Merge pull request #38 from SimonTheLeg/front-proxy-e2e-tests

✨ Add e2e tests for frontproxy objects

Author: kcp-ci-bot

README.md

@@ -72,3 +72,12 @@ graph TB
     classDef ca color:#F77
     classDef cert color:orange
 ```
+
+### Running E2E tests locally
+
+In order to run the E2E tests locally, you will need to setup cert-manager with the sample clusterissuer:
+
+```sh
+helm upgrade --install --namespace cert-manager --create-namespace --version v1.16.2 --set crds.enabled=true cert-manager jetstack/cert-manager
+kubectl apply -n cert-manager --filename hack/ci/testdata/clusterissuer.yaml
+```

internal/controller/suite_test.go

@@ -70,7 +70,7 @@ var _ = BeforeSuite(func() {
 		// default path defined in controller-runtime which is /usr/local/kubebuilder/.
 		// Note that you must have the required binaries setup under the bin directory to perform
 		// the tests directly. When we run make test it will be setup and used automatically.
-		BinaryAssetsDirectory: filepath.Join("..", "..", "bin", "k8s",
+		BinaryAssetsDirectory: filepath.Join("..", "..", "_tools", "k8s",
 			fmt.Sprintf("1.31.0-%s-%s", runtime.GOOS, runtime.GOARCH)),
 	}
 

test/e2e/frontproxies/frontproxies_test.go

@@ -0,0 +1,92 @@
+//go:build e2e
+
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package frontproxies
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/go-logr/logr"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	ctrlruntime "sigs.k8s.io/controller-runtime"
+
+	operatorv1alpha1 "github.com/kcp-dev/kcp-operator/sdk/apis/operator/v1alpha1"
+	"github.com/kcp-dev/kcp-operator/test/utils"
+)
+
+func TestCreateFrontProxy(t *testing.T) {
+	fmt.Println()
+
+	ctrlruntime.SetLogger(logr.Discard())
+
+	client := utils.GetKubeClient(t)
+	ctx := context.Background()
+	namespace := "create-frontproxy"
+
+	utils.CreateSelfDestructingNamespace(t, ctx, client, namespace)
+
+	externalHostname := "front-proxy-front-proxy.svc.cluster.local"
+
+	// deploy rootshard
+	rootShard := utils.DeployRootShard(ctx, t, client, namespace, externalHostname)
+
+	// deploy front-proxy
+	frontProxy := utils.DeployFrontProxy(ctx, t, client, namespace, rootShard.Name, externalHostname)
+
+	// create front-proxy kubeconfig
+	configSecretName := "kubeconfig-front-proxy-e2e"
+
+	fpConfig := operatorv1alpha1.Kubeconfig{}
+	fpConfig.Name = "front-proxy"
+	fpConfig.Namespace = namespace
+	fpConfig.Spec = operatorv1alpha1.KubeconfigSpec{
+		Target: operatorv1alpha1.KubeconfigTarget{
+			FrontProxyRef: &corev1.LocalObjectReference{
+				Name: frontProxy.Name,
+			},
+		},
+		Username: "e2e",
+		Validity: metav1.Duration{Duration: 2 * time.Hour},
+		SecretRef: corev1.LocalObjectReference{
+			Name: configSecretName,
+		},
+		Groups: []string{"system:masters"},
+	}
+
+	t.Log("Creating kubeconfig for FrontProxy…")
+	if err := client.Create(ctx, &fpConfig); err != nil {
+		t.Fatal(err)
+	}
+	utils.WaitForObject(t, ctx, client, &corev1.Secret{}, types.NamespacedName{Namespace: fpConfig.Namespace, Name: fpConfig.Spec.SecretRef.Name})
+
+	// verify that we can use frontproxy kubeconfig to access rootshard workspaces
+	t.Log("Connecting to FrontProxy…")
+	kcpClient := utils.ConnectWithKubeconfig(t, ctx, client, namespace, fpConfig.Name)
+	// proof of life: list something every logicalcluster in kcp has
+	t.Log("Should be able to list Secrets.")
+	secrets := &corev1.SecretList{}
+	if err := kcpClient.List(ctx, secrets); err != nil {
+		t.Fatalf("Failed to list secrets in kcp: %v", err)
+	}
+}

test/e2e/rootshards/rootshards_test.go

@@ -42,7 +42,7 @@ func TestCreateRootShard(t *testing.T) {
 	namespace := "create-rootshard"
 
 	utils.CreateSelfDestructingNamespace(t, ctx, client, namespace)
-	rootShard := utils.DeployRootShard(ctx, t, client, namespace)
+	rootShard := utils.DeployRootShard(ctx, t, client, namespace, "example.localhost")
 
 	configSecretName := "kubeconfig"
 

test/e2e/shards/shards_test.go

@@ -47,7 +47,7 @@ func TestCreateShard(t *testing.T) {
 	utils.CreateSelfDestructingNamespace(t, ctx, client, namespace)
 
 	// deploy a root shard incl. etcd
-	rootShard := utils.DeployRootShard(ctx, t, client, namespace)
+	rootShard := utils.DeployRootShard(ctx, t, client, namespace, "example.localhost")
 
 	// deploy a 2nd shard incl. etcd
 	shardName := "aadvark"

test/utils/deploy.go

@@ -106,7 +106,7 @@ func DeployShard(ctx context.Context, t *testing.T, client ctrlruntimeclient.Cli
 	return shard
 }
 
-func DeployRootShard(ctx context.Context, t *testing.T, client ctrlruntimeclient.Client, namespace string, patches ...func(*operatorv1alpha1.RootShard)) operatorv1alpha1.RootShard {
+func DeployRootShard(ctx context.Context, t *testing.T, client ctrlruntimeclient.Client, namespace string, externalHostname string, patches ...func(*operatorv1alpha1.RootShard)) operatorv1alpha1.RootShard {
 	t.Helper()
 
 	etcd := DeployEtcd(t, "etcd-r00t", namespace)
@@ -117,7 +117,7 @@ func DeployRootShard(ctx context.Context, t *testing.T, client ctrlruntimeclient
 
 	rootShard.Spec = operatorv1alpha1.RootShardSpec{
 		External: operatorv1alpha1.ExternalConfig{
-			Hostname: "example.localhost",
+			Hostname: externalHostname,
 			Port:     6443,
 		},
 		Cache: operatorv1alpha1.CacheConfig{
@@ -155,3 +155,44 @@ func DeployRootShard(ctx context.Context, t *testing.T, client ctrlruntimeclient
 
 	return rootShard
 }
+
+func DeployFrontProxy(ctx context.Context, t *testing.T, client ctrlruntimeclient.Client, namespace string, rootShardName string, externalHostname string, patches ...func(*operatorv1alpha1.FrontProxy)) operatorv1alpha1.FrontProxy {
+	t.Helper()
+
+	frontProxy := operatorv1alpha1.FrontProxy{}
+	frontProxy.Name = "front-proxy"
+	frontProxy.Namespace = namespace
+
+	frontProxy.Spec = operatorv1alpha1.FrontProxySpec{
+		RootShard: operatorv1alpha1.RootShardConfig{
+			Reference: &corev1.LocalObjectReference{
+				Name: rootShardName,
+			},
+		},
+		ExternalHostname: externalHostname,
+		Auth: &operatorv1alpha1.AuthSpec{
+			// we need to remove the default system:masters group in order to do our testing
+			DropGroups: []string{""},
+		},
+	}
+
+	for _, patch := range patches {
+		patch(&frontProxy)
+	}
+
+	t.Logf("Creating FrontProxy %s…", frontProxy.Name)
+	if err := client.Create(ctx, &frontProxy); err != nil {
+		t.Fatal(err)
+	}
+
+	opts := []ctrlruntimeclient.ListOption{
+		ctrlruntimeclient.InNamespace(frontProxy.Namespace),
+		ctrlruntimeclient.MatchingLabels{
+			"app.kubernetes.io/component": "front-proxy",
+			"app.kubernetes.io/instance":  frontProxy.Name,
+		},
+	}
+	WaitForPods(t, ctx, client, opts...)
+
+	return frontProxy
+}

test/utils/wait.go

@@ -32,7 +32,7 @@ func WaitForPods(t *testing.T, ctx context.Context, client ctrlruntimeclient.Cli
 
 	t.Log("Waiting for pods to be available…")
 
-	err := wait.PollUntilContextTimeout(ctx, 500*time.Millisecond, 3*time.Minute, false, func(ctx context.Context) (done bool, err error) {
+	err := wait.PollUntilContextTimeout(ctx, 500*time.Millisecond, 5*time.Minute, false, func(ctx context.Context) (done bool, err error) {
 		pods := corev1.PodList{}
 		if err := client.List(ctx, &pods, listOpts...); err != nil {
 			return false, err