Non-Admin Support - Webpack & Github Actions (opendatahub-io#6254)

* Fix non-admin test execution with oc user switching and optimized token refresh

- Add oc user switching in cy.visitWithLogin for localhost tests
- Implement lazy token refresh in webpack (5s cache) to avoid blocking event loop
- Add cleanup step for old test artifacts (>2 days)
- Ensure ODH_DASHBOARD_HOST is always passed to webpack
- Add IS_NON_ADMIN_RUN flag to skip admin setup hooks
- Add @ci-dashboard-set-2 tag to non-admin cluster settings test
- Pass OC_SERVER from workflow to Cypress for dynamic user switching

Fixes: Project creation and cluster storage tests that were failing due to
blocking getCurrentToken() calls breaking WebSocket connections.

* Address code review feedback: Make oc login errors fatal and fix cleanup

- Make missing OC_SERVER fatal: Throw error instead of logging warning
- Make oc login failure fatal: Throw error with exit code and output
- Remove Cypress cache cleanup: Avoid deleting binary on shared runners

These changes ensure test failures are explicit when user switching cannot
occur, rather than silently continuing with wrong permissions.

* Mask dashboard URLs and fix hostname extraction

- Add ::add-mask:: for DASHBOARD_URL to prevent exposure in logs
- Add ::add-mask:: for DASHBOARD_HOST to prevent exposure in logs
- Fix sed regex: Use -E flag for proper extended regex (https? instead of https\?)

The previous sed command was broken and extracted 'https:' instead of the
actual hostname. The -E flag enables extended regex where ? means 'optional'
rather than a literal character.

Critical: This prevents sensitive cluster URLs from appearing in CI logs.

Author: antowaddle

.github/workflows/cypress-e2e-test.yml

@@ -341,6 +341,32 @@ jobs:
           echo "PORT_INFO_FILE=$PORT_INFO_DIR/port-${WEBPACK_PORT}.run_id" >> $GITHUB_ENV
           echo "📍 Using port ${WEBPACK_PORT} for ${{ matrix.tag }} (run_id: ${{ github.run_id }})"
 
+      - name: Cleanup old test artifacts
+        continue-on-error: true
+        run: |
+          echo "🧹 Cleaning up old test artifacts (>2 days)..."
+          
+          # Clean old Cypress results/screenshots/videos from workspace (>2 days old)
+          find ${{ github.workspace }}/packages/cypress/results -type f -mtime +2 -delete 2>/dev/null || true
+          find ${{ github.workspace }}/packages/cypress/screenshots -type f -mtime +2 -delete 2>/dev/null || true
+          find ${{ github.workspace }}/packages/cypress/videos -type f -mtime +2 -delete 2>/dev/null || true
+          
+          # Clean old webpack logs (>2 days old)
+          find /tmp -name "webpack_*.log" -type f -mtime +2 -delete 2>/dev/null || true
+          
+          # Note: ~/.cache/Cypress is managed by actions/cache and should not be cleaned here
+          # to avoid removing the Cypress binary on shared self-hosted runners
+          
+          # Clean old temporary yaml files (>2 days old)
+          find /tmp -name "cypress-yaml-*.yaml" -type f -mtime +2 -delete 2>/dev/null || true
+          
+          # Clean empty directories
+          find ${{ github.workspace }}/packages/cypress/results -type d -empty -delete 2>/dev/null || true
+          find ${{ github.workspace }}/packages/cypress/screenshots -type d -empty -delete 2>/dev/null || true
+          find ${{ github.workspace }}/packages/cypress/videos -type d -empty -delete 2>/dev/null || true
+          
+          echo "✅ Cleanup complete (non-critical, continued on any errors)"
+
       - name: Checkout code
         uses: actions/checkout@v4
         with:
@@ -397,9 +423,15 @@ jobs:
         run: |
           TEST_VARS_FILE="${{ github.workspace }}/packages/cypress/test-variables.yml"
 
-          # Extract credentials
-          OC_USERNAME=$(grep -A 10 "^OCP_ADMIN_USER:" "$TEST_VARS_FILE" | grep "USERNAME:" | head -1 | sed 's/.*USERNAME: //' | tr -d ' ')
-          OC_PASSWORD=$(grep -A 10 "^OCP_ADMIN_USER:" "$TEST_VARS_FILE" | grep "PASSWORD:" | head -1 | sed 's/.*PASSWORD: //' | tr -d ' ')
+          # Extract credentials based on test type
+          if [[ "${{ matrix.tag }}" == "@NonAdmin" ]]; then
+            echo "🔑 Using non-admin credentials (TEST_USER_3) for @NonAdmin tests"
+            OC_USERNAME=$(grep -A 10 "^TEST_USER_3:" "$TEST_VARS_FILE" | grep "USERNAME:" | head -1 | sed 's/.*USERNAME: //' | tr -d ' ')
+            OC_PASSWORD=$(grep -A 10 "^TEST_USER_3:" "$TEST_VARS_FILE" | grep "PASSWORD:" | head -1 | sed 's/.*PASSWORD: //' | tr -d ' ')
+          else
+            OC_USERNAME=$(grep -A 10 "^OCP_ADMIN_USER:" "$TEST_VARS_FILE" | grep "USERNAME:" | head -1 | sed 's/.*USERNAME: //' | tr -d ' ')
+            OC_PASSWORD=$(grep -A 10 "^OCP_ADMIN_USER:" "$TEST_VARS_FILE" | grep "PASSWORD:" | head -1 | sed 's/.*PASSWORD: //' | tr -d ' ')
+          fi
           echo "::add-mask::$OC_PASSWORD"
           echo "::add-mask::$OC_USERNAME"
 
@@ -457,9 +489,17 @@ jobs:
             exit 1
           fi
 
+          # Mask dashboard URL to prevent exposure in logs
+          echo "::add-mask::$DASHBOARD_URL"
+
           # Set dashboard URL for selected cluster
           sed -i "s|^ODH_DASHBOARD_URL:.*|ODH_DASHBOARD_URL: $DASHBOARD_URL|" "$TEST_VARS_FILE"
 
+          # Export dashboard host (without protocol) for webpack ODH_DASHBOARD_HOST
+          DASHBOARD_HOST=$(echo "$DASHBOARD_URL" | sed -E 's|https?://||' | sed 's|/.*||')
+          echo "::add-mask::$DASHBOARD_HOST"
+          echo "DASHBOARD_HOST=$DASHBOARD_HOST" >> $GITHUB_ENV
+
           if [ -z "$ODH_NAMESPACES" ]; then
             echo "⚠️ ODH_NAMESPACES secret not set, skipping namespace override"
             exit 0
@@ -559,8 +599,8 @@ jobs:
           echo "✅ Port ${WEBPACK_PORT} is free and claimed by run_id: $CURRENT_RUN_ID"
           echo "🚀 Starting webpack dev server on port ${WEBPACK_PORT} ($CLUSTER_NAME)..."
 
-          # Start webpack and filter sensitive output
-          cd frontend && ODH_PORT=${WEBPACK_PORT} npm run start:dev:ext > /tmp/webpack_${WEBPACK_PORT}.log 2>&1 &
+          # Start webpack with explicit dashboard host (ensures correct proxy target for all tests)
+          cd frontend && env ODH_DASHBOARD_HOST=${DASHBOARD_HOST} ODH_PORT=${WEBPACK_PORT} npm run start:dev:ext > /tmp/webpack_${WEBPACK_PORT}.log 2>&1 &
           SERVER_PID=$!
           echo "SERVER_PID=$SERVER_PID" >> $GITHUB_ENV
           echo "$SERVER_PID" > "$PORT_INFO_DIR/port-${WEBPACK_PORT}.pid"
@@ -599,6 +639,9 @@ jobs:
           done
 
       - name: Run E2E Tests
+        env:
+          OC_SERVER_PRIMARY: ${{ secrets.OC_SERVER_PRIMARY }}
+          OC_SERVER_SECONDARY: ${{ secrets.OC_SERVER }}
         run: |
           cd frontend
 
@@ -609,8 +652,25 @@ jobs:
           export CY_RESULTS_DIR="${{ github.workspace }}/packages/cypress/results/${{ matrix.tag }}"
           mkdir -p "$CY_RESULTS_DIR"
 
+          # Determine OC_SERVER based on cluster (for oc user switching in tests)
+          if [ "$CLUSTER_NAME" = "dash-e2e-int" ]; then
+            OC_SERVER="$OC_SERVER_PRIMARY"
+          elif [ "$CLUSTER_NAME" = "dash-e2e" ]; then
+            OC_SERVER="$OC_SERVER_SECONDARY"
+          else
+            echo "⚠️ Unknown cluster: $CLUSTER_NAME, defaulting to OC_SERVER_PRIMARY"
+            OC_SERVER="$OC_SERVER_PRIMARY"
+          fi
+
+          # Set IS_NON_ADMIN_RUN flag for non-admin tests to skip admin-only setup hooks
+          EXTRA_CYPRESS_ENV="OC_SERVER=${OC_SERVER},"
+          if [[ "${{ matrix.tag }}" == "@NonAdmin" ]]; then
+            EXTRA_CYPRESS_ENV="${EXTRA_CYPRESS_ENV}IS_NON_ADMIN_RUN=true,"
+            echo "🔐 Running in non-admin mode - admin setup hooks will be skipped"
+          fi
+
           BASE_URL=http://localhost:${WEBPACK_PORT} npm run cypress:run:chrome -- \
-            --env skipTags="@Bug @Maintain @NonConcurrent",grepTags="${{ matrix.tag }}",grepFilterSpecs=true \
+            --env ${EXTRA_CYPRESS_ENV}skipTags="@Bug @Maintain @NonConcurrent",grepTags="${{ matrix.tag }}",grepFilterSpecs=true \
             --config video=true,screenshotsFolder="$CY_RESULTS_DIR/screenshots",videosFolder="$CY_RESULTS_DIR/videos"
 
       - name: Upload test results

frontend/config/webpack.dev.js

@@ -69,10 +69,11 @@ module.exports = smp.wrap(
         proxy: (() => {
           if (process.env.EXT_CLUSTER) {
             // Environment variables:
+            // - ODH_DASHBOARD_HOST: Explicit dashboard hostname (bypasses oc get routes)
             // - DEV_LEGACY=true: Forces legacy behavior for oauth-proxy clusters
             //   (uses old subdomain format and sends x-forwarded-access-token header)
             const devLegacy = process.env.DEV_LEGACY === 'true';
-            let dashboardHost;
+            let dashboardHost = process.env.ODH_DASHBOARD_HOST;
             let token;
 
             try {
@@ -87,10 +88,44 @@ module.exports = smp.wrap(
               throw new Error('Login with `oc login` prior to starting dev server.');
             }
 
+            // Token refresh mechanism (for when oc user is switched during tests)
+            // Only refreshes when token is actually used, with 5s minimum interval to avoid blocking
+            let cachedToken = token;
+            let lastTokenFetch = Date.now();
+            const TOKEN_REFRESH_MIN_INTERVAL = 5000; // Don't refresh more than once per 5 seconds
+
+            const getCurrentToken = () => {
+              const now = Date.now();
+              // Only refresh if enough time has passed since last fetch (prevents excessive blocking)
+              if (now - lastTokenFetch > TOKEN_REFRESH_MIN_INTERVAL) {
+                try {
+                  const newToken = execSync('oc whoami --show-token', {
+                    stdio: ['pipe', 'pipe', 'ignore'],
+                  })
+                    .toString()
+                    .trim();
+                  // Only update if token actually changed
+                  if (newToken !== cachedToken) {
+                    console.info('Token refreshed (oc user may have switched)');
+                    cachedToken = newToken;
+                  }
+                  lastTokenFetch = now;
+                } catch (e) {
+                  // If refresh fails, keep using cached token
+                  console.warn('Failed to refresh oc token, using cached token');
+                }
+              }
+              return cachedToken;
+            };
+
             const odhProject = process.env.OC_PROJECT || 'opendatahub';
             const app = process.env.ODH_APP || 'odh-dashboard';
             console.info('Using project:', odhProject);
 
+            if (dashboardHost) {
+              console.info('Using explicit ODH_DASHBOARD_HOST:', dashboardHost);
+            }
+
             // try to get dashboard host from HttpRoute and Gateway
             try {
               // Get the HttpRoute resource as JSON
@@ -189,6 +224,13 @@ module.exports = smp.wrap(
                 secure: false,
                 changeOrigin: true,
                 headers,
+                onProxyReq: (proxyReq) => {
+                  const currentToken = getCurrentToken();
+                  proxyReq.setHeader('Authorization', `Bearer ${currentToken}`);
+                  if (shouldFwdAccessToken) {
+                    proxyReq.setHeader('x-forwarded-access-token', currentToken);
+                  }
+                },
               },
               {
                 context: ['/wss/k8s'],
@@ -197,6 +239,13 @@ module.exports = smp.wrap(
                 ws: true,
                 changeOrigin: true,
                 headers,
+                onProxyReq: (proxyReq) => {
+                  const currentToken = getCurrentToken();
+                  proxyReq.setHeader('Authorization', `Bearer ${currentToken}`);
+                  if (shouldFwdAccessToken) {
+                    proxyReq.setHeader('x-forwarded-access-token', currentToken);
+                  }
+                },
               },
             ];
           }

packages/cypress/cypress/support/commands/application.ts

@@ -313,6 +313,60 @@ Cypress.Commands.add('visitWithLogin', (relativeUrl, credentials = HTPASSWD_CLUS
     }
     cy.step(`Navigate to: ${fullUrl}`);
 
+    // When running against localhost (webpack dev server), check if we need to switch oc user
+    const baseUrl = Cypress.config('baseUrl') || '';
+    if (baseUrl.includes('localhost') || baseUrl.includes('127.0.0.1')) {
+      cy.log('🔍 Localhost detected - checking if oc user switch is needed');
+      cy.exec('oc whoami', { failOnNonZeroExit: false, log: false }).then((result) => {
+        const currentOcUser = result.stdout.trim();
+        const requestedUser = credentials.USERNAME;
+
+        if (result.code !== 0) {
+          cy.log(
+            `⚠️ oc whoami failed (exit code: ${result.code}) - may not be logged into cluster`,
+          );
+          return cy.wrap(null);
+        }
+
+        if (currentOcUser !== requestedUser) {
+          cy.log(
+            `🔄 Switching oc user from ${currentOcUser ? '***' : 'none'} to ${
+              requestedUser ? '***' : 'none'
+            }`,
+          );
+
+          const ocServer = Cypress.env('OC_SERVER');
+          if (!ocServer) {
+            const errorMsg =
+              'OC_SERVER is required to switch oc user but was not set in Cypress env. ' +
+              'Set CYPRESS_OC_SERVER environment variable or pass via --env OC_SERVER=...';
+            cy.log(`❌ ${errorMsg}`);
+            throw new Error(errorMsg);
+          }
+
+          return cy
+            .exec(
+              `oc login -u "${requestedUser}" -p "${credentials.PASSWORD}" --server="${ocServer}" --insecure-skip-tls-verify`,
+              { failOnNonZeroExit: false, log: false },
+            )
+            .then((loginResult) => {
+              if (loginResult.code === 0) {
+                cy.log(`✅ oc user switched successfully`);
+              } else {
+                const errorMsg =
+                  `oc login failed (exit code: ${loginResult.code}). ` +
+                  `Output: ${loginResult.stdout || loginResult.stderr || 'No output'}`;
+                cy.log(`❌ ${errorMsg}`);
+                throw new Error(errorMsg);
+              }
+            });
+        }
+
+        cy.log(`✅ Already logged in as correct oc user`);
+        return cy.wrap(null);
+      });
+    }
+
     if (isBYOIDCCluster) {
       cy.log('BYOIDC cluster detected - using Keycloak authentication');
     }

packages/cypress/cypress/tests/e2e/settings/clusterSettings/testAdminClusterSettings.cy.ts

@@ -187,7 +187,7 @@ describe('Verify that only the Cluster Admin can access Cluster Settings', () =>
 
   it(
     'Test User - should not have access rights to view the Cluster Settings tab',
-    { tags: ['@Smoke', '@SmokeSet2', '@ODS-1216', '@Dashboard'] },
+    { tags: ['@Smoke', '@SmokeSet2', '@ODS-1216', '@Dashboard', '@ci-dashboard-set-2'] },
     () => {
       cy.step('Log into the application');
       cy.visitWithLogin('/', LDAP_CONTRIBUTOR_USER);

packages/cypress/cypress/utils/retryableHooks.ts

@@ -14,6 +14,14 @@ export const retryableBefore = <T>(fn: () => void | Promise<void> | Cypress.Chai
     if (this.currentTest?.isPending() || !shouldRun) {
       return;
     }
+
+    // Skip admin-only setup in non-admin mode (controlled by workflow)
+    if (Cypress.env('IS_NON_ADMIN_RUN')) {
+      cy.log('⏭️ Skipping admin setup (running in non-admin mode)');
+      shouldRun = false;
+      return;
+    }
+
     shouldRun = false;
     setupPerformed = true;
     cy.wrap(null).then(fn);