test: add L4RoutePolicy e2e tests for TCPRoute

AlinsRan · Copilot · AlinsRan · commit cbea9a4ff14a · 2026-05-15T08:48:40.000+08:00
- Add L4RoutePolicyMustHaveCondition and PollUntilL4RoutePolicyHaveStatus
  framework helpers (mirroring HTTPRoutePolicy pattern)
- Add ApplyL4RoutePolicy scaffold helper
- Add e2e test 'L4RoutePolicy blocks traffic via ip-restriction plugin':
  1. Create TCPRoute, verify traffic works
  2. Apply L4RoutePolicy with ip-restriction blacklist 0.0.0.0/0
  3. Verify traffic is blocked
  4. Delete L4RoutePolicy, verify traffic recovers

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/test/e2e/framework/assertion.go b/test/e2e/framework/assertion.go
@@ -102,6 +102,38 @@ func PollUntilHTTPRoutePolicyHaveStatus(cli client.Client, timeout time.Duration
 	return genericPollResource(new(v1alpha1.HTTPRoutePolicy), cli, timeout, hrpNN, f)
 }
 
+func L4RoutePolicyMustHaveCondition(t testing.TestingT, client client.Client, timeout time.Duration, refNN, policyNN types.NamespacedName,
+	condition metav1.Condition) {
+	err := PollUntilL4RoutePolicyHaveStatus(client, timeout, policyNN, func(policy *v1alpha1.L4RoutePolicy) bool {
+		for _, ancestor := range policy.Status.Ancestors {
+			if err := kubernetes.ConditionsHaveLatestObservedGeneration(policy, ancestor.Conditions); err != nil {
+				log.Printf("L4RoutePolicy %s (ancestorRef=%v) %v", policyNN, parentRefToString(ancestor.AncestorRef), err)
+				return false
+			}
+
+			if ancestor.AncestorRef.Name == gatewayv1.ObjectName(refNN.Name) &&
+				(refNN.Namespace == "" || (ancestor.AncestorRef.Namespace != nil && string(*ancestor.AncestorRef.Namespace) == refNN.Namespace)) {
+				if findConditionInList(ancestor.Conditions, condition) {
+					log.Printf("found condition %v in list %v for %s reference %s", condition, ancestor.Conditions, policyNN, refNN)
+					return true
+				}
+				log.Printf("NOT FOUND condition %v in %v for %s reference %s", condition, ancestor.Conditions, policyNN, refNN)
+			}
+		}
+		return false
+	})
+
+	require.NoError(t, err, "error waiting for L4RoutePolicy %s status to have a Condition matching %+v", policyNN, condition)
+}
+
+func PollUntilL4RoutePolicyHaveStatus(cli client.Client, timeout time.Duration, policyNN types.NamespacedName,
+	f func(policy *v1alpha1.L4RoutePolicy) bool) error {
+	if err := v1alpha1.AddToScheme(cli.Scheme()); err != nil {
+		return err
+	}
+	return genericPollResource(new(v1alpha1.L4RoutePolicy), cli, timeout, policyNN, f)
+}
+
 func APIv2MustHaveCondition(t testing.TestingT, cli client.Client, timeout time.Duration, nn types.NamespacedName, obj client.Object, cond metav1.Condition) {
 	f := func(object client.Object) bool {
 		value := reflect.Indirect(reflect.ValueOf(object))
diff --git a/test/e2e/gatewayapi/tcproute.go b/test/e2e/gatewayapi/tcproute.go
@@ -23,6 +23,9 @@ import (
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
 
 	"github.com/apache/apisix-ingress-controller/test/e2e/scaffold"
 )
@@ -105,4 +108,95 @@ spec:
 			s.HTTPOverTCPConnectAssert(false, time.Minute*3)
 		})
 	})
+
+	Context("TCPRoute With L4RoutePolicy", func() {
+		var tcpGateway = `
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: %s
+spec:
+  gatewayClassName: %s
+  listeners:
+  - name: tcp
+    protocol: TCP
+    port: 80
+    allowedRoutes:
+      kinds:
+      - kind: TCPRoute
+  infrastructure:
+    parametersRef:
+      group: apisix.apache.org
+      kind: GatewayProxy
+      name: apisix-proxy-config
+`
+
+		var tcpRoute = `
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TCPRoute
+metadata:
+  name: tcp-l4policy
+spec:
+  parentRefs:
+  - name: %s
+    sectionName: tcp
+  rules:
+  - backendRefs:
+    - name: httpbin-service-e2e-test
+      port: 80
+`
+
+		// ip-restriction with blacklist covering all IPv4 addresses blocks all TCP connections.
+		var l4RoutePolicyBlockAll = `
+apiVersion: apisix.apache.org/v1alpha1
+kind: L4RoutePolicy
+metadata:
+  name: tcp-block-all
+spec:
+  targetRefs:
+  - group: gateway.networking.k8s.io
+    kind: TCPRoute
+    name: tcp-l4policy
+  plugins:
+  - name: ip-restriction
+    config:
+      blacklist:
+      - "0.0.0.0/0"
+`
+
+		BeforeEach(func() {
+			Expect(s.CreateResourceFromString(s.GetGatewayProxySpec())).NotTo(HaveOccurred(), "creating GatewayProxy")
+			Expect(s.CreateResourceFromString(s.GetGatewayClassYaml())).NotTo(HaveOccurred(), "creating GatewayClass")
+			Expect(s.CreateResourceFromString(fmt.Sprintf(tcpGateway, s.Namespace(), s.Namespace()))).
+				NotTo(HaveOccurred(), "creating Gateway")
+		})
+
+		It("L4RoutePolicy blocks traffic via ip-restriction plugin", func() {
+			By("creating TCPRoute")
+			s.ResourceApplied("TCPRoute", "tcp-l4policy", fmt.Sprintf(tcpRoute, s.Namespace()), 1)
+
+			By("verifying TCP traffic works before applying L4RoutePolicy")
+			s.HTTPOverTCPConnectAssert(true, time.Minute*3)
+
+			By("applying L4RoutePolicy with ip-restriction blacklist")
+			s.ApplyL4RoutePolicy(
+				types.NamespacedName{Name: s.Namespace()},
+				types.NamespacedName{Namespace: s.Namespace(), Name: "tcp-block-all"},
+				l4RoutePolicyBlockAll,
+				metav1.Condition{
+					Type:   string(gatewayv1alpha2.PolicyConditionAccepted),
+					Status: metav1.ConditionTrue,
+				},
+			)
+
+			By("verifying TCP traffic is blocked by the L4RoutePolicy")
+			s.HTTPOverTCPConnectAssert(false, time.Minute*3)
+
+			By("deleting L4RoutePolicy")
+			Expect(s.DeleteResource("L4RoutePolicy", "tcp-block-all")).NotTo(HaveOccurred(), "deleting L4RoutePolicy")
+
+			By("verifying TCP traffic recovers after L4RoutePolicy deletion")
+			s.HTTPOverTCPConnectAssert(true, time.Minute*3)
+		})
+	})
 })
diff --git a/test/e2e/scaffold/k8s.go b/test/e2e/scaffold/k8s.go
@@ -292,6 +292,22 @@ func (s *Scaffold) ApplyHTTPRoutePolicy(refNN, hrpNN types.NamespacedName, spec
 	}
 }
 
+func (s *Scaffold) ApplyL4RoutePolicy(refNN, policyNN types.NamespacedName, spec string, conditions ...metav1.Condition) {
+	err := s.CreateResourceFromString(spec)
+	Expect(err).NotTo(HaveOccurred(), "creating L4RoutePolicy %s", policyNN)
+	if len(conditions) == 0 {
+		conditions = []metav1.Condition{
+			{
+				Type:   string(v1alpha2.PolicyConditionAccepted),
+				Status: metav1.ConditionTrue,
+			},
+		}
+	}
+	for _, condition := range conditions {
+		framework.L4RoutePolicyMustHaveCondition(s.GinkgoT, s.K8sClient, 8*time.Second, refNN, policyNN, condition)
+	}
+}
+
 func (s *Scaffold) GetGatewayProxySpec() string {
 	var gatewayProxyYaml = `
 apiVersion: apisix.apache.org/v1alpha1
