stackrox
diff --git a/‎.github/workflows/PR.yaml‎
Lines changed: 211 additions & 3 deletions b/‎.github/workflows/PR.yaml‎
Lines changed: 211 additions & 3 deletions
diff --git a/‎Makefile‎
Lines changed: 14 additions & 2 deletions b/‎Makefile‎
Lines changed: 14 additions & 2 deletions
diff --git a/‎chart/infra-server/templates/secrets.yaml‎
Lines changed: 22 additions & 18 deletions b/‎chart/infra-server/templates/secrets.yaml‎
Lines changed: 22 additions & 18 deletions
diff --git a/‎chart/infra-server/test-mode-values.yaml‎
Lines changed: 4 additions & 0 deletions b/‎chart/infra-server/test-mode-values.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎cmd/infra-server/main.go‎
Lines changed: 8 additions & 2 deletions b/‎cmd/infra-server/main.go‎
Lines changed: 8 additions & 2 deletions
@@ -66,6 +66,8 @@ jobs:
     runs-on: ubuntu-latest
     container:
       image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.9
+    outputs:
+      session-secret: ${{ steps.deploy.outputs.session-secret }}
     env:
       KUBECONFIG: /github/home/artifacts/kubeconfig
       INFRA_TOKEN: ${{ secrets.INFRA_TOKEN }}
@@ -100,10 +102,26 @@ jobs:
       - name: Download artifacts
         run: |
           /github/home/.local/bin/infractl artifacts "$CLUSTER_NAME" -d /github/home/artifacts >> "$GITHUB_STEP_SUMMARY"
-          kubectl get nodes -o wide || true
+
+      - name: Wait for cluster to be ready
+        run: |
+          echo "Waiting for cluster API server to be ready..."
+          timeout 300 sh -c 'until kubectl get nodes >/dev/null 2>&1; do
+            echo "Waiting for cluster..."
+            sleep 5
+          done'
+          echo "Cluster is ready"
+          kubectl get nodes -o wide
 
       - name: Deploy infra to dev cluster
+        id: deploy
         run: |
+          # Generate random session secret for JWT signing
+          # This secret is used by both the server (for verification) and Cypress (for JWT generation)
+          SESSION_SECRET=$(openssl rand -base64 32 | tr -d '\n')
+          export SESSION_SECRET
+          echo "Generated random session secret for this PR cluster deployment"
+
           ENVIRONMENT=development TEST_MODE=true make helm-deploy
           sleep 10 # wait for old pods to disappear so the svc port-forward doesn't connect to them
           kubectl -n infra port-forward svc/infra-server-service 8443:8443 > /dev/null 2>&1 &
@@ -115,6 +133,11 @@ jobs:
 
           kill %1
 
+          # Save session secret for UI E2E tests (job output for next job)
+          echo "session-secret=$SESSION_SECRET" >> "$GITHUB_OUTPUT"
+          # Also set as env var for steps in this job
+          echo "SESSION_SECRET=$SESSION_SECRET" >> "$GITHUB_ENV"
+
       - name: Check the deployment
         run: |
           kubectl -n infra port-forward svc/infra-server-service 8443:8443 > /dev/null 2>&1 &
@@ -155,9 +178,194 @@ jobs:
         run: |
           make argo-workflow-lint
 
-      - name: Run Go e2e tests
+  ui-e2e-test-pr-cluster:
+    needs:
+      - deploy-and-test
+    runs-on: ubuntu-latest
+    # Note: This job does NOT use the apollo-ci container to avoid path issues
+    env:
+      KUBECONFIG: /tmp/kubeconfig
+      INFRA_TOKEN: ${{ secrets.INFRA_TOKEN }}
+      USE_GKE_GCLOUD_AUTH_PLUGIN: "True"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+          path: go/src/github.com/stackrox/infra
+
+      - name: Authenticate to GCloud
+        uses: google-github-actions/auth@v3
+        with:
+          credentials_json: ${{ secrets.INFRA_CI_AUTOMATION_GCP_SA }}
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v3
+        with:
+          install_components: "gke-gcloud-auth-plugin"
+
+      - name: Download production infractl
+        uses: stackrox/actions/infra/install-infractl@v1
+
+      - name: Get kubeconfig for PR cluster
+        run: |
+          echo "Downloading kubeconfig for $CLUSTER_NAME..."
+          /home/runner/.local/bin/infractl artifacts "$CLUSTER_NAME" -d /tmp/artifacts
+          cp /tmp/artifacts/kubeconfig "$KUBECONFIG"
+
+          echo "Verifying cluster access..."
+          kubectl get nodes -o wide
+
+      - name: Wait for infra-server deployment
+        run: |
+          echo "Checking infra-server pods..."
+          kubectl get pods -n infra
+          kubectl wait --for=condition=ready pod -l app=infra-server -n infra --timeout=5m
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install UI dependencies
+        run: |
+          cd ui
+          npm install --legacy-peer-deps
+
+      - name: Start port-forward to PR cluster
+        run: |
+          kubectl -n infra port-forward svc/infra-server-service 8443:8443 >/dev/null 2>&1 &
+          PORT_FORWARD_PID=$!
+          echo "PORT_FORWARD_PID=$PORT_FORWARD_PID" >> "$GITHUB_ENV"
+          echo "Started port-forward with PID: $PORT_FORWARD_PID"
+          sleep 10
+
+          # Verify port-forward is working
+          echo "Verifying port-forward connectivity..."
+          timeout 30 sh -c 'until curl -k -f https://localhost:8443/v1/whoami 2>/dev/null; do
+            echo "Waiting for port-forward..."
+            sleep 2
+          done' || {
+            echo "Port-forward verification failed"
+            pgrep -a port-forward || true
+            exit 1
+          }
+          echo "Port-forward is working"
+
+      - name: Debug - Check flavors API
+        run: |
+          echo "Checking if flavors are available..."
+
+          # First try without auth (should fail with access denied)
+          echo "1. Testing without authentication:"
+          UNAUTH_RESPONSE=$(curl -k -s https://localhost:8443/v1/flavor/list || echo "API call failed")
+          echo "$UNAUTH_RESPONSE" | jq . || echo "$UNAUTH_RESPONSE"
+
+          # Check whoami endpoint
+          echo ""
+          echo "2. Testing /v1/whoami:"
+          WHOAMI=$(curl -k -s https://localhost:8443/v1/whoami || echo "whoami failed")
+          echo "$WHOAMI" | jq . || echo "$WHOAMI"
+
+          # The real issue is the UI itself - let's check if the flavors endpoint
+          # works at all. The UI must be getting an error from somewhere.
+          echo ""
+          echo "3. Checking flavors API (unauthenticated count):"
+          FLAVOR_COUNT=$(echo "$UNAUTH_RESPONSE" | jq '.flavors | length' 2>/dev/null || echo "0")
+          echo "Number of flavors available: $FLAVOR_COUNT"
+
+          if [ "$FLAVOR_COUNT" = "0" ]; then
+            echo "NOTE: Flavors API requires authentication"
+            echo "This is expected - Cypress tests use JWT authentication with randomly generated secret"
+          fi
+
+      - name: Run UI E2E tests
+        uses: cypress-io/github-action@v6
+        with:
+          working-directory: go/src/github.com/stackrox/infra/ui
+          install: false
+          start: npm run start
+          wait-on: 'http://localhost:3001'
+          wait-on-timeout: 60
+          command: npm run cypress:run:e2e
         env:
-          INFRA_TOKEN: ${{ secrets.INFRA_TOKEN_DEV }}
+          BROWSER: none
+          PORT: 3001
+          # Backend is the PR cluster deployment accessed via port-forward
+          # This deployment uses ENVIRONMENT=development with real OIDC (NOT localDeploy=true)
+          INFRA_API_ENDPOINT: https://localhost:8443
+          # Session secret for JWT generation (matches what the server uses)
+          # Retrieved from deploy-and-test job output
+          CYPRESS_SESSION_SECRET: ${{ needs.deploy-and-test.outputs.session-secret }}
+
+      - name: Upload test artifacts
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: cypress-artifacts-pr-cluster-${{ github.event.pull_request.number }}
+          path: |
+            go/src/github.com/stackrox/infra/ui/cypress/videos
+            go/src/github.com/stackrox/infra/ui/cypress/screenshots
+          retention-days: 7
+
+      - name: Cleanup port-forward
+        if: always()
+        run: |
+          if [ -n "${{ env.PORT_FORWARD_PID }}" ]; then
+            echo "Cleaning up port-forward (PID: ${{ env.PORT_FORWARD_PID }})..."
+            kill ${{ env.PORT_FORWARD_PID }} 2>/dev/null || true
+          fi
+          pkill -f "kubectl port-forward.*8443:8443" 2>/dev/null || true
+
+  go-e2e-test:
+    needs:
+      - ui-e2e-test-pr-cluster
+    runs-on: ubuntu-latest
+    container:
+      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.9
+    env:
+      KUBECONFIG: /github/home/artifacts/kubeconfig
+      INFRA_TOKEN: ${{ secrets.INFRA_TOKEN_DEV }}
+      INFRACTL: bin/infractl -k -e localhost:8443
+      USE_GKE_GCLOUD_AUTH_PLUGIN: "True"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+          path: go/src/github.com/stackrox/infra
+
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go/src/github.com/stackrox/infra/go.mod
+
+      - name: Authenticate to GCloud
+        uses: google-github-actions/auth@v3
+        with:
+          credentials_json: ${{ secrets.INFRA_CI_AUTOMATION_GCP_SA }}
+
+      - name: Set up Cloud SDK
+        uses: "google-github-actions/setup-gcloud@v3"
+        with:
+          install_components: "gke-gcloud-auth-plugin"
+
+      - name: Download production infractl
+        uses: stackrox/actions/infra/install-infractl@v1
+
+      - name: Download artifacts
+        run: |
+          /github/home/.local/bin/infractl artifacts "$CLUSTER_NAME" -d /github/home/artifacts >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Verify cluster connectivity
+        run: |
+          echo "Verifying cluster is accessible..."
+          kubectl get nodes -o wide
+
+      - name: Run Go e2e tests
         run: |
           kubectl -n infra port-forward svc/infra-server-service 8443:8443 > /dev/null 2>&1 &
           sleep 5
 
@@ -256,7 +256,15 @@ helm-diff: pre-check helm-dependency-update create-namespaces
 ## Deploy to local cluster (e.g., Colima) without GCP Secret Manager
 .PHONY: deploy-local
 deploy-local: helm-dependency-update create-namespaces
-	TEST_MODE=true ./scripts/deploy/helm.sh deploy-local $(shell make tag) local
+	@echo "Generating random session secret for local deployment..."
+	$(eval SESSION_SECRET := $(shell openssl rand -base64 32 | tr -d '\n'))
+	@echo "SESSION_SECRET generated (use 'export SESSION_SECRET=<value>' for Cypress tests)"
+	@SESSION_SECRET="$(SESSION_SECRET)" TEST_MODE=true ./scripts/deploy/helm.sh deploy-local $(shell make tag) local
+	@echo ""
+	@echo "Deployment complete!"
+	@echo "To run E2E tests, export the session secret:"
+	@echo "  export SESSION_SECRET='$(SESSION_SECRET)'"
+	@echo "  make test-e2e"
 
 ## Run UI E2E tests against local deployment
 .PHONY: test-e2e
@@ -276,7 +284,11 @@ test-e2e:
 	trap cleanup EXIT; \
 	sleep 5; \
 	echo "Running Cypress E2E tests..." >&2; \
-	cd ui && BROWSER=none PORT=3001 INFRA_API_ENDPOINT=http://localhost:8443 npm run test:e2e
+	if [ -z "$$SESSION_SECRET" ]; then \
+		echo "WARNING: SESSION_SECRET not set. Using default for local laptop development." >&2; \
+		echo "If tests fail, make sure you exported SESSION_SECRET from deploy-local output." >&2; \
+	fi; \
+	cd ui && BROWSER=none PORT=3001 INFRA_API_ENDPOINT=http://localhost:8443 CYPRESS_SESSION_SECRET="$$SESSION_SECRET" npm run test:e2e
 
 ## Bounce pods
 .PHONY: bounce-infra-pods
 
@@ -1,4 +1,19 @@
-{{- if not .Values.localDeploy }}
+{{- if not (or .Values.localDeploy .Values.testMode) }}
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+
+metadata:
+  name: infra-image-registry-pull-secret
+  namespace: infra
+
+data:
+  .dockerconfigjson: {{ template "pull-secret" .Values.pullSecrets.quay }}
+
+---
+{{- end }}
+{{- if not (or .Values.localDeploy .Values.testMode) }}
 apiVersion: v1
 kind: Secret
 
@@ -101,21 +116,9 @@ data:
   test-janitor-delete.yaml: |-
     {{- tpl (.Files.Get "static/test-janitor-delete.yaml" ) . | b64enc | nindent 4 }}
 {{ end }}
-
----
-apiVersion: v1
-kind: Secret
-type: kubernetes.io/dockerconfigjson
-
-metadata:
-  name: infra-image-registry-pull-secret
-  namespace: infra
-
-data:
-  .dockerconfigjson: {{ template "pull-secret" .Values.pullSecrets.quay }}
 {{- end }}
 
-{{- if .Values.localDeploy }}
+{{- if or .Values.localDeploy .Values.testMode }}
 ---
 apiVersion: v1
 kind: Secret
@@ -127,16 +130,17 @@ metadata:
     app.kubernetes.io/name: infra-server
 
 data:
-  # Minimal config for localDeploy mode
+  # Minimal config for localDeploy and testMode
   infra.yaml: {{ printf "server:\n  port: 8443\n  cert: /configuration/cert.pem\n  key: /configuration/key.pem\n  static: /etc/infra/static\n  metricsPort: 9101" | b64enc }}
 
   # Minimal OIDC config - uses Google as a valid issuer for initialization
-  oidc.yaml: {{ printf "issuer: https://accounts.google.com\nclientID: dummy\nclientSecret: dummy\nendpoint: localhost:8443\nsessionSecret: local-dev-secret-min-32-chars-long\ntokenLifetime: 24h" | b64enc }}
+  # sessionSecret is randomly generated at deployment time for security
+  oidc.yaml: {{ printf "issuer: https://accounts.google.com\nclientID: dummy\nclientSecret: dummy\nendpoint: localhost:8443\nsessionSecret: %s\ntokenLifetime: 24h" (required ".Values.sessionSecret is required for localDeploy and testMode" .Values.sessionSecret) | b64enc }}
 
-  # Empty Google credentials - not used in localDeploy mode
+  # Empty Google credentials - not used in localDeploy or testMode
   google-credentials.json: {{ "{}" | b64enc }}
 
-  # Empty BigQuery credentials - not used in localDeploy mode
+  # Empty BigQuery credentials - not used in localDeploy or testMode
   bigquery-sa.json: {{ "{}" | b64enc }}
 
   # Self-signed TLS certificate for local development
 
@@ -0,0 +1,4 @@
+# Values for TEST_MODE deployments (PR clusters, CI testing)
+# This file explicitly sets testMode to true, overriding any values from GCloud secrets
+
+testMode: true
@@ -69,13 +69,19 @@ func mainCmd() error {
 
 	// Initialize GCS signer for signed URLs and artifact downloads.
 	// Only create signer if GOOGLE_APPLICATION_CREDENTIALS is set (production/development).
-	// Local deployments skip GCS signing entirely.
+	// Local deployments and test mode skip GCS signing entirely.
 	var gcsSigner *signer.Signer
+	testMode := os.Getenv("TEST_MODE") == "true"
 	if _, hasGCSCredentials := os.LookupEnv("GOOGLE_APPLICATION_CREDENTIALS"); hasGCSCredentials {
 		var err error
 		gcsSigner, err = signer.NewFromEnv()
 		if err != nil {
-			return errors.Wrapf(err, "failed to load GCS signing credentials")
+			if testMode {
+				log.Log(logging.WARN, "GCS signing disabled in TEST_MODE: invalid credentials", "error", err.Error())
+				gcsSigner = &signer.Signer{} // Empty signer for test mode with invalid credentials
+			} else {
+				return errors.Wrapf(err, "failed to load GCS signing credentials")
+			}
 		}
 	} else {
 		log.Log(logging.INFO, "GCS signing disabled: GOOGLE_APPLICATION_CREDENTIALS not set")