e2e test

Signed-off-by: omar <omar.hammami@solo.io>

Author: puertomontt

test/e2e/emitters/kgateway/e2e_test.go

@@ -203,8 +203,17 @@ func TestIngress2GatewayE2E(t *testing.T) {
 				host = hr
 			}
 
-			// Curl via Gateway.
-			requireHTTP200Eventually(t, ctx, host, fmt.Sprintf("http://%s:80/", gwAddr), 1*time.Minute)
+			// Special handling for SSL redirect test case
+			if name == "ssl_redirect" {
+				// Test HTTP redirect (308) to HTTPS
+				requireHTTPRedirectEventually(t, ctx, host, fmt.Sprintf("http://%s:80/", gwAddr), 1*time.Minute)
+
+				// Test HTTPS connectivity (200) with insecure flag
+				requireHTTPS200Eventually(t, ctx, host, fmt.Sprintf("https://%s:443/", gwAddr), 1*time.Minute)
+			} else {
+				// Standard HTTP test for other cases
+				requireHTTP200Eventually(t, ctx, host, fmt.Sprintf("http://%s:80/", gwAddr), 1*time.Minute)
+			}
 		})
 	}
 }

test/e2e/emitters/kgateway/testdata/input/ssl_redirect.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ssl-redirect-tls
+  namespace: default
+type: kubernetes.io/tls
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVS1E2anF1NXk3d1hNLytWWGRheGI0cG1HN0Frd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RWhNQjhHQTFVRUF3d1ljM05zTFhKbFpHbHlaV04wTG14dlkyRnNaR1YyTG0xbE1CNFhEVEkxTVRJeApOakU0TXpjd09Gb1hEVEkyTVRJeE5qRTRNemN3T0Zvd0l6RWhNQjhHQTFVRUF3d1ljM05zTFhKbFpHbHlaV04wCkxteHZZMkZzWkdWMkxtMWxNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQW5TZ2MKeFFqSzBySFZYT3Y1TDgxeDFza0RycTI0K29IcXRhQ3JDbC8rZm5tajdIbzI1M3JZMCtjUkZPTWpZV1I4SFF2eApHMUR3NDEvSjRKNUNwbDlJbnl1WXBBS0ZLUk94MXhSLzkxamQ5WmFxQnhGeVAzWTRPSEZ2R0dlVncrWi93R3JECnhTSmJ2WXVHazhiWEYwU3YvRmdkdDAxZWdOYUNNUG04RytIQUJ2dEJYWVlwaFZHSnZBWmdjMkwrR1ZDSk50dVIKeWJjVjVJVUNHR2pOa2dlbU5vNjlNeHVSY1FMOGJ5WGxrbmZQaytTYU1WM2pUZE1UWmFyTHRVN1J5cGFRVHJjKwpYckNQMVZWOFlkQXNSNEhKRWFmUUVhMEV6NTZLK0hQT0pRVXovaUVMTmk4R29EaDFEcnFLWWFRRFptWFdKNzVsCmtFZEJWV1o3dEpoZ25xbnE1UUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVd3M2RFlzblNCTlhXeTFxNmErU1AKVGZzTitDOHdId1lEVlIwakJCZ3dGb0FVd3M2RFlzblNCTlhXeTFxNmErU1BUZnNOK0M4d0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFIY2g2VjFZZHp2a0pLak1JMG9hUXE4ZDFrZFBQCll0WkhKU0RsQlNQaDdEeUxST0hEcFh6L2hqaHNYSHR6bTJUU3ZBOUhzYU1hcjdKVGtkdTBsTUJqanlpaWxJbnUKanZzVGVRNnpVMUNVR3Q2L05FNFdQVm9EdHVld28zcFhoQjBhbEdJMTF1bnBWLzBuYjFLMmVrUDN5NDRuazZaZQp3ekZGemRzdnlNVXV4ckpmdGxyOEIxb1ZheTJRQjY4dWp3U21Wdzd1S3FjMklOWG1hSFdIMzVtK0pTZHJlc01oCnV2TDhVK2c0YmYrcjY2bmhqWjZOcjJEZVlqVElqOTBtOG1yb08yaWNTeDMwU1krQk0yOHNqN014YWNheFoxb0UKMGN1aEoyWkFqUHNMYTJBdFd5ZUprQmhwUEJhZHpPbTAvN01uUHdQcXFCbWRTL0dUWURGUHRtTE5NQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2QUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktZd2dnU2lBZ0VBQW9JQkFRQ2RLQnpGQ01yU3NkVmMKNi9rdnpYSFd5UU91cmJqNmdlcTFvS3NLWC81K2VhUHNlamJuZXRqVDV4RVU0eU5oWkh3ZEMvRWJVUERqWDhuZwpua0ttWDBpZks1aWtBb1VwRTdIWEZILzNXTjMxbHFvSEVYSS9kamc0Y1c4WVo1WEQ1bi9BYXNQRklsdTlpNGFUCnh0Y1hSSy84V0IyM1RWNkExb0l3K2J3YjRjQUcrMEZkaGltRlVZbThCbUJ6WXY0WlVJazIyNUhKdHhYa2hRSVkKYU0yU0I2WTJqcjB6RzVGeEF2eHZKZVdTZDgrVDVKb3hYZU5OMHhObHFzdTFUdEhLbHBCT3R6NWVzSS9WVlh4aAowQ3hIZ2NrUnA5QVJyUVRQbm9yNGM4NGxCVFArSVFzMkx3YWdPSFVPdW9waHBBTm1aZFludm1XUVIwRlZabnUwCm1HQ2VxZXJsQWdNQkFBRUNnZ0VBRWYxYmZicUo3U0JxT2g3UkFZWFUrQzgrZXFwc09GRFMyME92RUpyNGVPWFgKdStRcGtNbmhORENKSmdqeUxkM2d6enBrdVNuRXlXSlhxNXl5S0hWVHpOU2l2bk9EWnJaWWJ6UnJpWmJrb1k1RApuRmVFNm5yUDZMWWpiM204RFJhL25Qa2J1OTg0L1RPUmppeit4aTBZc0J3dUdxT0NvK0RxT2t6OEdYejRERlJjCm8rRHN0ZXZoQWxMdGYvaVVHaHVJdTl3b3Mvb0o1R1Z3WVNRL2J5MVd4aHBMenl6WmV4MjJDcHovazErZ0NOOEIKNFpWZHFvT3NiQzlrMzdsZ2JBZEhHK3MybjQ5aU52S01NM1VDWGhLV0tTYXNUalRUMWJ0U1VoZkU5Y0JEV2t5LwpEK0w0OWwvRVQrUEZXQ3EwaUVTRDY3R0xBWElDbkJER1ZQT0NHWnV6YVFLQmdRRFR6Z3BkUXNSZmlPcklET0JqCk42ZXJOL1NxeTB1aUw3V0t3ZGwxU1ZOc25kcEJrQVlMMGRTdUZ4aForRDVPYTVHZDhvQTJQNkJIUkE5UlUweUMKME4zQVAwZkVFZkhXN1BmcnM2QW91ZGdJOW9za1kvQ3B2eVRTTTBSVmRBUFZQRUw1dVJWcTExZXUvTmFaZURQWQpZVm1OUUlBY1dtNHN6OFVMQTY5czBmcFR4d0tCZ1FDOTh1KzdYNnhrRVVJNjNvNTZUYldaMWc4VTJpZU1taVhwCkZxaHd6Z2o5d3Z1SVdXdm04ZjVzb3B6dHpKNklUb0g3bkhYVDB4NG5oVk1aT2lTelk2ZGUzUTZkV21UN3RpMUcKT0o5VlJ6SzNsWFA2bkxRSEt2d1RGVHpoWnFRYTVpd1pIR1FKNUVuOVMydklHZllNTk5xNjN3RG9JSmFKT1dzSQpXVGRWZmtaejh3S0JnR0MzUnhoSzhxekZNcUJpOE51ZGdGeTQwbXBqSm9oS3pOVXRxNFRaRk5VV1I2R0VpSjVCCkZLTGlQT1pvYXRzWVY0Z09RZW1EcUVhaWwzUUZXM3lvcjNtbjY3ZG1razRZS3lWZ0FwUldPSVh2UHA1QlhKWEcKaUtQTGNUcXNIVXZ6bG9tOXNELzNVVHpBaTZYTXM2L3MxQjJpQkYzdUZUMDFLcjdhMGZJWTkvdmxBb0dBQ2ZicQptSnZHUVdHZVpkUXpDVHQyWVdHWFhQS3N6SFZ4czY2YW00QlRmR3gwSVl6L1doZ3J6cXNoTEdCbG1LVDFzS3RlCml3UXlPc1NGdlhjTllkUENmZmwrd01aek1iazIyczR4blpta2tYam5vcWdCMGJaeGp0YTRZT0t2alRHeDhvZEkKd0RRWHBaQUZVWFA3TWx5N2RMNHFJQU5Gb21FK3VpdGorYm9zRy8wQ2dZQWZUR1QwN09EVm9pSTR0TlhrYXUyWApzaTRaWTR5SVR5enppN3UxanZlaEdLbFVucDBQMGNFVWJlQ0NyNnc4M3BYdmpQUVd3ckZMMyt3VUtyNE1UeWhuCkRBLzNPcHR0MFVaR29XT0ZvTFNmN3ExQlBuK1hCWURSZ2F3aHRZWW5WQ09xbzgzaHVaekE4VzUvb3c5bzVERXYKbmpyRlhvQlVZcnpXM0xaVnV4NWhsZz09Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+  name: ssl-redirect-localhost
+  namespace: default
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - ssl-redirect.localdev.me
+    secretName: ssl-redirect-tls
+  rules:
+  - host: ssl-redirect.localdev.me
+    http:
+      paths:
+      - backend:
+          service:
+            name: echo-backend
+            port:
+              number: 8080
+        path: /
+        pathType: Prefix
+

test/e2e/emitters/kgateway/testdata/output/ssl_redirect.yaml

@@ -0,0 +1,74 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  annotations:
+    gateway.networking.k8s.io/generator: ingress2gateway-dev
+  name: nginx
+  namespace: default
+spec:
+  gatewayClassName: kgateway
+  listeners:
+  - hostname: ssl-redirect.localdev.me
+    name: ssl-redirect-localdev-me-http
+    port: 80
+    protocol: HTTP
+  - hostname: ssl-redirect.localdev.me
+    name: ssl-redirect-localdev-me-https
+    port: 443
+    protocol: HTTPS
+    tls:
+      certificateRefs:
+      - group: null
+        kind: null
+        name: ssl-redirect-tls
+status: {}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  annotations:
+    gateway.networking.k8s.io/generator: ingress2gateway-dev
+  name: ssl-redirect-localhost-ssl-redirect-localdev-me-https
+  namespace: default
+spec:
+  hostnames:
+  - ssl-redirect.localdev.me
+  parentRefs:
+  - name: nginx
+    sectionName: ssl-redirect-localdev-me-https
+  rules:
+  - backendRefs:
+    - name: echo-backend
+      port: 8080
+    matches:
+    - path:
+        type: PathPrefix
+        value: /
+status:
+  parents: []
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  annotations:
+    gateway.networking.k8s.io/generator: ingress2gateway-dev
+  name: ssl-redirect-localhost-ssl-redirect-localdev-me-http-redirect
+  namespace: default
+spec:
+  hostnames:
+  - ssl-redirect.localdev.me
+  parentRefs:
+  - name: nginx
+    sectionName: ssl-redirect-localdev-me-http
+  rules:
+  - filters:
+    - requestRedirect:
+        scheme: https
+        statusCode: 308
+      type: RequestRedirect
+    matches:
+    - path:
+        type: PathPrefix
+        value: /
+status:
+  parents: []

test/e2e/emitters/kgateway/wait.go

@@ -149,6 +149,58 @@ func curlHTTPCodeFromClient(ctx context.Context, host, url string) (code string,
 	return strings.TrimSpace(out), out, nil
 }
 
+// curlHTTPRedirectFromClient executes curl and returns the HTTP status code and Location header.
+// It does NOT follow redirects (no -L flag) so we can see the redirect response.
+func curlHTTPRedirectFromClient(ctx context.Context, host, url string) (code string, location string, out string, err error) {
+	// Use -i to include headers, -s for silent, but keep stderr for errors
+	// Extract status code and Location header
+	script := `set -o pipefail; curl -sSi --connect-timeout 2 --max-time 5 -H "Host: $1" "$2" 2>&1 || echo "000"`
+	out, err = kubectl(ctx, "-n", "default", "exec", "deploy/curl", "--",
+		"sh", "-c", script, "_", host, url,
+	)
+	if err != nil {
+		return "000", "", out, err
+	}
+
+	// Parse status code from HTTP/1.1 308 Permanent Redirect
+	lines := strings.Split(out, "\n")
+	code = "000"
+	location = ""
+	for _, line := range lines {
+		lineLower := strings.ToLower(line)
+		if strings.HasPrefix(line, "HTTP/") {
+			// Extract status code from "HTTP/1.1 308 Permanent Redirect"
+			parts := strings.Fields(line)
+			if len(parts) >= 2 {
+				code = parts[1]
+			}
+		}
+		if strings.HasPrefix(lineLower, "location:") {
+			// Extract Location header value (case-insensitive)
+			// Handle both "Location: https://..." and "location: https://..."
+			idx := strings.Index(lineLower, "location:")
+			if idx != -1 {
+				location = strings.TrimSpace(line[idx+9:])
+			}
+		}
+	}
+
+	return code, location, out, nil
+}
+
+// curlHTTPS200FromClient executes curl with -k (insecure) flag for HTTPS requests.
+func curlHTTPS200FromClient(ctx context.Context, host, url string) (code string, out string, err error) {
+	// Use -k to skip certificate verification for self-signed certs
+	script := `set -o pipefail; curl -k -sS -o /dev/null -w "%{http_code}" --connect-timeout 2 --max-time 5 -H "Host: $1" "$2" || echo 000`
+	out, err = kubectl(ctx, "-n", "default", "exec", "deploy/curl", "--",
+		"sh", "-c", script, "_", host, url,
+	)
+	if err != nil {
+		return "000", out, err
+	}
+	return strings.TrimSpace(out), out, nil
+}
+
 func debugCurlVerbose(t *testing.T, ctx context.Context, host, url string) error {
 	t.Helper()
 	script := `curl -v --connect-timeout 2 --max-time 5 -H "Host: $1" "$2" || true`
@@ -159,6 +211,80 @@ func debugCurlVerbose(t *testing.T, ctx context.Context, host, url string) error
 	return err
 }
 
+// requireHTTPRedirectEventually waits for an HTTP redirect response (308 status code)
+// and verifies the Location header contains https:// scheme.
+func requireHTTPRedirectEventually(t *testing.T, ctx context.Context, host, url string, timeout time.Duration) {
+	t.Helper()
+
+	deadline := time.Now().Add(timeout)
+	interval := 2 * time.Second
+
+	var lastCode string
+	var lastLocation string
+	var lastOut string
+	var lastErr error
+
+	for attempt := 1; time.Now().Before(deadline); attempt++ {
+		code, location, out, err := curlHTTPRedirectFromClient(ctx, host, url)
+		lastCode, lastLocation, lastOut, lastErr = code, location, out, err
+
+		if err == nil && strings.TrimSpace(code) == "308" {
+			// Verify Location header contains https://
+			if strings.HasPrefix(strings.ToLower(location), "https://") {
+				return
+			}
+		}
+
+		if attempt == 1 || attempt%10 == 0 {
+			t.Logf("waiting for HTTP 308 redirect (attempt=%d host=%s url=%s): code=%q location=%q err=%v",
+				attempt, host, url, strings.TrimSpace(code), location, err)
+		}
+		time.Sleep(interval)
+	}
+
+	_ = debugCurlVerbose(t, ctx, host, url)
+
+	t.Fatalf("timed out waiting for HTTP 308 redirect (host=%s url=%s timeout=%s). lastCode=%q lastLocation=%q lastErr=%v lastOut=%s",
+		host, url, timeout, strings.TrimSpace(lastCode), lastLocation, lastErr, lastOut)
+}
+
+// requireHTTPS200Eventually waits for an HTTPS 200 response using insecure curl (-k flag).
+func requireHTTPS200Eventually(t *testing.T, ctx context.Context, host, url string, timeout time.Duration) {
+	t.Helper()
+
+	deadline := time.Now().Add(timeout)
+	interval := 2 * time.Second
+
+	var lastCode string
+	var lastOut string
+	var lastErr error
+
+	for attempt := 1; time.Now().Before(deadline); attempt++ {
+		code, out, err := curlHTTPS200FromClient(ctx, host, url)
+		lastCode, lastOut, lastErr = code, out, err
+
+		if err == nil && strings.TrimSpace(code) == "200" {
+			return
+		}
+
+		if attempt == 1 || attempt%10 == 0 {
+			t.Logf("waiting for HTTPS 200 (attempt=%d host=%s url=%s): code=%q err=%v",
+				attempt, host, url, strings.TrimSpace(code), err)
+		}
+		time.Sleep(interval)
+	}
+
+	// Debug with verbose curl
+	script := `curl -kv --connect-timeout 2 --max-time 5 -H "Host: $1" "$2" || true`
+	out, _ := kubectl(ctx, "-n", "default", "exec", "deploy/curl", "--",
+		"sh", "-c", script, "_", host, url,
+	)
+	t.Logf("debug curl -kv output:\n%s", out)
+
+	t.Fatalf("timed out waiting for HTTPS 200 (host=%s url=%s timeout=%s). lastCode=%q lastErr=%v lastOut=%s",
+		host, url, timeout, strings.TrimSpace(lastCode), lastErr, lastOut)
+}
+
 func waitForGatewayAddress(ctx context.Context, ns, gwName string, timeout time.Duration) (string, error) {
 	deadline := time.Now().Add(timeout)
 	for time.Now().Before(deadline) {