docs: add CI E2E parallel execution design spec

Foo Bar · Copilot · Foo Bar · commit a5c8d8d1de4c · 2026-05-06T12:01:14.000+08:00
Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/docs/superpowers/specs/2026-05-06-ci-e2e-parallel-design.md b/docs/superpowers/specs/2026-05-06-ci-e2e-parallel-design.md
@@ -0,0 +1,186 @@
+# CI E2E Parallel Execution Design
+
+## Problem
+
+The `API7EE E2E Test` CI workflow (`e2e-test.yml`) takes ~1 hour, far exceeding the 30-minute target. The bottleneck is test case execution: ~199 E2E tests run serially, split across 3 matrix jobs (apisix.apache.org ~89 tests, networking.k8s.io ~81 tests, webhook ~28 tests).
+
+## Approach
+
+Enable ginkgo parallel execution (`--nodes=2`) within each matrix job by converting `BeforeSuite`/`AfterSuite` to ginkgo's `SynchronizedBeforeSuite`/`SynchronizedAfterSuite`. This ensures the API7EE control plane is deployed only once per job while each ginkgo node independently manages its own dashboard connection.
+
+Scope: `e2e-test.yml` only. Other workflows are not changed.
+
+## Architecture
+
+### Current (serial)
+
+```
+Kind Cluster
+├── api7-ee-e2e namespace  (BeforeSuite, once per job)
+│   ├── api7ee3-dashboard (NodePort 7080/7443)
+│   ├── api7ee3-dp-manager (7943)
+│   └── api7-postgresql
+└── ingress-apisix-e2e-tests-default-{ns} (each It() BeforeEach)
+    ├── api7ee3-apisix-gateway-mtls (data plane pod)
+    ├── api7-ingress-controller
+    └── httpbin
+
+Test process → kubectl port-forward → fixed local:{NodePort} → dashboard:7080
+```
+
+### Target (parallel, --nodes=2)
+
+```
+Kind Cluster
+├── api7-ee-e2e namespace  (SynchronizedBeforeSuite node 1, once per job)
+│   ├── api7ee3-dashboard / dp-manager / postgresql
+├── ingress-apisix-e2e-tests-default-{nsA}  (node 1 BeforeEach)
+│   ├── gateway pod, ingress controller, httpbin
+│   └── API7EE Gateway Group A (UUID)
+└── ingress-apisix-e2e-tests-default-{nsB}  (node 2 BeforeEach, concurrent)
+    ├── gateway pod, ingress controller, httpbin
+    └── API7EE Gateway Group B (UUID)
+
+ginkgo node 1 process → kubectl port-forward → local:{autoPort1} → dashboard:7080
+ginkgo node 2 process → kubectl port-forward → local:{autoPort2} → dashboard:7080
+```
+
+## Concurrency Safety Analysis
+
+| Resource | Isolation mechanism | Safe? |
+|---|---|---|
+| k8s namespace | `ingress-apisix-e2e-tests-{name}-{nanosecond}` | ✅ |
+| GatewayClass | name = namespace name (unique) | ✅ |
+| API7EE Gateway Group | `uuid.NewString()` | ✅ |
+| Ingress controller | controllerName contains namespace | ✅ |
+| Dashboard API calls | idempotent (UploadLicense, GetAdminKey) | ✅ |
+| Dashboard tunnel | fixed NodePort used as local port → conflict | ❌ **needs fix** |
+
+## Code Changes
+
+### 1. `test/e2e/e2e_test.go`
+
+Replace `BeforeSuite`/`AfterSuite` with the synchronized variants:
+
+```go
+SynchronizedBeforeSuite(f.DeployAPI7EE, f.InitNodeConnections)
+SynchronizedAfterSuite(f.CloseNodeConnections, f.TeardownInfrastructure)
+```
+
+`DeployAPI7EE` (node 1 only): deploys the API7EE control plane once.  
+`InitNodeConnections` (all nodes): each node creates its own dashboard port-forward tunnel.  
+`CloseNodeConnections` (all nodes): each node closes its own tunnel.  
+`TeardownInfrastructure` (node 1 only): no-op for now (cluster is torn down by CI).
+
+### 2. `test/e2e/framework/api7_framework.go`
+
+Split `BeforeSuite` into:
+
+**`DeployAPI7EE() []byte`** (node 1 only):
+- Init `API7EELicense` and `dashboardVersion` from env
+- Delete and recreate `api7-ee-e2e` namespace
+- Helm install `api7ee3` chart
+- Wait for pods to be ready (`time.Sleep(1 * time.Minute)`)
+- Create a temporary tunnel (with `findFreePort()`)
+- Call `UploadLicense()` and `setDpManagerEndpoints()`
+- Close the temporary tunnel
+- Return `[]byte("ready")`
+
+**`InitNodeConnections(_ []byte)`** (all nodes):
+- Init `API7EELicense` from env (needed for per-test `UploadLicense` calls)
+- Call `f.newDashboardTunnel()` to create a per-node tunnel
+
+**`CloseNodeConnections()`** (all nodes):
+- Call `f.shutdownDashboardTunnel()`
+
+**`TeardownInfrastructure()`** (node 1 only):
+- No-op (Kind cluster is deleted by `make kind-down` or CI teardown)
+
+### 3. Fix dashboard tunnel port conflict
+
+`newDashboardTunnel()` currently uses the k8s NodePort value as the local bind port. With parallel processes on the same machine, this causes `address already in use` errors.
+
+Replace fixed-port logic with a `findFreePort()` helper:
+
+```go
+func findFreePort() int {
+    ln, err := net.Listen("tcp", ":0")
+    if err != nil {
+        panic(fmt.Sprintf("finding free port: %v", err))
+    }
+    port := ln.Addr().(*net.TCPAddr).Port
+    _ = ln.Close()
+    return port
+}
+```
+
+Use `findFreePort()` for both HTTP and HTTPS tunnels:
+
+```go
+localHTTPPort := findFreePort()
+localHTTPSPort := findFreePort()
+_dashboardHTTPTunnel = k8s.NewTunnel(..., localHTTPPort, httpPort)
+_dashboardHTTPSTunnel = k8s.NewTunnel(..., localHTTPSPort, httpsPort)
+```
+
+Note: there is a small TOCTOU window between `ln.Close()` and `kubectl port-forward` binding the port. In practice this is safe on a CI machine. If it becomes an issue, retry logic can be added.
+
+### 4. `Makefile`
+
+Add `ginkgo-api7ee-e2e-test` target:
+
+```makefile
+.PHONY: ginkgo-api7ee-e2e-test
+ginkgo-api7ee-e2e-test: adc
+	@ginkgo -cover -coverprofile=coverage.txt -r --randomize-all --randomize-suites \
+		--trace --nodes=$(E2E_NODES) --label-filter="$(TEST_LABEL)" ./test/e2e/
+```
+
+### 5. `.github/workflows/e2e-test.yml`
+
+Add `install-ginkgo` step. Replace `make e2e-test` with ginkgo parallel invocation:
+
+```yaml
+- name: Install ginkgo
+  run: make install-ginkgo
+
+- name: Run E2E test suite
+  env:
+    API7_EE_LICENSE: ${{ secrets.API7_EE_LICENSE }}
+    PROVIDER_TYPE: api7ee
+    TEST_LABEL: ${{ matrix.cases_subset }}
+    TEST_ENV: CI
+  run: |
+    if [[ "${{ matrix.cases_subset }}" == "webhook" ]]; then
+      E2E_NODES=1 make ginkgo-api7ee-e2e-test
+    else
+      E2E_NODES=2 make ginkgo-api7ee-e2e-test
+    fi
+```
+
+## Expected Outcome
+
+| Job | Tests | Before | After (N=2) |
+|---|---|---|---|
+| apisix.apache.org | ~89 | ~45 min | ~22 min |
+| networking.k8s.io | ~81 | ~40 min | ~20 min |
+| webhook | ~28 | ~10 min | ~10 min (serial) |
+| **Total (longest)** | | **~60 min** | **~22-25 min** |
+
+Target of 30 minutes is achieved.
+
+## Risk and Rollback
+
+**Risk**: Resource contention on GitHub-hosted runners (2 CPUs, 7GB RAM). With 2 parallel test stacks (2 gateway pods + 2 ingress controllers + 2 httpbins) plus the shared API7EE control plane, memory usage may approach limits.
+
+**Mitigation**: Start with `E2E_NODES=2`. Monitor CI run times and failure rates. Roll back to `E2E_NODES=1` (equivalent to current behavior) if instability is observed.
+
+**Rollback**: Single line change in the workflow — set `E2E_NODES=1` for all matrix jobs, which is functionally identical to the current `make e2e-test`.
+
+## Testing
+
+After implementation, verify:
+1. All 3 matrix jobs pass with the new ginkgo invocation
+2. Each parallel node creates an independent namespace and gateway group
+3. No port conflicts in dashboard tunnel creation
+4. Serial mode (`E2E_NODES=1`) still works for webhook tests
