test: add e2e test for reaching nodeport from outside with L7 policy

This commit adds e2e test to cover issue cilium#21954.

Test cases for IPv6 are deleted and PR cilium#24882 will take care of them.

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>

test/k8s/service_helpers.go

@@ -492,17 +492,6 @@ func testNodePort(kubectl *helpers.Kubectl, ni *helpers.NodesInfo, bpfNodePort,
 			getHTTPLink(ni.K8s2IP, data.Spec.Ports[0].NodePort),
 			getTFTPLink(ni.K8s2IP, data.Spec.Ports[1].NodePort),
 		}
-
-		if helpers.DualStackSupported() {
-			testURLsFromOutside = append(testURLsFromOutside,
-				getHTTPLink(ni.PrimaryK8s1IPv6, v6Data.Spec.Ports[0].NodePort),
-				getTFTPLink(ni.PrimaryK8s1IPv6, v6Data.Spec.Ports[1].NodePort),
-
-				getHTTPLink(ni.PrimaryK8s2IPv6, v6Data.Spec.Ports[0].NodePort),
-				getTFTPLink(ni.PrimaryK8s2IPv6, v6Data.Spec.Ports[1].NodePort),
-			)
-		}
-
 	}
 
 	count := 10

test/k8s/services.go

@@ -596,6 +596,28 @@ Secondary Interface %s :: IPv4: (%s, %s), IPv6: (%s, %s)`,
 			})
 		})
 
+		SkipContextIf(func() bool {
+			return helpers.DoesNotRunWithKubeProxyReplacement() || helpers.RunsOnAKS() || helpers.DoesNotExistNodeWithoutCilium()
+		}, "with L7 policy", func() {
+			var demoPolicyL7 string
+
+			BeforeAll(func() {
+				demoPolicyL7 = helpers.ManifestGet(kubectl.BasePath(), "l7-policy-demo.yaml")
+			})
+
+			AfterAll(func() {
+				kubectl.Delete(demoPolicyL7)
+				// Same reason as in other L7 test above
+				kubectl.CiliumExecMustSucceedOnAll(context.TODO(),
+					"cilium bpf ct flush global", "Unable to flush CT maps")
+			})
+
+			It("Tests NodePort with L7 Policy from outside", func() {
+				applyPolicy(kubectl, demoPolicyL7)
+				testNodePort(kubectl, ni, false, true, 0)
+			})
+		})
+
 		It("ClusterIP cannot be accessed externally when access is disabled",
 			func() {
 				Expect(curlClusterIPFromExternalHost(kubectl, ni)).