From e85f1ea1bc04579ee9a70d5acc08476c7e4003b9 Mon Sep 17 00:00:00 2001
From: Joao Morais <jomorais@redhat.com>
Date: Tue, 27 Jan 2026 17:20:17 -0300
Subject: [PATCH] fix DCM tests

Some fixes to the DCM e2e test.

* fix secret name used on the secure endpoint pod
* manually update Route resources created via oc expose service, since
it seems to be ignoring --labels command-line option.
* change router namespace policy to privileged
* add IPv6 binding on router and secure-service

Jira: https://issues.redhat.com/browse/NE-906
---
 test/extended/router/config_manager.go | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/test/extended/router/config_manager.go b/test/extended/router/config_manager.go
index 1b15d2561a79..30e6413da3d5 100644
--- a/test/extended/router/config_manager.go
+++ b/test/extended/router/config_manager.go
@@ -16,6 +16,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/wait"
 	e2eoutput "k8s.io/kubernetes/test/e2e/framework/pod/output"
+	"k8s.io/pod-security-admission/api"
 	utilpointer "k8s.io/utils/pointer"
 
 	routev1 "github.com/openshift/api/route/v1"
@@ -46,12 +47,9 @@ var _ = g.Describe("[sig-network][Feature:Router][apigroup:route.openshift.io]",
 		}
 	})
 
-	oc = exutil.NewCLI("router-config-manager")
+	oc = exutil.NewCLIWithPodSecurityLevel("router-config-manager", api.LevelPrivileged)
 
 	g.BeforeEach(func() {
-		// the test has been skipped since July 2018 because it was flaking.
-		// TODO: Fix the test and re-enable it in https://issues.redhat.com/browse/NE-906.
-		g.Skip("HAProxy dynamic config manager tests skipped in 4.x")
 		ns = oc.Namespace()
 
 		routerImage, err := exutil.FindRouterImage(oc)
@@ -89,8 +87,8 @@ daemon off;
 events { }
 http {
   server {
-      listen 8443;
-      ssl    on;
+      listen 8443 ssl;
+      listen [::]:8443 ssl;
       ssl_certificate     /etc/serving-cert/tls.crt;
       ssl_certificate_key    /etc/serving-cert/tls.key;
       server_name  "*.svc";
@@ -350,6 +348,10 @@ http {
 										},
 									},
 								},
+								{
+									Name:  "ROUTER_IP_V4_V6_MODE",
+									Value: "v4v6",
+								},
 							},
 							Args: []string{
 								"--namespace=$(POD_NAMESPACE)",
@@ -462,7 +464,7 @@ http {
 							Name: "cert",
 							VolumeSource: corev1.VolumeSource{
 								Secret: &corev1.SecretVolumeSource{
-									SecretName: "service-cert",
+									SecretName: "serving-cert",
 								},
 							},
 						},
@@ -491,9 +493,6 @@ http {
 
 	g.Describe("The HAProxy router", func() {
 		g.It("should serve the correct routes when running with the haproxy config manager", func() {
-			// the test has been skipped since July 2018 because it was flaking.
-			// TODO: Fix the test and re-enable it in https://issues.redhat.com/browse/NE-906.
-			g.Skip("HAProxy dynamic config manager tests skipped in 4.x")
 			ns := oc.KubeFramework().Namespace.Name
 			execPod := exutil.CreateExecPodOrFail(oc.AdminKubeClient(), ns, "execpod")
 			defer func() {
@@ -532,7 +531,10 @@ http {
 			for i := 0; i < 16; i++ {
 				name := fmt.Sprintf("hapcm-stress-insecure-%d", i)
 				hostName := fmt.Sprintf("stress.insecure-%d.hapcm.test", i)
-				err := oc.AsAdmin().Run("expose").Args("service", "insecure-service", "--name", name, "--hostname", hostName, "--labels", "select=haproxy-cfgmgr").Execute()
+				err := oc.AsAdmin().Run("expose").Args("service", "insecure-service", "--name", name, "--hostname", hostName).Execute()
+				o.Expect(err).NotTo(o.HaveOccurred())
+				// --labels on `oc expose` (above) does not override the ones coming from service's selector.
+				err = oc.AsAdmin().Run("label").Args("route", name, "select=haproxy-cfgmgr").Execute()
 				o.Expect(err).NotTo(o.HaveOccurred())
 
 				err = waitForRouteToRespond(ns, execPod.Name, "http", hostName, "/", routerIP, 0)