run e2e out of cluster

Author: SylvainSenechal

.github/actions/deploy/action.yaml

@@ -87,9 +87,5 @@ runs:
       if: ${{ inputs.deploy_metadata == 'true' }}
     - name: End-to-end configuration
       shell: bash
-      run: bash configure-e2e.sh "end2end" ${E2E_IMAGE_NAME}:${E2E_IMAGE_TAG} "default"
-      working-directory: ./.github/scripts/end2end
-    - name: Linting
-      shell: bash
-      run: bash run-e2e-test.sh "end2end" ${E2E_IMAGE_NAME}:${E2E_IMAGE_TAG} "lint" "default"
+      run: bash configure-e2e.sh "end2end" "default"
       working-directory: ./.github/scripts/end2end

.github/scripts/end2end/configure-e2e-ctst.sh

@@ -3,6 +3,9 @@ set -exu
 
 DIR=$(dirname "$0")
 
+# Set up ingress endpoints and /etc/hosts for out-of-cluster access
+source "$DIR/configure-e2e-endpoints.sh"
+
 # Get kafka image name and tag
 kafka_image() {
     source <( "$DIR"/../../../solution/kafka_build_vars.sh )
@@ -76,8 +79,10 @@ UUID=$(kubectl get secret -l app.kubernetes.io/name=backbeat-config,app.kubernet
 UUID=${UUID%.*}
 UUID=${UUID:1}
 
-echo "127.0.0.1 iam.zenko.local s3-local-file.zenko.local keycloak.zenko.local \
-    sts.zenko.local management.zenko.local s3.zenko.local website.mywebsite.com utilization.zenko.local" | sudo tee -a /etc/hosts
+# Ensure additional hostnames are in /etc/hosts
+if ! grep -q "s3-local-file.zenko.local" /etc/hosts 2>/dev/null; then
+    echo "127.0.0.1 s3-local-file.zenko.local website.mywebsite.com" | sudo tee -a /etc/hosts
+fi
 
 # Add bucket notification target
 envsubst < ./configs/notification_destinations.yaml | kubectl apply -f -

.github/scripts/end2end/configure-e2e-endpoints.sh

@@ -0,0 +1,137 @@
+#!/bin/bash
+# configure-e2e-endpoints.sh
+#
+# Creates ingress resources for internal services that don't have one,
+# and adds all *.zenko.local hostnames to /etc/hosts.
+#
+# This allows tests to run outside the cluster (directly on the CI runner)
+# using the same ingress-based endpoints for all Zenko services.
+#
+# Idempotent: safe to source multiple times.
+#
+# Usage:
+#   source configure-e2e-endpoints.sh         # sets ZENKO_* endpoint vars
+#   bash configure-e2e-endpoints.sh            # just creates ingresses + /etc/hosts
+
+set -eu
+
+ZENKO_NAME="${ZENKO_NAME:-end2end}"
+NAMESPACE="${NAMESPACE:-default}"
+
+# --- Create missing Ingress resources ---
+
+apply_ingress() {
+    local name="$1"
+    local host="$2"
+    local service="$3"
+
+    # Skip if an ingress already serves this host (e.g., from a prior Zenko instance in PRA)
+    if kubectl get ingress -A -o jsonpath='{.items[*].spec.rules[*].host}' | grep -qw "${host}"; then
+        echo "Ingress for ${host} already exists, skipping"
+        return
+    fi
+
+    kubectl apply -f - <<EOF
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ${name}
+  namespace: ${NAMESPACE}
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+  labels:
+    app.kubernetes.io/instance: ${ZENKO_NAME}
+    app.kubernetes.io/name: ${name##*-}
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: ${host}
+    http:
+      paths:
+      - backend:
+          service:
+            name: ${service}
+            port:
+              name: http
+        path: /
+        pathType: Prefix
+EOF
+}
+
+# Backbeat API — used by node tests (CRR) and CTST
+apply_ingress \
+    "${ZENKO_NAME}-backbeat-api-ingress" \
+    "backbeat-api.zenko.local" \
+    "${ZENKO_NAME}-management-backbeat-api"
+
+# Vault auth API — used by CTST
+apply_ingress \
+    "${ZENKO_NAME}-vault-auth-api-ingress" \
+    "vault-auth.zenko.local" \
+    "${ZENKO_NAME}-connector-vault-auth-api"
+
+# S3C (Ring) — only when metadata namespace exists (ENABLE_RING_TESTS=true)
+if kubectl get namespace metadata &>/dev/null; then
+    kubectl apply -f - <<EOF
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: s3c-ingress
+  namespace: metadata
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: s3c.local
+    http:
+      paths:
+      - backend:
+          service:
+            name: s3c-cloudserver
+            port:
+              number: 8000
+        path: /
+        pathType: Prefix
+EOF
+fi
+
+# --- Wait for ingress controller to pick them up ---
+
+if kubectl get ingress "${ZENKO_NAME}-backbeat-api-ingress" &>/dev/null; then
+    kubectl wait --for=jsonpath='{.status.loadBalancer.ingress}' \
+        ingress/${ZENKO_NAME}-backbeat-api-ingress \
+        ingress/${ZENKO_NAME}-vault-auth-api-ingress \
+        --timeout=60s 2>/dev/null || true
+fi
+
+if kubectl get ingress s3c-ingress -n metadata &>/dev/null; then
+    kubectl wait --for=jsonpath='{.status.loadBalancer.ingress}' \
+        ingress/s3c-ingress -n metadata \
+        --timeout=60s 2>/dev/null || true
+fi
+
+# --- /etc/hosts setup ---
+
+ZENKO_HOSTS="s3.zenko.local iam.zenko.local sts.zenko.local management.zenko.local keycloak.zenko.local utilization.zenko.local backbeat-api.zenko.local vault-auth.zenko.local aws-mock.zenko.local azure-mock.zenko.local devstoreaccount1.blob.azure-mock.zenko.local devstoreaccount1.queue.azure-mock.zenko.local s3c.local"
+
+if ! grep -q "backbeat-api.zenko.local" /etc/hosts 2>/dev/null; then
+    echo "127.0.0.1 ${ZENKO_HOSTS}" | sudo tee -a /etc/hosts
+fi
+
+# --- Export endpoint variables ---
+# These use the ingress hostnames, reachable from outside the cluster.
+
+export CLOUDSERVER_HOST="s3.zenko.local"
+export CLOUDSERVER_ENDPOINT="http://s3.zenko.local"
+export BACKBEAT_API_ENDPOINT="http://backbeat-api.zenko.local"
+export VAULT_ENDPOINT="http://iam.zenko.local"
+export VAULT_STS_ENDPOINT="http://sts.zenko.local"
+export VAULT_AUTH_HOST="vault-auth.zenko.local"
+
+echo "=== Endpoints configured for out-of-cluster access ==="
+echo "  S3:           ${CLOUDSERVER_ENDPOINT}"
+echo "  Backbeat API: ${BACKBEAT_API_ENDPOINT}"
+echo "  Vault IAM:    ${VAULT_ENDPOINT}"
+echo "  Vault STS:    ${VAULT_STS_ENDPOINT}"
+echo "  Vault Auth:   http://${VAULT_AUTH_HOST}"

.github/scripts/end2end/configure-e2e.sh

@@ -6,49 +6,40 @@ DIR=$(dirname "${0}")
 . "$DIR"/common.sh
 
 ZENKO_NAME=${1:-end2end}
-E2E_IMAGE=${2:-ghcr.io/scality/zenko/zenko-e2e:latest}
-NAMESPACE=${3:-default}
-
-SERVICE_ACCOUNT="${ZENKO_NAME}-config"
-POD_NAME="${ZENKO_NAME}-config"
-MANAGEMENT_ENDPOINT="http://${ZENKO_NAME}-management-orbit-api:5001"
-IAM_ENDPOINT="http://${ZENKO_NAME}-management-vault-iam-admin-api"
-STS_ENDPOINT="http://${ZENKO_NAME}-connector-vault-sts-api"
+NAMESPACE=${2:-default}
+
+# Set up ingress endpoints and /etc/hosts for out-of-cluster access
+. "$DIR/configure-e2e-endpoints.sh"
+
+# For the primary Zenko instance, use the default ingress hostnames.
+# For secondary instances (e.g., PRA), prepare-pra.sh sets ZENKO_*_INGRESS
+# env vars via GITHUB_ENV (e.g., management.dr.zenko.local). The operator
+# creates ingresses with those hostnames. We discover them from the ingress
+# resources so configure-e2e.sh stays generic.
+if [ "${ZENKO_NAME}" = "end2end" ]; then
+    MANAGEMENT_ENDPOINT="http://management.zenko.local"
+    IAM_ENDPOINT="http://iam.zenko.local"
+    STS_ENDPOINT="http://sts.zenko.local"
+else
+    # Discover management/IAM/STS hostnames from the Zenko instance's ingresses
+    MGMT_HOST=$(kubectl get ingress -n "${NAMESPACE}" -l "app.kubernetes.io/instance=${ZENKO_NAME}" \
+        -o jsonpath='{.items[*].spec.rules[*].host}' | tr ' ' '\n' | grep '^management')
+    IAM_HOST=$(kubectl get ingress -n "${NAMESPACE}" -l "app.kubernetes.io/instance=${ZENKO_NAME}" \
+        -o jsonpath='{.items[*].spec.rules[*].host}' | tr ' ' '\n' | grep '^iam')
+    STS_HOST=$(kubectl get ingress -n "${NAMESPACE}" -l "app.kubernetes.io/instance=${ZENKO_NAME}" \
+        -o jsonpath='{.items[*].spec.rules[*].host}' | tr ' ' '\n' | grep '^sts')
+    MANAGEMENT_ENDPOINT="http://${MGMT_HOST}"
+    IAM_ENDPOINT="http://${IAM_HOST}"
+    STS_ENDPOINT="http://${STS_HOST}"
+    # Add PRA-specific hostnames to /etc/hosts (for runner access)
+    PRA_HOSTS="${MGMT_HOST} ${IAM_HOST} ${STS_HOST}"
+    if ! grep -q "${MGMT_HOST}" /etc/hosts 2>/dev/null; then
+        echo "127.0.0.1 ${PRA_HOSTS}" | sudo tee -a /etc/hosts
+    fi
+fi
 UUID=$(kubectl get zenko ${ZENKO_NAME} --namespace ${NAMESPACE} -o jsonpath='{.status.instanceID}')
 TOKEN=$(get_token)
 
-cat <<EOF | kubectl apply -f -
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: ${SERVICE_ACCOUNT}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: ${SERVICE_ACCOUNT}
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - '*'
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: ${SERVICE_ACCOUNT}
-subjects:
-- kind: ServiceAccount
-  name: ${SERVICE_ACCOUNT}
-roleRef:
-  kind: Role
-  name: ${SERVICE_ACCOUNT}
-  apiGroup: rbac.authorization.k8s.io
-EOF
-
 kafka_image() {
     source <( "$DIR"/../../../solution/kafka_build_vars.sh )
     echo "$KAFKA_IMAGE:$KAFKA_TAG-$BUILD_TREE_HASH"
@@ -72,52 +63,57 @@ kubectl run kafka-topics \
     kafka-topics.sh --create --topic $NOTIF_DEST_TOPIC --bootstrap-server $KAFKA_HOST_PORT --if-not-exists ; \
     kafka-topics.sh --create --topic $NOTIF_ALT_DEST_TOPIC --bootstrap-server $KAFKA_HOST_PORT --if-not-exists"
 
-kubectl run ${POD_NAME} \
-  --image ${E2E_IMAGE} \
-  --rm \
-  --attach=True \
-  --restart=Never \
-  --pod-running-timeout=5m \
-  --namespace=${NAMESPACE} \
-  --image-pull-policy=IfNotPresent \
-  --overrides="{ \"spec\": { \"serviceAccount\": \"${SERVICE_ACCOUNT}\" }  }" \
-  --env="TOKEN=${TOKEN}" \
-  --env="UUID=${UUID}" \
-  --env="MANAGEMENT_ENDPOINT=${MANAGEMENT_ENDPOINT}" \
-  --env="IAM_ENDPOINT=${IAM_ENDPOINT}" \
-  --env="STS_ENDPOINT=${STS_ENDPOINT}" \
-  --env="NAMESPACE=${NAMESPACE}" \
-  --env=VERIFY_CERTIFICATES=false \
-  --env=ENABLE_RING_TESTS=${ENABLE_RING_TESTS} \
-  --env=RING_S3C_ACCESS_KEY=${RING_S3C_ACCESS_KEY} \
-  --env=RING_S3C_SECRET_KEY=${RING_S3C_SECRET_KEY} \
-  --env=RING_S3C_ENDPOINT=${RING_S3C_ENDPOINT} \
-  --env=RING_S3C_BACKEND_SOURCE_LOCATION=${RING_S3C_BACKEND_SOURCE_LOCATION} \
-  --env=RING_S3C_INGESTION_SRC_BUCKET_NAME=${RING_S3C_INGESTION_SRC_BUCKET_NAME} \
-  --env=RING_S3C_BACKEND_SOURCE_NON_VERSIONED_LOCATION=${RING_S3C_BACKEND_SOURCE_NON_VERSIONED_LOCATION} \
-  --env=RING_S3C_INGESTION_SRC_NON_VERSIONED_BUCKET_NAME=${RING_S3C_INGESTION_SRC_NON_VERSIONED_BUCKET_NAME} \
-  --env=RING_S3C_INGESTION_NON_VERSIONED_OBJECT_COUNT_PER_TYPE=${RING_S3C_INGESTION_NON_VERSIONED_OBJECT_COUNT_PER_TYPE} \
-  --env=AWS_ACCESS_KEY=${AWS_ACCESS_KEY} \
-  --env=AWS_SECRET_KEY=${AWS_SECRET_KEY} \
-  --env=AWS_ENDPOINT=${AWS_ENDPOINT} \
-  --env=AWS_FAIL_BUCKET_NAME=${AWS_FAIL_BUCKET_NAME} \
-  --env=AWS_REPLICATION_FAIL_CTST_BUCKET_NAME=${AWS_REPLICATION_FAIL_CTST_BUCKET_NAME} \
-  --env=AZURE_BACKEND_DESTINATION_LOCATION=${AZURE_BACKEND_DESTINATION_LOCATION} \
-  --env=AZURE_BACKEND_ENDPOINT=${AZURE_BACKEND_ENDPOINT} \
-  --env=AZURE_BACKEND_QUEUE_ENDPOINT=${AZURE_BACKEND_QUEUE_ENDPOINT} \
-  --env=AZURE_ACCOUNT_NAME=${AZURE_ACCOUNT_NAME} \
-  --env=AZURE_SECRET_KEY=${AZURE_SECRET_KEY} \
-  --env=AZURE_CRR_BUCKET_NAME=${AZURE_CRR_BUCKET_NAME} \
-  --env=AZURE_ARCHIVE_BUCKET_NAME=${AZURE_ARCHIVE_BUCKET_NAME} \
-  --env=AZURE_ARCHIVE_BUCKET_NAME_2=${AZURE_ARCHIVE_BUCKET_NAME_2} \
-  --env=AZURE_ARCHIVE_QUEUE_NAME=${AZURE_ARCHIVE_QUEUE_NAME} \
-  --env=CRR_SOURCE_LOCATION_NAME=${CRR_SOURCE_LOCATION_NAME} \
-  --env=CRR_DESTINATION_LOCATION_NAME=${CRR_DESTINATION_LOCATION_NAME} \
-  --env=CRR_SOURCE_ACCOUNT_NAME=${CRR_SOURCE_ACCOUNT_NAME} \
-  --env=CRR_DESTINATION_ACCOUNT_NAME=${CRR_DESTINATION_ACCOUNT_NAME} \
-  --env=CRR_ROLE_NAME=${CRR_ROLE_NAME} \
-  --env=DEPLOY_CRR_LOCATIONS=${DEPLOY_CRR_LOCATIONS} \
-  --command -- python3 configuration.py
+# Run configuration.py directly
+ZENKO_TESTS_DIR="$DIR/../../../tests/zenko_tests"
+pip3 install -r "$ZENKO_TESTS_DIR/requirements.txt"
+
+cd "$ZENKO_TESTS_DIR"
+
+# Generate e2e-config.yaml from template (uses original RING_S3C_ENDPOINT with port 8000 for in-cluster Zenko config)
+envsubst < e2e-config.yaml.template > e2e-config.yaml
+
+# Override RING_S3C_ENDPOINT for out-of-cluster access (via ingress on port 80)
+RING_S3C_ENDPOINT_LOCAL="${RING_S3C_ENDPOINT}"
+if kubectl get namespace metadata &>/dev/null; then
+    RING_S3C_ENDPOINT_LOCAL="http://s3c.local"
+fi
+TOKEN=${TOKEN} \
+UUID=${UUID} \
+MANAGEMENT_ENDPOINT=${MANAGEMENT_ENDPOINT} \
+IAM_ENDPOINT=${IAM_ENDPOINT} \
+STS_ENDPOINT=${STS_ENDPOINT} \
+NAMESPACE=${NAMESPACE} \
+VERIFY_CERTIFICATES=false \
+ENABLE_RING_TESTS=${ENABLE_RING_TESTS} \
+RING_S3C_ACCESS_KEY=${RING_S3C_ACCESS_KEY} \
+RING_S3C_SECRET_KEY=${RING_S3C_SECRET_KEY} \
+RING_S3C_ENDPOINT=${RING_S3C_ENDPOINT_LOCAL} \
+RING_S3C_BACKEND_SOURCE_LOCATION=${RING_S3C_BACKEND_SOURCE_LOCATION} \
+RING_S3C_INGESTION_SRC_BUCKET_NAME=${RING_S3C_INGESTION_SRC_BUCKET_NAME} \
+RING_S3C_BACKEND_SOURCE_NON_VERSIONED_LOCATION=${RING_S3C_BACKEND_SOURCE_NON_VERSIONED_LOCATION} \
+RING_S3C_INGESTION_SRC_NON_VERSIONED_BUCKET_NAME=${RING_S3C_INGESTION_SRC_NON_VERSIONED_BUCKET_NAME} \
+RING_S3C_INGESTION_NON_VERSIONED_OBJECT_COUNT_PER_TYPE=${RING_S3C_INGESTION_NON_VERSIONED_OBJECT_COUNT_PER_TYPE} \
+AWS_ACCESS_KEY=${AWS_ACCESS_KEY} \
+AWS_SECRET_KEY=${AWS_SECRET_KEY} \
+AWS_ENDPOINT=${AWS_ENDPOINT} \
+AWS_FAIL_BUCKET_NAME=${AWS_FAIL_BUCKET_NAME} \
+AWS_REPLICATION_FAIL_CTST_BUCKET_NAME=${AWS_REPLICATION_FAIL_CTST_BUCKET_NAME} \
+AZURE_BACKEND_DESTINATION_LOCATION=${AZURE_BACKEND_DESTINATION_LOCATION} \
+AZURE_BACKEND_ENDPOINT=${AZURE_BACKEND_ENDPOINT} \
+AZURE_BACKEND_QUEUE_ENDPOINT=${AZURE_BACKEND_QUEUE_ENDPOINT} \
+AZURE_ACCOUNT_NAME=${AZURE_ACCOUNT_NAME} \
+AZURE_SECRET_KEY=${AZURE_SECRET_KEY} \
+AZURE_CRR_BUCKET_NAME=${AZURE_CRR_BUCKET_NAME} \
+AZURE_ARCHIVE_BUCKET_NAME=${AZURE_ARCHIVE_BUCKET_NAME} \
+AZURE_ARCHIVE_BUCKET_NAME_2=${AZURE_ARCHIVE_BUCKET_NAME_2} \
+AZURE_ARCHIVE_QUEUE_NAME=${AZURE_ARCHIVE_QUEUE_NAME} \
+CRR_SOURCE_LOCATION_NAME=${CRR_SOURCE_LOCATION_NAME} \
+CRR_DESTINATION_LOCATION_NAME=${CRR_DESTINATION_LOCATION_NAME} \
+CRR_SOURCE_ACCOUNT_NAME=${CRR_SOURCE_ACCOUNT_NAME} \
+CRR_DESTINATION_ACCOUNT_NAME=${CRR_DESTINATION_ACCOUNT_NAME} \
+CRR_ROLE_NAME=${CRR_ROLE_NAME} \
+DEPLOY_CRR_LOCATIONS=${DEPLOY_CRR_LOCATIONS} \
+python3 configuration.py
 
 ## wait for updates to trigger zenko upgrades
 sleep 10