernetes/test/e2e/framework/pod/output"
+	admissionapi "k8s.io/pod-security-admission/api"
+	utilpointer "k8s.io/utils/pointer"
+
+	"github.com/openshift/origin/test/extended/router/shard"
+	exutil "github.com/openshift/origin/test/extended/util"
+	"github.com/openshift/origin/test/extended/util/image"
+)
+
+var _ = g.Describe("[sig-network-edge][OCPFeatureGate:AWSDualStackInstall][Feature:Router][apigroup:route.openshift.io][apigroup:operator.openshift.io][apigroup:config.openshift.io]", func() {
+	defer g.GinkgoRecover()
+
+	var oc = exutil.NewCLIWithPodSecurityLevel("router-dualstack", admissionapi.LevelBaseline)
+
+	g.It("should be reachable via IPv4 and IPv6 through a dual-stack ingress controller", func() {
+		ctx := context.Background()
+
+		g.By("Checking that the Infrastructure CR has a DualStack IPFamily")
+		infra, err := oc.AdminConfigClient().ConfigV1().Infrastructures().Get(ctx, "cluster", metav1.GetOptions{})
+		o.Expect(err).NotTo(o.HaveOccurred(), "failed to get infrastructure CR")
+
+		if infra.Status.PlatformStatus == nil || infra.Status.PlatformStatus.Type != configv1.AWSPlatformType {
+			g.Skip("Test requires AWS platform")
+		}
+		if infra.Status.PlatformStatus.AWS == nil {
+			g.Skip("AWS platform status is not set")
+		}
+		ipFamily := infra.Status.PlatformStatus.AWS.IPFamily
+		if ipFamily != configv1.DualStackIPv4Primary && ipFamily != configv1.DualStackIPv6Primary {
+			g.Skip(fmt.Sprintf("Test requires DualStack IPFamily, got %q", ipFamily))
+		}
+
+		g.By("Getting the default ingress domain")
+		defaultDomain, err := getDefaultIngressClusterDomainName(oc, time.Minute)
+		o.Expect(err).NotTo(o.HaveOccurred(), "failed to find default domain name")
+
+		ns := oc.KubeFramework().Namespace.Name
+		shardFQDN := oc.Namespace() + "." + defaultDomain
+
+		g.By("Creating backend service")
+		service := &corev1.Service{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "dualstack-backend",
+				Labels: map[string]string{
+					"app": "dualstack-backend",
+				},
+			},
+			Spec: corev1.ServiceSpec{
+				Selector: map[string]string{
+					"app": "dualstack-backend",
+				},
+				IPFamilyPolicy: func() *corev1.IPFamilyPolicy {
+					p := corev1.IPFamilyPolicyPreferDualStack
+					return &p
+				}(),
+				Ports: []corev1.ServicePort{
+					{
+						Name:       "http",
+						Port:       8080,
+						Protocol:   corev1.ProtocolTCP,
+						TargetPort: intstr.FromInt(8080),
+					},
+				},
+			},
+		}
+		_, err = oc.AdminKubeClient().CoreV1().Services(ns).Create(ctx, service, metav1.CreateOptions{})
+		o.Expect(err).NotTo(o.HaveOccurred())
+
+		g.By("Creating backend pod")
+		backendPod := &corev1.Pod{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "dualstack-backend",
+				Labels: map[string]string{
+					"app": "dualstack-backend",
+				},
+			},
+			Spec: corev1.PodSpec{
+				TerminationGracePeriodSeconds: utilpointer.Int64(1),
+				Containers: []corev1.Container{
+					{
+						Name:            "server",
+						Image:           image.ShellImage(),
+						ImagePullPolicy: corev1.PullIfNotPresent,
+						Command:         []string{"/bin/bash", "-c", `while true; do
+printf "HTTP/1.1 200 OK\r\nContent-Length: 2\r\nContent-Type: text/plain\r\n\r\nOK" | nc -l -p 8080 -q 1 || true
+done`},
+						Ports: []corev1.ContainerPort{
+							{
+								ContainerPort: 8080,
+								Name:          "http",
+								Protocol:      corev1.ProtocolTCP,
+							},
+						},
+					},
+				},
+			},
+		}
+		_, err = oc.AdminKubeClient().CoreV1().Pods(ns).Create(ctx, backendPod, metav1.CreateOptions{})
+		o.Expect(err).NotTo(o.HaveOccurred())
+
+		g.By("Waiting for backend pod to be running")
+		e2e.ExpectNoError(e2epod.WaitForPodRunningInNamespaceSlow(ctx, oc.KubeClient(), "dualstack-backend", ns), "backend pod not running")
+
+		g.By("Creating an edge-terminated route")
+		routeType := oc.Namespace()
+		route := routev1.Route{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "dualstack-route",
+				Labels: map[string]string{
+					"type": routeType,
+				},
+			},
+			Spec: routev1.RouteSpec{
+				Host: "dualstack-test." + shardFQDN,
+				Port: &routev1.RoutePort{
+					TargetPort: intstr.FromInt(8080),
+				},
+				TLS: &routev1.TLSConfig{
+					Termination:                   routev1.TLSTerminationEdge,
+					InsecureEdgeTerminationPolicy: routev1.InsecureEdgeTerminationPolicyRedirect,
+				},
+				To: routev1.RouteTargetReference{
+					Kind:   "Service",
+					Name:   "dualstack-backend",
+					Weight: utilpointer.Int32(100),
+				},
+				WildcardPolicy: routev1.WildcardPolicyNone,
+			},
+		}
+		_, err = oc.RouteClient().RouteV1().Routes(ns).Create(ctx, &route, metav1.CreateOptions{})
+		o.Expect(err).NotTo(o.HaveOccurred())
+
+		g.By("Deploying a new router shard with NLB")
+		shardIngressCtrl, err := shard.DeployNewRouterShard(oc, 10*time.Minute, shard.Config{
+			Domain: shardFQDN,
+			Type:   oc.Namespace(),
+			LoadBalancer: &operatorv1.LoadBalancerStrategy{
+				Scope: operatorv1.ExternalLoadBalancer,
+				ProviderParameters: &operatorv1.ProviderLoadBalancerParameters{
+					Type: operatorv1.AWSLoadBalancerProvider,
+					AWS: &operatorv1.AWSLoadBalancerParameters{
+						Type: operatorv1.AWSNetworkLoadBalancer,
+					},
+				},
+			},
+		})
+		defer func() {
+			if shardIngressCtrl != nil {
+				if err := oc.AdminOperatorClient().OperatorV1().IngressControllers(shardIngressCtrl.Namespace).Delete(ctx, shardIngressCtrl.Name, metav1.DeleteOptions{}); err != nil {
+					e2e.Logf("deleting ingress controller failed: %v\n", err)
+				}
+			}
+		}()
+		o.Expect(err).NotTo(o.HaveOccurred(), "new router shard did not rollout")
+
+		g.By("Labelling the namespace for the shard")
+		err = oc.AsAdmin().Run("label").Args("namespace", oc.Namespace(), "type="+oc.Namespace()).Execute()
+		o.Expect(err).NotTo(o.HaveOccurred())
+
+		g.By("Waiting for the route to be admitted")
+		routeHost := "dualstack-test." + shardFQDN
+		err = wait.PollImmediate(5*time.Second, 5*time.Minute, func() (bool, error) {
+			r, err := oc.RouteClient().RouteV1().Routes(ns).Get(ctx, "dualstack-route", metav1.GetOptions{})
+			if err != nil {
+				e2e.Logf("failed to get route: %v, retrying...", err)
+				return false, nil
+			}
+			for _, ingress := range r.Status.Ingress {
+				if ingress.Host == routeHost {
+					for _, condition := range ingress.Conditions {
+						if condition.Type == routev1.RouteAdmitted && condition.Status == corev1.ConditionTrue {
+							return true, nil
+						}
+					}
+				}
+			}
+			return false, nil
+		})
+		o.Expect(err).NotTo(o.HaveOccurred(), "route was not admitted")
+
+		g.By("Creating exec pod for curl tests")
+		execPod := exutil.CreateExecPodOrFail(oc.AdminKubeClient(), ns, "execpod")
+		defer func() {
+			oc.AdminKubeClient().CoreV1().Pods(ns).Delete(ctx, execPod.Name, *metav1.NewDeleteOptions(1))
+		}()
+
+		g.By("Verifying route is reachable over IPv4")
+		err = waitForDualStackRouteResponse(ns, execPod.Name, routeHost, "-4", 5*60)
+		o.Expect(err).NotTo(o.HaveOccurred(), "route not reachable over IPv4")
+
+		g.By("Verifying route is reachable over IPv6")
+		err = waitForDualStackRouteResponse(ns, execPod.Name, routeHost, "-6", 5*60)
+		o.Expect(err).NotTo(o.HaveOccurred(), "route not reachable over IPv6")
+	})
+})
+
+func waitForDualStackRouteResponse(ns, execPodName, host, ipFlag string, timeoutSeconds int) error {
+	cmd := fmt.Sprintf(`
+		STOP=$(($(date '+%%s') + %d))
+		while [ $(date '+%%s') -lt $STOP ]; do
+			rc=0
+			code=$( curl %s -k -s -m 10 -o /dev/null -w '%%{http_code}' https://%s ) || rc=$?
+			if [[ "${rc:-0}" -eq 0 ]]; then
+				echo "response code: $code"
+				if [[ $code -eq 200 ]]; then
+					exit 0
+				fi
+			else
+				echo "curl error: ${rc}" 1>&2
+			fi
+			sleep 5
+		done
+		echo "timed out waiting for 200 response"
+		exit 1
+		`, timeoutSeconds, ipFlag, host)
+	output, err := e2eoutput.RunHostCmd(ns, execPodName, cmd)
+	if err != nil {
+		return fmt.Errorf("curl %s to %s failed: %v\n%s", ipFlag, host, err, output)
+	}
+	return nil
+}
diff --git a/test/extended/router/shard/shard.go b/test/extended/router/shard/shard.go
@@ -21,6 +21,10 @@ type Config struct {
 
 	// Type is the matchSelector
 	Type string
+
+	// LoadBalancer optionally specifies LoadBalancerStrategy parameters.
+	// If nil, the default LoadBalancer configuration is used.
+	LoadBalancer *operatorv1.LoadBalancerStrategy
 }
 
 var ingressControllerNonDefaultAvailableConditions = []operatorv1.OperatorCondition{
@@ -43,7 +47,8 @@ func DeployNewRouterShard(oc *exutil.CLI, timeout time.Duration, cfg Config) (*o
 			Replicas: utilpointer.Int32(1),
 			Domain:   cfg.Domain,
 			EndpointPublishingStrategy: &operatorv1.EndpointPublishingStrategy{
-				Type: operatorv1.LoadBalancerServiceStrategyType,
+				Type:         operatorv1.LoadBalancerServiceStrategyType,
+				LoadBalancer: cfg.LoadBalancer,
 			},
 			NodePlacement: &operatorv1.NodePlacement{
 				NodeSelector: &metav1.LabelSelector{
