feat(test): ui e2e testing, w/ pr cluster

.github/workflows/PR.yaml

@@ -66,6 +66,8 @@ jobs:
     runs-on: ubuntu-latest
     container:
       image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.9
+    outputs:
+      session-secret: ${{ steps.deploy.outputs.session-secret }}
     env:
       KUBECONFIG: /github/home/artifacts/kubeconfig
       INFRA_TOKEN: ${{ secrets.INFRA_TOKEN }}
@@ -100,10 +102,26 @@ jobs:
       - name: Download artifacts
         run: |
           /github/home/.local/bin/infractl artifacts "$CLUSTER_NAME" -d /github/home/artifacts >> "$GITHUB_STEP_SUMMARY"
-          kubectl get nodes -o wide || true
+
+      - name: Wait for cluster to be ready
+        run: |
+          echo "Waiting for cluster API server to be ready..."
+          timeout 300 sh -c 'until kubectl get nodes >/dev/null 2>&1; do
+            echo "Waiting for cluster..."
+            sleep 5
+          done'
+          echo "Cluster is ready"
+          kubectl get nodes -o wide
 
       - name: Deploy infra to dev cluster
+        id: deploy
         run: |
+          # Generate random session secret for JWT signing
+          # This secret is used by both the server (for verification) and Cypress (for JWT generation)
+          SESSION_SECRET=$(openssl rand -base64 32 | tr -d '\n')
+          export SESSION_SECRET
+          echo "Generated random session secret for this PR cluster deployment"
+
           ENVIRONMENT=development TEST_MODE=true make helm-deploy
           sleep 10 # wait for old pods to disappear so the svc port-forward doesn't connect to them
           kubectl -n infra port-forward svc/infra-server-service 8443:8443 > /dev/null 2>&1 &
@@ -115,6 +133,11 @@ jobs:
 
           kill %1
 
+          # Save session secret for UI E2E tests (job output for next job)
+          echo "session-secret=$SESSION_SECRET" >> "$GITHUB_OUTPUT"
+          # Also set as env var for steps in this job
+          echo "SESSION_SECRET=$SESSION_SECRET" >> "$GITHUB_ENV"
+
       - name: Check the deployment
         run: |
           kubectl -n infra port-forward svc/infra-server-service 8443:8443 > /dev/null 2>&1 &
@@ -162,3 +185,145 @@ jobs:
           kubectl -n infra port-forward svc/infra-server-service 8443:8443 > /dev/null 2>&1 &
           sleep 5
           make go-e2e-tests
+
+  ui-e2e-test-pr-cluster:
+    needs:
+      - deploy-and-test
+    if: success() || failure()
+    runs-on: ubuntu-latest
+    # Note: This job does NOT use the apollo-ci container to avoid path issues
+    env:
+      KUBECONFIG: /tmp/kubeconfig
+      INFRA_TOKEN: ${{ secrets.INFRA_TOKEN }}
+      USE_GKE_GCLOUD_AUTH_PLUGIN: "True"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+          path: go/src/github.com/stackrox/infra
+
+      - name: Authenticate to GCloud
+        uses: google-github-actions/auth@v3
+        with:
+          credentials_json: ${{ secrets.INFRA_CI_AUTOMATION_GCP_SA }}
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v3
+        with:
+          install_components: "gke-gcloud-auth-plugin"
+
+      - name: Download production infractl
+        uses: stackrox/actions/infra/install-infractl@v1
+
+      - name: Get kubeconfig for PR cluster
+        run: |
+          echo "Downloading kubeconfig for $CLUSTER_NAME..."
+          /home/runner/.local/bin/infractl artifacts "$CLUSTER_NAME" -d /tmp/artifacts
+          cp /tmp/artifacts/kubeconfig "$KUBECONFIG"
+
+          echo "Verifying cluster access..."
+          kubectl get nodes -o wide
+
+      - name: Wait for infra-server deployment
+        run: |
+          echo "Checking infra-server pods..."
+          kubectl get pods -n infra
+          kubectl wait --for=condition=ready pod -l app=infra-server -n infra --timeout=5m
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install UI dependencies
+        run: |
+          cd ui
+          npm install --legacy-peer-deps
+
+      - name: Start port-forward to PR cluster
+        run: |
+          kubectl -n infra port-forward svc/infra-server-service 8443:8443 >/dev/null 2>&1 &
+          PORT_FORWARD_PID=$!
+          echo "PORT_FORWARD_PID=$PORT_FORWARD_PID" >> "$GITHUB_ENV"
+          echo "Started port-forward with PID: $PORT_FORWARD_PID"
+          sleep 10
+
+          # Verify port-forward is working
+          echo "Verifying port-forward connectivity..."
+          timeout 30 sh -c 'until curl -k -f https://localhost:8443/v1/whoami 2>/dev/null; do
+            echo "Waiting for port-forward..."
+            sleep 2
+          done' || {
+            echo "Port-forward verification failed"
+            pgrep -a port-forward || true
+            exit 1
+          }
+          echo "Port-forward is working"
+
+      - name: Debug - Check flavors API
+        run: |
+          echo "Checking if flavors are available..."
+
+          # First try without auth (should fail with access denied)
+          echo "1. Testing without authentication:"
+          UNAUTH_RESPONSE=$(curl -k -s https://localhost:8443/v1/flavor/list || echo "API call failed")
+          echo "$UNAUTH_RESPONSE" | jq . || echo "$UNAUTH_RESPONSE"
+
+          # Check whoami endpoint
+          echo ""
+          echo "2. Testing /v1/whoami:"
+          WHOAMI=$(curl -k -s https://localhost:8443/v1/whoami || echo "whoami failed")
+          echo "$WHOAMI" | jq . || echo "$WHOAMI"
+
+          # The real issue is the UI itself - let's check if the flavors endpoint
+          # works at all. The UI must be getting an error from somewhere.
+          echo ""
+          echo "3. Checking flavors API (unauthenticated count):"
+          FLAVOR_COUNT=$(echo "$UNAUTH_RESPONSE" | jq '.flavors | length' 2>/dev/null || echo "0")
+          echo "Number of flavors available: $FLAVOR_COUNT"
+
+          if [ "$FLAVOR_COUNT" = "0" ]; then
+            echo "NOTE: Flavors API requires authentication"
+            echo "This is expected - Cypress tests use JWT authentication with randomly generated secret"
+          fi
+
+      - name: Run UI E2E tests
+        uses: cypress-io/github-action@v6
+        with:
+          working-directory: go/src/github.com/stackrox/infra/ui
+          install: false
+          start: npm run start
+          wait-on: 'http://localhost:3001'
+          wait-on-timeout: 60
+          command: npm run cypress:run:e2e
+        env:
+          BROWSER: none
+          PORT: 3001
+          # Backend is the PR cluster deployment accessed via port-forward
+          # This deployment uses ENVIRONMENT=development with real OIDC (NOT localDeploy=true)
+          INFRA_API_ENDPOINT: https://localhost:8443
+          # Session secret for JWT generation (matches what the server uses)
+          # Retrieved from deploy-and-test job output
+          CYPRESS_SESSION_SECRET: ${{ needs.deploy-and-test.outputs.session-secret }}
+
+      - name: Upload test artifacts
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: cypress-artifacts-pr-cluster-${{ github.event.pull_request.number }}
+          path: |
+            go/src/github.com/stackrox/infra/ui/cypress/videos
+            go/src/github.com/stackrox/infra/ui/cypress/screenshots
+          retention-days: 7
+
+      - name: Cleanup port-forward
+        if: always()
+        run: |
+          if [ -n "${{ env.PORT_FORWARD_PID }}" ]; then
+            echo "Cleaning up port-forward (PID: ${{ env.PORT_FORWARD_PID }})..."
+            kill ${{ env.PORT_FORWARD_PID }} 2>/dev/null || true
+          fi
+          pkill -f "kubectl port-forward.*8443:8443" 2>/dev/null || true

.github/workflows/ui.yaml

@@ -0,0 +1,128 @@
+name: UI tests
+
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+
+jobs:
+  ui-e2e-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Free disk space (delete unused tools)
+        id: delete-unused-tools
+        continue-on-error: true
+        shell: bash
+        run: |
+          free_disk_space=22
+          # delete preinstalled unused tools
+          cleanup=(
+            /usr/share/dotnet
+            /usr/share/miniconda
+            /usr/share/swift
+            /usr/share/kotlinc
+            /opt/ghc
+            /opt/hostedtoolcache/CodeQL
+            /opt/hostedtoolcache/Ruby
+            /opt/az
+            /usr/local/lib/android
+          )
+          for d in "${cleanup[@]}"; do
+            if [[ -d "$d" ]]; then
+              rm -rf -- "$d" && echo "deleted $d"
+            else
+              echo "$d not found"
+              continue
+            fi
+            free=$(df -BGB --output=avail / | tail -1)
+            if [[ ${free%GB} -ge "${free_disk_space}" ]]; then
+              echo "Reached requested free disk space ${free_disk_space} [${free} free]."
+              exit 0
+            fi
+          done
+          df -h
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Create KinD Cluster
+        uses: helm/kind-action@v1
+        with:
+          cluster_name: kind
+
+      - name: tags
+        run: |
+          echo "TAG=$(make tag)" | tee -a "$GITHUB_ENV"
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v5
+        with:
+          file: image/Dockerfile
+          context: .
+          push: false
+          load: true
+          tags: quay.io/rhacs-eng/infra-server:${{ env.TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Load into KinD
+        run: |
+          # Check cluster name
+          kind get clusters
+          #docker build -t quay.io/rhacs-eng/infra-server:${{ env.TAG }} -f image/Dockerfile .
+          kind load docker-image quay.io/rhacs-eng/infra-server:${{ env.TAG }} --name kind
+          docker images | grep infra-server
+
+      - name: Deploy
+        run: make deploy-local
+
+      - name: Wait for pods
+        run: kubectl wait --for=condition=ready pod -l app=infra-server -n infra --timeout=3m
+
+      - name: Start port-forward
+        run: |
+          kubectl port-forward -n infra svc/infra-server-service 8443:8443 >/dev/null 2>&1 &
+          echo "PORT_FORWARD_PID=$!" >> "$GITHUB_ENV"
+          sleep 5
+          # Verify port-forward is working
+          timeout 10 sh -c 'until curl -k -f https://localhost:8443/v1/whoami 2>/dev/null; do sleep 1; done' || echo "Warning: Backend may not be ready"
+
+      - name: Run E2E tests
+        uses: cypress-io/github-action@v6
+        with:
+          working-directory: ui
+          start: npm run start
+          wait-on: 'http://localhost:3001'
+          wait-on-timeout: 60
+          command: npm run cypress:run:e2e
+        env:
+          BROWSER: none
+          PORT: 3001
+          # Backend uses HTTPS with self-signed cert (see scripts/deploy/helm.sh)
+          INFRA_API_ENDPOINT: https://localhost:8443
+
+      - name: Upload test artifacts
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: cypress-artifacts
+          path: |
+            ui/cypress/videos
+            ui/cypress/screenshots
+          retention-days: 7
+
+      - name: Cleanup port-forward
+        if: always()
+        run: |
+          # Kill by PID if available, otherwise kill by process name
+          if [ -n "${{ env.PORT_FORWARD_PID }}" ]; then
+            echo "Cleaning up port-forward (PID: ${{ env.PORT_FORWARD_PID }})..."
+            kill ${{ env.PORT_FORWARD_PID }} 2>/dev/null || true
+          fi
+          # Fallback: kill any remaining port-forward processes
+          pkill -f "kubectl port-forward.*8443:8443" 2>/dev/null || true

DEPLOYMENT.md

@@ -116,6 +116,12 @@ Use the environment variable `TEST_MODE` to disable certain infra service behavi
 
 This is used in the infra PR clusters to set the login referer and disable telemetry.
 
+#### Deployments for testing only (no secrets)
+
+For test clusters (such as a local KinD/Colima), you can use the deploy-local make target to skip loading secrets. The flavor provisioning actions that require secrets will not be accessible, and integrations such as with Slack will be disabled.
+
+`make deploy-local`
+
 ### Rollback
 
 Use `helm rollback infra-server <REVISION>`.

Makefile

@@ -253,6 +253,43 @@ helm-deploy: pre-check helm-dependency-update create-namespaces
 helm-diff: pre-check helm-dependency-update create-namespaces
 	@./scripts/deploy/helm.sh diff $(VERSION) $(ENVIRONMENT) $(SECRET_VERSION)
 
+## Deploy to local cluster (e.g., Colima) without GCP Secret Manager
+.PHONY: deploy-local
+deploy-local: helm-dependency-update create-namespaces
+	@echo "Generating random session secret for local deployment..."
+	$(eval SESSION_SECRET := $(shell openssl rand -base64 32 | tr -d '\n'))
+	@echo "SESSION_SECRET generated (use 'export SESSION_SECRET=<value>' for Cypress tests)"
+	@SESSION_SECRET="$(SESSION_SECRET)" TEST_MODE=true ./scripts/deploy/helm.sh deploy-local $(shell make tag) local
+	@echo ""
+	@echo "Deployment complete!"
+	@echo "To run E2E tests, export the session secret:"
+	@echo "  export SESSION_SECRET='$(SESSION_SECRET)'"
+	@echo "  make test-e2e"
+
+## Run UI E2E tests against local deployment
+.PHONY: test-e2e
+test-e2e:
+	@echo "test-e2e starting..." >&2
+	@echo "Waiting for infra-server to be ready..." >&2
+	@kubectl wait --for=condition=ready pod -l app=infra-server -n infra --timeout=3m >&2 || \
+		(echo "ERROR: infra-server pods did not become ready" >&2 && exit 1)
+	@echo "Starting port-forward and running E2E tests..." >&2
+	@kubectl port-forward -n infra svc/infra-server-service 8443:8443 >/dev/null 2>&1 & \
+	PF_PID=$$!; \
+	cleanup() { \
+		echo "" >&2; \
+		echo "Cleaning up port-forward (PID: $$PF_PID)..." >&2; \
+		kill $$PF_PID 2>/dev/null || true; \
+	}; \
+	trap cleanup EXIT; \
+	sleep 5; \
+	echo "Running Cypress E2E tests..." >&2; \
+	if [ -z "$$SESSION_SECRET" ]; then \
+		echo "WARNING: SESSION_SECRET not set. Using default for local laptop development." >&2; \
+		echo "If tests fail, make sure you exported SESSION_SECRET from deploy-local output." >&2; \
+	fi; \
+	cd ui && BROWSER=none PORT=3001 INFRA_API_ENDPOINT=http://localhost:8443 CYPRESS_SESSION_SECRET="$$SESSION_SECRET" npm run test:e2e
+
 ## Bounce pods
 .PHONY: bounce-infra-pods
 bounce-infra-pods: