stackrox · davdhacs · Nov 12, 2025 · Nov 12, 2025 · Nov 12, 2025 · Nov 12, 2025
@@ -0,0 +1,108 @@
+name: UI tests
+
+on: [push]
+
+jobs:
+  create-cluster-with-registry:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Free disk space (delete unused tools)
+        id: delete-unused-tools
+        continue-on-error: true
+        shell: bash
+        run: |
+          free_disk_space=22
+          # delete preinstalled unused tools
+          cleanup=(
+            /usr/share/dotnet
+            /usr/share/miniconda
+            /usr/share/swift
+            /usr/share/kotlinc
+            #/opt/ghc
+            #/opt/hostedtoolcache/CodeQL
+            #/opt/hostedtoolcache/Ruby
+            #/opt/az
+            #/usr/local/lib/android
+          )
+          for d in "${cleanup[@]}"; do
+            if [[ -d "$d" ]]; then
+              rm -rf -- "$d" && echo "deleted $d"
+            else
+              echo "$d not found"
+              continue
+            fi
+            free=$(df -BGB --output=avail / | tail -1)
+            if [[ ${free%GB} -ge "${free_disk_space}" ]]; then
+              echo "Reached requested free disk space ${free_disk_space} [${free} free]."
+              exit 0
+            fi
+          done
+          df -h
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Create KinD Cluster
+        uses: helm/kind-action@v1
+        with:
+          cluster_name: kind
+
+      - name: tags
+        run: |
+          echo "TAG=$(make tag)" | tee -a "$GITHUB_ENV"
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v5
+        with:
+          file: image/Dockerfile
+          context: .
+          push: false
+          load: true
+          tags: quay.io/rhacs-eng/infra-server:${{ env.TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Load into KinD
+        run: |
+          # Check cluster name
+          kind get clusters
+          #docker build -t quay.io/rhacs-eng/infra-server:${{ env.TAG }} -f image/Dockerfile .
+          kind load docker-image quay.io/rhacs-eng/infra-server:${{ env.TAG }} --name kind
+          docker images | grep infra-server
+
+      - name: Deploy
+        run: make deploy-local
+
+      - name: Wait for pods
+        run: kubectl wait --for=condition=ready pod -l app=infra-server -n infra --timeout=3m
+
+      - name: Start port-forward
+        run: |
+          kubectl port-forward -n infra svc/infra-server-service 8443:8443 >/dev/null 2>&1 &
+          echo "PORT_FORWARD_PID=$!" >> "$GITHUB_ENV"
+          sleep 3
+
+      - name: Run E2E tests
+        uses: cypress-io/github-action@v6
+        with:
+          working-directory: ui
+          start: npm run start
+          wait-on: 'http://localhost:3001'
+          wait-on-timeout: 60
+          command: npm run cypress:run:e2e
+        env:
+          BROWSER: none
+          PORT: 3001
+          INFRA_API_ENDPOINT: http://localhost:8443
+
+      - name: Cleanup port-forward
+        if: always()
+        run: |
+          if [ -n "${{ env.PORT_FORWARD_PID }}" ]; then
+            echo "Cleaning up port-forward (PID: ${{ env.PORT_FORWARD_PID }})..."
+            kill ${{ env.PORT_FORWARD_PID }} 2>/dev/null || true
+          fi
@@ -116,6 +116,14 @@ Use the environment variable `TEST_MODE` to disable certain infra service behavi
 
 This is used in the infra PR clusters to set the login referer and disable telemetry.
 
+#### Local Deploy Mode
+
+For local test clusters (such as KinD/Colima), you can use the deploy-local make target to disable authentication, skip loading secrets, and use HTTP instead of HTTPS.
+
+`make deploy-local`
+
+This is only intended for local development deployments. For remote dev clusters, use the standard deployment method.
+
 ### Rollback
 
 Use `helm rollback infra-server <REVISION>`.

@@ -253,6 +253,31 @@ helm-deploy: pre-check helm-dependency-update create-namespaces
 helm-diff: pre-check helm-dependency-update create-namespaces
 	@./scripts/deploy/helm.sh diff $(VERSION) $(ENVIRONMENT) $(SECRET_VERSION)
 
+## Deploy to local cluster (e.g., Colima) without GCP Secret Manager
+.PHONY: deploy-local
+deploy-local: helm-dependency-update create-namespaces
+	TEST_MODE=true ./scripts/deploy/helm.sh deploy-local $(shell make tag) local
+
+## Run UI E2E tests against local deployment
+.PHONY: test-e2e
+test-e2e:
+	@echo "Waiting for infra-server to be ready..." >&2
+	@kubectl wait --for=condition=ready pod -l app=infra-server -n infra --timeout=3m >&2 || \
+		(echo "ERROR: infra-server pods did not become ready" >&2 && exit 1)
+	@echo "" >&2
+	@echo "Starting port-forward and running E2E tests..." >&2
+	@kubectl port-forward -n infra svc/infra-server-service 8443:8443 >/dev/null 2>&1 & \
+	PF_PID=$$!; \
+	cleanup() { \
+		echo "" >&2; \
+		echo "Cleaning up port-forward (PID: $$PF_PID)..." >&2; \
+		kill $$PF_PID 2>/dev/null || true; \
+	}; \
+	trap cleanup EXIT; \
+	sleep 5; \
+	echo "Running Cypress E2E tests..." >&2; \
+	cd ui && BROWSER=none PORT=3001 INFRA_API_ENDPOINT=http://localhost:8443 npm run test:e2e
+
 ## Bounce pods
 .PHONY: bounce-infra-pods
 bounce-infra-pods:

@@ -0,0 +1,33 @@
+environment: local
+
+# Disable Auth0 for local development - allow anonymous access
+auth0:
+  clientID: ""
+  tenant: ""
+
+# Set local deploy mode to true for local development
+localDeploy: true
+
+# Enable test mode for faster cluster resume intervals
+testMode: true
+
+# Use local Docker images instead of pulling from registry
+imagePullPolicy: Never
+
+# Pull secrets for container registries - dummy values for local development
+pullSecrets:
+  docker:
+    registry: "docker.io"
+    username: "dummy"
+    password: "dummy"
+  quay:
+    registry: "quay.io"
+    username: "dummy"
+    password: "dummy"
+  stackrox:
+    registry: "stackrox.io"
+    username: "dummy"
+    password: "dummy"
+
+# Alertmanager configuration
+alertmanagerSlackTeam: "dummy-team"
@@ -1,4 +1,3 @@
-
 {{- define "docker-io-pull-secret" }}
   {{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.pullSecrets.docker.registry (printf "%s:%s" .Values.pullSecrets.docker.username .Values.pullSecrets.docker.password | b64enc) | b64enc }}
 {{- end }}

@@ -1,3 +1,4 @@
+{{- if not .Values.localDeploy }}
 ---
 apiVersion: v1
 kind: Secret
@@ -7,3 +8,4 @@ metadata:
 data:
   credentials.json: |-
     {{ required ".Values.google_credentials_json is undefined" .Values.google_credentials_json }}
+{{- end }}
@@ -1,3 +1,4 @@
+{{- if not .Values.localDeploy }}
 ---
 apiVersion: v1
 kind: Secret
@@ -16,3 +17,4 @@ data:
     {{ .Values.aroClusterManager.azureSPSecretVal | b64enc }}
   REDHAT_PULL_SECRET_BASE64: |-
     {{ .Values.aroClusterManager.redHatPullSecretBase64 | b64enc }}
+{{- end }}
@@ -1,3 +1,4 @@
+{{- if not .Values.localDeploy }}
 ---
 apiVersion: v1
 kind: Secret
@@ -10,3 +11,4 @@ data:
     {{ .Values.aws.accessKeyId | b64enc }}
   AWS_SECRET_ACCESS_KEY: |-
     {{ .Values.aws.secretAccessKey | b64enc }}
+{{- end }}
@@ -1,3 +1,4 @@
+{{- if not .Values.localDeploy }}
 
 ---
 
@@ -18,3 +19,4 @@ data:
     {{ .Values.azure.sp_tenant | b64enc }}
   ACR_TO_ATTACH: |-
     {{ .Values.azure.aks_attached_acr | b64enc }}
+{{- end }}
@@ -1,3 +1,4 @@
+{{- if not .Values.localDeploy }}
 ---
 
 apiVersion: v1
@@ -90,3 +91,4 @@ data:
   .dockerconfigjson: {{ template "pull-secret" .Values.pullSecrets.quay }}
 
 ---
+{{- end }}
@@ -29,13 +29,15 @@ spec:
           env:
             - name: GOOGLE_APPLICATION_CREDENTIALS
               value: /configuration/google-credentials.json
+            - name: LOCAL_DEPLOY
+              value: "{{ .Values.localDeploy }}"
             - name: TEST_MODE
               value: "{{ .Values.testMode }}"
           readinessProbe:
             httpGet:
               path: /
               port: 8443
-              scheme: HTTPS
+              scheme: {{ if eq .Values.environment "local" }}HTTP{{ else }}HTTPS{{ end }}
             initialDelaySeconds: 5
             periodSeconds: 5
           command:
@@ -47,7 +49,7 @@ spec:
               containerPort: 8443
             - name: metrics
               containerPort: 9101
-          imagePullPolicy: Always
+          imagePullPolicy: {{ .Values.imagePullPolicy | default "Always" }}
           volumeMounts:
             - mountPath: /configuration
               name: configuration

@@ -1,3 +1,4 @@
+{{- if not .Values.localDeploy }}
 ---
 
 apiVersion: v1
@@ -13,3 +14,4 @@ data:
     {{ required ".Values.gke__gke_provisioner_json is undefined" .Values.gke__gke_provisioner_json }}
 
 ---
+{{- end }}
@@ -1,3 +1,4 @@
+{{- if not .Values.localDeploy }}
 ---
 apiVersion: v1
 kind: Secret
@@ -8,3 +9,4 @@ metadata:
 data:
   IBM_ROKS_API_KEY: |-
     {{ .Values.ibmCloudSecrets.ibmRoksApiKey | b64enc }}
+{{- end }}
@@ -1,3 +1,4 @@
+{{- if not .Values.localDeploy }}
 ---
 apiVersion: v1
 kind: Secret
@@ -6,3 +7,4 @@ metadata:
   namespace: monitoring
 data:
   webhookURL: "{{ .Values.alertmanagerSlackWebhook | b64enc }}"
+{{- end }}
@@ -1,3 +1,4 @@
+{{- if not .Values.localDeploy }}
 apiVersion: v1
 kind: Secret
 type: Opaque
@@ -43,3 +44,4 @@ metadata:
 data:
   REDHAT_PULL_SECRET: |-
     {{ required ".Values.openshift_4__redhat_pull_secret_json is undefined" .Values.openshift_4__redhat_pull_secret_json }}
+{{- end }}
@@ -1,3 +1,4 @@
+{{- if not .Values.localDeploy }}
 apiVersion: v1
 kind: Secret
 type: Opaque
@@ -9,3 +10,4 @@ metadata:
 data:
   google-credentials.json: |-
     {{ required ".Values.openshift__google_credentials_json is undefined" .Values.openshift__google_credentials_json }}
+{{- end }}
@@ -1,3 +1,4 @@
+{{- if not .Values.localDeploy }}
 ---
 apiVersion: v1
 kind: Secret
@@ -19,3 +20,4 @@ data:
     {{ .Values.osdClusterManager.gcpSaCredsJsonBase64 | b64enc }}
   GCP_SERVICE_ACCOUNT_KEY_BASE64: |-
     {{ .Values.osdClusterManager.gcpServiceAccountKeyBase64 | b64enc }}
+{{- end }}