NE-2292: Add Gateway API OLM to NO-OLM migration upgrade test

Add upgrade test validating Gateway API migration from OLM-based Istio
to CIO-managed Sail Library during 4.21 to 4.22 upgrades.

Setup creates Gateway/HTTPRoute with OLM provisioning and tests
connectivity. Test validates migration: Gateway remains programmed,
Istiod running, Istio CRDs stay OLM-managed, GatewayClass has CIO
finalizer, Istio CR deleted, subscription persists. Teardown cleans
up all resources.

Author: gcs278

test/e2e/upgrade/upgrade.go

@@ -44,6 +44,7 @@ import (
 	"github.com/openshift/origin/test/e2e/upgrade/manifestdelete"
 	mc "github.com/openshift/origin/test/extended/machine_config"
 	"github.com/openshift/origin/test/extended/prometheus"
+	"github.com/openshift/origin/test/extended/router"
 	"github.com/openshift/origin/test/extended/util/disruption"
 	"github.com/openshift/origin/test/extended/util/operator"
 )
@@ -69,6 +70,7 @@ func AllTests() []upgrades.Test {
 		&prometheus.ImagePullsAreFast{},
 		&prometheus.MetricsAvailableAfterUpgradeTest{},
 		&dns.UpgradeTest{},
+		&router.GatewayAPIMigrationUpgradeTest{},
 	}
 }
 

test/extended/router/gatewayapi_upgrade.go

@@ -0,0 +1,307 @@
+package router
+
+import (
+	"context"
+	"strings"
+	"time"
+
+	g "github.com/onsi/ginkgo/v2"
+	o "github.com/onsi/gomega"
+
+	exutil "github.com/openshift/origin/test/extended/util"
+
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/kubernetes/test/e2e/framework"
+	"k8s.io/kubernetes/test/e2e/upgrades"
+	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+// List of Istio CRDs that should remain OLM-managed after migration
+var istioCRDNames = []string{
+	"wasmplugins.extensions.istio.io",
+	"destinationrules.networking.istio.io",
+	"envoyfilters.networking.istio.io",
+	"gateways.networking.istio.io",
+	"proxyconfigs.networking.istio.io",
+	"serviceentries.networking.istio.io",
+	"sidecars.networking.istio.io",
+	"virtualservices.networking.istio.io",
+	"workloadentries.networking.istio.io",
+	"workloadgroups.networking.istio.io",
+	"authorizationpolicies.security.istio.io",
+	"peerauthentications.security.istio.io",
+	"requestauthentications.security.istio.io",
+	"telemetries.telemetry.istio.io",
+}
+
+// GatewayAPIMigrationUpgradeTest verifies that Gateway API resources migrate
+// from OLM-based provisioning to CIO-based provisioning during upgrade
+type GatewayAPIMigrationUpgradeTest struct {
+	oc          *exutil.CLI
+	namespace   string
+	gatewayName string
+	routeName   string
+	hostname    string
+}
+
+func (t *GatewayAPIMigrationUpgradeTest) Name() string {
+	return "gateway-api-olm-to-no-olm-migration"
+}
+
+func (t *GatewayAPIMigrationUpgradeTest) DisplayName() string {
+	return "[sig-network-edge][Feature:Router][apigroup:gateway.networking.k8s.io] Verify Gateway API migration from OLM to NO-OLM during upgrade"
+}
+
+// Setup creates Gateway and HTTPRoute resources with OLM-based provisioning and tests connectivity
+func (t *GatewayAPIMigrationUpgradeTest) Setup(ctx context.Context, f *framework.Framework) {
+	g.By("Setting up Gateway API OLM to NO-OLM migration test")
+
+	t.oc = exutil.NewCLIWithFramework(f)
+	t.namespace = f.Namespace.Name
+	t.gatewayName = "upgrade-test-gateway"
+	t.routeName = "test-httproute"
+
+	configClient := t.oc.AdminConfigClient()
+
+	g.By("Checking if GatewayAPIWithoutOLM feature gate is enabled")
+	fgs, err := configClient.ConfigV1().FeatureGates().Get(ctx, "cluster", metav1.GetOptions{})
+	o.Expect(err).NotTo(o.HaveOccurred())
+
+	for _, fg := range fgs.Status.FeatureGates {
+		for _, enabledFG := range fg.Enabled {
+			if enabledFG.Name == "GatewayAPIWithoutOLM" {
+				g.Skip("Skipping upgrade test - GatewayAPIWithoutOLM is already enabled, this test requires starting from OLM-based provisioning")
+			}
+		}
+	}
+
+	g.By("Creating default GatewayClass to trigger Gateway API installation")
+	gatewayClassName := "openshift-default"
+	gatewayClassControllerName := "openshift.io/gateway-controller/v1"
+	gatewayClass := buildGatewayClass(gatewayClassName, gatewayClassControllerName)
+	_, err = t.oc.AdminGatewayApiClient().GatewayV1().GatewayClasses().Create(ctx, gatewayClass, metav1.CreateOptions{})
+	if err != nil && !apierrors.IsAlreadyExists(err) {
+		framework.Failf("Failed to create GatewayClass %q: %v", gatewayClassName, err)
+	}
+
+	g.By("Waiting for GatewayClass to be accepted")
+	err = checkGatewayClass(t.oc, gatewayClassName)
+	o.Expect(err).NotTo(o.HaveOccurred(), "GatewayClass %q was not accepted", gatewayClassName)
+
+	g.By("Getting the default domain")
+	defaultIngressDomain, err := getDefaultIngressClusterDomainName(t.oc, time.Minute)
+	o.Expect(err).NotTo(o.HaveOccurred(), "Failed to find default domain name")
+	customDomain := strings.Replace(defaultIngressDomain, "apps.", "gw-upgrade.", 1)
+	t.hostname = "test-upgrade." + customDomain
+
+	g.By("Creating Gateway with OLM-based provisioning")
+	_, err = createAndCheckGateway(t.oc, t.gatewayName, gatewayClassName, customDomain)
+	o.Expect(err).NotTo(o.HaveOccurred(), "Failed to create Gateway")
+
+	g.By("Verify the gateway's LoadBalancer service and DNSRecords")
+	assertGatewayLoadbalancerReady(t.oc, t.gatewayName, t.gatewayName+"-openshift-default")
+	assertDNSRecordStatus(t.oc, t.gatewayName)
+
+	g.By("Creating HTTPRoute with backend")
+	backendName := "echo-backend-" + t.gatewayName
+	createHttpRoute(t.oc.AsAdmin(), t.gatewayName, t.routeName, t.hostname, backendName)
+
+	g.By("Waiting for HTTPRoute to be accepted")
+	_, err = assertHttpRouteSuccessful(t.oc.AsAdmin(), t.gatewayName, t.routeName)
+	o.Expect(err).NotTo(o.HaveOccurred())
+
+	g.By("Verifying HTTP connectivity before upgrade")
+	assertHttpRouteConnection(t.hostname)
+
+	g.By("Verifying OLM-based Istio CR exists before upgrade")
+	// Check for Istio CR created by OLM (cluster-scoped, will be deleted during migration)
+	_, err = t.oc.AsAdmin().Run("get").Args("istio", "openshift-gateway").Output()
+	o.Expect(err).NotTo(o.HaveOccurred(), "Istio CR should exist before upgrade (OLM-based)")
+
+	// Check for Sail Operator subscription (will NOT be removed during migration)
+	_, err = t.oc.AsAdmin().Run("get").Args("subscription", "-n", "openshift-operators", "servicemeshoperator3").Output()
+	o.Expect(err).NotTo(o.HaveOccurred(), "Sail Operator subscription should exist before upgrade")
+
+	framework.Logf("Gateway and HTTPRoute successfully created with OLM-based provisioning, connectivity verified")
+}
+
+// Test validates that resources continue working during upgrade and migrate to CIO after upgrade
+func (t *GatewayAPIMigrationUpgradeTest) Test(ctx context.Context, f *framework.Framework, done <-chan struct{}, _ upgrades.UpgradeType) {
+	g.By("Validating Gateway API resources remain functional during upgrade")
+
+	// Validate Gateway still exists and is programmed during upgrade
+	gatewayClient := t.oc.AdminGatewayApiClient()
+	gw, err := gatewayClient.GatewayV1().Gateways(ingressNamespace).Get(ctx, t.gatewayName, metav1.GetOptions{})
+	o.Expect(err).NotTo(o.HaveOccurred())
+	o.Expect(gw).NotTo(o.BeNil())
+
+	// Block until upgrade completes
+	g.By("Waiting for upgrade to complete")
+	<-done
+
+	g.By("Sleeping for a minute to allow CIO to take over Gateway API resources")
+	time.Sleep(1 * time.Minute)
+
+	g.By("Validating migration from OLM to CIO-based provisioning after upgrade")
+
+	// Verify Gateway still exists and is programmed
+	gw, err = gatewayClient.GatewayV1().Gateways(ingressNamespace).Get(ctx, t.gatewayName, metav1.GetOptions{})
+	o.Expect(err).NotTo(o.HaveOccurred())
+	o.Expect(gw).NotTo(o.BeNil())
+
+	var isProgrammed bool
+	for _, condition := range gw.Status.Conditions {
+		if condition.Type == string(gatewayv1.GatewayConditionProgrammed) && condition.Status == metav1.ConditionTrue {
+			isProgrammed = true
+			break
+		}
+	}
+	o.Expect(isProgrammed).To(o.BeTrue(), "Gateway should remain programmed after upgrade")
+
+	g.By("Verifying Istiod control plane is running after migration")
+	// Check that Istiod deployment exists and pods are running
+	deployment, err := t.oc.AdminKubeClient().AppsV1().Deployments(ingressNamespace).Get(ctx, "istiod-openshift-gateway", metav1.GetOptions{})
+	o.Expect(err).NotTo(o.HaveOccurred(), "Istiod deployment should exist after migration")
+
+	// Verify at least one istiod pod is running
+	err = wait.PollUntilContextTimeout(ctx, 2*time.Second, 2*time.Minute, false, func(ctx context.Context) (bool, error) {
+		pods, err := t.oc.AdminKubeClient().CoreV1().Pods(ingressNamespace).List(ctx, metav1.ListOptions{
+			LabelSelector: metav1.FormatLabelSelector(deployment.Spec.Selector),
+		})
+		if err != nil {
+			return false, nil
+		}
+		if len(pods.Items) < 1 {
+			return false, nil
+		}
+		for _, pod := range pods.Items {
+			if pod.Status.Phase == corev1.PodRunning {
+				return true, nil
+			}
+		}
+		return false, nil
+	})
+	o.Expect(err).NotTo(o.HaveOccurred(), "At least one Istiod pod should be running after migration")
+
+	g.By("Verifying Istio CRDs remain managed by OLM")
+	// Istio CRDs were installed by OLM and should remain OLM-managed (not taken over by CIO)
+	dynamicClient := t.oc.AdminDynamicClient()
+	crdResource := schema.GroupVersionResource{
+		Group:    "apiextensions.k8s.io",
+		Version:  "v1",
+		Resource: "customresourcedefinitions",
+	}
+
+	for _, crdName := range istioCRDNames {
+		crd, err := dynamicClient.Resource(crdResource).Get(ctx, crdName, metav1.GetOptions{})
+		o.Expect(err).NotTo(o.HaveOccurred(), "Istio CRD %s should exist after migration", crdName)
+
+		// Verify OLM management label (CRDs should remain OLM-managed)
+		labels, found, err := unstructured.NestedStringMap(crd.Object, "metadata", "labels")
+		o.Expect(err).NotTo(o.HaveOccurred())
+		o.Expect(found).To(o.BeTrue())
+		o.Expect(labels).To(o.HaveKeyWithValue("olm.managed", "true"),
+			"Istio CRD %s should remain OLM-managed after migration", crdName)
+	}
+
+	g.By("Verifying CIO has taken ownership via GatewayClass")
+	// Check GatewayClass has CIO sail library finalizer
+	gwc, err := gatewayClient.GatewayV1().GatewayClasses().Get(ctx, "openshift-default", metav1.GetOptions{})
+	o.Expect(err).NotTo(o.HaveOccurred())
+
+	hasCIOFinalizer := false
+	expectedFinalizer := "openshift.io/ingress-operator-sail-finalizer"
+	for _, finalizer := range gwc.Finalizers {
+		if finalizer == expectedFinalizer {
+			hasCIOFinalizer = true
+			break
+		}
+	}
+	o.Expect(hasCIOFinalizer).To(o.BeTrue(), "GatewayClass should have CIO sail library finalizer after upgrade")
+
+	// Check GatewayClass has required CIO conditions
+	var hasControllerInstalled, hasCRDsReady bool
+	for _, condition := range gwc.Status.Conditions {
+		if condition.Type == "ControllerInstalled" && condition.Status == metav1.ConditionTrue {
+			hasControllerInstalled = true
+		}
+		if condition.Type == "CRDsReady" && condition.Status == metav1.ConditionTrue {
+			hasCRDsReady = true
+		}
+	}
+	o.Expect(hasControllerInstalled).To(o.BeTrue(), "GatewayClass should have ControllerInstalled condition after upgrade")
+	o.Expect(hasCRDsReady).To(o.BeTrue(), "GatewayClass should have CRDsReady condition after upgrade")
+
+	g.By("Verifying migration from OLM-based Istio CR to Sail Library")
+	// The OLM Subscription for Sail Operator should still exist (it's not removed during migration)
+	_, err = t.oc.AsAdmin().Run("get").Args("subscription", "-n", "openshift-operators", "servicemeshoperator3").Output()
+	o.Expect(err).NotTo(o.HaveOccurred(), "Sail Operator subscription should still exist after upgrade")
+
+	// The Istio CR created by OLM should be deleted by CIO during migration
+	_, err = t.oc.AsAdmin().Run("get").Args("istio", "openshift-gateway").Output()
+	o.Expect(err).To(o.HaveOccurred(), "Istio CR should be deleted during migration")
+	o.Expect(apierrors.IsNotFound(err)).To(o.BeTrue(), "Istio CR should return NotFound error")
+
+	// IstioRevision should also be cleaned up
+	_, err = t.oc.AsAdmin().Run("get").Args("istiorevision", "openshift-gateway").Output()
+	o.Expect(err).To(o.HaveOccurred(), "IstioRevision should be cleaned up during migration")
+	o.Expect(apierrors.IsNotFound(err)).To(o.BeTrue(), "IstioRevision should return NotFound error")
+
+	g.By("Verifying HTTPRoute still exists and is accepted after upgrade")
+	_, err = assertHttpRouteSuccessful(t.oc.AsAdmin(), t.gatewayName, t.routeName)
+	o.Expect(err).NotTo(o.HaveOccurred())
+
+	g.By("Verifying HTTP connectivity after upgrade")
+	assertHttpRouteConnection(t.hostname)
+
+	framework.Logf("Gateway API successfully migrated from Istio CR (OLM) to Sail Library (CIO Helm-based)")
+}
+
+// Teardown cleans up Gateway API resources, Istio CR, and OSSM subscription
+// This runs even if the test fails, ensuring complete cleanup
+func (t *GatewayAPIMigrationUpgradeTest) Teardown(ctx context.Context, f *framework.Framework) {
+	g.By("Deleting the Sail Operator subscription")
+	subscriptionName := "servicemeshoperator3"
+	subscriptionNamespace := "openshift-operators"
+	err := t.oc.AsAdmin().Run("delete").Args("--ignore-not-found=true", "subscription", "-n", subscriptionNamespace, subscriptionName).Execute()
+	if err != nil {
+		framework.Logf("Failed to delete Subscription %q: %v", subscriptionName, err)
+	}
+
+	g.By("Deleting the Istio CR if it exists")
+	// Delete the Istio CR explicitly (may still exist if test failed before migration completed)
+	istioName := "openshift-gateway"
+	err = t.oc.AsAdmin().Run("delete").Args("--ignore-not-found=true", "istio", istioName).Execute()
+	if err != nil {
+		framework.Logf("Failed to delete Istio CR %q: %v", istioName, err)
+	}
+
+	g.By("Deleting the Gateway")
+	err = t.oc.AdminGatewayApiClient().GatewayV1().Gateways(ingressNamespace).Delete(ctx, t.gatewayName, metav1.DeleteOptions{})
+	if err != nil && !apierrors.IsNotFound(err) {
+		framework.Logf("Failed to delete Gateway %q: %v", t.gatewayName, err)
+	}
+
+	g.By("Deleting the GatewayClass")
+	gatewayClassName := "openshift-default"
+	err = t.oc.AdminGatewayApiClient().GatewayV1().GatewayClasses().Delete(ctx, gatewayClassName, metav1.DeleteOptions{})
+	if err != nil && !apierrors.IsNotFound(err) {
+		framework.Logf("Failed to delete GatewayClass %q: %v", gatewayClassName, err)
+	}
+
+	g.By("Waiting for istiod pods to be deleted")
+	o.Eventually(func(g o.Gomega) {
+		podsList, err := t.oc.AdminKubeClient().CoreV1().Pods(ingressNamespace).List(ctx, metav1.ListOptions{
+			LabelSelector: "app=istiod",
+		})
+		g.Expect(err).NotTo(o.HaveOccurred())
+		g.Expect(podsList.Items).Should(o.BeEmpty(), "Istiod pods should be deleted")
+	}).WithTimeout(10 * time.Minute).WithPolling(10 * time.Second).Should(o.Succeed())
+
+	framework.Logf("Gateway API resources, Istio CR, and OSSM subscription successfully cleaned up")
+}