feat(e2e): add orchestrator RBAC tests and deployment fixes #3923
base: release-1.8
…eveloper#3802)

* feat(e2e): add orchestrator RBAC tests and deployment fixes

Implement comprehensive RBAC end-to-end tests for the orchestrator plugin with role-based access control validation for admin and non-admin users, workflow visibility controls, and permission enforcement.

Key improvements:
- Add orchestrator RBAC e2e test suite with role/policy validation
- Fix OCP operator RBAC deployment test reliability
- Add wait_for_deployment for showcase-runtime job to prevent race conditions that caused HTTP 503 errors when tests started before pod readiness
- Enhance orchestrator workflows deployment for operator integration

Signed-off-by: Chad Crum <[email protected]>

* fix(e2e): prevent RBAC test interference from parallel test execution

Modify the RBAC API validation test to filter out dynamically created test roles (e.g., workflowUser, workflowAdmin) that are created by orchestrator RBAC tests running in parallel. This prevents test failures when Playwright executes tests concurrently.

The test now:
- Filters out workflow-related roles using pattern matching
- Validates that all expected predefined roles exist
- Maintains parallel test execution for better performance
- Includes detailed comments explaining the filtering rationale

This fixes CI failures in both helm and operator deployments where the RBAC API test expected an exact role set but received additional roles from concurrent orchestrator tests.

* fix(e2e): also filter workflow policies from RBAC API test

Extend the previous fix to also filter out policies associated with dynamically created workflow roles. The initial fix filtered workflow roles but missed filtering their associated policies, causing the test to still fail when orchestrator tests create workflowUser/workflowAdmin policies in parallel.

Now both roles and policies matching the workflow pattern are filtered to prevent test interference during parallel execution.

* style(e2e): apply prettier formatting to rbac.spec.ts

Fix code style issues flagged by Prettier in the RBAC test file. This includes proper line breaks for long expressions and function calls.

---------

Signed-off-by: Chad Crum <[email protected]>
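The role and policy filtering described in the commits above, as an added example (not the PR's rbac.spec.ts). It assumes role references of the form `role:default/<name>`; the regex, the expected role names and the policy rows are constructed. It goes one step beyond the commit text by comparing the filtered remainder in both directions, so an extra role outside the workflow pattern still fails the check.

```typescript
// Added example. Role names other than workflowUser/workflowAdmin, the policy
// rows and the regex are constructed for illustration.
type Role = { name: string; memberReferences: string[] };
type Policy = { entityReference: string; permission: string; policy: string; effect: string };

// Assumption: the parallel orchestrator tests create their roles in the default
// namespace with a "workflow" prefix. Anchoring keeps the filter narrow.
const DYNAMIC_ROLE = /^role:default\/workflow[A-Za-z0-9_]*$/;

function stripDynamic(roles: Role[], policies: Policy[]) {
  return {
    roles: roles.filter((r) => !DYNAMIC_ROLE.test(r.name)),
    policies: policies.filter((p) => !DYNAMIC_ROLE.test(p.entityReference)),
  };
}

// Report drift in both directions: after filtering, the remainder must still
// equal the expected set, otherwise an extra role would pass unnoticed.
function roleDrift(expected: string[], roles: Role[]) {
  const actual = roles.map((r) => r.name);
  return {
    missing: expected.filter((n) => actual.indexOf(n) === -1),
    unexpected: actual.filter((n) => expected.indexOf(n) === -1),
  };
}

function checkSnapshot(expected: string[], roles: Role[], policies: Policy[]) {
  const kept = stripDynamic(roles, policies);
  const drift = roleDrift(expected, kept.roles);
  return { missing: drift.missing, unexpected: drift.unexpected, policies: kept.policies };
}

// Constructed API responses, as if captured while orchestrator tests run in parallel.
const EXPECTED = ["role:default/rbac_admin", "role:default/guests"];
const role = (name: string): Role => ({ name, memberReferences: ["user:default/sample"] });
const SAMPLE_ROLES = EXPECTED.concat(["role:default/workflowUser", "role:default/workflowAdmin"]).map(role);
const SAMPLE_POLICIES: Policy[] = [
  { entityReference: "role:default/rbac_admin", permission: "policy-entity", policy: "read", effect: "allow" },
  { entityReference: "role:default/workflowUser", permission: "sample.workflow", policy: "read", effect: "allow" },
];

const result = checkSnapshot(EXPECTED, SAMPLE_ROLES, SAMPLE_POLICIES);
console.log(result.missing, result.unexpected, result.policies.length);
```

A role such as `role:ops/workflowAdmin` is outside the anchored pattern and is reported as unexpected rather than silently filtered.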
|
[APPROVALNOTIFIER] This PR is NOT APPROVED |
|
/ok-to-test |
|
/test e2e-ocp-operator-nightly |
|
The image is available at: /test e2e-ocp-helm |
…ent timing

The previous cherry-pick removed wait_for_backstage_resource function which caused the backstage deployment to time out. The operator needs time to create the deployment after the Backstage CR is created.

This restores the function and adds it back before waiting for the deployment to be ready, giving the operator time to initialize.

Fixes timeout in showcase namespace deployment.
|
🚫 Image Push Skipped. The container image push was skipped because the build was skipped (either due to [skip-build] tag or no relevant changes with existing image) /test e2e-ocp-helm |
The orchestrator workflows table selector was looking for "WorkflowsNameCategoryLast" but the actual UI only displays columns: Name, Workflow Status, Last run, Last run status, Description, Actions.

The "Category" column does not exist in the release-1.8 UI, causing the orchestrator RBAC tests to fail with element not found errors.

This fix updates the selector to match the actual table header text "Workflows" which is present in the UI.

Backported from commit f17d95b (PR redhat-developer#3406) in main branch.

Fixes failing test:
- Test Orchestrator RBAC > Test global orchestrator workflow access is allowed

Related: FLPATH-2798
|
🚫 Image Push Skipped. The container image push was skipped because the build was skipped (either due to [skip-build] tag or no relevant changes with existing image) /test e2e-ocp-helm |
… install

Add --wait --timeout=5m flags to the greeting workflow helm install command to ensure workflow pods are ready before tests execute.

Without --wait, the helm command returns immediately while pods are still initializing, which can cause:
- Tests to run before workflows are available
- Race conditions between workflow deployment and test execution
- Pods experiencing CreateContainerConfigError during startup

With --wait, helm monitors the release and only returns success when all pods are Running and pass readiness probes. The 5-minute timeout provides ample time for the pods to start (observed ready time: ~90 seconds).

This ensures tests only run against fully-initialized infrastructure and provides clearer failure messages if pods cannot start.

Related: FLPATH-2798
|
🚫 Image Push Skipped. The container image push was skipped because the build was skipped (either due to [skip-build] tag or no relevant changes with existing image) /test e2e-ocp-helm |
|
/test e2e-ocp-helm |
…se creation

Add manual database creation workaround for showcase-rbac deployment to handle SSL-required connections to external Crunchy Data PostgreSQL clusters.

The helm chart's create-sonataflow-database job does not inject PGSSLMODE environment variable, causing authentication failures when connecting to external PostgreSQL instances that require SSL (Crunchy Data operator).

This fix adds:
- create_sonataflow_database_with_ssl() helper function
- Temporary pod that runs psql with PGSSLMODE=require
- Proper SSL configuration from postgres-cred secret

Without SSL configuration:
FATAL: no pg_hba.conf entry for host "X.X.X.X", user "janus-idp", database "postgres", no encryption

This resolves CrashLoopBackOff issues in showcase-rbac namespace for:
- greeting workflow
- user-onboarding workflow
- sonataflow-platform-data-index-service
- sonataflow-platform-jobs-service

Related: FLPATH-2798
|
/test e2e-ocp-operator-nightly |
The default 2Gi ephemeral volume for dynamic-plugins-root is insufficient when many plugins are enabled (orchestrator, kubernetes, tekton, techdocs, keycloak, etc.). The init container fails with "No space left on device" error during plugin extraction.

Increase the volume size to 5Gi for both showcase and RBAC namespaces using the deployment.patch field in the Backstage CR.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
|
🚫 Image Push Skipped. The container image push was skipped because the build was skipped (either due to [skip-build] tag or no relevant changes with existing image) /test e2e-ocp-helm |
|
/test e2e-ocp-operator-nightly |
|
/test e2e-ocp-operator-nightly |
The default 10-second actionTimeout was being exceeded when the Keycloak popup was slow to render, causing orchestrator RBAC tests to fail during authentication setup.

Add explicit waitFor with 30-second timeout before interacting with the Keycloak login form to handle slow responses.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
|
🚫 Image Push Skipped. The container image push was skipped because the build was skipped (either due to [skip-build] tag or no relevant changes with existing image) /test e2e-ocp-helm |
|
/test e2e-ocp-operator-nightly |
Commenting out the tech-radar plugin disabling logic to test if it is actually required for RBAC namespace deployments.

This is a test commit - will be reverted based on results.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
|
/test e2e-ocp-operator-nightly |
|
The image is available at: /test e2e-ocp-helm |
The tech-radar backend plugin requires techRadar.url configuration which is present in app-config-rhdh.yaml but missing from app-config-rhdh-rbac.yaml. This causes the RBAC deployment to fail with: 'Missing required config value at techRadar.url in env'

This reverts the temporary testing commit and adds clearer documentation explaining why the disabling is required.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
|
/test e2e-ocp-operator-nightly |
|
🚫 Image Push Skipped. The container image push was skipped because the build was skipped (either due to [skip-build] tag or no relevant changes with existing image) /test e2e-ocp-helm |
Add the missing techRadar.url configuration to app-config-rhdh-rbac.yaml that the tech-radar backend plugin requires. This is cleaner than disabling the plugin in utils.sh since both values files enable tech-radar plugins.

Removed the workaround that disabled tech-radar plugins for RBAC namespace in enable_orchestrator_plugins_op().

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
|
/test e2e-ocp-operator-nightly |
|
🚫 Image Push Skipped. The container image push was skipped because the build was skipped (either due to [skip-build] tag or no relevant changes with existing image) /test e2e-ocp-helm |
|
@chadcrum: The following test failed, say |
Summary
Cherry-pick of orchestrator RBAC tests and deployment fixes from release-1.7 to release-1.8.
Implement comprehensive RBAC end-to-end tests for the orchestrator plugin with role-based access control validation for admin and non-admin users, workflow visibility controls, and permission enforcement.
Key Changes
Jira Issue
Related to: FLPATH-2798
Original Commits
This is a cherry-pick of commit a6af1b0 from release-1.7