add e2e for route rule level sp

kkk777-7 · kkk777-7 · commit 0104bd0c14d7 · 2025-07-22T00:34:01.000+09:00
Signed-off-by: kkk777-7 &lt;kota.kimura0725@gmail.com&gt;
diff --git a/test/e2e/testdata/api-key-auth.yaml b/test/e2e/testdata/api-key-auth.yaml
@@ -70,6 +70,32 @@ spec:
         - name: infra-backend-v1
           port: 8080
 ---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-with-api-key-auth-header-section-scoped
+  namespace: gateway-conformance-infra
+spec:
+  parentRefs:
+    - name: same-namespace
+  rules:
+    - name: policy-attached
+      matches:
+        - path:
+            type: Exact
+            value: /api-key-auth-header-attached
+      backendRefs:
+        - name: infra-backend-v1
+          port: 8080
+    - name: policy-non-attached
+      matches:
+        - path:
+            type: Exact
+            value: /api-key-auth-header-non-attached
+      backendRefs:
+        - name: infra-backend-v1
+          port: 8080
+---
 apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: SecurityPolicy
 metadata:
@@ -121,3 +147,21 @@ spec:
     credentialRefs:
       - name: "api-key-auth-users-secret-1"
       - name: "api-key-auth-users-secret-2"
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+  name: api-key-auth-header-section-scoped
+  namespace: gateway-conformance-infra
+spec:
+  targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: http-with-api-key-auth-header-section-scoped
+      sectionName: policy-attached
+  apiKeyAuth:
+    extractFrom:
+      - headers: ["X-API-KEY"]
+    credentialRefs:
+      - name: "api-key-auth-users-secret-1"
+      - name: "api-key-auth-users-secret-2"
diff --git a/test/e2e/tests/api_key_auth.go b/test/e2e/tests/api_key_auth.go
@@ -154,6 +154,52 @@ var APIKeyAuthTest = suite.ConformanceTest{
 				Namespace: ns,
 			}
 
+			http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
+		})
+		t.Run("section scoped api-key auth with header", func(t *testing.T) {
+			ns := "gateway-conformance-infra"
+			routeNN := types.NamespacedName{Name: "http-with-api-key-auth-header-section-scoped", Namespace: ns}
+			gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+			gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+
+			ancestorRef := gwapiv1a2.ParentReference{
+				Group:     gatewayapi.GroupPtr(gwapiv1.GroupName),
+				Kind:      gatewayapi.KindPtr(resource.KindGateway),
+				Namespace: gatewayapi.NamespacePtr(gwNN.Namespace),
+				Name:      gwapiv1.ObjectName(gwNN.Name),
+			}
+			SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "api-key-auth-header-section-scoped", Namespace: ns}, suite.ControllerName, ancestorRef)
+
+			// Invalid key request for a route rule with policy attached will fail.
+			expectedResponse := http.ExpectedResponse{
+				Request: http.Request{
+					Path: "/api-key-auth-header-attached",
+					Headers: map[string]string{
+						"X-API-KEY": "invalid",
+					},
+				},
+				Response: http.Response{
+					StatusCode: 401,
+				},
+				Namespace: ns,
+			}
+
+			http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
+
+			// Invalid key request for a route rule with policy not attached will success.
+			expectedResponse = http.ExpectedResponse{
+				Request: http.Request{
+					Path: "/api-key-auth-header-non-attached",
+					Headers: map[string]string{
+						"X-API-KEY": "invalid",
+					},
+				},
+				Response: http.Response{
+					StatusCode: 200,
+				},
+				Namespace: ns,
+			}
+
 			http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
 		})
 	},
