From b0afd71432cb003a9ca26f36e4a16bf94d295acb Mon Sep 17 00:00:00 2001
From: gray
Date: Thu, 11 Jul 2024 16:24:25 +0800
Subject: [PATCH] connectivity: Add echo-ingress-l7-via-hostport-with-encryption

This is to cover the fixed issue https://github.com/cilium/cilium/issues/32899.

Signed-off-by: gray
---
 connectivity/builder/echo_ingress_l7.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/connectivity/builder/echo_ingress_l7.go b/connectivity/builder/echo_ingress_l7.go
index 3d3f737029..e4790c8f33 100644
--- a/connectivity/builder/echo_ingress_l7.go
+++ b/connectivity/builder/echo_ingress_l7.go
@@ -40,4 +40,20 @@ func (t echoIngressL7) build(ct *check.ConnectivityTest, _ map[string]string) {
 WithCiliumPolicy(echoIngressL7HTTPPolicyYAML). // L7 allow policy with HTTP introspection
 WithScenarios(tests.PodToPodWithEndpoints()).
 WithExpectations(expectation)
+
+ newTest("echo-ingress-l7-via-hostport-with-encryption", ct).
+ WithCondition(func() bool { return !ct.Params().SingleNode }).
+ WithFeatureRequirements(
+ features.RequireEnabled(features.L7Proxy),
+ // Once https://github.com/cilium/cilium/issues/33168 is fixed, we
+ // can enable for IPsec too.
+ features.RequireMode(features.EncryptionPod, "wireguard"),
+ // Otherwise pod->hostport traffic will be policy
+ // denied on the ingress of dest node when
+ // routing=vxlan + kpr=1 + bpf_masq=1
+ features.RequireEnabled(features.EncryptionNode),
+ ).
+ WithCiliumPolicy(echoIngressL7HTTPPolicyYAML). // L7 allow policy with HTTP introspection
+ WithScenarios(tests.PodToHostPort()).
+ WithExpectations(expectation)
 }
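Review bot: The new `echo-ingress-l7-via-hostport-with-encryption` case appears to assert only the L7 policy outcome in `expectation` for `tests.PodToHostPort()`; nothing visible in the hunk checks that the flow is actually carried over WireGuard, so traffic sent in cleartext would still pass. Both `expectation` and the scenario are defined outside the hunk (as is the start of `build`), so this is inferred from the call chain alone. I would say so above `newTest(...)`, and record the regression target that currently lives only in the commit message: `// Regression test for https://github.com/cilium/cilium/issues/32899: checks L7 policy verdicts for pod->hostport with WireGuard enabled; it does not verify on-the-wire encryption.` The `WithCondition(func() bool { return !ct.Params().SingleNode })` line also needs a short why-comment, since the reason for skipping single-node clusters is not stated. Because `features.RequireEnabled(features.EncryptionNode)` gates the case, clusters with pod-only WireGuard encryption skip it, which is worth noting in the same comment so the coverage gap is explicit.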