test(controler): add tests for handling network policy disablement (#140)

Adds behavioral test for handling disabled NetworkPolicy.


Approved-by: rhdedgar

Author: mfleader

controllers/llamastackdistribution_controller_test.go

@@ -3,6 +3,7 @@ package controllers_test
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"io"
 	"net/http"
 	"strings"
@@ -453,3 +454,56 @@ func TestLlamaStackProviderAndVersionInfo(t *testing.T) {
 		updatedInstance.Status.Version.LlamaStackServerVersion,
 		"server version should match the mock response")
 }
+
+func TestNetworkPolicyConfiguration(t *testing.T) {
+	ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
+
+	tests := []struct {
+		name  string
+		setup func(t *testing.T, instance *llamav1alpha1.LlamaStackDistribution)
+	}{
+		{
+			name: "enabled then disabled deletes NetworkPolicy",
+			setup: func(t *testing.T, instance *llamav1alpha1.LlamaStackDistribution) {
+				t.Helper()
+				// ensure NetworkPolicy exists by reconciling with feature enabled.
+				ReconcileDistribution(t, instance, true)
+				waitForResource(t, k8sClient, instance.Namespace, instance.Name+"-network-policy", &networkingv1.NetworkPolicy{})
+			},
+		},
+		{
+			name: "disabled from start leaves NetworkPolicy absent",
+			setup: func(t *testing.T, instance *llamav1alpha1.LlamaStackDistribution) {
+				// no setup needed - NetworkPolicy doesn't exist
+				t.Helper()
+			},
+		},
+	}
+
+	for i, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// --- arrange ---
+			operatorNamespaceName := "test-operator-namespace"
+			t.Setenv("OPERATOR_NAMESPACE", operatorNamespaceName)
+
+			namespace := createTestNamespace(t, "test-networkpolicy")
+			instance := NewDistributionBuilder().
+				WithName(fmt.Sprintf("np-config-%d", i)).
+				WithNamespace(namespace.Name).
+				WithDistribution("starter").
+				Build()
+			require.NoError(t, k8sClient.Create(context.Background(), instance))
+			t.Cleanup(func() { _ = k8sClient.Delete(context.Background(), instance) })
+
+			// preconditions for this scenario
+			tt.setup(t, instance)
+
+			// --- act ---
+			ReconcileDistribution(t, instance, false)
+
+			// --- assert ---
+			npKey := types.NamespacedName{Name: instance.Name + "-network-policy", Namespace: instance.Namespace}
+			AssertNetworkPolicyAbsent(t, k8sClient, npKey)
+		})
+	}
+}

controllers/testing_support_test.go

@@ -15,6 +15,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -381,6 +382,16 @@ func AssertNetworkPolicyIsIngressOnly(t *testing.T, networkPolicy *networkingv1.
 	require.Equal(t, expectedPolicyTypes, networkPolicy.Spec.PolicyTypes, "NetworkPolicy should be ingress-only")
 }
 
+// AssertNetworkPolicyAbsent verifies that a NetworkPolicy with the given key does not exist.
+func AssertNetworkPolicyAbsent(t *testing.T, c client.Client, key types.NamespacedName) {
+	t.Helper()
+	require.Eventually(t, func() bool {
+		var np networkingv1.NetworkPolicy
+		err := c.Get(context.Background(), key, &np)
+		return apierrors.IsNotFound(err)
+	}, testTimeout, testInterval, "NetworkPolicy %s/%s should not exist", key.Namespace, key.Name)
+}
+
 func AssertServiceAccountDeploymentAlign(t *testing.T, deployment *appsv1.Deployment, serviceAccount *corev1.ServiceAccount) {
 	t.Helper()
 	require.Equal(t, serviceAccount.Name, deployment.Spec.Template.Spec.ServiceAccountName,