ci: minimal CI changes for faster tests

.github/actions/kubernetes-e2e-tests/action.yaml

@@ -30,6 +30,8 @@ runs:
       CLUSTER_NAME: ${{ inputs.cluster-name }}
       ISTIO_VERSION: ${{ inputs.istio-version }}
       TEST_PKG: ./test/e2e/tests
+      # Doesn't really matter, but using the same as `go build` means we can re-use the same Go cache.
+      CGO_ENABLED: 0
     shell: bash
     run: make e2e-test
   - name: Archive bug report directory on failure

.github/actions/prep-go-runner/action.yaml

@@ -23,13 +23,6 @@ runs:
         docker system df -v
 
         # https://github.com/actions/runner-images/discussions/3242 github runners are bad at cleanup
-        echo "Removing large packages"
-        time sudo apt-get remove -y '^dotnet-.*' '^llvm-.*' 'php.*' '^mongodb-.*' '^mysql-.*' azure-cli google-chrome-stable \
-          firefox powershell mono-devel libgl1-mesa-dri || true
-        time sudo apt-get autoremove -y || true
-        time sudo apt-get clean -y || true
-        echo "Done removing large packages"
-        df -h
 
         # Clean up pre-installed tools
         # For some reason, GHA often takes minutes (up to 20min observed) to clean up somehow.
@@ -85,4 +78,4 @@ runs:
     - name: Install Dependencies
       if: steps.cache.outputs.cache-hit != 'true'
       shell: bash
-      run: make mod-download
+      run: time make mod-download

.github/actions/setup-kind-cluster/action.yaml

@@ -27,6 +27,10 @@ inputs:
     required: false
     default: "false"
     description: Whether to install localstack
+  agentgateway:
+    required: false
+    default: "false"
+    description: Whether this test only needs agentgateway
 
 runs:
   using: "composite"
@@ -44,6 +48,7 @@ runs:
         CONFORMANCE_VERSION: ${{ inputs.gateway-api-version }}
         CONFORMANCE_CHANNEL: ${{ inputs.gateway-api-channel }}
         LOCALSTACK: ${{ inputs.localstack }}
+        AGENTGATEWAY: ${{ inputs.agentgateway }}
         CONFORMANCE: true
       run: |
         ./hack/kind/setup-kind.sh

.github/workflows/e2e.yaml

@@ -75,6 +75,7 @@ jobs:
         - cluster-name: 'agent-gateway-cluster'
           go-test-args: '-timeout=25m'
           go-test-run-regex: '^TestAgentgatewayIntegration'
+          agentgateway: 'true'
         # August 29, 2025: ~3 minutes
         - cluster-name: 'api-validation'
           go-test-args: '-timeout=10m'
@@ -105,6 +106,7 @@ jobs:
         kubectl-version: ${{ steps.dotenv.outputs.kubectl_version }}
         istio-version: ${{ steps.dotenv.outputs.istio_version }}
         localstack: ${{ matrix.test.localstack }}
+        agentgateway: ${{ matrix.test.agentgateway }}
     - id: run-tests
       uses: ./.github/actions/kubernetes-e2e-tests
       with:
@@ -118,4 +120,3 @@ jobs:
       run: |
         echo "After job disk space:"
         df -h
-        docker system df -v

Makefile

@@ -219,7 +219,8 @@ endif
 endif
 
 # Skip -race on e2e. This requires building the codebase twice, and provides no value as the only code executed is test code.
-E2E_GO_TEST_ARGS ?= -timeout=25m -cpu=4 -outputdir=$(OUTPUT_DIR)
+# Skip -vet; we already run it on the linter step and its very slow.
+E2E_GO_TEST_ARGS ?= -vet=off -timeout=25m -outputdir=$(OUTPUT_DIR)
 # Testing flags: https://pkg.go.dev/cmd/go#hdr-Testing_flags
 # The default timeout for a suite is 10 minutes, but this can be overridden by setting the -timeout flag. Currently set
 # to 25 minutes based on the time it takes to run the longest test setup (kgateway_test).
@@ -430,15 +431,26 @@ kgateway: $(CONTROLLER_OUTPUT_DIR)/kgateway-linux-$(GOARCH)
 $(CONTROLLER_OUTPUT_DIR)/Dockerfile: cmd/kgateway/Dockerfile
 	cp $< $@
 
+$(CONTROLLER_OUTPUT_DIR)/Dockerfile.agentgateway: cmd/kgateway/Dockerfile.agentgateway
+	cp $< $@
+
 $(CONTROLLER_OUTPUT_DIR)/.docker-stamp-$(VERSION)-$(GOARCH): $(CONTROLLER_OUTPUT_DIR)/kgateway-linux-$(GOARCH) $(CONTROLLER_OUTPUT_DIR)/Dockerfile
 	$(BUILDX_BUILD) --load $(PLATFORM) $(CONTROLLER_OUTPUT_DIR) -f $(CONTROLLER_OUTPUT_DIR)/Dockerfile \
 		--build-arg GOARCH=$(GOARCH) \
 		--build-arg ENVOY_IMAGE=$(ENVOY_IMAGE) \
 		-t $(IMAGE_REGISTRY)/$(CONTROLLER_IMAGE_REPO):$(VERSION)
 	@touch $@
 
+$(CONTROLLER_OUTPUT_DIR)/.docker-stamp-agentgateway-$(VERSION)-$(GOARCH): $(CONTROLLER_OUTPUT_DIR)/kgateway-linux-$(GOARCH) $(CONTROLLER_OUTPUT_DIR)/Dockerfile.agentgateway
+	$(BUILDX_BUILD) --load $(PLATFORM) $(CONTROLLER_OUTPUT_DIR) -f $(CONTROLLER_OUTPUT_DIR)/Dockerfile.agentgateway \
+		--build-arg GOARCH=$(GOARCH) \
+		-t $(IMAGE_REGISTRY)/$(CONTROLLER_IMAGE_REPO):$(VERSION)
+	@touch $@
+
 .PHONY: kgateway-docker
 kgateway-docker: $(CONTROLLER_OUTPUT_DIR)/.docker-stamp-$(VERSION)-$(GOARCH)
+.PHONY: kgateway-agentgateway-docker
+kgateway-agentgateway-docker: $(CONTROLLER_OUTPUT_DIR)/.docker-stamp-agentgateway-$(VERSION)-$(GOARCH)
 
 #----------------------------------------------------------------------------------
 # SDS Server - gRPC server for serving Secret Discovery Service config
@@ -717,6 +729,7 @@ kind-load-%:
 # Depends on: IMAGE_REGISTRY, VERSION, CLUSTER_NAME
 # Envoy image may be specified via ENVOY_IMAGE on the command line or at the top of this file
 kind-build-and-load-%: %-docker kind-load-% ; ## Use to build specified image and load it into kind
+kind-build-and-load-kgateway-agentgateway: kgateway-agentgateway-docker kind-load-kgateway ; ## Use to build specified image and load it into kind
 
 # Update the docker image used by a deployment
 # This works for most of our deployments because the deployment name and container name both match

cmd/kgateway/Dockerfile.agentgateway

@@ -0,0 +1,9 @@
+FROM cgr.dev/chainguard/static
+
+ARG GOARCH=amd64
+
+COPY kgateway-linux-$GOARCH /usr/local/bin/kgateway
+
+USER 10101
+
+ENTRYPOINT ["/usr/local/bin/kgateway"]

hack/kind/setup-kind.sh

@@ -56,36 +56,43 @@ function create_kind_cluster_or_skip() {
   fi
 }
 
+function create_and_setup() {
+  create_kind_cluster_or_skip
+
+  # 5. Apply the Kubernetes Gateway API CRDs
+  kubectl apply --server-side -f "https://github.com/kubernetes-sigs/gateway-api/releases/download/$CONFORMANCE_VERSION/$CONFORMANCE_CHANNEL-install.yaml"
+
+  # 6. Apply the Kubernetes Gateway API Inference Extension CRDs
+  kubectl apply --kustomize "https://github.com/kubernetes-sigs/gateway-api-inference-extension/config/crd?ref=$GIE_CRD_VERSION"
+
+  . $SCRIPT_DIR/setup-metalllb-on-kind.sh
+}
+
 # 1. Create a kind cluster (or skip creation if a cluster with name=CLUSTER_NAME already exists)
 # This config is roughly based on: https://kind.sigs.k8s.io/docs/user/ingress/
-create_kind_cluster_or_skip
+create_and_setup &
+KIND_PID=$!
 
 if [[ $SKIP_DOCKER == 'true' ]]; then
   # TODO(tim): refactor the Makefile & CI scripts so we're loading local
   # charts to real helm repos, and then we can remove this block.
   echo "SKIP_DOCKER=true, not building images or chart"
 else
   # 2. Make all the docker images and load them to the kind cluster
-  VERSION=$VERSION CLUSTER_NAME=$CLUSTER_NAME make kind-build-and-load
+  if [[ $AGENTGATEWAY == 'true' ]]; then
+    # Skip expensive envoy build
+    VERSION=$VERSION CLUSTER_NAME=$CLUSTER_NAME make kind-build-and-load-kgateway-agentgateway
+  else
+    VERSION=$VERSION CLUSTER_NAME=$CLUSTER_NAME make kind-build-and-load
+  fi
 
   # 3. Build the test helm chart, ensuring we have a chart in the `_test` folder
   VERSION=$VERSION make package-kgateway-charts
-
 fi
 
-# 5. Apply the Kubernetes Gateway API CRDs
-kubectl apply --server-side -f "https://github.com/kubernetes-sigs/gateway-api/releases/download/$CONFORMANCE_VERSION/$CONFORMANCE_CHANNEL-install.yaml"
-
-# 6. Apply the Kubernetes Gateway API Inference Extension CRDs
-kubectl apply --kustomize "https://github.com/kubernetes-sigs/gateway-api-inference-extension/config/crd?ref=$GIE_CRD_VERSION"
-
-# 7. Conformance test setup
-if [[ $CONFORMANCE == "true" ]]; then
-  echo "Running conformance test setup"
-  . $SCRIPT_DIR/setup-metalllb-on-kind.sh
-fi
+wait "$KIND_PID"
 
-# 9. Setup localstack
+# 7. Setup localstack
 if [[ $LOCALSTACK == "true" ]]; then
   echo "Setting up localstack"
   . $SCRIPT_DIR/setup-localstack.sh

test/e2e/test.go

@@ -9,9 +9,12 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
-	"runtime"
 	"testing"
 
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
 	"github.com/kgateway-dev/kgateway/v2/pkg/utils/helmutils"
 	"github.com/kgateway-dev/kgateway/v2/test/e2e/testutils/actions"
 	"github.com/kgateway-dev/kgateway/v2/test/e2e/testutils/assertions"
@@ -78,7 +81,9 @@ func CreateTestInstallationForCluster(
 		// between TestInstallation outputs per CI run
 		GeneratedFiles: MustGeneratedFiles(installContext.InstallNamespace, clusterContext.Name),
 	}
-	runtime.SetFinalizer(installation, func(i *TestInstallation) { i.finalize() })
+	testutils.Cleanup(t, func() {
+		installation.finalize()
+	})
 	return installation
 }
 
@@ -159,7 +164,7 @@ func (i *TestInstallation) InstallKgatewayCRDsFromLocalChart(ctx context.Context
 
 	// Check if we should skip installation if the release already exists (PERSIST_INSTALL or FAIL_FAST_AND_PERSIST mode)
 	if testutils.ShouldPersistInstall() || testutils.ShouldFailFastAndPersist() {
-		if i.Actions.Helm().ReleaseExists(ctx, helmutils.CRDChartName, i.Metadata.InstallNamespace) {
+		if i.releaseExists(ctx, helmutils.CRDChartName, i.Metadata.InstallNamespace) {
 			return
 		}
 	}
@@ -185,7 +190,7 @@ func (i *TestInstallation) InstallKgatewayCoreFromLocalChart(ctx context.Context
 
 	// Check if we should skip installation if the release already exists (PERSIST_INSTALL or FAIL_FAST_AND_PERSIST mode)
 	if testutils.ShouldPersistInstall() || testutils.ShouldFailFastAndPersist() {
-		if i.Actions.Helm().ReleaseExists(ctx, helmutils.ChartName, i.Metadata.InstallNamespace) {
+		if i.releaseExists(ctx, helmutils.ChartName, i.Metadata.InstallNamespace) {
 			return
 		}
 	}
@@ -309,3 +314,16 @@ func MustGeneratedFiles(tmpDirId, clusterId string) GeneratedFiles {
 		FailureDir: failureDir,
 	}
 }
+func (i *TestInstallation) releaseExists(ctx context.Context, releaseName, namespace string) bool {
+	l := &corev1.SecretList{}
+	if err := i.ClusterContext.Client.List(ctx, l, &client.ListOptions{
+		Namespace: namespace,
+		LabelSelector: labels.SelectorFromSet(map[string]string{
+			"owner": "helm",
+			"name":  releaseName,
+		}),
+	}); err != nil {
+		return false
+	}
+	return len(l.Items) > 0
+}

test/e2e/tests/base/base_suite.go

@@ -443,7 +443,7 @@ func (s *BaseTestingSuite) ApplyManifests(testCase *TestCase) {
 		s.TestInstallation.Assertions.EventuallyPodsRunning(s.Ctx, ns, metav1.ListOptions{
 			LabelSelector: fmt.Sprintf("%s=%s", defaults.WellKnownAppLabel, name),
 			// Provide a longer timeout as the pod needs to be pulled and pass HCs
-		}, time.Second*60, time.Second*2)
+		}, time.Second*60, time.Second)
 	}
 }
 

test/e2e/testutils/cluster/istio.go

@@ -198,7 +198,7 @@ func downloadIstio(version string) (string, error) {
 
 func UninstallIstio(istioctlBinary, kubeContext string) error {
 	// sh -c yes | istioctl uninstall —purge —context <kube-context>
-	cmd := exec.Command("sh", "-c", fmt.Sprintf("yes | %s uninstall --purge --context %s", istioctlBinary, kubeContext)) //nolint:gosec // G204: controlled istioctl uninstall command in tests
+	cmd := exec.Command("sh", "-c", fmt.Sprintf("yes | %s uninstall --purge --context '%s'", istioctlBinary, kubeContext)) //nolint:gosec // G204: controlled istioctl uninstall command in tests
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	if err := cmd.Run(); err != nil {

test/e2e/testutils/cluster/kind.go

@@ -3,7 +3,6 @@
 package cluster
 
 import (
-	"fmt"
 	"os"
 
 	"k8s.io/apimachinery/pkg/runtime"
@@ -31,10 +30,6 @@ func MustKindContextWithScheme(clusterName string, scheme *runtime.Scheme) *Cont
 	}
 
 	kubeCtx := os.Getenv(testutils.KubeCtx)
-	if len(kubeCtx) == 0 {
-		kubeCtx = fmt.Sprintf("kind-%s", clusterName)
-	}
-
 	restCfg, err := kubeutils.GetRestConfigWithKubeContext(kubeCtx)
 	if err != nil {
 		panic(err)

test/helpers/kube_dump.go

@@ -21,13 +21,17 @@ import (
 	"github.com/kgateway-dev/kgateway/v2/pkg/utils/threadsafe"
 	kgatewayAdminCli "github.com/kgateway-dev/kgateway/v2/test/controllerutils/admincli"
 	"github.com/kgateway-dev/kgateway/v2/test/envoyutils/admincli"
+	"github.com/kgateway-dev/kgateway/v2/test/testutils"
 )
 
 // StandardKgatewayDumpOnFail creates a dump of the kubernetes state and certain envoy data from
 // the admin interface when a test fails.
 // Look at `KubeDumpOnFail` && `EnvoyDumpOnFail` for more details
 func StandardKgatewayDumpOnFail(outLog io.Writer, kubectlCli *kubectl.Cli, outDir string, namespaces []string) func() {
 	return func() {
+		if os.Getenv(testutils.SkipDump) == "true" {
+			return
+		}
 		fmt.Printf("Test failed. Dumping state from %s...\n", strings.Join(namespaces, ", "))
 
 		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)

test/testutils/env.go

@@ -42,6 +42,9 @@ const (
 	// loop if it litters.
 	SkipAllTeardown = "SKIP_ALL_TEARDOWN"
 
+	// SkipDump, if true, disables test dumping
+	SkipDump = "SKIP_DUMP"
+
 	// InstallNamespace is the namespace in which kgateway is installed
 	InstallNamespace = "INSTALL_NAMESPACE"