From 605ab47d5c70a1ec665e65f7768c04c5324ce985 Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Fri, 23 May 2025 02:56:50 +0000 Subject: [PATCH 01/12] fix wasm file cache directory permission Signed-off-by: Huabing (Robin) Zhao --- tools/docker/envoy-gateway/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index a21dee5c92..bc835e971f 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile @@ -1,13 +1,13 @@ FROM busybox@sha256:37f7b378a29ceb4c551b1b5582e27747b855bbfaa73fa11914fe0df028dc581f AS source # Create the data directory for eg -RUN mkdir -p /var/lib/eg +RUN mkdir -p /var/lib/eg && chmod -R 0777 /var/lib/eg # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details FROM gcr.io/distroless/base-nossl:nonroot@sha256:ecbab76d6a504ddf7c58a9d786e70f1f1731fa546b1ac0b20dab35c6fc2f3138 ARG TARGETPLATFORM COPY --chown=65532:65532 $TARGETPLATFORM/envoy-gateway /usr/local/bin/ -COPY --from=source --chown=65532:65532 /var/lib /var/lib +COPY --from=source /var/lib /var/lib USER 65532:65532 From 854d4bc71db0c247268f15fc71d988f0e9328347 Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Wed, 28 May 2025 09:59:16 +0800 Subject: [PATCH 02/12] Update tools/docker/envoy-gateway/Dockerfile Co-authored-by: Arko Dasgupta Signed-off-by: Huabing (Robin) Zhao --- tools/docker/envoy-gateway/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index bc835e971f..f9e126994d 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile 
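Review bot: `chmod -R 0777 /var/lib/eg` makes the wasm cache world-writable, and with `--chown` dropped from the `/var/lib` COPY the directory is root-owned, so any UID inside the container can replace or delete cached modules; if the point is to run under an arbitrary non-root UID, add the sticky bit so only a file's owner can remove or rename it, `RUN mkdir -p /var/lib/eg && chmod 1777 /var/lib/eg`, and record the reason above it, e.g. `# world-writable on purpose: the container may run as an arbitrary non-root UID`. The `-R` does nothing useful on a directory that was just created empty. Whether cached modules are re-validated before they are loaded is not visible here, so the impact of a planted module is inferred rather than shown.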
@@ -1,6 +1,6 @@ FROM busybox@sha256:37f7b378a29ceb4c551b1b5582e27747b855bbfaa73fa11914fe0df028dc581f AS source # Create the data directory for eg -RUN mkdir -p /var/lib/eg && chmod -R 0777 /var/lib/eg +RUN mkdir -p /var/lib/eg && chmod -R 0660 /var/lib/eg # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details From c8b4bbd6e5b85111f37f6bf62a98422c4be47019 Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Wed, 28 May 2025 09:42:20 +0000 Subject: [PATCH 03/12] we need execute permission to create files inside the cache dir Signed-off-by: Huabing (Robin) Zhao --- tools/docker/envoy-gateway/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index f9e126994d..51d67a2701 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile @@ -1,6 +1,6 @@ FROM busybox@sha256:37f7b378a29ceb4c551b1b5582e27747b855bbfaa73fa11914fe0df028dc581f AS source # Create the data directory for eg -RUN mkdir -p /var/lib/eg && chmod -R 0660 /var/lib/eg +RUN mkdir -p /var/lib/eg && chmod -R 0770 /var/lib/eg # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details From 4877e6c3de22f904a154f28d83db368d1e18b74b Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Wed, 28 May 2025 10:52:51 +0000 Subject: [PATCH 04/12] change permision Signed-off-by: Huabing (Robin) Zhao --- tools/docker/envoy-gateway/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index 51d67a2701..5abb7c776e 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile 
@@ -1,6 +1,6 @@ FROM busybox@sha256:37f7b378a29ceb4c551b1b5582e27747b855bbfaa73fa11914fe0df028dc581f AS source # Create the data directory for eg -RUN mkdir -p /var/lib/eg && chmod -R 0770 /var/lib/eg +RUN mkdir -p /var/lib/eg && chmod -R 0666 /var/lib/eg # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details From c052579779acded08b1c75bae281ddd2fc05aa79 Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Wed, 28 May 2025 11:55:48 +0000 Subject: [PATCH 05/12] change permision Signed-off-by: Huabing (Robin) Zhao --- tools/docker/envoy-gateway/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index 5abb7c776e..bc835e971f 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile @@ -1,6 +1,6 @@ FROM busybox@sha256:37f7b378a29ceb4c551b1b5582e27747b855bbfaa73fa11914fe0df028dc581f AS source # Create the data directory for eg -RUN mkdir -p /var/lib/eg && chmod -R 0666 /var/lib/eg +RUN mkdir -p /var/lib/eg && chmod -R 0777 /var/lib/eg # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details From 903e1ee7c606079bb77bfcac38e181d045f6a771 Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Thu, 29 May 2025 01:49:59 +0000 Subject: [PATCH 06/12] address comment Signed-off-by: Huabing (Robin) Zhao --- ...stom-container-security-contex-userid.yaml | 44 +++++++++++++++++ ...ute_with_custom_security_context_userid.go | 49 +++++++++++++++++++ tools/docker/envoy-gateway/Dockerfile | 2 +- 3 files changed, 94 insertions(+), 1 deletion(-) create mode 100644 test/e2e/testdata/custom-container-security-contex-userid.yaml create mode 100644 test/e2e/tests/httproute_with_custom_security_context_userid.go 
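Review bot: The series settles back on `0777` after 0660, 0770 and 0666 without saying why the narrower modes failed, so the `RUN` line should carry that rationale, e.g. `# 0777: the directory is root-owned in the image and must be writable by whatever UID the pod runs as`. An alternative that keeps world-writable paths out of the image is to have the deployment mount an emptyDir at /var/lib/eg, which the kubelet creates owned by the pod's UID/fsGroup; whether the chart already mounts a volume there is not visible in this patch.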
diff --git a/test/e2e/testdata/custom-container-security-contex-userid.yaml b/test/e2e/testdata/custom-container-security-contex-userid.yaml new file mode 100644 index 0000000000..573371ab9c --- /dev/null +++ b/test/e2e/testdata/custom-container-security-contex-userid.yaml @@ -0,0 +1,44 @@ +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyProxy +metadata: + name: custom-container-security-contex-userid-envoyproxy + namespace: gateway-conformance-infra +spec: + provider: + type: Kubernetes + kubernetes: + envoyDeployment: + container: + securityContext: + runAsUser: 65534 + runAsGroup: 65534 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: custom-container-security-contex-userid-gateway + namespace: gateway-conformance-infra +spec: + gatewayClassName: "{GATEWAY_CLASS_NAME}" + listeners: + - name: http + port: 80 + protocol: HTTP + infrastructure: + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: custom-container-security-contex-userid-envoyproxy +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: custom-container-security-contex-userid-route + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: custom-container-security-contex-userid-gateway + rules: + - backendRefs: + - name: infra-backend-v1 + port: 8080 diff --git a/test/e2e/tests/httproute_with_custom_security_context_userid.go b/test/e2e/tests/httproute_with_custom_security_context_userid.go new file mode 100644 index 0000000000..c2213e522d --- /dev/null +++ b/test/e2e/tests/httproute_with_custom_security_context_userid.go 
@@ -0,0 +1,49 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build e2e + +package tests + +import ( + "testing" + + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/suite" +) + +func init() { + ConformanceTests = append(ConformanceTests, EnvoyGatewayCustomSecurityContextUseridTest) +} + +var EnvoyGatewayCustomSecurityContextUseridTest = suite.ConformanceTest{ + ShortName: "EnvoyGatewayCustomSecurityContextUserid", + Description: "Envoy proxy container with custom security context user id", + Manifests: []string{ + "testdata/custom-container-security-contex-userid.yaml", + }, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + t.Run("route with custom security context user id", func(t *testing.T) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "custom-container-security-contex-userid-route", Namespace: ns} + gwNN := types.NamespacedName{Name: "custom-container-security-contex-userid-gateway", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Path: "/", + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) + }) + }, +} diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index bc835e971f..88d59f486d 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile 
@@ -6,7 +6,7 @@ RUN mkdir -p /var/lib/eg && chmod -R 0777 /var/lib/eg # Refer to https://github.com/GoogleContainerTools/distroless for more details FROM gcr.io/distroless/base-nossl:nonroot@sha256:ecbab76d6a504ddf7c58a9d786e70f1f1731fa546b1ac0b20dab35c6fc2f3138 ARG TARGETPLATFORM -COPY --chown=65532:65532 $TARGETPLATFORM/envoy-gateway /usr/local/bin/ +COPY $TARGETPLATFORM/envoy-gateway /usr/local/bin/ COPY --from=source /var/lib /var/lib USER 65532:65532 From d0cab2b11f6404adb8558fc8046715360d94c7ae Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Thu, 29 May 2025 02:49:10 +0000 Subject: [PATCH 07/12] fix lint Signed-off-by: Huabing (Robin) Zhao --- .../testdata/custom-container-security-contex-userid.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/e2e/testdata/custom-container-security-contex-userid.yaml b/test/e2e/testdata/custom-container-security-contex-userid.yaml index 573371ab9c..8f13925873 100644 --- a/test/e2e/testdata/custom-container-security-contex-userid.yaml +++ b/test/e2e/testdata/custom-container-security-contex-userid.yaml @@ -37,8 +37,8 @@ metadata: namespace: gateway-conformance-infra spec: parentRefs: - - name: custom-container-security-contex-userid-gateway + - name: custom-container-security-contex-userid-gateway rules: - - backendRefs: - - name: infra-backend-v1 - port: 8080 + - backendRefs: + - name: infra-backend-v1 + port: 8080 From a2279537ae6940ac6f13a2983b68ff24c0b40dff Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Fri, 30 May 2025 02:31:48 +0000 Subject: [PATCH 08/12] address comment Signed-off-by: Huabing (Robin) Zhao --- ...stom-container-security-contex-userid.yaml | 22 +---------- ...ute_with_custom_security_context_userid.go | 39 +++++++++++++++++++ 2 files changed, 41 insertions(+), 20 deletions(-) 
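Review bot: Removing `--chown=65532:65532` leaves `/usr/local/bin/envoy-gateway` root-owned, which is the better default (the runtime user can no longer modify its own binary) but means its execute bits now come only from the build artifact's mode; if the build ever emits the file without group/other execute, the container fails under every non-root UID. If the image is built with BuildKit, pin it with `COPY --chmod=0555 $TARGETPLATFORM/envoy-gateway /usr/local/bin/`; otherwise at least add `# intentionally root-owned and read-only for the runtime user` above the line so the missing chown is not "fixed" back later.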
diff --git a/test/e2e/testdata/custom-container-security-contex-userid.yaml b/test/e2e/testdata/custom-container-security-contex-userid.yaml index 8f13925873..13e205c86b 100644 --- a/test/e2e/testdata/custom-container-security-contex-userid.yaml +++ b/test/e2e/testdata/custom-container-security-contex-userid.yaml @@ -1,18 +1,5 @@ -apiVersion: gateway.envoyproxy.io/v1alpha1 -kind: EnvoyProxy -metadata: - name: custom-container-security-contex-userid-envoyproxy - namespace: gateway-conformance-infra -spec: - provider: - type: Kubernetes - kubernetes: - envoyDeployment: - container: - securityContext: - runAsUser: 65534 - runAsGroup: 65534 ---- +# This test is to verify that the basic http route works with EG having custom security context user id +# The custom security context user id is set to 65534 in the test go code apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: @@ -24,11 +11,6 @@ spec: - name: http port: 80 protocol: HTTP - infrastructure: - parametersRef: - group: gateway.envoyproxy.io - kind: EnvoyProxy - name: custom-container-security-contex-userid-envoyproxy --- apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute diff --git a/test/e2e/tests/httproute_with_custom_security_context_userid.go b/test/e2e/tests/httproute_with_custom_security_context_userid.go index c2213e522d..390a1a4f9e 100644 --- a/test/e2e/tests/httproute_with_custom_security_context_userid.go +++ b/test/e2e/tests/httproute_with_custom_security_context_userid.go @@ -8,9 +8,14 @@ package tests import ( + "context" "testing" + "github.com/stretchr/testify/require" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" + "k8s.io/utils/ptr" "sigs.k8s.io/gateway-api/conformance/utils/http" "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" "sigs.k8s.io/gateway-api/conformance/utils/suite" 
@@ -28,6 +33,40 @@ var EnvoyGatewayCustomSecurityContextUseridTest = suite.ConformanceTest{ }, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { t.Run("route with custom security context user id", func(t *testing.T) { + // update envoy-gateway deployment with custom security context user id + egDeployment := &appsv1.Deployment{} + err := suite.Client.Get( + context.Background(), + types.NamespacedName{Name: "envoy-gateway", Namespace: "envoy-gateway-system"}, + egDeployment) + require.NoError(t, err) + egDeployment.Spec.Template.Spec.SecurityContext.RunAsUser = ptr.To(int64(65534)) + egDeployment.Spec.Template.Spec.SecurityContext.RunAsGroup = ptr.To(int64(65534)) + err = suite.Client.Update(context.Background(), egDeployment) + require.NoError(t, err) + // test that envoy-gateway pod is running with custom security context user id + WaitForPods(t, suite.Client, "envoy-gateway-system", map[string]string{"control-plane": "envoy-gateway"}, corev1.PodRunning, PodReady) + + // test that envoy-gateway deployment is updated with custom security context user id + egDeployment = &appsv1.Deployment{} + err = suite.Client.Get( + context.Background(), + types.NamespacedName{Name: "envoy-gateway", Namespace: "envoy-gateway-system"}, + egDeployment) + require.NoError(t, err) + require.Equal(t, int64(65534), *egDeployment.Spec.Template.Spec.SecurityContext.RunAsUser, "envoy-gateway deployment is not updated with custom security context user id") + require.Equal(t, int64(65534), *egDeployment.Spec.Template.Spec.SecurityContext.RunAsGroup, "envoy-gateway deployment is not updated with custom security context group id") + + // reset envoy-gateway deployment to default security context user id + t.Cleanup(func() { + egDeployment.Spec.Template.Spec.SecurityContext.RunAsUser = ptr.To(int64(65532)) + egDeployment.Spec.Template.Spec.SecurityContext.RunAsGroup = ptr.To(int64(65532)) + err = suite.Client.Update(context.Background(), egDeployment) + require.NoError(t, err) + 
WaitForPods(t, suite.Client, "envoy-gateway-system", map[string]string{"control-plane": "envoy-gateway"}, corev1.PodRunning, PodReady) + }) + + // test a simple http route ns := "gateway-conformance-infra" routeNN := types.NamespacedName{Name: "custom-container-security-contex-userid-route", Namespace: ns} gwNN := types.NamespacedName{Name: "custom-container-security-contex-userid-gateway", Namespace: ns} From 606940bc4a98ae4a604a1f618d37fb51f8b8163d Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Wed, 4 Jun 2025 04:06:57 +0000 Subject: [PATCH 09/12] fix the test Signed-off-by: Huabing (Robin) Zhao --- ...stom-container-security-contex-userid.yaml | 16 +---- ...ute_with_custom_security_context_userid.go | 72 +++++++++---------- 2 files changed, 38 insertions(+), 50 deletions(-) diff --git a/test/e2e/testdata/custom-container-security-contex-userid.yaml b/test/e2e/testdata/custom-container-security-contex-userid.yaml index 13e205c86b..3272a4eb74 100644 --- a/test/e2e/testdata/custom-container-security-contex-userid.yaml +++ b/test/e2e/testdata/custom-container-security-contex-userid.yaml @@ -1,25 +1,13 @@ # This test is to verify that the basic http route works with EG having custom security context user id # The custom security context user id is set to 65534 in the test go code apiVersion: gateway.networking.k8s.io/v1 -kind: Gateway -metadata: - name: custom-container-security-contex-userid-gateway - namespace: gateway-conformance-infra -spec: - gatewayClassName: "{GATEWAY_CLASS_NAME}" - listeners: - - name: http - port: 80 - protocol: HTTP ---- -apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: - name: custom-container-security-contex-userid-route + name: custom-eg-security-context-userid namespace: gateway-conformance-infra spec: parentRefs: - - name: custom-container-security-contex-userid-gateway + - name: same-namespace rules: - backendRefs: - name: infra-backend-v1 
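Review bot: `t.Cleanup` is registered only after the `require.NoError`/`require.Equal` calls, so any failure before that point leaves the control plane running as 65534 for every later test in the suite; register the cleanup immediately after the first `suite.Client.Update` succeeds. The cleanup also hard-codes 65532 and updates the `egDeployment` object fetched earlier, whose resourceVersion may be stale by then; capture the original `RunAsUser`/`RunAsGroup` before mutating and re-`Get` the Deployment inside the cleanup before calling `Update`. `Spec.Template.Spec.SecurityContext` is dereferenced without a nil check. The enclosing `t.Run` body continues past the end of the hunk.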
diff --git a/test/e2e/tests/httproute_with_custom_security_context_userid.go b/test/e2e/tests/httproute_with_custom_security_context_userid.go
index 390a1a4f9e..fc41274c08 100644
--- a/test/e2e/tests/httproute_with_custom_security_context_userid.go
+++ b/test/e2e/tests/httproute_with_custom_security_context_userid.go
@@ -27,49 +27,19 @@ func init() { var EnvoyGatewayCustomSecurityContextUseridTest = suite.ConformanceTest{ ShortName: "EnvoyGatewayCustomSecurityContextUserid", - Description: "Envoy proxy container with custom security context user id", + Description: "Envoy Gateway container with custom security context user id", Manifests: []string{ "testdata/custom-container-security-contex-userid.yaml", }, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { t.Run("route with custom security context user id", func(t *testing.T) { - // update envoy-gateway deployment with custom security context user id - egDeployment := &appsv1.Deployment{} - err := suite.Client.Get( - context.Background(), - types.NamespacedName{Name: "envoy-gateway", Namespace: "envoy-gateway-system"}, - egDeployment) - require.NoError(t, err) - egDeployment.Spec.Template.Spec.SecurityContext.RunAsUser = ptr.To(int64(65534)) - egDeployment.Spec.Template.Spec.SecurityContext.RunAsGroup = ptr.To(int64(65534)) - err = suite.Client.Update(context.Background(), egDeployment) - require.NoError(t, err) - // test that envoy-gateway pod is running with custom security context user id - WaitForPods(t, suite.Client, "envoy-gateway-system", map[string]string{"control-plane": "envoy-gateway"}, corev1.PodRunning, PodReady) + // set envoy-gateway deployment security context user id to 65534 to test custom user has the necessary permissions + // to run the envoy-gateway container + setEGSecurityContextUserID(t, suite, 65534) - // test that envoy-gateway deployment is updated with custom security context user id - egDeployment = &appsv1.Deployment{} - err = suite.Client.Get( - context.Background(), - types.NamespacedName{Name: "envoy-gateway", Namespace: "envoy-gateway-system"}, - egDeployment) - require.NoError(t, err) - require.Equal(t, int64(65534), *egDeployment.Spec.Template.Spec.SecurityContext.RunAsUser, "envoy-gateway deployment is not updated with custom security context user id") - require.Equal(t, 
int64(65534), *egDeployment.Spec.Template.Spec.SecurityContext.RunAsGroup, "envoy-gateway deployment is not updated with custom security context group id") - - // reset envoy-gateway deployment to default security context user id - t.Cleanup(func() { - egDeployment.Spec.Template.Spec.SecurityContext.RunAsUser = ptr.To(int64(65532)) - egDeployment.Spec.Template.Spec.SecurityContext.RunAsGroup = ptr.To(int64(65532)) - err = suite.Client.Update(context.Background(), egDeployment) - require.NoError(t, err) - WaitForPods(t, suite.Client, "envoy-gateway-system", map[string]string{"control-plane": "envoy-gateway"}, corev1.PodRunning, PodReady) - }) - - // test a simple http route ns := "gateway-conformance-infra" - routeNN := types.NamespacedName{Name: "custom-container-security-contex-userid-route", Namespace: ns} - gwNN := types.NamespacedName{Name: "custom-container-security-contex-userid-gateway", Namespace: ns} + routeNN := types.NamespacedName{Name: "custom-eg-security-context-userid", Namespace: ns} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) expectedResponse := http.ExpectedResponse{ 
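Review bot: The comment says the test checks that a custom user "has the necessary permissions to run the envoy-gateway container", but what the test observes is only that the pod becomes Ready and a plain HTTP route works; the write path into the wasm cache directory that the Dockerfile change is about is not exercised unless a route loads a wasm module, which nothing in this file does. Either narrow the comment to what is verified, e.g. `// verifies the control plane starts and reconciles a route when run as a non-default UID`, or add a wasm-backed route to the manifest. The `t.Run` body continues past the end of the hunk.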
@@ -83,6 +53,36 @@ var EnvoyGatewayCustomSecurityContextUseridTest = suite.ConformanceTest{ } http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) + + // we don't set the envoy-gateway deployment security context user id back to default because this will + // cause the envoy proxies failed to be deleted after the Gateway resources in the base are deleted. + // This is acceptable because this won't affect the later tests in the same suite. }) }, } + +func setEGSecurityContextUserID(t *testing.T, suite *suite.ConformanceTestSuite, uid int64) { + // update envoy-gateway deployment with custom security context user id + egDeployment := &appsv1.Deployment{} + err := suite.Client.Get( + context.Background(), + types.NamespacedName{Name: "envoy-gateway", Namespace: "envoy-gateway-system"}, + egDeployment) + require.NoError(t, err) + egDeployment.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser = ptr.To(uid) + egDeployment.Spec.Template.Spec.Containers[0].SecurityContext.RunAsGroup = ptr.To(uid) + err = suite.Client.Update(context.Background(), egDeployment) + require.NoError(t, err) + // test that envoy-gateway pod is running with custom security context user id + WaitForPods(t, suite.Client, "envoy-gateway-system", map[string]string{"control-plane": "envoy-gateway"}, corev1.PodRunning, PodReady) + + // test that envoy-gateway deployment is updated with custom security context user id + egDeployment = &appsv1.Deployment{} + err = suite.Client.Get( + context.Background(), + types.NamespacedName{Name: "envoy-gateway", Namespace: "envoy-gateway-system"}, + egDeployment) + require.NoError(t, err) + require.Equal(t, uid, *egDeployment.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser, "envoy-gateway deployment is not updated with custom security context user id") + require.Equal(t, uid, *egDeployment.Spec.Template.Spec.Containers[0].SecurityContext.RunAsGroup, "envoy-gateway deployment is 
not updated with custom security context group id") +} From bc443ec89b51b571bae99c6f89478c38849e0acd Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Wed, 4 Jun 2025 10:17:59 +0000 Subject: [PATCH 10/12] fix test Signed-off-by: Huabing (Robin) Zhao --- ...ute_with_custom_security_context_userid.go | 23 ++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/test/e2e/tests/httproute_with_custom_security_context_userid.go b/test/e2e/tests/httproute_with_custom_security_context_userid.go index fc41274c08..2cd9c06eec 100644 --- a/test/e2e/tests/httproute_with_custom_security_context_userid.go +++ b/test/e2e/tests/httproute_with_custom_security_context_userid.go @@ -16,6 +16,7 @@ import ( corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/utils/ptr" + "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/gateway-api/conformance/utils/http" "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" "sigs.k8s.io/gateway-api/conformance/utils/suite" 
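Review bot: `setEGSecurityContextUserID` dereferences `Containers[0].SecurityContext` without a nil check and issues a bare `Update` on an object fetched moments earlier, so a nil container-level securityContext panics the test and any concurrent write to the Deployment (the deployment controller bumps resourceVersion on status updates) fails with a conflict; wrap the get-mutate-update in `retry.RetryOnConflict` (from `k8s.io/client-go/util/retry`, which would need importing) and initialise the securityContext when absent. `Containers[0]` also assumes the envoy-gateway container is first; selecting it by name would be safer, though the container name is not visible here. The read-back assertions after `WaitForPods` are unchanged below.
```go
func setEGSecurityContextUserID(t *testing.T, suite *suite.ConformanceTestSuite, uid int64) {
	nn := types.NamespacedName{Name: "envoy-gateway", Namespace: "envoy-gateway-system"}
	err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
		egDeployment := &appsv1.Deployment{}
		if err := suite.Client.Get(context.Background(), nn, egDeployment); err != nil {
			return err
		}
		c := &egDeployment.Spec.Template.Spec.Containers[0]
		if c.SecurityContext == nil {
			c.SecurityContext = &corev1.SecurityContext{}
		}
		c.SecurityContext.RunAsUser = ptr.To(uid)
		c.SecurityContext.RunAsGroup = ptr.To(uid)
		return suite.Client.Update(context.Background(), egDeployment)
	})
	require.NoError(t, err)
	// … unchanged: WaitForPods and the read-back assertions …
}
```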
@@ -54,9 +55,25 @@ var EnvoyGatewayCustomSecurityContextUseridTest = suite.ConformanceTest{ http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) - // we don't set the envoy-gateway deployment security context user id back to default because this will - // cause the envoy proxies failed to be deleted after the Gateway resources in the base are deleted. - // This is acceptable because this won't affect the later tests in the same suite. + // reset envoy-gateway deployment security context user id to the default value 65532 + setEGSecurityContextUserID(t, suite, 65532) + // We have to manually delete the envoy proxy deployment to ensure that the test suite can clean up properly. + // This is because the rollout restart of the envoy-gateway deployment may cause Envoy Gateway fail to delete + // the envoy proxy deployments after the Gateway resources are deleted in ControllerNamspace mod, which can + // lead to failure of the upgrade test. + if suite.Cleanup { + proxies := appsv1.DeploymentList{} + err := suite.Client.List( + context.Background(), + &proxies, + client.InNamespace("envoy-gateway-system"), + client.MatchingLabels{"app.kubernetes.io/component": "proxy", "app.kubernetes.io/managed-by": "envoy-gateway"}) + require.NoError(t, err, "failed to list envoy proxy deployments") + for _, proxy := range proxies.Items { + err = suite.Client.Delete(context.Background(), &proxy) + require.NoError(t, err, "failed to delete envoy proxy deployment %s", proxy.Name) + } + } }) }, } From 73cd33cf6943506ae4e8342824fb686d603d9942 Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Wed, 4 Jun 2025 15:36:02 +0000 Subject: [PATCH 11/12] disable dump Signed-off-by: Huabing (Robin) Zhao --- test/e2e/hook.go | 3 --- 1 file changed, 3 deletions(-) diff --git a/test/e2e/hook.go b/test/e2e/hook.go index db3d644452..5d522fa183 100644 --- a/test/e2e/hook.go +++ b/test/e2e/hook.go 
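Review bot: The reset to 65532 runs inline after `MakeRequestAndExpectEventuallyConsistentResponse`, so if that check fails the test exits with the control plane still running as 65534 and the proxy deployments left in place for the rest of the suite; move the reset and the proxy deletion into a `t.Cleanup` registered right after the first `setEGSecurityContextUserID` call. The deletion also targets every deployment labelled `app.kubernetes.io/component=proxy` in envoy-gateway-system rather than only what this test created, which is safe only while tests run serially and should be stated in the comment, which also misspells `ControllerNamspace`.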
@@ -10,13 +10,10 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "sigs.k8s.io/gateway-api/conformance/utils/tlog" - - "github.com/envoyproxy/gateway/test/e2e/tests" ) var Hook = func(t *testing.T, test suite.ConformanceTest, suite *suite.ConformanceTestSuite) { if t.Failed() { tlog.Logf(t, "Test %s failed, collecting and dumping resources", test.ShortName) - tests.CollectAndDump(t, suite.RestConfig) } } From 8df558d0926c0cc4e5155f262986fa1e7182d92c Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Thu, 5 Jun 2025 00:38:25 +0000 Subject: [PATCH 12/12] Revert "disable dump" This reverts commit 73cd33cf6943506ae4e8342824fb686d603d9942. --- test/e2e/hook.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/e2e/hook.go b/test/e2e/hook.go index 5d522fa183..db3d644452 100644 --- a/test/e2e/hook.go +++ b/test/e2e/hook.go @@ -10,10 +10,13 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "sigs.k8s.io/gateway-api/conformance/utils/tlog" + + "github.com/envoyproxy/gateway/test/e2e/tests" ) var Hook = func(t *testing.T, test suite.ConformanceTest, suite *suite.ConformanceTestSuite) { if t.Failed() { tlog.Logf(t, "Test %s failed, collecting and dumping resources", test.ShortName) + tests.CollectAndDump(t, suite.RestConfig) } }