From 4a7ea58ed203c66035c0a7ede0fa1d5114724ac0 Mon Sep 17 00:00:00 2001
From: gray <gray.liang@isovalent.com>
Date: Thu, 27 Apr 2023 16:48:57 +0800
Subject: [PATCH] connectivity: add test for accessing NodePort from outside
 with L7 policy

This test case covers https://github.com/cilium/cilium/issues/21954. The
test is for accessing NodePort from outside with L7 policy."

The echo-ingress-l7-http policy is updated to allow HTTP GET from outside,
instead of only from 'other' client pods.

Use `cilium connectivity test --test north-south-loadbalancing --datapath`
to run this test.

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
---
 connectivity/manifests/echo-ingress-l7-http.yaml | 4 +++-
 connectivity/suite.go                            | 6 ++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/connectivity/manifests/echo-ingress-l7-http.yaml b/connectivity/manifests/echo-ingress-l7-http.yaml
index 400f760093..4473545097 100644
--- a/connectivity/manifests/echo-ingress-l7-http.yaml
+++ b/connectivity/manifests/echo-ingress-l7-http.yaml
@@ -9,9 +9,11 @@ spec:
     matchLabels:
       kind: echo
   ingress:
-  # Only allow 'other' client to make a GET /public requests.
+  # Only allow 'other' client or world to make a GET /public requests.
   # Allow GET /private' only if a particular HTTP header is set.
   # Disallow L3 traffic for now, flow matcher doesn't yet support L7 drops.
+  - fromEntities:
+    - world
   - fromEndpoints:
     - matchLabels:
         other: client
diff --git a/connectivity/suite.go b/connectivity/suite.go
index f40cd088a2..ebb4c9c5eb 100644
--- a/connectivity/suite.go
+++ b/connectivity/suite.go
@@ -192,6 +192,12 @@ func Run(ctx context.Context, ct *check.ConnectivityTest) error {
 			WithScenarios(
 				tests.OutsideToNodePort(),
 			)
+		ct.NewTest("north-south-loadbalancing-with-l7-policy").
+			WithFeatureRequirements(check.RequireFeatureEnabled(check.FeatureNodeWithoutCilium)).
+			WithCiliumPolicy(echoIngressL7HTTPPolicyYAML).
+			WithScenarios(
+				tests.OutsideToNodePort(),
+			)
 		ct.NewTest("pod-to-pod-encryption").
 			WithFeatureRequirements(check.RequireFeatureEnabled(check.FeatureEncryptionPod)).
 			WithScenarios(