add e2e test for pubsub.

Signed-off-by: Morven Cao <lcao@redhat.com>

Author: morvencao

.github/workflows/e2e.yml

@@ -128,6 +128,33 @@ jobs:
           SERVER_REPLICAS: 2
           MESSAGE_DRIVER_TYPE: grpc
           ENABLE_MAESTRO_TLS: true
+  e2e-pubsub:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Check initial disk usage
+        run: df -h /
+      - name: Free disk space (optional cleanup)
+        run: |
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /opt/hostedtoolcache
+          docker system prune -af
+          df -h /
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+      - name: install ginkgo
+        run: go install github.com/onsi/ginkgo/v2/ginkgo@v2.15.0
+      - name: Test E2E
+        run: |
+          make e2e-test
+        env:
+          container_tool: docker
+          SERVER_REPLICAS: 2
+          MESSAGE_DRIVER_TYPE: pubsub
+          ENABLE_MAESTRO_TLS: true
   upgrade:
     runs-on: ubuntu-22.04
     steps:

charts/maestro-agent/templates/pubsub-init-hook.yaml

@@ -0,0 +1,105 @@
+{{- if eq .Values.messageBroker.type "pubsub" }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "maestro-agent.fullname" . }}-pubsub-init
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "maestro-agent.labels" . | nindent 4 }}
+    app.kubernetes.io/component: pubsub-init
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  template:
+    metadata:
+      labels:
+        {{- include "maestro-agent.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: pubsub-init
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: init
+          image: registry.access.redhat.com/ubi9/python-311
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: PUBSUB_EMULATOR_HOST
+              value: "{{ .Values.messageBroker.pubsub.endpoint }}"
+            - name: PUBSUB_PROJECT_ID
+              value: "{{ .Values.messageBroker.pubsub.projectID }}"
+            - name: CONSUMER_NAME
+              value: "{{ .Values.consumerName }}"
+          command:
+            - /bin/bash
+            - -c
+            - |
+              set -e
+              echo "Installing google-cloud-pubsub..."
+              pip install --quiet google-cloud-pubsub==2.34.0
+
+              echo "Initializing Pub/Sub agent subscriptions for consumer: ${CONSUMER_NAME}..."
+              python3 <<'PYTHON'
+              import os
+              from google.cloud import pubsub_v1
+              from google.api_core import exceptions
+
+              project_id = os.environ['PUBSUB_PROJECT_ID']
+              consumer_name = os.environ['CONSUMER_NAME']
+
+              subscriber = pubsub_v1.SubscriberClient()
+              publisher = pubsub_v1.PublisherClient()
+
+              # Extract topic names from full resource paths
+              # If using full paths like "projects/my-project/topics/sourceevents"
+              # we need to extract just the topic name
+              def extract_topic_name(topic_path):
+                  if topic_path.startswith('projects/'):
+                      # Full resource path: projects/PROJECT_ID/topics/TOPIC_NAME
+                      return topic_path.split('/')[-1]
+                  return topic_path
+
+              subscriptions = [
+                (
+                  f'sourceevents-{consumer_name}',
+                  'sourceevents',
+                  f'attributes.ce-clustername="{consumer_name}"'
+                ),
+                (
+                  f'sourcebroadcast-{consumer_name}',
+                  'sourcebroadcast',
+                  ''
+                )
+              ]
+
+              for sub_name, topic_name, filter_expr in subscriptions:
+                subscription_path = subscriber.subscription_path(project_id, sub_name)
+                topic_path = publisher.topic_path(project_id, topic_name)
+
+                try:
+                  if filter_expr:
+                    subscriber.create_subscription(
+                      request={
+                        "name": subscription_path,
+                        "topic": topic_path,
+                        "filter": filter_expr
+                      }
+                    )
+                    print(f"Created subscription: {subscription_path} with filter: {filter_expr}")
+                  else:
+                    subscriber.create_subscription(
+                      request={
+                        "name": subscription_path,
+                        "topic": topic_path
+                      }
+                    )
+                    print(f"Created subscription: {subscription_path}")
+                except exceptions.AlreadyExists:
+                  print(f"Subscription already exists: {subscription_path}")
+                except Exception as e:
+                  print(f"Error creating subscription {subscription_path}: {e}")
+                  raise
+
+              print(f"Pub/Sub agent subscriptions for '{consumer_name}' initialized successfully!")
+              PYTHON
+{{- end }}

charts/maestro-agent/templates/secret.yaml

@@ -62,6 +62,10 @@ stringData:
     {{- if .Values.messageBroker.pubsub.projectID }}
     projectID: {{ .Values.messageBroker.pubsub.projectID }}
     {{- end }}
+    {{- if .Values.messageBroker.pubsub.endpoint }}
+    endpoint: {{ .Values.messageBroker.pubsub.endpoint }}
+    {{- end }}
+    disableTLS: {{ .Values.messageBroker.pubsub.disableTLS }}
     {{- if .Values.messageBroker.pubsub.credentialsJSON }}
     credentialsFile: {{ .Values.messageBroker.pubsub.credentialsFile }}
     {{- end }}

charts/maestro-agent/values.yaml

@@ -58,6 +58,8 @@ messageBroker:
   # Google Cloud Pub/Sub configuration
   pubsub:
     projectID: ""
+    endpoint: ""
+    disableTLS: false
     credentialsJSON: ""
     credentialsFile: /secrets/pubsub/credentials.json
     # Topics configuration (use full GCP resource names)

charts/maestro-server/templates/pubsub-emulator.yaml

@@ -0,0 +1,62 @@
+{{- if .Values.pubsubEmulator.enabled -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.pubsubEmulator.service.name }}
+  labels:
+    app.kubernetes.io/component: pubsub-emulator
+  annotations:
+    template.openshift.io/expose-uri: "tcp://{.spec.clusterIP}:{.spec.ports[?(.name=='pubsub')].port}"
+spec:
+  type: ClusterIP
+  ports:
+    - name: pubsub
+      protocol: TCP
+      port: {{ .Values.pubsubEmulator.service.port }}
+      targetPort: 8085
+  selector:
+    app.kubernetes.io/component: pubsub-emulator
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Values.pubsubEmulator.service.name }}
+  labels:
+    app.kubernetes.io/component: pubsub-emulator
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: pubsub-emulator
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: pubsub-emulator
+    spec:
+      serviceAccountName: {{ .Values.serviceAccount.name }}
+      containers:
+        - name: pubsub-emulator
+          image: {{ .Values.pubsubEmulator.image }}
+          imagePullPolicy: IfNotPresent
+          command:
+            - gcloud
+            - beta
+            - emulators
+            - pubsub
+            - start
+            - --host-port=0.0.0.0:8085
+            - --project={{ .Values.pubsubEmulator.projectID }}
+          ports:
+            - containerPort: 8085
+              name: pubsub
+              protocol: TCP
+          volumeMounts:
+            - name: pubsub-persistent-storage
+              mountPath: /data
+      volumes:
+        - name: pubsub-persistent-storage
+          emptyDir: {}
+{{- end }}

charts/maestro-server/templates/pubsub-init-hook.yaml

@@ -0,0 +1,94 @@
+{{- if .Values.pubsubEmulator.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Values.pubsubEmulator.service.name }}-init
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/component: pubsub-init
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: pubsub-init
+    spec:
+      restartPolicy: Never
+      serviceAccountName: {{ .Values.serviceAccount.name }}
+      containers:
+        - name: init
+          image: registry.access.redhat.com/ubi9/python-311
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: PUBSUB_EMULATOR_HOST
+              value: "{{ .Values.pubsubEmulator.service.name }}:{{ .Values.pubsubEmulator.service.port }}"
+            - name: PUBSUB_PROJECT_ID
+              value: "{{ .Values.pubsubEmulator.projectID }}"
+          command:
+            - /bin/bash
+            - -c
+            - |
+              set -e
+              echo "Installing google-cloud-pubsub..."
+              pip install --quiet google-cloud-pubsub==2.34.0
+
+              echo "Initializing Pub/Sub topics and subscriptions..."
+              python3 <<'PYTHON'
+              import os
+              from google.cloud import pubsub_v1
+              from google.api_core import exceptions
+
+              project_id = os.environ['PUBSUB_PROJECT_ID']
+
+              # Create publisher and subscriber clients
+              publisher = pubsub_v1.PublisherClient()
+              subscriber = pubsub_v1.SubscriberClient()
+
+              # Topics to create
+              topics = ['sourceevents', 'sourcebroadcast', 'agentevents', 'agentbroadcast']
+
+              # Create topics
+              for topic_name in topics:
+                topic_path = publisher.topic_path(project_id, topic_name)
+                try:
+                  publisher.create_topic(request={"name": topic_path})
+                  print(f"Created topic: {topic_path}")
+                except exceptions.AlreadyExists:
+                  print(f"Topic already exists: {topic_path}")
+                except Exception as e:
+                  print(f"Error creating topic {topic_path}: {e}")
+                  raise
+
+              # Subscriptions to create (name:topic:filter)
+              subscriptions = [
+                ('agentevents-maestro', 'agentevents', 'attributes.ce-originalsource="maestro"'),
+                ('agentbroadcast-maestro', 'agentbroadcast', '')
+              ]
+
+              # Create subscriptions
+              for sub_name, topic_name, filter_expr in subscriptions:
+                subscription_path = subscriber.subscription_path(project_id, sub_name)
+                topic_path = publisher.topic_path(project_id, topic_name)
+                try:
+                  if filter_expr:
+                    subscriber.create_subscription(
+                      request={"name": subscription_path, "topic": topic_path, "filter": filter_expr}
+                    )
+                    print(f"Created subscription: {subscription_path} with filter: {filter_expr}")
+                  else:
+                    subscriber.create_subscription(
+                      request={"name": subscription_path, "topic": topic_path}
+                    )
+                    print(f"Created subscription: {subscription_path}")
+                except exceptions.AlreadyExists:
+                  print(f"Subscription already exists: {subscription_path}")
+                except Exception as e:
+                  print(f"Error creating subscription {subscription_path}: {e}")
+                  raise
+
+              print("Pub/Sub initialization complete!")
+              PYTHON
+{{- end }}

charts/maestro-server/templates/pubsub.yaml

@@ -11,6 +11,10 @@ stringData:
     {{- if .Values.messageBroker.pubsub.projectID }}
     projectID: {{ .Values.messageBroker.pubsub.projectID }}
     {{- end }}
+    {{- if .Values.messageBroker.pubsub.endpoint }}
+    endpoint: {{ .Values.messageBroker.pubsub.endpoint }}
+    {{- end }}
+    disableTLS: {{ .Values.messageBroker.pubsub.disableTLS }}
     {{- if .Values.messageBroker.pubsub.topics }}
     topics:
       {{- if .Values.messageBroker.pubsub.topics.sourceEvents }}

charts/maestro-server/values.yaml

@@ -85,6 +85,8 @@ messageBroker:
   # Google Cloud Pub/Sub configuration
   pubsub:
     projectID: ""
+    endpoint: ""
+    disableTLS: false
     # Topics configuration (use full GCP resource names)
     topics:
       sourceEvents: ""  # e.g., projects/my-project/topics/sourceevents
@@ -94,6 +96,15 @@ messageBroker:
       agentEvents: ""  # e.g., projects/my-project/subscriptions/agentevents-maestro
       agentBroadcast: ""  # e.g., projects/my-project/subscriptions/agentbroadcast-maestro
 
+# Pub/Sub emulator deployment (optional, for development)
+pubsubEmulator:
+  enabled: false
+  image: gcr.io/google.com/cloudsdktool/google-cloud-cli:emulators
+  projectID: maestro-test
+  service:
+    name: maestro-pubsub
+    port: 8085
+
 
 # Server configuration
 server:

test/e2e/pkg/cert_rotation_test.go

@@ -30,8 +30,27 @@ var _ = Describe("Certificate Rotation", Ordered, Label("e2e-tests-cert-rotation
 		var deployName string
 		var originalMQTTCerts map[string][]byte
 		var originalGRPCBrokerCerts map[string][]byte
+		var skip bool
 
 		BeforeAll(func() {
+			// Check if any CA secrets exist (MQTT or gRPC)
+			// Certificate rotation is only applicable for MQTT and gRPC brokers
+			// Pub/Sub emulator does not use client certificates
+			_, mqttErr := agentTestOpts.kubeClientSet.CoreV1().Secrets(agentTestOpts.agentNamespace).Get(ctx, "maestro-mqtt-ca", metav1.GetOptions{})
+			_, grpcErr := agentTestOpts.kubeClientSet.CoreV1().Secrets(agentTestOpts.agentNamespace).Get(ctx, "maestro-grpc-broker-ca", metav1.GetOptions{})
+
+			if errors.IsNotFound(mqttErr) && errors.IsNotFound(grpcErr) {
+				skip = true
+				Skip("Skipping certificate rotation tests: no CA secrets found")
+			}
+
+			if mqttErr != nil && !errors.IsNotFound(mqttErr) {
+				Expect(mqttErr).ShouldNot(HaveOccurred())
+			}
+			if grpcErr != nil && !errors.IsNotFound(grpcErr) {
+				Expect(grpcErr).ShouldNot(HaveOccurred())
+			}
+
 			workName = fmt.Sprintf("cert-rotation-%s", k8srand.String(5))
 			deployName = fmt.Sprintf("nginx-%s", k8srand.String(5))
 
@@ -102,6 +121,10 @@ var _ = Describe("Certificate Rotation", Ordered, Label("e2e-tests-cert-rotation
 		})
 
 		AfterAll(func() {
+			if skip {
+				return
+			}
+
 			By("restoring original MQTT certificate")
 			if len(originalMQTTCerts) > 0 {
 				secret, err := agentTestOpts.kubeClientSet.CoreV1().Secrets(agentTestOpts.agentNamespace).Get(ctx, "maestro-agent-certs", metav1.GetOptions{})