e2e: add test for RecomputeRoute in ExtAuth (envoyproxy#4222)

Signed-off-by: zirain <zirain2009@gmail.com>
guydc · Sep 19, 2024 · 9cf7828 · 9cf7828
1 parent d5eb231
commit 9cf7828
Show file tree

Hide file tree

Showing 2 changed files with 106 additions and 24 deletions.
diff --git a/test/e2e/testdata/ext-auth-http-backend-securitypolicy.yaml b/test/e2e/testdata/ext-auth-http-backend-securitypolicy.yaml
@@ -6,16 +6,39 @@ metadata:
   namespace: gateway-conformance-infra
 spec:
   parentRefs:
-  - name: same-namespace
+    - name: same-namespace
   hostnames: ["www.example.com"]
   rules:
-  - matches:
-    - path:
-        type: PathPrefix
-        value: /myapp              # This is the path that will be protected by ext auth
-    backendRefs:
-    - name: infra-backend-v1
-      port: 8080
+    - matches:
+        - path:
+            type: PathPrefix
+            # This is the path that will be protected by ext auth
+            value: /myapp
+          headers:
+            - name: x-current-user
+              value: user2
+      backendRefs:
+        - name: infra-backend-v2
+          port: 8080
+    - matches:
+        - path:
+            type: PathPrefix
+            # This is the path that will be protected by ext auth
+            value: /myapp
+          headers:
+            - name: x-current-user
+              value: user3
+      backendRefs:
+        - name: infra-backend-v3
+          port: 8080
+    - matches:
+        - path:
+            type: PathPrefix
+            # This is the path that will be protected by ext auth
+            value: /myapp
+      backendRefs:
+        - name: infra-backend-v1
+          port: 8080
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
@@ -24,16 +47,17 @@ metadata:
   namespace: gateway-conformance-infra
 spec:
   parentRefs:
-  - name: same-namespace
+    - name: same-namespace
   hostnames: ["www.example.com"]
   rules:
-  - matches:
-    - path:
-        type: PathPrefix
-        value: /public            # This is the path that will be public
-    backendRefs:
-    - name: infra-backend-v1
-      port: 8080
+    - matches:
+        - path:
+            type: PathPrefix
+            # This is the path that will be public
+            value: /public
+      backendRefs:
+        - name: infra-backend-v1
+          port: 8080
 ---
 apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: SecurityPolicy
@@ -42,15 +66,17 @@ metadata:
   namespace: gateway-conformance-infra
 spec:
   targetRefs:
-  - group: gateway.networking.k8s.io
-    kind: HTTPRoute
-    name: http-ext-auth-backend
+    - group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: http-ext-auth-backend
   extAuth:
+    recomputeRoute: true
     http:
       backendRefs:
-      - name: backend-fqdn   # should add namespace here because envoy will locate in envoy-gateway-system namespace
-        kind: Backend
-        group: gateway.envoyproxy.io
-        namespace: gateway-conformance-infra
-        port: 9002
+        # should add namespace here because envoy will locate in envoy-gateway-system namespace
+        - name: backend-fqdn
+          kind: Backend
+          group: gateway.envoyproxy.io
+          namespace: gateway-conformance-infra
+          port: 9002
       headersToBackend: ["x-current-user"]
diff --git a/test/e2e/tests/ext_auth_http_backend.go b/test/e2e/tests/ext_auth_http_backend.go
@@ -152,5 +152,61 @@ var HTTPBackendExtAuthTest = suite.ConformanceTest{
 				t.Errorf("failed to compare request and response: %v", err)
 			}
 		})
+
+		t.Run("route base on headersToBackend", func(t *testing.T) {
+			v2ExpectedResponse := http.ExpectedResponse{
+				Request: http.Request{
+					Host: "www.example.com",
+					Path: "/myapp",
+					Headers: map[string]string{
+						"Authorization": "Bearer token2",
+					},
+				},
+				Backend: "infra-backend-v2",
+				// Verify that the http headers returned by the ext auth service
+				// are added to the original request before sending it to the backend
+				ExpectedRequest: &http.ExpectedRequest{
+					Request: http.Request{
+						Host: "www.example.com",
+						Path: "/myapp",
+						Headers: map[string]string{
+							"x-current-user": "user2",
+						},
+					},
+				},
+				Response: http.Response{
+					StatusCode: 200,
+				},
+				Namespace: ns,
+			}
+			http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, v2ExpectedResponse)
+
+			v3ExpectedResponse := http.ExpectedResponse{
+				Request: http.Request{
+					Host: "www.example.com",
+					Path: "/myapp",
+					Headers: map[string]string{
+						"Authorization": "Bearer token3",
+					},
+				},
+				// Verify that the http headers returned by the ext auth service
+				// are added to the original request before sending it to the backend
+				ExpectedRequest: &http.ExpectedRequest{
+					Request: http.Request{
+						Host: "www.example.com",
+						Path: "/myapp",
+						Headers: map[string]string{
+							"x-current-user": "user3",
+						},
+					},
+				},
+				Backend: "infra-backend-v3",
+				Response: http.Response{
+					StatusCode: 200,
+				},
+				Namespace: ns,
+			}
+			http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, v3ExpectedResponse)
+		})
 	},
 }