try code coverage script

Mladen Rusev · Mladen Rusev · commit e66450ec5a98 · 2025-09-30T11:48:13.000+03:00
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -64,6 +64,12 @@ jobs:
 
       - run: make -j test-unit test-helm
 
+      - name: Upload test artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: unit-artifacts
+          path: _bin/artifacts
+
   test-e2e:
     if: contains(github.event.pull_request.labels.*.name, 'test-e2e')
     runs-on: ubuntu-latest
@@ -125,6 +131,11 @@ jobs:
           CLOUDSDK_COMPUTE_ZONE: europe-west1-b
           CLUSTER_NAME: ${{ steps.timestamp.outputs.cluster_name }}
 
+      - name: Setup upterm session
+        uses: owenthereal/action-upterm@v1
+        with:
+          limit-access-to-actor: true
+
       - name: Delete GKE Cluster
         # 'always()' - Run this step regardless of success or failure.
         # '!contains(...)' - AND only run if the list of PR labels DOES NOT contain 'keep-e2e-cluster'.
@@ -136,3 +147,9 @@ jobs:
             --project=machineidentitysecurity-jsci-e \
             --zone=europe-west1-b \
             --quiet
+
+      - name: Upload test artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: e2e-artifacts
+          path: _bin/artifacts
diff --git a/hack/e2e/test.sh b/hack/e2e/test.sh
@@ -83,6 +83,19 @@ if ! gcloud container clusters get-credentials "${CLUSTER_NAME}"; then
 fi
 kubectl create ns venafi || true
 
+kubectl apply -n venafi -f - <<EOF
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: coverage-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+EOF
+
 # Pull secret for Venafi OCI registry
 # IMPORTANT: we pick the first team as the owning team for the registry and
 # workload identity service account as it doesn't matter.
@@ -123,10 +136,13 @@ venctl components kubernetes apply \
   --venafi-kubernetes-agent \
   --venafi-kubernetes-agent-version "${RELEASE_HELM_CHART_VERSION}" \
   --venafi-kubernetes-agent-values-files "${script_dir}/values.venafi-kubernetes-agent.yaml" \
+  --venafi-kubernetes-agent-values-files "${script_dir}/values.coverage-pvc.yaml" \
   --venafi-kubernetes-agent-custom-image-registry "${OCI_BASE}/images" \
   --venafi-kubernetes-agent-custom-chart-repository "oci://${OCI_BASE}/charts"
 
 kubectl apply -n venafi -f venafi-components.yaml
+kubectl set env deployments/venafi-kubernetes-agent -n venafi GOCOVERDIR=/coverage
+kubectl rollout status deployment/venafi-kubernetes-agent -n venafi --timeout=2m
 
 subject="system:serviceaccount:venafi:venafi-components"
 audience="https://${VEN_API_HOST}"
@@ -233,3 +249,47 @@ getCertificate() {
 
 # Wait 5 minutes for the certificate to appear.
 for ((i=0;;i++)); do if getCertificate; then exit 0; fi; sleep 30; done | timeout -v -- 5m cat
+
+echo "Identifying the agent pod to terminate..."
+export AGENT_POD_NAME=$(kubectl get pods -n venafi -l app.kubernetes.io/name=venafi-kubernetes-agent -o jsonpath="{.items[0].metadata.name}")
+
+echo "Gracefully deleting agent pod '${AGENT_POD_NAME}' to flush coverage to the PVC..."
+kubectl delete pod -n venafi "${AGENT_POD_NAME}" --grace-period=30
+echo "Waiting for agent pod to terminate..."
+kubectl wait --for=delete pod/${AGENT_POD_NAME} -n venafi --timeout=90s
+
+kubectl apply -n venafi -f - <<EOF
+apiVersion: v1
+kind: Pod
+metadata:
+  name: coverage-helper-pod
+spec:
+  containers:
+  - name: helper
+    image: alpine:latest
+    command: ["sleep", "infinity"]
+    volumeMounts:
+    - name: coverage-storage
+      mountPath: /coverage-data
+  volumes:
+  - name: coverage-storage
+    persistentVolumeClaim:
+      claimName: coverage-pvc
+EOF
+
+echo "Waiting for the helper pod to be ready..."
+kubectl wait --for=condition=Ready pod/coverage-helper-pod -n venafi --timeout=2m
+
+echo "Copying coverage files from the helper pod..."
+mkdir -p $COVERAGE_HOST_PATH
+# We copy from the helper pod's mount path.
+kubectl cp -n venafi "coverage-helper-pod:/coverage-data/." $COVERAGE_HOST_PATH
+
+echo "Coverage files retrieved. Listing contents:"
+ls -la $COVERAGE_HOST_PATH
+
+# --- MANDATORY CLEANUP ---
+#echo "Cleaning up helper pod and PersistentVolumeClaim..."
+#kubectl delete pod coverage-helper-pod -n venafi
+#kubectl delete pvc coverage-pvc -n venafi
+#echo "Cleanup complete."
diff --git a/hack/e2e/values.coverage-pvc.yaml b/hack/e2e/values.coverage-pvc.yaml
@@ -0,0 +1,8 @@
+volumes:
+  - name: coverage-storage
+    persistentVolumeClaim:
+      claimName: coverage-pvc
+
+volumeMounts:
+  - name: coverage-storage
+    mountPath: /coverage
diff --git a/make/00_mod.mk b/make/00_mod.mk
@@ -13,6 +13,13 @@ kind_cluster_config := $(bin_dir)/scratch/kind_cluster.yaml
 
 build_names := preflight
 
+# HACK: The test-unit and test-e2e targets require the go binary to be built with the -cover flag set.
+# This allows us to do coverage reporting for our end-to-end tests.
+ifeq ($(findstring test-,$(MAKECMDGOALS)),test-)
+go_preflight_flags := -cover
+endif
+COVERAGE_HOST_PATH := $(CURDIR)/$(bin_dir)/artifacts
+
 go_preflight_main_dir := .
 go_preflight_mod_dir := .
 go_preflight_ldflags := \
