ci: scaffold e2e testing framework infrastructure (#763)

* ci: scaffold e2e testing framework infrastructure

This commit establishes the foundational infrastructure for end-to-end
testing of the workspaces components.

While some of the scripts appear redundant with the developing/
directory, a deliberate decision was made to keep this logic
mutually exclusive to be more flexible.  For instance, the
testing/ directory has a need to deploy a Gateway that is not
necessary for developing.  Keeping everything separate for now
makes it easier to evolve independently.

Changes include:

- Add new `testing/` directory with Makefile and setup scripts:
* `setup-kind.sh`: Automated Kind cluster creation and configuration
* `setup-cert-manager.sh`: Cert-manager installation (v1.12.13 LTS)
* `setup-istio.sh`: Istio service mesh installation with Gateway
  and TLS certificate provisioning via cert-manager
* `check-kind-context.sh`: Safety check to prevent accidental
  deployment to non-Kind clusters
* `sanity-check.sh`: Post-deploy verification including rollout
  status, TLS handshake (webhook), HTTP health endpoints, and
  Istio gateway routing for backend and frontend
* `gateway.yaml`: Istio Gateway (HTTP + HTTPS) for kubeflow-gateway
* `gateway-cert.yaml`: Self-signed ClusterIssuer and Certificate
  for gateway TLS termination
* Makefile targets: setup-cluster, deploy-all, sanity-check,
  teardown-cluster, clean, and local-e2e (placeholder)

- Add GitHub Actions workflow (`.github/workflows/ws-e2e-test.yml`):
* Triggers on pushes to main branches and PRs affecting workspaces
* Pipeline: setup-cluster -> deploy-all -> sanity-check -> local-e2e

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Andy Stoneberg <astonebe@redhat.com>

* chore: address PR feedback

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Andy Stoneberg <astonebe@redhat.com>

* chore: address PR feedback

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Andy Stoneberg <astonebe@redhat.com>

* mathew: 1

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

* mathew: 2

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

---------

Signed-off-by: Andy Stoneberg <astonebe@redhat.com>
Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

Author: 3 people

.github/workflows/ws-controller-test.yml

@@ -92,10 +92,9 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up Kind
-        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1
+        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
         with:
-          version: v0.23.0
-          node_image: kindest/node:v1.25.16@sha256:5da57dfc290ac3599e775e63b8b6c49c0c85d3fec771cd7d55b45fae14b38d3b
+          config: ./testing/kind-1-35.yaml
           cluster_name: kind
 
       - name: Set up Go

.github/workflows/ws-e2e-test.yml

@@ -0,0 +1,42 @@
+name: E2E Tests
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches:
+      - main
+      - notebooks-v2
+      - v*-branch
+  pull_request:
+    paths:
+      - workspaces/**
+
+jobs:
+  e2e-test:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: testing
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up Kind
+        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
+        with:
+          config: ./testing/kind-1-35.yaml
+          cluster_name: "local-e2e"
+
+      - name: Install Cluster Dependencies
+        run: make setup-cluster
+
+      - name: Deploy Kubeflow Workspaces
+        run: make deploy-all
+
+      - name: Verify Deployment
+        run: make sanity-check
+
+      - name: Run local-e2e tests
+        run: make local-e2e

developing/scripts/kind.yaml

@@ -13,6 +13,6 @@ kubeadmConfigPatches:
         "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key"
 nodes:
 - role: control-plane
-  image: kindest/node:v1.33.1@sha256:050072256b9a903bd914c0b2866828150cb229cea0efe5892e2b644d5dd3b34f
+  image: kindest/node:v1.35.0@sha256:452d707d4862f52530247495d180205e029056831160e22870e37e3f6c1ac31f
 - role: worker
-  image: kindest/node:v1.33.1@sha256:050072256b9a903bd914c0b2866828150cb229cea0efe5892e2b644d5dd3b34f
+  image: kindest/node:v1.35.0@sha256:452d707d4862f52530247495d180205e029056831160e22870e37e3f6c1ac31f

developing/scripts/setup-cert-manager.sh

@@ -1,12 +1,16 @@
 #!/usr/bin/env bash
+
 # Setup script for cert-manager
-# This script checks if cert-manager is installed and installs it if needed
-# Uses the same version as the e2e tests: v1.12.13 (LTS version)
+# This script checks if cert-manager is installed and installs it if needed.
 
 set -euo pipefail
 
-# Use LTS version of cert-manager (matches e2e tests)
-CERT_MANAGER_VERSION="v1.12.13"
+# Use LTS version of cert-manager
+# NOTE: ensure the following files use the same version when updating:
+#  - developing/scripts/setup-istio.sh
+#  - testing/scripts/setup-istio.sh
+#  - workspaces/controller/test/utils/certmanager.go
+CERT_MANAGER_VERSION="v1.20.2"
 CERT_MANAGER_URL="https://github.com/jetstack/cert-manager/releases/download/${CERT_MANAGER_VERSION}/cert-manager.yaml"
 
 # Check if cert-manager is already installed
@@ -40,4 +44,4 @@ kubectl wait --for=condition=established crd/certificates.cert-manager.io --time
 kubectl wait --for=condition=established crd/issuers.cert-manager.io --timeout=60s
 kubectl wait --for=condition=established crd/clusterissuers.cert-manager.io --timeout=60s
 
-echo "Cert-manager setup complete"
+echo "Cert-manager setup complete"

developing/scripts/setup-istio.sh

@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+
 # Setup script for Istio service mesh
 # This script checks if Istio is installed and installs it if needed.
 # Gateway resources (namespace, TLS cert, Gateway) are managed by Tilt.
@@ -9,15 +10,12 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 DEVELOPING_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)"
 LOCALBIN="${DEVELOPING_DIR}/bin"
 
-# Determine istioctl path - prefer LOCALBIN, fallback to PATH
+# Require istioctl from LOCALBIN to ensure a known version
 if [ -f "${LOCALBIN}/istioctl" ]; then
   ISTIOCTL="${LOCALBIN}/istioctl"
-elif command -v istioctl >/dev/null 2>&1; then
-  ISTIOCTL="istioctl"
 else
   echo "ERROR: istioctl is not installed. Please install istioctl first:"
   echo "  cd developing && make istioctl"
-  echo "  or visit: https://istio.io/latest/docs/setup/getting-started/#download"
   exit 1
 fi
 

developing/scripts/setup-kind.sh

@@ -26,7 +26,10 @@ else
 fi
 
 # Ensure kubectl context is set to the Kind cluster
-kubectl config use-context "kind-${CLUSTER_NAME}" || true
+kubectl config use-context "kind-${CLUSTER_NAME}" || {
+  echo "ERROR: Failed to set kubectl context to kind-${CLUSTER_NAME}"
+  exit 1
+}
 
 # Configure StorageClasses with Notebooks labels and annotations
 echo "Configuring StorageClasses for the Notebooks UI..."

testing/.gitignore

@@ -0,0 +1,2 @@
+# Binaries for programs and plugins
+bin/

testing/Makefile

@@ -0,0 +1,126 @@
+GIT_COMMIT     := $(shell git rev-parse HEAD)
+GIT_TREE_STATE := $(shell test -n "`git status --porcelain`" && echo "-dirty" || echo "")
+
+# Image URL to use all building/pushing image targets
+REGISTRY ?= ghcr.io/kubeflow/notebooks
+TAG ?= sha-$(GIT_COMMIT)$(GIT_TREE_STATE)
+
+CONTROLLER_NAME ?= workspaces-controller
+CONTROLLER_IMG ?= $(REGISTRY)/$(CONTROLLER_NAME):$(TAG)
+
+BACKEND_NAME ?= workspaces-backend
+BACKEND_IMG ?= $(REGISTRY)/$(BACKEND_NAME):$(TAG)
+
+FRONTEND_NAME ?= workspaces-frontend
+FRONTEND_IMG ?= $(REGISTRY)/$(FRONTEND_NAME):$(TAG)
+
+KIND_CLUSTER_NAME ?= local-e2e
+
+# Setting SHELL to bash allows bash commands to be executed by recipes.
+# Options are set to exit when a recipe line exits non-zero or a piped command fails.
+SHELL = /usr/bin/env bash -o pipefail
+.SHELLFLAGS = -ec
+
+# Export KIND_EXPERIMENTAL_PROVIDER to honor it if set in user's environment
+# (e.g., KIND_EXPERIMENTAL_PROVIDER=podman for podman support)
+export KIND_EXPERIMENTAL_PROVIDER
+
+##@ General
+
+# The help target prints out all targets with their descriptions organized
+# beneath their categories. The categories are represented by '##@' and the
+# target descriptions by '##'. The awk command is responsible for reading the
+# entire set of makefiles included in this invocation, looking for lines of the
+# file as xyz: ## something, and then pretty-format the target and help. Then,
+# if there's a line with ##@ something, that gets pretty-printed as a category.
+# More info on the usage of ANSI control characters for terminal formatting:
+# https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters
+# More info on the awk command:
+# http://linuxcommand.org/lc3_adv_awk.php
+
+.PHONY: help
+help: ## Display this help.
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+##@ Deployment
+
+.PHONY: setup-cluster
+setup-cluster: check-kubectl check-kind ## Set up a complete kind cluster with cert-manager and Istio.
+	bash scripts/setup-kind.sh
+	bash scripts/setup-cert-manager.sh
+	bash scripts/setup-istio.sh
+
+.PHONY: teardown-cluster
+teardown-cluster: check-kind ## Delete the Kind cluster.
+	kind delete cluster --name $(KIND_CLUSTER_NAME)
+
+.PHONY: deploy-controller
+deploy-controller: check-kind check-kind-context ## Build and deploy the controller.
+	$(MAKE) -C ../workspaces/controller docker-build IMG=$(CONTROLLER_IMG)
+	kind load docker-image $(CONTROLLER_IMG) --name $(KIND_CLUSTER_NAME)
+	$(MAKE) -C ../workspaces/controller deploy IMG=$(CONTROLLER_IMG)
+
+.PHONY: deploy-backend
+deploy-backend: check-kind check-kind-context ## Build and deploy the backend.
+	$(MAKE) -C ../workspaces/backend docker-build IMG=$(BACKEND_IMG)
+	kind load docker-image $(BACKEND_IMG) --name $(KIND_CLUSTER_NAME)
+	$(MAKE) -C ../workspaces/backend deploy IMG=$(BACKEND_IMG)
+
+.PHONY: deploy-frontend
+deploy-frontend: check-kind check-kind-context ## Build and deploy the frontend.
+	$(MAKE) -C ../workspaces/frontend docker-build IMG=$(FRONTEND_IMG)
+	kind load docker-image $(FRONTEND_IMG) --name $(KIND_CLUSTER_NAME)
+	$(MAKE) -C ../workspaces/frontend deploy IMG=$(FRONTEND_IMG)
+
+.PHONY: deploy-all
+deploy-all: deploy-controller deploy-backend deploy-frontend ## Deploy all components.
+
+##@ E2E Tests
+
+.PHONY: sanity-check
+sanity-check: check-kind-context ## Verify all components are deployed and responding.
+	@bash scripts/sanity-check.sh
+
+.PHONY: local-e2e
+local-e2e: ## Run e2e tests.
+	@echo "..."
+	@echo "TODO: there are no e2e tests yet, they will be defined in Cypress..."
+	@echo "..."
+
+##@ Dependencies
+
+## Location to install dependencies to
+LOCALBIN ?= $(shell pwd)/bin
+$(LOCALBIN):
+	mkdir -p $(LOCALBIN)
+
+.PHONY: check-kind
+check-kind: ## Verify that kind is available in PATH.
+	@command -v kind >/dev/null 2>&1 || { \
+		echo "ERROR: kind is not found in PATH. Please install kind."; \
+		exit 1; \
+	}
+
+.PHONY: check-kind-context
+check-kind-context: ## Verify that the current kubectl context is set to the expected kind cluster.
+	@{ \
+		current_context=$$(kubectl config current-context); \
+		expected_context="kind-$(KIND_CLUSTER_NAME)"; \
+		if [ "$$current_context" != "$$expected_context" ]; then \
+			echo "ERROR: Current kubectl context is '$$current_context', but expected '$$expected_context'."; \
+			echo "ERROR: switch to the correct context using: kubectl config use-context $$expected_context"; \
+			exit 1; \
+		fi; \
+	}
+
+.PHONY: check-kubectl
+check-kubectl: ## Verify that kubectl is available in PATH.
+	@command -v kubectl >/dev/null 2>&1 || { \
+		echo "ERROR: kubectl is not found in PATH. Please install kubectl."; \
+		exit 1; \
+	}
+
+.PHONY: clean
+clean: ## Remove downloaded tool binaries.
+	rm -rf $(LOCALBIN)
+	@echo "INFO: '$(LOCALBIN)' successfully cleaned."

testing/OWNERS

@@ -0,0 +1,5 @@
+labels:
+  - area/ci
+  - area/v2
+approvers:
+  - andyatmiami

testing/istio-cni.yaml

@@ -0,0 +1,10 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+  profile: default
+  components:
+    cni:
+      ## NOTE: we use istio CNI mode because otherwise setting pod-security.kubernetes.io/enforce=baseline on a
+      ##       namespace would prevent any pod with an istio sidecar from running, as the sidecar would be privileged.
+      enabled: true
+      namespace: kube-system