Run SSI e2e tests on Amazon EKS in addition to Kind (#47143)

### What does this PR do?

Adds support for running SSI e2e tests on Amazon EKS, in addition to the existing Kind provisioner.

Key changes:
- Introduces `E2E_PROVISIONER` parameter to select the Kubernetes provisioner (`kind`, `kind-local`, `eks`)
- Adds `WithAgentDependentWorkloadApp` to the EKS scenario to ensure workloads are deployed after the Datadog agent, which guarantees the admission webhook is ready before pod creation
- Splits the `new-e2e-ssi` CI job into `new-e2e-ssi-kind` and `new-e2e-ssi-eks` to run tests on both platforms

### Motivation

https://datadoghq.atlassian.net/browse/INPLAT-917

Testing on EKS provides confidence that the admission controller injection works correctly in a real managed Kubernetes environment, not just in Kind clusters. 

### Describe how you validated your changes

- Ran the SSI test suite with `E2E_PROVISIONER=eks`

### Additional Notes

`WithAgentDependentWorkloadApp` was already implemented in the kind provisioners

Co-authored-by: luc.vieillescazes <luc.vieillescazes@datadoghq.com>

Author: iamluc

.gitlab/test/e2e/e2e.yml

@@ -939,7 +939,7 @@ new-e2e-otel:
     TEAM: otel
     ON_NIGHTLY_FIPS: "true"
 
-new-e2e-ssi:
+.new-e2e_ssi:
   extends: .new_e2e_template
   rules:
     - !reference [.on_ssi_or_e2e_changes]
@@ -952,6 +952,59 @@ new-e2e-ssi:
     TARGETS: ./tests/ssi
     TEAM: injection-platform
 
+.new-e2e_ssi_extra_distribution_init:
+  stage: e2e_init
+  extends: .new_e2e_template
+  needs:
+    - go_e2e_deps
+    - go_tools_deps
+  rules:
+    - !reference [.on_e2e_main_release_or_rc]
+    - changes:
+        paths:
+          - test/new-e2e/tests/ssi/**/*
+        compare_to: $COMPARE_TO_BRANCH
+    - !reference [.manual]
+  variables:
+    TARGETS: ./tests/ssi
+    TEAM: injection-platform
+    E2E_INIT_ONLY: "true"
+    SHOULD_RUN_IN_FLAKES_FINDER: "false"
+  allow_failure: true
+  retry: !reference [.retry_only_infra_failure, retry]
+
+.new-e2e_ssi_extra_distribution:
+  extends: .new-e2e_ssi
+  rules:
+    - !reference [.on_e2e_main_release_or_rc]
+    - changes:
+        paths:
+          - test/new-e2e/tests/ssi/**/*
+        compare_to: $COMPARE_TO_BRANCH
+    - !reference [.manual]
+
+new-e2e-ssi-kind:
+  extends: .new-e2e_ssi
+  variables:
+    E2E_PROVISIONER: kind
+    E2E_STACK_NAME_SUFFIX: kind
+
+new-e2e-ssi-eks-init:
+  extends: .new-e2e_ssi_extra_distribution_init
+  variables:
+    E2E_PROVISIONER: eks
+    E2E_STACK_NAME_SUFFIX: eks
+
+new-e2e-ssi-eks:
+  extends: .new-e2e_ssi_extra_distribution
+  needs:
+    - !reference [.new-e2e_ssi_extra_distribution, needs]
+    - new-e2e-ssi-eks-init
+  variables:
+    E2E_PROVISIONER: eks
+    E2E_STACK_NAME_SUFFIX: eks
+    E2E_PRE_INITIALIZED: "true"
+
 .new-e2e_package_signing:
   variables:
     TARGETS: ./tests/agent-platform/package-signing

test/e2e-framework/scenarios/aws/eks/run.go

@@ -204,5 +204,15 @@ func RunWithEnv(ctx *pulumi.Context, awsEnv resourcesAws.Environment, env output
 			return err
 		}
 	}
+
+	// Deploy workloads that must wait for the agent.
+	if dependsOnDDAgent != nil {
+		for _, appFunc := range params.depWorkloadAppFuncs {
+			_, err := appFunc(&awsEnv, cluster.KubeProvider, dependsOnDDAgent)
+			if err != nil {
+				return err
+			}
+		}
+	}
 	return nil
 }

test/e2e-framework/scenarios/aws/eks/run_args.go

@@ -26,16 +26,17 @@ const (
 
 // RunParams collects high-level scenario parameters for the EKS scenario.
 type RunParams struct {
-	Name               string
-	vmOptions          []ec2.VMOption
-	agentOptions       []kubernetesagentparams.Option
-	fakeintakeOptions  []fakeintake.Option
-	eksOptions         []Option
-	extraConfigParams  runner.ConfigMap
-	workloadAppFuncs   []kubecomp.WorkloadAppFunc
-	operatorOptions    []operatorparams.Option
-	operatorDDAOptions []agentwithoperatorparams.Option
-	ciliumOptions      []cilium.Option
+	Name                string
+	vmOptions           []ec2.VMOption
+	agentOptions        []kubernetesagentparams.Option
+	fakeintakeOptions   []fakeintake.Option
+	eksOptions          []Option
+	extraConfigParams   runner.ConfigMap
+	workloadAppFuncs    []kubecomp.WorkloadAppFunc
+	depWorkloadAppFuncs []kubecomp.AgentDependentWorkloadAppFunc
+	operatorOptions     []operatorparams.Option
+	operatorDDAOptions  []agentwithoperatorparams.Option
+	ciliumOptions       []cilium.Option
 
 	eksLinuxNodeGroup        bool
 	eksLinuxARMNodeGroup     bool
@@ -52,16 +53,17 @@ type RunOption = func(*RunParams) error
 
 func GetRunParams(opts ...RunOption) *RunParams {
 	params := &RunParams{
-		Name:               defaultEKSName,
-		vmOptions:          []ec2.VMOption{},
-		agentOptions:       []kubernetesagentparams.Option{},
-		fakeintakeOptions:  []fakeintake.Option{},
-		eksOptions:         []Option{},
-		extraConfigParams:  runner.ConfigMap{},
-		workloadAppFuncs:   []kubecomp.WorkloadAppFunc{},
-		operatorOptions:    []operatorparams.Option{},
-		operatorDDAOptions: []agentwithoperatorparams.Option{},
-		ciliumOptions:      []cilium.Option{},
+		Name:                defaultEKSName,
+		vmOptions:           []ec2.VMOption{},
+		agentOptions:        []kubernetesagentparams.Option{},
+		fakeintakeOptions:   []fakeintake.Option{},
+		eksOptions:          []Option{},
+		extraConfigParams:   runner.ConfigMap{},
+		workloadAppFuncs:    []kubecomp.WorkloadAppFunc{},
+		depWorkloadAppFuncs: []kubecomp.AgentDependentWorkloadAppFunc{},
+		operatorOptions:     []operatorparams.Option{},
+		operatorDDAOptions:  []agentwithoperatorparams.Option{},
+		ciliumOptions:       []cilium.Option{},
 	}
 	err := optional.ApplyOptions(params, opts)
 	if err != nil {
@@ -190,6 +192,14 @@ func WithWorkloadApp(appFunc kubecomp.WorkloadAppFunc) RunOption {
 	}
 }
 
+// WithAgentDependentWorkloadApp adds a workload app that depends on the agent being deployed first.
+func WithAgentDependentWorkloadApp(appFunc kubecomp.AgentDependentWorkloadAppFunc) RunOption {
+	return func(params *RunParams) error {
+		params.depWorkloadAppFuncs = append(params.depWorkloadAppFuncs, appFunc)
+		return nil
+	}
+}
+
 // WithAwsEnv asks the provisioner to use the given environment, it is created otherwise
 func WithAwsEnv(env *aws.Environment) RunOption {
 	return func(params *RunParams) error {

test/e2e-framework/scenarios/aws/kindvm/run.go

@@ -114,6 +114,11 @@ func RunWithEnv(ctx *pulumi.Context, awsEnv resAws.Environment, env outputs.Kube
 		return err
 	}
 
+	// If InitOnly is set, return after creating the cluster.
+	if awsEnv.InitOnly() {
+		return nil
+	}
+
 	kubeProvider, err := kubernetes.NewProvider(ctx, awsEnv.Namer.ResourceName("k8s-provider"), &kubernetes.ProviderArgs{
 		EnableServerSideApply: pulumi.Bool(true),
 		Kubeconfig:            kindCluster.KubeConfig,

test/e2e-framework/testing/runner/parameters/const.go

@@ -69,6 +69,9 @@ const (
 	DevMode StoreKey = "dev_mode"
 	// DevLocal uses local Kind cluster instead of AWS for faster development
 	DevLocal StoreKey = "dev_local"
+	// Provisioner specifies the Kubernetes provisioner to use (e.g., "kind", "kind-local", "eks").
+	// Not all tests honor this parameter.
+	Provisioner StoreKey = "provisioner"
 	// InitOnly config flag parameter name
 	InitOnly StoreKey = "init_only"
 	// TeardownOnly config flag parameter name

test/e2e-framework/testing/runner/parameters/store_config_file.go

@@ -36,15 +36,16 @@ type Config struct {
 
 // ConfigParams instance contains config relayed parameters
 type ConfigParams struct {
-	AWS       AWS    `yaml:"aws"`
-	Azure     Azure  `yaml:"azure"`
-	GCP       GCP    `yaml:"gcp"`
-	Local     Local  `yaml:"local"`
-	Agent     Agent  `yaml:"agent"`
-	OutputDir string `yaml:"outputDir"`
-	Pulumi    Pulumi `yaml:"pulumi"`
-	DevMode   string `yaml:"devMode"`
-	DevLocal  string `yaml:"devLocal"`
+	AWS         AWS    `yaml:"aws"`
+	Azure       Azure  `yaml:"azure"`
+	GCP         GCP    `yaml:"gcp"`
+	Local       Local  `yaml:"local"`
+	Agent       Agent  `yaml:"agent"`
+	OutputDir   string `yaml:"outputDir"`
+	Pulumi      Pulumi `yaml:"pulumi"`
+	DevMode     string `yaml:"devMode"`
+	DevLocal    string `yaml:"devLocal"`
+	Provisioner string `yaml:"provisioner"`
 }
 
 // AWS instance contains AWS related parameters
@@ -203,6 +204,8 @@ func (s configFileValueStore) get(key StoreKey) (string, error) {
 		value = s.config.ConfigParams.DevMode
 	case DevLocal:
 		value = s.config.ConfigParams.DevLocal
+	case Provisioner:
+		value = s.config.ConfigParams.Provisioner
 	}
 
 	if value == "" {

test/e2e-framework/testing/runner/parameters/store_env.go

@@ -42,13 +42,15 @@ var envVariablesByStoreKey = map[StoreKey]string{
 	PulumiVerboseProgressStreams: "E2E_PULUMI_VERBOSE_PROGRESS_STREAMS",
 	DevMode:                      "E2E_DEV_MODE",
 	DevLocal:                     "E2E_DEV_LOCAL",
+	Provisioner:                  "E2E_PROVISIONER",
 	InitOnly:                     "E2E_INIT_ONLY",
 	TeardownOnly:                 "E2E_TEARDOWN_ONLY",
 	MajorVersion:                 "E2E_MAJOR_VERSION",
 	PreInitialized:               "E2E_PRE_INITIALIZED",
 	FIPS:                         "E2E_FIPS",
 	CoveragePipeline:             "E2E_COVERAGE_PIPELINE",
 	CoverageOutDir:               "E2E_COVERAGE_OUT_DIR",
+	StackNameSuffix:              "E2E_STACK_NAME_SUFFIX",
 	SkipWindows:                  "E2E_SKIP_WINDOWS",
 }
 

test/new-e2e/tests/ssi/provisioner.go

@@ -6,32 +6,67 @@
 package ssi
 
 import (
+	"strings"
+
 	"github.com/DataDog/datadog-agent/test/e2e-framework/components/datadog/kubernetesagentparams"
 	kubeComp "github.com/DataDog/datadog-agent/test/e2e-framework/components/kubernetes"
+	scenarioeks "github.com/DataDog/datadog-agent/test/e2e-framework/scenarios/aws/eks"
 	"github.com/DataDog/datadog-agent/test/e2e-framework/scenarios/aws/kindvm"
 	"github.com/DataDog/datadog-agent/test/e2e-framework/testing/environments"
 	"github.com/DataDog/datadog-agent/test/e2e-framework/testing/provisioners"
+	proveks "github.com/DataDog/datadog-agent/test/e2e-framework/testing/provisioners/aws/kubernetes/eks"
 	provkindvm "github.com/DataDog/datadog-agent/test/e2e-framework/testing/provisioners/aws/kubernetes/kindvm"
 	localkind "github.com/DataDog/datadog-agent/test/e2e-framework/testing/provisioners/local/kubernetes"
 	"github.com/DataDog/datadog-agent/test/e2e-framework/testing/runner"
 	"github.com/DataDog/datadog-agent/test/e2e-framework/testing/runner/parameters"
 )
 
+// ProvisionerType represents the type of Kubernetes provisioner to use.
+type ProvisionerType string
+
+const (
+	// ProvisionerKindAWS uses Kind running on an AWS VM (default).
+	ProvisionerKindAWS ProvisionerType = "kind"
+	// ProvisionerKindLocal uses Kind running locally.
+	ProvisionerKindLocal ProvisionerType = "kind-local"
+	// ProvisionerEKS uses Amazon EKS.
+	ProvisionerEKS ProvisionerType = "eks"
+)
+
 // ProvisionerOptions contains the common options for Kubernetes provisioners.
 type ProvisionerOptions struct {
 	AgentOptions                  []kubernetesagentparams.Option
 	WorkloadAppFunc               kubeComp.WorkloadAppFunc
 	AgentDependentWorkloadAppFunc kubeComp.AgentDependentWorkloadAppFunc
 }
 
-// Provisioner returns a Kubernetes provisioner based on E2E_DEV_LOCAL parameter.
-// If E2E_DEV_LOCAL=true, returns a local Kind provisioner for faster development.
-// Otherwise, returns an AWS Kind VM provisioner.
+// Provisioner returns a Kubernetes provisioner based on E2E_PROVISIONER and E2E_DEV_LOCAL parameters.
+// Supported provisioners: "kind" (default), "kind-local", "eks".
+// E2E_DEV_LOCAL=true is a shortcut for E2E_PROVISIONER=kind-local.
 func Provisioner(opts ProvisionerOptions) provisioners.TypedProvisioner[environments.Kubernetes] {
-	if isLocalMode() {
+	provisionerType := getProvisionerType()
+	switch provisionerType {
+	case ProvisionerKindLocal:
 		return localKindProvisioner(opts)
+	case ProvisionerEKS:
+		return eksProvisioner(opts)
+	default:
+		return awsKindProvisioner(opts)
+	}
+}
+
+// getProvisionerType returns the provisioner type from E2E_PROVISIONER parameter or E2E_DEV_LOCAL.
+func getProvisionerType() ProvisionerType {
+	// Check E2E_PROVISIONER first (via env var or config file).
+	provisioner, err := runner.GetProfile().ParamStore().GetWithDefault(parameters.Provisioner, "")
+	if err == nil && provisioner != "" {
+		return ProvisionerType(strings.ToLower(provisioner))
+	}
+	// Fall back to E2E_DEV_LOCAL for backward compatibility.
+	if isLocalMode() {
+		return ProvisionerKindLocal
 	}
-	return awsKindProvisioner(opts)
+	return ProvisionerKindAWS
 }
 
 // isLocalMode returns true if E2E_DEV_LOCAL is set to "true" (via env var or config file)
@@ -72,3 +107,22 @@ func awsKindProvisioner(opts ProvisionerOptions) provisioners.TypedProvisioner[e
 	}
 	return provkindvm.Provisioner(provkindvm.WithRunOptions(runOpts...))
 }
+
+// eksProvisioner returns an Amazon EKS provisioner.
+func eksProvisioner(opts ProvisionerOptions) provisioners.TypedProvisioner[environments.Kubernetes] {
+	var runOpts []scenarioeks.RunOption
+
+	// Add a Linux node group by default.
+	runOpts = append(runOpts, scenarioeks.WithEKSOptions(scenarioeks.WithLinuxNodeGroup()))
+
+	if len(opts.AgentOptions) > 0 {
+		runOpts = append(runOpts, scenarioeks.WithAgentOptions(opts.AgentOptions...))
+	}
+	if opts.WorkloadAppFunc != nil {
+		runOpts = append(runOpts, scenarioeks.WithWorkloadApp(opts.WorkloadAppFunc))
+	}
+	if opts.AgentDependentWorkloadAppFunc != nil {
+		runOpts = append(runOpts, scenarioeks.WithAgentDependentWorkloadApp(opts.AgentDependentWorkloadAppFunc))
+	}
+	return proveks.Provisioner(proveks.WithRunOptions(runOpts...))
+}