fix tests

pkg/test/framework/components/echo/config.go

@@ -401,6 +401,13 @@ func (c Config) IsRegularPod() bool {
 		!c.DualStack
 }
 
+// WaypointClient means the client supports HBONE and does zTunnel redirection.
+// Currently, only zTunnel captured sources do this. Eventually this might be enabled
+// for ingress and/or sidecars.
+func (c Config) WaypointClient() bool {
+	return c.ZTunnelCaptured() && !c.IsUncaptured()
+}
+
 // ZTunnelCaptured returns true in ambient enabled namespaces where there is no sidecar
 func (c Config) ZTunnelCaptured() bool {
 	haveSubsets := len(c.Subsets) > 0

pkg/test/framework/components/echo/echotest/filters.go

@@ -191,10 +191,19 @@ var ReachableDestinations CombinationFilter = func(from echo.Instance, to echo.I
 		reachableFromVM(from),
 		reachableFromProxylessGRPC(from),
 		reachableNakedDestinations(from),
-		reachableHeadlessDestinations(from)).
+		reachableHeadlessDestinations(from),
+		reachableWaypoints(from)).
 		GetMatches(to)
 }
 
+// reachableWaypoints removes waypointed targets when the client doesn't
+func reachableWaypoints(from echo.Instance) match.Matcher {
+	if from.Config().WaypointClient() {
+		return match.Any
+	}
+	return match.NotWaypoint
+}
+
 // reachableHeadlessDestinations filters out headless services that aren't in the same cluster
 // TODO(stevenctl): headless across-networks https://github.com/istio/istio/issues/38327
 func reachableHeadlessDestinations(from echo.Instance) match.Matcher {

pkg/test/framework/components/echo/match/matchers.go

@@ -172,10 +172,9 @@ func WaypointService() Matcher {
 	}
 }
 
-// add a new matcher for "captured service -> service"
-func CapturedService() Matcher {
+func AmbientCaptured() Matcher {
 	return func(i echo.Instance) bool {
-		return i.Config().ZTunnelCaptured()
+		return i.Config().ZTunnelCaptured() && !i.Config().IsUncaptured()
 	}
 }
 

tests/integration/ambient/baseline_test.go

@@ -147,8 +147,7 @@ func supportsL7(opt echo.CallOptions, src, dst echo.Instance) bool {
 // Assumption is ambient test suite sidecars will support HBONE
 // If the assumption is incorrect hboneClient may return invalid result
 func hboneClient(instance echo.Instance) bool {
-	return instance.Config().ZTunnelCaptured() ||
-		instance.Config().HasSidecar()
+	return instance.Config().ZTunnelCaptured()
 }
 
 func TestServices(t *testing.T) {
@@ -159,13 +158,6 @@ func TestServices(t *testing.T) {
 			opt.Check = tcpValidator
 		}
 
-		if !hboneClient(src) && dst.Config().HasAnyWaypointProxy() {
-			// For this case, it is broken if the src and dst are on the same node.
-			// Because client request is not captured to perform the hairpin
-			// TODO(https://github.com/istio/istio/issues/43238): fix this and remove this skip
-			t.Skip("https://github.com/istio/istio/issues/44530")
-		}
-
 		if !dst.Config().HasServiceAddressedWaypointProxy() &&
 			!src.Config().HasServiceAddressedWaypointProxy() &&
 			(src.Config().Service != dst.Config().Service) &&
@@ -176,12 +168,15 @@ func TestServices(t *testing.T) {
 			opt.Check = check.And(opt.Check, OriginalSourceCheck(t, src))
 		}
 
-		if src.Config().ZTunnelCaptured() && dst.Config().HasWorkloadAddressedWaypointProxy() {
-			// this is to svc traffic on a wl with only a workload addressed waypoint, it is going to bypass the waypoint by design
-			// we can't check http because we bypass the waypoint
-			// I don't think it makes sense to change the supportsL7 function for this case since it requires contect
-			// about how the traffic will be addressed
-			opt.Check = tcpValidator
+		// Non-HBONE clients will attempt to bypass the waypoint
+		if !src.Config().WaypointClient() && dst.Config().HasAnyWaypointProxy() {
+			opt.Check = check.Error()
+		}
+
+		// Any client will attempt to bypass a workload waypoint (not both service and workload waypoint)
+		// because this test always addresses by service.
+		if dst.Config().HasWorkloadAddressedWaypointProxy() && !dst.Config().HasServiceAddressedWaypointProxy() {
+			opt.Check = check.Error()
 		}
 
 		if src.Config().HasSidecar() && dst.Config().HasWorkloadAddressedWaypointProxy() {
@@ -217,11 +212,10 @@ func TestPodIP(t *testing.T) {
 										opt.Check = tcpValidator
 									}
 
-									if src.Config().IsUncaptured() && dst.Config().HasAnyWaypointProxy() {
-										// hairpinning isn't going to be implemented AND
-										// waypoint requirements are expressed via L4 policy which is not in place for this test:
-										// expected result is a plaintext passthrough by ztunnel
-										opt.Check = tcpValidator
+									// Uncaptured means we won't traverse the waypoint
+									// We cannot bypass the waypoint, so this fails.
+									if !hboneClient(src) && dst.Config().HasAnyWaypointProxy() {
+										opt.Check = check.Error()
 									}
 
 									if selfSend {
@@ -2209,6 +2203,13 @@ func TestIngress(t *testing.T) {
 		if opt.Scheme != scheme.HTTP {
 			return
 		}
+
+		// Ingress currently never sends to Waypoints
+		// We cannot bypass the waypoint, so this fails.
+		if dst.Config().HasAnyWaypointProxy() {
+			opt.Check = check.Error()
+		}
+
 		t.ConfigIstio().Eval(apps.Namespace.Name(), map[string]string{
 			"Destination": dst.Config().Service,
 		}, `apiVersion: networking.istio.io/v1alpha3

tests/integration/pilot/common/routing.go

@@ -4062,7 +4062,8 @@ spec:
       claim: "wrong_claim"
 ---
 `
-	matchers := []match.Matcher{match.Or(match.ServiceName(t.Apps.B.NamespacedName()), match.WaypointService(), match.CapturedService())}
+	// No waypoint here, these are all via ingress which doesn't forward to waypoint
+	matchers := []match.Matcher{match.Or(match.ServiceName(t.Apps.B.NamespacedName()), match.AmbientCaptured())}
 	headersWithToken := map[string][]string{
 		"Host":          {"foo.bar"},
 		"Authorization": {"Bearer " + jwt.TokenIssuer1WithNestedClaims1},