chore: move backend tls test resources out of the base (envoyproxy#3862)

* move backend tls test resources out of the base

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* fix lint

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* fix lint

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* add notice

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* fix test

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* fix test

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* print response body for debugging

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* print policy for debugging

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* increase timeout

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

test/e2e/base/manifests.yaml

@@ -6,7 +6,6 @@
 # namespace):
 # - same-namespace (only supports route in same ns)
 # - all-namespaces (supports routes in all ns)
-# - backend-namespaces (supports routes in ns with backend label)
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -50,33 +49,6 @@ spec:
       name: zipkin-tracing
       namespace: envoy-gateway-system
 ---
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
-  name: backend-namespaces
-  namespace: gateway-conformance-infra
-spec:
-  gatewayClassName: "{GATEWAY_CLASS_NAME}"
-  listeners:
-  - name: https
-    port: 443
-    protocol: HTTPS
-    tls:
-      certificateRefs:
-      - group: ""
-        kind: Secret
-        name: backend-tls-certificate
-      mode: Terminate
-  - name: http
-    port: 80
-    protocol: HTTP
-    allowedRoutes:
-      namespaces:
-        from: Selector
-        selector:
-          matchLabels:
-            gateway-conformance: backend
----
 apiVersion: v1
 kind: Service
 metadata:

test/e2e/testdata/backend-tls-settings.yaml

@@ -1,3 +1,30 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: backend-namespaces
+  namespace: gateway-conformance-infra
+spec:
+  gatewayClassName: "{GATEWAY_CLASS_NAME}"
+  listeners:
+    - name: https
+      port: 443
+      protocol: HTTPS
+      tls:
+        certificateRefs:
+          - group: ""
+            kind: Secret
+            name: backend-tls-certificate
+        mode: Terminate
+    - name: http
+      port: 80
+      protocol: HTTP
+      allowedRoutes:
+        namespaces:
+          from: Selector
+          selector:
+            matchLabels:
+              gateway-conformance: backend
+---
 apiVersion: v1
 data:
   ca.crt: |

test/e2e/tests/oidc.go

@@ -9,14 +9,17 @@
 package tests
 
 import (
+	"context"
 	"io"
 	"net/http"
 	"regexp"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
 	gwhttp "sigs.k8s.io/gateway-api/conformance/utils/http"
@@ -75,18 +78,31 @@ var OIDCTest = suite.ConformanceTest{
 			)
 			require.NoError(t, err)
 
-			// Send a request to the http route with OIDC configured.
-			// It will be redirected to the keycloak login page
-			res, err := client.Get(testURL, true)
-			require.NoError(t, err)
-			require.Equal(t, 200, res.StatusCode, "Expected 200 OK")
-
-			// Parse the response body to get the URL where the login page would post the user-entered credentials
-			require.NoError(t, client.ParseLoginForm(res.Body, keyCloakLoginFormID), "Failed to parse login form")
+			if err := wait.PollUntilContextTimeout(context.TODO(), time.Second, 5*time.Minute, true,
+				func(_ context.Context) (done bool, err error) {
+					t.Logf("sending request to %s", testURL)
+
+					// Send a request to the http route with OIDC configured.
+					// It will be redirected to the keycloak login page
+					res, err := client.Get(testURL, true)
+					require.NoError(t, err, "Failed to get the login page")
+					require.Equal(t, 200, res.StatusCode, "Expected 200 OK")
+
+					// Parse the response body to get the URL where the login page would post the user-entered credentials
+					if err := client.ParseLoginForm(res.Body, keyCloakLoginFormID); err != nil {
+						t.Logf("failed to parse login form: %v", err)
+						return false, nil
+					}
+
+					t.Log("successfully parsed login form")
+					return true, nil
+				}); err != nil {
+				t.Errorf("failed to parse login form: %v", err)
+			}
 
 			// Submit the login form to the IdP.
 			// This will authenticate and redirect back to the application
-			res, err = client.Login(map[string]string{"username": username, "password": password, "credentialId": ""})
+			res, err := client.Login(map[string]string{"username": username, "password": password, "credentialId": ""})
 			require.NoError(t, err, "Failed to login to the IdP")
 
 			// Verify that we get the expected response from the application

test/e2e/tests/oidc_testclient.go

@@ -212,7 +212,7 @@ func extractFromData(responseBody string, match formMatch, includeFromInputs boo
 	// Find the form with the specified ID or match criteria
 	form := findForm(doc, match)
 	if form == nil {
-		return "", "", nil, fmt.Errorf("%s not found", match)
+		return "", "", nil, fmt.Errorf("%s not found in %s", match, responseBody)
 	}
 
 	var (

test/e2e/tests/utils.go

@@ -93,6 +93,7 @@ func SecurityPolicyMustBeAccepted(t *testing.T, client client.Client, policyName
 		}
 
 		if policyAcceptedByAncestor(policy.Status.Ancestors, controllerName, ancestorRef) {
+			t.Logf("SecurityPolicy has been accepted: %v", policy)
 			return true, nil
 		}