feat: enable E2E testing for the envoy-gateway extension server and implement selective WAF policy injection based on configuration.

Author: JoseSzycho

Makefile

@@ -81,7 +81,8 @@ test-e2e: chainsaw
 	}
 	$(KIND) get kubeconfig --name nso-standard > $(TMPDIR)/.kind-nso-standard.yaml
 	$(KIND) get kubeconfig --name nso-infra > $(TMPDIR)/.kind-nso-infra.yaml
-	$(CHAINSAW) test ./test/e2e \
+	$(CHAINSAW) test $(or $(TEST_DIR),./test/e2e) \
+	    --parallel 1 \
 		--cluster nso-standard=$(TMPDIR)/.kind-nso-standard.yaml \
 		--cluster nso-infra=$(TMPDIR)/.kind-nso-infra.yaml
 
@@ -153,7 +154,7 @@ set-image-controller: manifests kustomize
 	cd config/manager && $(KUSTOMIZE) edit set image ghcr.io/datum-cloud/network-services-operator=${IMG}
 
 .PHONY: prepare-infra-cluster
-prepare-infra-cluster: cert-manager envoy-gateway external-dns downstream-crds
+prepare-infra-cluster: cert-manager envoy-gateway external-dns downstream-crds billing-usage-collector load-image-nso-infra extension-server configure-eg-extension-manager
 
 .PHONY: downstream-crds
 downstream-crds: ## Install NSO CRDs on the downstream (infra) cluster that the replicator mirrors into it.
@@ -168,12 +169,16 @@ prepare-e2e: chainsaw set-image-controller cert-manager load-image-all deploy-e2
 prepare-dev: chainsaw set-image-controller cert-manager install
 
 .PHONY: load-image-all
-load-image-all: load-image-operator
+load-image-all: load-image-operator load-image-nso-infra
 
 .PHONY: load-image-operator
 load-image-operator: docker-build kind
 	$(KIND) load docker-image $(IMG) -n nso-standard
 
+.PHONY: load-image-nso-infra
+load-image-nso-infra: docker-build kind ## Load operator image into nso-infra kind cluster (needed by the extension server).
+	$(KIND) load docker-image $(IMG) -n nso-infra
+
 .PHONY: cert-manager
 cert-manager: cmctl
 	$(KUSTOMIZE) build --enable-helm config/tools/cert-manager | kubectl apply --server-side=true --force-conflicts -f -
@@ -187,6 +192,24 @@ envoy-gateway:
 external-dns:
 	$(KUSTOMIZE) build --enable-helm config/tools/external-dns | kubectl apply --server-side=true --force-conflicts -f -
 
+.PHONY: billing-usage-collector
+billing-usage-collector:
+	$(KUSTOMIZE) build --enable-helm config/tools/billing-usage-collector | kubectl apply --server-side=true --force-conflicts -f -
+
+.PHONY: extension-server
+extension-server: ## Deploy the NSO extension server to the infra cluster (e2e overlay with cert-manager-issued TLS).
+	$(KUSTOMIZE) build --enable-helm config/extension-server-e2e | kubectl apply --server-side=true --force-conflicts -f -
+	kubectl rollout restart deployment/network-services-operator-envoy-gateway-extension-server \
+	    -n network-services-operator-system
+	kubectl rollout status deployment/network-services-operator-envoy-gateway-extension-server \
+	    -n network-services-operator-system --timeout=5m
+
+.PHONY: configure-eg-extension-manager
+configure-eg-extension-manager: ## Patch the EG ConfigMap to enable extensionManager and restart the EG controller.
+	$(KUSTOMIZE) build --enable-helm config/tools/envoy-gateway/overlays/e2e | kubectl apply --server-side=true --force-conflicts -f -
+	kubectl rollout restart deployment/envoy-gateway -n envoy-gateway-system
+	kubectl rollout status deployment/envoy-gateway -n envoy-gateway-system --timeout=3m
+
 .PHONY: kind-standard-cluster
 kind-standard-cluster: kind
 	$(KIND) create cluster --config=config/tools/kind/standard-cluster.yaml

config/extension-server-e2e/client-cert-patch.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: envoy-gateway-extension-server-eg-client-tls
+spec:
+  issuerRef:
+    # Switch from the production placeholder ClusterIssuer to the e2e CA Issuer.
+    # kustomize propagates the namePrefix so this resolves to
+    # network-services-operator-nso-es-ca-issuer at apply time.
+    name: nso-es-ca-issuer
+    kind: Issuer
+    group: cert-manager.io

config/extension-server-e2e/deployment-patch.yaml

@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: envoy-gateway-extension-server
+spec:
+  # Single-node kind clusters can't satisfy the base DoNotSchedule topology constraint.
+  replicas: 1
+  template:
+    spec:
+      # Remove the hostname spread constraint — only 1 node in kind.
+      topologySpreadConstraints: null
+      volumes:
+        # Replace cert-manager CSI driver mount with a regular Secret volume.
+        # cert-manager Certificate nso-es-tls populates this Secret.
+        - name: tls
+          csi: null
+          secret:
+            secretName: nso-extension-server-tls
+        # Replace ConfigMap CA bundle with the same Secret; the ca.crt key holds
+        # the issuing CA cert that the extension server uses to verify EG's client cert.
+        - name: tls-ca
+          configMap: null
+          secret:
+            secretName: nso-extension-server-tls
+            items:
+              - key: ca.crt
+                path: ca.crt
+        # Extension server operator config — disables Coraza WAF injection
+        # so standard (non-contrib) Envoy images work in e2e.
+        - name: server-config
+          configMap:
+            name: extension-server-config
+      containers:
+        - name: envoy-gateway-extension-server
+          env:
+            - name: SERVER_CONFIG
+              value: /server-config/config.yaml
+          volumeMounts:
+            - name: server-config
+              mountPath: /server-config
+              readOnly: true

config/extension-server-e2e/kustomization.yaml

@@ -0,0 +1,28 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: network-services-operator-system
+namePrefix: network-services-operator-
+
+resources:
+  - namespace.yaml
+  - ../extension-server
+  - tls.yaml
+  - server-config.yaml
+
+patches:
+  # Replace CSI + ConfigMap volumes with Secret-based mounts; reduce replicas to 1 for single-node kind.
+  - path: deployment-patch.yaml
+    target:
+      kind: Deployment
+      name: envoy-gateway-extension-server
+  # Remove the PDB minAvailable constraint — kind clusters have only 1 node so minAvailable:1 prevents eviction.
+  - path: pdb-patch.yaml
+    target:
+      kind: PodDisruptionBudget
+      name: envoy-gateway-extension-server-pdb
+  # Switch the EG client cert issuer from the placeholder to the e2e CA.
+  - path: client-cert-patch.yaml
+    target:
+      kind: Certificate
+      name: envoy-gateway-extension-server-eg-client-tls

config/extension-server-e2e/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: network-services-operator-system

config/extension-server-e2e/pdb-patch.yaml

@@ -0,0 +1,8 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: envoy-gateway-extension-server-pdb
+spec:
+  # replicas=1 in e2e; minAvailable:1 would block any eviction. Set to 0 so kind
+  # cluster teardown / upgrades don't stall.
+  minAvailable: 0

config/extension-server-e2e/server-config.yaml

@@ -0,0 +1,17 @@
+---
+# ConfigMap holding the extension server operator config for e2e.
+# Disables Coraza WAF injection — e2e uses the standard Envoy image which
+# does not have the golang filter compiled in, so injecting coraza-waf causes
+# Envoy to reject the listener configuration.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: extension-server-config
+  namespace: network-services-operator-system
+data:
+  config.yaml: |
+    apiVersion: apiserver.config.datumapis.com/v1alpha1
+    kind: NetworkServicesOperator
+    gateway:
+      coraza:
+        disabled: true

config/extension-server-e2e/tls.yaml

@@ -0,0 +1,59 @@
+---
+# Self-signed bootstrap issuer; creates the e2e CA cert below.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: nso-es-selfsigned
+spec:
+  selfSigned: {}
+---
+# CA cert. cert-manager places the CA cert+key in Secret nso-extension-server-ca
+# (in the same namespace). The CA Issuer below references that Secret.
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: nso-es-ca
+spec:
+  isCA: true
+  commonName: nso-extension-server-ca
+  secretName: nso-extension-server-ca
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: nso-es-selfsigned
+    kind: Issuer
+    group: cert-manager.io
+---
+# CA-backed issuer used by both the server cert and the EG client cert below.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: nso-es-ca-issuer
+spec:
+  ca:
+    secretName: nso-extension-server-ca
+---
+# Extension-server TLS cert. cert-manager writes it to Secret nso-extension-server-tls,
+# which includes ca.crt = the CA cert — EG reads this field from certificateRef to verify
+# the extension server's presented cert.
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: nso-es-tls
+spec:
+  secretName: nso-extension-server-tls
+  dnsNames:
+    - network-services-operator-envoy-gateway-extension-server.network-services-operator-system.svc
+    - network-services-operator-envoy-gateway-extension-server.network-services-operator-system.svc.cluster.local
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: nso-es-ca-issuer
+    kind: Issuer
+    group: cert-manager.io
+  usages:
+    - server auth
+    - digital signature
+    - key encipherment

config/tools/envoy-gateway/overlays/e2e/envoy-gateway-extension-manager-config.yaml

@@ -0,0 +1,83 @@
+---
+# Patches the Helm-managed envoy-gateway-config ConfigMap to enable the
+# extensionManager. Applied after the EG helm chart with --server-side
+# --force-conflicts so the extra field is owned by this apply, not helm.
+#
+# All other fields (extensionApis, runtimeFlags, provider image pins, etc.) are
+# reproduced verbatim from the v1.8.1 helm chart so the full ConfigMap value is
+# consistent — the data field is a single YAML string and cannot be merged at
+# field granularity by server-side apply.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: envoy-gateway-config
+  namespace: envoy-gateway-system
+data:
+  envoy-gateway.yaml: |
+    apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: EnvoyGateway
+    extensionApis:
+      enableBackend: true
+      enableEnvoyPatchPolicy: true
+    gateway:
+      controllerName: gateway.envoyproxy.io/gatewayclass-controller
+    logging:
+      level:
+        default: info
+    provider:
+      kubernetes:
+        rateLimitDeployment:
+          container:
+            image: docker.io/envoyproxy/ratelimit:ff287602
+          patch:
+            type: StrategicMerge
+            value:
+              spec:
+                template:
+                  spec:
+                    containers:
+                    - imagePullPolicy: IfNotPresent
+                      name: envoy-ratelimit
+        shutdownManager:
+          image: docker.io/envoyproxy/gateway:v1.8.1
+      type: Kubernetes
+    runtimeFlags:
+      enabled:
+      - XDSNameSchemeV2
+    extensionManager:
+      service:
+        fqdn:
+          hostname: network-services-operator-envoy-gateway-extension-server.network-services-operator-system.svc.cluster.local
+          port: 5005
+        tls:
+          # certificateRef points to the Secret created by the nso-es-tls Certificate.
+          # EG reads ca.crt from this Secret to verify the extension server's TLS cert.
+          certificateRef:
+            name: nso-extension-server-tls
+            namespace: network-services-operator-system
+          # EG presents this client cert when dialing the extension server.
+          clientCertificateRef:
+            name: envoy-gateway-extension-server-eg-client-tls
+            namespace: network-services-operator-system
+        retry:
+          maxAttempts: 4
+          initialBackoff: 100ms
+          maxBackoff: 1s
+          backoffMultiplier:
+            numerator: 200
+          retryableStatusCodes:
+            - UNAVAILABLE
+      hooks:
+        xdsTranslator:
+          post:
+            - Translation
+          translation:
+            listener:
+              includeAll: true
+            route:
+              includeAll: true
+            cluster:
+              includeAll: true
+            secret:
+              includeAll: true
+      failOpen: false

config/tools/envoy-gateway/overlays/e2e/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - envoy-gateway-extension-manager-config.yaml