ci: add Branch Helm E2E workflow with test:e2e-helm gate #1162
Merged
TaylorMutch merged 9 commits into tmutch/kube-e2e from May 5, 2026
/ok to test 5a8e33a
* Add support for grpcRoute from Kubernetes Gateway API spec
* Add pkiInitJob to initialize mTLS resources
* Add sshHandshake init job
* Test integration with Envoy Gateway
* Add keycloak integration testing with Skaffold
… setup Add a TLS behaviour section explaining that values-skaffold.yaml disables TLS by default, and a port-forward connection guide covering both plaintext and mTLS modes with the exact commands to extract client certs from the cluster PKI secret.
Re-add the openshell.issuerSelfSigned helper, the mutual-exclusion guard in pki-hook.yaml, and the certManager condition in the statefulset volume mount. Add server.disableTls: false to values-cert-manager.yaml so the overlay correctly overrides the skaffold dev default. Tested end-to-end with cert-manager issuing mTLS certs and sandbox create over port-forward.
Use port 8090 for direct port-forward to avoid colliding with the k3d LB binding on 8080 when Envoy Gateway is active. Check both server and client TLS secrets before skipping PKI generation. Previously only the server secret was checked, which would silently skip generation if a partial cleanup left one half of the pair behind. Now emits a clear error with a recovery command when partial state is detected.
Consolidates values overlays into deploy/helm/openshell/ci/, adds a helm:lint matrix task that validates all configuration variants, and introduces a helm-e2e.sh script that creates a k3d cluster, builds images via docker buildx, deploys via Helm, and runs the Rust and Python e2e suites. Tests that require Docker-native host networking (host.openshell.internal SSRF) are skipped on the Kubernetes path.
* ci: add helm lint workflow triggered on helm chart changes
* chore: trigger helm lint CI test
* Revert "chore: trigger helm lint CI test" This reverts commit 6b6b0a5.
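The partial-state check described in the commit message above (both the server and the client TLS secret are examined before PKI generation is skipped), as an added example that is not code from this PR or from the OpenShell chart. The secret names, the `pki_decision` and `run_pki_check` helpers, and the recovery command are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example. Secret names are hypothetical placeholders, not the chart's
# real names. In a cluster, the list of existing secrets would come from
# `kubectl -n "$ns" get secrets -o name` (with the "secret/" prefix removed).
SERVER_SECRET="example-server-tls"
CLIENT_SECRET="example-client-tls"

# has_secret NAME [EXISTING...] -> status 0 if NAME is among EXISTING
has_secret() {
  local want="$1" s
  shift
  for s in "$@"; do
    [ "$s" = "$want" ] && return 0
  done
  return 1
}

# pki_decision [EXISTING...] -> prints skip | generate | partial:<present>:<missing>
pki_decision() {
  local have_server=0 have_client=0
  has_secret "$SERVER_SECRET" "$@" && have_server=1
  has_secret "$CLIENT_SECRET" "$@" && have_client=1
  if [ "$have_server" -eq 1 ] && [ "$have_client" -eq 1 ]; then
    echo "skip"        # complete pair: safe to reuse
  elif [ "$have_server" -eq 0 ] && [ "$have_client" -eq 0 ]; then
    echo "generate"    # clean slate: create both halves together
  elif [ "$have_server" -eq 1 ]; then
    echo "partial:$SERVER_SECRET:$CLIENT_SECRET"
  else
    echo "partial:$CLIENT_SECRET:$SERVER_SECRET"
  fi
}

# run_pki_check NAMESPACE [EXISTING...] -> status 1 on partial state
run_pki_check() {
  local ns="$1" d present
  shift
  d="$(pki_decision "$@")"
  case "$d" in
    partial:*)
      present="${d#partial:}"; present="${present%%:*}"
      echo "error: $present exists but ${d##*:} is missing in $ns" >&2
      # Assumed recovery: drop the orphaned half so the pair is regenerated.
      echo "recover with: kubectl -n $ns delete secret $present" >&2
      return 1 ;;
    *) echo "$d" ;;
  esac
}

# Constructed input: only the server half survived a cleanup.
run_pki_check demo-ns example-server-tls unrelated-secret || true
```

Checking only the server secret would report `skip` for the constructed input above and leave clients without a certificate that matches the server's CA.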
🌿 Preview your docs: https://nvidia-preview-pr-1162.docs.buildwithfern.com/openshell
Summary
* branch-helm-e2e.yml — a label-gated workflow that runs the Helm e2e test suite on PRs tagged test:e2e-helm
* e2e-gate.yml, e2e-label-help.yml)

Related Issue
Stacked on #1159 (which introduces tasks/scripts/helm-e2e.sh and the e2e:helm:* mise tasks this workflow calls).

Changes
* .github/workflows/branch-helm-e2e.yml — new guarded workflow: gates on test:e2e-helm, runs helm-e2e-rust and helm-e2e-python as separate parallel jobs on linux-amd64-cpu8 runners (60-min timeout each); privileged container with Docker socket for k3d; unique HELM_E2E_CLUSTER_NAME per run to prevent collisions
* .github/workflows/e2e-gate.yml — adds Branch Helm E2E to the workflow_run trigger and adds a helm-e2e gate check job (label: test:e2e-helm, workflow: branch-helm-e2e.yml)
* .github/workflows/e2e-label-help.yml — extends the job condition and case switch to handle test:e2e-helm, posting the correct next-step comment when the label is applied

Design notes
* helm-e2e.sh builds gateway and supervisor images internally via docker buildx build --load and imports them into k3d — simpler than the branch-e2e.yml pattern
* mise install --locked provisions k3d, helm, and kubectl from mise.toml; no CI image changes needed
* git config safe.directory is required because helm-e2e.sh calls git rev-parse to derive the default cluster name, and GHA container user/UID mismatch causes git to refuse the workspace otherwise

Testing
* test:e2e-helm to a PR and verify the label-help comment posts correctly
* Branch Helm E2E fires and both Helm E2E (rust) and Helm E2E (python) jobs run
* E2E Gate posts a Helm E2E check that goes green once both jobs pass

Checklist