Add Windows e2e tests via kind-in-WSL

tg123 · tg123 · commit 430a929d276e · 2026-06-08T14:22:17.000-07:00
diff --git a/.gitattributes b/.gitattributes
@@ -43,6 +43,11 @@
 *.fsx text=auto
 *.hs text=auto
 
+# Shell scripts must keep LF endings even when checked out on Windows; a CRLF
+# turns `set -euxo pipefail` into `pipefail\r` (invalid option) once the file is
+# copied into WSL.
+*.sh text eol=lf
+
 *.csproj text=auto
 *.vbproj text=auto
 *.fsproj text=auto
diff --git a/.github/e2e/bootstrap-kind.sh b/.github/e2e/bootstrap-kind.sh
@@ -0,0 +1,146 @@
+#!/usr/bin/env bash
+# Bring up a single node Kubernetes control plane inside the kindest/node rootfs
+# that oci-to-wsl imported into WSL. kind normally runs this image as a Docker
+# container and drives kubeadm from the host through `docker exec`; here WSL
+# boots the image's systemd directly, so the equivalent bootstrap is performed
+# in place.
+set -euxo pipefail
+
+# --------------------------------------------------------------------------
+# Reproduce the setup that kind's container entrypoint (/usr/local/bin/entrypoint)
+# performs when running kindest/node inside Docker. WSL boots systemd directly
+# from the image's rootfs, so these steps must be done explicitly.
+# --------------------------------------------------------------------------
+
+# 1. Mount propagation — kubeadm and kubelet need shared mounts.
+mount --make-rshared / 2>/dev/null || true
+
+# 2. /dev/kmsg — kubelet reads kernel messages from this device and exits
+#    immediately if it is missing. WSL2 does not create it by default.
+if [ ! -e /dev/kmsg ]; then
+  ln -sf /dev/console /dev/kmsg
+fi
+
+# 3. Kernel parameters required by kube-proxy and networking.
+sysctl -w net.ipv4.ip_forward=1 || true
+sysctl -w net.ipv4.conf.all.forwarding=1 || true
+sysctl -w net.ipv6.conf.all.forwarding=1 2>/dev/null || true
+
+# 4. Ensure /run is a tmpfs (systemd usually handles this, but be safe).
+if ! mountpoint -q /run; then
+  mount -t tmpfs tmpfs /run
+  mkdir -p /run/lock
+fi
+
+# 5. Ensure a machine-id exists (kubelet uses it as node identity).
+if [ ! -s /etc/machine-id ]; then
+  systemd-machine-id-setup 2>/dev/null || uuidgen | tr -d '-' > /etc/machine-id
+fi
+
+# 6. containerd configuration — use cgroupfs driver. WSL2's systemd has limited
+#    cgroup delegation, so the cgroupfs driver is more reliable here.
+mkdir -p /etc/containerd
+containerd config default \
+  | sed 's/SystemdCgroup = true/SystemdCgroup = false/' \
+  > /etc/containerd/config.toml
+
+# 7. Start containerd.
+systemctl enable --now containerd
+systemctl restart containerd
+
+# Wait for the container runtime to accept requests.
+for _ in {1..60}; do
+  if ctr --namespace k8s.io version >/dev/null 2>&1; then
+    break
+  fi
+  sleep 2
+done
+
+# 8. The kindest/node image ships a kubelet drop-in (11-kind.conf) whose
+#    ExecStartPre runs /kind/bin/create-kubelet-cgroup-v2.sh. That script
+#    expects Docker-managed cgroup namespaces and fails in bare WSL2.
+#    Patch it out so the kubelet service can start.
+if [ -f /etc/systemd/system/kubelet.service.d/11-kind.conf ]; then
+  sed -i '/create-kubelet-cgroup-v2/d' /etc/systemd/system/kubelet.service.d/11-kind.conf
+  systemctl daemon-reload
+fi
+systemctl stop kubelet 2>/dev/null || true
+
+# Initialize the control plane using a kubeadm config that forces cgroupfs and
+# disables swap checking.
+set +e
+kubeadm init \
+  --ignore-preflight-errors=all \
+  --config /dev/stdin <<'KUBEADM_CONFIG'
+apiVersion: kubeadm.k8s.io/v1beta4
+kind: InitConfiguration
+nodeRegistration:
+  criSocket: unix:///run/containerd/containerd.sock
+  ignorePreflightErrors:
+    - all
+---
+apiVersion: kubeadm.k8s.io/v1beta4
+kind: ClusterConfiguration
+networking:
+  podSubnet: 10.244.0.0/16
+apiServer:
+  certSANs:
+    - "127.0.0.1"
+    - "localhost"
+---
+apiVersion: kubelet.config.k8s.io/v1beta1
+kind: KubeletConfiguration
+cgroupDriver: cgroupfs
+failSwapOn: false
+KUBEADM_CONFIG
+rc=$?
+set -e
+
+if [ $rc -ne 0 ]; then
+  echo "=== kubeadm init failed (rc=$rc) — collecting diagnostics ===" >&2
+  systemctl status kubelet --no-pager 2>&1 || true
+  journalctl -xeu kubelet --no-pager -n 80 2>&1 || true
+  echo "=== cgroup info ===" >&2
+  mount | grep cgroup || true
+  cat /proc/self/cgroup 2>/dev/null || true
+  ls /sys/fs/cgroup/ 2>/dev/null || true
+  exit 1
+fi
+
+export KUBECONFIG=/etc/kubernetes/admin.conf
+
+# Single node cluster: allow workloads to schedule on the control-plane node.
+kubectl taint nodes --all node-role.kubernetes.io/control-plane- 2>/dev/null || true
+
+# The bundled kindnet manifest (/kind/manifests/default-cni.yaml) contains Go
+# template placeholders (e.g. {{ .PodSubnet }}) that kind normally renders at
+# cluster creation time. Render the template and apply; if that fails, install
+# a standalone CNI config for host-local networking on this single node.
+if ! sed -e 's/{{ \.PodSubnet }}/10.244.0.0\/16/g' \
+         -e 's/{{ \.PodSubnet}}/10.244.0.0\/16/g' \
+         -e 's/{{\.PodSubnet}}/10.244.0.0\/16/g' \
+         -e '/^{{/d' -e '/^}}/d' \
+         /kind/manifests/default-cni.yaml | kubectl apply -f - 2>&1; then
+  echo "kindnet manifest apply failed; installing host-local CNI config directly"
+  mkdir -p /etc/cni/net.d
+  cat > /etc/cni/net.d/10-kindnet.conflist <<'CNI'
+{
+  "cniVersion": "0.4.0",
+  "name": "kindnet",
+  "plugins": [
+    {
+      "type": "ptp",
+      "ipMasq": false,
+      "ipam": { "type": "host-local", "dataDir": "/run/cni-ipam-state", "routes": [{"dst": "0.0.0.0/0"}], "ranges": [[{"subnet": "10.244.0.0/24"}]] }
+    },
+    { "type": "portmap", "capabilities": {"portMappings": true} }
+  ]
+}
+CNI
+fi
+
+# Assign podCIDR to the node so kubelet can allocate pod IPs.
+NODE=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')
+kubectl patch node "$NODE" -p '{"spec":{"podCIDR":"10.244.0.0/24","podCIDRs":["10.244.0.0/24"]}}' 2>/dev/null || true
+
+kubectl wait --for=condition=Ready nodes --all --timeout=300s
diff --git a/.github/e2e/kind-wsl.yaml b/.github/e2e/kind-wsl.yaml
@@ -0,0 +1,21 @@
+# oci-to-wsl profile that imports the kindest/node image into WSL as a
+# systemd-enabled distribution. Unlike the regular "kind in Docker" flow, the
+# Kubernetes node runs natively inside WSL, so no Docker daemon or nested
+# containers are required on the Windows runner.
+name: kind
+image: kindest/node:v1.32.2
+install_dir: C:\WSL\kind
+
+# kindest/node expects an init system; WSL boots systemd when configured.
+wsl_conf:
+  mode: merge
+  content: |
+    [boot]
+    systemd=true
+
+# Stage the bootstrap script that turns the imported rootfs into a running
+# single node control plane. Path is resolved relative to this profile.
+files:
+  - src: ./bootstrap-kind.sh
+    dst: /usr/local/bin/bootstrap-kind.sh
+    mode: "0755"
diff --git a/.github/workflows/buildtest.yaml b/.github/workflows/buildtest.yaml
@@ -87,6 +87,103 @@ jobs:
             exit 1
           fi              
 
+  # Run the same end to end suite as the Linux `e2e` job, but on Windows. There
+  # is no Linux Kubernetes distribution that runs natively on a Windows runner,
+  # so the kindest/node image (which already bundles containerd, the kubelet and
+  # the control-plane components) is imported straight into WSL with oci-to-wsl.
+  # WSL2 is enabled by default on the runner, so no separate WSL provisioning is
+  # needed, and the API server is reachable from the Windows host (which runs the
+  # test process) through WSL2 localhost forwarding.
+  e2e-windows-wsl:
+    runs-on: windows-latest
+    name: E2E (kind in WSL)
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+      - name: Setup dotnet
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
+        with:
+          dotnet-version: |
+           8.0.x
+           9.0.x
+           10.0.x
+      - name: Install oci-to-wsl
+        shell: pwsh
+        run: |
+          $url = "https://github.com/tg123/oci-to-wsl/releases/download/v0.0.1/oci-to-wsl_windows_x86_64.zip"
+          $expected = "79772846F1CE4A38E5B2841EA2406A070F4DB64F3DBF3EA32F04B519111FD003"
+          Invoke-WebRequest $url -OutFile oci-to-wsl.zip
+          $actual = (Get-FileHash oci-to-wsl.zip -Algorithm SHA256).Hash
+          if ($actual -ne $expected) {
+            throw "oci-to-wsl checksum mismatch: expected $expected, got $actual"
+          }
+          Expand-Archive -Force oci-to-wsl.zip -DestinationPath .
+      - name: Start kind cluster in WSL
+        shell: pwsh
+        run: |
+          # Import kindest/node into WSL as a systemd-enabled distro named "kind".
+          .\oci-to-wsl.exe --profile .github/e2e/kind-wsl.yaml
+
+          # Reboot the distro so the systemd configuration written by the profile
+          # takes effect.
+          wsl --shutdown
+
+          # WSL terminates the lightweight VM once its last session exits, which
+          # tears down the API server between steps and makes localhost:6443
+          # connections fail with "actively refused". Hold an idle session open in
+          # the background so the cluster (and WSL2 localhost forwarding) stay up
+          # for the duration of the host-side test steps.
+          Start-Process -FilePath wsl -ArgumentList '-d','kind','-u','root','--','sleep','infinity'
+
+          # Bring up the single node control plane in place.
+          wsl -d kind -u root -- bash /usr/local/bin/bootstrap-kind.sh
+
+          # Export a kubeconfig for the Windows host. kubeadm points it at the WSL
+          # eth0 address; rewrite it to localhost, which WSL2 forwards into WSL.
+          wsl -d kind -u root -- cat /etc/kubernetes/admin.conf | Out-File -Encoding ascii kind.kubeconfig
+          (Get-Content kind.kubeconfig) -replace 'server: https://[^ ]+', 'server: https://127.0.0.1:6443' | Set-Content kind.kubeconfig
+
+          # Wait until the API server is reachable from the Windows host through
+          # the forwarded port before handing off to the test steps.
+          $ok = $false
+          foreach ($i in 1..60) {
+            if ((Test-NetConnection -ComputerName 127.0.0.1 -Port 6443 -WarningAction SilentlyContinue).TcpTestSucceeded) {
+              $ok = $true
+              break
+            }
+            Start-Sleep -Seconds 5
+          }
+          if (-not $ok) {
+            throw "API server on 127.0.0.1:6443 was not reachable from the Windows host"
+          }
+      - name: Test
+        shell: pwsh
+        env:
+          K8S_E2E_MINIKUBE: "1"
+          KUBECONFIG: ${{ github.workspace }}\kind.kubeconfig
+        run: |
+          "" | Out-File -Encoding ascii skip.log
+          dotnet test tests/E2E.Tests --logger "SkipTestLogger;file=$PWD/skip.log" -p:BuildInParallel=false
+          if ((Get-Item skip.log).Length -gt 0) {
+            Get-Content skip.log
+            Write-Error "CASES MUST NOT BE SKIPPED"
+            exit 1
+          }
+      - name: AOT Test
+        shell: pwsh
+        env:
+          K8S_E2E_MINIKUBE: "1"
+          KUBECONFIG: ${{ github.workspace }}\kind.kubeconfig
+        run: |
+          "" | Out-File -Encoding ascii skip.log
+          dotnet test tests/E2E.Aot.Tests --logger "SkipTestLogger;file=$PWD/skip.log" -p:BuildInParallel=false
+          if ((Get-Item skip.log).Length -gt 0) {
+            Get-Content skip.log
+            Write-Error "CASES MUST NOT BE SKIPPED"
+            exit 1
+          }
+
 on:
   pull_request:
     types: [assigned, opened, synchronize, reopened]
