add functional tests for upstreamSettings policy

apis/v1alpha1/policy_methods.go

@@ -31,3 +31,7 @@ func (p *ObservabilityPolicy) GetPolicyStatus() v1alpha2.PolicyStatus {
 func (p *ObservabilityPolicy) SetPolicyStatus(status v1alpha2.PolicyStatus) {
 	p.Status = status
 }
+
+func (p *UpstreamSettingsPolicy) GetTargetRefs() []v1alpha2.LocalPolicyTargetReference {
+	return p.Spec.TargetRefs
+}

config/crd/bases/gateway.nginx.org_upstreamsettingspolicies.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.2
+    controller-gen.kubebuilder.io/version: v0.16.5
   labels:
     gateway.networking.k8s.io/policy: direct
   name: upstreamsettingspolicies.gateway.nginx.org
@@ -76,13 +76,13 @@ spec:
                       Time defines the maximum time during which requests can be processed through one keep-alive connection.
                       After this time is reached, the connection is closed following the subsequent request processing.
                       Directive: https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_time
-                    pattern: ^\d{1,4}(ms|s)?$
+                    pattern: ^[0-9]{1,4}(ms|s|m|h)?$
                     type: string
                   timeout:
                     description: |-
                       Timeout defines the keep-alive timeout for upstreams.
                       Directive: https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_timeout
-                    pattern: ^\d{1,4}(ms|s)?$
+                    pattern: ^[0-9]{1,4}(ms|s|m|h)?$
                     type: string
                 type: object
               targetRefs:

tests/framework/crossplane.go

@@ -30,6 +30,8 @@ type ExpectedNginxField struct {
 	Location string
 	// Servers are the server names that the directive should exist in.
 	Servers []string
+	// Upstream are the upstream names that the directive should exist in.
+	Upstreams []string
 	// ValueSubstringAllowed allows the expected value to be a substring of the real value.
 	// This makes it easier for cases when real values are complex file names or contain things we
 	// don't care about, and we just want to check if a substring exists.
@@ -64,6 +66,8 @@ func ValidateNginxFieldExists(conf *Payload, expFieldCfg ExpectedNginxField) err
 					}
 				}
 			}
+
+			return validateUpstreamDirectives(expFieldCfg, directive)
 		}
 	}
 
@@ -75,6 +79,19 @@ func ValidateNginxFieldExists(conf *Payload, expFieldCfg ExpectedNginxField) err
 	return fmt.Errorf("field not found; expected: %+v\nNGINX conf: %s", expFieldCfg, string(b))
 }
 
+func validateUpstreamDirectives(expFieldCfg ExpectedNginxField, directive *Directive) error {
+	for _, upstreamName := range expFieldCfg.Upstreams {
+		if directive.Directive == "upstream" && directive.Args[0] == upstreamName {
+			for _, upstreamDirective := range directive.Block {
+				if expFieldCfg.fieldFound(upstreamDirective) {
+					return nil
+				}
+			}
+		}
+	}
+	return nil
+}
+
 func getServerName(serverBlock Directives) string {
 	for _, directive := range serverBlock {
 		if directive.Directive == "server_name" {

tests/suite/manifests/upstream-settings-policy/cafe.yaml

@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: coffee
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: coffee
+  template:
+    metadata:
+      labels:
+        app: coffee
+    spec:
+      containers:
+      - name: coffee
+        image: nginxdemos/nginx-hello:plain-text
+        ports:
+        - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: coffee
+spec:
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    app: coffee
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tea
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: tea
+  template:
+    metadata:
+      labels:
+        app: tea
+    spec:
+      containers:
+      - name: tea
+        image: nginxdemos/nginx-hello:plain-text
+        ports:
+        - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: tea
+spec:
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    app: tea
+---

tests/suite/manifests/upstream-settings-policy/gateway.yaml

@@ -0,0 +1,11 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: gateway
+spec:
+  gatewayClassName: nginx
+  listeners:
+  - name: http
+    port: 80
+    protocol: HTTP
+    hostname: "*.example.com"

tests/suite/manifests/upstream-settings-policy/grpc-backend.yaml

@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: grpc-backend
+spec:
+  selector:
+    app: grpc-backend
+  ports:
+  - protocol: TCP
+    port: 8080
+    targetPort: 50051
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: grpc-backend
+  labels:
+    app: grpc-backend
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: grpc-backend
+  template:
+    metadata:
+      labels:
+        app: grpc-backend
+    spec:
+      containers:
+      - name: grpc-backend
+        image: ghcr.io/nginxinc/kic-test-grpc-server:0.2.3
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        resources:
+          requests:
+            cpu: 10m

tests/suite/manifests/upstream-settings-policy/invalid-usps.yaml

@@ -0,0 +1,84 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: gateway-httproute-allowed
+spec:
+  gatewayClassName: nginx
+  listeners:
+  - name: http
+    port: 80
+    protocol: HTTP
+    hostname: "soda.example.com"
+    allowedRoutes:
+      namespaces:
+        from: All
+      kinds:
+        kind: GRPCRoute
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: soda
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: soda
+  template:
+    metadata:
+      labels:
+        app: soda
+    spec:
+      containers:
+      - name: soda
+        image: nginxdemos/nginx-hello:plain-text
+        ports:
+        - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: soda
+spec:
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    app: soda
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: soda
+spec:
+  parentRefs:
+  - name: gateway-httproute-allowed
+    sectionName: http
+  hostnames:
+  - "soda.example.com"
+  rules:
+  - matches:
+    - path:
+        type: Exact
+        value: /soda
+    backendRefs:
+    - name: soda
+      port: 80
+---
+apiVersion: gateway.nginx.org/v1alpha1
+kind: UpstreamSettingsPolicy
+metadata:
+  name: soda-svc-usp
+spec:
+  zoneSize: 512k
+  targetRefs:
+  - group: core
+    kind: Service
+    name: soda
+  keepAlive:
+    connections: 10
+    requests: 3
+    time: 10s
+    timeout: 50s

tests/suite/manifests/upstream-settings-policy/routes.yaml

@@ -0,0 +1,35 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: coffee
+spec:
+  parentRefs:
+    - name: gateway
+      sectionName: http
+  hostnames:
+    - "cafe.example.com"
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /coffee
+      backendRefs:
+        - name: coffee
+          port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: GRPCRoute
+metadata:
+  name: grpc-route
+spec:
+  parentRefs:
+    - name: gateway
+      sectionName: http
+  rules:
+    - matches:
+        - method:
+            service: helloworld.Greeter
+            method: SayHello
+      backendRefs:
+        - name: grpc-backend
+          port: 8080

tests/suite/manifests/upstream-settings-policy/valid-merge-usps.yaml

@@ -0,0 +1,25 @@
+apiVersion: gateway.nginx.org/v1alpha1
+kind: UpstreamSettingsPolicy
+metadata:
+  name: coffee-svc-usp-1
+spec:
+  zoneSize: 64k
+  targetRefs:
+    - group: core
+      kind: Service
+      name: coffee
+---
+apiVersion: gateway.nginx.org/v1alpha1
+kind: UpstreamSettingsPolicy
+metadata:
+  name: coffee-svc-usp-2
+spec:
+  targetRefs:
+    - group: core
+      kind: Service
+      name: coffee
+  keepAlive:
+    connections: 100
+    requests: 55
+    time: 1m
+    timeout: 5h

tests/suite/manifests/upstream-settings-policy/valid-usps-first-wins.yaml

@@ -0,0 +1,21 @@
+apiVersion: gateway.nginx.org/v1alpha1
+kind: UpstreamSettingsPolicy
+metadata:
+  name: coffee-svc-usp-1
+spec:
+  zoneSize: 64k
+  targetRefs:
+    - group: core
+      kind: Service
+      name: coffee
+---
+apiVersion: gateway.nginx.org/v1alpha1
+kind: UpstreamSettingsPolicy
+metadata:
+  name: coffee-svc-usp-2
+spec:
+  zoneSize: 128k
+  targetRefs:
+    - group: core
+      kind: Service
+      name: coffee