name: E2E Tests

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:

permissions:
  contents: read

# Only one E2E run at a time: the shared E2E_RELEASE (headlamp-e2e) in
# headlamp-dev cannot be shared across concurrent runs.
# cancel-in-progress: false (queue, don't cancel) — cancelling in-flight
# runs may skip the if:always() teardown, leaving dangling cluster resources.
concurrency:
  group: e2e-${{ github.repository }}
  cancel-in-progress: false

env:
  E2E_NAMESPACE: headlamp-dev
  E2E_RELEASE: headlamp-e2e
  # Pin to a known-good Headlamp version. Using :latest is risky because
  # the tag can change between CI runs, causing flaky failures when a newer
  # image is pulled on some nodes but not others (IfNotPresent pull policy).
  # Update this when Headlamp is upgraded in production (kube-system).
  HEADLAMP_VERSION: v0.40.1

jobs:
  e2e:
    runs-on: runners-privilegedescalation
    timeout-minutes: 15

    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '22'
          cache: 'npm'

      - name: Setup kubectl
        uses: azure/setup-kubectl@v4

      - name: Get kubeconfig
        run: |
          set -euo pipefail
          echo "=== Runner environment diagnostic ==="
          echo "HOME=${HOME:-}"
          echo "KUBECONFIG=${KUBECONFIG:-}"
          echo "ACTIONS_KUBECONFIG=${ACTIONS_KUBECONFIG:-}"
          echo "RUNNER_CONFIG=${RUNNER_CONFIG:-}"
          echo "RUNNER_CONFIG_DIR=${RUNNER_CONFIG_DIR:-}"
          echo ""
          echo "=== Checking known kubeconfig locations ==="
          for path in /runner/config /home/runner/.kube/config "${HOME:-}/.kube/config" "${HOME:-}/.kube"; do
            if [ -f "$path" ]; then
              echo "FOUND kubeconfig at: $path"
            elif [ -d "$path" ]; then
              echo "DIR exists at: $path, contents:"
              ls -la "$path" 2>&1 || echo "  (cannot list)"
            else
              echo "NOT FOUND: $path"
            fi
          done
          echo ""
          echo "=== In-cluster service account check ==="
          in_cluster=false
          if [ -f /var/run/secrets/kubernetes.io/serviceaccount/token ]; then
            echo "Service account token present — in-cluster mode available"
            echo "KUBERNETES_SERVICE_HOST=${KUBERNETES_SERVICE_HOST:-}"
            echo "KUBERNETES_SERVICE_PORT=${KUBERNETES_SERVICE_PORT:-}"
            in_cluster=true
          else
            echo "No service account token at /var/run/secrets/kubernetes.io/serviceaccount/"
          fi
          echo ""
          if [ -f /runner/config ]; then
            echo "KUBECONFIG=/runner/config" >> "$GITHUB_ENV"
            echo "Using kubeconfig from /runner/config"
          elif [ -f /home/runner/.kube/config ]; then
            echo "KUBECONFIG=/home/runner/.kube/config" >> "$GITHUB_ENV"
            echo "Using kubeconfig from /home/runner/.kube/config"
          elif [ -f "${HOME:-}/.kube/config" ]; then
            echo "KUBECONFIG=${HOME:-}/.kube/config" >> "$GITHUB_ENV"
            echo "Using kubeconfig from HOME"
          elif [ "$in_cluster" = true ]; then
            echo "No static kubeconfig found — generating in-cluster kubeconfig"
            KUBECFG_DIR="${HOME:-}/.kube"
            mkdir -p "$KUBECFG_DIR"
            kubectl config set-cluster in-cluster \
              --server="https://${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}:${KUBERNETES_SERVICE_PORT:-443}" \
              --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
              --embed-certs=true \
              --kubeconfig="$KUBECFG_DIR/config" 2>&1
            kubectl config set-credentials in-cluster \
              --token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
              --kubeconfig="$KUBECFG_DIR/config" 2>&1
            kubectl config set-context in-cluster \
              --cluster=in-cluster \
              --user=in-cluster \
              --kubeconfig="$KUBECFG_DIR/config" 2>&1
            kubectl config use-context in-cluster \
              --kubeconfig="$KUBECFG_DIR/config" 2>&1
            echo "KUBECONFIG=$KUBECFG_DIR/config" >> "$GITHUB_ENV"
            echo "Generated in-cluster kubeconfig at $KUBECFG_DIR/config"
          else
            echo "::error::No kubeconfig found in /runner/config, /home/runner/.kube/config, HOME, or in-cluster service account"
            exit 1
          fi

      - name: Apply RBAC for E2E pipeline
        run: |
          set -x
          kubectl apply -f deployment/e2e-ci-runner-rbac.yaml --dry-run=server 2>&1 || true
          kubectl apply -f deployment/e2e-ci-runner-rbac.yaml 2>&1
          echo "exit code: $?"
          echo "Waiting for RBAC propagation..."
          sleep 5
          echo "Verifying RBAC resources were created..."
          kubectl get role e2e-ci-runner -n headlamp-dev 2>&1 | tail -3
          kubectl get role e2e-ci-runner-polaris -n headlamp-dev 2>&1 | tail -3
          kubectl get rolebinding e2e-ci-runner-binding -n headlamp-dev 2>&1 | tail -3
          set +x

      - name: Apply Polaris dashboard RBAC
        run: kubectl apply -f deployment/polaris-rbac.yaml

      - name: RBAC pre-flight check
        run: |
          echo "Checking RBAC resources..."
          MISSING=0
          kubectl get role polaris-dashboard-proxy-reader -n polaris -o name >/dev/null 2>&1 || MISSING=1
          kubectl get rolebinding polaris-dashboard-proxy-reader -n polaris -o name >/dev/null 2>&1 || MISSING=1
          kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" 2>/dev/null || MISSING=1
          if [ "$MISSING" -eq 0 ]; then
            echo "RBAC pre-flight check passed."
          else
            echo "::error::RBAC pre-flight check failed. Missing required permissions."
            exit 1
          fi

      - name: Install dependencies
        run: npm ci

      - name: Build plugin
        run: npx @kinvolk/headlamp-plugin build

      - name: Deploy E2E Headlamp instance
        run: scripts/deploy-e2e-headlamp.sh

      - name: Load E2E environment
        run: |
          if [ -f .env.e2e ]; then
            cat .env.e2e >> "$GITHUB_ENV"
          else
            echo "::error::deploy-e2e-headlamp.sh did not produce .env.e2e"
            exit 1
          fi

      - name: Install Playwright browsers
        run: npx playwright install --with-deps chromium

      - name: Run E2E tests
        run: npm run e2e
        env:
          HEADLAMP_URL: ${{ env.HEADLAMP_URL }}
          HEADLAMP_TOKEN: ${{ env.HEADLAMP_TOKEN }}

      - name: Collect deployment diagnostics on failure
        if: failure()
        run: |
          echo "=== Pod state ==="
          kubectl get pods -n "$E2E_NAMESPACE" -l "app.kubernetes.io/instance=$E2E_RELEASE" 2>&1 || true
          echo "=== Pod describe ==="
          kubectl describe pods -n "$E2E_NAMESPACE" -l "app.kubernetes.io/instance=$E2E_RELEASE" 2>&1 || true
          echo "=== Recent namespace events ==="
          kubectl get events -n "$E2E_NAMESPACE" --sort-by='.lastTimestamp' 2>&1 | tail -20 || true

      - name: Teardown E2E instance
        if: always()
        run: scripts/teardown-e2e-headlamp.sh

      - name: Upload Playwright report
        uses: actions/upload-artifact@v7
        if: failure()
        with:
          name: playwright-report
          path: playwright-report/
          retention-days: 7

      - name: Upload test results
        uses: actions/upload-artifact@v7
        if: failure()
        with:
          name: test-results
          path: test-results/
          retention-days: 7