Add integration tests

Signed-off-by: Taras <9948629+taraspos@users.noreply.github.com>

Author: taraspos

tests/integration/Dockerfile

@@ -1,7 +1,7 @@
 # Using scratch base image results in `x509: certificate signed by unknown
 # authority` error.
 # Use alpine to include the necessary certificates.
-FROM alpine:3.16
+FROM alpine:3.23
 
 COPY app .
 

tests/integration/Makefile

@@ -21,6 +21,9 @@ test:
 test-aws:
 	$(MAKE) test PROVIDER_ARG="-provider aws"
 
+test-aws-git:
+	$(MAKE) test PROVIDER_ARG="-provider aws" GO_TEST_PREFIX="TestGit"
+
 test-azure:
 	$(MAKE) test PROVIDER_ARG="-provider azure"
 

tests/integration/README.md

@@ -49,7 +49,7 @@ metadata:
 ### Amazon Web Services
 
 - AWS account with access key ID and secret access key with permissions to
-    create EKS cluster and ECR repository.
+    create EKS cluster, ECR and a CodeCommit repositories.
 - AWS CLI v2.x, does not need to be configured with the AWS account.
 - Docker CLI for registry login.
 - kubectl for applying certain install manifests.
@@ -68,6 +68,13 @@ provisioning the infrastructure and running the tests:
             "Sid": "testinfra",
             "Effect": "Allow",
             "Action": [
+                "codecommit:CreateRepository",
+                "codecommit:DeleteRepository",
+                "codecommit:GetRepository",
+                "codecommit:TagResource",
+                "codecommit:UntagResource",
+                "codecommit:GitPull",
+                "codecommit:GitPush",
                 "ec2:AllocateAddress",
                 "ec2:AssociateRouteTable",
                 "ec2:AttachInternetGateway",
@@ -213,6 +220,13 @@ module "aws_gh_actions" {
   aws_policy_name        = "oci-e2e"
   aws_policy_description = "policy for OCI e2e tests"
   aws_provision_perms = [
+    "codecommit:CreateRepository",
+    "codecommit:DeleteRepository",
+    "codecommit:GetRepository",
+    "codecommit:TagResource",
+    "codecommit:UntagResource",
+    "codecommit:GitPull",
+    "codecommit:GitPush",
     "ec2:AllocateAddress",
     "ec2:AssociateRouteTable",
     "ec2:AttachInternetGateway",

tests/integration/aws_test.go

@@ -22,11 +22,15 @@ package integration
 import (
 	"context"
 	"fmt"
+	"net/url"
 
 	tfjson "github.com/hashicorp/terraform-json"
 
 	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/auth"
 	"github.com/fluxcd/pkg/auth/aws"
+	authutils "github.com/fluxcd/pkg/auth/utils"
+	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/test-infra/tftestenv"
 )
 
@@ -94,7 +98,7 @@ func registryLoginECR(ctx context.Context, output map[string]*tfjson.StateOutput
 // logged in and is capable of pushing the test images.
 func pushAppTestImagesECR(ctx context.Context, localImgs map[string]string, output map[string]*tfjson.StateOutput) (map[string]string, error) {
 	// Get the registry name and construct the image names accordingly.
-	repo := output["ecr_test_app_repo_url"].Value.(string)
+	repo := output["ecr_repository_url"].Value.(string)
 	remoteImage := repo + ":test"
 	return tftestenv.PushTestAppImagesECR(ctx, localImgs, remoteImage)
 }
@@ -138,17 +142,52 @@ func getClusterUsersAWS(output map[string]*tfjson.StateOutput) ([]string, error)
 	return []string{clusterUser}, nil
 }
 
-// When implemented, getGitTestConfigAws would return the git-specific test config for AWS
 func getGitTestConfigAWS(outputs map[string]*tfjson.StateOutput) (*gitTestConfig, error) {
-	return nil, fmt.Errorf("NotImplemented for AWS")
+	repoURL := outputs["git_repo_http_url"].Value.(string)
+	if repoURL == "" {
+		return nil, fmt.Errorf("no AWS CodeCommit repository URL in terraform output")
+	}
+
+	region := outputs["region"].Value.(string)
+	if region == "" {
+		return nil, fmt.Errorf("no AWS region in terraform output")
+	}
+
+	parsedRepoURL, err := url.Parse(repoURL)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse AWS CodeCommit repository URL: %w", err)
+	}
+
+	creds, err := authutils.GetGitCredentials(context.Background(), aws.ProviderName,
+		auth.WithSTSRegion(region),
+		auth.WithGitURL(*parsedRepoURL),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get AWS CodeCommit credentials: %w", err)
+	}
+
+	authOpts, err := getAuthOpts(repoURL, map[string][]byte{
+		"username": []byte(creds.Username),
+		"password": []byte(creds.Password),
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return &gitTestConfig{
+		defaultGitTransport:              git.HTTPS,
+		defaultAuthOpts:                  authOpts,
+		applicationRepository:            repoURL,
+		applicationRepositoryWithoutUser: repoURL,
+	}, nil
 }
 
-// When implemented, grantPermissionsToGitRepositoryAWS would grant the required permissions to AWS CodeCommit repository
 func grantPermissionsToGitRepositoryAWS(ctx context.Context, cfg *gitTestConfig, output map[string]*tfjson.StateOutput) error {
-	return fmt.Errorf("NotImplemented for AWS")
+	// Noop, CodeCommit permissions are granted via Terraform
+	return nil
 }
 
-// When implemented, revokePermissionsToGitRepositoryAWS would revoke the permissions granted to AWS CodeCommit repository
 func revokePermissionsToGitRepositoryAWS(ctx context.Context, cfg *gitTestConfig, outputs map[string]*tfjson.StateOutput) error {
-	return fmt.Errorf("NotImplemented for AWS")
+	// Noop, CodeCommit permissions are granted via Terraform
+	return nil
 }

tests/integration/git_test.go

@@ -83,7 +83,10 @@ func TestGitCloneUsingProvider(t *testing.T) {
 }
 
 func TestGitCloneUsingSSH(t *testing.T) {
-	if !testGit {
+	// Skip SSH authentication test for CodeCommit
+	// while it is possible, it is based on SSH keys attached to an IAM user
+	// which is not the recommended way.
+	if *targetProvider == "aws" || !testGit {
 		t.Skip("Skipping git test, not supported for provider")
 	}
 

tests/integration/go.mod

@@ -69,6 +69,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 // indirect
 	github.com/aws/smithy-go v1.24.0 // indirect
+	github.com/aws/smithy-go/aws-http-auth v1.1.2-0.20260302195807-5bb6ea94670a // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect

tests/integration/go.sum

@@ -73,6 +73,8 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 h1:5fFjR/ToSOzB2OQ/XqWpZBmNvmP/
 github.com/aws/aws-sdk-go-v2/service/sts v1.41.6/go.mod h1:qgFDZQSD/Kys7nJnVqYlWKnh0SSdMjAi0uSwON4wgYQ=
 github.com/aws/smithy-go v1.24.0 h1:LpilSUItNPFr1eY85RYgTIg5eIEPtvFbskaFcmmIUnk=
 github.com/aws/smithy-go v1.24.0/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
+github.com/aws/smithy-go/aws-http-auth v1.1.2-0.20260302195807-5bb6ea94670a h1:sN7kaGyTnpaIf0Ta59oeMjH59BYbyI+GvAs0wJgbLus=
+github.com/aws/smithy-go/aws-http-auth v1.1.2-0.20260302195807-5bb6ea94670a/go.mod h1:KL46VTjVK9De3jurMqDLBkXCP9vrAvD03zQrmyzyrQ0=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=

tests/integration/suite_test.go

@@ -432,6 +432,7 @@ func getProviderConfig(provider string) *ProviderConfig {
 			grantPermissionsToGitRepository:  grantPermissionsToGitRepositoryAWS,
 			revokePermissionsToGitRepository: revokePermissionsToGitRepositoryAWS,
 			getGitTestConfig:                 getGitTestConfigAWS,
+			supportsGit:                      true,
 		}
 	case "azure":
 		providerCfg := &ProviderConfig{

tests/integration/terraform/aws/main.tf

@@ -50,7 +50,7 @@ resource "aws_iam_role" "assume_role" {
   count       = var.enable_wi ? 1 : 0
   name        = local.name
   description = "IAM role used for testing Workload integration for OCI repositories in Flux"
-  assume_role_policy = templatefile("oidc_assume_role_policy.json", {
+  assume_role_policy = templatefile("${path.module}/oidc_assume_role_policy.json", {
     OIDC_ARN  = module.eks.cluster_oidc_arn,
     OIDC_URL  = replace(module.eks.cluster_oidc_url, "https://", ""),
     NAMESPACE = var.wi_k8s_sa_ns,
@@ -90,6 +90,14 @@ resource "aws_iam_policy" "wi_role_policy" {
         ]
         Resource = "*"
       },
+      {
+        Effect = "Allow"
+        Action = [
+          "codecommit:GitPull",
+          "codecommit:GitPush",
+        ]
+        Resource = aws_codecommit_repository.test_git.arn
+      },
     ],
   })
 }
@@ -103,3 +111,9 @@ resource "aws_eks_access_entry" "wi_access_entry" {
   principal_arn = aws_iam_role.assume_role[0].arn
   user_name     = aws_iam_role.assume_role[0].arn
 }
+
+resource "aws_codecommit_repository" "test_git" {
+  repository_name = local.name
+  description     = "Test repository for Flux integration tests"
+  tags            = var.tags
+}

tests/integration/terraform/aws/outputs.tf

@@ -47,3 +47,11 @@ output "aws_wi_iam_arn" {
 output "ecrpublic_repository_url" {
   value = aws_ecrpublic_repository.test_ecr_public.repository_uri
 }
+
+output "git_repo_http_url" {
+  value = aws_codecommit_repository.test_git.clone_url_http
+}
+
+output "git_repo_name" {
+  value = aws_codecommit_repository.test_git.repository_name
+}