jfrog · RobinDuhan · Feb 22, 2026
diff --git a/.github/workflows/helm.test.yml b/.github/workflows/helm.test.yml
@@ -0,0 +1,118 @@
+name: Helm E2E Tests
+
+on:
+  workflow_dispatch:
+    inputs:
+      download_url:
+        description: 'Binary download URL (architecture suffix appended automatically)'
+        required: true
+        default: 'https://releases.jfrog.io/artifactory/run/jfrog-credentials-provider/0.1.0-beta.6/jfrog-credential-provider-linux'
+        type: string
+      provider:
+        description: 'Cloud provider to test'
+        required: true
+        default: 'all'
+        type: choice
+        options:
+          - all
+          - aws
+          - azure
+          - gcp
+  push:
+    branches:
+      - feature/INST-19278
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  test-aws:
+    name: AWS E2E Tests
+    # if: inputs.provider == 'all' || inputs.provider == 'aws'
+    runs-on: self-hosted
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v4.1.0
+        with:
+          role-to-assume: arn:aws:iam::095132750011:role/github-actions-kubelet-ci-role
+          role-session-name: kubelettestcisession
+          aws-region: ap-northeast-3
+
+      - name: Install tools
+        run: |
+          command -v helm  >/dev/null || { curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash; }
+          command -v yq    >/dev/null || { sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 && sudo chmod +x /usr/local/bin/yq; }
+
+      - name: Run AWS E2E tests
+        env:
+          AWS_NODE_ROLE_ARN: ${{ secrets.AWS_NODE_ROLE_ARN }}
+          AWS_SUBNET_IDS: ${{ secrets.AWS_SUBNET_IDS }}
+        run: |
+          source build/test/env
+          export DOWNLOAD_URL="${{ inputs.download_url }}"
+          bash build/test/aws.sh
+
+  test-azure:
+    name: Azure E2E Tests
+    # if: inputs.provider == 'all' || inputs.provider == 'azure'
+    runs-on: self-hosted
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to Azure
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_APP_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_APP_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_APP_SUBSCRIPTION_ID }}
+
+      - name: Install tools
+        run: |
+          command -v helm  >/dev/null || { curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash; }
+          command -v yq    >/dev/null || { sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 && sudo chmod +x /usr/local/bin/yq; }
+
+      - name: Run Azure E2E tests
+        env:
+          AZURE_APP_CLIENT_ID: ${{ secrets.AZURE_HELM_TEST_APP_CLIENT_ID }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_APP_TENANT_ID }}
+          # user assigned identity that has access to the app registration
+          AZURE_NODEPOOL_CLIENT_ID: ${{ secrets.AZURE_HELM_TEST_NODEPOOL_CLIENT_ID }}
+        run: |
+          source build/test/env
+          export DOWNLOAD_URL="${{ inputs.download_url }}"
+          export JFROG_OIDC_PROVIDER_NAME="${AZURE_JFROG_OIDC_PROVIDER_NAME}"
+          bash build/test/azure.sh
+
+  test-gcp:
+    name: GCP E2E Tests
+    if: inputs.provider == 'all' || inputs.provider == 'gcp'
+    runs-on: self-hosted
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Authenticate to GCP
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT_EMAIL }}
+
+      - name: Set up gcloud CLI
+        uses: google-github-actions/setup-gcloud@v2
+
+      - name: Install tools
+        run: |
+          command -v helm  >/dev/null || { curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash; }
+          command -v yq    >/dev/null || { sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 && sudo chmod +x /usr/local/bin/yq; }
+
+      - name: Run GCP E2E tests
+        env:
+          GCP_SERVICE_ACCOUNT_EMAIL: ${{ secrets.GCP_SERVICE_ACCOUNT_EMAIL }}
+        run: |
+          source build/test/env
+          export DOWNLOAD_URL="${{ inputs.download_url }}"
+          export JFROG_OIDC_PROVIDER_NAME="${GCP_JFROG_OIDC_PROVIDER_NAME}"
+          bash build/test/gcp.sh
+
diff --git a/build/test/aws.sh b/build/test/aws.sh
@@ -0,0 +1,133 @@
+#!/bin/bash
+# aws.sh - E2E tests for AWS (assume_role + cognito_oidc)
+# Expects the following env vars to be set by the caller (GitHub Actions workflow):
+#   EKS_CLUSTER_NAME, AWS_REGION, AWS_SUBNET_IDS, AWS_NODE_ROLE_ARN
+#   ARTIFACTORY_URL, MATCH_IMAGES, TEST_IMAGE, HELM_CHART_VERSION
+#   AWS_ROLE_NAME (for assume_role)
+#   AWS_COGNITO_SECRET_NAME, AWS_COGNITO_USER_POOL_NAME,
+#   AWS_COGNITO_RESOURCE_SERVER_NAME, AWS_COGNITO_USER_POOL_RESOURCE_SCOPE,
+#   JFROG_OIDC_PROVIDER_NAME (for cognito_oidc)
+#   DOWNLOAD_URL for custom binary url
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/helper.sh"
+
+RUN_ID="${GITHUB_RUN_ID:-$(date +%s)}"
+
+# ---------------------------------------------------------------------------
+# assume_role test
+# ---------------------------------------------------------------------------
+test_aws_assume_role() {
+    local ng_name="jfrog-ar-${RUN_ID}"
+    local release_name="jfrog-cp-assume-role"
+    local namespace="jfrog-assume-role"
+    local node_label_value="aws-assume-role"
+    local values_file="/tmp/values-aws-assume-role.yaml"
+
+    log_step "TEST: AWS assume_role"
+
+    cleanup_assume_role() {
+        log_step "Cleanup: AWS assume_role"
+        cleanup_helm_test "${release_name}" "${namespace}" || true
+        delete_node_group_aws "${EKS_CLUSTER_NAME}" "${ng_name}" || true
+    }
+    trap cleanup_assume_role EXIT
+
+    create_node_group_aws \
+        "${EKS_CLUSTER_NAME}" \
+        "${ng_name}" \
+        "jfrog-test=${node_label_value},credentialsProviderEnabled=true" \
+        "t4g.medium" \
+        "${AWS_SUBNET_IDS}" \
+        "AL2023_ARM_64_STANDARD" \
+        "${AWS_NODE_ROLE_ARN}"
+
+    generate_values "${REPO_ROOT}/examples/aws-values.yaml" "${values_file}" \
+        ".providerConfig[0].artifactoryUrl = \"${ARTIFACTORY_URL}\"" \
+        ".providerConfig[0].matchImages[0] = \"${MATCH_IMAGES}\"" \
+        ".providerConfig[0].aws.aws_role_name = \"${AWS_ROLE_NAME}\"" \
+        ".downloadUrl = \"${DOWNLOAD_URL}\""
+
+    run_helm_test \
+        "${release_name}" \
+        "${namespace}" \
+        "${values_file}" \
+        "${TEST_IMAGE}" \
+        "jfrog-test" \
+        "${node_label_value}" \
+        "false" \
+
+    log_info "TEST PASSED: AWS assume_role"
+
+    cleanup_assume_role
+    trap - EXIT
+}
+
+# ---------------------------------------------------------------------------
+# cognito_oidc test
+# ---------------------------------------------------------------------------
+test_aws_projected_sa() {
+    local ng_name="jfrog-co-${RUN_ID}"
+    local release_name="jfrog-cp-projected-sa"
+    local namespace="jfrog-projected-sa"
+    local node_label_value="aws-projecte-token"
+    local values_file="/tmp/values-aws-projected-sa.yaml"
+
+    log_step "TEST: AWS projected_sa"
+
+    cleanup_projected_sa() {
+        log_step "Cleanup: AWS projected_sa"
+        cleanup_helm_test "${release_name}" "${namespace}" || true
+        delete_node_group_aws "${EKS_CLUSTER_NAME}" "${ng_name}" || true
+    }
+    trap cleanup_cognito EXIT
+
+    create_node_group_aws \
+        "${EKS_CLUSTER_NAME}" \
+        "${ng_name}" \
+        "jfrog-test=${node_label_value},credentialsProviderEnabled=true" \
+        "t4g.small" \
+        "${AWS_SUBNET_IDS}" \
+        "${AWS_NODE_ROLE_ARN}"
+
+    generate_values "${REPO_ROOT}/examples/aws-projected-sa-values.yaml" "${values_file}" \
+        ".providerConfig[0].artifactoryUrl = \"${ARTIFACTORY_URL}\"" \
+        ".providerConfig[0].matchImages[0] = \"${MATCH_IMAGES}\"" \
+        ".providerConfig[0].aws.enabled = true" \
+        ".providerConfig[0].aws.aws_auth_method = \"assume_role\"" \
+        ".providerConfig[0].aws.aws_role_name = \"${AWS_ROLE_NAME}\"" \
+        ".providerConfig[0].tokenAttributes.enabled = true" \
+        ".downloadUrl = \"${DOWNLOAD_URL}\""
+
+    run_helm_test \
+        "${release_name}" \
+        "${namespace}" \
+        "${values_file}" \
+        "${TEST_IMAGE}" \
+        "jfrog-test" \
+        "${node_label_value}" \
+        "true" \
+
+    log_info "TEST PASSED: AWS cognito_oidc"
+
+    cleanup_cognito
+    trap - EXIT
+}
+
+# ---------------------------------------------------------------------------
+# Main
+# ---------------------------------------------------------------------------
+main() {
+    log_step "Starting AWS E2E tests (run: ${RUN_ID})"
+
+    connect_cluster_aws "${EKS_CLUSTER_NAME}" "${AWS_REGION}"
+
+    test_aws_assume_role
+    # test_aws_cognito_oidc
+
+    log_step "All AWS E2E tests PASSED"
+}
+
+main "$@"
diff --git a/build/test/azure.sh b/build/test/azure.sh
@@ -0,0 +1,82 @@
+#!/bin/bash
+# azure.sh - E2E tests for Azure (azure_oidc)
+# Expects the following env vars to be set by the caller (GitHub Actions workflow):
+#   AKS_CLUSTER_NAME, AKS_RESOURCE_GROUP
+#   ARTIFACTORY_URL, MATCH_IMAGES, TEST_IMAGE
+#   AZURE_APP_CLIENT_ID, AZURE_TENANT_ID, AZURE_NODEPOOL_CLIENT_ID,
+#   JFROG_OIDC_PROVIDER_NAME
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/helper.sh"
+
+RUN_ID="${GITHUB_RUN_ID:-$(date +%s)}"
+
+# ---------------------------------------------------------------------------
+# azure_oidc test
+# ---------------------------------------------------------------------------
+test_azure_oidc() {
+    local ng_name="jfrogazoidc${RUN_ID}"
+    # Azure node pool names must be <= 12 chars alphanumeric; truncate RUN_ID
+    ng_name="jfaz${RUN_ID: -8}"
+    local release_name="jfrog-cp-azure-oidc"
+    local namespace="jfrog-azure-oidc"
+    local node_label_value="azure-oidc"
+    local values_file="/tmp/values-azure-oidc.yaml"
+
+    log_step "TEST: Azure OIDC"
+
+    cleanup_azure() {
+        log_step "Cleanup: Azure OIDC"
+        cleanup_helm_test "${release_name}" "${namespace}" || true
+        delete_node_group_azure "${AKS_CLUSTER_NAME}" "${AKS_RESOURCE_GROUP}" "${ng_name}" || true
+    }
+    trap cleanup_azure EXIT
+
+    create_node_group_azure \
+        "${AKS_CLUSTER_NAME}" \
+        "${AKS_RESOURCE_GROUP}" \
+        "${ng_name}" \
+        "jfrog-test=${node_label_value},credentialsProviderEnabled=true" \
+        "${AZURE_NODE_VM_SIZE:-Standard_D2pds_v5}" \
+        "${AZURE_NODE_COUNT:-1}" \
+        "${AZURE_NODEPOOL_CLIENT_ID}"
+
+    generate_values "${REPO_ROOT}/examples/azure-values.yaml" "${values_file}" \
+        ".providerConfig[0].artifactoryUrl = \"${ARTIFACTORY_URL}\"" \
+        ".providerConfig[0].matchImages[0] = \"${MATCH_IMAGES}\"" \
+        ".providerConfig[0].azure.azure_app_client_id = \"${AZURE_APP_CLIENT_ID}\"" \
+        ".providerConfig[0].azure.azure_tenant_id = \"${AZURE_TENANT_ID}\"" \
+        ".providerConfig[0].azure.azure_nodepool_client_id = \"${AZURE_NODEPOOL_CLIENT_ID}\"" \
+        ".providerConfig[0].azure.jfrog_oidc_provider_name = \"${JFROG_OIDC_PROVIDER_NAME}\"" \
+
+    run_helm_test \
+        "${release_name}" \
+        "${namespace}" \
+        "${values_file}" \
+        "${TEST_IMAGE}" \
+        "jfrog-test" \
+        "${node_label_value}" \
+        "false" \
+
+    log_info "TEST PASSED: Azure OIDC"
+
+    cleanup_azure
+    trap - EXIT
+}
+
+# ---------------------------------------------------------------------------
+# Main
+# ---------------------------------------------------------------------------
+main() {
+    log_step "Starting Azure E2E tests (run: ${RUN_ID})"
+
+    connect_cluster_azure "${AKS_CLUSTER_NAME}" "${AKS_RESOURCE_GROUP}"
+
+    test_azure_oidc
+
+    log_step "All Azure E2E tests PASSED"
+}
+
+main "$@"
diff --git a/build/test/env b/build/test/env
@@ -0,0 +1,46 @@
+# build/test/env - Non-sensitive test configuration
+# Source this file before running test scripts.
+#
+# Required GitHub Actions secrets (not stored here):
+#   AWS_ROLE_TO_ASSUME         - IAM role ARN for GitHub Actions OIDC auth to AWS
+#   AWS_NODE_ROLE_ARN          - IAM role ARN for EKS node groups
+#   AWS_SUBNET_IDS             - Space-separated subnet IDs for EKS node groups
+#   AZURE_APP_CLIENT_ID        - Azure AD app registration client ID
+#   AZURE_TENANT_ID            - Azure AD tenant ID
+#   AZURE_SUBSCRIPTION_ID      - Azure subscription ID
+#   AZURE_NODEPOOL_CLIENT_ID   - Managed identity client ID for AKS node pool
+#   GCP_WORKLOAD_IDENTITY_PROVIDER - Workload Identity Federation provider for GitHub Actions OIDC auth to GCP
+#   GCP_SERVICE_ACCOUNT_EMAIL  - GCP service account email for node pools and GH Actions auth
+
+# ---------------------------------------------------------------------------
+# Shared
+# ---------------------------------------------------------------------------
+export ARTIFACTORY_URL="partnership.jfrog.io"
+export MATCH_IMAGES="partnership*.jfrog.io"
+export TEST_IMAGE="partnership-docker-remote-test.jfrog.io/busybox:latest"
+
+# ---------------------------------------------------------------------------
+# AWS
+# ---------------------------------------------------------------------------
+export EKS_CLUSTER_NAME="aws-operator-jfrog"
+export AWS_REGION="ap-northeast-3"
+export AWS_ROLE_NAME="OperatorSelfManagedWorkerNodeRole"
+
+# ---------------------------------------------------------------------------
+# Azure
+# ---------------------------------------------------------------------------
+export AKS_CLUSTER_NAME="robind-test-v1"
+export AKS_RESOURCE_GROUP="infra-robin-test"
+export AZURE_JFROG_OIDC_PROVIDER_NAME="azure-aks-oidc-provider"
+export AZURE_APP_AUDIENCE="api://AzureADTokenExchange"
+export AZURE_IDENTITY_NAME="kep-identity"
+
+# ---------------------------------------------------------------------------
+# GCP
+# ---------------------------------------------------------------------------
+export GKE_CLUSTER_NAME="jfrog-inst-credentials-cluster"
+export GCP_PROJECT="jfrog-dev"
+export GCP_ZONE="asia-south1-a"
+export GCP_MACHINE_TYPE="e2-medium"
+export GCP_OIDC_AUDIENCE="jfrog-dev"
+export GCP_JFROG_OIDC_PROVIDER_NAME="gcp-gke-oidc-provider"