test(dns): Verify DNS Endpoint Provider aggregation logic

[fabikova]

Description

This PR implements the test scenarios defined in issue #811 to verify the new DNS Endpoint Provider functionality.

It validates the aggregation workflow where multiple "Source" DNSRecords (acting as endpoint feeders) merge their endpoints into a single central "Destination" DNSRecord (acting as a Zone), which then propagates the records to an upstream provider (e.g., AWS).

Scenarios covered:

1. Creation of a Destination DNSRecord pointing to a real provider (AWS) with the required zone label.
2. Creation of multiple Source DNSRecords pointing to the endpoint provider.
3. Verification that source endpoints are correctly merged into the destination record by the operator.
4. Verification that the merged records are successfully resolved via external DNS.

Closes #811

Changes

• New Test: Added testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/test_dns_endpoint_provider.py which implements the test cases specified in the issue.
• Helper Methods: Updated DNSRecord class in testsuite/kuadrant/policy/dns.py with:
  • wait_for_endpoints_merged
  • wait_until_resolves

Summary by CodeRabbit

• Tests

  • Added tests validating DNS endpoint provider aggregation, ensuring DNS records created with a shared provider resolve to their expected IPs.

• Chores

  • Minor import formatting cleanup.

[coderabbitai]

Warning

Review limit reached

@fabikova, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 30 minutes and 33 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 14189dc6-47bc-498d-a2cc-6aa34bd8babd

📥 Commits

Reviewing files that changed from the base of the PR and between 5348a3a and a2f50f5.

📒 Files selected for processing (3)

• testsuite/kuadrant/policy/dns.py
• testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/__init__.py
• testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/test_dns_endpoint_provider.py

📝 Walkthrough

Walkthrough

Adds a pytest module that creates an endpoint provider Secret, a destination DNSRecord (zone), two source DNSRecords referencing the same provider, commits them, waits for readiness, and verifies DNS resolves each source hostname to its expected IP.

Changes

DNS Endpoint Provider Aggregation Test

Layer / File(s)	Summary
Import whitespace tidy testsuite/kuadrant/policy/dns.py	Whitespace-only adjustment in the import block; no behavioural code changes.
Module setup and imports testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/test_dns_endpoint_provider.py	Module docstring, pytest and dns.resolver imports, test helpers, IP constants, and dnspolicy marker.
Endpoint provider secret fixture testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/test_dns_endpoint_provider.py	endpoint_provider_secret fixture creates an endpoint-credential Secret (ENDPOINT_GVK and zone label), commits it, registers cleanup, and returns its name.
Destination DNSRecord (zone) fixture testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/test_dns_endpoint_provider.py	destination_dnsrecord creates the zone DNSRecord with provider_ref_name set to the provider secret and applies zone-record labels.
Source DNSRecords fixtures testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/test_dns_endpoint_provider.py	source_dnsrecords creates two source DNSRecords (src1.*, src2.*) each with a single A endpoint targeting distinct IPs and both referencing the same provider_ref_name.
Commit fixture and readiness testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/test_dns_endpoint_provider.py	Autouse commit fixture applies destination and source records, registers deletion cleanup, and waits for each record to become ready.
DNS resolution verification test testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/test_dns_endpoint_provider.py	test_records_accessible resolves each source hostname with dns.resolver, asserts a single A record per name, and verifies the resolved address matches the expected IP.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

Test case, DNS

Suggested reviewers

• trepel
• azgabur

Poem

🐰 A rabbit hops where tests are sown,
Secrets and zones are gently grown,
Two tiny records, each a different lane,
Resolved to their IPs — clear and plain,
Hooray, the DNS dance is shown!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'test(dns): Verify DNS Endpoint Provider aggregation logic' follows the conventional commit format with type 'test' and scope 'dns', and accurately describes the main change of adding DNS endpoint provider tests.
Description check	✅ Passed	The PR description provides a comprehensive overview with a detailed description section, clear list of changes, and issue closure reference, matching the template structure requirements.
Linked Issues check	✅ Passed	The PR implementation directly addresses all four test case requirements from issue #811: endpoint provider secret creation, destination DNSRecord setup, source DNSRecords with different IPs, and verification of record accessibility.
Out of Scope Changes check	✅ Passed	All changes are within scope: the new test file implements issue #811 requirements, and the whitespace-only change in dns.py is a minor formatting adjustment unrelated to functionality.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (2)

testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/test_dns_endpoint_provider.py (2)

95-98: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

DNS verification is too weak and timing-sensitive.

Single-shot resolution plus membership-only checks can be flaky and can miss over-aggregation. Please poll for resolution and assert exactly one A record per source hostname.

Suggested tightening

+import time
 ...
 def test_records_accessible(hostname):
     """Verify that endpoints are merged and accessible via DNS"""
-    assert SOURCE_IP1 in {r.address for r in dns.resolver.resolve(f"src1.{hostname.hostname}")}
-    assert SOURCE_IP2 in {r.address for r in dns.resolver.resolve(f"src2.{hostname.hostname}")}
+    for expected_ip, host in (
+        (SOURCE_IP1, f"src1.{hostname.hostname}"),
+        (SOURCE_IP2, f"src2.{hostname.hostname}"),
+    ):
+        answers = None
+        for _ in range(30):
+            try:
+                answers = list(dns.resolver.resolve(host, "A"))
+                if expected_ip in {r.address for r in answers}:
+                    break
+            except dns.resolver.DNSException:
+                pass
+            time.sleep(2)
+
+        assert answers is not None, f"{host} did not resolve"
+        addresses = [r.address for r in answers]
+        assert addresses == [expected_ip], f"Unexpected A records for {host}: {addresses}"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/test_dns_endpoint_provider.py`
around lines 95 - 98, The current test_records_accessible uses a single-shot
membership check which is flaky; modify test_records_accessible to poll (with a
short timeout/retry loop) calling dns.resolver.resolve for
f"src1.{hostname.hostname}" and f"src2.{hostname.hostname}" until each returns
exactly one A record, then assert that the single record's address equals
SOURCE_IP1 and SOURCE_IP2 respectively (i.e., replace the set-membership asserts
with length==1 checks and exact address equality), using the same
dns.resolver.resolve call sites and the SOURCE_IP1/SOURCE_IP2 and
hostname.hostname identifiers to locate and update the logic.

---

21-31: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Endpoint-provider secret payload does not match the endpoint-provider contract.

This fixture writes AWS credential keys, but the endpoint-provider flow is expected to use endpoint-provider config keys (e.g., GVR/zone-label settings). As written, the test can miss the intended aggregation path.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/test_dns_endpoint_provider.py`
around lines 21 - 31, The fixture endpoint_provider_secret is creating AWS
credential keys but should supply the endpoint-provider config keys used by the
endpoint-provider contract; update the secret_data passed to
Secret.create_instance in endpoint_provider_secret to include the expected
endpoint-provider fields (e.g., provider, gvr and zone-label/zone_label or
equivalent keys used by your endpoint-provider implementation) instead of
AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY so tests exercise the endpoint-provider
aggregation path correctly.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In
`@testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/test_dns_endpoint_provider.py`:
- Around line 95-98: The current test_records_accessible uses a single-shot
membership check which is flaky; modify test_records_accessible to poll (with a
short timeout/retry loop) calling dns.resolver.resolve for
f"src1.{hostname.hostname}" and f"src2.{hostname.hostname}" until each returns
exactly one A record, then assert that the single record's address equals
SOURCE_IP1 and SOURCE_IP2 respectively (i.e., replace the set-membership asserts
with length==1 checks and exact address equality), using the same
dns.resolver.resolve call sites and the SOURCE_IP1/SOURCE_IP2 and
hostname.hostname identifiers to locate and update the logic.
- Around line 21-31: The fixture endpoint_provider_secret is creating AWS
credential keys but should supply the endpoint-provider config keys used by the
endpoint-provider contract; update the secret_data passed to
Secret.create_instance in endpoint_provider_secret to include the expected
endpoint-provider fields (e.g., provider, gvr and zone-label/zone_label or
equivalent keys used by your endpoint-provider implementation) instead of
AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY so tests exercise the endpoint-provider
aggregation path correctly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8b8a1f6a-ba8f-4422-8f86-89ae5e313c6b

📥 Commits

Reviewing files that changed from the base of the PR and between 85a3fb6 and 07ed93e.

📒 Files selected for processing (3)

• testsuite/kuadrant/policy/dns.py
• testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/__init__.py
• testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/test_dns_endpoint_provider.py

💤 Files with no reviewable changes (1)

• testsuite/kuadrant/policy/dns.py

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/test_dns_endpoint_provider.py (1)

23-25: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use ENDPOINT_GVR instead of ENDPOINT_GVK in the endpoint provider secret payload.

Line 23 uses ENDPOINT_GVK, but this flow expects the endpoint provider config key ENDPOINT_GVR. With the wrong key, aggregation can silently fail because source records are not mapped to the provider contract.

Suggested fix

     secret_data = {
-        "ENDPOINT_GVK": "kuadrant.io/v1alpha1.DNSRecord",
+        "ENDPOINT_GVR": "kuadrant.io/v1alpha1.dnsrecords",
         "ENDPOINT_ZONE_RECORD_LABEL": "kuadrant.io/zone-record=true"
     }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/test_dns_endpoint_provider.py`
around lines 23 - 25, The secret payload uses the wrong key name: replace the
ENDPOINT_GVK entry with ENDPOINT_GVR so the endpoint provider config uses the
expected contract key; specifically update the payload map that currently
contains "ENDPOINT_GVK" to instead use "ENDPOINT_GVR" (preserving the same value
"kuadrant.io/v1alpha1.DNSRecord") so aggregation maps source records to the
provider contract correctly.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/test_dns_endpoint_provider.py`:
- Around line 94-103: The test_records_accessible(hostname) currently does
one-shot DNS resolves for src1.{hostname.hostname} and src2.{hostname.hostname}
(src1_answers, src2_answers) which can flake; change it to poll with a bounded
timeout/retry loop (or call the existing DNSRecord wait helper) until the
answers stabilize before doing the final assertions. Specifically, replace the
direct dns.resolver.resolve calls with a retry loop that re-resolves both
hostnames, sleeps between attempts, and exits early when each query returns an A
record whose address equals SOURCE_IP1 and SOURCE_IP2 respectively (or when
timeout is reached), then run the len(...) and address equality asserts.

---

Duplicate comments:
In
`@testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/test_dns_endpoint_provider.py`:
- Around line 23-25: The secret payload uses the wrong key name: replace the
ENDPOINT_GVK entry with ENDPOINT_GVR so the endpoint provider config uses the
expected contract key; specifically update the payload map that currently
contains "ENDPOINT_GVK" to instead use "ENDPOINT_GVR" (preserving the same value
"kuadrant.io/v1alpha1.DNSRecord") so aggregation maps source records to the
provider contract correctly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8c941ffe-d3f4-4562-be03-ebca0d0dc763

📥 Commits

Reviewing files that changed from the base of the PR and between 07ed93e and 5348a3a.

📒 Files selected for processing (3)

• testsuite/kuadrant/policy/dns.py
• testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/__init__.py
• testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/test_dns_endpoint_provider.py

💤 Files with no reviewable changes (1)

• testsuite/kuadrant/policy/dns.py

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid one-shot DNS lookups for this e2e assertion path.

The test performs a single resolve per hostname (Lines 96-97). External DNS propagation is eventually consistent, so this can cause intermittent failures even when records are correct. Add a bounded wait/poll step (or reuse the DNSRecord wait helper introduced in this PR) before final equality assertions.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@testsuite/tests/singlecluster/gateway/dnspolicy/dns_records/test_dns_endpoint_provider.py`
around lines 94 - 103, The test_records_accessible(hostname) currently does
one-shot DNS resolves for src1.{hostname.hostname} and src2.{hostname.hostname}
(src1_answers, src2_answers) which can flake; change it to poll with a bounded
timeout/retry loop (or call the existing DNSRecord wait helper) until the
answers stabilize before doing the final assertions. Specifically, replace the
direct dns.resolver.resolve calls with a retry loop that re-resolves both
hostnames, sleeps between attempts, and exits early when each query returns an A
record whose address equals SOURCE_IP1 and SOURCE_IP2 respectively (or when
timeout is reached), then run the len(...) and address equality asserts.