NE-2422: Add Classic LB test and refactor dual-stack ingress tests

Add a second test case that verifies IPv4 connectivity through a Classic
LB ingress controller on a dual-stack cluster. Extract common setup logic
(backend service/pod creation, edge route creation, route admission
waiting) into shared helper functions. Use distinct domains (nlb/clb)
for each test's ingress controller shard.

Use 2 replicas for the NLB shard to allocate addresses in multiple AZs,
mitigating instability of IPv6 hairpin traffic. Reduce curl verbosity by
only logging the successful response.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: alebedev87

test/extended/router/dualstack.go

@@ -37,33 +37,24 @@ var _ = g.Describe("[sig-network-edge][OCPFeatureGate:AWSDualStackInstall][Featu
 		ctx := context.Background()
 
 		g.By("Checking that the Infrastructure CR has a DualStack IPFamily")
-		infra, err := oc.AdminConfigClient().ConfigV1().Infrastructures().Get(ctx, "cluster", metav1.GetOptions{})
-		o.Expect(err).NotTo(o.HaveOccurred(), "failed to get infrastructure CR")
-
-		if infra.Status.PlatformStatus == nil || infra.Status.PlatformStatus.Type != configv1.AWSPlatformType {
-			g.Skip("Test requires AWS platform")
-		}
-		if infra.Status.PlatformStatus.AWS == nil {
-			g.Skip("AWS platform status is not set")
-		}
-		ipFamily := infra.Status.PlatformStatus.AWS.IPFamily
-		if ipFamily != configv1.DualStackIPv4Primary && ipFamily != configv1.DualStackIPv6Primary {
-			g.Skip(fmt.Sprintf("Test requires DualStack IPFamily, got %q", ipFamily))
-		}
+		requireAWSDualStack(ctx, oc)
 
 		g.By("Getting the default ingress domain")
 		defaultDomain, err := getDefaultIngressClusterDomainName(oc, time.Minute)
 		o.Expect(err).NotTo(o.HaveOccurred(), "failed to find default domain name")
 
 		ns := oc.KubeFramework().Namespace.Name
 		baseDomain := strings.TrimPrefix(defaultDomain, "apps.")
-		shardFQDN := "hosts." + baseDomain
+		shardFQDN := "nlb." + baseDomain
 
 		// Deploy the shard first so DNS and LB can provision while we set up the backend.
+		// Use 2 replicas so the NLB allocates addresses in multiple AZs, which
+		// mitigates instability of IPv6 hairpin traffic (cluster to cluster via LB).
 		g.By("Deploying a new router shard with NLB")
 		shardIngressCtrl, err := shard.DeployNewRouterShard(oc, 10*time.Minute, shard.Config{
-			Domain: shardFQDN,
-			Type:   oc.Namespace(),
+			Domain:   shardFQDN,
+			Type:     oc.Namespace(),
+			Replicas: 2,
 			LoadBalancer: &operatorv1.LoadBalancerStrategy{
 				Scope: operatorv1.ExternalLoadBalancer,
 				ProviderParameters: &operatorv1.ProviderLoadBalancerParameters{
@@ -87,148 +78,229 @@ var _ = g.Describe("[sig-network-edge][OCPFeatureGate:AWSDualStackInstall][Featu
 		err = oc.AsAdmin().Run("label").Args("namespace", oc.Namespace(), "type="+oc.Namespace()).Execute()
 		o.Expect(err).NotTo(o.HaveOccurred())
 
-		g.By("Creating backend service")
-		service := &corev1.Service{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: "dualstack-backend",
-				Labels: map[string]string{
-					"app": "dualstack-backend",
-				},
-			},
-			Spec: corev1.ServiceSpec{
-				Selector: map[string]string{
-					"app": "dualstack-backend",
-				},
-				IPFamilyPolicy: func() *corev1.IPFamilyPolicy {
-					p := corev1.IPFamilyPolicyPreferDualStack
-					return &p
-				}(),
-				Ports: []corev1.ServicePort{
-					{
-						Name:       "http",
-						Port:       8080,
-						Protocol:   corev1.ProtocolTCP,
-						TargetPort: intstr.FromInt(8080),
+		g.By("Creating backend service and pod")
+		createBackendServiceAndPod(ctx, oc, ns, "dualstack-backend")
+
+		g.By("Creating an edge-terminated route")
+		routeHost := "dualstack-test." + shardFQDN
+		createEdgeRoute(ctx, oc, ns, "dualstack-route", routeHost, "dualstack-backend")
+
+		g.By("Waiting for the route to be admitted")
+		waitForRouteAdmitted(ctx, oc, ns, "dualstack-route", routeHost)
+
+		g.By("Creating exec pod for curl tests")
+		execPod := exutil.CreateExecPodOrFail(oc.AdminKubeClient(), ns, "execpod")
+		defer func() {
+			oc.AdminKubeClient().CoreV1().Pods(ns).Delete(ctx, execPod.Name, *metav1.NewDeleteOptions(1))
+		}()
+
+		g.By("Verifying route is reachable over IPv4")
+		err = waitForRouteResponse(ns, execPod.Name, routeHost, "-4", 10*time.Minute)
+		o.Expect(err).NotTo(o.HaveOccurred(), "route not reachable over IPv4")
+
+		g.By("Verifying route is reachable over IPv6")
+		err = waitForRouteResponse(ns, execPod.Name, routeHost, "-6", 10*time.Minute)
+		o.Expect(err).NotTo(o.HaveOccurred(), "route not reachable over IPv6")
+	})
+
+	g.It("should be reachable via IPv4 through a Classic LB ingress controller on a dual-stack cluster", func() {
+		ctx := context.Background()
+
+		g.By("Checking that the Infrastructure CR has a DualStack IPFamily")
+		requireAWSDualStack(ctx, oc)
+
+		g.By("Getting the default ingress domain")
+		defaultDomain, err := getDefaultIngressClusterDomainName(oc, time.Minute)
+		o.Expect(err).NotTo(o.HaveOccurred(), "failed to find default domain name")
+
+		ns := oc.KubeFramework().Namespace.Name
+		baseDomain := strings.TrimPrefix(defaultDomain, "apps.")
+		shardFQDN := "clb." + baseDomain
+
+		// Deploy the shard first so DNS and LB can provision while we set up the backend.
+		g.By("Deploying a new router shard with Classic LB")
+		shardIngressCtrl, err := shard.DeployNewRouterShard(oc, 10*time.Minute, shard.Config{
+			Domain: shardFQDN,
+			Type:   oc.Namespace(),
+			LoadBalancer: &operatorv1.LoadBalancerStrategy{
+				Scope: operatorv1.ExternalLoadBalancer,
+				ProviderParameters: &operatorv1.ProviderLoadBalancerParameters{
+					Type: operatorv1.AWSLoadBalancerProvider,
+					AWS: &operatorv1.AWSLoadBalancerParameters{
+						Type: operatorv1.AWSClassicLoadBalancer,
 					},
 				},
 			},
-		}
-		_, err = oc.AdminKubeClient().CoreV1().Services(ns).Create(ctx, service, metav1.CreateOptions{})
+		})
+		defer func() {
+			if shardIngressCtrl != nil {
+				if err := oc.AdminOperatorClient().OperatorV1().IngressControllers(shardIngressCtrl.Namespace).Delete(ctx, shardIngressCtrl.Name, metav1.DeleteOptions{}); err != nil {
+					e2e.Logf("deleting ingress controller failed: %v\n", err)
+				}
+			}
+		}()
+		o.Expect(err).NotTo(o.HaveOccurred(), "new router shard did not rollout")
+
+		g.By("Labelling the namespace for the shard")
+		err = oc.AsAdmin().Run("label").Args("namespace", oc.Namespace(), "type="+oc.Namespace()).Execute()
 		o.Expect(err).NotTo(o.HaveOccurred())
 
-		g.By("Creating backend pod")
-		backendPod := &corev1.Pod{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: "dualstack-backend",
-				Labels: map[string]string{
-					"app": "dualstack-backend",
+		g.By("Creating backend service and pod")
+		createBackendServiceAndPod(ctx, oc, ns, "classic-backend")
+
+		g.By("Creating an edge-terminated route")
+		routeHost := "classic-test." + shardFQDN
+		createEdgeRoute(ctx, oc, ns, "classic-route", routeHost, "classic-backend")
+
+		g.By("Waiting for the route to be admitted")
+		waitForRouteAdmitted(ctx, oc, ns, "classic-route", routeHost)
+
+		g.By("Creating exec pod for curl tests")
+		execPod := exutil.CreateExecPodOrFail(oc.AdminKubeClient(), ns, "execpod")
+		defer func() {
+			oc.AdminKubeClient().CoreV1().Pods(ns).Delete(ctx, execPod.Name, *metav1.NewDeleteOptions(1))
+		}()
+
+		g.By("Verifying route is reachable over IPv4")
+		err = waitForRouteResponse(ns, execPod.Name, routeHost, "-4", 10*time.Minute)
+		o.Expect(err).NotTo(o.HaveOccurred(), "route not reachable over IPv4")
+	})
+})
+
+func requireAWSDualStack(ctx context.Context, oc *exutil.CLI) {
+	infra, err := oc.AdminConfigClient().ConfigV1().Infrastructures().Get(ctx, "cluster", metav1.GetOptions{})
+	o.Expect(err).NotTo(o.HaveOccurred(), "failed to get infrastructure CR")
+
+	if infra.Status.PlatformStatus == nil || infra.Status.PlatformStatus.Type != configv1.AWSPlatformType {
+		g.Skip("Test requires AWS platform")
+	}
+	if infra.Status.PlatformStatus.AWS == nil {
+		g.Skip("AWS platform status is not set")
+	}
+	ipFamily := infra.Status.PlatformStatus.AWS.IPFamily
+	if ipFamily != configv1.DualStackIPv4Primary && ipFamily != configv1.DualStackIPv6Primary {
+		g.Skip(fmt.Sprintf("Test requires DualStack IPFamily, got %q", ipFamily))
+	}
+}
+
+func createBackendServiceAndPod(ctx context.Context, oc *exutil.CLI, ns, name string) {
+	service := &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   name,
+			Labels: map[string]string{"app": name},
+		},
+		Spec: corev1.ServiceSpec{
+			Selector: map[string]string{"app": name},
+			IPFamilyPolicy: func() *corev1.IPFamilyPolicy {
+				p := corev1.IPFamilyPolicyPreferDualStack
+				return &p
+			}(),
+			Ports: []corev1.ServicePort{
+				{
+					Name:       "http",
+					Port:       8080,
+					Protocol:   corev1.ProtocolTCP,
+					TargetPort: intstr.FromInt(8080),
 				},
 			},
-			Spec: corev1.PodSpec{
-				TerminationGracePeriodSeconds: utilpointer.Int64(1),
-				Containers: []corev1.Container{
-					{
-						Name:            "server",
-						Image:           image.ShellImage(),
-						ImagePullPolicy: corev1.PullIfNotPresent,
-						Command:         []string{"/bin/bash", "-c", `while true; do
+		},
+	}
+	_, err := oc.AdminKubeClient().CoreV1().Services(ns).Create(ctx, service, metav1.CreateOptions{})
+	o.Expect(err).NotTo(o.HaveOccurred())
+
+	pod := &corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   name,
+			Labels: map[string]string{"app": name},
+		},
+		Spec: corev1.PodSpec{
+			TerminationGracePeriodSeconds: utilpointer.Int64(1),
+			Containers: []corev1.Container{
+				{
+					Name:            "server",
+					Image:           image.ShellImage(),
+					ImagePullPolicy: corev1.PullIfNotPresent,
+					Command: []string{"/bin/bash", "-c", `while true; do
 printf "HTTP/1.1 200 OK\r\nContent-Length: 2\r\nContent-Type: text/plain\r\n\r\nOK" | ncat -l 8080 --send-only || true
 done`},
-						Ports: []corev1.ContainerPort{
-							{
-								ContainerPort: 8080,
-								Name:          "http",
-								Protocol:      corev1.ProtocolTCP,
-							},
+					Ports: []corev1.ContainerPort{
+						{
+							ContainerPort: 8080,
+							Name:          "http",
+							Protocol:      corev1.ProtocolTCP,
 						},
 					},
 				},
 			},
-		}
-		_, err = oc.AdminKubeClient().CoreV1().Pods(ns).Create(ctx, backendPod, metav1.CreateOptions{})
-		o.Expect(err).NotTo(o.HaveOccurred())
+		},
+	}
+	_, err = oc.AdminKubeClient().CoreV1().Pods(ns).Create(ctx, pod, metav1.CreateOptions{})
+	o.Expect(err).NotTo(o.HaveOccurred())
 
-		g.By("Waiting for backend pod to be running")
-		e2e.ExpectNoError(e2epod.WaitForPodRunningInNamespaceSlow(ctx, oc.KubeClient(), "dualstack-backend", ns), "backend pod not running")
+	e2e.ExpectNoError(e2epod.WaitForPodRunningInNamespaceSlow(ctx, oc.KubeClient(), name, ns), "backend pod not running")
+}
 
-		g.By("Creating an edge-terminated route")
-		routeType := oc.Namespace()
-		route := routev1.Route{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: "dualstack-route",
-				Labels: map[string]string{
-					"type": routeType,
-				},
+func createEdgeRoute(ctx context.Context, oc *exutil.CLI, ns, name, host, serviceName string) {
+	route := routev1.Route{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+			Labels: map[string]string{
+				"type": oc.Namespace(),
 			},
-			Spec: routev1.RouteSpec{
-				Host: "dualstack-test." + shardFQDN,
-				Port: &routev1.RoutePort{
-					TargetPort: intstr.FromInt(8080),
-				},
-				TLS: &routev1.TLSConfig{
-					Termination:                   routev1.TLSTerminationEdge,
-					InsecureEdgeTerminationPolicy: routev1.InsecureEdgeTerminationPolicyRedirect,
-				},
-				To: routev1.RouteTargetReference{
-					Kind:   "Service",
-					Name:   "dualstack-backend",
-					Weight: utilpointer.Int32(100),
-				},
-				WildcardPolicy: routev1.WildcardPolicyNone,
+		},
+		Spec: routev1.RouteSpec{
+			Host: host,
+			Port: &routev1.RoutePort{
+				TargetPort: intstr.FromInt(8080),
 			},
-		}
-		_, err = oc.RouteClient().RouteV1().Routes(ns).Create(ctx, &route, metav1.CreateOptions{})
-		o.Expect(err).NotTo(o.HaveOccurred())
+			TLS: &routev1.TLSConfig{
+				Termination:                   routev1.TLSTerminationEdge,
+				InsecureEdgeTerminationPolicy: routev1.InsecureEdgeTerminationPolicyRedirect,
+			},
+			To: routev1.RouteTargetReference{
+				Kind:   "Service",
+				Name:   serviceName,
+				Weight: utilpointer.Int32(100),
+			},
+			WildcardPolicy: routev1.WildcardPolicyNone,
+		},
+	}
+	_, err := oc.RouteClient().RouteV1().Routes(ns).Create(ctx, &route, metav1.CreateOptions{})
+	o.Expect(err).NotTo(o.HaveOccurred())
+}
 
-		g.By("Waiting for the route to be admitted")
-		routeHost := "dualstack-test." + shardFQDN
-		err = wait.PollImmediate(5*time.Second, 5*time.Minute, func() (bool, error) {
-			r, err := oc.RouteClient().RouteV1().Routes(ns).Get(ctx, "dualstack-route", metav1.GetOptions{})
-			if err != nil {
-				e2e.Logf("failed to get route: %v, retrying...", err)
-				return false, nil
-			}
-			for _, ingress := range r.Status.Ingress {
-				if ingress.Host == routeHost {
-					for _, condition := range ingress.Conditions {
-						if condition.Type == routev1.RouteAdmitted && condition.Status == corev1.ConditionTrue {
-							return true, nil
-						}
+func waitForRouteAdmitted(ctx context.Context, oc *exutil.CLI, ns, name, host string) {
+	err := wait.PollImmediate(5*time.Second, 5*time.Minute, func() (bool, error) {
+		r, err := oc.RouteClient().RouteV1().Routes(ns).Get(ctx, name, metav1.GetOptions{})
+		if err != nil {
+			e2e.Logf("failed to get route: %v, retrying...", err)
+			return false, nil
+		}
+		for _, ingress := range r.Status.Ingress {
+			if ingress.Host == host {
+				for _, condition := range ingress.Conditions {
+					if condition.Type == routev1.RouteAdmitted && condition.Status == corev1.ConditionTrue {
+						return true, nil
 					}
 				}
 			}
-			return false, nil
-		})
-		o.Expect(err).NotTo(o.HaveOccurred(), "route was not admitted")
-
-		g.By("Creating exec pod for curl tests")
-		execPod := exutil.CreateExecPodOrFail(oc.AdminKubeClient(), ns, "execpod")
-		defer func() {
-			oc.AdminKubeClient().CoreV1().Pods(ns).Delete(ctx, execPod.Name, *metav1.NewDeleteOptions(1))
-		}()
-
-		g.By("Verifying route is reachable over IPv4")
-		err = waitForDualStackRouteResponse(ns, execPod.Name, routeHost, "-4", 10*time.Minute)
-		o.Expect(err).NotTo(o.HaveOccurred(), "route not reachable over IPv4")
-
-		g.By("Verifying route is reachable over IPv6")
-		err = waitForDualStackRouteResponse(ns, execPod.Name, routeHost, "-6", 10*time.Minute)
-		o.Expect(err).NotTo(o.HaveOccurred(), "route not reachable over IPv6")
+		}
+		return false, nil
 	})
-})
+	o.Expect(err).NotTo(o.HaveOccurred(), "route was not admitted")
+}
 
-func waitForDualStackRouteResponse(ns, execPodName, host, ipFlag string, timeout time.Duration) error {
+func waitForRouteResponse(ns, execPodName, host, ipFlag string, timeout time.Duration) error {
 	curlCmd := fmt.Sprintf("curl %s -k -v -m 10 --connect-timeout 5 -o /dev/null https://%s 2>&1", ipFlag, host)
 	var lastOutput string
 	err := wait.PollImmediate(5*time.Second, timeout, func() (bool, error) {
 		output, err := e2eoutput.RunHostCmd(ns, execPodName, curlCmd)
 		lastOutput = output
-		e2e.Logf("curl %s %s:\n%s", ipFlag, host, output)
 		if err != nil {
-			e2e.Logf("curl %s error: %v", ipFlag, err)
 			return false, nil
 		}
 		if strings.Contains(output, "< HTTP/1.1 200") || strings.Contains(output, "< HTTP/2 200") {
+			e2e.Logf("curl %s %s:\n%s", ipFlag, host, output)
 			return true, nil
 		}
 		return false, nil