Switch logic on path type validation and setting it to false (#9543)

* update path type validation to be false and update e2e test scripts

Signed-off-by: James Strong <strong.james.e@gmail.com>

* update to make tests clear

Signed-off-by: James Strong <strong.james.e@gmail.com>

* update test params

Signed-off-by: James Strong <strong.james.e@gmail.com>

* Adding else per pr comments

Signed-off-by: James Strong <james.strong@chainguard.dev>

---------

Signed-off-by: James Strong <strong.james.e@gmail.com>
Signed-off-by: James Strong <james.strong@chainguard.dev>

test/e2e/admission/admission.go

@@ -160,9 +160,22 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
 		assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid annotation value should return an error")
 	})
 
-	ginkgo.It("should reject ingress with bad characters and pathType != ImplementationSpecific", func() {
+	ginkgo.It("ADMISSION should not validate characters on ingress when validation of pathType is disabled", func() {
 		host := "admission-test"
 
+		f.UpdateNginxConfigMapData("enable-pathtype-validation", "false")
+
+		firstIngress := framework.NewSingleIngress("first-ingress", "/xpto*", host, f.Namespace, framework.EchoService, 80, nil)
+		firstIngress.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathPrefix
+		_, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{})
+		assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress with regex chars on path and pathType validation disabled should be accepted")
+	})
+
+	ginkgo.It("ADMISSION should reject ingress with bad characters and pathType != ImplementationSpecific", func() {
+		host := "admission-test"
+
+		f.UpdateNginxConfigMapData("enable-pathtype-validation", "true")
+
 		firstIngress := framework.NewSingleIngress("first-ingress", "/xpto*", host, f.Namespace, framework.EchoService, 80, nil)
 		firstIngress.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathPrefix
 		_, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{})
@@ -175,18 +188,7 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
 
 	})
 
-	ginkgo.It("should not validate characters on ingress when validation of pathType is disabled", func() {
-		host := "admission-test"
-
-		f.UpdateNginxConfigMapData("disable-pathtype-validation", "true")
-
-		firstIngress := framework.NewSingleIngress("first-ingress", "/xpto*", host, f.Namespace, framework.EchoService, 80, nil)
-		firstIngress.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathPrefix
-		_, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{})
-		assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress with regex chars on path and pathType validation disabled should be accepted")
-	})
-
-	ginkgo.It("should return an error if there is a forbidden value in some annotation", func() {
+	ginkgo.It("ADMISSION should return an error if there is a forbidden value in some annotation", func() {
 		host := "admission-test"
 
 		annotations := map[string]string{

test/e2e/run-e2e-suite.sh

@@ -0,0 +1,127 @@
+#!/bin/bash
+
+# Copyright 2018 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ -n "$DEBUG" ]; then
+	set -x
+else
+  trap cleanup EXIT
+fi
+
+function cleanup {
+  kubectl delete pod e2e 2>/dev/null || true
+}
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+RED='\e[35m'
+NC='\e[0m'
+BGREEN='\e[32m'
+
+declare -a mandatory
+mandatory=(
+  E2E_NODES
+)
+
+missing=false
+for var in "${mandatory[@]}"; do
+  if [[ -z "${!var:-}" ]]; then
+    echo -e "${RED}Environment variable $var must be set${NC}"
+    missing=true
+  fi
+done
+
+if [ "$missing" = true ]; then
+  exit 1
+fi
+
+E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS:-}
+FOCUS=${FOCUS:-.*}
+
+BASEDIR=$(dirname "$0")
+NGINX_BASE_IMAGE=$(cat $BASEDIR/../../NGINX_BASE)
+
+export E2E_CHECK_LEAKS
+export FOCUS
+
+echo -e "${BGREEN}Granting permissions to ingress-nginx e2e service account...${NC}"
+kubectl create serviceaccount ingress-nginx-e2e || true
+kubectl create clusterrolebinding permissive-binding \
+  --clusterrole=cluster-admin \
+  --user=admin \
+  --user=kubelet \
+  --serviceaccount=default:ingress-nginx-e2e || true
+
+
+VER=$(kubectl version  --client=false -o json |jq '.serverVersion.minor |tonumber')
+if [ $VER -lt 24 ]; then
+  echo -e "${BGREEN}Waiting service account...${NC}"; \
+  until kubectl get secret | grep -q -e ^ingress-nginx-e2e-token; do \
+    echo -e "waiting for api token"; \
+    sleep 3; \
+  done
+fi
+
+
+echo -e "Starting the e2e test pod"
+
+kubectl run --rm \
+  --attach \
+  --restart=Never \
+  --env="E2E_NODES=${E2E_NODES}" \
+  --env="FOCUS=${FOCUS}" \
+  --env="E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS}" \
+  --env="NGINX_BASE_IMAGE=${NGINX_BASE_IMAGE}" \
+  --overrides='{ "apiVersion": "v1", "spec":{"serviceAccountName": "ingress-nginx-e2e"}}' \
+  e2e --image=nginx-ingress-controller:e2e
+
+# Get the junit-reports stored in the configMaps created during e2etests
+echo "Getting the report files out now.."
+reportsDir="test/junitreports"
+reportFileName="report-e2e-test-suite"
+[ ! -e ${reportsDir} ] && mkdir $reportsDir
+cd $reportsDir
+
+# TODO: Seeking Rikatz help here to extract in a loop. Tried things like below without success
+#for cmName in `k get cm -l junitreport=true -o json | jq  '.items[].binaryData | keys[]' | tr '\"' ' '`
+#do
+#
+#
+# kubectl get cm -l junitreport=true -o json | jq -r  '[.items[].binaryData | to_entries[] | {"key": .key, "value": .value  }] | from_entries'
+#
+
+# Below lines successfully extract the report but they are one line per report.
+# We only have 3 ginkgo reports so its ok for now
+# But still, ideally this should be a loop as talked about in comments a few lines above
+kubectl get cm $reportFileName.xml.gz -o "jsonpath={.binaryData['report-e2e-test-suite\.xml\.gz']}" > $reportFileName.xml.gz.base64
+kubectl get cm $reportFileName-serial.xml.gz -o "jsonpath={.binaryData['report-e2e-test-suite-serial\.xml\.gz']}" > $reportFileName-serial.xml.gz.base64
+
+cat $reportFileName.xml.gz.base64 | base64 -d > $reportFileName.xml.gz
+cat $reportFileName-serial.xml.gz.base64 | base64 -d > $reportFileName-serial.xml.gz
+
+gzip -d $reportFileName.xml.gz
+gzip -d $reportFileName-serial.xml.gz
+
+rm *.base64
+cd ../..
+
+# TODO Temporary: if condition to check if the memleak cm exists and only then try the extract for the memleak report
+#
+#kubectl get cm $reportFileName-serial  -o "jsonpath={.data['report-e2e-test-suite-memleak\.xml\.gz']}" > $reportFileName-memleak.base64
+#cat $reportFileName-memleak.base64 | base64 -d > $reportFileName-memleak.xml.gz
+#gzip -d $reportFileName-memleak.xml.gz
+echo "done getting the reports files out.."

test/e2e/run-kind-e2e.sh

@@ -14,13 +14,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-KIND_LOG_LEVEL="1"
-
-if ! [ -z $DEBUG ]; then
-  set -x
-  KIND_LOG_LEVEL="6"
-fi
-
 set -o errexit
 set -o nounset
 set -o pipefail
@@ -31,45 +24,56 @@ cleanup() {
   fi
 
   kind delete cluster \
-    --verbosity=${KIND_LOG_LEVEL} \
-    --name ${KIND_CLUSTER_NAME}
+    --verbosity="${KIND_LOG_LEVEL}" \
+    --name "${KIND_CLUSTER_NAME}"
 }
 
-trap cleanup EXIT
+DEBUG=${DEBUG:=false}
 
+if [ "${DEBUG}" = "true" ]; then
+  set -x
+  KIND_LOG_LEVEL="6"
+else
+  trap cleanup EXIT
+fi
+
+KIND_LOG_LEVEL="1"
+IS_CHROOT="${IS_CHROOT:-false}"
 export KIND_CLUSTER_NAME=${KIND_CLUSTER_NAME:-ingress-nginx-dev}
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+# Use 1.0.0-dev to make sure we use the latest configuration in the helm template
+export TAG=1.0.0-dev
+export ARCH=${ARCH:-amd64}
+export REGISTRY=ingress-controller
+NGINX_BASE_IMAGE=$(cat "$DIR"/../../NGINX_BASE)
+export NGINX_BASE_IMAGE=$NGINX_BASE_IMAGE
+export DOCKER_CLI_EXPERIMENTAL=enabled
+export KUBECONFIG="${KUBECONFIG:-$HOME/.kube/kind-config-$KIND_CLUSTER_NAME}"
+SKIP_INGRESS_IMAGE_CREATION="${SKIP_INGRESS_IMAGE_CREATION:-false}"
+SKIP_E2E_IMAGE_CREATION="${SKIP_E2E_IMAGE_CREATION:=false}"
+SKIP_CLUSTER_CREATION="${SKIP_CLUSTER_CREATION:-false}"
 
 if ! command -v kind --version &> /dev/null; then
   echo "kind is not installed. Use the package manager or visit the official site https://kind.sigs.k8s.io/"
   exit 1
 fi
 
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-# Use 1.0.0-dev to make sure we use the latest configuration in the helm template
-export TAG=1.0.0-dev
-export ARCH=${ARCH:-amd64}
-export REGISTRY=ingress-controller
-
-NGINX_BASE_IMAGE=$(cat $DIR/../../NGINX_BASE)
-
 echo "Running e2e with nginx base image ${NGINX_BASE_IMAGE}"
 
-export NGINX_BASE_IMAGE=$NGINX_BASE_IMAGE
-
-export DOCKER_CLI_EXPERIMENTAL=enabled
-
-export KUBECONFIG="${KUBECONFIG:-$HOME/.kube/kind-config-$KIND_CLUSTER_NAME}"
-
-if [ "${SKIP_CLUSTER_CREATION:-false}" = "false" ]; then
+if [ "${SKIP_CLUSTER_CREATION}" = "false" ]; then
   echo "[dev-env] creating Kubernetes cluster with kind"
 
   export K8S_VERSION=${K8S_VERSION:-v1.25.2@sha256:9be91e9e9cdf116809841fc77ebdb8845443c4c72fe5218f3ae9eb57fdb4bace}
 
+  # delete the cluster if it exists
+  if kind get clusters | grep "${KIND_CLUSTER_NAME}"; then
+    kind delete cluster --name "${KIND_CLUSTER_NAME}"
+  fi
+
   kind create cluster \
-    --verbosity=${KIND_LOG_LEVEL} \
-    --name ${KIND_CLUSTER_NAME} \
-    --config ${DIR}/kind.yaml \
+    --verbosity="${KIND_LOG_LEVEL}" \
+    --name "${KIND_CLUSTER_NAME}" \
+    --config "${DIR}"/kind.yaml \
     --retain \
     --image "kindest/node:${K8S_VERSION}"
 
@@ -77,16 +81,26 @@ if [ "${SKIP_CLUSTER_CREATION:-false}" = "false" ]; then
   kubectl get nodes -o wide
 fi
 
-if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then
+if [ "${SKIP_INGRESS_IMAGE_CREATION}" = "false" ]; then
+  echo "[dev-env] building image"
+  if [ "${IS_CHROOT}" = "true" ]; then
+    make -C "${DIR}"/../../ clean-image build image-chroot
+    docker tag ${REGISTRY}/controller-chroot:${TAG} ${REGISTRY}/controller:${TAG}
+  else
+    make -C "${DIR}"/../../ clean-image build image
+  fi
+
+  echo "[dev-env] .. done building controller images"
+fi
+
+if [ "${SKIP_E2E_IMAGE_CREATION}" = "false" ]; then
   if ! command -v ginkgo &> /dev/null; then
     go get github.com/onsi/ginkgo/v2/ginkgo@v2.6.1
   fi
 
-  echo "[dev-env] building image"
-  make -C ${DIR}/../../ clean-image build image image-chroot
   echo "[dev-env] .. done building controller images"
   echo "[dev-env] now building e2e-image.."
-  make -C ${DIR}/../e2e-image image
+  make -C "${DIR}"/../e2e-image image
   echo "[dev-env] ..done building e2e-image"
 fi
 
@@ -95,13 +109,7 @@ KIND_WORKERS=$(kind get nodes --name="${KIND_CLUSTER_NAME}" | grep worker | awk
 
 echo "[dev-env] copying docker images to cluster..."
 
-kind load docker-image --name="${KIND_CLUSTER_NAME}" --nodes=${KIND_WORKERS} nginx-ingress-controller:e2e
-
-if [ "${IS_CHROOT:-false}" = "true" ]; then
-   docker tag ${REGISTRY}/controller-chroot:${TAG} ${REGISTRY}/controller:${TAG}
-fi
-
-kind load docker-image --name="${KIND_CLUSTER_NAME}" --nodes=${KIND_WORKERS} ${REGISTRY}/controller:${TAG}
-
+kind load docker-image --name="${KIND_CLUSTER_NAME}" --nodes="${KIND_WORKERS}" nginx-ingress-controller:e2e
+kind load docker-image --name="${KIND_CLUSTER_NAME}" --nodes="${KIND_WORKERS}" "${REGISTRY}"/controller:"${TAG}"
 echo "[dev-env] running e2e tests..."
-make -C ${DIR}/../../ e2e-test
+make -C "${DIR}"/../../ e2e-test