Skip to content

ci(helm): add kube gateway e2e tests and gated CI workflow#1251

Open
TaylorMutch wants to merge 2 commits intomainfrom
tmutch/kube-e2e-ci-take2
Open

ci(helm): add kube gateway e2e tests and gated CI workflow#1251
TaylorMutch wants to merge 2 commits intomainfrom
tmutch/kube-e2e-ci-take2

Conversation

@TaylorMutch
Copy link
Copy Markdown
Collaborator

@TaylorMutch TaylorMutch commented May 7, 2026

Summary

Adds a Helm-backed Kubernetes e2e harness (mise run e2e:helm) and a Branch Helm E2E workflow gated on the test:e2e-helm label, so Helm chart and gateway packaging changes can be exercised end-to-end on demand against a real kind cluster.

This is take 2 of the kube e2e CI work; the previous k3d-in-container attempt (commit 4b5961fe) hit nested-Docker / kubeconfig issues, so this version uses a bare runner with helm/kind-action and side-loads images into kind.

Related Issue

N/A — infrastructure follow-up to the earlier kube gateway e2e work.

Changes

  • New e2e/with-kube-gateway.sh wrapper:
    • If OPENSHELL_E2E_KUBE_CONTEXT is set, installs the chart into an ephemeral namespace on the existing context (CI path).
    • Otherwise creates a local k3d cluster via tasks/scripts/helm-k3s-local.sh and tears it down on exit (dev path).
    • Imports locally available gateway/supervisor images, helm-installs with ci/values-tls-disabled.yaml, port-forwards svc/openshell, registers a plaintext gateway, and runs the supplied command with OPENSHELL_E2E_DRIVER=kubernetes.
    • Captures pod state, events, gateway logs, and port-forward logs on failure for debugging.
  • New e2e/rust/e2e-helm.sh that builds openshell-cli and runs the Rust smoke e2e test through the wrapper.
  • New e2e:helm mise task wired up in tasks/test.toml.
  • New .github/workflows/branch-helm-e2e.yml:
    • Triggers on pull-request/* push and workflow_dispatch.
    • Gates via ./.github/actions/pr-gate on test:e2e-helm.
    • Builds gateway and supervisor Docker images via the reusable docker-build.yml workflow.
    • Provisions a kind cluster with helm/kind-action, materializes the kubeconfig at the mise-expected path, side-loads images tagged with ${{ github.sha }}, and runs mise run --no-deps --skip-deps e2e:helm.
  • Extends .github/workflows/e2e-label-help.yml to post the next-step hint when test:e2e-helm is applied.

Testing

  • mise run pre-commit passes
  • Unit tests added/updated — N/A (CI/test infrastructure only)
  • E2E tests added/updated — this PR adds the harness; the test:e2e-helm label is applied so the new Branch Helm E2E workflow runs on this PR

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable) — N/A

@TaylorMutch TaylorMutch added the test:e2e-helm Requires Helm end-to-end coverage label May 7, 2026
@copy-pr-bot
Copy link
Copy Markdown

copy-pr-bot Bot commented May 7, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@TaylorMutch TaylorMutch force-pushed the tmutch/kube-e2e-ci-take2 branch 3 times, most recently from 5142e05 to d124c57 Compare May 8, 2026 00:07
TaylorMutch added 2 commits May 7, 2026 19:01
@TaylorMutch
test(helm): Add kube gateway e2e tests
d7577f1 
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
@TaylorMutch
ci(helm): add Branch Helm E2E workflow gated on test:e2e-helm
e8be9a2 
Adds a label-gated GitHub Actions workflow that exercises the Helm
chart end-to-end against the Rust e2e suite via `mise run e2e:helm`.

Pipeline:
- pr_metadata gates on the `test:e2e-helm` label via the pr-gate action.
- build-gateway / build-supervisor build and push Docker images using
  the reusable docker-build.yml workflow.
- helm-e2e (bare runner): apt-installs z3 build deps so cargo can
  compile the openshell-policy crate's z3-sys backend, creates a kind
  cluster via helm/kind-action, materializes the kind kubeconfig at the
  path mise's [env] block expects, side-loads the freshly built
  gateway/supervisor images, applies
  deploy/kube/manifests/agent-sandbox.yaml so the
  sandboxes.agents.x-k8s.io CRD and reconciling StatefulSet are in
  place, and finally runs `mise run e2e:helm`.

Also expands the `e2e:helm` task to run the full Rust e2e suite
(matching `e2e:podman`) instead of only the smoke test, with
OPENSHELL_E2E_KUBE_TEST as an opt-in single-test override for local
debugging.

Extends the e2e-label-help workflow so applying `test:e2e-helm` posts
the next-step hint pointing at this workflow.

Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
@TaylorMutch TaylorMutch force-pushed the tmutch/kube-e2e-ci-take2 branch from d124c57 to e8be9a2 Compare May 8, 2026 02:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

@maxamillion maxamillion Awaiting requested review from maxamillion maxamillion is a code owner

@derekwaynecarr derekwaynecarr Awaiting requested review from derekwaynecarr derekwaynecarr is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

test:e2e-helm Requires Helm end-to-end coverage

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TaylorMutch