diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml deleted file mode 100644 index 0363889..0000000 --- a/.github/workflows/e2e.yaml +++ /dev/null @@ -1,23 +0,0 @@ -name: E2E Tests - -on: - push: - branches: [main] - pull_request: - branches: [main] - workflow_dispatch: - -permissions: - contents: read - -concurrency: - group: e2e-${{ github.repository }} - cancel-in-progress: false - -jobs: - e2e: - uses: privilegedescalation/.github/.github/workflows/plugin-e2e.yaml@main - with: - node-version: "22" - headlamp-version: v0.40.1 - e2e-namespace: headlamp-dev diff --git a/e2e/.auth/.gitkeep b/e2e/.auth/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/e2e/auth.setup.ts b/e2e/auth.setup.ts deleted file mode 100644 index 1823f81..0000000 --- a/e2e/auth.setup.ts +++ /dev/null @@ -1,81 +0,0 @@ -import { test as setup, expect, Page } from '@playwright/test'; - -const AUTH_STATE_PATH = 'e2e/.auth/state.json'; - -async function authenticateWithOIDC(page: Page, username: string, password: string): Promise { - // Navigate to login — Headlamp redirects / to /c/main/login - await page.goto('/'); - await page.waitForURL('**/login'); - - // Click "Sign In" and capture the Authentik popup - const popupPromise = page.waitForEvent('popup'); - await page.getByRole('button', { name: /sign in/i }).click(); - const popup = await popupPromise; - - // Wait for the Authentik popup to fully load before interacting - await popup.waitForLoadState('domcontentloaded'); - await popup.waitForLoadState('networkidle'); - - // Authentik step 1: fill username — wait for the form to render - const usernameField = popup.getByRole('textbox', { name: /email or username/i }); - await usernameField.waitFor({ state: 'visible', timeout: 15_000 }); - await usernameField.fill(username); - await popup.getByRole('button', { name: /log in/i }).click(); - - // Authentik step 2: fill password — wait for the next step to load - await popup.waitForLoadState('networkidle'); - const passwordField = popup.getByRole('textbox', { name: /password/i }); - await passwordField.waitFor({ state: 'visible', timeout: 15_000 }); - await passwordField.fill(password); - await popup.getByRole('button', { name: /continue|log in/i }).click(); - - // Wait for the popup to close (Authentik redirects back, Headlamp processes callback) - await popup.waitForEvent('close', { timeout: 15_000 }); - - // Original page should now be authenticated — wait for sidebar - await expect(page.getByRole('navigation', { name: 'Navigation' })).toBeVisible({ - timeout: 15_000, - }); -} - -async function authenticateWithToken(page: Page, token: string): Promise { - await page.goto('/'); - // Headlamp goes to /token directly when no OIDC is configured, - // or through /login when OIDC is configured - await page.waitForURL(/\/(login|token)$/); - - if (page.url().includes('/login')) { - // OIDC login page — click "use a token" to reach token auth. - const useTokenBtn = page.getByRole('button', { name: /use a token/i }); - await useTokenBtn.waitFor({ state: 'visible', timeout: 15_000 }); - await useTokenBtn.click(); - await page.waitForURL('**/token'); - } - - // Fill the "ID token" field and submit - await page.getByRole('textbox', { name: /id token/i }).fill(token); - await page.getByRole('button', { name: /authenticate/i }).click(); - - // Wait for the main UI to load - await expect(page.getByRole('navigation', { name: 'Navigation' })).toBeVisible({ - timeout: 15_000, - }); -} - -setup('authenticate with Headlamp', async ({ page }) => { - const username = process.env.AUTHENTIK_USERNAME; - const password = process.env.AUTHENTIK_PASSWORD; - const token = process.env.HEADLAMP_TOKEN; - - if (username && password) { - await authenticateWithOIDC(page, username, password); - } else if (token) { - await authenticateWithToken(page, token); - } else { - throw new Error( - 'Set AUTHENTIK_USERNAME + AUTHENTIK_PASSWORD for OIDC auth, or HEADLAMP_TOKEN for token auth' - ); - } - - await page.context().storageState({ path: AUTH_STATE_PATH }); -}); diff --git a/e2e/sealed-secrets.spec.ts b/e2e/sealed-secrets.spec.ts deleted file mode 100644 index 2af5e91..0000000 --- a/e2e/sealed-secrets.spec.ts +++ /dev/null @@ -1,88 +0,0 @@ -import { test, expect } from '@playwright/test'; - -test.describe('Sealed Secrets plugin smoke tests', () => { - test('sidebar contains sealed-secrets entry', async ({ page }) => { - await page.goto('/'); - const sidebar = page.getByRole('navigation', { name: 'Navigation' }); - await expect(sidebar).toBeVisible({ timeout: 15_000 }); - await expect(sidebar.getByRole('button', { name: /sealed.secrets/i })).toBeVisible(); - }); - - test('sidebar sealed-secrets entry is clickable and navigates to list view', async ({ page }) => { - await page.goto('/'); - const sidebar = page.getByRole('navigation', { name: 'Navigation' }); - await expect(sidebar).toBeVisible({ timeout: 15_000 }); - - const sealedSecretsEntry = sidebar.getByRole('button', { name: /sealed.secrets/i }); - await expect(sealedSecretsEntry).toBeVisible(); - await sealedSecretsEntry.click(); - - await expect(page).toHaveURL(/\/sealedsecrets/); - await expect(page.getByRole('heading', { name: /sealed.secrets/i })).toBeVisible(); - }); - - test('sealed secrets list page renders table or empty state', async ({ page }) => { - await page.goto('/c/main/sealedsecrets'); - - await expect(page.getByRole('heading', { name: /sealed.secrets/i })).toBeVisible({ - timeout: 15_000, - }); - - // Either a populated table or an empty-state indicator must be visible - const hasTable = await page.locator('table').first().isVisible().catch(() => false); - const hasEmptyState = await page - .locator('text=/no.*sealed|no.*secret|0 item|empty/i') - .first() - .isVisible() - .catch(() => false); - expect(hasTable || hasEmptyState).toBe(true); - }); - - test('sealing keys page renders table or empty state', async ({ page }) => { - await page.goto('/c/main/sealedsecrets/keys'); - - await expect(page.getByRole('heading', { name: /sealing.key/i })).toBeVisible({ - timeout: 15_000, - }); - - const hasTable = await page.locator('table').first().isVisible().catch(() => false); - const hasEmptyState = await page - .locator('text=/no.*key|0 item|empty/i') - .first() - .isVisible() - .catch(() => false); - expect(hasTable || hasEmptyState).toBe(true); - }); - - test('navigation between sealed-secrets views works', async ({ page }) => { - await page.goto('/c/main/sealedsecrets'); - await expect(page.getByRole('heading', { name: /sealed.secrets/i })).toBeVisible({ - timeout: 15_000, - }); - - // Navigate to Sealing Keys via sidebar - const sidebar = page.getByRole('navigation', { name: 'Navigation' }); - const keysLink = sidebar.getByRole('link', { name: /sealing.key/i }); - await expect(keysLink).toBeVisible(); - await keysLink.click(); - - await expect(page).toHaveURL(/\/sealedsecrets\/keys$/); - await expect(page.getByRole('heading', { name: /sealing.key/i })).toBeVisible(); - - // Navigate back to All Sealed Secrets - const allSecretsLink = sidebar.getByRole('link', { name: /all sealed secrets/i }); - await expect(allSecretsLink).toBeVisible(); - await allSecretsLink.click(); - - await expect(page).toHaveURL(/\/sealedsecrets(?!\/keys)/); - await expect(page.getByRole('heading', { name: /sealed.secrets/i })).toBeVisible(); - }); - - test('plugin settings page shows sealed-secrets plugin entry', async ({ page }) => { - await page.goto('/settings/plugins'); - - // Wait for plugin list to load — plugin scripts load asynchronously - const pluginEntry = page.locator('text=sealed-secrets').first(); - await expect(pluginEntry).toBeVisible({ timeout: 30_000 }); - }); -}); diff --git a/package.json b/package.json index 941f81d..2e46804 100644 --- a/package.json +++ b/package.json @@ -29,8 +29,6 @@ "format:check": "prettier --check src/", "test": "vitest run", "test:watch": "vitest", - "e2e": "playwright test", - "e2e:headed": "playwright test --headed", "storybook": "headlamp-plugin storybook", "storybook-build": "headlamp-plugin storybook-build", "i18n": "headlamp-plugin i18n", @@ -61,7 +59,6 @@ }, "devDependencies": { "@headlamp-k8s/eslint-config": "^0.6.0", - "@playwright/test": "^1.58.2", "@iconify/react": "^6.0.2", "@kinvolk/headlamp-plugin": "^0.13.0", "@mui/material": "^5.15.14", diff --git a/playwright.config.ts b/playwright.config.ts deleted file mode 100644 index b916edf..0000000 --- a/playwright.config.ts +++ /dev/null @@ -1,27 +0,0 @@ -import { defineConfig, devices } from '@playwright/test'; - -export default defineConfig({ - testDir: './e2e', - timeout: 30_000, - expect: { timeout: 10_000 }, - fullyParallel: false, - forbidOnly: !!process.env.CI, - retries: process.env.CI ? 1 : 0, - reporter: 'list', - use: { - baseURL: process.env.HEADLAMP_URL || (() => { throw new Error('HEADLAMP_URL is required — run scripts/deploy-e2e-headlamp.sh first'); })(), - trace: 'on-first-retry', - screenshot: 'only-on-failure', - }, - projects: [ - { name: 'setup', testMatch: /auth\.setup\.ts/, timeout: 60_000 }, - { - name: 'chromium', - use: { - ...devices['Desktop Chrome'], - storageState: 'e2e/.auth/state.json', - }, - dependencies: ['setup'], - }, - ], -}); diff --git a/scripts/deploy-e2e-headlamp.sh b/scripts/deploy-e2e-headlamp.sh deleted file mode 100755 index 288f2f8..0000000 --- a/scripts/deploy-e2e-headlamp.sh +++ /dev/null @@ -1,207 +0,0 @@ -#!/usr/bin/env bash -# deploy-e2e-headlamp.sh -# -# Deploys a stock Headlamp instance with the sealed-secrets plugin loaded via -# a ConfigMap volume mount. No custom Docker images — the plugin is built -# in CI and injected as a ConfigMap. -# -# E2E resources are deployed to the `privilegedescalation-dev` namespace. Nothing -# persists beyond the test run — teardown cleans up all created resources. -# -# Prerequisites: -# - Plugin built (dist/ exists with plugin-main.js + package.json) -# - kubectl configured with cluster access -# RBAC is managed via Flux from privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml. -# The infra repo is the source of truth — do not apply this file directly. -# Apply RBAC first: kubectl apply -f privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml -# -# Environment: -# E2E_NAMESPACE — namespace for E2E Headlamp (default: privilegedescalation-dev) -# E2E_RELEASE — release/resource name prefix (default: headlamp-e2e) -# HEADLAMP_VERSION — Headlamp image tag (default: latest) -set -euo pipefail - -REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)" -DIST_DIR="$REPO_ROOT/dist" - -E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}" -E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}" -HEADLAMP_VERSION="${HEADLAMP_VERSION:-latest}" - -if [ ! -d "$DIST_DIR" ]; then - echo "ERROR: dist/ not found. Run 'pnpm build' first." >&2 - exit 1 -fi - -# --- Preflight: verify RBAC before touching the cluster --- -echo "Checking RBAC permissions in namespace '${E2E_NAMESPACE}'..." -if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null; then - echo "ERROR: Missing RBAC — cannot delete configmaps in namespace '${E2E_NAMESPACE}'." >&2 - echo " Apply RBAC first: kubectl apply -f privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml" >&2 - exit 1 -fi - -echo "=== E2E Headlamp Deployment ===" -echo " Image: ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION}" -echo " Namespace: $E2E_NAMESPACE" -echo " Release: $E2E_RELEASE" - -# --- Create ConfigMap from built plugin --- -echo "" -echo "Creating ConfigMap with plugin files..." - -# Delete existing ConfigMap if present (idempotent redeploy) -kubectl delete configmap headlamp-sealed-secrets-plugin \ - -n "$E2E_NAMESPACE" --ignore-not-found - -# Create ConfigMap from dist/ contents and package.json -kubectl create configmap headlamp-sealed-secrets-plugin \ - -n "$E2E_NAMESPACE" \ - --from-file="$DIST_DIR" \ - --from-file=package.json="$REPO_ROOT/package.json" - -# --- Tear down any existing E2E deployment for a clean start --- -echo "" -echo "Removing any existing E2E deployment (clean-start)..." -kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait -kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait -kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait - -# --- Deploy Headlamp via kubectl apply --- -echo "" -echo "Deploying Headlamp E2E instance..." - -kubectl apply -f - </dev/null; do - ATTEMPTS=$((ATTEMPTS + 1)) - if [ "$ATTEMPTS" -ge "$MAX_ATTEMPTS" ]; then - echo "ERROR: ${SVC_URL} not reachable after $((MAX_ATTEMPTS * 5))s" >&2 - exit 1 - fi - echo " [${ATTEMPTS}/${MAX_ATTEMPTS}] not yet reachable, retrying in 5s..." - sleep 5 -done -echo "" -echo "E2E Headlamp is ready at: ${SVC_URL}" -echo " export HEADLAMP_URL=${SVC_URL}" - -# --- Generate a token for test auth --- -echo "" -echo "Creating service account token for E2E auth..." -kubectl create serviceaccount headlamp-e2e-test \ - -n "$E2E_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f - - -TOKEN=$(kubectl create token headlamp-e2e-test -n "$E2E_NAMESPACE" --duration=1h 2>/dev/null || echo "") -if [ -n "$TOKEN" ]; then - echo " export HEADLAMP_TOKEN=" - echo "" - echo "HEADLAMP_URL=${SVC_URL}" > "$REPO_ROOT/.env.e2e" - echo "HEADLAMP_TOKEN=${TOKEN}" >> "$REPO_ROOT/.env.e2e" - echo "Wrote .env.e2e with HEADLAMP_URL and HEADLAMP_TOKEN" -else - echo " WARNING: Could not generate token. Set HEADLAMP_TOKEN manually or use OIDC." -fi - -echo "" -echo "E2E deployment complete." diff --git a/scripts/teardown-e2e-headlamp.sh b/scripts/teardown-e2e-headlamp.sh deleted file mode 100755 index d59bb7e..0000000 --- a/scripts/teardown-e2e-headlamp.sh +++ /dev/null @@ -1,41 +0,0 @@ -#!/usr/bin/env bash -# teardown-e2e-headlamp.sh -# -# Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh. -# -# RBAC is managed via Flux from privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml. -# The infra repo is the source of truth — do not apply this file directly. -# -# Environment: -# E2E_NAMESPACE — namespace to clean up (default: privilegedescalation-dev) -# E2E_RELEASE — release/resource name prefix (default: headlamp-e2e) -set -euo pipefail - -REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)" - -E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}" -E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}" - -echo "=== E2E Headlamp Teardown ===" -echo " Namespace: $E2E_NAMESPACE" -echo " Release: $E2E_RELEASE" - -echo "Removing Headlamp Deployment, Service, and ServiceAccount..." -kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found -kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found -kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found - -echo "Cleaning up ConfigMap..." -kubectl delete configmap headlamp-sealed-secrets-plugin -n "$E2E_NAMESPACE" --ignore-not-found - -echo "Cleaning up test service account..." -kubectl delete serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE" --ignore-not-found - -# Clean up .env.e2e if present -if [ -f "$REPO_ROOT/.env.e2e" ]; then - rm "$REPO_ROOT/.env.e2e" - echo "Removed .env.e2e" -fi - -echo "" -echo "E2E teardown complete."